Law and Ethics Chapter 7

Rule

A document that includes the HIPAA standards or requirements

Protected health information (PHI) refers to

All health records collected for a patient, including lab results, X-rays, notes, and so on

To remove patient-identifying information from PHI

De-identify.

What are the two required disclosures of healthcare information that HIPAA mandates?

Disclosure to authorized HHS representatives; disclosure to patient

One of two types of PHI access mandated by HIPAA

HIPAA representatives ask to see PHI

Firewalls

Hardware, software, or both designed to prevent unauthorized persons from accessing electronic information

Protected Health Information (PHI)

Information that contains one or more patient identifiers.

Covered entities

Physicians and pharmacists

Which of the four standards is most concerned with confidentiality of medical records?

Standard 2: Privacy Rule

Verification

The requirement under HIPAA that a patient's identity be verified before protected health information is released

Encryption

The scrambling or encoding of information before sending it electronically

Transaction

Transmission of information between two parties for financial or administrative activities

Minimum Necessary

a Term referring to the limited amount of patient information that may be disclosed, depending on circumstances.

Shirley, an EMT, is off duty and is driving her private vehicle on the interstate in a snowstorm. The care ahead of Shirley hits an icy patch and skids off the road, overturning as it his the ditch. Shirley stops to help and dials 911 on her mobile phone. The lone woman in the wrecked car has scratches and bruises and an obviously broken arm. While Shirley is helping the woman, a news van stops and a television reporter films the wreck for the evening news. The injured driver refuses to answer questions, so the reporter turns to Shirley, who knows the injured driver's name. 36. May Shirley tell the television reporter the injured woman's name without violating federal law? Why or why not?

?

Is the HIPAA Privacy Rule prohibitively expensive to implement?

A 2002 White House report estimated the costs of implementing privacy over 10 years at about $18 billion. Savings incurred through implementation were estimated at about $29.9 billion over 10 years. However, some sources disagree with these figures, estimating it could cost around $43 billion over 10 years for healthcare providers to comply with HIPAA.

Treatment, Payment, and Healthcare Operations (TPO)

A HIPAA term for qualified providers, disclosure of PHI to obtain reimbursement, and activities and transactions among entities. Treatment means that a healthcare provider can provide care; payment means that a provider can disclose PHI to be reimbursed; healthcare operations refers to HIPAA-approved activities and transactions.

Health Insurance Portability and Accountability Act (HIPAA)

A federal law passed in 1996 to protect the privacy and other healthcare rights for patients. The act helps workers keep continuous health insurance coverage for themselves and their dependents when they change jobs, protects confidential medical information from unauthorized disclosure and/or use. It was also intended to help curb the rising cost of healthcare fraud and abuse.

Standard

A general requirement under HIPAA

A business associate is? a. A person, group, or organization outside the medical practice that has a HIPAA-approved reason to see protected health information. b. A healthcare practitioner's financial advisor. c. Anyone who sells products related to healthcare. d. None of the above.

A person, group, or organization outside the medical practice that has a HIPAA-approved reason to see protected health information.

Which of the following is not considered marketing under HIPAA provisions? a. A pharmaceutical company wants to send special mailings to a provider's diabetic patients to announce a new blood sugar testing device. b. A reminder to female patients when their mammograms should be scheduled. c. Cholesterol screening results sent to patients through the mail. d. None of the above.

A reminder to female patients when their mammograms should be scheduled.

Notice of Privacy Practice (NPP)

A written document detailing a healthcare provider's privacy practices.

What information must be included in healthcare facility privacy notices?

Access to medical records and the right to copy them; Request for amendment to designated record set; Request for an accounting of disclosures of PHI; Request to be contacted at an alternate location; Requests for further restrictions on who has access to PHI; Right to file a complaint.

Which of the following is not a violation of HIPAA's Privacy Rule? a. You call across a crowded waiting room to tell a patient he has forgotten his prescription for dilantin, a drug used to control seizures. b. You are a medical assistant for a physician's private practice, and you tell a friend, who is a bank teller, that a mutual friend has seen your employer and is pregnant. c. A telephone caller identifies himself as an insurance plan representative and requests PHI. You do not know the caller, but you comply. d. All of the above are violations of HIPAA's Privacy Rule.

