HIM 226: Test #4 CH 10 & CH 11
7. Redisclosure notice, pg. 195 and figure 10.8, pg. 196
= This is a statement placing the recipient of health information on notice that the information received may be used only for the stated purposes; that the recipient is barred from redisclosing the information to third parties without the patient's authorization; and that the information should be destroyed after the stated purpose is fulfilled. The redisclosure notice is mandated when information relating to alcohol or drug abuse patients is released.
11. Adoption Records, pg. 207
= are the health records of the individual placed for adoption. = at the core of the access to adoption records, there are two competing interests: (1) the interest of the biological parents in placing a child for adoption, with the promise of confidentiality. (2) the interests of the adoptee for genetic information and to satisfy curiosity about his natural identity. = courts have erected barriers to access: 1. requiring adoptee to establish a good cause for access 2. imposing notice and hearing requirements: a) conducting a search if the biological parents consent to the ROI. b) conducting a hearing to balance the interests of all parties. = legislatures have responded by: 1. easing the standards for access 2. creating voluntary adoption registry services 3. permitting independent searches for biological parents to solicit their consent for a meeting
8. Belmont Report, pg. 201
= is the name of the landmark document in the area of human research ethics. = asserts that the 3 main principles form the ethical basis for all research involving human subjects: respect for persons, beneficence, and justice.
5. Figure 10.6 Core Elements of a Valid Release of Health Information Form, pg. 193
1. The individual's name and identifying information. 2. A specific and meaningful description of the information to be used or disclosed. 3. The name or other specific identification of the person or class of persons authorized to make the requested use or disclosure. 4. The name of other specific identification of the person or class of persons to whom the disclosure is to be made. 5. An expiration date or expiration event that relates to the individual or purpose of the use or disclosure. 6. A statement of the individual's right to revoke authorization, the exceptions to the right to revoke, and a description of the individual may revoke the authorization. 7. A statement that the information used or disclosed is subject to redisclosure and may lose its protected status. 8. The signature and date of the individual. 9. If the authorization is signed by the individual's personal representative, a description of the representative's authority to act for the individual.
2. Secretary of Health and Human Services - their role in Drug and Alcohol Abuse disclosure and use. Pg. 218
= 2 federal laws place restrictions on the disclosure and use of drug and alcohol abuse patient records: (1) Drug Abuse Prevention, Treatment, and Rehabilitation Act (2) Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970 = both laws delegate to the Secretary of HHS the power to promulgate (promote) rules and regulations imposing restrictions on these records. = the rules and regulations that the secretary of HHS has promulgated apply to all treatment programs that receive federal assistance.
5. Which regulations govern the regulations and standards for psychiatric facilities? Pg. 227
= Medicare CoP governs the regulation and standards for any psychiatric facility receiving Medicare funds. = In addition to statutory and regulatory requirements, accrediting standards may also mandate certain documentation requirements. JC (the Joint Commission) promulgates standards for facilities offering mental health, mental retardation, and developmental disability services. In addition to the standard documentation requirements, the JC requires documentation of the patient's legal status and the involvement of family members in the patient's treatment program.
10. Business Associate pg. 205; Be able to recognize who could be a business associate. You must be able to differentiate between an employee, customer, and a business associate. Who monitors the business associate's compliance with HIPAA?
= a business associate is one who performs or assists in performing a function or activity involving the use or disclosure of individually identifiable health information on behalf of a covered entity. The HIPAA Privacy Rule is an assurance, manifested through a written agreement, that the business associate will safeguard this information disclosed to it by the covered entity. Provisions of the American Recovery and Reinvestment Act (ARRA) place an obligation on the health care provider to monitor the business associate's compliance with the HIPAA Privacy Rule. = Who monitors the business associate's compliance with HIPAA? => the health care provider has a duty to monitor (HIPAA Privacy compliant) the business associate's compliance with the terms of the agreement, particularly any HIPAA provisions. For that reason, health care providers would be wise to include audit provisions in the agreement.
6. Compound authorization, pgs. 193-194
= a compound authorization refers to an authorization for use or disclosure of patient-specific health information that is combined with another document. It is permitted in instances of combining both treatment and research, for psychotherapy notes, and in other instances where the health care provider has not conditioned the provision of treatment, payment, eligibility for benefits, or enrollment in a health plan on obtaining the authorization.
9. Institutional Review Board - Role, pg. 201
= a group formally designated by an institution to safeguard the rights and welfare of human subjects by reviewing, approving, and monitoring medical research.
