HIT 101 - CH 8


US constitution

-The US Constitution does not grant a right to PRIVACY, but courts have interpreted it to give privacy rights in certain areas such as:
-Religion
-Child bearing
-There are currently no health information rights to privacy.

Authorizations are deemed INVALID if:

-The expiration date has passed, or the expiration event is known by the covered entity to have occurred
-The authorization has not been filled out properly/completely
-The authorization is known by the covered entity to have been revoked
-The authorization lacks a required element (signature)
-The authorization violates the compound authorization requirements
-Any material information in the authorization is known by the covered entity to be false

Authorization should contain at least the following elements to be VALID:

-A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
-Name or other specific identification of the person or class of persons authorized to make the requested use or disclosure

Subpoena

**Most important discovery tool. It is not a method that elicits information itself; instead it facilitates DISCOVERY by compelling individuals to appear at a certain time and place or to produce requested documentation.
-These subpoenas may direct that originals or copies of health records, lab reports, X-rays or other records be brought to a deposition or to court.
-In most cases, an authorization or permission from the individual accompanies the subpoena.
-Two types of subpoenas:
-Subpoena ad testificandum: seeks testimony
-Subpoena duces tecum: to bring documents and other records with oneself

HIPAA - 5 titles

**Title II is the most relevant title to the HIM professional. It contains provisions relating to the prevention of healthcare fraud and abuse, medical liability (medical malpractice) reform, and administrative simplification.
-Title I: Insurance Portability
-Title II: Administrative Simplification
-Title III: Medical Savings and Tax Deduction
-Title IV: Group Health Plan Provisions
-Title V: Revenue Offset Provisions

Discovery

-Considered both a process and a period of time: a pretrial stage where parties to a lawsuit use numerous strategies to discover or obtain information that other parties hold.
-Purpose: to learn each party's relative weaknesses and strengths in a case, to avoid surprise at trial and perhaps encourage pretrial settlement.
Types of discovery:
-Subpoena (most important type of discovery)
-Deposition
-Interrogatories
-Court order
-Warrants
-E-discovery
-Metadata

Right of Accounting requirements - Elements to be included per ARRA

-Date of disclosure
-Name and address, if known, of the entity or person who received the information
-Brief description of the PHI disclosed
-Brief statement of the purpose of the disclosure, or a copy of the person's written authorization or request

Disclosure

-Disclosure is how health information is disseminated outside of the facility.
-It becomes very important when the facility is under litigation and health information becomes key evidence necessary for fact-finding during the discovery process and trial.

Deposition

-It is an important discovery method. Definition: a formal proceeding where the oral testimonies of parties to a lawsuit (plaintiff and defendant) and other relevant witnesses are obtained.
-Attendance is compelled by a subpoena (a court order of instructions).
-Plaintiff and defendant are usually present.
-HIM professionals can be subpoenaed to testify as to the authenticity of the health records, by confirming the records were compiled in the usual course of business and have not been altered in any way.

HIPAA - pre-enactment of HIPAA

-No federal statutes or regulations generally protected the confidentiality of health information.
-Laws varied considerably state by state, creating a patchwork of laws across the US.
-Many states passed laws that protected only highly sensitive health records, such as mental health and HIV/AIDS records.
-Many had to resort to lawsuits for wrongful health record disclosure, often alleging negligence.

Authorization - Permits access without authorization - Uses and disclosure of PHI

-Patient HAS the opportunity to formally agree or disagree:
**Facility directory
**Notification of relatives and friends
-Patient DOES NOT have the opportunity to agree or object:
-As required by law (to meet public interest)
-Public health activities (preventing and controlling disease, injuries and disabilities)
-Victims of abuse, neglect, or domestic violence
-Healthcare oversight activities (audits and investigations, licensure, inspections)
-Judicial and administrative proceedings (court orders, subpoenas, discovery process)
-Law enforcement purposes (including deceased individuals, ongoing investigations)
-Decedents (coroner or medical examiner)
-Cadaveric organ, eye, or tissue donation
-Research (IRB or privacy board must exempt the authorization requirement)
-Threat to health and safety
-Specialized government functions
-Workers' compensation
-Incidental uses or disclosures
-Limited data sets

Hearsay

An out-of-court statement used to prove the truth of a matter; it is inherently deemed untrustworthy because the maker of the statement was not cross-examined at the time the statement was made. Exception: business records, which are deemed inherently trustworthy.

