Electronic Health Record Chapter 10
CMS permits the authentication of medical records by _____ ______ but does not specify methods.
Computer key
must notify affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, the media following the discovery of a breach of unsecured PHI. Business associates must notify covered entities if a breach has occurred. The OCR must post a list of breaches that affect 500 or more individuals.
Covered Entities
Digital signatures use a branch of mathematics called ______
Cryptography
use a branch of mathematics called cryptography and PKI, which stands for Public Key Infrastructure.
Digital signatures
Because of this difference, security discussions are assumed to be about the protection of electronic health records, but the Security Rule actually covers all PHI that is stored electronically. This is called _____.
EPHI
EDI
Electronic Data Interchange
This identifier is used to identify employer-sponsored health insurance. It is the same as the federal Employer Identification Number (EIN) employers are assigned for their taxes by the Internal Revenue Service.
Employer Identifier
HIPAA is an acronym for the
Health Insurance Portability and Accountability Act
HHS
Health and Human Services
HIPAA implementation and enforcement is under the jurisdiction of several entities within the U.S. Department of _____ ____ _____ ______
Health and Human Services (HHS)
ICD-10-CM
International Classification of Diseases, 10th Revision, Clinical Modification
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.
Media Notice
This identifier has not yet been implemented, but when it is it will be a unique identification number assigned to each insurance plan and to the organizations that administer insurance plans, such as payers and third-party administrators.
National Health Plan Identifier
This type of identifier is assigned to doctors, nurses, and other healthcare providers.
National Provider Identifier
OCR
Office for Civil Rights
A healthcare entity may use or disclose _____ for its own treatment, payment, and healthcare operations activities. For example, a hospital may use _____ to provide healthcare to the individual and may consult with other healthcare providers about the individual's treatment.
PHI
What do the acronyms PHI and EPHI represent?
PHI - Protected Health Information; EPHI - Protected Health Information in Electronic Format
In general, these are the mechanisms required to protect electronic systems, equipment and the data they hold, from threats, environmental hazards and unauthorized intrusion. They include restricting access to EPHI and retaining off-site computer backups.
Physical safeguards:
HIPAA privacy rules frequently refer to PHI or ___ ____ ____. PHI is the patient's personally identifiable health information.
Protected Health Information
PKI
Public Key Infrastructure
To fully comply with the Privacy Rule, it is necessary to understand and implement the requirements of the ____ _____. There are clearly areas in which the two rules supplement each other because both the HIPAA Privacy and Security rules are designed to protect identifiable health information.
Security Rule
_____ awareness and _____ for all new and existing members of the workforce is required.
Security awareness and training
must address how to identify security incidents and provide that the incident be reported to the appropriate person or persons.
Security incident procedures
defines physical safeguards as physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.
The Security Rule
involves the successful identification and authentication of the signer at the time of the signature, binding of the signature to the document, and nonalterability of the document after the signature has been affixed. Only "digital signatures" meet all three of these criteria.
The electronic signature process
TPO
Treatment, Payment, Operation of healthcare practice
The Privacy Rule originally required providers to obtain patient "_______" to use and disclose PHI except in emergencies. The rule was almost immediately revised to make it easier to use PHI for the purposes of treatment, payment, or operation of the healthcare practice.
consent
A ___ _____ is not a valid permission to use or disclose protected health information for a purpose that requires an authorization under the Privacy Rule.
consent document
HIPAA documents refer to healthcare providers, plans, and clearinghouses as ____ _____.
covered entities.
healthcare organization and all of its employees.
covered entity
Authorizations are usually ______ for researchers to use PHI. The only difference in a research authorization form is that it is not required to have an expiration date. The authorization may be combined with consent to participate in a clinical trial study for example.
required
HIPAA requires the use of standard sets of codes. Two of those standards are: ◆ Diagnoses ____ _____ ◆ Procedure _____ _____ ____ _____
Diagnoses: (ICD-10-CM) codes; Procedure: (CPT-4 and HCPCS) codes
Valid electronic signatures must meet three criteria. 1. ____ _____ means the recipient must be able to confirm that the document has not been altered since it was signed. 2. ______ The signer must not be able to deny signing the document. 3. ____ ______ The recipient must be able to confirm that the signature was in fact "signed" by the real person.
