Week 10

The Privacy Act of 1974 states

"The right to privacy is a personal and fundamental right protected by the Constitution of the United States."

All of the following HIPAA required content for NPP were included in the Missouri State Hospital's NPP EXCEPT:

A statement regarding fundraising communications and an individual's right to opt out of receiving such communications, if a CE intends to contact an individual to raise funds for the CE.

Staff members visiting about their patients at lunch in the cafeteria

As a hospital employee, which of the following is not a time when you can share what you know?

Upon receiving a completed request for amendment from a patient the HIM department representative forwards it to the Privacy Officer. The Privacy Officer contacts the:

Author to review and evaluate the request for amendment

Include as part of the record any correspondence the patient may write explaining she disagrees with the history of chronic back pain. This will be flagged to be included as part of the history whenever the record is subsequently released; however, there is no guarantee this inclusion will affect the current situation

Catherine walks into the HIM department asking to have his history of chronic back pain removed from her emergency room record. She claims this information is erroneous and has created a problem with her current work-related accident claim. Catherine insists that this be corrected immediately. The patient has already contacted the attending physician who refused to do anything about the situation. There is no visit history after the admission in question. You offer to:

In fact, there are a number of individual rights related to health information that are required as shown in Figure 1.

Figure 1 The right to request restrictions to the use of health information in treatment, payment and healthcare operations (TPO), to those involved in the patient's care, and to those involved in the payment for the patient's care. The right to receive confidential communications in alternative means or locations, e.g. email, different regular mail address. The right to access health information in the designated record set with exceptions, e.g. exception - psychotherapy notes. The right to request correction and amendment of health information. The right to request an accounting of disclosures.

Use refers to the use (internal) of the health information by the CE.

For example, CEs use health information in the performance of quality reviews. Disclosure refers to disclosing (external) the health information to those outside of the CE. For example, CEs must report certain infectious diseases to public health agencies. Of course, there are many more examples; you can click on the above hyperlinks to Cox Health System's NPP and Mercy Health System's NPP to review their examples.

The Missouri State Hospital scenario clearly illustrated what opportunity(ies) for improvement in the HIM department?

HIM staff need to be educated on the patient's right to request an amendment to PHI as provided by HIPAA. b. HIM staff need to be educated on the facility policy and procedure for the amendment process or a HIPAA compliant policy and procedure needs to be developed. c. HIM staff need an inservice on customer service skills. Correctd. all of the above

D all the above

Internal use of patient information for patient care purposes should not be granted to: a. all physicians on staff b. legal counsel c. a family member who is an employee d. all of the above

The patient's right to privacy has been addressed for thousands of years.

Notable in recent decades are the Privacy Act of 1974, Uniform Health Care Information Act of 1985, and Health Insurance Portability and Accountability Act (HIPAA) of 1996 (effective April 14, 2003).

Privacy Act of 1974 and HIPAA

Patients were allowed to amend their health information with the passage of which law(s)?

it is an example of how PHI will be used for healthcare operations

Samuel is writing the notice of privacy practices required by HIPAA for ABC Hospital. He writes the hospital will use PHI to review competency and/or qualifications of hospital staff/physicians. Why can he include this?

The uses and disclosures addressed in the NPP are:

TPO (treatment, payment, and operations) uses and disclosures that do not require patient authorization uses and disclosures that do require patient authorization uses and disclosures that are planned and which the patient may object individual rights related to health information These uses and disclosures and individual rights will be spelled out in the NPP and include examples as required by HIPAA.

False

a copy of the patients advanced directives must be included in the patients health record

HIPAA requires a NPP to include a brief description of how the individual may exercise their rights respective to PHI. All of the following descriptions are included in the Missouri State Hospital's NPP EXCEPT:

a. To request confidential communication of your PHI, you must submit a request in writing to the Privacy Officer. b. To request an amendment, you must send a written request to the Privacy Officer. You must include a reason that supports your request. c. You may exercise your rights set forth in the notice by providing a written request to the HIS Department, Attn: Privacy Officer. Correctd. ****none of the above

The Uniform Health Care Information Act of 1985 was enacted to

bring uniformity to state law. It was to be the framework for states to pass similar legislation. Except in certain defined circumstances, this law prohibits a healthcare provider from disclosing health information to a third party without the patient's authorization. This law does provide for patients to have access to their health information and to request correction or amendment to that information. Nevertheless, it was not successful in its purpose of standardization. HIPAA has subsequently stepped in!