All of the above are violations of HIPAA's Privacy Rule.

Which of the following are the privacy officer's responsibilities? a. Researching the Privacy Rule. b. Helping to develop the Notice of Privacy Practice. c. Training staff on privacy policies and procedures. d. All of the above.

All of the above.

You could unintentionally expose content on your personal computer or your employer's system network by a. Shopping on the Internet while you are at work. b. Downloading games from the Internet. c. Sending and receiving unsecured emails to and from friends. d. All of the above.

All of the above.

What is an electronic transmission, and how and why does HIPAA address it?

An electronic transmission is the sending of information from one network-connected computer to another. HIPAA addresses it because protected health information is often transmitted electronically, and such transmissions must protect patient confidentiality.

You are a nurse and a teenaged patient's mother tells you she wants access to her daughter's medical records. 38. What will you do?

Answer depends upon the circumstances. If the child is a minor and if the information is not about the teenager's need for birth control or other sexual orientation health care, then the mother has the right to the information. However, if the child is not a minor and/or the information is pertinent to the daughter's care because she (the daughter) is sexually active, then the mother is not entitled to the information. Most physicians try to cover themselves in such situations by making sure all the appropriate releases are in place when minors are accepted as patients.

Covered transactions

Billing patients and filing insurance claims

Which federal government agency deals with compliance and implementation of the National Identifier Standard?

Centers for Medicare and Medicaid Services

Patient complaints about privacy must be directed to which government agency?

Complaints are filed with HHS, through the Office for Civil Rights

What is the determining factor in deciding whether or not healthcare providers are considered covered entities under HIPAA?

Covered entities are health care providers that transmit HIPAA standard transactions electronically and are people, businesses, or agencies that must comply with the HIPAA Standards and Privacy Rule.

The HIPAA-mandated standard for electronic transmissions.

Electronic data interchange (EDI)

Covered transactions

Electronic exchanges of information between two covered-entity business partners using HIPAA-mandated transaction standards.

One of a patient's six rights mandated by HIPAA

File a complaint

Privacy

Freedom from unauthorized intrusion

Mona frequently travels for her job, and even when she is in town, she's usually reached most easily on her mobile phone. She has three teenagers at home and doesn't want them to pick up her healthcare messages. She also wants her medical bills sent to her work address. 34. What should Mona's healthcare provider do to accommodate her requests?

Give Mona a privacy notification form on which she can stipulate where she wants to be notified, and who she authorizes to receive her health care messages.

1996 Health Insurance Portability and Accountability Act (HIPAA)

Guarantees that workers who change jobs can obtain health insurance. Increases efficiency and effectiveness of the U.S. healthcare system by electronic exchange of administrative and financial data. Improves security and privacy of patient-identifying information. Decreases the U.S. healthcare system transaction costs.

Are there legal penalties for healthcare providers who violate the HIPAA Privacy Rule?

HHS may impose civil penalties ranging from $100 to $25000 per offense. The U.S. Department of Justice may enforce criminal sanctions ranging from $50,000 to $250,000 for each offense, with corresponding prison terms.

May the media still access public information from hospitals about accident or crime victims?

HIPAA lets hospitals continue to make public certain patient directory information, as specified above in the question about hospital directories. If the patient specifically opts out of having such information made public, then the hospital must respect his or her wishes.

Is a hospital allowed to share patient information with the patient's family without the patient's expressed content?

HIPAA provides that a healthcare provider may disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual", medical information directly relevant to such person's involvement with the patient's care or payment related to the patient's care.

Does the Privacy Rule mandate many new disclosures of PHI?

HIPAA requires just two disclosures of PHI: One to HHS representatives who ask to review provider information, and the second to patient who ask to review their own medical records. Disclosure is permitted, but not mandated, in other situations, as discussed above.