1. Message Integrity 2. Nonrepudiation 3. User Authentication
The Administrative Simplification Subsection has four distinct components:
1. Transactions and code sets 2. Uniform identifiers 3. Privacy 4. Security
The ____ _____ also added new requirements regarding the occurrence of a breach of unsecured protected health information.
HITECH Act
is the first step. It is used to establish the administrative processes and procedures.
The Security Management Process
What happens if a healthcare facility experiences a power outage, a natural disaster, or other emergency that disrupts normal access to healthcare information? __ ______ _____ consists of strategies for recovering access to EPHI should the organization experience a disruption of critical business operations. The goal is to ensure that EPHI is available when it is needed.
A contingency plan
are the policies, procedures, and actions to manage the implementation and maintenance of security measures to protect EPHI.
Administrative Safeguards
Security Standards
Administrative safeguards, physical safeguards, technical safeguards
In general, these are the administrative functions that should be implemented to meet the security standards. These include assignment or delegation of security responsibility to an individual and security training requirements.
Administrative safeguards:
are "hardware, software, and/or procedural mechanisms that record and examine activity in information systems."
Audit Controls
Within Workforce Security there are three addressable implementation specifications: 1. _____ or _______ _______ is the process of determining whether a particular user (or a computer system) has the right to carry out a certain activity, such as reading a file or running a program. 2. Workforce Clearance Procedure Ensure members of the workforce with authorized access to EPHI receive appropriate clearances. 3. Termination Procedures Whether the employee leaves the organization voluntarily or involuntarily, termination procedures must be in place to remove access privileges when an employee, contractor, or other individual previously entitled to access information no longer has these privileges.
Authorization or Supervision; Authorization
"The HIPAA Privacy Rule applies only to covered entities—healthcare providers, plans, and clearinghouses. However, most healthcare providers and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses.
Business Associates
(COB)
Claims or Equivalent Encounters and Coordination of Benefits
are policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed.
Facility Access Controls
Before _____, no generally accepted set of security standards or general requirements for protecting health information existed in the healthcare industry.
HIPAA
gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their healthcare providers, as well as to be informed of their privacy rights with respect to their personal health information.
HIPAA Privacy Rule
The first section of the regulations to be implemented governed the electronic transfer of medical information for business purposes such as insurance claims, payments, and eligibility.
HIPAA Transactions and Code Sets
The Security Rule defines ___ _____ as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it."
Technical Safeguards
In general, these are primarily the automated processes used to protect data and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that EPHI, or encrypting and decrypting data as it is being stored and/or transmitted.
Technical safeguards:
outlines the procedures for limiting access to only those persons or software programs that have been granted access rights by the Information Access Management administrative standard (discussed earlier).
The Access Control standard
accepts the use of electronic signatures in hospital, ambulatory care, home care, long-term care, and mental health settings. The Joint Commission requirement for electronic signatures and computer key signatures is simple: "The practitioner must sign a statement that he or she alone will use it."
The Joint Commission
There are three exceptions to the definition of "breach": ◆ _____ _______, access, or use of PHI by an employee of a covered entity or business associate ◆ ______ ________ of PHI from an authorized person to another authorized person at the covered entity or business associate ◆ If the covered entity or business associate has a good faith belief that the _____ ______, to whom the impermissible disclosure was made, would not have been able to retain the information
Unintentional acquisition; Inadvertent disclosure; impermissible disclosure; unauthorized individual
or Other Arrangement: Covered entities should have a written agreement with business associates ensuring the security of EPHI. Government agencies that exchange EPHI should have a Memorandum of Understanding.
