Chapter 9 - Data Privacy and Confidentiality


Confidentiality

1. A legal and ethical concept that establishes the health care provider's responsibility for protecting health records and other personal and private information from unauthorized use or disclosure 2. As amended by HITECH, the practice that data or information is not made available or disclosed to unauthorized persons or processes (45 CFR 164.304 2013)

Consent

1. A patient's acknowledgement that he or she understands a proposed intervention, including that intervention's risks, benefits, and alternatives 2. The document signed by the patient that indicates agreement that protected health information (PHI) can be disclosed

Business associate (BA)

1. A person or organization other than a member of a covered entity's workforce that performs functions or activities on behalf of or affecting a covered entity that involve the use or disclosure of individually identifiable health information 2. As amended by HITECH, with respect to a covered entity, a person who creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services (45 CFR 160.103 2013)

Authorization

1. As amended by HITECH, except as otherwise specified, a covered entity may not use or disclose protected health information without an authorization that is valid under section 164.508 2. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with the authorization (45 CFR 164.508 2013)

Subpoena

A command to appear at a certain time and place to give testimony on a certain matter

Legal hold

A communication issued because of current or anticipated litigation, audit, government investigation, or other such matters that suspend the normal disposition or processing of records. Legal holds can encompass business procedures affecting active data, including, but not limited to, backup tape recycling. The specific communication to business or IT organizations may also be called a "hold", "preservation order", "suspension order", "freeze notice", "hold order", or "hold notice"

Facility directory

A directory of patients being treated in a healthcare facility

Warrant

A judge's order that authorizes law enforcement to seize evidence and conduct a search

Deposition

A method of gathering information to be used in a litigation process

Privacy officer

A position mandated under the HIPAA Privacy Rule; covered entities must designate an individual to be responsible for developing and implementing privacy policies and procedures

Business records exception

A rule under which a record is determined not to be hearsay if it was made at or near the time by, or from information transmitted by, a person with knowledge; it was kept in the course of a regularly conducted business activity; and it was the regular practice of that business activity to make the record

Subpoena ad testificandum

A subpoena that seeks testimony

Hearsay

A written or oral statement made outside of court that is offered in court as evidence

Subpoena duces tecum

A written order commanding a person to appear, give testimony, and bring all documents, papers, books, and records described in the subpoena. The devices are used to obtain documents during pretrial discovery and to obtain testimony during trial

Sale of information

Addressed specifically by ARRA, which prohibits a covered entity or BA from selling (receiving direct or indirect compensation) in exchange for an individual's PHI without that individual's authorization; the authorization must also state whether the individual permits the recipient of the PHI to further exchange the PHI for compensation

Right of access

Allows an individual to inspect and obtain a copy of his or her own PHI contained within a designated record set, such as a health record

Federal Trade Commission (FTC)

An independent federal agency tasked with dealing with two areas of economics in the United States: consumer protection and issues having to do with competition in business

Right to request restrictions of PHI

An individual can request that a covered entity restrict the uses and disclosures of PHI to carry out treatment, payment, or healthcare operations

Right to request accounting of disclosures

An individual has the right to receive an accounting of certain disclosures made by a covered entity

Court Order

An official direction issued by a court judge and requiring or forbidding specific parties to perform specific actions

Covered entity (CE)

As amended by HITECH, (1) a health plan, (2) a health care clearinghouse, (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this sub-chapter (45 CFR 160.103 2013)

Business associate agreement (BAA)

As amended by HITECH, a contract between the covered entity and a business associate must establish the permitted and required uses and disclosures of protected health information by the business associate and provides specific content requirements of the agreement. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of HIPAA, and requires termination of the contract if the covered entity or business associate is aware of noncompliant activities of the other (45 CFR 164.504 2013)

Breach notification

As amended by HITECH, a covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach (45 CFR 164.404 2013)

Notice of privacy practices

As amended by HITECH, a statement (mandated by the HIPAA Privacy Rule) issued by a healthcare organization that informs individuals of the uses and disclosures of patient-identifiable health information that may be made by the organization, as well as the individual's rights and the organization's legal duties with respect to that information (45 CFR 164.520 2013)

