HIT 101 - Final 3
Difference between General Consent and Informed Consent
General Consent: obtained on admission, giving the provider and organization permission for intervention. Informed Consent: obtained for more invasive interventions; the patient was educated on the intervention being given.
Legal action - granted by ARRA and HITECH
Grants state attorneys general the ability to bring civil actions in federal court on behalf of residents believed to have been negatively affected by a HIPAA violation.
What types of health record are subject to the HIPAA Privacy Rule?
HEALTH RECORDS IN ANY FORMAT
Legal significance of Licensure: the government entity has deemed the facility or person competent and safe to provide care.
HIM professionals are not LICENSED but can be CERTIFIED
HIM professional: certified or licensed
HIM professionals do not have a license but are CERTIFIED, e.g. RHIA, RHIT. Through AHIMA, master-level credentials are offered in coding (CCS) and health data analytics (CHDA). They may assume the role of maintaining and issuing licenses to organizations and MDs.
Negligence: 3 types
Nonfeasance: failure to act, such as not ordering a standard diagnostic test. Malfeasance: a wrong or improper act, such as removal of the wrong body part. Misfeasance: improper performance during an otherwise correct act, such as nicking the bladder during an otherwise appropriately performed gallbladder surgery.
1) Which of the following provides a complete description to patients about how PHI is used in a healthcare facility?
Notice of privacy practices - The notice of privacy practices provides a description to patients about how PHI is used.
Right of ACCESS - Opportunity to review
Two instances where access is granted: 1) where a licensed healthcare professional determines that access to the requested PHI would likely endanger the life or physical safety of the individual or another; 2) where access would reasonably endanger the life or physical safety of another person mentioned in the PHI.
CSO (chief security officer)
Responsible for the technical aspects of ensuring the security of information, such as the development and use of firewalls, intranets, extranets, and anti-virus software.
Authorization - HIPAA REQUIRED - Uses and disclosure of PHI
Two instances: 1) when the individual or representative requests access to, or an accounting of disclosures of, the PHI; 2) when HHS is conducting an investigation, review, or enforcement action.
DHHS
Under the Executive Branch. Its mission is to enhance and protect the well-being of all Americans by providing health and human services and promoting advancements in medicine, social and public services.
General Consent
Obtained from a patient for routine treatment; failure to do so can result in legal action, generally for battery or harmful or offensive contact.
digital certificate
Used to implement public key encryption on a large scale. An electronic document that uses a digital signature to bind together a public key with an identity, such as the name of a person or an organization, address, and so on. A CA (certificate authority) acts as the middleman whom the sending and receiving computers trust, confirming that each computer is who it says it is.
Malware transmission
Usually gains access to computers via the internet, as attachments in emails or through browsing a website that installs the software after the user clicks on a popup window.
6 key areas of an EHR
Volume and duplicity; persistence; dynamic, changeable content; metadata; environmental dependence and obsolescence; dispersion and searchability.
Tort - intentional
Where an individual purposely commits a wrongful act that results in injury.
"Pursue and Prosecute"
Includes the monitoring of an attack, the minimization of the attack, the collection of the evidence and the involvement of the law enforcement agency, e.g. identity theft.
Privacy Rule outlines 3 key documents
Which inform patients and give them a degree of control over their PHI: 1) Notice of Privacy Practices; 2) Authorizations; 3) Consent (optional per HIPAA).
Likelihood determination:
An estimate of the probability of threats occurring. (Security Rule)
Impact Analysis:
What the impact of threats on information assets might be. (Security Rule)
PSO (Patient Safety Organization) - a business associate inclusion under HIPAA
Receives and analyzes patient safety issues. Other business associate inclusions: health information organizations (HIOs); e-prescribing gateways and persons who facilitate data transmissions; PHR vendors who enable covered entities (CEs) to offer PHRs to their patients as part of the CE's EHR.
Right of Amendment - request of amendment of PHI
With this right, one may request that a CE amend PHI or a record about the person in a DRS (Designated Record Set). Response: within 60 days, with a 30-day extension.
Brief
A written statement by an attorney that summarizes a case and the laws and rulings that support it.
Appellate Courts
Part of the state court system.
Advance Directive
A special type of consent that communicates a person's wishes about treatment if the person should become unable to express them on his or her own behalf.
res judicata
"The thing has been decided." A claim cannot be retried between the same parties if it has already been legally resolved. (Under common law.)
Which of the following actions by the health records custodian affirms the legitimacy of the health record?
Authentication
Security Breaches - Types
Unauthorized data or system access: by people from both inside and outside the organization. Can occur through hardware or software failures and when an intruder hacks into the system. **More often they occur when an employee within an organization either accesses information without authorization or deliberately alters or destroys information.
Health Record
"Comprises individually identifiable data, in any medium, that are collected, processed, stored, displayed, and used by healthcare professionals" for any episodes of care for the person.
Jurisdiction
(n.) An area of authority or control; the right to administer justice. *The authority of the court to hear a case. **The health record of an individual who is party to a legal proceeding is usually admissible in litigation or judicial proceedings provided it is material or relevant to the issue. Either a court order or a subpoena is used to obtain the health information.
OTP
(One-time password) A password that is generated for use in one specific session and becomes invalid after the session ends. Usually a combination of a token and a password.
Hearsay
An out-of-court statement used to prove the truth of a matter; it is inherently deemed untrustworthy because the maker of the statement was not cross-examined at the time the statement was made. Exception: business records, which are deemed inherently trustworthy.
Statute of Limitations - health records
The period of time in which a lawsuit must be filed. Health records must be kept in their original form for a period coinciding with the statute of limitations for that state.
Legalities
**The health record of an individual who is party to a legal proceeding is usually admissible in litigation or judicial proceedings provided it is material or relevant to the issue. Either a court order or a subpoena is used to obtain the health information. Responses to court orders and subpoenas depend on state regulations: some states allow copies of health records to be certified and mailed to the clerk, whereas some states only allow in-person submission of the health record.
Subpoena
**Most important discovery tool. It is NOT a method that elicits information; instead it facilitates DISCOVERY by compelling individuals to appear at a certain time and place or to produce requested documentation. -These subpoenas may direct that originals or copies of health records, lab reports, X-rays or other records be brought to a deposition or to court. -In most cases, an authorization or permission from the individual accompanies the subpoena. -Two types of subpoenas: -Subpoena ad testificandum: seeks testimony. -Subpoena duces tecum: to bring documents and other records with oneself.
HIPAA - 5 titles
**Title II is the most relevant title to the HIM professional, containing provisions relating to the prevention of healthcare fraud and abuse, medical liability (medical malpractice) reform, and administrative simplification. -Title I: Insurance Portability -Title II: Administrative Simplification -Title III: Medical Savings and Tax Deduction -Title IV: Group Health Plan Provisions -Title V: Revenue Offset Provisions
Negligence Lawsuit
**To be successful, the plaintiff must prove four elements: 1) the existence of a duty to meet a standard of care (degree of caution expected of an ordinary and reasonable person under given circumstances); 2) breach of or deviation from that duty; 3) causation, the relationship between the defendant's conduct and the harm that was suffered; 4) injury (harm), which may be economic (medical expenses and loss of wages) or non-economic (pain and suffering).
Destruction of Health records process
*Any health record involved in investigations, audits, or litigation should not be destroyed, even if the records retention schedule would provide for destruction of the record. Process: -A list of all the destroyed health records and the manner of destruction must be documented. -A certificate of destruction is presented. -An agreement that assures protection of the information should also be obtained.
EHR charting changes
*Electronic record corrections are particularly important because courts have historically viewed their integrity as SUSPECT. Thus procedures must be developed to control, check and track changes made to data housed in the EHR. In particular, changes must be transparent so a court is satisfied that they cannot be done surreptitiously and without traceable evidence of change.
Disclosures without patient authorization
*May be required under specific state statutes, for instance: -reporting vital statistics (birth and death); -other public health, safety or welfare situations, e.g. STD spread, injuries from firearms, knives, or other violent criminal activity; -treatment of suspected victims of child abuse or neglect.
DPOA-HCD Health care decisions
An individual, while STILL COMPETENT, designates another person (PROXY) to make healthcare decisions consistent with the individual's wishes.
CIPHERS
Codes that are to be kept secret (under cryptography).
Security Rule standards - HIPAA
-Administrative safeguards -Physical safeguards -Technical safeguards -Organizational requirements -Policies and procedures and documentation requirements. These enforce the TENET of information governance, which is the protection of information and access by authorized individuals only.
Legal health record distinction
-It is important to an organization's business and legal processes. -Because the legal health record is the record that is produced upon request, including legal requests, it becomes important to make sure that the record is legally sound and defensible as a valid document in legal situations. Specific data: the DRS and EHR are MORE expansive than the LHR.
HIM professional - legal aspects regarding health records include:
-Compilation, maintenance and retention of health records -Ownership and control of health records, including use and disclosure -Defining the legal health record **HIM professionals may also be involved in the medical staff credentialing process as well as organizational licensure, certification and accreditation.
Authorization - four types
-Compound: combined with any other legal permission. -Conditioned: sets the circumstances under which the policy applies. -Stand-Alone: -Unconditioned:
Malware (Malicious Software)
-Computer virus: a program that reproduces itself, attaches itself to legitimate programs on a computer, and can be programmed to destroy, change or corrupt data. -Computer worm: a program that copies itself and spreads throughout a network; it can independently execute and run itself. -Trojan horse: a program that gains unauthorized access to a computer and masquerades as useful information; capable of compromising data by copying confidential files to unprotected areas of the computer system, and may copy itself and send itself to e-mail addresses in a user's computer. -Spyware: a computer program that tracks an individual's activity on a computer system, storing confidential information like passwords; cookies are a type of spyware. -Backdoor programs: a computer program that bypasses normal authentication processes and allows access to computer resources such as programs, networks or entire systems. -Rootkit: a computer program designed to gain unauthorized access to a computer, assume control over the operating system and modify the operating system.
Discovery
-Considered both a process and a period of time; a pretrial stage where parties to a lawsuit use numerous strategies to discover or obtain information that other parties hold. -Purpose: to learn each party's relative weaknesses and strengths in a case, to avoid surprise at trial and perhaps encourage pretrial settlement. Types of discovery: -Subpoena (most important type of discovery) -Deposition -Interrogatories -Court order -Warrants -E-discovery -Metadata
Right of Accounting requirements - Elements to be included per ARRA
-Date of disclosure -Name and address, if known, of the entity or person who received the information -Brief description of the PHI disclosed -Brief statement of the purpose of the disclosure, or a copy of the person's written authorization or request.
Litigation Process - Third step: Complaint response
-Denying -Admitting -Pleading ignorance of the allegations -Bringing a countersuit (counterclaim) against a third party (joinder) or against another defendant (cross-claim)
Disclosure
-Disclosure is how health information is disseminated outside of the facility. -It becomes very important when the facility is under litigation and health information becomes key evidence necessary for fact-finding during the discovery process and trial.
Advance directive - three types of document specifying a person's specific wishes
-Durable power of attorney for healthcare decisions (DPOA-HCD) -A living will -Do-Not-Resuscitate (DNR). JCAHO-accredited organizations are required to implement policies regarding advance directives and DNR orders.
Security Program should contain
-Employee awareness, including ongoing education and training -Risk management programs -Access safeguards -Physical and administrative safeguards -Software application safeguards -Network safeguards -Disaster planning and recovery -Data quality control process
When is the use or disclosure of PHI permitted, even without patient authorization? (The patient is able to agree or deny)
-Facility directory (patient list, hospital census) -Notification of family and friends
Health Record guidelines according to AHIMA:
-The health record should be organized systematically to facilitate the retrieval and compilation of data. -It should only be documented by persons authorized by the hospital's policies and medical staff rules and regulations. -Hospital policy and medical staff rules and regulations should specify who may receive and transcribe an MD's verbal orders. -Record entries should be documented at the time the treatment described is rendered. -Authors of all entries should be clearly identifiable. -Abbreviations and symbols should be used in the health record ONLY when approved by hospital and medical staff bylaws and per regulations; JCAHO maintains a list of prohibited abbreviations that facilities must consider. -All entries in the health record should be permanent. -To correct errors or make changes in the paper health record, a single line should be drawn in ink through the incorrect entry. *The word ERROR should be printed at the top of the entry along with a legal signature or initials. *Electronic record corrections are particularly important because courts have historically viewed their integrity as SUSPECT. Thus procedures must be developed to control, check and track changes made to data housed in the EHR. In particular, changes must be transparent so a court is satisfied that they cannot be done surreptitiously and without traceable evidence of change. -If a patient wishes to change information in his or her health record, the change should not be made to the original entry but rather should be made as an ADDENDUM (or amendment). *The changes should be clearly identified as an additional document appended to the original health record at the request of the patient. Under HIPAA the patient is allowed to request amendment of his or her EHR, but the provider may be allowed to deny the requested change.
Deposition
-An important discovery method. Definition: a formal proceeding where the oral testimonies of parties to a lawsuit (plaintiff and defendant) and other relevant witnesses are obtained. -Attendance is compelled by a subpoena (a court order of instructions). -Plaintiff and defendant are usually present. -HIM professionals can be subpoenaed to testify as to the authenticity of the health records by confirming the records were compiled in the usual course of business and have not been altered in any way.
3 parts that define PHI
-Must be identifiable health information (meaning the ability to identify the person). -Must relate to past, present and future mental and physical health, as well as financial. -Information is transmitted or held under a covered entity or business associate. Per ARRA, a deceased person no longer has PHI and is not covered by HIPAA.
HIPAA - pre-enactment of HIPAA
-No federal statutes or regulations generally protected the confidentiality of health information. -Laws varied considerably (state by state), creating a patchwork of laws across the US. -Many states passed laws that protected only highly sensitive health records such as mental health and HIV/AIDS. -Many had to resort to lawsuits for wrongful health record disclosure, often alleging negligence.
Authorization - permitted without authorization - uses and disclosures of PHI
-Patient HAS the opportunity to formally agree or disagree: **facility directory **notification of relatives and friends. -Patient DOES NOT have the opportunity to agree or object: -As required by law (to meet public interest) -Public health activities (preventing and controlling disease, injuries and disabilities) -Victims of abuse, neglect, or domestic violence -Healthcare oversight activities (audits and investigations, licensure, inspections) -Judicial and administrative proceedings (court orders, subpoenas, discovery process) -Law enforcement purposes (including deceased individuals, ongoing investigations) -Decedents (coroner or medical examiner) -Cadaveric organ, eye, or tissue donation -Research (IRB or privacy board must exempt the authorization requirement) -Threat to health and safety -Specialized government functions -Workers' compensation -Incidental uses or disclosures -Limited data sets
Security Program - embodies 3 basic elements
-Protecting the privacy of data -Ensuring the integrity of data -Ensuring the availability of data.
General Rule
-Provides the objective and scope of the HIPAA Security Rule as a whole. Specifies that covered entities must develop a security program that includes a range of security safeguards to protect persons' identifiable health information maintained or transmitted in electronic form.
When is the use or disclosure of PHI permitted, even without patient authorization? (The patient is NOT able to agree or deny)
-Public interest and safety (12 listed - S234) -TPO -Per patient request -Incidental disclosures (calling a patient at the RN station) -Limited data set (lacks direct PHI identifiers)
HIPAA - Persons rights and time frames
-Right to access: 30-day response (60 if PHI is not onsite) / 30-day extension -Right to request amendment of PHI: 60 days / 30-day extension -Right to accounting of disclosures: 60 days after receipt of request / 30-day extension (no charge for PHI within a 12-month period) -Right to request confidential communications -Right to complain of Privacy Rule violations
Health record - organizations' compilation and maintenance
-State laws -Federal laws -Organizations, e.g. JCAHO, AHIMA -Third-party payers **Taking into consideration all these rules and regulations, the healthcare organization establishes its own requirements to ensure the UNIFORMITY of health record format and content. **Using the form of organizational policies and procedures as well as medical staff practices.
Arbitration
-Sub-category of Alternative Dispute Resolution -Settling a dispute by agreeing to accept the decision of an impartial outsider
US constitution
-The US constitution does not grant a right to PRIVACY, but courts have interpreted it to give privacy rights in certain areas such as: -Religion -Child bearing. -There are currently no health information rights to privacy. Coverage: child-bearing, religion.
Authorizations are deemed INVALID if:
-The expiration date has passed or the expiration event is known by the covered entity to have occurred -The authorization has not been filled out properly/completely -The authorization is known by the covered entity to have been revoked -The authorization lacks a required element (signature) -The authorization violates the compound authorization requirements -Any material information in the authorization is known by the covered entity to be false
Appeal court or Supreme Court
-These trials are not "reenactments." Legal documents are prepared by each party's attorney, who argues the merits of the case before a panel of appellate judges. **Appeals are designed nearly exclusively to address legal errors or problems alleged to have occurred at the lower court; they are not meant to address the facts of the case again.
Information Security Committee
-Works with the CSO to evaluate the organization's security needs -Establish a security program -Develop associated policies and procedures, including monitoring and sanction policies -Ensure that the policies are followed
Authorization should contain at least the following elements to be VALID:
-A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion -Name or other specific identification of the person or class of persons authorized to make the requested use or disclosure
Security rule standards are grouped into five categories:
-Administrative safeguards -Physical safeguards -Technical safeguards -Organizational requirements -Policies and procedures and documentation requirements
Access Control foundation
-Identification -Authentication -Authorization
Beneficence
-Part of health care ethics -Doing good or causing good to be done; kindly action
PHI
-Requires meeting all 3 parts: ~All information must be held or transmitted within the CE or BA ~Must be individually identifiable information ~Must relate to past, present or future physical, mental or financial condition
When is the use or disclosure of PHI required, even without patient authorization? (2)
-When the patient or representative requests access and an accounting of disclosures. -When DHHS is conducting a review, investigation, or enforcement action.
Metadata
-Data about data, a concept that was unheard of in paper documentation. -Provides information such as who accessed or attempted to access a system and when, which parts of the system were affected, and what operations took place.
PHI - three part test
1) The information must be held or transmitted by a covered entity or a BA in any form. 2) It must be individually identifiable health information (identifies the person or provides a reasonable basis to believe the person could be identified from the information). 3) It must relate to one's past, present, or future physical or mental health condition, the provision of healthcare, or payment for care.
HIPAA - Privacy Rule 2 main Goals
1) To provide greater privacy protections for one's health information, also serving to limit access by others. 2) To provide a person with greater RIGHTS with respect to his or her health information. *HIPAA implementation furthers this goal.
An effective data security program embodies:
Availability Integrity Privacy
Right of ACCESS - Process after a denial of access has been made
1) The CE must write a denial letter in plain language and include a reason. 2) It must explain that the person has the right to request a review of the denial. 3) It must describe who the person may contact regarding the denial, including the name, title and office number. 4) It must include information on how to contact the Secretary of HHS. Alternatively, the person has the right to have the denial reevaluated by another health professional who did not participate in the original denial and is designated by the CE to act as the reviewing official. The CE must then grant or deny according to the reviewing official's decision.
Release of Information (ROI) - Process of information request
1. Enter the request in the ROI database (patient name, DOB, MRN, name of requester, purpose, what was requested, etc.). 2. Determine the validity of the authorization (organizational requirements are based on state and federal regulations, e.g. requests that pertain to HIV records, abuse treatment, behavioral treatment). **If the authorization is invalid, this is noted in the ROI database and the request is returned to the requester. 3. Verify the patient's identity (HIM verifies that the person has been a patient at the facility and compares the information provided as well as the signature). 4. Process the request (the record is retrieved, and only the information authorized for release is copied and released).
Breach - exemptions
1. Unintentional acquisition made in good faith and within the scope of authority. 2. Disclosures where the recipient would not reasonably be able to retain the information. 3. Disclosures by a person authorized to access PHI to another authorized person at the covered entity or BA.
Authorization - Does NOT HAVE the opportunity to agree or object - NO OPTION TO AGREE OR DISAGREE
16 circumstances where PHI can be used or disclosed WITHOUT the person's authorization or an option to agree or disagree: -As required by law (to meet public interest) -Public health activities (preventing and controlling disease, injuries and disabilities) -Victims of abuse, neglect, or domestic violence -Healthcare oversight activities (audits and investigations, licensure, inspections) -Judicial and administrative proceedings (court orders, subpoenas, discovery process) -Law enforcement purposes (including deceased individuals, ongoing investigations) -Decedents (coroner or medical examiner) -Cadaveric organ, eye, or tissue donation -Research (IRB or privacy board must exempt the authorization requirement) -Threat to health and safety -Specialized government functions -Workers' compensation -Incidental uses or disclosures -Limited data sets
IRB (Institutional Review Board)
A 5-member board that reviews research proposals for ethical violations/procedural errors. Under the Common Rule, which requires signed consent, the IRB is able to waive consent of the participant.
Risk Analysis
Identifying security threats, including identifying vulnerabilities. (Security Rule)
"Watch and Warn"
Includes monitoring and notification of an incident but takes no immediate action.
Healthcare clearinghouses - covered entity
Those that process claims between a healthcare provider and payer (e.g. an intermediary that processes a hospital's claim to Medicare to facilitate payment).
Healthcare providers - covered entity
Those who conduct certain transactions electronically (financial or administrative).
RBAC (Role Based Access Control)
A "real-world" access control model in which access is based on a user's job function within the organization. Used most frequently. CBAC is less stringent than RBAC.
Implied Contract
A contract formed in whole or in part from the conduct of the parties. **Created by the parties' behaviors (e.g. a patient's arrival at an MD's office).
Legal Hold
A court order to preserve data for the purposes of an investigation. Upon receipt of a legal hold notification, a company is required to activate a defensible policy for the preservation of the data. A legal hold supersedes the routine destruction procedure (retention and destruction) and also applies to e-discovery; it prevents spoliation of evidence.
UPS (uninterruptible power supply)
A device that provides backup power when the electrical power fails or drops to an unacceptable voltage level, e.g. power generators.
CMS (Centers for Medicare and Medicaid Services)
An agency within the cabinet-level HHS (Department of Health and Human Services); the division responsible for developing a replacement for ICD-9-CM Volume 3 procedure codes.
Preemption
A doctrine under which certain federal laws preempt, or take precedence over, conflicting state or local laws. -The Privacy Rule is only a federal "floor", or minimum, of privacy requirements, so it does not preempt or supersede stricter state laws/statutes.
Court Order
A document issued by a judge that compels certain actions, such as testimony or the production of documents such as health records. -If the person does not comply, he/she is at risk of contempt-of-court (failure to comply) sanctions, possibly including jail time.
Employee awareness program
A good security program should have an ______ to educate employees about security policies and procedures. It should include policies and procedures regarding mobile devices, the use of e-mail and faxed information, and appropriate and inappropriate use of social media, and the consequences of failing to follow them.
Health record - compilation and maintenance
A health record can be defined as written or graphic information documenting facts and events during the rendering of patient care, in either paper or electronic format. **Best practices dictate that health record entries and records must in their entirety be COMPLETE, ACCURATE AND TIMELY.
Breach notification
A requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) whereby all affected parties (individuals affected, the federal government, and media outlets) must be notified if protected health information has been involved in a security breach. FTC (Federal Trade Commission): the main federal agency designed to enforce consumer protection laws. Applies ONLY to unsecured PHI that technology has not made unusable, unreadable, or indecipherable to unauthorized persons.
Mediation Under Judicial Decision
A method of settling disputes outside of court by using the services of a neutral third party, called a mediator. The mediator acts as a communicating agent between the parties and suggests ways in which the parties can resolve their dispute. **Parties agree to submit a dispute to a third-party facilitator, who assists the parties in reaching an agreed-upon resolution.
Incident response plan
A plan that an organization uses to categorize a security threat, determine the cause, preserve any evidence, and get the systems back online so the organization can resume business. -Includes management procedures and responsibilities to ensure a quick response is effectively implemented for specific types of incidents. TYPES: -"Watch and Warn": includes monitoring and notification of an incident but takes no immediate action. -"Repair and Report": a response used in the case of a virus attack. -"Pursue and Prosecute": includes the monitoring of an attack, the minimization of the attack, the collection of the evidence and the involvement of the law enforcement agency, e.g. identity theft.
Certification
A process in which a person, an institution, or a program is evaluated and recognized as meeting certain predetermined standards to provide safe and ethical care.
Privileged communication
A protection for patient confidentiality. *Generally prohibits medical practitioners from disclosing information arising from the parties' professional relationship and relating to the patient's care and treatment. *If patients WAIVE their privilege, the medical provider is NOT prohibited from making disclosures.
Right of Access report
A report of all persons (within the facility) who have had access to a patient's protected health information. TPO disclosures would appear in the Access Report rather than the Accounting of Disclosures. Proposed by HHS and is still pending.
National Practitioner Data Bank (NPDB)
A repository of information about health care practitioners, established by the Health Care Quality Improvement Act of 1986. Main goal is to limit the movement of MDs between states where their negative history might otherwise go undetected after the move(s). Penalties and liability can result from not using the NPDB.
Common Rule 1981
A result of the Tuskegee Syphilis Study on black farm workers. Rules of ethics pertaining to human subjects research, based on the Belmont Report (an outline statement of basic ethical principles re: human studies) and a DHHS federal ruling.
Health care ethics -4
B-ioethics M-edical ethics A-pplied ethics P-rofessional ethics
External threats
A threat to an IT system that comes from outside the organisation (hackers, viruses).
Bench Trial
A trial in which a judge alone hears a case (no jury); a trial by judge, as opposed to a trial by jury. The term applies most appropriately to any administrative hearing in relation to a summary offense, to distinguish the type of trial.
Administrative Law
A type of public law. The executive branch of government is responsible for enforcing laws enacted by the legislative branch. Administrative agencies, which are part of the EXECUTIVE branch, develop and enforce rules and regulations that carry out the intent of statutes, i.e. HHS developed rules and regulations to carry out the intent of the HIPAA statute, and it has the power to enforce them (under administrative law). The FDA, within HHS, has the power to develop rules that control the manufacture of drugs. ***The LEGISLATIVE branch of the federal govt has given a number of administrative agencies the power to establish regulations.
single sign-on
A type of technology that allows a user access to all disparate applications through one authentication procedure, thus reducing the number and variety of passwords a user must remember, and enforcing and centralizing access control.
1) Which of the following determines health record content?
ACCREDITING BODIES
Sale of information
Addressed specifically by ARRA, which prohibits a covered entity or BA from selling (receiving direct or indirect compensation in exchange for) an individual's PHI without that individual's authorization; the authorization must also state whether the individual permits the recipient of the PHI to further exchange the PHI for compensation. Exemptions: -Public health and research data -Treatment -Healthcare operations to a BA pursuant to a business associate agreement -To a person who is receiving a copy of his or her own PHI -Other exemptions deemed by the Secretary of HHS.
1. CONSENTS: play an important role in documenting individuals' wishes regarding the healthcare they will receive.
Advance Directive: important in documenting the person's end-of-life decisions.
Right of Access
Allows an individual to inspect and obtain a copy of his or her own PHI contained within a designated record set, such as a health record. -This right extends as long as the PHI is maintained, although HIPAA does not require records be retained for a specified period. -Exceptions to access are: ~Psych notes ~Information compiled in reasonable anticipation of a civil, criminal, or administrative action or proceeding ~PHI subject to CLIA (Clinical Laboratory Improvement Act)
FACTA - Fair & Accurate Credit Transactions Act
Amendment to FCRA. Provides help with identity theft and credit fraud, and with employee misconduct investigations by third parties. Does not specifically address medical identity theft.
False Claims Act
An act that allows employees to sue employers on behalf of the federal government for fraud against the government. The employee retains a share of the recovery as a reward for his or her efforts. May be brought up to 10 YEARS after the incident.
Health Record - Disclosure
how health information is disseminated externally
Health Record - USE
how information is used internally
Compound authorization
An authorization that combines informed consent with an authorization for the use and/or disclosure of protected health information. Under HIPAA, an authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows: (i) an authorization for the use or disclosure of protected health information for a research study may be combined with any other type of written permission for the same or another research study; (ii) an authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes; (iii) when a covered entity has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits under this section on the provision of one of the authorizations (45 CFR 164.508 2013).
personal health record (PHR)
An electronic or paper health record maintained and updated by an individual for himself or herself; a tool that individuals can use to collect, track, and share past and current information about their health or the health of someone in their care. *Owned and managed by the individual who is the subject of the record.
PKI (Public Key Infrastructure) or PGP (Pretty Good Privacy)
An encryption system that is composed of a CA, certificates, software, services, and other cryptographic components, for the purpose of verifying authenticity and enabling validation of data and entities.
business associate
An organization or individual who provides specific services to a covered entity involving the use or disclosure of PHI; for example, an off-site storage company that houses EMR data, law firms, transcription companies, etc. ARRA also includes Patient Safety Organizations (PSOs) in the BA definition. *BAs' subcontractors are also subject to the HIPAA rules and regulations, regardless of whether the agreement was signed.
PHI (Protected Health Information)
Any information concerning a patient's health, medical condition, diagnosis, or treatment; it can include financial information that could be identifiable to a person from the information given. Applies to electronic and paper information. **Per ARRA, the PHI of a deceased person is considered to be protected for 50 years.
Health Record- custodians
As the legal custodian, the org is responsible for ensuring that the health record's integrity is maintained and that the record is kept secure.
Business Associate Agreement (BAA)
As amended by HITECH, a contract between the covered entity and a business associate must establish the permitted and required uses and disclosures of protected health information by the business associate, and provides specific content requirements for the agreement. -The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of HIPAA, and requires termination of the contract if the covered entity or business associate is aware of noncompliant activities of the other (45 CFR 164.504 2013).
Executive Branch
Branch of government, headed by the President, that enforces the laws; comprises the President and staff, namely cabinet-level agencies, i.e. CMS (Centers for Medicare and Medicaid Services), HHS (Department of Health and Human Services).
4 main sources of law
C-onstitutional Law (branches of govt; public law) A-dministrative Law (branch of constitutional law) C-ommon Law (or case law; court system) S-tatutory Law (legislature)
CA (certificate authority)
A certificate authority acts as the middleman that both the sending and receiving computers trust, confirming that each computer is who it says it is.
1) A physician-patient relationship
CANNOT BE SUBJECT TO A BREACH OF CONTRACT LEGAL ACTION
CBAC (context-based access control)
CBAC is less stringent than RBAC. Limits a user's access based not only on identity and role, but also on a person's location and time of access. i.e. Two RTs might be given the same access based on their identical roles, but their access will be further refined based on the units to which they are assigned and the shift they are on.
Right of Access - requesting access to ones own PHI
CE may require the request be in writing. Response to the request in no more than 30 days (60 days if the information is off site, with a 30-day extension). Cost: copying, postage and preparation at reasonable cost. HIPAA does not permit retrieval fees to be charged to patients, but they are permitted for non-patient requests.
Right of Access - NO opportunity to review:
CE can deny a person access to the PHI without providing him/her an opportunity to review or appeal the denial when: -Psych notes -Use for criminal or civil litigation or admin action -CE is a correctional institution and the request of an inmate will create health or safety concerns -Research information that includes treatment, and an individual receiving treatment as part of a research study agrees to suspend his/her right to access temporarily -PHI was obtained by someone other than the healthcare provider under the promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information -Contains records that are subject to the federal Privacy Act -CE is subject to CLIA, which regulates the quality of lab testing, and CLIA would prohibit access -PHI is maintained by a CE exempt from CLIA
1) A lawsuit by a defendant against a plaintiff is
COUNTERCLAIM
Two-factor authentication:
requires the user to provide two means of authentication, what the user knows (password) and what the user has (security token)
Breach: Companion Breach Notification regulations
Companion Breach Notification regulations by the FTC provide protection to persons whose information has been breached by: -Non-covered entities -Non-BAs that are PHR vendors or third-party service providers -PHR vendors or others not covered by HIPAA.
Subpoena
Compels a response in a legal proceeding. Two main types: -Subpoena ad testificandum: a court summons to appear and give oral testimony for use at a hearing or trial; the use of a writ for purposes of compelling testimony. -Subpoena duces tecum (or subpoena for production of evidence): a court summons ordering the recipient to appear before the court and produce documents or other tangible evidence for use at a hearing or trial.
1) *** No medical liability for breach of contract can exist WITHOUT a physician-patient relationship.
Compliance with legal requirements for appropriate use and disclosure must be ensured, as must adherence to the profession's ethical principles.
Consent to Use or Disclose PHI
Consent: the patient's agreement to use or disclose personally identifiable information for treatment, payment and healthcare operations. Per HIPAA, healthcare providers are not required to obtain consent, but care providers obtain consent per facility policy, except at times of emergency. Obtained during patient care/procedure and has NO expiration date.
Testifying - HIM
Considered the custodian of the record. Custodians are called as a witness by one party or the other to testify as to the authenticity of a record sought as evidence. Testifying as to a record's authenticity means the record custodian is verifying that it contains information about the individual in question, was completed in the usual course of business, and is reliable and truthful as evidence. Parties may also agree to allow a photocopy of the record or a printed version of the electronic health record (EHR) to be introduced into evidence rather than the original.
Legislative Branch
Consists of the US Congress, which is comprised of the House of Representatives and the Senate, which create statutory law (statutes).
Sources of Public and Private Law
Constitutional, Statutory, Administrative, Judicial (Common Law/Case Law)
Business Associate Agreement
Contract between the provider, BAs, and a clearinghouse that submits the electronic claims on behalf of the provider regarding PHI disclosures. Has to meet HIPAA and ARRA requirements, which are to protect the information's security and confidentiality. **But if a person or org meets the definition of a BA, they are BY LAW a BA even if the required agreement has not been signed, and are SUBJECT to HIPAA's penalties if they violate HIPAA.
Statutory law (statutes)
Created by the legislative branch (Congress), i.e. Medicare and HIPAA. Statute law is written law set down by a body of legislature or by a singular legislator (in the case of an absolute monarchy). This is as opposed to oral or customary law, regulatory law promulgated by the executive, or common law of the judiciary. Statutes may originate with national or state legislatures or local municipalities.
Ethical Theories - 4
D-eontology (duty based) U-tilitarianism (what is the best option) R-ights based (everybody has rights) V-irtue based (do what makes one happy)
1) Which of the following is an element of negligence?
DUTY
Data Phases:
Data at rest: data contained in databases, file systems or flash drives. Data in motion: data moving through a network or wireless transmission. Data in use: data in the process of being created, retrieved, updated or deleted. Data disposed: discarded records and recycled electronic media. Critical to use appropriate data destruction methods to ensure the data cannot be read, retrieved or reconstructed in any way.
Data quality dimensions
Data availability: data are easily obtained. Consistency: component of data integrity. Definition: describing the data; every data element should have a clear meaning.
Metadata
Data that describes other data. For example, a digital image may include metadata that describe the size of the image, number of colors, or resolution. *Data about data; includes information that tracks actions such as when and by whom a document was accessed or changed.
Encryption - what can be encrypted
Data transfers, data at rest, passwords
Business Records Exception -exception to Hearsay
Deemed inherently trustworthy and admissible. Exception to hearsay: a rule under which a record is determined not to be hearsay if it was made at or near the time by, or from information transmitted by, a person with knowledge; it was kept in the course of a regularly conducted business activity; and it was the regular practice of that business activity to make the record.
Constitutional Law
Defines the amount and types of power and authority governments are given. The US Constitution defines and sets forth the powers of the 3 branches of the federal government, which are also found in state government: -Legislative -Executive -Judicial branch (the court system). Each state constitution is the supreme law of that state, but it is subordinate to the US Constitution, the supreme law of the nation.
Spoliation of Evidence
Deliberate withholding, changing, hiding, or destruction of evidence relevant to a legal proceeding. Prevented by a "legal hold".
Right of Amendment - DENIAL request of amendment of PHI -
Denial: CE may deny the request when the PHI: -Was not created by the covered entity -Is not part of the DRS -Is not available for inspection as noted in the regulation of access (inmate notes, psych notes) -Is accurate or complete as is. Request must be responded to no later than 60 days (30-day extension), allowing or denying the request in writing. Denial response must be made within 60 days of the request with a written letter in plain language and contain: -Basis for denial -The person's right to submit a written statement disagreeing with the denial -The process by which they can submit their disagreement -Explanation of how everything (the request and the denial) is documented -Description of how the person may complain to the CE.
DISCOVERY 5 main types
Deposition: in a formal proceeding, all parties involved, including witnesses, give oral testimony. Interrogatories: questions given to the other party; answers must be verified if answered by the lawyer. Subpoena: most important tool for discovery; compels the person to appear or produce documents. Court order: given by the judge. Warrants: given by the judge to allow law enforcement to obtain evidence or search.
Litigation Process- fourth step Discovery
Discovery is where parties use various strategies to obtain information about a case prior to trial and determine the strength of an opposing party's case. 2 common types of discovery methods: -Depositions: obtain one's out-of-court testimony under oath -Subpoena (an associated discovery tool): compels a response in a legal proceeding.
Notice of Privacy Practices
Document informing a patient of when and how their PHI can be used. -Must explain in plain language the patient's rights and the covered entity's legal duties with respect to PHI. It is provided at the first service delivered. Must be available at the site where the patient is treated and must be posted in a prominent place where patients can reasonably be expected to read it. Website availability with easy access.
Data Security
Encompasses measures and tools to safeguard data and the information systems on which they reside from unauthorized access, use, disclosure, disruption, modification or destruction.
Admissibility - information exclusion
Even relevant evidence with probative value (that is, something that provides value) may be excluded from admissibility if: 1) it is outweighed as unfairly prejudicial, or if presenting the evidence would cause undue delay; 2) it is misleading or redundant; 3) it is hearsay (an out-of-court statement used to prove the truth of a matter; inherently deemed untrustworthy because the maker of the statement was not cross-examined at the time the statement was made).
1) True or false. In all cases, a covered entity may deny an individual's request to restrict the use or disclosure of his or her PHI.
FALSE: The request may be denied in almost all cases, but it cannot be denied for disclosures to a health plan where the individual has paid for a service or item completely out of pocket.
The breach notification requirement:
FTC must be notified. -All persons whose information has been breached must be notified without unreasonable delay: *no more than 60 days *by first class mail *or by telephone (if there is threat of imminent use). -500 or MORE: **they must be individually notified **MEDIA OUTLETS must be used as a notification mechanism **the Secretary of HHS must be specifically notified. -Fewer than 500: **must be logged by the CE in an HHS online reporting system **submitted annually as a report no later than 60 days after the end of the calendar year.
CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart)
Falls under authorization. Used when the system needs to verify that the user is HUMAN. Requires the user to respond to a question that is assumed could be answered by a machine. A typical CAPTCHA is when access to a site requires the user to type a string of characters that appears skewed or distorted.
1) True or False: The Joint Commission sets the official record retention standards for hospitals and other healthcare facilities.
False
HIM - Testimony
Focus is on the authenticity of the health record and refers to the document's baseline trustworthiness. If questions are outside the scope of expertise of an HIM professional, then he/she must respectfully decline to answer the question by stating it is beyond the scope of expertise, i.e. eliciting information about a patient's condition or purpose for medical treatment.
Statutes
Form statutory law. Enacted by legislative bodies. The US Congress and state legislatures are legislative bodies. Local bodies, such as municipalities, also can enact statutes, sometimes referred to as ordinances.
Judicial Decision (Common Law/case law)
Fourth source of law, created from court (judicial) decisions. Courts interpret statutes, regulations and the constitution and resolve individual conflicts. Main source of PRIVATE law.
Deidentified Data - HIPAA requirements
HIPAA requires that the covered entity do one of the following things to ensure deidentification: 1) The covered entity can STRIP certain elements to ensure that the patient's information is truly deidentified (anything unique to that individual). 2) The covered entity can have an EXPERT APPLY GENERALLY ACCEPTED STATISTICAL AND SCIENTIFIC principles and methods to minimize the risk that the information might be used to identify a person.
Which of the following statements is true?
HIPAA states that state law preempts the HIPAA privacy rule. They do not need to consult an attorney because they know the state law is stricter and therefore should abide by it.
Title II: Administrative Simplification
HIPAA's attempt to streamline and standardize the health care industry's nonuniform business practices, such as billing, including the electronic transmission of data. Contains: -Transactions -Identifiers -Security -Privacy -Enforcement
3 Main Covered Entities the Privacy Rule (HIPAA) applies to.
Health care providers that conduct the transactions, i.e. MDs, pharmacies, long-term care facilities. Health plans that pay for the cost of Medicare, i.e. insurance companies. Healthcare clearinghouses that process the claims between the hospital and payer, i.e. an intermediary that processes Medicare claims to facilitate payment.
Tort Liability
Healthcare providers also can be held responsible for professional tort liability when they harm another person.
Right to request confidential communications
Healthcare providers and health plans must give individuals the opportunity to request that communications of PHI be routed to an alternative location or by an alternative method. -Health plans must honor the request if it is reasonable and if the requesting individual states that disclosure could pose a SAFETY RISK. -Request can also be refused if the person does not provide information as to HOW PAYMENT WILL BE HANDLED or an alternative address or method by which he or she can be contacted. i.e. A woman seeking help from an abusive relationship may request that billing information from her psychiatrist be sent to her work instead of her home.
General Jurisdiction Trial Courts
Hear cases of a general nature that are not within the jurisdiction of limited-jurisdiction courts. Record and store testimony and evidence. Courts that hear any civil or criminal cases that have not been assigned to a special court. *Hear more serious criminal cases or civil cases involving larger sums of money.
Disclosure
How health information is disseminated outside an organization.
1) Which of the following is a characteristic of a LEGAL HEALTH RECORD?
IT IS THE RECORD DISCLOSED UPON REQUEST
Health Record Changes - per patient request
If a patient wishes to change information in his or her health record, the change should not be made to the original entry but rather should be made as an ADDENDUM (or amendment). *The changes should be clearly identified as an additional document appended to the original health record at the request of the patient. Under HIPAA the patient is allowed to request an amendment to his or her EHR, but the provider may be allowed to deny the requested change.
Causes of Action
In civil lawsuits, the allegation that the harm suffered by the plaintiff (victim) was a direct and proximate result of the defendant's behavior. i.e. Breach of contract, intentional tort, negligence. **Theories UNDER WHICH LAWSUITS ARE BROUGHT THAT ARE RELATED TO PROFESSIONAL LIABILITY.
Release of Information (ROI) - quality control
Includes both: Productivity (turnaround time) **Continuity of care information requests take PRIORITY when released/processed **To monitor timeliness, the date the request is received and the date the copies are sent are entered in the ROI database to determine patterns. Accuracy (information released appropriately) **A sample authorization is checked to verify authorization validity and to ensure compliance with federal and state regulations **Validation of the appropriate records released is also conducted.
Discoverable Data
Includes: EHR, emails, texts, voicemails, drafts of documents, electronic schedulers, websites, and information housed on mobile devices such as smartphones, etc.
Private Law (Civil Law)
Involves rights and duties among private entities or individuals. Gets its main source of law from JUDICIAL decisions. i.e. When a contract for the purchase of a house is written between two parties. Covers: contracts, property, torts (injuries), civil actions. In medicine, often applies when there is a breach of contract or when a tort occurs through malpractice.
Public Law
Involves the government at any level and its relationship with individuals and organizations. Purpose: to define, regulate and enforce rights where any part of a govt agency is a party. Most common type: criminal law. Also covers: -COP (Medicare Conditions of Participation): the requirements set forth for healthcare providers who accept Medicare patients -Criminal actions -Civil actions -Administrative law
1. Autonomy
It is an established right in the US; individuals generally have the right of autonomy over their own bodies. Included in this right is the right of individuals to make their own health care decisions, provided that they are not legally incompetent.
1 Which of the following statements is true of the notice of privacy practices?
It must be provided to every individual at the first time of contact or service with the covered entity. Notice of privacy practices must be given to every patient the first time they come to the facility for care.
1 Mary's PHI was breached by her physician office when it was disclosed in error to another patient. Which of the following breach notification statements is correct regarding the physician office's required action?
It must report the breach to HHS within 60 days after the end of the calendar year in which the breach occurred
1) A court's legal authority to make decisions is called
JURISDICTION
Litigation Process- fifth step Trial
Jury selection: through the process of voir dire. If a jury is waived, a judge hears the case, called a bench trial. Evidence is presented. The plaintiff's attorney is first to call witnesses and present evidence. In turn, the defendant's attorney calls witnesses and presents evidence. **Typically, in both health-related and non-health-related cases that involve records as evidence, the record custodian is called as a witness by one party or the other to testify as to the authenticity of the records sought as evidence.
Tort Law
Law that deals with harm to a person or a person's property. **Is broad and includes non-healthcare-related acts (i.e. when someone goes through a red light and strikes another vehicle) or health-related acts (a nurse administers the wrong medication).
HIPAA Privacy Rule
Law that regulates the use and disclosure of patients' protected health information (PHI). One of the key federal laws that govern the protection of PHI. Sets a minimum (floor) of privacy requirements.
Difference between LHR , DRS, EHR, PHR
Legal Health Record: record released upon valid request; business record. Designated Record Set: amended by HITECH; any collection, item, or grouping of information that includes protected health information that is maintained by the organization; more expansive than the LHR. Personal Health Record: owned and managed by the person who is the subject of the document; not part of the LHR. Electronic Health Record: more expansive than the LHR because it contains metadata.
"record released upon a valid request"
Legal health record
Alternative Dispute Resolution (ADR) and its 2 sub-categories
Legal option for solving disputes out of court: arbitration (arbitrator/third party); mediation (mediator).
Threats caused by People
Most threats come from the org's employees. 1. Threats from insiders who make unintentional errors. Unintentional errors are one of the major causes of security breaches. --Staff that make typographical errors, inadvertently delete files or disclose information. 2. Threats from insiders who abuse their access privileges to information. --Disclosing information to other staff who do not have authorization, staff storing info on a thumb or flash drive, snooping on information they are not supposed to see. 3. Threats from insiders who access information or computer systems for spite or profit. --Those who seek to commit theft or fraud. 4. Threats from intruders who attempt to access information or steal physical resources. --Those who come onto the org's property to access information or steal equipment. 5. Threats from vengeful employees or outsiders who mount attacks on the org's information system. --Malicious hackers; disgruntled employees might destroy hardware or software.
Deidentified Data
NOT protected by the Privacy Rule. -Does not identify an individual because personal characteristics have been stripped from it in such a way that it cannot later be reconstituted or combined to re-identify a person. -Most commonly used in RESEARCH.
Informed Consent
Needed when a treatment or procedure becomes progressively more risky or invasive. Form must be completed to ensure the patient has a basic understanding of the treatment or diagnosis along with the risks of the treatment or procedures. Usually a process, and it is the responsibility of the provider who will be rendering the treatment or performing the procedure. **Failure to obtain the consent can later result in legal action against them based on NEGLIGENCE.
Breach Notification Rule
ONLY applies to UNSECURED PHI that technology has not made unidentifiable, unreadable, unusable, or indecipherable to unauthorized personnel.
ONC
Office of the National Coordinator for Health Information Technology
Malware precautions
Orgs establish antivirus software and specify: -What devices should be scanned (servers, email, computers) -What programs, documents, and files should be scanned -How often scans should be scheduled -Who is responsible for ensuring that scans are completed -What action should be taken when malware is detected -Filters should be used to filter both outgoing and incoming e-mail so that malware is quarantined.
1) Administrative law is which type of law?
PUBLIC LAW
Health Record - Access
Patients and other legitimately interested third parties have the right to access them. Associated with control is the issue of patients' access to their own health records. State law and HIPAA grant individuals the right to access their protected health information, with some exceptions. As patient portals have become more available and their use is encouraged by providers, the right of access is changing.
Covered Entities (CE)
Persons or organizations that must comply with the HIPAA Privacy and Security Rules, also covering electronic transactions. Include: ~Healthcare providers: those who conduct certain transactions electronically (financial or administrative) ~Health plans: those that pay for the cost of the medical care (i.e. insurance companies) ~Healthcare clearinghouses: those that process claims between a healthcare provider and payer (i.e. an intermediary that processes a hospital's claim to Medicare to facilitate payment).
health record - Third-party payers -compilation and maintenance
Play an important role in the maintenance and content of health records. Payers often have specific requirements about content that must be present in the health record in order for reimbursement to occur. Failure to comply with external entities' requirements will likely result in some type of penalty, such as loss of licensure or accreditation, nonpayment of claims, or fines.
Health Record
Primary function is to document patient treatment and provide a means for a patient's healthcare providers to communicate with each other. Also plays an important role as the LHR (legal health record). Other functions include assisting in assigning diagnoses and assisting in choosing treatment. ***The health record contains the who, what, when, where, why and how.*** Provides critical evidence in the legal process: medical malpractice and other personal injury lawsuits, criminal cases, health fraud, etc.
ONC (Office of the National Coordinator of Health Information Technology)
First established by presidential executive order; it is now recognized by statute as an entity within HHS (Dept. of Health and Human Services). -It is the primary federal entity with responsibility for coordinating national efforts to implement and use health information technology, and to promote the exchange of electronic health information.
Individuals
The Privacy Rule defines individuals as the persons who are the subject of PHI.
Encryption
Process of converting readable data into unreadable characters to prevent unauthorized access. Converts and encodes data into a jumble of unreadable scrambled characters and symbols as it is transmitted through a telecommunication network. Uses an algorithm.
Tort
Professional liability actions are brought against healthcare providers because of the tort of negligence (unintentional wrongdoing).
Federal Trade Commission (FTC)
Promotes consumer protection. Deals with breaches not covered by HIPAA: those of non-CEs and non-BAs.
Red Flags Rule
Promulgated under FACTA, the Red Flags Rule requires certain financial entities to develop and implement identity theft detection programs to identify and respond to "red flags" that signal identity theft.
limited data set
Protected health information from which certain specified direct identifiers of individuals have been removed. Used per ARRA until the minimum necessary standard has been clarified: use or disclose only the minimum necessary information, reverting to the "amount needed to accomplish the intended purpose" definition when the limited data set definition is inadequate.
ACCESS
Protected right under the PRIVACY LAW. It allows a person to view and obtain his or her PHI that is contained in a designated record set, such as a health record. (Brodnik)
ARRA - American Recovery and Reinvestment Act
Provides funds for adoption of technology and other stimulus funding. Provides the right for every individual to receive an electronic copy of the EHR. Also made important changes to HIPAA, which are under HITECH (which is part of ARRA).
ARRA (American Recovery and Reinvestment Act)
Provides funds for adoption of technology and provides the right for every individual to receive an electronic copy of the EHR. -Made important changes to the HIPAA Privacy Rule, which are located in HITECH (Health Information Technology for Economic and Clinical Health Act, which is part of ARRA).
Marketing - PHI use or disclosures
REQUIRES authorization from the person, except for communications that: -occur face to face between the covered entity and the person -concern a promotional gift of nominal value provided by the CE -describe health-related products and services provided by or included in the person's health plan -are for treatment -are for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers or care settings
health record - State Laws -compilation and maintenance
Requirements for compiling and maintaining health records are usually found in state rules and regulations. -Developed by administrative agencies responsible for licensing healthcare organizations; many often specify only that health records be complete and accurate.
health record - Federal Laws -compilation and maintenance
Requirements for maintaining health records include the Medicare Conditions of Participation, which contain specific requirements that must be satisfied by healthcare organizations that treat Medicare or Medicaid patients.
minimum necessary standard
Requires that uses, disclosures, and requests be limited to only the amount needed to accomplish an intended purpose. Does NOT apply to PHI used, disclosed or requested for treatment purposes. Per policies and procedures, the staff who need access to PHI should be identified, along with the amount of information those personnel should have access to; i.e. housekeeping will not have the same access as nurses.
privacy officer
Responsible for ensuring privacy practices are followed within an institution. Required by HIPAA. Role: -developing and implementing privacy policies and procedures -facilitating organizational privacy awareness -performing privacy risk assessments -maintaining appropriate forms -overseeing privacy training -participating in compliance monitoring of BAs -ensuring that patients' rights are protected -maintaining knowledge of applicable laws and accreditation standards -communicating with OCR (Office for Civil Rights)
Privacy Act of 1974
Restricts the way in which personal data can be used by federal agencies. Individuals must be permitted access to information stored about them and may correct any information that is incorrect. Agencies must ensure both the security and confidentiality of any sensitive information. Covers all federal agencies, not federally funded recipients.
Trigger events
Review of access logs, audit trails, failed logins, and other reports generated to monitor compliance with the policies and procedures. i.e. -accessing records with the same last name -VIP records (celebrities, board members) -files of minors -records of patients that the employee did not care for -records of terminated employees
7 patient HIPAA rights
Right of ACCESS; Right to ACCESS OF PHI; Right to ACCOUNTING OF DISCLOSURES; Right to request RESTRICTION ON PHI; Right to request AMENDMENT OF PHI; Right to COMPLAIN OF HIPAA VIOLATIONS; Right to request CONFIDENTIAL COMMUNICATION
Which of the following is the source of law?
STATUTE
Data Security maintenance
Security begins with identification of the basic elements of a data security program.
subpoena ad testificandum
Seeks testimony (to testify); a court summons to appear and give oral testimony for use at a hearing or trial.
Smart Cards and Tokens-something you have
Smart cards and tokens are more effective than a user ID and a password: a plastic card with an embedded microchip that can store multiple identification factors for a specific user.
Do Not Resuscitate (DNR)
Specifies a person's wish NOT to receive treatment (specifically CPR). Most often used by the elderly or the chronically ill, it directs healthcare providers to refrain from performing the otherwise standing order of CPR in case of cardiac or respiratory arrest. State law provides the framework for completing DNR orders and forms. JCAHO-accredited organizations are required to implement policies regarding advance directives and DNR orders.
ARRA and HITECH granted which of the following the ability to bring civil actions in federal district court on behalf of residents believed to have been affected by a HIPAA violation?
State attorneys general. One of the changes brought about by ARRA and HITECH allowed state attorneys general to bring civil charges related to HIPAA.
State Laws
State laws must also comply with HIPAA or else HIPAA will supersede them (preemption). All states have laws that require the disclosure of health information even without patient authorization, i.e. reporting of births, deaths, and health, safety or welfare situations like abuse.
The source of law that is created by legislative bodies is which of the following?
Statute
US Constitution
Supreme Law of the nation.
Arbitration is the submission of a dispute to
THIRD PARTY
True or false: A notice of privacy practices should include a statement explaining that individuals may complain to the Secretary of the Department of Health and Human Services if they believe that their privacy rights have been violated.
TRUE. The requirements for the notice of privacy practices include a statement that tells the patient whom they can complain to in the event that their rights have been violated.
due process of law
That no citizen is deprived of their legal rights (5th and 14th Amendments to the Constitution). 2 main types: substantive (protects legal rights and fairness); procedural (government cannot take life, property, or liberty without DUE PROCESS).
Clinical privileges
The authorization granted by a healthcare organization's governing board to a member of the medical staff that enables the physician to provide patient services in the organization within specific practice limits. Queries are made to the NPDB (National Practitioner Data Bank), which was established by the federal Health Care Quality Improvement Act and includes information on professional background, credentials, previous professional experience, and quality profiles. HIM may act as medical staff coordinator, involving the collection, organization, verification and storage of all information associated with credentialing.
Where is there NO protection of health information privacy?
Constitutional rights
Judicial Branch (Supreme Court)
The court system; interprets laws passed by the legislative branch.
Breach of Contract
The failure, without legal excuse, of a promisor to perform the obligations of a contract. ** When a relationship between patient and physician does exist, the physician's failure to diagnose and treat the patient with reasonable skill and care may cause the patient to sue the MD for breach of contract.
Conditions of Participation (CoP)
The federal standards/regulations that providers receiving Medicare and Medicaid certification and reimbursement/funding must comply with.
Legal health record (LHR)
The form of a health record that is the legal business record of the organization and serves as evidence in lawsuits or other legal actions; what constitutes an organization's legal health record varies depending on how the organization defines it. **The record used for legal purposes and the "record released upon a valid request"; it can be stored on any medium and its contents are defined by the organization rather than by law.
Health record ownership
The generally accepted principle that individual health records are maintained and owned by the healthcare organization that creates them, but that patients have certain rights of control over the release of patient-identifiable (confidential) information. **Although patients often believe they own their health record and do, in fact, own the information in it, ultimate responsibility for the physical health record still rests with the organization.
Advance Directive
The lack of advance directives can result in legal battles regarding the undocumented wishes of individuals who become legally incompetent, i.e. highly publicized end-of-life cases: -Karen Ann Quinlan -Nancy Cruzan -Terri Schiavo
FTC (Federal Trade Commission)
The main federal agency designed to enforce consumer protection laws.
Passwords : something you know
The most common security tools used to restrict access to computer systems. -mandatory change of passwords at specified intervals -operating system lock-outs for unsuccessful log-in attempts. Smart cards and tokens are more effective than a user ID and a password.
Release of Information (ROI)
The process of disclosing patient-identifiable information from the health record to another party.
e-discovery
The process of identifying and retrieving relevant electronic information to support litigation efforts. -Pretrial legal process that obtains and reviews electronically stored data. -Regulated/created by the FRCP (Federal Rules of Civil Procedure).
General Rules
They provide the objective and scope for the HIPAA Security Rule as a whole.
American Recovery and Reinvestment Act (ARRA)
The purposes of this act include the following: (1) To preserve and create jobs and promote economic recovery. (2) To assist those most impacted by the recession. (3) To provide investments needed to increase economic efficiency by spurring technological advances in science and health. (4) To invest in transportation, environmental protection, and other infrastructure that will provide long-term economic benefits. (5) To stabilize state and local government budgets, in order to minimize and avoid reductions in essential services and counterproductive state and local tax increases
Admissibility
The quality of the evidence in a case that allows it to be presented to the jury. Admissibility rules are more stringent than discovery rules; thus, much more information can be shared during pretrial discovery than is permitted to be admitted as evidence at trial. Governed by the Federal Rules of Evidence (FRCP); separate rules of evidence that mirror the federal rules govern admissibility in each state.
Alternative Dispute Resolution (ADR) Under Judicial Decision
The resolution of disputes in ways other than those involved in the traditional judicial process. Purpose: to lighten court dockets and provide less costly and time-consuming alternatives for parties to settle their differences. Negotiation, mediation, and arbitration are forms of ADR.
medical identity theft
The unauthorized use of someone else's personal information to obtain medical services or submit fraudulent medical insurance claims for reimbursement.
Authorization -Opportunity to Agree or Object
There are two times where patient authorization is not required but the patient should be given the opportunity to informally agree (verbally): 1) Facility directory: a list of patients currently being treated, if they agree to be listed. 2) Disclosure of relevant PHI to a family member, relative, or close friend who is involved in the patient's care.
Trial Courts (District Courts)
These are divided into courts of limited jurisdiction, which hear cases pertaining to a particular subject or involving crimes of lesser severity or civil matters of lower dollar amounts.
Which of the following is true RE: internal threats?
They originate within the organization.
fundraising activities
Those that benefit the CE. The covered entity may use or disclose to a BA or an institutionally related foundation, without authorization, demographic information and dates of healthcare provided to the individual. Must have an option to opt out from receiving the material.
Internal threats
Threats that originate within an organization
Penalties - ARRA and HITECH EST:
Tiered penalties per violation: $100-50,000: unknowing violations; $1,000-50,000: due to reasonable cause; $10,000-50,000: willful neglect that was corrected; $50,000: willful neglect that was NOT corrected. A way of compensating those that were harmed by the violation.
Which of the following spells out the powers of the three branches of the federal government?
US Constitution
Breach
Unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of such information. A breach should be presumed following an impermissible use or disclosure unless the CE or BA demonstrates a low probability that the PHI has been compromised.
Value is determined
Value is determined based on a number of factors such as: -criticality of the asset in daily operations -degree of harm resulting if the asset is not available -legal and regulatory requirements -loss of revenue should the asset be lost or damaged.
In which of the following situations must a covered entity provide an appeal process for denials of requests from individuals to see their own health information?
When a licensed healthcare professional has determined that access to PHI would likely endanger the life or safety of the individual
HIPAA - Privacy Rule - The WHO and the WHAT
Who it applies to: covered entities, business associates, workforce members. What it protects: PHI, by defining protected health information.
TPO - Operations
A broad list; includes quality assessments and improvement, case management, review of healthcare professionals' qualifications, insurance contracting, legal and auditing functions, and general business management functions such as providing customer service and conducting due diligence. **Does not include marketing and fundraising.
Electronic Health Record (EHR)
A computerized lifelong healthcare record for an individual that incorporates data from providers who treat the individual. Contains metadata; considered more expansive than the LHR.
Accreditation
A designation bestowed by the American Psychological Association on psychological training programs that meet acceptable training standards. Generally viewed as the highest level of competence and standard. JCAHO is the most prevalent accrediting body. AOA and the AAAHC for ambulatory health; CARF (Commission on Accreditation of Rehabilitation Facilities) for rehabilitation centers.
Licensure
A designation given to a person or organization by a government agency or board that gives the person permission to practice, or the organization to operate, within a certain field of practice. *The government entity has deemed the facility or person competent and safe to provide care.
Administrative Agency
a federal, state, or local government agency established to perform a specific function
Litigation Process- First step Filing complaint.
A legal action to determine a decision in court. Many malpractice cases are negotiated and settled out of court. In order to prepare for judicial decision as the ultimate outcome of a legal proceeding (litigation): 1) a plaintiff initiates a lawsuit against a defendant by filing a complaint in the court, which outlines the defendant's alleged wrongdoing. 2) After it is filed, a copy of the complaint is served on the defendant along with a SUMMONS. 3) The summons and complaint give the defendant notice of the lawsuit and what it pertains to, and inform the defendant that the complaint must be answered or some other action taken. 4) If the defendant fails to answer the complaint or take other action, the court grants the plaintiff a judgment of default.
Litigation Process- Second step Summons
a notice directing someone to appear in court to answer a complaint or a charge.
Firewall
A part of a computer system or network that is designed to block unauthorized access while permitting outward communication. A software program or device that filters information and is used as a buffer between two networks, like an intranet and the internet. *A firewall is configured to permit, deny, encrypt or decrypt computer traffic.
Right of Accounting of Disclosures
A person has the right to receive an accounting of certain disclosures made by a CE. HIPAA: 6 years prior to request; ARRA: 3 years prior to request. Requires accounting: -those that are made erroneously (breaches, errors) -for public interest and benefit activities where the patient's authorization is not obtained -pursuant to a court order. Exceptions to accounting: -for treatment, payment and healthcare operations -to the individuals to whom the information pertains and their representatives -incidentals (i.e. a sign-in sheet at an MD office: the next patient that signs the sheet will see the previous person's name) -pursuant to an authorization -for the facility directory -to national institutions or law enforcement officials -part of the LIMITED DATA SET -occurred before the compliance date of the covered entity.
Personal Representative
A person who has the legal authority to act on another's behalf. Per the Privacy Rule, a personal representative must be treated the same as the person regarding use and disclosure of the person's PHI.
Precedent (stare decisis)
A previous decision or ruling that, in common law tradition, is binding on subsequent decisions. The same ruling will be given in any future similar cases.
"Repair and Report"
a response used in the case of a virus attack
authorization
A right or permission given to a person to use a computer resource such as a computer.
Privacy
a social value and is the right "TO BE LET ALONE"
Malfeasance:
a wrong or improper act, such as removal of the wrong body part
Access safeguards
Fundamental security strategy. Means being able to identify which employees should have access to what data. Through this an organization takes steps to lessen its vulnerabilities, although it cannot prevent them altogether.
Authentication
Affirms a record's legitimacy through testimony or written validation. Used by custodians of health records.
Common Law
Also known as case law/judicial law. 4 main types: Precedent/stare decisis: let the decision stand; using the same ruling from similar cases. Res judicata: a case that has already been adjudicated and cannot be retried or pursued by the same party; limits excessive litigation. Malpractice: professional misconduct; failure to meet professional conduct.
Joint Commission
An independent, not-for-profit organization that evaluates and accredits healthcare organizations; addresses an organization's level of performance (i.e. patient care, privacy, confidentiality).
Assets - organizing information assets
An inventory of application software, hardware, networks and other information assets; once identified, their value to the organization is determined. Value is determined based on a number of factors such as: -criticality of the asset in daily operations -degree of harm resulting if the asset is not available -legal and regulatory requirements -loss of revenue should the asset be lost or damaged.
PHI - protected health information
Any information in any media created by a provider, insurer, public health authority, employer, school or health clearinghouse; any info that relates to the past, present or future physical or mental health or condition of an individual and payments.
Designated Record Set (DRS)
Any item, collection, or grouping of information that includes protected health information and is maintained by a covered entity; a term specific to HIPAA. **MORE expansive than the legal health record.
Credentialing
General term that refers to the ways in which professional competence is maintained.
Interrogatories
Written questions for which written answers are prepared and then signed under oath. -A discovery method used to obtain information from other parties in a lawsuit. Process: during interrogatories, parties are given questions to respond to in writing. These questions may be answered by a party's legal counsel rather than by the party himself (but this requires a confirmation regarding the truthfulness and accuracy of the answers).
UBAC (User-based access control)
Grants access based on a user's individual identity; i.e. people in the same department might have different access depending on their unique responsibilities in that department.
identification
Basic building block of access control: username or user number.
cryptography
Branch of mathematics based on the transformation of data by developing CIPHERS, which are codes that are to be kept secret. Used as a tool for data security.
Authorizations- KEY COMPONENT OF HIPAA
Authorization by the individual for the use or disclosure of their health information is a legal requirement and health information practice. A person may revoke the authorization, but the revocation will not apply to disclosures already made. Must be obtained, but with some exceptions. Required in: -use and disclosure of psychotherapy notes (except to carry out TPO for treatment by the originator of the notes) -research (unless the CE has obtained an IRB or privacy board waiver) -mental health training programs by the covered entity -to defend a legal action or other proceeding brought by the individual -oversight of the originator of the notes.
Marketing
communication about a product or service that encourages the recipient to purchase or use that product or service.
Health information purpose
Has a variety of purposes, from provision of direct patient care to use by outside entities such as insurance and pharmaceutical companies; those uses and disclosures must be appropriate.
Data at rest:
data contained in databases, file systems or flash drives.
data in use:
data in the process of being created, retrieved, updated or deleted
data in motion:
data moving through a network or wireless transmission
Blanchard-Peale ethics check
Decision-making guide: -is it legal? -is it fair/balanced? -how will it make you feel?
A valid authorization requires which of the following?
A description of the information to be used or disclosed, a statement that the information being used or disclosed may be subject to redisclosure by the recipient, and an expiration date or event.
Audits
Determine whether comprehensive policies and procedures are in place and whether they have been implemented to comply with the Privacy and Security Rules. Unannounced audits by ONC are mandated for CEs under ARRA/HITECH.
data disposed:
Discarded records and recycled electronic media. Critical to use appropriate data destruction methods to ensure the data cannot be read, retrieved or reconstructed in any way.
Workforce Members
Consists not only of employees but also VOLUNTEERS, STUDENT INTERNS, TRAINEES AND EVEN EMPLOYEES OF OUTSOURCED VENDORS. "Those who routinely work on-site in the covered entity's facility." i.e. subcontracted janitorial work or security
Risk Management
Encompasses the identification, evaluation and control of risks that are inherent in unexpected and inappropriate events. Can aid in prevention, detection and mitigation of security breaches, including identity theft.
Nonfeasance:
failure to act, such as not ordering a standard diagnostic test
ONC - Office of the National Coordinator for Health Information Technology
First established by executive order under DHHS. The primary federal entity with the responsibility for coordinating national efforts to implement and use HIT and promote HIE.
Ethical Principles -4
Guides to moral behavior when faced with dilemmas: J-ustice (fairness) B-eneficence (doing good) A-utonomy (own decisions) N-onmaleficence (do no harm). Egoism (all about me); consequentialism (what will happen); altruism (all about other people).
health record - Accrediting bodies -compilation and maintenance
i.e. JCAHO standards relate to information management through its Information Management (IM) and Record of Care, Treatment, and Services (RC) chapters. Acute care, long-term care, home health, and behavioral health providers, among others, must follow these standards if they are to be accredited by JCAHO. i.e. AHIMA, which publishes best practices information.
ITAD (information technology asset disposition)
Identifies how all data storage devices are destroyed and purged of data prior to repurposing or disposal. Addresses the end of the life cycle for hard drives, laptops, etc.
TPO (Treatment, Payment, Operations)
Important concept because HIPAA provides a number of exceptions for PHI that is being used or disclosed for TPO purposes. Comprised of: treatment, payment, operations.
Misfeasance:
improper performance during an otherwise correct act, such as nicking the bladder during an otherwise appropriately performed gallbladder surgery.
TPO- Payment
Includes activity by a health plan to obtain premiums, billing by healthcare providers or health plans to obtain reimbursement, claims management, claims collection, review of the medical necessity of care, and utilization review.
Right of Accounting requirements
Includes disclosures made in writing, by telephone, or orally. -Disclosure pursuant to a subpoena that has written authorization from the patient is EXEMPT, but one pursuant to a court order is NOT. -Response within 60 days after request, with a 30-day extension. -First accounting within any 12-month period must be provided without charge. Additional requests after the 12-month period may have reasonable charges.
DRS (designated record set)
Includes the health records, billing records, and various claims records that are used to make decisions about an individual. HIPAA provisions apply to the DRS. It is broader than the legal health record because it contains more components than those that would ordinarily be produced upon request.
FRCP (Federal Rules of Civil Procedure)
Incorporated electronic information through the creation of the e-discovery rules. FRCP only applies to cases in federal district courts, but many states have adopted similar e-discovery rules that apply to both civil and criminal cases. Governs: admissibility, e-discovery.
CIO - chief information officer
Information technology systems directors, network engineers, and representatives from clinical departments as appropriate; management positions involved in the information security committee.
Litigation Process - Part of Second step: Judgment in default
A binding judgment in favor of either party based on some failure to take action by the other party. Most often, it is a judgment in favor of a plaintiff when the defendant has not responded to a summons or has failed to appear before a court of law. The failure to take action is the default. The default judgment is the relief requested in the party's original petition.
Warrants
A judge's order that authorizes law enforcement to seize evidence and, often, to conduct a search as well. In criminal cases, health records are most likely to be obtained via warrant in healthcare fraud and abuse investigations.
Voir Dire
A process of jury de-selection designed to eliminate those individuals who have some inherent characteristic that blocks them from considering the facts necessary to appreciate your story. Additionally, get a transcript of a previous voir dire conducted by opposing counsel.
Physician--patient relationship
Is established by either an implied contract or an express contract.
A living Will
Is executed by a competent adult, expressing the individual's wishes regarding treatment should the individual become afflicted with a certain condition and no longer be able to communicate on his or her own behalf, i.e. persistent vegetative state or terminal condition. Addresses extraordinary life-saving measures such as ventilator support and either the continuation or removal of nutrition and hydration.
Use
Is how an organization avails itself of health information internally.
Medical Malpractice
Is the professional liability of healthcare providers: physicians, nurses, therapists or others involved in the delivery of patient care.
Contract
Is usually created by the mutual agreement of the parties involved, in this case the patient and MD. It is terminated when the patient and MD mutually agree to contract termination, the patient dismisses the physician, or the physician withdraws from providing care for the patient.
HITECH Act of 2009 (Health Information Technology for Economic and Clinical Health Act)
Made into law to promote the adoption and meaningful use of health information technology and HIE use in EHRs. Promotes and widens the scope of security and privacy under HIPAA to include companies not previously covered. Increases legal liability for non-compliance.
TPO - Treatment
Means providing, coordinating or managing healthcare or healthcare-related services by one or more healthcare providers; i.e. treatment includes caring for patients admitted to the hospital or coming for an appointment with the physician, and referrals made.
Durable
Means that the document is in effect when the individual is no longer competent.
Stricter
Means that a state or federal statute provides an individual with greater privacy protections or gives individuals greater rights with respect to their PHI. If questions arise, legal counsel should be consulted.
AHIMA code of ethics - 3
Most applicable to the HIM professional: Tenet I: advocate and uphold a patient's right to privacy and confidentiality. Tenet III: protect, preserve and secure PHI. Tenet IV: refuse to participate in unethical principles or procedures.
Negligence
Occurs when a healthcare provider does not do what a prudent person would normally do in similar circumstances.
Certification -
Of individuals: a designation given by a private organization to acknowledge a requisite level of knowledge, competencies and skills. May be either mastery level or entry level. Entry level: RHIA (Registered Health Information Administrator), RHIT (Registered Health Information Technician). Master level: CHPS (Certified in Healthcare Privacy and Security), CHDA (Certified Health Data Analyst), CCS (Certified Coding Specialist).
Consents: Definition
One's agreement to receive medical treatment. It can be: -written (preferred because it offers proof) -spoken (communicated through words) -expressed or implied (through conduct)
Ownership vs stewardship vs Custodianship
Ownership: the healthcare provider that created the health record. Stewardship: key component in information governance (management of information in an organization); the management and oversight of an organization's data assets. Custodianship: those responsible for the safe custody, transport and storage of the data and implementation of business rules (usually the HIM manager).
Physical Safeguards
physical protection of information resources from physical damage, loss from natural or other disasters, and theft.
DNR process
prior to executing a DNR order, the patient and the physician should have a discussion, a CONSENT form should be signed by the patient, and the physician writes an order in the patient's health record stating as such.
Sniffers
a program or device that monitors data traveling over a network ("eavesdropping"); can be used both for legitimate purposes (troubleshooting, intrusion detection) and for stealing information from a network. Encrypting data in transit limits what a sniffer can read.
Uniform Health-Care Decisions Act (UHCDA)
provides an additional option for creating advance directives.
Security Rule
requires an organization to implement security measures that are sufficient to reduce risks and vulnerabilities, but it may use a flexible and reasonable approach to do so. Contains:
-Risk analysis: identifying security threats, including identifying vulnerabilities.
-Likelihood determination: an estimate of the probability of the threats occurring.
-Impact analysis: what the impact of the threats on information assets might be.
Retention standards AHIMA - health records
AHIMA routinely publishes recommendations on the retention of health records. Health record retention schedules:
-Are designed to meet an organization's needs so that health information is available not only for patient care, but also for research and education, and to meet the legal requirements that apply to the organization.
-Should be specific about the retention of information, including a description of what information is to be kept, for how long it is to be kept, and the medium on which it will be stored.
-Clearly specify in the policies and procedures the destruction method that is to be used for each medium on which health information is housed.
Authentication
the second element of access control (after identification); has three factor types:
-Something you know: passwords
-Something you have: tokens or access cards
-Something you are: biometrics
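Added example (not part of the original study set): a small two-factor login check combining "something you know" (a salted PBKDF2 password hash compared in constant time) with "something you have" (a time-based one-time password, TOTP per RFC 6238, as generated by a hardware token or authenticator app). The user record, secret, and timestamps are constructed for the example; the replay guard (a code is accepted only once) is a design choice, not something the study set describes.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # work factor for the password hash
TOTP_STEP = 30                # seconds per TOTP counter step (RFC 6238 default)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Something you know: store only a salted PBKDF2-HMAC-SHA256 hash, never the password."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_password(password: str, salt: bytes, stored_dk: bytes) -> bool:
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, stored_dk)   # constant-time comparison


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Something you have: RFC 6238 TOTP = HOTP(secret, floor(time / step)) with HMAC-SHA1."""
    counter = unix_time // TOTP_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def match_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> Optional[int]:
    """Return the counter that produced `code` (allowing +/- `window` steps of clock drift), else None."""
    for drift in range(-window, window + 1):
        t = unix_time + drift * TOTP_STEP
        if hmac.compare_digest(totp(secret, t), code):
            return t // TOTP_STEP
    return None


# Constructed user record: one clinician with both factors enrolled.
SECRET = b"12345678901234567890"                  # example shared secret (RFC 6238 test key)
_salt, _dk = hash_password("correct horse battery staple", salt=b"\x00" * 16)
USERS: Dict[str, dict] = {
    "dr.lee": {"salt": _salt, "dk": _dk, "totp_secret": SECRET, "last_counter": -1},
}


def authenticate(username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; an unknown user fails the same way as a bad password."""
    user = USERS.get(username)
    if user is None:
        return False
    if not verify_password(password, user["salt"], user["dk"]):
        return False
    counter = match_totp(user["totp_secret"], code, unix_time)
    if counter is None or counter <= user["last_counter"]:
        return False                                # wrong code, or a code already used (replay)
    user["last_counter"] = counter
    return True


if __name__ == "__main__":
    now = 1_700_000_000                             # constructed timestamp
    print(authenticate("dr.lee", "correct horse battery staple", totp(SECRET, now), now))
```

The TOTP function reproduces the RFC 6238 reference vector (secret `12345678901234567890`, time 59 seconds, SHA-1) whose six-digit form is `287082`, which is a quick way to confirm a TOTP implementation before trusting it.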
Arbitration under judicial decision
settling a dispute by agreeing to accept the decision of an impartial outsider. The parties agree to submit the dispute to a third party, who makes the decision. Part of alternative dispute resolution.
Confidentiality
similar to privacy, but stems from the sharing of private information within a relationship that the law protects; communication between patient and physician, clergy and parishioner, etc. is considered protected, privileged information.
1) Which of the following are laws enacted by a legislative body?
Statutes
Administrative Law
the body of law that regulates the operation and procedures of government agencies. Such agencies combine functions of all three branches of government: they make rules, enforce them, and adjudicate disputes under them.
Biometrics - something you are
the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting.
Jurisdiction
the official power to make legal decisions and judgments; an area of authority or control. Two main types of federal jurisdiction:
-Subject-matter (federal question) jurisdiction: the case must relate to federal or constitutional law.
-Diversity jurisdiction: enables parties from different states to engage in a lawsuit in federal court, but the amount in controversy must be over $75,000 and the parties must be from different states.
Consent (HIPAA)
the patient's agreement to use or disclose personally identifiable information for treatment, payment, and healthcare operations.
Access Control
the restriction of access to information and information resources to only those who are authorized, by role or other means (such as a treating relationship with the patient).
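Added example (not from the study set): a deny-by-default authorization check that restricts access "by role" (each role is granted only the record sections it needs) and "by other means" (a clinician may read clinical notes only for patients on their care team), and writes every decision to an audit trail. The roles, users, record, and care-team assignment are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# Role -> permitted (section, action) pairs; anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "physician":     {("clinical", "read"), ("clinical", "write"), ("demographics", "read")},
    "billing_clerk": {("billing", "read"), ("billing", "write"), ("demographics", "read")},
    "him_manager":   {("clinical", "read"), ("billing", "read"), ("demographics", "read"),
                      ("clinical", "release")},
}

# Constructed user directory and one patient record.
USERS: Dict[str, dict] = {
    "dr.lee":  {"role": "physician"},
    "b.jones": {"role": "billing_clerk"},
    "h.kim":   {"role": "him_manager"},
}
RECORD = {
    "patient_id": "P-0001",
    "care_team": {"dr.lee"},          # the "other means": a treating relationship
}

AUDIT_LOG: List[dict] = []


def check_access(username: str, section: str, action: str, record: dict) -> bool:
    """Return True only if the user's role allows (section, action) and any extra
    relationship rule passes; every decision, allowed or denied, is logged."""
    user = USERS.get(username)
    allowed = False
    reason = "unknown user"
    if user is not None:
        role = user["role"]
        if (section, action) not in ROLE_PERMISSIONS.get(role, set()):
            reason = f"role {role} not permitted {action} on {section}"
        elif section == "clinical" and role == "physician" and username not in record["care_team"]:
            reason = "physician not on patient's care team"
        else:
            allowed = True
            reason = "permitted"
    AUDIT_LOG.append({"user": username, "patient": record["patient_id"],
                      "section": section, "action": action,
                      "allowed": allowed, "reason": reason})
    return allowed


def denied_attempts(patient_id: str) -> List[dict]:
    """Audit query: every denied access attempt against one patient's record."""
    return [e for e in AUDIT_LOG if e["patient"] == patient_id and not e["allowed"]]


if __name__ == "__main__":
    print(check_access("dr.lee", "clinical", "read", RECORD))    # True
    print(check_access("b.jones", "clinical", "read", RECORD))   # False: billing role, clinical section
    print(len(denied_attempts("P-0001")))
```

The point of the care-team rule is that role alone is too coarse for clinical data: every physician in a hospital has the same role, but only the treating physician should see a given patient's notes, and the denied-attempt query is what a privacy officer would run when investigating a suspected snooping incident.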
Expressed contracts
the terms of the agreement are fully and explicitly stated in words, oral or written; i.e. articulated, either in writing or verbally (a patient's written or verbal agreement to treatment).
Information sharing during discovery
this sharing is encouraged so that each party knows the relative strength of the cases (which may lead to a settlement) and to avoid surprises at trial. The federal rules permit discovery of any relevant non-privileged information, which may be limited by the court for reasons such as the request being unnecessary, duplicative, or too expensive for the party being asked to produce the requested information.
Health plans: covered entity
those that pay for the cost of medical care (i.e. insurance companies).
Three-tier court structure, federal and state
the three tiers consist of:
-Trial courts (lowest court; district courts in the federal system)
-Courts of appeal (also called appellate courts): hear appeals of final judgments of the trial courts
-Supreme Court (highest court): hears final appeals from the intermediate courts of appeal
Subpoena duces tecum
"to bring documents and other records with oneself." These subpoenas may direct that originals or copies of health records, lab reports, x-rays, or other records be brought to a deposition or to court.
Accounting of disclosures (for research)
Under the Privacy Rule, the accounting given to the patient includes:
-A list of all protocols for which their PHI may have been disclosed, along with the time frame for those disclosures.
-The purpose of those protocols and the types of PHI sought.
-The researcher's name and contact information for each study.