Written Contract
Covered entities must provide ____ _____ written notice by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.
affected individuals
A ______ is defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI such that the use or disclosure poses a significant risk of financial, reputation, or other harm to the affected individual.
breach
To protect the patient's information while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research, the Privacy Rule ___ ____ some exceptions that permit researchers to access PHI without individual authorizations. Typically, these are cases where the patients are deceased;
does allow
HIPAA standardized these formats by requiring specific transaction standards for ____ ____ __ ____ ___ ____ ____ _____. Two additional EDI transactions are not yet finalized. The HIPAA transactions are:
eight types of EDI or Electronic Data Interchange
However, the Privacy Rule covers PHI in all forms of communications, whereas the Security Rule covers only ____ ____.
electronic information
Ongoing _______ of security measures is the best way to ensure all EPHI is adequately protected. Periodically evaluate strategy and systems to ensure that the security requirements continue to meet the organization's operating environments.
evaluation
Unlike the Privacy Rule concept of consent, authorizations are not ______. A new authorization is signed each time there is a different purpose or need for the patient's information to be disclosed.
global
Covered entities are required to provide a notice in plain language that describes: ◆ How the covered entity may use and disclose protected ______ _______ about an individual. ◆ The individual's rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity. ◆ The covered entity's legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information. ◆ Whom individuals can contact for further information about the covered entity's privacy policies."
health information.
The HIPAA law was intended to: ***Know this*** ◆ Improve portability and continuity of ____ _____ _____. ◆ Combat ____, _____, and ______ in health insurance and healthcare delivery. ◆ Promote use of ____ _____ accounts ◆ Improve access to ____ ____ ___ ◆ Simplify _______ of health insurance
health insurance coverage; waste, fraud, and abuse; medical savings; long-term care; administration
There may be times when individuals are legally or otherwise incapable of exercising their rights, or simply choose to designate another to act on their behalf with respect to these rights. Under the Rule, a person authorized to act on behalf of the individual in making healthcare related decisions is the
individual's personal representative.
Protecting the _____ of EPHI is a primary goal of the Security Rule.
integrity
The term consent has multiple meanings in a medical setting. Informed consent refers to the ___ _____ to receive medical treatment having been provided sufficient information to make an informed decision. Consent for medical procedures must still be obtained by the practice.
patient's agreement
Under the Privacy Rule the term consent is only concerned with use of the ___ ____, and should not be confused with consent for the treatment itself.
patient's information
Authorization differs from consent in that it does require the ___ _____ to disclose PHI.
patient's permission
The covered entity's contract or other written arrangement with its business associate must contain the elements specified in the privacy rule. For example, the contract must: ◆ Describe the ____ and _____ uses of protected health information by the business associate; ◆ Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and ◆ Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract."
permitted and required
Healthcare providers have a strong tradition of safeguarding private health information and have established privacy practices already in effect for their offices. For instance: ◆ "By ___ ____ when discussing a patient's condition with family members in a waiting room or other public area; ◆ By avoiding using ___ ____ in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality; ◆ By isolating or locking ___ ___ or _____ rooms; or ◆ By providing ____ _____, such as passwords, on computers maintaining personal information.
speaking quietly; patients' names; file cabinets or records; additional security
User Authentication
The recipient must be able to confirm that the signature was in fact "signed" by the real person.
Nonrepudiation
The signer must not be able to deny signing the document.
HIPAA established ____ _____ standards to be used on all claims and other data transmissions.
uniform identifier
Message Integrity
The recipient must be able to confirm that the document has not been altered since it was signed.
The appearance of an authorization form is up to the practice, but the Privacy Rule requires that it contain specific information. The required elements are: ◆ Date ____ ◆ ________ date ◆ To whom the information may be _____ ◆ What is _____ to be disclosed ◆ For what purpose the ______ may be used
◆ Date signed ◆ Expiration date ◆ To whom the information may be disclosed ◆ What is permitted to be disclosed ◆ For what purpose the information may be used