Mod 9 Health Information Privacy and Security Review

HIPPA violations: Civil Penalties

$100 with no prison for each individual HIPAA regulation up to a maximum of $250,000

HIM professional responsibilities for technical safeguards:

* Implement technical policies to allow only authorized individuals access to e-PHI - Encryption: technology that scrambles a message to make its contents unreadable without the de-encryption key - Authentication: the process of ensuring that the user or system is who or what it claims to be * Install hardware, software, and other mechanisms to record and examine access and other activity within systems containing e-PHI * Create and implement policies and procedures and electronic measures that confirm e-PHI cannot be altered, destroyed, or transmitted by anyone other than those authorized

Administrative Safeguards Purpose:

* Limit use and disclosures of PHI to "minimum necessary" * Authorize access to e-PHI (electronically protected health information) as appropriate by user's role (role-based access)

HIM Professional Responsibilities for an Administrative Safeguards:

* Train all workforce members to comply with security policies and inform them of consequences of failure to comply with those policies and procedures * Complete annual assessments to ensure knowledge of policies and procedures compliance

HIPPA violations: Criminal Penalties

* Up to $50,000 and up to 1 year in jail for unauthorized disclosure of PHI * Up to $100,000 and up to 5 years in prison for the unauthorized disclosure of PHI through deception * Up to $250,000 and up to 10 years in prison for unauthorized disclosure of PHI through deception with intent to sell or use for business-related benefit, personal gain, or hateful detriment

Identify an exception to the definition of a breach: - A coder accidently sends PHI to a billing clerk in the same healthcare organization - Information was erroneously sent to another health care organization. - The wrong patient information was sent to the patient's attorney. - Information was loaded on the Internet inappropriately.

A coder accidently sends PHI to a billing clerk in the same healthcare organization

Identify an example of a security incident: - An employee took home a laptop with unsecured PHI. - Temporary employees were not given individual passwords. - A handheld device was left unattended on the crash cart in the hall for 10 minutes. - A hacker accessed PHI from off site.

A hacker accessed PHI from off site.

You have been asked to provide an example of a trigger that might be used to reduce auditing. The example you should provide is: - A nurse is caring for a patient and reviews the patient's record. - The patient is a Medicare patient. - A patient has not signed his or her notice of privacy practices. - A patient and user have the same last name.

A patient and user have the same last name.

Determine which of the following is an appropriate use of the emergency access procedure: - The coder who usually codes the emergency room charts is out sick and the charts are left on a desk in the ER admitting area. - Data is collected for administrative purposes. - An audit is being conducted by the OIG. - A patient is crashing. The attending physician is not in the hospital, so a physician who is available helps the patient.

A patient is crashing. The attending physician is not in the hospital, so a physician who is available helps the patient.

Example of accidental use and disclosure

A physician is discussing a patient's condition with a nurse standing outside the patient's room. They are speaking in a quiet tone, but someone comes around the corner and unexpectedly overhears what is being said.

An employee of a healthcare organization has asked what makes a privacy/security audit successful. Educate the employee: - A successful audit prevents OCR audits. - A successful audit finds objective evidence of compliance or noncompliance. - A successful audit finds ALL areas of noncompliance. - A successful audit results in counseling of employees.

A successful audit finds objective evidence of compliance or noncompliance.

What are logic bombs?

A type of computer virus that lies in wait for unsuspecting computer users to perform a triggering operation before executing its instructions (this is a type of Trojan horse)

Context-based access control:

Access control method that controls what data and functionality a user is able to access based on their role and their location.

Access Safeguard:

Allows employees to only access the data that they need to perform their jobs

Physicians and all Health Care Providers Health Plans Health Care Clearinghouses Health Care workforce, which includes all staff (full-time and part-time; paid and volunteer)

Are covered entity

Physical Safeguards purpose:

Control physical access to environment and equipment, including workstations

HIM professional responsibilities for Physical safeguards:

Create and implement policies and procedures about compliant use, re-use, transfer, removal, and disposal of electronic media and ePHI

health information is not covered under HIPAA

De-identified

Authorization:

Document signed by patient allowing the covered entity to disclose protected health information

Electronic protected health information (e-PHI):

Health information stored in the EHR and other information systems that is subject to the HIPAA privacy and security rules.

Identify the true statement about the Privacy Act of 1974: - It applies to all health care organizations. - It applies to all agencies in the federal government except for the Veterans Health Administration. - It applies only to documents maintained by the federal government. - It applies to all organizations that maintain health care data in any form.

It applies only to documents maintained by the federal government.

The patient was admitted and discharged before a notice of privacy practices could be provided to him. The proper action to take is: - Send someone to the patient's home to get the patient to sign for receipt. - Give the patient the notice on the next visit. - Ask the patient to come back within 72 hours to sign the document. - Mail the notice of privacy practices to the patient.

