ch. 9 data privacy and confidentiality
types of discovery
1) depositions 2) Interrogatories 3) Request for production of documents or things or permission to enter upon land 4) Physical and mental examination 5) Request for release of medical records, AND 6) Request for admissions 7.subpoenas 8.court orders 9.warrants 10.e-discovery
what are the three types of covered entities?
1. health care providers that conduct certain transactions(financial or administrative) electronically. health care providers include hospitals, long term care facilities, physicians, and pharmacies 2. health plans, which pay for the cost of medical care (for example, a health insurance company.) 3. healthcare clearing house, which process claims between a healthcare provider and payer (an intermediary that processes a hospitals claim to medicare to facilitate payment.)
determining whether information is PHI or not requires meeting all parts of a three-part test.
1. the information must be held or transmitted by a covered entity or a BA in any of the forms listed previously (electronic, paper or oral) 2. it must be individually identifiable health information 3. it must relate to ones past, present or future physical or mental health condition, the provision of healthcare, or payment for the provision of healthcare.
what are the two goals for the privacy rule?
1. to provide greater privacy protections for ones health information 2.to provide an individual with greater rights with respect to his/her health information
HIPAA contains ---- titles
5
per a federal rule published subsequent to ARRA, PHI of deceased person loses PHI status and is no longer protected by HIPAA after the individual has been deceased more than ---- years
50
legal hold
A communication issued because of current or anticipated litigation, audit, government investigation, or other such matters that suspend the normal disposition or processing of records. Legal holds can encompass business procedures affecting active data, including, but not limited to, backup tape recycling. The specific communication to business or IT organizations may also be called a "hold," "preservation order," "suspension order," "freeze notice," "hold order," or "hold notice"
facility directory
A directory of patients being treated in a healthcare facility
business associate (BA)
A person or organization other than a member of a covered entity's workforce that performs functions or activities on behalf of or affecting a covered entity that involve the use or disclosure of individually identifiable health information
privacy officer
A position mandated under the HIPAA Privacy Rule—covered entities must designate an individual to be responsible for developing and implementing privacy policies and procedures
business records exception
A rule under which a record is determined not to be hearsay if it was made at or near the time by, or from information transmitted by, a person with knowledge; it was kept in the course of a regularly conducted business activity; and it was the regular practice of that business activity to make the record
notice of privacy practices
A statement (mandated by the HIPAA Privacy Rule) issued by a healthcare organization that informs individuals of the uses and disclosures of patient-identifiable health information that may be made by the organization, as well as the individual's rights and the organization's legal duties with respect to that information
hearsay
A written or oral statement made outside of court that is offered in court as evidence
subpoena duces tecum
A written order commanding a person to appear, give testimony, and bring all documents, papers, books, and records described in the subpoena. The devices are used to obtain documents during pretrial discovery and to obtain testimony during trial
health information technology for economic and clinical health act (HITECH) is part of
ARRA
sale of information
Addressed specifically by ARRA, which prohibits a covered entity or BA from selling (receiving direct or indirect compensation) in exchange for an individual's PHI without that individual's authorization; the authorization must also state whether the individual permits the recipient of the PHI to further exchange the PHI for compensation
right of access
Allows an individual to inspect and obtain a copy of his or her own PHI contained within a designated record set, such as a health record
right to request restrictions of PHI
An individual can request that a covered entity restrict the uses and disclosures of PHI to carry out treatment, payment, or healthcare operations
Right to request accounting of disclosures
An individual has the right to receive an accounting of certain disclosures made by a covered entity
court order
An official direction issued by a court judge and requiring or forbidding specific parties to perform specific actions
covered entity (CE)
As amended by HITECH, (1) a health plan, (2) a health care clearinghouse, (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter (45 CFR 160.103 2013)
breach notification
As amended by HITECH, a covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach (45 CFR 164.404 2013)
administrative simplification
As amended by HITECH, authorizes HHS to: (1) adopt standards for transactions and code sets that are used to exchange health data; (2) adopt standard identifiers for health plans, health care providers, employers, and individuals for use on standard transactions; and (3) adopt standards to protect the security and privacy of personally identifiable health information (45 CFR Parts 160, 162, and 164 2013)
Designated Record Set (DRS)
As amended by HITECH: (1) A group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals (2) For purposes of this paragraph, the term means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity (45 CFR 164.501 2013)
red flags rule
Consists of five categories of red flags that are used as triggers to alert the organization to a potential identity theft; the categories are: (1) alerts, notifications, or warnings from a consumer reporting agency; (2) suspicious documents; (3) suspicious personally identifying information such as a suspicious address; (4) unusual use of, or suspicious activity relating to, a covered account; (5) Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with an account
interrogatories
Discovery devices consisting of a set of written questions given to a party, witness, or other person who has information needed in a legal case
right to request confidential communications
Healthcare providers and health plans must give individuals the opportunity to request that communications of PHI be routed to an alternative location or by an alternative method
fundraising
In these activities that benefit the covered entity, the covered entity may use or disclose to a BA or an institutionally related foundation, without authorization, demographic information and dates of healthcare provided to an individual
Protected Health Information (PHI)
Individually identifiable health information that is transmitted or maintained by electronic media; excludes individually identifiable information.
