Ehr ch 9 the hippa privacy rule
HIT FOR ECONOMIC AND CLINICAL HEALTH ACT (HITECH)
Federal legislation that was passed a a portion of the American Recovery and Reinvestment Act; contains changes to the HIPAA Privacy Rule
USE
HIPAA definition with respect to individually identifiable health info, the sharing, employment, application, utilization, examination, or analysis of such info within an entity that maintains such info.
PRIVACY RULE
HIPPA ACT OF 1996
DEIDENTIFIED INFORMATION
Information from which personal characteristics have been stripped and that, as a result, neither identifies nor provides a reasonable basis to believe it could identify an individual.
Fundraising activities that target individuals based on diagnosis require prior authorization
True
CENTER FOR DEMOCRACY & TECHNOLOGY
A nonprofit public interest organization that promotes privacy in communications technologies; it houses the Health Privacy Project
AMERICAN RECOVERY AND REINVESTMENT ACT (ARRA)
Federal legislation that included significant funding for HIT and provided for significant changes to the HIPAA Privacy Rule.
AUTHORIZATION
A patient's permission to disclose PHI; the form or detailed document that gives covered entities permission to use PHI for specific purposes, generally other than for treatment, payment, or HC operations, or to disclose PHI to a third party specified by the individual.
HEALTH PRIVACY PROJECT
A nonprofit organization whose mission is to raise public awareness of the importance of ensuring health privacy in order to improve healthcare access and quality.
1. Know precautions related to the use of Chlorhexidine. 2. Know what potassium is essential to. 3. Which B vitamin is associated with a toxicity when given in excessive doses? 4. Supplementing with vitamin K may be necessary for what condition? 5. What is the required treatment for inhalation of a poisoning? 6. A syringe marked with U-100 indicates what type of syringe? 7. Know what to do with taking care of a snakebite. 8. In addition to bight blindness, vitamin A deficiencies may also be observed in another condition (know the condition). 9. Know the functions of iron (Fe) in the body. 10. What precautions should be taken elated to the use of Accutane?
...
CONSENT
1. A patient's acknowledgment that they understand a proposed intervention, including that interventions's risks, benefits, and alternatives; 2. A patient's agreement that PHI can be disclosed; the document that provides a record of the patient's consent.
INSTITUTIONAL REVIEW BOARD (IRB)
A committee of at least five members with varying backgrounds that determines the acceptability of proposed human subjects research in accordance with institutional policies, applicable law, and standards of professional practice and conduct.
FACILITY DIRECTOR
A directory of patients being treated in a HC facility.
PRIVACY BOARD
A group formed by HIPAA-covered entity to review research studies in which authorization waivers are requested and to ensure the HIPAA privacy rights of research subjects
DESIGNATED RECORED SET (DRS)
A group of records maintained by or for a covered entity encompassing medical records and billing records about individuals and enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan used, in whole or in part, by or for the covered entity to make decisions about individuals
FREEDOM OF INFORMATION ACT OF 1967 (FOIA)
A law covering the right of disclosure to and access by the public regarding federal agency records.
CLINICAL LABORATORY IMPROVEMENT ACT (CLIA)
A law that provides that clinical laboratories are to disclose test results or reports only to "authorized persons" - unless state law defines them otherwise, defined by the law as the person who orders the test.
PRIVACY ACT OF 1974
A law that requires federal agencies to safeguard personally identifiable records and provides individuals with certain privacy rights
PREEMPTION
A legal doctrine that requires a covered entity to comply with federal law when federal and state law conflict (that is, federal law preempts contrary state law).
ACCOUNTING OF DISCLOSURES
A list of all disclosures made of a patient's HI; Section 164.528 of the Privacy Rule states that an individual has the right to receive an accounting of certain disclosures made by a covered entity within the six years prior to the date on which the accounting was requested.
BUSINESS ASSOCIATE (BA)
A person or organization other than a member of a covered entity's workforce that performs functions or activities on behalf of or affecting a covered entity that involve the use or disclosure of individually identifiable HI
PERSONAL REPRESENTATIVE
A person with legal authority to act on behalf of another individual and is treated the same as the individual regarding the use and disclosure of the individual's PHI
PRIVACY OFFICER
A position mandated under the HIPAA Privacy Rule - covered entities must designate an individual to be responsible for developing and implementing privacy policies and procedures.
ENFORCEMENT RULE
A rule that created standardized procedures and substantive requirements for investigating complaints and imposing civil monetary penalties for HIPAA violations, as well as a uniform compliance and enforcement mechanism that addresses all of the Administrative Simplification regs, including privacy, security, and transactions and code sets.