Mail the notice of privacy practices to the patient.

Breach notification:

Mandatory reporting privacy and security breaches to patients, the Office of the Inspector General and the media.

Degaussing:

Method of destruction used for electronic data.

De-identified health information

neither identifies nor provides a reasonable basis to identify an individual.

Intrusion detection systems analyze

network traffic

any personally identifiable health information regardless of the form in which it is stored (paper, computer file, etc.), that is, data that include a collection of information that, when put together, indicates one specific individual:

Protected health information (PHI)

Contingency plan:

Strategy that will be used in the event of failure of an information system that will allow the healthcare organization to operate.

Disaster recovery:

Strategy used to get the organization back up and running after the failure of an information system.

Authentication

The coder logs into the EHR and she is able to access some data and perform some functions. The process of determining what data and functions she has access to is known as

Identify the situation that violates a patient's privacy: - The hospital uses aggregate data to determine whether or not to add a new operating room suite. - The physician on the Quality Improvement Committee reviews health records for potential quality problems. - The hospital sends patients who are scheduled for deliveries information on free childbirth classes. - The hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples.

The hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug

Recommend an example of proof of compliance for the administrative safeguard standard workforce security. - The process used to determine what access to information systems an employee needs. - Presence of sanction policy. - documentation showing how employees are removed from information when their employment is severed. - documentation of risk assessment

The process used to determine what access to information systems an employee needs.

Physician office you go to has a data integrity issue. This means: - There has been unauthorized alteration of patient information. - A break-in attempt has been identified. - Someone in the practice has released information inappropriately. - The user's access has not been defined.

There has been unauthorized alteration of patient information.

You have been given some data. The patient's name, address, social security number have all been removed. It does include the patient's account number. Identify the true statement: - This data is aggregate data. - This is de-identified information because the patient's name and Social Security number are not included in the data. - This is not de-identified information, because it is possible to identify the patient. This information is a limited data set.

This is not de-identified information, because it is possible to identify the patient.

Technical Safeguards Purpose:

Utilize technology that protects ePHI and access to ePHI

Your department was unable to provide a patient with a copy of his health record within HIPAA's 30-day limitation. Identify the step that should be taken: - Write and call the patient to tell him you need a 30-day extension. - Call the patient and let him know that you will need a 30-day extension. - Call the patient and apologize. - Write the patient and tell him that you will need a 30-day extension.

Write the patient and tell him that you will need a 30-day extension.

Release

a generic term for providing health information.

discovery

a legal process used to obtain information for court.

Robert Burchfield was recently caught accessing his wife's health record. The system automatically notified the staff of a potential breach due to the same last name for the user and the patient. This was an example of

a trigger

proving the user is who he or she says they are.

authentication

The three components of a data security program are confidentiality, integrity, and - authentication. - availability. - protection. - validity.

availability

The chief security officer has recommended a security measure that utilizes fingerprints or retina scans. He recommended: - authentication. - audit trail. - biometrics. - encryption.

biometrics.

When developing the security plan, the plan must address the records subject to the security rule. This would include: - faxed records. - cancer registry. - paper health records. - X-ray films stored in radiology.

cancer registry. *the data in the cancer registry would identify the patient, it would be e-PHI.

determines whether or not the covered entity (CE) is meeting the HIPAA requirements.

compliance audit

In a recent review, it was determined that the EHR is essential to the operations of the home health agency. Identify this type of malware.

criticality analysis

You have been asked to provide examples of technical security measures. Identify what you would include in your list of examples: - minimum necessary - training - locked doors - encryption

encryption

The company's policy states that audit logs, access reports, and security incident reports should be reviewed daily. This review is known as a(n): - workforce clearinghouse. - risk analysis. - information system activity review. - data criticality analysis.

information system activity review

Risk analysis:

is a review of your processes to identify areas of risk.

Information system activity review :

is ongoing audits of user's use of the information to ensure the access and action is appropriate.

Disclosure:

is providing health information outside of the healthcare organization.

Workforce clearinghouse:

is the process whereby the covered entity (CE) determines that the employee has the appropriate access to information systems.

I have been asked if I want to be in the facility directory. The admission clerk explains that if I am in the facility directory: - my condition can be released to hospital staff only. - my friends and family can find out my room number. - my condition can be released to the news media. - my condition can be discussed with any caller in detail.

my friends and family can find out my room number.