HIPAA - Persons rights and time frames

-Right to access: 30-day response (60 if PHI is not onsite) / 30-day extension
-Right to request amendment of PHI: 60 days / 30-day extension
-Right to an accounting of disclosures: 60 days after receipt of request / 30-day extension (no charge within a 12-month period)
-Right to request confidential communications
-Right to complain of Privacy Rule violations

Sale of information

Addressed specifically by ARRA, which prohibits a covered entity or BA from selling PHI (receiving direct or indirect compensation in exchange for an individual's PHI) without that individual's authorization; the authorization must also state whether the individual permits the recipient of the PHI to further exchange the PHI for compensation.
Exemptions:
-Public health and research data
-Treatment
-Healthcare operations to a BA pursuant to a business associate agreement
-To a person who is receiving a copy of his or her own PHI
-Other exemptions deemed by the Secretary of HHS

Right of Access

Allows an individual to inspect and obtain a copy of his or her own PHI contained within a designated record set, such as a health record.
-This right extends as long as the PHI is maintained, although HIPAA does not require records to be retained for a specified period.
-Exceptions to access are:
~Psych notes
~Information compiled in reasonable anticipation of a civil, criminal, or administrative action or proceeding
~PHI subject to CLIA (Clinical Laboratory Improvement Act)

FACTA - Fair & Accurate Credit Transactions Act

Amendment to FCRA. Provides help with identity theft and credit fraud, and with employee misconduct investigations by third parties. Does not specifically address medical identity theft.

Compound authorization

An authorization that combines informed consent with an authorization for the use and/or disclosure of protected health information. Under HIPAA, an authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows:
(i) an authorization for the use or disclosure of protected health information for a research study may be combined with any other type of written permission for the same or another research study;
(ii) an authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes;
(iii) when a covered entity has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits under this section on the provision of one of the authorizations (45 CFR 164.508, 2013).

business associate

An organization or individual that provides specific services to a covered entity involving the use or disclosure of PHI; for example, an off-site storage company that houses EMR data, law firms, transcription companies, etc. ARRA also includes Patient Safety Organizations (PSOs) in the BA definition. *A BA's subcontractors are also subject to the HIPAA rules and regulations, regardless of whether an agreement was signed.

PHI (Protected Health Information)

Any information concerning a patient's health, medical condition, diagnosis, or treatment; it can include financial information that may be identifiable to a person from the information given. Applies to electronic and paper information. **Per ARRA, PHI of a deceased person is considered protected for 50 years.

Right of Access - requesting access to ones own PHI

The covered entity (CE) may require that the request be in writing. Response to the request: no more than 30 days (60 days if the information is off site), with a 30-day extension. Cost: copying, postage and preparation at a reasonable cost. HIPAA does not permit retrieval fees to be charged to patients, but they are permitted for non-patient requests.

Notice of Privacy Practices

Document informing a patient of when and how their PHI can be used.
-Must explain in plain language the patient's rights and the covered entity's legal duties with respect to PHI.
-It is provided at the first service delivered.
-Must be available at the site where the patient is treated and must be posted in a prominent place where patients can reasonably be expected to read it.
-Website availability with easy access.

Admissibility - information exclusion

Even relevant evidence with probative value (that is, something that provides value) may be excluded from admissibility if:
1) it is outweighed as unfairly prejudicial, or if presenting the evidence would cause undue delay;
2) it is misleading or redundant;
3) it is hearsay (an out-of-court statement used to prove the truth of a matter; it is inherently deemed untrustworthy because the maker of the statement was not cross-examined at the time the statement was made).

1) True or false. In all cases, a covered entity may deny an individual's request to restrict the use or disclosure of his or her PHI.

FALSE: The request may be denied in almost all cases, but it cannot be denied for disclosures to a health plan where the individual has paid for a service or item completely out of pocket.