Administrative simplification

As amended by HITECH, authorizes HHS to: (1) adopt standards for transactions and code sets that are used to exchange health data; (2) adopt standard identifiers for health plans, health care providers, employers, and individuals for use on standard transactions; and (3) adopt standards to protect the security and privacy of personally identifiable health information (45 CFR Parts 160, 162, and 164 2013)

Workforce

As amended by HITECH, employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate

Protected health information (PHI)

As amended by HITECH, individually identifiable health information: (1) Except as provided in paragraph (2) of this definition, that is: (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or medium. (2) Protected health information excludes individually identifiable health information (i) in education records covered by the Family Educational Rights and Privacy Act, as amended 20 USC 1232g; (ii) in records described at 20 USC 1232g(a)(4)(B)(iv); (iii) in employment records held by a covered entity in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years (45 CFR 160.103 2013)

Individually identifiable health information

As amended by HITECH, information that is a subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual (45 CFR 160.103 2013)

Marketing

As amended by HITECH, means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, or where the covered entity receives financial remuneration in exchange for making communication (45 CFR 164.501 2013)

Disclosure

As amended by HITECH, the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information (45 CFR 160.103 2013)

Use

As amended by HITECH, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information (45 CFR 160.103 2013)

Designated record set (DRS)

As amended by HITECH: (1) A group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals (2) For purposes of this paragraph, the term means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity (45 CFR 164.501 2013)

Red Flags Rule

Consists of five categories of red flags that are used as triggers to alert the organization to potential identity theft; the categories are: (1) alerts, notifications, or warnings from a consumer reporting agency; (2) suspicious documents; (3) suspicious personally identifying information, such as a suspicious address; (4) unusual use of, or suspicious activity relating to, a covered account; (5) notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with an account

Metadata

Descriptive data that characterize other data to create a clearer understanding of their meaning and to achieve greater reliability and quality of information. Metadata consist of both indexing terms and attributes. Data about data: for example, creation date, date sent, date received, last access date, last modification date

Interrogatories

Discovery devices consisting of a set of written questions given to a party, witness, or other person who has information needed in a legal case

Clinical Laboratory Improvement Amendments (CLIA) of 1988

Established quality standards for all laboratory testing to ensure the accuracy, reliability, and timeliness of patient test results regardless of where the test is performed (Public Law 90-174 1967)

Right to request confidential communications

Healthcare providers and health plans must give individuals the opportunity to request that communications of PHI be routed to an alternative location or by an alternative method

Preemption

In law, the principle that a statute at one level supersedes or is applied over the same or similar statute at a lower level (for example, the federal HIPAA privacy provisions trump the same or similar state law except when state law is more stringent)

Complaint

In litigation, a written legal statement from a plaintiff that initiates a civil lawsuit

Fundraising

In these activities that benefit the covered entity, the covered entity may use or disclose to a BA or an institutionally related foundation, without authorization, demographic information and dates of healthcare provided to an individual

Deidentified information

Information where personal characteristics have been stripped from it in such a way that it cannot be later constituted or combined to re-identify an individual; it is commonly used in research

Fair and Accurate Credit Transactions Act

Law passed in 2003 that contains provisions and requirements to reduce identity theft (Public Law 108-159 2003)

Health Information Technology for Economic and Clinical Health Act (HITECH)

Legislation created to promote the adoption and meaningful use of health information technology in the United States. Subtitle D of the Act provides for additional privacy and security requirements that will develop and support electronic health information, facilitate information exchange, and strengthen monetary penalties. Signed into law on February 17, 2009, as part of ARRA (Public Law 111-5 2009)

Right to request amendment

One may request that a covered entity amend PHI or a record about the individual in a designated record set

Personal representative

Person with legal authority to act on a patient's behalf

E-discovery

Refers to amendments to the Federal Rules of Civil Procedure and Uniform Rules Relating to Discovery of Electronically Stored Information, under which audit trails, the source code of the program, metadata, and any other electronic information that is not typically considered part of the legal health record is subject to a motion for compulsory discovery