With the Notice of Privacy Practices (NPP) a CE notifies the patient of uses and disclosures of health information that may be made and the patient's right to consent, reject, or request restrictions of this health information for any and all of the many uses the record serves.

The timing of this notification is generally the patient's first encounter with the CE. However, there are exceptions in emergency situations. Also, a written acknowledgment of receipt of the NPP is required, but the patient can refuse. In cases of refusal the CE needs to document their good faith effort to obtain it. Nevertheless, the patient's failure to sign acknowledgment does not prevent the use and disclosures as described in the NPP nor prevent the patient from receiving treatment.

which of the following is NOT recommend content of and informed consent?

exact length of time for the proposed procedure These ARE recommended nature and purpose of proposed procedure risks and benefits of proposed procedure any risks of refusing proposed procedure

the right to be left alone or the right to control personal information is known as

privacy

The Privacy Act of 1974 was enacted to

protect the privacy of individuals identified in information systems maintained by federal agencies, such as the Veterans Administration and Indian (Native American) Health Services. Federal agencies collect records about individuals for a variety of reasons. For example, an agency may collect medical records to determine an individual's eligibility for federal employment or participation in a federal benefit program. This act provided an individual with the rights to find out what information had been collected about them, to see and have a copy of that information, and to correct or amend that information. Beyond the scope of this federal law, few states had passed specific legislation affording patients these rights.

HIPAA provides that a patient has the right to request an amendment to his/her PHI within the designated record set. The HIM department at Missouri State Hospital should be responsible for assisting patients and accepting patient requests for amendment to PHI. According to HIPAA, the HIM department representative should:

provide the patient with a request for amendment form to complete

The HIPAA legislation was established by the Department of Health and Human Services (HHS) with the original purpose of

reducing administrative overhead. It has taken on much more since its humble beginnings! This class focuses on its privacy intentions. Basically, HIPAA establishes that covered entities (CE) must have established patient rights policies; when and how a patient should be fully informed of these rights; and ensure the patient understands these rights. This requirement is met with the Notice of Privacy Practices (aka: Notice of Information Practices).

in the consent process the patient has the

right to consent to procedure right to refuse a procedure right to revoke either decision after its been made.

If a patient's request for amendment to PHI is denied, the patient may:

submit a statement of disagreement b. request that the request for amendment and the denial be included with any future disclosures of the PHI subject to the amendment (if there is not a statement of disagreement filed) c. file a complaint with the organization or Secretary of the U.S. DHHS Correctd. all of the above

Confidentiality

the obligation of the healthcare provider to maintain patient information in a manner that will not permit disclosure beyond the healthcare provider is known as:

Upon receiving a completed request for amendment form from a patient, the maximum time period to respond per HIPAA is:

within 60 days of receipt with an option of a one-time extension of up to 30 days, if needed

As a legal document, the NPP is admissible as evidence where a patient's rights are concerned.

A contract, if you will, in which a patient can hold the CE accountable for any uses or disclosures of health information that is inconsistent with the NPP. Initially, HIPAA required (pages 203-210) a signed consent for uses and disclosures of information as outlined in the NPP that was separate from the signed acknowledgment of receipt of the NPP. However, HIPAA was amended in 2002 (click here)Preview the document to eliminate the requirement for consent for uses and disclosures of information in response to the healthcare industry's concerns of efficiency. Interestingly, by removing the requirement for consent for use and disclosure of health information, HIPAA shifted the burden of proof (Recall: res ipsa loquitur) to the CE in the event of a privacy related legal action. Without a signed consent for uses and disclosures from the patient, the NPP is the only means by which a CE can defend that in a given situation it was "permitted" to use or disclose the health information in question!

use your PHI to comply with Worker's Compensation laws

HIPAA requires a NPP to include a description, including at least one example of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and healthcare operations (TPO). All of the following examples of TPO are included in the Missouri State Hospital's NPP EXCEPT: these ARE: use of PHI to bill insurance use of PHI to communicate with staff involved in your care use of PHI to conduct quality improvement activities

right to receive a copy of the notice electronically

HIPAA requires a NPP to include an individual's rights respective to PHI. All of the following individual rights are included in the Missouri State Hospital's NPP EXCEPT: These ARE: right to review and obtain copies if PHI right to amend protected health information right to file a privacy complaint

right to obtain an accounting of disclosures once every two years

HIPAA requires a NPP to include an individual's rights respective to PHI. All of the following individual rights included on the Missouri State Hospital's NPP are accurate EXCEPT: