HIPAA
who oversees HIPAA?
the office for civil rights (OCR) enforces the privacy regulations providing guidance and monitoring compliance. the department of justice (DOJ) is involved in criminal privacy violations. they provide fines, penalties, and imprisonment to offenders. the public is also educated about their privacy rights and will take the appropriate actions if they are violated.
what is "HIPPA"? what does it stand for?
HIPAA is an acronym for health insurance portability and accountability act of 1996. it provides a framework for establishment of nationwide protection of patient confidentiality, security of electronic systems, and standards and requirements for electronic transmission of health information.
are members of the workforce who are not involved in a patient's care allowed to review the patient's chart out of curiosity?
No they are not because it violates HIPAA
if someone forgets their login, can I let them use mine? why or why not?
No, because they may access a patient's information that you have no authorization to access. you will be held responsible for violating HIPAA because that patient's information was accessed under your login.
what is PHI?
PHI is an acronym for protected health information and may include information in the health record, such as encounter/visit documentation, lab results, appointment dates/times, invoices, radiology films and reports, history and physicals (H&P) and patient identifiers.
how can you identify if information is PHI?
PHI is individually identifiable health information that is created or received be a health care provider, health plan, employer, or health care clearing house and that relates to the past, present, or future physical or mental health or condition of an individual. it is also the past, present , or future payment for the provision of health care to an individual.
what is a privacy officer?
a privacy officer is responsible for the development and implementation of the policies and procedures of the entity. they are designated to receive and address complaints regarding privacy. they also provide additional information as requested about matters caused by the notice of privacy practices. the designation of the privacy officer must be documented.
what makes a good password?
a strong password uses at least 6-8 characters, min of 2 letters and one number, and both capital and lowercase letters.
explain what amending is
amending is a change or correction to a patient's PHI
explain the difference in consent and authorization.
authorization is required by the privacy rule for uses and disclosures of PHI not otherwise allowed by the rule. an authorization is a detailed document that gives covered entities permission to use PHI for specific purposes. an authorization must include a description of the PHI to be used and disclosed, the person authorized to make the use or disclosure, an expiration date, and the purpose for which the information may be used or disclosed. consent is required for a covered health plan provider to use and disclose client information for the purposes of health care treatment, payment, and operations.
who can you release PHI to?
generally, you can release PHI to anyone the patient wants.
what are some things i can do to be more alert to privacy and security?
i can access only trusted and approves sites, not download programs onto my workstation computer, not open email attachments or emails I am suspicious of or don't know the sender, or not forward jokes. i can also follow my organization's privacy and security policies.
Explain a covered entity
individuals, organizations, and agencies that use electronic form that must comply with HIPAA's regulations. a covered entity is a healthcare provider, health plan, or a healthcare clearing house. a healthcare provider includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, or pharmacies. insurance companies are also covered entities and may include HMO's, company plans, or government plans. healthcare clearing houses are entities that process nonstandard health information they get from an entity to be submitted for payment.
what does "minimum necessary" mean?
it is to use or disclose only the minimum necessary to accomplish the intended purpose of the use, disclose, or request. limit the PHI provided to a "need to know" basis.
list what is in a notice of patient privacy
the purpose of a NPP is to summarize how an organization uses and discloses a patient's PHI. it also details a patient's rights with respect to their PHI.
explain who a business associate is
they are companies that "maintain" PHI on behalf of a covered entity (CE), data storage companies, patient safety organizations, or companies that transmit PHI to a CE. they also include personal health record vendors, and subcontractors to business associates that create, receive, maintain, or transmit PHI on behalf of the business associate.
what can happen to a person who knowingly violates patients patient privacy for personal gain or malicious harm?
they may face a $250,000 fine and 10 years in prison for obtaining and disclosing for commercial advantage, personal gain, or malicious harm.
explain TPO (treatment, payment, and healthcare operations)
treatment is providing care to patients. payment is provision of benefits and premium payment. healthcare operations are the normal business activities such as reporting, quality improvement, training, auditing, customer, service, and resolution of grievances data collection and eligibility checks and accreditation.
explain the difference in use and disclose.
use is when we review or us PHI internally such as audits, training, customer service, or quality improvement. disclose is when we release or provide PHI to someone, for example, to an attorney, patient, or faxing records to another provider.
who is responsible about addressing patient complaints about privacy?
we must respond to privacy and security co plaints. all privacy complaints must be reported.
should i report a security or privacy violation?
you should immediately report a security or privacy violation to your supervisor or office manager.
you login to the computer three times. each time, a message box tells you that your password is incorrect. what should you do?
you should notify your supervisor or office manager and reset your password.