You are reviewing your privacy and security policies, procedures, training program, and so on and comparing them to the HIPAA and ARRA regulations. You are conducting a

risk assessment

controls are the same for all users who have the same role such as all nurses.

role based access

Your job is to determine the health information subject to the HIPAA Security Rule. The document that you identify is: - scanned operative report stored on CD. - document faxed to the healthcare organization - paper health record. - copy of discharge summary.

scanned operative report stored on CD.

a malware that monitors what the user does.

sypware

Encryption

technology that scrambles a message to make its contents unreadable without the de-encryption key

Confidentiality

the expectation that personal health information given to a physician will be used only for its intended purpose and not shared with others

Security

the implementation of data protection and the systems that contain that data.

Authentication

the process of ensuring that the user or system is who or what it claims to be

Password management:

the process of establishing policies and processes related to passwords.

Release of information (ROI)

the process of using or disclosing PHI.

Coder reviewed 10 patients' health records order to assign diagnosis & procedure codes. Identify term used for this practice: - release - disclosure - use - discovery

use *Use is how the health care organization handles health information internally.

controls are individualized for each user of the information system.

user based access

HIPAA requires patient notification of a delay in providing PHI to be in

writing

There are two ways to de-identify information:

1. A formal determination by a qualified statistician 2. The removal of specified identifiers of the individual and of the individual's relatives, household members, and employers; removal of all this information is required and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual

A covered entity must disclose PHI in only two situations:

1. To individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information 2. To the Department of Health and Human Services (DHHS) when it is undertaking a compliance investigation, a review, or an enforcement action

Mary processed a request for information and mailed it out last week. Today, the requestor, an attorney, called and said that all of the requested information was not provided. Mary pulls the documentation, including the authorization and what was sent. She believes that she sent everything that was required based on what was requested. She confirms this with her supervisor. The requestor still believes that some extra documentation is required. Given the above information, identify the true statement: - Mary is not required to release the additional information because her administrator agrees with her. - Mary is required to release the extra documentation because, in the customer service program for the healthcare organization, the customer is always right. - Mary is required to release the extra documentation because the requestor knows what is needed. - Mary is not required to release the extra documentation because the healthcare organization has the right to interpret a request and apply the minimum standard rule.

Mary is not required to release the extra documentation because the healthcare organization has the right to interpret a request and apply the minimum standard rule.

Treatment, payment, and healthcare operations (TPO):

PHI can be used without obtaining patient authorization for their treatment, to obtain reimbursement for the patient's care and for other routine administrative processes.

Bob submitted his resignation from Coastal Hospital. His last day is today. He should no longer have access to the EHR and other information systems as of 5:00 PM today. The removal of his information system privileges is known as

Terminating Access

Critique the following statement: Privacy and security training documentation only includes handouts and other course materials. - The documentation should include handouts and signing sheets only. - The documentation should include sign-in sheets, handouts, email messages quizzes and more. - This is a true statement. - The documentation should included sign-in sheets, any handouts, and schedule of training.

The documentation should included sign-in sheets, any handouts, and schedule of training.

A patient signed an authorization to release information to a physician but decided not to go see that physician. Educate the patient on the appropriate process.

The patient can request, in writing, to cancel the authorization as long as the PHI has not been sent to the physician.

Alisa has trouble remembering her password. She taped the password to the bottom of her keyboard. As the chief privacy officer, your appropriate response is: - Great idea! - This is inappropriate and must be removed. - A better place would be somewhere in your desk. - Use something like your daughter's name so that you will remember and not need to write it down.

This is inappropriate and must be removed.

The physician's office has set the information systems to automatically log out after 5 minutes of inactivity. This falls under: - access control. - physical safeguards. - administrative safeguard requirements. - cryptography.

access control

You are a nurse who works on 3West during the day shift. One day, you had to work the night shift because they were shorthanded. However, you were unable to access the EHR. Identify the type of access control being used.

context-based *access control goes beyond the role or user to address the circumstances such as control access to particular patients, specific days/time, units, and the like.

Security

helps to prevent unauthorized access and unauthorized modification of data.

An employee in the admission department stole the patient's name, Social Security number, and other information and used it to get a charge card in the patient's name. This is an example of

identity theft

Covered entities (CE) are required to:

- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit - Identify and protect against reasonably anticipated threats to the security or integrity of the information - Protect against reasonably anticipated impermissible uses or disclosures - Ensure compliance by their workforce

Risk analysis and management includes:

- Evaluation of the likelihood and impact of potential risks to e-PHI - Implementation of appropriate security measures to address the risks identified in the risk analysis - Documentation of the chosen security measures and, where required, the rationale for adopting those measures - Maintenance of continuous, reasonable, and appropriate security protections

Permitted uses and disclosures of protected health information (PHI):

- To the individual - For treatment, payment, and/or operations (TPO) - If the patient has the opportunity to agree or object: - If a patient is alert and present, the provider can ask the patient for permission to disclose and accept a verbal agreement or objection - Accidental, by way of incidental use and disclosure