Circle the letter for the statement that is NOT true of HIPAA: a. HIPAA requires that health care practitioners change a medical record if a patient complaints. b. If a patient asks to see his or her medical record, the request must be honored. c. Healthcare practitioners must supply patients who ask with a list of those who have received copies of the patient's medical record. d. Under HIPAA, any healthcare facility that transmits protected health information electronically is a covered entity.

HIPAA requires that health care practitioners change a medical record if a patient complaints.

HIPAA stands for

Health Insurance Portability and Accountability Act

The first federal law to deal thoroughly and explicitly with the privacy of medical records is_______

Health Insurance Portability and Accountability Act (HIPAA)

Does the HIPAA Privacy Rule prohibit or discourage doctor-patient emails?

Healthcare practitioners can continue to correspond with patients via email, but appropriate electronic safeguards must be in place.

Covered entities

Healthcare providers and clearinghouses that transmit HIPAA transactions electronically, and must comply with HIPAA standards and rules

May clergy members learn whether members of their congregation or religious affiliation are hospitalized?

Hospitals may continue disclosing directory information to member of the clergy, unless the patient has objected to such disclosure.

Covered Entities include

Hospitals, including academic medical centers Nursing homes Hospices Pharmacies Physician practices Dental practices Chiropractors Podiatrists Osteopaths Physical therapists Alternative medicine practitioners (acupuncturists, massage therapists) Laboratories Health plans (payers) Healthcare clearinghouses

State preemption

If a state's privacy laws are stricter than HIPAA privacy standards, state laws take precedence

HIPAA's Privacy Rule protects PHI a. Only in electronic form. b. Only in written form. c. Only in spoken form. d. In all of the above forms.

In all of the above forms

Name four common points in most federal and state privacy laws

Information collected and stored about individuals should be limited to what is necessary to carry out the functions of the business or government agency collecting the information. Once collected, access to personal information should be limited to those employees who must use the information in performing their jobs. Personal information cannot be released outside the organization collecting it unless authorization is obtained from the subject. When information is collected about a person, that person should know that the information is being collected and should have the opportunity to check the information for accuracy.

Lewis received a basketball scholarship to attend college, and he signed a form giving the university health service permission to access his healthcare records. Lewis now wants to know what is included in his healthcare records. 35. What should Lewis's healthcare provider do?

Lewis can request a list of all those who have received his PHI, and his health care provider should fulfill his request.36. No, the EMT cannot release this information—especially since the patient herself refused to release the information—because to do so would violate the patient's privacy.

Refers to providing only as much patient information as needed for a request or to conduct healthcare business.

Minimum necessary

Shirley, an EMT, is off duty and is driving her private vehicle on the interstate in a snowstorm. The care ahead of Shirley hits an icy patch and skids off the road, overturning as it his the ditch. Shirley stops to help and dials 911 on her mobile phone. The lone woman in the wrecked car has scratches and bruises and an obviously broken arm. While Shirley is helping the woman, a news van stops and a television reporter films the wreck for the evening news. The injured driver refuses to answer questions, so the reporter turns to Shirley, who knows the injured driver's name. Rescue services arrive while the television reporter is there. Can the ambulance attendants, who are also EMT s, tell the television reporter the apparent extent of the woman's injuries? Why or why not?

No, they cannot release the information because to do so would violate the patient's privacy

If I need emergency assistance from the police or fire department, is the 911 dispatcher prohibited from giving my name to rescue units or EMT s?

No. Names and addresses should be given to rescue or EMT staff for help in locating patients and treating their medical problems as quickly as possible.

A document that informs patients on how a healthcare provider intends to use and disclose patient information and also informs patients of their rights is called

Notice of Privacy Practices

Which of the following is true under HIPAA? a. HIPAA language states unequivocally that patients have no standing to sue under the law. b. Patients must submit complaints to the Secretary of Health and c.Human Services through the Office of Civil Rights. c. Only a court of law can hear patients complaints. d. None of the above.

Patients must submit complaints to the Secretary of Health and Human Services through the Office of Civil Rights

A valid reason to disclose protected health information

Permission

As a patient, how can I protect the privacy of my health care information?