NOTICE OF PRIVACY PRACTICES (NPP)
A statement (mandated by the HIPAA Privacy Rule) issued by a healthcare organization that informs individuals of the uses and disclosures of patient-identifiable health info that may be made by the organization, as well as the individual's rights and the organization's legal duties with respect to that info
BELMONT REPORT
A statement of ethical principles to prevent the un ethical use of human subjects in research, sponsered by the Dept. of HHS
PROTECTED HEALTH INFORMATION (PHI)
A term defined in the HIPAA Pivacy Rule as "individually identifiable health info that is transmitted by electronic media, maintained in electronic medium, or transmitted or maintained in any other form or medium."
BUSINESS ASSOCIATE AGREEMENT (BAA)
A written and signed contract that allows covered entities to lawfully disclose PHI to business associates such as consultants, billing companies, accounting firms, or others that perform services for the provider, provided that the business associate agrees to abide by the provider's requirements to protect the information's security and confidentiality.
INDIVIDUAL
According to the HIPAA Privacy Rule, a person who is the subject of PHI
BREACH OF NOTIFICATION
An ARRA requirement that mandates the notification of individuals following the unauthorized use or disclosure of their PHI, as the information's security or privacy may be compromised.
NATIONAL RESEARCH ACT OF 1974
An act that required the Dept. of Health, Education, and Welfare (now the Dept. of HHS) to codify its policy for the protection human subjects into federal regs and created a commission that generated the Belmont Report.
ORGANIZED HEALTHCARE ARRANGEMENT (OHCA)
An agreement characterized by two or more covered entities that share PHI to manage and benefit their common enterprise and are recognized by the public as a single entity (HHS 2003)
STAND-ALONE AUTHORIZATION
An authorization for the use or disclosure of one's protected health info that is separate from an informed consent for treatment or participation in a research study.
COMPOUND AUTHORIZATION
An authorization that combines informed consent with an authorization for the use and/or disclosure of PHI
HYBRID ENTITY
An entity that performs both covered and non-covered functions under the Privacy Rule; for example, a university that educates students and maintains student educational records is not covered by the Privacy Rule. However the same university that operates a medical enter is covered by the Privacy Rule, as it meets the definition of "healthcare provider."
CONFIDENTIAL COMMUNICATIONS
As defined by HIPAA, a request that PHI be routed to a alternative location or by an alternative method; must be honored by health plans under HIPAA.
UNCONDITIONED AUTHORIZATION
Authorization is not required in order to receive treatment or some other service or benefit.
PSYCHOTHERAPY NOTES
Behavioral notes recorded by a mental health professional that document the content and impressions of conversations that are part of private counseling sessions; they are not part of the health record and do not contain info such as diagnosis, prescriptions, treatment modalities and test results
TREATMENT, PAYMENT AND HEALTHCARE OPERATIONS (TPO)
Collectively, these three actions are functions of a covered entity that are necessary for the covered entity to successfully conduct business; thus, many of the Privacy Rule's requirements are relaxed or removed where PHI is needed for purposes of treatment, payment, or healthcare operations.
REDISCLOSURE
Disclosure by a healthcare organization of info that was created by and received from another entity.
A BA is anyone who might have access to a CE's PHI
False
A CE needs only consider its employees when evaluating HIPAA compliance within the organization
False
A hospital employee's pre-employment physical examination is in his personnel file in Human Resources; this report is PHI
False
All the activities that meet the HIPAA definition of marketing must receive prior written authorization from the individual
False
An individual has the right of access to her psychotherapy notes
False
Complaints about alleged Privacy Rule violations must be submitted to the covered entity
False
De-identified info receives Privacy Rule protection
False
Enforcement of the Privacy Rule will continue to operate exclusively on a complaint-based system
False
In order to simplify processes, individuals may be required to waive their rights under the Privacy Rule to obtain treatment or benefits eligibility
False
The FOIA was enacted to address the privacy of health info
False
The HIPPA consent explains an individual's rights and theCE's legal duties with respect to PHI
False
The minimum necessary principle applies to disclosures made for TPO purposes
False
The threshold for required media notification in the event of a privacy breach is 300 affected individuals
False
Under no circumstances should health records from other facilities be made part of a organizations DRS
False
AFFILIATED COVERED ENTITIES
Legally separate covered entities, affiliated by common ownership or control; for purposes of the Privacy Rule, these legally separate entities may refer to themselves as a single covered entity.
FUNDRAISING
Money-generating activities that benefit a HIPAA-covered entity and are subject to the HIPAA Privacy Rule.
