Ch. 6 The Privacy and Security of Electronic Health Information
Authorization
(special permission) permission to use and disclose information for uses other than TPO.
The authorization document must be easy to understand and must include the following:
- A description of the information to be used or disclosed
- The name or other specific identification of the persons authorized to use or disclose the information
- The name of the persons or group to whom the covered entity may make the use or disclosure
- A description of each purpose of the requested use or disclosure
- An expiration date
- The signature of the individual (or authorized representative) and the date
What are the basic types of threats that come from individuals?
- Employees who make unintentional mistakes
- Employees who abuse their security privileges
- Outsiders who try to damage or steal information
- Employees who hold grudges or make threats
The HIPAA legislation was designed to:
- Ensure the portability of insurance coverage as employees moved from job to job
- Increase accountability and decrease fraud and abuse in health care
- Improve the efficiency of health care transactions and mandate standards for health information
- Ensure the security and privacy of health information
The Privacy Rule says that covered entities must:
- Have privacy policies and procedures that are appropriate for their health care services
- Notify patients about their privacy rights and how their information can be used or disclosed
- Train employees so that they understand the privacy practices
- Appoint a privacy official responsible for seeing that the privacy policies and procedures are implemented
- Safeguard patients' records
Some of the provisions the HHS was required to establish included:
- National standards for electronic health care transactions
- National identifiers for providers, health plans, and employers
- Rules to protect the privacy and security of health information, known as the Privacy Rule and the Security Rule
In addition, the rule states that a valid authorization must include statements:
- Of the individual's right to revoke the authorization in writing
- About whether the covered entity is able to base treatment, payment, enrollment, or eligibility for benefits on the authorization
- That information used or disclosed after the authorization may be disclosed again by the recipient and may no longer be protected by the rule
Covered entities must comply with a number of requirements, including:
- Possessing a set of privacy practices that are appropriate for their health care services
- Notifying patients about their privacy rights and how their information can be used or disclosed
- Training employees so that they understand the privacy practices
- Appointing a member of the staff to be the privacy official responsible for seeing that the privacy practices are implemented
- Keeping patients' records safe and secure
The HIPAA Privacy Rule also provides significant rights to patients. What are these rights?
- Receive a written notice of information practices
- Ask to access, inspect, and obtain a copy of their PHI
- Request an accounting of disclosures
- Request amendment of records
- Request restrictions on uses and disclosures of their PHI
- Receive accommodation of reasonable alternative communications requests
- File a complaint about a violation with the organization or with the Office for Civil Rights (OCR) in the Department of Health and Human Services
Certain health care benefits are exempt from the HIPAA standards even when provided by health plans:
- Workers' compensation
- Coverage for on-site medical clinics
- Accident or disability income insurance
- General and automotive liability insurance
- Automobile medical payment insurance
When should patients be given a copy of the NPP?
At the time of their first encounter, and at least every three years thereafter.
______ must be obtained for uses and disclosures other than for TPO.
Authorization
To ensure that confidential health information is protected once it is exchanged with non-CEs, HIPAA requires CEs to enter into contracts with?
Business Associates
ePHI
Electronic Protected Health Information; PHI created, received, maintained, or transmitted in electronic form.
____ is the most significant legislation affecting the health care field since the Medicare and Medicaid programs were introduced in 1965.
HIPAA (1996)
Administrative Simplification
HIPAA Title II, on the uniform transfer of electronic health care data and privacy protection.
Who are considered covered entities?
HIPAA, health plans, providers, and clearinghouses
NPP
Notice of Privacy Practices; document describing practices regarding use and disclosure of PHI.
What is one of Americans' civil rights?
Privacy
Payment
Providers usually submit claims to health plans on behalf of patients, which involves exchanging demographic and diagnostic information.
Designated Record Set (DRS)
The HIPAA term for a group of records and information that includes PHI and is maintained by a covered entity.
OCR
The Office of Civil Rights; charged with investigating complaints that HIPAA privacy regulations have been violated.
Integrity of ePHI
The information is not changed in any way during storage or transmission, is authentic and complete, and can be relied on to be sufficiently accurate for its purpose.
Confidentiality of ePHI
The information is shared only among authorized individuals or organizations.