deidentified information
Information where personal characteristics have been stripped from it in such a way that it cannot be later constituted or combined to reidentify an individual; it is commonly used in research
fair and accurate credit transactions act
Law passed in 2003 that contains provisions and requirements to reduce identity theft (Public Law 108-159 2003)
right to request amendment
One may request that a covered entity amend PHI or a record about the individual in a designated record set
personal representative
Person with legal authority to act on a patient's behalf
e-discovery
Refers to Amendments to Federal Rules of Civil Procedure and Uniform Rules Relating to Discovery of Electronically Stored Information; wherein audit trails, the source code of the program, metadata, and any other electronic information that is not typically considered the legal health record is subject to motion for compulsory discovery
access report
Report that provides a list of individuals who accessed patient information during a given period
minimum necessary standard
Requires that uses, disclosures, and requests must be limited to only the amount needed to accomplish an intended purpose
federal rules of evidence (FRE)
Rules established by the US Supreme Court guiding the introduction and use of evidence in federal court proceedings that are an important benchmark for state and other courts. FRE governs what and how electronic records may be used, and the roles of record custodianship
Treatment, Payment and Operations (TPO)
The Privacy Rule provides a number of exceptions for PHI that is being used or disclosed for TPO purposes; treatment means providing, coordinating, or managing healthcare or healthcare-related services by one or more healthcare providers; payment includes activities by a health plan to obtain premiums, billing by healthcare providers or health plans to obtain reimbursement, claims management, claims collection, review of the medical necessity of care, and utilization review; the Privacy Rule provides a broad list of activities that are healthcare operations that includes quality assessment and improvement, case management, review of healthcare professionals' qualifications, insurance contracting, legal and auditing functions, and general business management functions such as providing customer service and conducting due diligence
spoliation
The act of destroying, changing, or hiding evidence intentionally
Department of Health and Human Services (HHS)
The cabinet-level federal agency that oversees all of the health - and human-services-related activities of federal government and administers federal regulations.
admissibility
The condition of being admitted into evidence in a court of law
privacy rule
The federal regulations created to implement the privacy requirements of the simplification subtitle of the Health Insurance Portability and Accountability Act of 1996; effective in 2002; afforded patients certain rights to and about their protected health information
medical identity theft
The fraudulent use of an individual's identifying information in a healthcare setting
Release of Information (ROI)
The process of disclosing patient-identifiable information from the health record to another party
privacy
The quality or state of being hidden from, or undisturbed by, the observation or activities of other persons or freedom from unauthorized intrusion; in healthcare-related contexts, the right of a patient to control disclosure of personal information.
use
The sharing, employment application, utilization, examination, or analysis of individually identifiable health information (IIHI) within an organization that holds such information
the ONC is recognized as an entity with the
US department of health and human services (HHS); it is the primary federal entity with responsibility for coordinating national efforts to implement and use health information technology, and to promote the exchange of electronic health information.
subpoena
a command to appear at a certain time and place to give testimony on a certain matter.
business associate agreement (BAA)
a contract between the covered entity and a business associate must establish the permitted and required uses and disclosures of protected health information by the business associate and provides specific content requirements of the agreement.
warrant
a judge's order that authorizes law enforcement to seize evidence and conduct a search
Confidentiatlity
a legal and ethical concept that establishes the healthcare providers responsibility for protecting health records and other personal and private information from unauthorized use or disclosure; as amended by HITECH, the practice that data or information is not made available or disclosed to unauthorized persons or processes.
deposition
a method of gathering information to be used in a litigation process.
consent
a patients acknowledgement that he/she understands a proposed intervention, including that interventions risks, benefits, and alternatives; the document signed by the patient that indicates agreement that protected health information (PHI) can be disclosed.
subpoena ad testificandum
a subpoena that primarily seeks an individual's testimony
The HIPAA privacy rule resides in the
administrative simplification provision of title II along with the HIPAA security standards, national provider identifiers, and transaction and code set standardization requirements.
federal trade commission (FTC)
an independent federal agency tasked with dealing with two areas of economics in the united states; consumer protection and issues having to do with competition in business.
which of the following is an element of a deposition?
an individual appears at an appointed time and place to testify under oath
authorization
as amended by HITECH, except as otherwise specified, a covered entity may not use or disclose protected health information without an authorization that is valid under section 164.508; when a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with the authorization.
disclosure
as amended by HITECH, the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.
the privacy rule does not allow covered entities to disclose PHI to BAs unless the two enter into a written contract or
business associate agreement (BAA) that meets HIPAA and ARRA requirements.
common BA's include
consultants, billing companies, transcription companies, accounting firms and law firms.