ACCESS
One of the rights protected by the Privacy Rule, the right of access allows an individual to inspect and obtain a copy of their own PHI that is contained in a designated record set; also an information security term that refers to the ability to enter an electronic system and make use of the data within it.
LIMITED DATA SET
PHI that excludes direct identifiers of the individual and the individual's relatives, employers, or household members but still does not de-identify the info.
COVERED ENTITIES (CE)
Persons or organizations that must comply with the HIPAA Privacy and Security Rules; include HC providers, health plans, and HC clearinghouses.
ACCESS REPORT
Proposed by the Dept. of HHS in May 31, 2011, Notice of Proposed Rulemaking, it would allow individuals (upon request) to receive a listing from covered entities with EHRs of every person who viewed the individual's designated record set during the previous three years.
MITIGATION
Required by the Privacy Rule, the lessening as much as possible of harmful effects that result from the wrongful use and disclosure of PHI; possible courses of action may include an apology, disciplinary action against the responsible employee(s), repair of the process that resulted in the breach, payment of a bill or financial loss that resulted from the infraction, or gestures of goodwill and good public relations that may assuage the individual.
CONDITIONED AUTHORIZATION
Requires authorization in order to receive treatment or some other service or benefit.
RETALIATION AND WAIVER
Rights protected under the Privacy Rule. To ensure the integrity of individual's rights to complain about alleged Privacy Rule violations, covered entities are expressly prohibited from retaliating against anyone who exercises their under the Privacy Rule, assists in an investigation by the Dept. of HHS or other appropriate investigative authority, or opposes as act or practice that they believe is a violation of the Privacy Rule; individuals cannot be required to waived the rights that they hold under the Privacy Rule in order to obtain treatment, payment, or eligibility for enrollment or benefits.
DISCLOSURE
The act of making info known; the release of confidential HI about an identifiable person to another person or entity; release, transfer, provision of access to, or divulging in any other manner of info outside he entity holding the info.
ADMINISTRATIVE SIMPLIFICATION
The original intent of HIPAA - the streamlining and standardiation of the HC industry's non-uniform and seemingly inefficient business practices, such as billing and creating standards for the electronic transmission of data.
AMENDMENT REQUEST
The right of individuals to ask that a covered entity amend their HRs as provided in Section 164.526 of the Privacy Rule.
CONDITIONS OF PARTICIPATION
The standards that govern providers receiving Medicare and Medicaid reimbursements.
A conditioned authorization may be allowed by ARRA in certain situations
True
A university with a medical center is a hybrid entity under the Privacy Rule
True
Although an individual must verbally agree to be included in a facility directory, written authorization is not required
True
Breach notification is one type of mitigation under the Privacy Rule
True
By definition, a DRS includes billing records.
True
Drug an alcohol abuse treatment records have received protection under federal law
True
In part, info must be individually identifiable to meet the definition of PHI
True
Incidental disclosures do not require an individual's written authorization
True
One of the 12 public interest and benefit exceptions to the authorization requirements is disclosure to organ procurement agencies.
True
Per HITECH, an accounting of disclosures will be required in the future for TPO disclosures made by covered entities with EHRs
True
Per the HIPAA Privacy Rule, patient authorization is required for the use or disclosure of PHI unless it meets an exception whereby authorization is not required.
True
Some of the Privacy Rule's requirements are relaxed or removed where PHI is needed for purposes of TPO
True
The Conditions of Participation regulate only providers who receive funds from Medicare and Medicaid programs
True
The HITECH Act has strengthened BA requirements regarding compliance with the Privacy Rule
True
The HITECH Act of ARRA of 2009 made significant changes to the HIPAA Privacy Rule
True
The Privacy Rule resides in the adminstration simplification provision of Title II of HIPAA
True
The breach notification requirement is new under HITECH
True
The privacy Rule provides a floor, or minimum, of privacy requirements
True
Under HITECH, state attorneys general may bring civil actions in federal district court on behalf of residents believed to have been negatively affected by a HIPAA violation
True
Under thePrivacy Rule, a personal rep must be treated the same as the individual regarding the use and disclosure of the individual's PHI
True
WORKFORCE
Under the HIPAA Privacy Rule, employees, volunteers, trainees, and other persons, whether paid or not, who work for and are under the direct control of the covered entity.
REQUEST RESTRICTIONS
Under the Privacy Rule, the right of an individual to request that a covered entity limit the uses and disclosures of PHI to carry out treatment, payment, or healthcare operations
REQUESTS
Ways in which access, use, and disclosure of patient info are made, which may include mail, telephone, physical presence of the requester, fax or email