Operations
This purpose includes activities such as tracking and measuring adherence to quality standards, accreditation, staff training, and business planning.
Treatment
This purpose primarily consists of discussion of the patient's case with other providers.
What are the two parts/titles of the legislation?
Title I - Health Insurance Reform ; Title II - Administrative Simplification Standards
Under the HIPAA Privacy Rule, covered entities must list their privacy policies and procedures in?
a Notice of Privacy Practices (NPP)
For purposes of the HIPAA privacy rule what does record mean?
any item, collection, or grouping of information that includes PHI and is maintained by the covered entity.
Covered entities may use and disclose PHI only .....?
as permitted by HIPAA or by a more protective state rule if one applies.
The Privacy Rule applies to PHI in any form. What forms can it take?
communicated verbally, written or printed on paper, or maintained in an electronic format.
Clearinghouses
companies that process health information and execute electronic transactions, such as the submission of insurance claims, on behalf of providers.
Which physical devices and media holding ePHI are covered?
computers, USB flash drives, CDs, and magnetic tapes; computer networks; and information sent or received over the Internet.
What are the goals of the HIPAA security standards?
confidentiality, integrity, availability
Business Associates
entity that works under contract for a covered entity and is therefore subject to the CE's HIPAA policies and procedures.
What are some of the environmental hazards?
fires, floods, and earthquakes; utility failures (power outages)
Many in Congress believed that establishing national standards for electronic health information, and the greater use of technology in transaction processing, would lead to.......?
gains in efficiency and significant cost savings.
Who does the Security Rule apply to?
health care professionals and organizations that meet the definition of covered entity, just as the HIPAA Privacy Rule does. It covers only Electronic Protected Health Information.
HIPAA only applies to.....?
health care professionals and organizations that provide health care in the normal course of business and that electronically transmit information that is protected under HIPAA.
Threats to information security come from a number of sources, what are some of these sources?
individuals, the environment, and computer hardware, software and networks.
What are some of the electronic hazards?
insufficient security in the hardware or software, programming errors, changes to existing software including upgrades, and the addition of new users to the system.
Health Plan
insurance plan that provides or pays for medical care
De-identified health information
is information that neither identifies nor provides a reasonable basis for identifying an individual.
Title II Administrative Simplification Standards
is the section of HIPAA that is important to the discussions in this chapter.
Minimum Necessary Standard
means using reasonable safeguards to protect PHI from being accidentally released---to those who do not need access to the information---during an appropriate use or disclosure.
The CE may be held responsible for the actions of its business associates if it knew?
of a pattern of activity that was in violation of the contract and it failed to take reasonable steps to fix the problem.
Providers
people or organizations that furnish, bill, or are paid for health care in the normal course of business
Covered Entities (CEs)
professionals and organizations that normally provide health care and electronically transmit PHI.
What type of patient information is not subjected to law?
protected health information (PHI)
What is the challenge health care is facing today with electronic health information?
protecting information exchanged over computer networks with many access points and convincing the public to trust the electronic systems.
HIPAA Security Rule
protects the confidentiality, integrity, and availability of electronic health information.
These rules for use and disclosure do not apply to the release of PHI in certain circumstances, including....?
public interest purposes as public health, law enforcement, research, workers' compensation cases, and national security situations.
Disclosure
refers to the release of PHI to an outside provider or organization.
Information about alcohol and drug abuse, sexually transmitted diseases, HIV, and behavioral and mental health services may not be released without a?
specific authorization
HIPAA was created in part to improve.....?
the efficiency of financial and administrative health care transactions
Title I Health Insurance Reform
the section of the law that allows individuals to continue health insurance coverage when they change jobs.
How do you complain to the OCR?
Complaints must be in writing and sent either on paper or electronically, and must be filed within 180 days of when the individual knew or should have known that the act had occurred.
Under the HIPAA privacy standards, covered entities may use and disclose PHI for?
treatment, payment, and operations (TPO) purposes without special permission from a patient.
TPO
treatment, payment, and operations; conditions under which PHI can be released without patient consent.
HIPAA Privacy Rule
was enacted to protect the confidentiality, integrity, and availability of electronic health information.