13. Public health threats, pg. pgs. 206-207
= a wide variety of health care problems that potentially endanger the public health and must be reported to a public health agency. = common public health threats include communicable diseases (such as venereal diseases and AIDS), child abuse, injuries caused by deadly weapons, fetal deaths, and cancer. = each state's law details its reporting requirements, including a listing of threats that must be reported, time frames within which to report the threat, and whether to disclose patient identity. = providers and institutions report threats to their state department of health and/or to local law enforcement agencies (depending on the threat). In turn, state agencies aggregate their data and send it to the U.S. Public Health Service. = failure to report may be an infarction of the law = the HIPAA Privacy Rule mandates disclosure in certain circumstances, negating the need to obtain the patient's authorization before releasing information. Examples of those mandated disclosures are found in Table 102
4. Notice Accompanying Disclosure, Figure 11.4, pg. 221
= another difference between a general ROI and that used for substance abuse programs is the regulation prohibiting disclosure. Federal regulations prohibit the person or facility receiving the patient information from further disclosing the information unless the patient has given written consent addresing this redisclosure. A notice prohibiting "redisclosure" must accompany any disclosure of patient specific information. = the regulations does not give any freedom to the treatment program (drug and alcohol abuse) to develop the notice prohibiting redisclosure. Each program must use the statement listed in the regulation. This statement is illustrated in Figure 11.4
6. Official Record vs. Personal Record (psychotherapy notes), pg. 227
= another difference between general health records and mental health/developmental disability care health records is the existence of 2 separate records: 1. Official record = contains info necessary to document the patient's care and treatment: Hx and mental status exam, consent forms, treatment plans, physician orders, lab results, etc. = This is the record required to be maintained by law. = the official or public record maintained by the treatment facility 2. Personal Record (Psychotherapy Notes) = maintained by the clinician consists of notes in the clinician's sole possession that gives the clinician's viewpoint of the patient and their communications = HIPAA regulations define this as "ones recorded by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session." This definition excludes medical Rx and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Dx, Functional status, treatment plan, symptoms, prognosis, and progress to date. = the clinician's personal record does not substitute for progress notes in the official record and is kept separate from the official record. = there is no legal requirement that a personal record be maintained in addition to the official record.
1. HIPAA Privacy Rule, pgs. 182-185, 191
= establishes the patient's right of access to his own health information. = While the HIPAA recognizes a patient's right of access, it does not go as far as specifying that the health care provider acts in a trust capacity for the patient. = dictate that the patient be notified of (patient-specific health information) uses and be given the opportunity to consent, reject, or request restriction of this information for any or all of the many uses of the health record serves. This notice requirement is called NOTICE OF PRIVACY PRACTICES. The rule details both the content of the notice and the methods by which the patient is notified of the health care provider's information practices. = sets a standard where the health care provider may seek the patient's consent (agreement) before using protected health information to carry out TPO. = previously, the Privacy Rule allowed covered entities to not honor the patient's request, making it possible for them to even condition treatment (in the case of a health care provider) or enrollment (in the case of a health plan). ARRA modifies the health care provider's ability to honor or not honor a patient's request to restrict disclosure of PHI. = the difference between written consent vs written authorization: consent is agreement (ex: Consent to the Use and Disclosure of Health Information for TPO) while authorization is to give permission (ex: ROI authorization forms).
7. GINA Genetic Information Nondiscrimination Act, Table 11.1, pgs. 232-233
= strengthens the safeguards provided by HIPAA and state laws by including protections against misuse of genetic information in employment and insurance contexts. (HIPAA offers protection against genetic discrimination for health insurance purposes; GINA offers protections against genetic discrimination for both employment and insurance purposes.) = further, GINA sets a floor of protections, allowing a state to enact more stringent safeguards where appropriate. This approach is the opposite of preemption, a doctrine that allows federal laws to take precedence over state laws. Individual states may offer greater rights/protections to individuals concerning the use of genetic information than those rights and protections provided by GINA. = the rights and protections offered by GINA may also affect participation in clinical research studies positively by increasing the willingness of patients to consider undergoing the genetic tests required as part of a research study protocol. = Specific protections afforded by GINA are listed in Table 11.1
3. Sequestering of data and who issues regulations regarding this issue (Secretary of Health and Human Services), pg. 190
= the health care provider and by extension-- the health information professional-- may be required to sequester data for some situations (e.g. payment and operations) but not for others (e.g. treatment). = Who issues regulations regarding this issue? => Secretary of HHS = the HITECH-HIPAA Omnibus Final Rule permits patients to sequester information from their health record if they pay for the related service out of pocket. (pg 192).
4. Preemption, pg. 191
= this doctrine states that certain matters are of such a national, as opposed to local, nature that federal laws preempt, or take precedence over, state laws. In such circumstances, the federal laws will apply. Under the HIPAA Privacy Rule, there is no preemption, so the health information professional must understand both the HIPAA Privacy Rule and any state provisions that are more stringent than HIPAA. = the first step in how to reconcile federal and any state requirements is to address the question of preemption. The second step is compliance with both the federal and state standards. (Ex: HIPAA Privacy Rule and ARRA. The terms of the HIPAA Privacy Rule do not preempt the laws, rules, or regulations of the states, except where the state laws/rules/regulations are contrary to the HIPAA Privacy Rule. Therefore, the HIPAA Privacy Rule provides a floor of protections, allowing a state to enact more stringent protections.)
