HIPAA


HIPAA: When referring to 8. Health care operations

Quality assessment or improvement activities, Case management, Care coordination, Medical reviews, Audits, Credentialing, Risk rating, Accreditation, Legal services (insurance fraud and abuse detection)

Basic Principle -

To limit the circumstances in which the protected health information may be used or disclosed by a covered entity

The provisions of health care to the individual

What tests are or will be done, Who is attending to them, Discharge status, Admission status, Work status (workers' comp)

A covered entity may not use or disclose PHI unless

1. As the privacy rule permits
2. Authorized in writing by the individual
3. When required by law

Health Care Provider

Anyone who transmits health information in connection with: Benefits, Claims, Eligibility inquiries, Referrals or authorizations (In short, any person or organization that furnishes, bills, or is paid for health care)

HIPAA: When referring to 1. HHS or DHS

Department of Health and Human Services

HIPAA: When referring to 5. Disclosure

The action of making information known

HIPAA: When referring to 2. PHI

Protected Health Information

HIPAA: When referring to 6. Treatment

Provision, management, or coordination of health care

Patients' rights under HIPAA:

- Request a restriction on further uses and disclosures of their PHI
- Request communication by alternate means or at an alternate address
- Request access, inspect, or get a copy of their medical record
- Request an amendment (correction) to their PHI
- Request an account of certain disclosures

Limited data sets: research, public health, health care operations.

- Specific data where information about the patient's relatives, household members, or employers has been removed.

Who is required to follow or is subject to "The Privacy Rule"

1. Health plans
2. Health care providers
3. Health care clearinghouses

Examples requiring written authorization:

1. Life insurance coverage
2. Pre-employment physical
3. Lab tests
4. Pharmaceutical firms
5. Marketing
6. Psychotherapy notes

Public interest and Benefit Activity: The privacy rule permits the use and disclosure of PHI for 12 national priority purposes:

1. Required by law (state or federal)
2. Public health activities (flu, measles outbreak)
3. Victims of abuse, neglect, or domestic violence
4. Health oversight activities (audits, investigations)
5. Judicial and administrative activities (subpoena, protective order)
6. Law enforcement purposes (identify, locate a suspect or fugitive; victim of a crime)
7. Decedents (deaths, coroner or medical examiner's office)
8. Cadaveric, eye, tissue donation
9. Research
10. Serious threat to health or safety (Ebola, contagion outbreak)
11. Essential government function (intelligence, national security)
12. Workers' compensation

Permitted uses and disclosures: a covered entity is permitted, but not required, to disclose PHI without authorization:

1. To the individual
2. Treatment, payment, health care operations
3. Opportunity to agree or object
4. Incident to an otherwise permitted use or disclosure
5. Public interest and Benefit Activity
6. Limited data sets: research, public health

Any individually identifiable health information (PHI). This includes demographic information that relates to or such as:

1. The individual's past, present, or future physical or mental health or condition
2. The provisions of health care to the individual
3. The past, present, or future payment provisions of health care to the individual

Treatment, payment, health care operations:

A covered entity may use and disclose PHI for its own treatment, payment, and health care operation activities.

Penalties continued: Criminal Penalties (OCR Privacy Rule Summary)

A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Criminal sanctions will be enforced by the Department of Justice.

HIPAA: When referring to 7. Payment

Activities that include:
- Furnish or obtain reimbursement
- Provider obtaining payment or reimbursement for services provided
- Obtain premiums
- Furnishing or obtaining reimbursement for care provided

Authorized uses and disclosures:

An entity must obtain the patient's written authorization for any use or disclosure that is NOT for treatment, payment, or health care operations.

Health Care Clearinghouses

An entity that processes information from a non-standard format to a standard format or vice versa. This includes:
- Billing services
- Pricing or re-pricing companies
- Community health management information systems (CDC)

Incident to an otherwise permitted use or disclosure:

The best example of this is when a provider is speaking to a patient in a shared room or a room that is only divided by a curtain. The information must be limited to the "minimum necessary".

Opportunity to agree or object: Informal permission

Either by asking the patient outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. Also, in an emergency situation, or where the person is incapacitated or not available. This includes participating in patient directory and disclosing information to relatives, friends, and family of the patient.

Penalties for not complying with HIPAA: Civil Money Penalties (OCR Privacy Rule Summary)

HHS may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement. That penalty may not exceed $25,000 per year for multiple violations of the identical Privacy Rule requirement in a calendar year. HHS may not impose a civil money penalty under specific circumstances, such as when a violation is due to reasonable cause and did not involve willful neglect and the covered entity corrected the violation within 30 days of when it knew or should have known of the violation.

HIPAA=

Health Insurance Portability and Accountability Act of 1996

The past, present, or future payment provisions of health care to the individual

Insurance information, Employment, Bank information, Medical history, Referrals, Home health, Future medical (work comp)

The individual's past, present, or future physical or mental health or condition

Name, Address, Birth date, Social security number, Reason they are being treated, Treatment status, Diagnosis, Prognosis

De-identified Health Information

Note: There is no restriction on the use or disclosure of de-identified health information. De-identified health information is information that neither identifies nor provides a reasonable basis to identify an individual:
- No name
- No date of birth
- No address
- No relatives'/household members' information

The Individual

The entity may disclose PHI to the individual who is the subject of the information - unless required for access, or accounting

What is protected health information?

This is information in any format. Spoken Paper Telephone Electronic Mail Fax

Health Plans defined as

An individual or group who pays the cost of medical care. That includes: Dental, Vision, Prescription drug insurers, HMO/PPO, Medicaid/Medicare

"Minimum Necessary"

means only accessing or disclosing the PHI necessary to do your job.
- A covered entity must develop policies and procedures that reasonably limit its disclosures of and requests for PHI to the minimum necessary
- A covered entity is not required to apply the "minimum necessary" rule for disclosures to, or requests by, a health care provider for treatment purposes

HIPAA: When referring to 3. Privacy Rules

refers to HIPAA

HIPAA: When referring to 4. Covered Entities

refers to organizations subject to the privacy rule; abide by HIPAA