metadata
data about data
the privacy rule does not protect
deidentified information
which of the following is a discovery method?
deposition
workforce
employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.
clinical laboratory improvement amendments (CLIA) of 1988
established quality standards for all laboratory testing to ensure the accuracy, reliability, and timeliness of patient test results regardless of where the test is.
hearsay is often
excluded in trial
there is no constitutional right of privacy to ones health information, but this privacy protection has also been established through court cases as well as laws such as the
health insurance portability and accountability act (HIPAA)
preemption
in law, the principle that a statute at one level supersedes or is applied over the same or similar statute at a lower level (for example, the federal HIPAA privacy provisions trump the same or similar state law except when state law is more stringent)
complaint
in litigation, a written legal statement from a plaintiff that initiates a civil lawsuit.
individually identifiable health information
information that is a subset of health information, including demographic information collected from an individual, and is created or recieved by a health care provider, health plan, employer, or health care clearinghouse, and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; and that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
the designated record set is broader than the legal health record because
it contains more components than those that would ordinarily be produced upon request.
which of the following describes discovery?
it is a pretrial process
health information technology for economic and clinical health act (HITECH)
legislation created to promote the adoption and meaningful use of health information technology in the united states. subtitle d of the act provides for additional privacy and security requirements that will develop and support electronic health information, facilitate information exchange, and strengthen monetary penalties. signed into law on febrary 17, 2009 as part of ARRA ( Public law 111-5 2009)
operations do not include
marketing or fundraising activities
state laws that protect the privacy of health information
may be preempted by HIPAA
marketing
means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, or where the covered entity receives financial remuneration in exchange for making communication.
hearsay can be admitted into evidence if it
meets one of the hearsay exceptions.
A subpoena requesting patient records
must usually be accompanied by patient authorization
discovery is a --- stage
pretrial
health care operations include
quality assessment and improvement, case management, review of healthcare professionals qualifications, insurance contracting, legal and auditing functions and general business management functions such as providing customer service and conducting due diligence.
title II of HIPPA is the most
relevant to the HIM profession
the individuals right includes
right of access, right to request amendment of PHI, right to accounting of disclosures, right to request restrictions of PHI, right to request confidential communications, and right to complain of privacy rule violations.
federal rules of civil procedures (FRCP)
rules established by the us supreme court setting the "rules of the road" and procedures for federal court cases. FRCP include electronic records and continue to be very important as benchmarks in how these records can be used in courts, not only federal, but state and other courts as well.
Health Insurance Portability and Accountability Act (HIPAA)
the federal legislation enacted to provide continuity of health coverage, control fraud and abuse in healthcare, reduce healthcare costs and guarantee the security and privacy of health information; limits exclusion for pre-existing medical conditions, prohibits discrimination against employees and dependents based on health status, guarantees availability of health insurance to small employers, and guarantees renew ability of insurance to all employees regardless of size.
true
the health record is not a public document
individual
the person who is the subject of the protected health information.
discovery
the pretrial stage in the litigation process during which both parties to suit use various strategies to identify information about the case, the primary focus of which is to determine the strength of the opposing party's case.
Office of the National Coordinator for Health Information Technology (ONC)
the principle federal entity charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information. the position of the national coordinator was created in 2004, through an executive order, and legislatively mandated in the HITECH act of 2009.
american recovery and reinvestment act
the purpose of this act includes the following: 1.to preserve and create jobs and promote economic recovery 2.to assist those most impacted by the recession 3.to provide investments needed to increase economic efficiency by spurring technological advances in science and health 4.to invest in transportation, environmental protection, and other infrastructure that will provide long-term economic benefits 5. to stabilize state and local government budgets, in order to minimize and avoid reductions in essential services and counterproductive state and local tax increases
privacy
the right to be let alone
HIPAA structure:
title I: insurance portability title II: administrative simplification title III: medical savings and tax deductions title IV:group health plan provisions title V:revenue offset provisions
Title II: Administrative Simplification
transactions, identifiers, security, privacy and enforcement
If a person or organization meets the definition of a BA, they are a BA by law (even if the required agreement has not been signed) and are subject to HIPAA's personalities if they violate HIPAA.
true
information can be shared during pretrial discovery that is not permitted to be admitted as evidence at trial
true
the HIPAA privacy rule is one of the key federal laws that govern the protection of protected health information (PHI)
true
the federal rule permits discovery of any relevant non privileged information (information protected by attorney-client privilege) that may be limited by the court for reasons such as the request being unnecessary, duplicative, or too expensive for the party being asked to produce the requested information
true
breach
under HITECH, the acquisition, access, use or disclosure of protected health information in a manner not permitted under subpart E of this part that compromises the security or privacy of the protected health information.
the minimum necessary standard does not apply to PHI
used, disclosed or requested for treatment purposes.
meta data provides information such as
who accessed or attempted to access a system and when, which parts of the system were affected, and what operations (creating, viewing, printing editing) took place.