2. Ownership of Health Information, pg. 182-184
= traditionally, the law has focused on the medium used: the paper-based health record. Over time, the trend has moved away from focusing on the medium used and toward the protection of health information itself. The idea of placing health information in a trust capacity is a trend of the future (the health care provider acts as a trustee for the patient's benefit to create, receive, and protect patient-specific health information). = one general rule of ownership is accepted in virtually all of the US: the health record, as a medium, is owned by the health care provider, with the patient possessing a right or interest in the health information contained in it. This general rule is established at the federal level through the HIPAA Privacy Rule and at the state level by statute, by licensing regulation, and by judicial decision. Health record banks = repositories of PHRs in e-form operated by governmental or commercial entities who serve as trusted custodians of the data contained in the health record bank. = data is added by the patient, caregiver, and others to the PHR over the patient's lifetime. This data is fully accessible by the patient and available to others upon the patient's consent.
12. Methods of Disclosure, pg. 195
= who may grant the authority to release health information is a matter governed by state law and regulation. Generally, the authority to release information rests with: (1) the patient if the patient is a competent adult/emancipated minor (2) a legal guardian or parent on behalf of a minor child (3) the executor or administrator of an estate if the patient is deceased. = PHI is no longer protected (i.e. ROI is no longer required) 50 years after a patient's death = state law/regulation does not specify methods of disclosure. Rather, professional guidelines and institutional practices govern. = disclosure of health information is most frequently handled by mail but may also be accomplished through: > electronic transmittal > facsimile machine > telephone where the mail method will not meet the need for urgent patient care.
12. Anonymous testing, Mandatory Testing, Voluntary testing, pgs. 236-237
All three types of testing detect HIV infection. Voluntary testing involves the consent of the individual to be tested. Mandatory testing involves the forcing of the individual to be tested, without the individual's right to refuse. Anonymous testing is a form of voluntary testing, allowing the individual to maintain anonymity by using a unique identifier in lieu of a signature on the consent form and name of the vial containing the blood sample
10. HIV- Pre-test Counseling, pg. 235
Name the three areas that encompass voluntary HIV testing: Consent for testing, delivery of pretest information, and disclosure of test results. = in addition to written informed consent for voluntary HIV testing, most states place a burden on the health care provider ordering the HIV test to deliver certain pretest information to the individual to be tested. This is often referred to pretest counseling or consultation, common requirements include: (1) distributing information about the type of tests involved (2) the testing methodology employed (3) the meaning of the test results (4) the methods of transmitting the disease (5) the methods of reducing risk of transmisttion
1. Specialized records vs. general health records - differences, pg. 217
The specialized patient records covered in this chapter involves substance (drug and alcohol) abuse, mental health, developmental disability, genetic information, home health care, and HIV/AIDS status. One distinguishing aspect between specialized patient records and general health record is the nature of the information present in the record. Specialized patient records include not only medical information but therapeutic mental and emotional information as well. The volume of this therapeutic mental and emotional information is often greater than that contained in general health record, and combine with the lengths of stay of many of these type of patients, creates a voluminous health record, thereby raising storage concerns, which in turn affect record retention policies. Secondly, a specialized health record involving abuse or mental health may also include entries made by paraprofessionals, such as teachers or counselors with no license or certification. Finally, health information of specialized patient records are subject to more stricter confidentiality requirements.
9. Disclosure without Written Patient Authorization, pg. 229
for Mental Health/Developmental Disability = may be disclosed without patient authorization only where statutory or regulatory authority allows disclosure. = state law may allow disclosure without patient authorization to health care personnel within the treatment facility or under the treating clinician's supervision. = the HIPAA Privacy Rule permits health care provider to disclose information without the patient authorization if the patient is incapacitated or an emergency situation exists as long as the provider determines it is in the patient's best interest to do so. The Privacy Rule permits disclosure only of the protected health information that is directly relevant to another person's involvement in the patient's care or payment for care (health care personnel with a "need to know"). = state law may also permit disclosure without patient authorization to: > persons conducting peer review > an atty defending the treatment facility > any agency that has custody of the recipient (ex: wardn that has custody of a prisoner) > parents or legal guardian of the resident, to law enforcement officers or to court in judicial proceedings = because the authority to disclose without patient authorization is based in most part on state law, the HIM professional should be familiar with the applicable state law in addition to HIPAA Privacy Rule.