The breach notification requirement:

-FTC must be notified.
-All persons whose information has been breached must be notified without unreasonable delay:
*no more than 60 days
*by first class mail
*or by telephone (if there is a threat of imminent use)
-500 or MORE affected:
**they must be individually notified
**MEDIA OUTLETS must be used as a notification mechanism
**the Secretary of HHS must be specifically notified
-Fewer than 500:
**must be logged by the CE in an HHS online reporting system
**submitted annually as a report no later than 60 days after the end of the calendar year

HIM - Testimony

Focus is on the authenticity of the health record and refers to the document's baseline trustworthiness. If questions are outside the scope of expertise of an HIM professional, then he/she must respectfully decline to answer the question by stating it is beyond the scope of expertise, i.e. eliciting information about a patient's condition or purpose for medical treatment.

Legal action- granted by ARRA and HITECH

Grants state attorneys general the ability to bring civil actions in federal court on behalf of residents believed to have been negatively affected by a HIPAA violation.

1 What types of health record are subject to the HIPAA Privacy Rule?

HEALTH RECORDS IN ANY FORMAT

Deidentified Data - HIPAA requirements

HIPAA requires that the covered entity do one of the following things to ensure deidentification:
1) The covered entity can STRIP certain elements to ensure that the patient's information is truly deidentified (anything unique to that individual).
2) The covered entity can have an EXPERT APPLY GENERALLY ACCEPTED STATISTICAL AND SCIENTIFIC principles and methods to minimize the risk that the information might be used to identify a person.

Which of the following statements is true?

HIPAA states that state law preempts the HIPAA privacy rule. They do not need to consult an attorney because they know the state law is stricter and therefore should abide by it.

Title II: Administrative Simplification

HIPAA's attempt to streamline and standardize the healthcare industry's nonuniform business practices, such as billing, including the electronic transmission of data. Contains:
-Transactions
-Identifiers
-Security
-Privacy
-Enforcement

Right to request confidential communications

Healthcare providers and health plans must give individuals the opportunity to request that communications of PHI be routed to an alternative location or by an alternative method.
-Health plans must honor the request if it is reasonable and if the requesting individual states that disclosure could pose a SAFETY RISK.
-The request can also be refused if the person does not provide information as to HOW PAYMENT WILL BE HANDLED, or an alternative address or method by which he or she can be contacted.
i.e. A woman who is seeking help from an abusive relationship requests that billing information from her psychiatrist be sent to her work instead of her home.

Release of Information (ROI) - quality control

Includes both:
Productivity (turnaround time)
**Continuity of care information requests take PRIORITY when released/processed.
**To monitor timeliness, the date the request is received and the date the copies are sent are entered in the ROI database to determine patterns.
Accuracy (information released appropriately)
**A sample of authorizations is checked to verify authorization validity and to ensure compliance with federal and state regulations.
**Validation of the appropriate records released is also conducted.

Discoverable Data

Includes: EHR, emails, texts, voicemails, drafts of documents, electronic schedulers, websites, and information housed on mobile devices such as smartphones, etc.

1 Which of the following statements is true of the notice of privacy practices?

It must be provided to every individual at the first time of contact or service with the covered entity. Notice of privacy practices must be given to every patient the first time they come to the facility for care.

1 Mary's PHI was breached by her physician office when it was disclosed in error to another patient. Which of the following breach notification statements is correct regarding the physician office's required action?

It must report the breach to HHS within 60 days after the end of the calendar year in which the breach occurred

HIPAA Privacy Rule

Law that regulates the use and disclosure of patients' protected health information (PHI). One of the key federal laws that govern the protection of PHI. Sets a minimum (floor) of privacy requirements.

Deidentified Data

NOT protected by the Privacy Rule.
-Does not identify an individual because personal characteristics have been stripped from it in such a way that it cannot later be reconstituted or combined to re-identify a person.
-Most commonly used in RESEARCH.

1) Which of the following provides a complete description to patients about how PHI is used in a healthcare facility?

Notice of privacy practices. The notice of privacy practices provides a description to patients about how PHI is used.

ONC

Office of the National Coordinator for Health Information Technology

Covered Entities (CE)

Persons or organizations that must comply with the HIPAA Privacy and Security Rules, also covering electronic transactions. Include:
~Healthcare providers: those who conduct certain transactions electronically (financial or administrative)
~Health plans: those that pay for the cost of medical care (i.e. insurance companies)
~Healthcare clearinghouses: those that process claims between a healthcare provider and payer (i.e. an intermediary that processes a hospital's claim to Medicare to facilitate payment)

Individuals

The Privacy Rule defines individuals as the persons who are the subject of PHI.