Privacy experts recommend that you

Limited Data Set

Protected health information from which certain specified direct identifiers of individuals have been removed

Permissions

Reasons under HIPAA for disclosing patient information

Designated Record Set

Records maintained by or for a HIPAA-covered entity

This person evaluates, manages, and reports on the security of a health provider's electronic data

Security officer

If a patient complains that his privacy was breached, what should you ask that he do? a. Call a lawyer. b. Speak to your privacy officer to try to handle the complaint in the office. c. Immediately file a complaint with the Office for Civil Rights. d. Discuss the problem with someone else in the office.

Speak to your privacy officer to try to handle the complaint in the office.

Briefly summarize the four HIPAA standards

Standard 1: Transactions and Code Sets—for uniformity in reporting Standard 2: Privacy Rule—for protecting PHI during electronic transmission Standard 3: Security Rule—for securing electronic storage and transmission against unauthorized intruders Standard 4: National Identifier Standard—providers for uniform national identifiers for the movement of electronic transactions. The four identifiers are: provider, health plan, employer, and individual.

Which of the four HIPAA Standards addresses Administrative Simplification?

Standard 1—Transactions and Code Sets

Define state preemption

State preemption means that if a state's privacy laws are stricter than HIPAA privacy standards and/or guarantee more patients' rights, the state laws will take precedence.

May a patient be listed in the hospital's directory without the patient's consent, and may the directory be shared with the public?

The HIPAA Privacy Rule allows hospitals to continue providing directory information to the public, unless the patient has specifically chosen not to be included. Hospital directories can include the patient's name, location in the facility (such as hospital floor and room number), and condition in general terms. The information can also be disclosed to callers who ask for the patient by name, but the patient must be informed in advance of this use and disclosure and must have the opportunity to opt out.

Can patients sue healthcare providers who do not comply with the HIPAA Privacy Rule?

The HIPAA Privacy Rule does not give patients the express right to sue. Instead, the person must file a written complaint with the Secretary of Health and Human Services through the Office for Civil Rights. The HHS Secretary then decides whether or not to investigate the complaint. Patients may have other legal standings to sue, under state privacy laws.

May a patient's family member pick up prescriptions for the patient?

The Privacy Rule allows family members or others to "pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information."

If a patient refuses to sign an acknowledgement stating that he or she received the healthcare provider's Notice of Privacy Practices, must the healthcare provider refuse to provide services?

The Privacy Rule gives the patient a "right to notice" of privacy practices for protecting identifying health information. It requires that providers make a "good faith effort" to have patients acknowledge receipt of the notice, but the law does not give healthcare practitioners the right to refuse treatment to people who do not sign the acknowledgement.

Which of the following is not covered by HIPAA's Security Rule? a. The content of all documents pertaining to patient privacy. b. Maintaining electronic security for networked computers. c. Using HIPAA standards for electronic transmission of protected health information. d. None of the above.

The content of all documents pertaining to patient privacy

If a state law and HIPAA's federal law disagree, which law should you follow?

The law that most stridently protects patient privacy

An unauthorized person (a computer hacker) manages to access the computers in the hospital where you work and downloads information. Who is the most likely person to handle the disaster? a. The privacy officer b. The hospital administrator c. The security officer d. The medical records supervisor

The security officer

Electronic Transmission

The sending of information from one network-connected computer to another.

Security

The use of policies and procedures to protect electronic information from unauthorized access

Electronic Data Interchange (EDI)

The use of uniform electronic protocols to transfer business information between organizations via computer networks

The primary reason for the Security Rule is

To mandate protection of electronic networks and equipment from unauthorized intrusion

De-identify

To remove all information that identifies patients from healthcare transactions.

What is the primary objective of Administrative Simplification?

To standardize and simplify the recording and transmission of health information

The department of the federal government responsible for supervising HIPAA compliance and implementation is

U.S. Department of Health and Human Services (HHS)

Code set

Under HIPAA, terms that provide for uniformity and simplification of health care billing and record keeping.

Networks closed to the Internet that are provided by the telephone company

Value-added networks

May one physician's office send a patient's medical records to another physician's office without the patient's consent?

Yes