HIPAA Module 2
training
a requirement of workforce members as outlined by the framers of HIPAA
minimum necessary
a requirement under HIPAA that allows workforce members to access only the PHI needed to perform their jobs
zero tolerance
a type of policy implemented by many organizations, which forbids workforce members from accessing their own health records
The third most frequently reported Privacy Rule complaint is lack of patient ___ to PHI.
access
Records not returned to the medical records area at the end of the day should be ___ for.
accounted
flash drive
an electronic storage device, often used to store PHI
Privacy Rule violations can result in ___ actions.
civil and criminal
Most Privacy Rule violations related to the lack of safeguards could have been prevented with the use of ___.
common sense
When sending a fax transmission, be sure to use a ___ stating that the material to follow is confidential information.
cover page
incidental
disclosure of PHI that could not have reasonably been prevented
When confirming the identity of a telephone caller, ___ all the attempts taken to safeguard patient privacy.
document
The August 31, 2005 OCR report indicated that the most common privacy complaints involve ___ use and disclosure of PHI.
impermissible
Every healthcare organization should keep an ___ of all electronic devices containing PHI that are used by workforce members.
inventory
Contact your ___ for guidelines on discarding old computers.
privacy official
New workforce members must undergo training within a ___ period after being hired.
reasonable
authorization
required before disclosure of any PHI unrelated to TPO
When a workforce member is traveling with a laptop computer containing PHI, it is recommended that the computer be locked in the hotel ___.
safe
The second most frequently reported Privacy Rule complaint is lack of ___ for PHI.
safeguards
The OCR has reported lack of safeguards as the ___ most frequently reported violation of the Privacy Rule.
second
If you are not currently working on a document containing PHI, the document should be ___ placed in a drawer.
securely
privacy official
the co-worker who can provide guidance and assistance in relation to the HIPAA Privacy Rule
Office for Civil Rights
the name of the government agency in charge of enforcing the HIPAA Privacy Rule
Department of Justice
the name of the government agency that receives reports of the most serious violations of the HIPAA Privacy Rule
federal
the type of legislation represented by the HIPAA Privacy Rule
impermissible
the type of use and disclosure most frequently reported as a violation to the Office for Civil Rights
access
the right of individuals to see and receive a copy of their PHI
reasonable
the type of precautions that should be taken to minimize the chance of disclosure to others who may be nearby
T/F An outline of permissible uses and disclosures can be found in the employee handbook.
• False • An outline of permissible uses and disclosures can be found in the Notice of Privacy Practices.
T/F A physician may post the Notice of Privacy Practices in the waiting room and does not need to give it to every patient.
• False • HIPAA requires a covered healthcare provider to give the notice to every individual no later than the date of the first delivery of service and to make a good-faith effort to obtain the individual's written acknowledgment of receipt of the notice. It is not enough to merely post the notice in the waiting room.
From April 2003 through August 31, 2005, the OCR received ___ cases requiring corrective action.
23,805
The OCR began accepting complaints involving the privacy or patient rights on ___.
April 14, 2003
Cases that are advanced from the OCR for further investigation are sent to the ___.
Department of Justice
___ your computer when it will be unattended.
Log off
T/F The physician's office must provide HIPAA Privacy Rule training to technicians who provide repair services to the office's phone system.
• False • Only workforce members of the actual healthcare-related organization are required to have Privacy Rule training. A phone technician is not considered a member of that workforce. Any disclosure of PHI that occurs in the performance of the technician's duties is more than likely limited in nature, occurs as a byproduct of these duties, and cannot reasonably be prevented. Such disclosures are incidental and permitted by the Privacy Rule.
T/F Under HIPAA, physicians' offices are not allowed to use patient sign-in sheets.
• False • Patient sign-in sheets may be used as long as the information being disclosed is appropriately limited and does not include medical information.
T/F All privacy complaints related to impermissible use and disclosure of health information will be considered violations.
• False • The OCR may investigate the complaint and learn that it stems from an incidental disclosure, which is not considered a violation.
T/F The HIPAA Privacy Rule prohibits a physician's office or hospital from communicating with a spouse or guardian regarding payment of a bill.
• False • The Privacy Rule permits the physician's office or hospital to disclose the information necessary to secure payment for health care unless the patient has requested confidential communication.
T/F The Privacy Rule minimum necessary requirements prohibit students from accessing patients' medical information in the course of their training.
• False • The Privacy Rule provides for "training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers."
T/F Impermissible use and disclosure of health information is the same as incidental use and disclosure.
• False • The term incidental refers to use or disclosure that could not reasonably have been prevented. Impermissible refers to those disclosures that could reasonably have been prevented.
T/F Under HIPAA, staff in medical offices need not be concerned with minimum necessary standards when calling a patient's name in the waiting room.
• False • The workforce member should implement reasonable safeguards and the minimum necessary standard when calling a patient from the waiting room.
T/F If a workforce member is unable to determine whether the use or disclosure is related to TPO, he or she should first release the information and then tell the privacy official.
• False • The workforce member should not release the information until after the privacy official has approved its release.
T/F Workforce members may share interesting or funny stories involving patients while on lunch break, as long as they do it in the lunchroom.
• False • Workforce members should avoid any unnecessary discussion of patient information.
T/F Workforce members may allow family members into their work areas when they come to visit.
• False • Workforce members should meet visitors and family members in a common area away from all medical records.
CASE STUDY: Mary, a health plan workforce member assigned to the phone unit, is on the phone, discussing a healthcare claim with a patient, when a second workforce member, Amy, comes into her office. As she waits for Mary to go to lunch with her, Amy—who is not authorized to access patient information—overhears the conversation. Mary, concerned that she may have violated the patient's privacy by allowing Amy to overhear the conversation, reports the incident to the privacy official. As a workforce member, what action could you reasonably have taken to prevent this potential HIPAA violation?
Put the patient on hold and ask the co-worker to wait in an area outside the phone unit.
CASE STUDY: A plastic surgery practice has a digital camera that is used to document the cases of patients treated in the office. After being used during a morning appointment, the camera is left on the nurses station desk, which is in the center of the treatment area. Patients must walk by the nurses station when going to and from exam rooms. Around 4:30 that afternoon, a staff member needs the camera but cannot locate it. The staff searches the office thoroughly but cannot find the camera, which holds photos of several patients. It is assumed that the camera has been taken by a patient or other individual walking by the nurses station, so the practice has no choice but to call the police and report the camera stolen. Fortunately, the practice keeps a log of patients who are photographed with the use of the camera and is able to determine which patients are affected. These patients are called and apprised of the sit
Make it a priority to monitor use of digital cameras and keep them locked in a drawer when they are not in use.
CASE STUDY: A phlebotomist who has been called to the emergency department to take blood from a patient notices that a friend of hers is in the treatment room next to that of the patient she is working with. Out of curiosity the phlebotomist gets on the computer the next day to see why her friend was in the emergency department and to learn whether she was admitted, thinking that she will visit her friend after finishing her shift. A co-worker sees the phlebotomist accessing the friend's records and reports her to the hospital's privacy official. The phlebotomist is suspended without pay for 3 days. What reasonable action(s) on the part of the phlebotomist might have prevented this incident?
Only accessing the medical records that were necessary for her to get the job done.
CASE STUDY: The XYZ Urology Practice places patients' charts in a clear plastic wall bin outside each exam room. The practice does not want to leave records unattended with the patient, but the healthcare providers want the records close by for quick review before they walk into the exam room. A complaint has been filed with the practice's privacy official because a copier technician who was working in the office that day noticed a neighbor's name on a chart in the plastic wall bin and then called the neighbor that evening to find out why the neighbor had been to the doctor's office. As a workforce member, what action could you have reasonably taken to have prevented this potential HIPAA violation?
Place the patient's chart in the plastic box with the front cover facing the wall instead of having it visible to anyone who walks by.
CASE STUDY: A physician assistant sees a patient and leaves the exam room to return to his office. A little later, the physician assistant goes to retrieve his dictation recorder from the back medicine counter, where he thinks he left it but cannot find it anywhere in the office. Is it possible that the patient has picked it up on the way out of the office? As a workforce member, what reasonable action(s) could you have taken to prevent this potential HIPAA violation?
Remind the physician assistant of the practice's policy, which states that recorders should not be taken into areas to which patients have access. The recorder should only be used in his office, where he performs dictation. Provide the physician assistant with a locked drawer in which to place the recorder when it is not in use.
