HIPAA and FERPA


What are the three main rules that outline HIPAA's implementation requirements?

1. The Privacy Rule - focuses on when and to whom confidential patient information can be disclosed
2. The Transaction Rule - addresses technical aspects of the electronic health care transaction process and requires the use of standardized formats whenever health care transactions, such as claims, are sent or received electronically
3. The Security Rule - seeks to assure the security of confidential electronic patient information.
This is an EXTREMELY helpful document that is reader friendly and can give you more background on HIPAA and how it was designed: http://www.apapracticecentral.org/business/hipaa/security-rule.pdf

Under Evidence Code § 1014 and subject to section 912, which 3 groups/individuals have the privilege to refuse to disclose confidential communications that take place between psychotherapist and client?

1. The client
2. A person who is legally authorized to hold this privilege (e.g. a conservator or legal guardian)
3. The psychotherapist at the time of the communication. This psychotherapist may not claim this privilege if he or she has been instructed not to by the person authorized to permit such disclosure (e.g. the individuals that are identified in #1 and #2 above)

Name the four individuals who can/must sign a release of information (ROI) for it to be valid and information to be shared?

1. The patient
2. The legal representative of the patient if the patient is deemed incompetent or if the patient is a minor
3. The spouse of the patient or the person who is financially responsible for the patient's care. The ROI can be signed by these individuals for the SOLE PURPOSE of processing an application for health insurance, enrolling in a hospital program, or for the planning of employment health benefits
4. The beneficiary or personal representative of the patient if the patient is deceased

If a patient asks to inspect a copy of his/her records, the psychologist is obligated to fulfill this request within how many days?
A. 7-10 days
B. 14-21 days
C. 30 days or less

30 days or less. Ideally as soon as possible.

To what agencies/institutions do the FERPA rules apply?

All educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. E.g. virtually all public schools/school districts, most private and public postsecondary institutions. OF NOTE: Private and religious schools at the elementary and secondary level generally do not receive funds from the Department of Education, so they are not subject to FERPA

If you discover that there has been a breach of patient Protected Health Information (PHI), you must notify the patient of this breach as soon as possible or within ____ days.
A. 1 day/24 hours
B. 3 days
C. 7 days (one week)
D. 30 days (roughly a month after)
E. 60 days (roughly two months after)

E. 60 Days

True or false, under the Privacy Rule, patients have the right to inspect/obtain a copy of their psychotherapy notes?

False. Patients do not have this right. These notes are for the therapist only and are used to help guide their work with the client.

In MOST CASES, does the HIPAA Privacy Rule apply to elementary or secondary school student records?

Generally no. Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage. A more detailed description of the interactions between HIPAA, FERPA, and the disclosure of student PHI can be found in 45 Code of Federal Regulations § 160.103

In what form(s) can Protected Health Information (PHI) be transmitted?

PHI can be transmitted:
1. Electronically
2. On paper/written
3. Orally

Put most simply, what is considered Protected Health Information (PHI)?

PHI is individually identifiable health information that includes common identifiers such as name, address, social security number, date of birth, or any other information that can be used to identify the individual

The Privacy Rule is a federal regulation under the HIPAA statute that sets up minimum standards for how/in what ways a psychologist (or health care provider) can disclose patient information to third parties. The Privacy Rule gives the patients these three rights:

The rights to:
1. Receive notice from his/her psychologist about how and when they will disclose their information
2. Have access to their health information
3. Amend their records

A provider of health care, a health care service plan, or a contractor shall disclose medical information if the disclosure is compelled by any of the following 9 parties:

1. By a court pursuant to an order of that court
2. By a board, commission, or administrative agency for the purposes of adjudication pursuant to its lawful duty
3. In cases where there is a subpoena
4. By a board, commission, or administrative agency in cases where there is a subpoena
5. By an arbitrator or arbitration panel, when arbitration is lawfully requested by either party, pursuant to a subpoena
6. By a lawfully issued search warrant
7. By a patient or patient's representative
8. By a coroner under specific circumstances/when specific criteria have been met
9. When otherwise specified by the law

If it is an emergency, or if disclosure of information from a student's education records or treatment records is necessary to protect the health or safety of the student or other individuals, FERPA permits a post-secondary institution to provide this type of information to which three parties?

1. Law enforcement officials
2. The student's parents (surprising....) - there are exceptions to this rule...if you are curious, go to https://www2.ed.gov/policy/gen/guid/fpco/ferpa/safeschools/index.html?exp=6
3. Others (think Tarasoff)

Not all research organizations/entities who work with clients are subject to the Privacy Rule. When and under what circumstances is a researcher/research organization subject to the Privacy Rule?

A researcher/research organization is subject to the Privacy Rule when he/she/the organization in question furnishes health care services to individuals, including research participants, and transmits any health information in electronic form in connection with a transaction covered by the Transactions Rule.
If you want to know more about the Transactions Rule, I would recommend going to the page below. It was an easy-to-read document and I think it will come in handy for the prelim/in general: http://www.apapracticecentral.org/business/hipaa/security-rule.pdf

At the elementary and secondary level, what information (although not directly related to classroom learning) is considered "education records"?