Audit trail:

A chronological set of computerized records that provides evidence of information system activity (log-ins and log-outs, file access) used to determine security violations

Biometrics:

Type of access control that uses retinal scans, finger prints and other attributes of the individual.

must obtain an individual's authorization to use or disclose psychotherapy notes

covered entity

Identify the requester that requires patient authorization before releasing PHI: - the nurse caring for the patient - patient's attorney - the public health department - a business associate

patient's attorney

You have been asked to give an example of secure data.

data that is encrypted that makes it unreadable

Identify the information that can be released without patient authorization: - protected health information - de-identified health information - designated record set - summary of patient care for the latest discharge

de-identified health information

You have been given the responsibility of destroying the PHI contained in the information system's old server before it is trashed. Recommend an appropriate destruction method.

degausing *an appropriate method of destruction for electronic data as it renders it irretrievable

As a chief privacy officer to Premier Medical Center, you have many responsibilities including: - writing policies on protecting hardware - writing policies on encryption standards - writing policies on protecting hardware - developing a plan for reporting privacy complaints

developing a plan for reporting privacy complaints

You have been assigned the responsibility of reviewing and revising the contingency plan. Identify what needs to be included.

disaster planning

You are defining the designated record set for South Beach Healthcare Center. Identify the information that will be included in the designated record set.

discharge summary

The Security Rule only applies to:

e-PHI * Fax, paper health records, and X-ray film are not considered to be e-PHI

Recommend a method of proving compliance for the physical safeguard device and media controls.

encryption

You are writing the policy that will be used to determine a valid authorization. You are basing the policy on the HIPAA Privacy Rule. The policy will require the authorizations to have a(n): - expiration date. - statement regarding release of psychiatric information. - statement that the PHR is subject to privacy rule. - Social Security number.

expiration date.

Data criticality analysis:

is the review of each information system to determine how critical they are to the healthcare organization. The more critical the system is, the higher priority an information system gets in the case of multiple information systems being down.

The clinic has decided to use mobile technology. Identify the best practice for use with this technology. a. logic bomb b. Trojan horse c. rootkit d. viruses

logic bombs

A covered entity

may use or disclose, without an individual's authorization, the psychotherapy notes for its own training and to defend itself in legal proceedings brought by the individual, to enable HHS to investigate or determine the covered entity's compliance with the privacy rules, to avert a serious and imminent threat to public health or safety, to enable a health oversight agency to carry out lawful oversight of the originator of the psychotherapy notes, to enable the lawful activities of a coroner or medical examiner, or to meet legal requirements.

Mountain Hospital has discovered a security breach. Someone hacked into the information system and viewed 50 health records. According to ARRA, the covered entity has a responsibility to complete a task within a reasonable time period that cannot exceed 60 days. This task is to

notify the patient

You have been asked to create a presentation on intentional and unintentional threats. Identify an example of an intentional and unintentional threat: - hard drive failures - data loss due to electrical failures due to a hurricane - data deleted by accident by an employee who was trying to figure out how to do something - patient's Social Security number used for credit card applications

patient's Social Security number used for credit card applications

The HIM director received an e-mail from the technology support services department about her e-mail being full and asking for her password. The director contacted tech support, and it was confirmed that their department did not send this e-mail. Identify the type of malware.

phishing *type of malware where the sender imitates businesses to try to obtain passwords, Social Security number, and other private information.

Identify what is included in an environmental risk assessment: - authentication - verifying that virus-checking software is in place - use of single sign-on technology - placement of water pipes in the healthcare organization

placement of water pipes in the healthcare organization

HIPAA allows health care providers to charge patients reasonable cost-based charges for copies of their health record. Identify when the patient can be charged: - utilities - insurance for the healthcare organization - retrieval fees - preparing a summary

preparing a summary

The healthcare organization is conducting an audit to ensure that they are meeting privacy and security standards. They must be conducting a:

process audit

Identify the disclosure that would require patient authorization. - law enforcement activities - release to patient's family - workers' compensation - public health activities

release to patient's family

The HIM director has received a request to amend a patient's health record. The appropriate action for him to take is to: - return the notice to the patient because amendments are not allowed. - make the modification because you have received the request. - file the request in the health record to document the disagreement with the information contained in the health record. - route the request to the physician who wrote the note in question to determine appropriateness of the amendment.

route the request to the physician who wrote the note in question to determine appropriateness of the amendment.

Privacy

the right of individuals to keep information about themselves from being revealed to anyone without their permission

Disclosure

the sharing of information between health care professionals working in separate entities, or facilities, in the course of caring for the patient.

Use

the sharing of information between people working in the same health care facility for purposes of caring for the patient.