CASE STUDY: Driving home on a windy evening, a workforce member at a local hospital sees papers blowing wildly down a street that is home to many medical offices. She stops her car, gets out, and retrieves some of the papers, which, she immediately realizes, are medical records from a nearby physician's office. The woman spends nearly half an hour gathering the records, then puts them in her car and calls the physician at home about the situation. The physician tells her that the records were set out for trash pickup that evening. As a workforce member, what reasonable action could you have taken to prevent this potential HIPAA violation?
Shred all documents before putting them in the garbage.
CASE STUDY: An employee at a local sandwich shop receives a fax transmission that has clearly been sent in error: medical records from the XYZ Fertility Treatment Center. The fax does not include a cover sheet, but the employee is able to locate a phone number for the clinic and calls to advise the staff that the shop has inadvertently received the transmission of medical records. As a workforce member, what two reasonable actions could you have taken to prevent this potential HIPAA violation?
• Program the fax machine to print a confirmation of every fax sent. • Use a cover page bearing the sender's name, address, and phone number, plus directions to inform the organization what to do if the fax is received by the wrong person.
CASE STUDY: A flash drive containing the names, addresses, Social Security numbers, and birthdates of the people participating in a research study has been either lost or stolen. The healthcare organization conducting the study is required to offer identity-theft protection to the more than 4000 participants in the study. As a workforce member, what reasonable action(s) could you have taken to prevent this potential HIPAA violation?
• Provide contact information on the device in the event that the device is lost. • Avoid the use of portable devices for storage of PHI.
CASE STUDY: A well-known physician who developed and published a famous diet dies weighing 258 lbs. The medical examiner's report indicates that the physician had a history of heart attack, heart failure, and hypertension. This information, contained in the death report, is inappropriately obtained and distributed by way of a copy of the report. Healthcare organizations should not assume that they are free to distribute copies of a deceased patient's medical records. After a patient's death, a healthcare organization may disclose the individual's records only to the individual's personal representative (e.g., an executor, administrator, or other person who has the authority to act on behalf of the deceased person or that person's estate). What reasonable measure could the healthcare organization have taken to prevent this breach?
• Provide training for all workforce members. • Conduct background checks on all workforce members. • Implement a zero-tolerance policy in regard to minimum necessary disclosure.
CASE STUDY: A healthcare provider is instructing an administrative staff member to bill a specific patient for a vasectomy the provider performed in the hospital. The conversation is overheard by several people in the waiting room, one of them a close friend of the patient who had the procedure. The friend advises the patient that he has overheard a conversation about the patient's vasectomy. As a workforce member, what are two actions that could reasonably have been taken to prevent this potential HIPAA violation?
• Remind co-workers when they are speaking loudly or are at risk of having others hear them that their patients' privacy may be violated. • Keep the doors and windows closed between administrative, clinical, and patient waiting areas.
T/F Medical practices are allowed to use patient sign-in sheets under HIPAA.
• True • HIPAA is not intended to impede the use of patient sign-in sheets.
T/F As a means of protecting the privacy of other patients, workforce members may ask patients to stand a few feet back from the registration desk.
• True • It is common practice to designate a spot beyond which patients should wait while others register.
T/F Under HIPAA, PHI may be disclosed for TPO without the patient's authorization.
• True • It is permissible to disclose PHI for TPO without the patient's authorization.
T/F Under HIPAA, healthcare professionals may discuss a patient's condition with a student or during training rounds.
• True • Such discussions are allowed, as long as reasonable precautions are taken to minimize incidental disclosures to others who may be nearby.
T/F Under HIPAA, a physician may discuss an incapacitated patient's condition with a family member over the phone.
• True • Such discussions are permissible as long as the physician, using professional judgment, deems them appropriate.
T/F The HIPAA Privacy Rule permits a provider to discuss a patient's health status and treatment and payment arrangements with the patient's family and friends.
• True • The Privacy Rule specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient in the patient's care or payment for health care.
T/F Under HIPAA, a pharmacy may allow another person to act on behalf of the patient to pick up a filled prescription.
• True • This practice is permissible as long as the pharmacist, using professional judgment, deems it appropriate.
T/F The staff of a clinic places patient charts in plastic wall boxes outside an exam room. This practice is allowed under HIPAA.
• True • This practice is permissible as long as the staff takes reasonable and appropriate measures to protect patients' privacy. Reasonable measures might include placing the chart in the box so that the front cover of the chart faces the wall.