A student's health records, including immunization records, maintained by an educational agency or institution subject to FERPA, as well as records maintained by a school nurse, are "education records" subject to FERPA. See 34 CFR § 99.3

When you discover that there has been a breach of a patient's PHI, you must inform the patient of this discovery. In informing the patient, you must include all of the following EXCEPT:
A. A brief description of the breach, including dates
B. A description of types of unsecured PHI involved
C. Whether or not the PHI was encrypted (in cases where the PHI was stolen off of an electronic device)
D. The steps the patient should take to protect against potential harm
E. A brief description of steps you have taken to investigate the incident, mitigate harm, and protect against further breaches
F. Your contact information

C. Whether or not the PHI was encrypted (in cases where the PHI was stolen off of an electronic device)

Psychologists can both knowingly and unknowingly violate HIPAA rules. In cases where a psychologist willfully neglects (e.g. knows that he/she is either not following the HIPAA rules or does not take the appropriate steps to amend a HIPAA violation that has occurred) his or her duty to comply with HIPAA rules, what is the minimum penalty in fines that the U.S. Department of Health and Human Services will require a psychologist to pay?
A. 1,000 - 10,000
B. 15,000 - 25,000
C. 30,000 - 45,000
D. 50,000 or more

D. 50,000 or more.
In cases where the HIPAA violation affects multiple patients, the HHS is within their rights to count each patient as a separate violation. This is a helpful website if you want to know more about patient privacy and practitioner rights: http://www.apapracticecentral.org/update/2013/07-25/secure/hipaa-final-rule.pdf?ERIGHTS=TTZXEpLSEK4kWYdA5D1RQu19U0IlDZs5-18x2da40wvKT59B7soix2BefrHXeAx3Dx3D3sR3sExxPJ1XrGzj8MdS6Dwx3Dx3D-PiD7x2FzPQi2yPHW5WcD6o4Ax3Dx3D-Ex2BNHLlRwhe5Fx2BpGouiH67wx3Dx3D&ERSESSION=TTZXEpLSEK4kWYdA5D1RQu19U0IlDZs5-18x2da40wvKT59B7soix2BefrHXeAx3Dx3D3sR3sExxPJ1XrGzj8MdS6Dwx3Dx3D-PiD7x2FzPQi2yPHW5WcD6o4Ax3Dx3D-Ex2BNHLlRwhe5Fx2BpGouiH67wx3Dx3D

What is the primary purpose of the Family Educational Rights and Privacy Act (FERPA)?

Put most simply, FERPA is a Federal law that protects the privacy of students' "education records."

What was the purpose of establishing the Health Information Technology for Economic and Clinical Health [HITECH] Act of 2009?

The HITECH Act imposes data breach notification requirements for unauthorized uses and disclosures of "unsecured PHI." This was in response to the lax stance that many professionals had taken around the breach of PHI.
This is a really difficult piece of legislation to read. I myself had a hard time understanding it all. I recommend going to the web page below for more information on the HITECH Act and how it is applied: http://www.hipaasurvivalguide.com/hitech-act-summary.php

True or False: For the purpose of diagnosis or treatment of the patient, patient information may be communicated to EMS/emergency personnel via radio transmission or other means in emergency situations

True

True or False: Per § 1027 of the California Board of Psychology Laws and Regulations, even under circumstances where the minor holds "patient privileges," if a psychologist believes that the patient in question has been a victim of a crime and that disclosure of confidential information will be in the best interest of the child, he/she has the right to disclose this information without the patient's consent:

True. Evidence Code § 1027 states that the patient does not have privileges if they are either under the age of 16 or the therapist in question believes that the disclosure of the information/communication will be in the best interest of the child.

True or False: When a school provides health care to students in the normal course of business, such as through its health clinic, it is also a "health care provider" and is subject to the rules and regulations as defined by HIPAA

True. As a covered entity, the school must comply with the HIPAA Administrative Simplification Rules for Transactions and Code Sets and Identifiers with respect to its transactions.
If you want to learn more about this, 45 CFR § 160.103 has a more detailed description of the interactions between HIPAA and FERPA in the education setting. Another really good resource to learn more about these interactions is: https://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf I found it super helpful!

True or False? Records that schools maintain on special education students, including records on services provided to students under the Individuals with Disabilities Education Act (IDEA) are subject to FERPA

True. Records that schools maintain on special education students/records on services provided to students under the Individuals with Disabilities Education Act (IDEA), are considered "education records" because these records are (1) Directly related to a student (2) Maintained by the school or a party acting for the school (3) Not excluded from the definition of "education records."

True or False: The Privacy Rule under the HIPAA statute does not mandate what you must put in your patient records or require you to keep psychotherapy notes

True. The Privacy Rule under the HIPAA statute does not mandate what you must put in your patient records or require you to keep psychotherapy notes. Psychotherapy notes are separated from the rest of the patient's medical record and serve as the therapist's private notes for his or her own use. As such, third party payers and other health care professionals should not/do not need them.