Access report

Report that provides a list of individuals who accessed patient information during a given period

Minimum necessary standard

Requires that uses, disclosures, and requests must be limited to only the amount needed to accomplish an intended purpose

Federal Rules of Evidence (FRE)

Rules established by the US Supreme Court guiding the introduction and use of evidence in federal court proceedings that are an important benchmark for state and other courts. FRE governs what and how electronic records may be used, and the roles of record custodianship

Federal Rules of Civil Procedure (FRCP)

Rules established by the US Supreme Court setting the "rules of the road" and procedures for federal court cases. FRCP include electronic records and continue to be very important as benchmarks in how these records can be used in courts, not only federal, but state and other courts as well

Treatment, payment, and operations (TPO)

The Privacy Rule provides a number of exceptions for PHI that is being used or disclosed for TPO purposes; treatment means providing, coordinating, or managing healthcare or healthcare-related services by one or more healthcare providers; payment includes activities by a health plan to obtain premiums, billing by healthcare providers or health plans to obtain reimbursement, claims management, claims collection, review of the medical necessity of care, and utilization review; the Privacy Rule provides a broad list of activities that are healthcare operations that includes quality assessment and improvement, case management, review of healthcare professionals' qualifications, insurance contracting, legal and auditing functions, and general business management functions such as providing customer service and conducting due diligence

Spoliation

The act of destroying, changing, or hiding evidence intentionally

Department of Health and Human Services (HHS)

The cabinet-level federal agency, and principal agency for protecting the health of all Americans and providing essential human services, especially for those who are least able to help themselves

Admissibility

The condition of being admitted into evidence in a court of law

Health Insurance Portability and Accountability Act (HIPAA)

The federal legislation enacted to provide continuity of health coverage, control fraud and abuse in healthcare, reduce healthcare costs, and guarantee the security and privacy of health information; limits exclusion for pre-existing medical conditions, prohibits discrimination against employees and dependents based on health status, guarantees availability of health insurance to small employers, and guarantees renewability of insurance to all employees regardless of size; requires covered entities (most healthcare providers and organizations) to transmit healthcare claims in a specific format and to develop, implement, and comply with the standards of the Privacy Rule and the Security Rule; and mandates that covered entities apply for and utilize national identifiers in HIPAA transactions (Public Law 104-191 1996)

Privacy Rule

The federal regulations created to implement the privacy requirements of the simplification subtitle of the Health Insurance Portability and Accountability Act of 1996; effective in 2002; afforded patients certain rights to and about their protected health information

Medical identity theft

The fraudulent use of an individual's identifying information in a healthcare setting

Individual

The person who is the subject of the protected health information

Discovery

The pretrial stage in the litigation process during which both parties to a suit use various strategies to identify information about the case, the primary focus of which is to determine the strength of the opposing party's case

Office of the National Coordinator for Health Information Technology (ONC)

The principal federal entity charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information. The position of National Coordinator was created in 2004, through an Executive Order, and legislatively mandated in the HITECH Act of 2009

Release of information (ROI)

The process of disclosing patient-identifiable information from the health record to another party

American Recovery and Reinvestment Act (ARRA)

The purposes of this act include the following: (1) To preserve and create jobs and promote economic recovery. (2) To assist those most impacted by the recession. (3) To provide investments needed to increase economic efficiency by spurring technological advances in science and health. (4) To invest in transportation, environmental protection, and other infrastructure that will provide long-term economic benefits. (5) To stabilize state and local government budgets, in order to minimize and avoid reductions in essential services and counterproductive state and local tax increases

Privacy

The quality or state of being hidden from, or undisturbed by, the observation or activities of other persons, or freedom from unauthorized intrusion; in healthcare-related contexts, the right of a patient to control disclosure of protected health information

Breach

Under HITECH, the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part that compromises the security or privacy of the protected health information (45 CFR 164.402 2013)