Red Flags Rule

Promulgated under FACTA, the Red Flags Rule requires certain financial entities to develop and implement identity theft detection programs to identify and respond to "red flags" that signal identity theft.

limited data set

Protected health information from which certain specified direct identifiers of individuals have been removed. Per ARRA, this is used until the minimum necessary standard has been clarified: only the minimum necessary information is used or disclosed, reverting to the "amount needed to accomplish the intended purpose" definition when the limited data set definition is inadequate.

ARRA (American Recovery and Reinvestment Act)

Provides funds for the adoption of technology and provides the right for every individual to receive an electronic copy of their EHR.
-Made important changes to the HIPAA Privacy Rule, which are located in HITECH (the Health Information Technology for Economic and Clinical Health Act, part of ARRA).

Marketing - PHI use or disclosures

REQUIRES authorization from the person, except for communications that:
-Occur face to face between the covered entity and the person
-Concern a promotional gift of nominal value provided by the CE
-Describe health-related products and services provided by or included in the person's health plan
-Are for treatment
-Are for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers or care settings

minimum necessary standard

Requires that uses, disclosures, and requests be limited to only the amount needed to accomplish an intended purpose. Does NOT apply to PHI used, disclosed or requested for treatment purposes. Per policies and procedures, staff who need access to PHI should be identified, along with the amount of information that personnel should have access to, i.e. housekeeping will not have the same access as nurses.

privacy officer

Responsible for ensuring privacy practices are followed within an institution. Required by HIPAA. Role:
-Developing and implementing privacy policies and procedures
-Facilitating organizational privacy awareness
-Performing privacy risk assessments
-Maintaining appropriate forms
-Overseeing privacy training
-Participating in compliance monitoring of BAs
-Ensuring that patients' rights are protected
-Maintaining knowledge of applicable laws and accreditation standards
-Communicating with OCR (Office for Civil Rights)

subpoena ad testificandum

Seeks testimony. A court summons to appear and give oral testimony for use at a hearing or trial.

1 ARRA and HITECH granted which of the following the ability to bring civil actions in federal district court on behalf of residents believed to have been affected by a HIPAA violation?

State attorneys general. One of the changes brought about by ARRA and HITECH allowed state attorneys general to bring civil charges related to HIPAA.

State Laws

State laws must also comply with HIPAA, or else HIPAA will supersede them (preemption). All states have laws that require the disclosure of health information even without patient authorization, i.e. reporting of births, deaths, and health, safety or welfare situations like abuse.

1 True or false. A notice of privacy practices should include a statement explaining that individuals may complain to the Secretary of the Department of Health and Human Services if they believe that their privacy rights have been violated.

TRUE. The requirements for the notice of privacy practices include a statement that tells the patient who they can complain to in the event that their rights have been violated.

FTC (Federal Trade Commission)

The main federal agency designed to enforce consumer protection laws.

Release of Information (ROI)

The process of disclosing patient-identifiable information from the health record to another party.

e-discovery

The process of identifying and retrieving relevant electronic information to support litigation efforts.
-Pretrial legal process that obtains and reviews electronically stored data.
-Regulated/created by the FRCP (Federal Rules of Civil Procedure).

Admissibility

The quality of the evidence in a case that allows it to be presented to the jury. Admissibility rules are more stringent than discovery rules; thus much more information can be shared during pretrial discovery than is permitted to be admitted as evidence at trial. Governed by the Federal Rules of Evidence (FRCP); separate rules of evidence that mirror the federal rules govern admissibility in each state.

medical identity theft

The unauthorized use of someone else's personal information to obtain medical services or submit fraudulent medical insurance claims for reimbursement.

Authorization -Opportunity to Agree or Object

There are two times when patient authorization is not required but the patient should be given the opportunity to informally agree (verbally):
1) Facility directory: a list of patients currently being treated, if they agree to be listed.
2) Disclosure of relevant PHI to a family member, relative, or close friend who is involved in the patient's care.

fundraising activities

For fundraising activities that benefit the CE, the covered entity may use or disclose to a BA or an institutionally related foundation, without authorization, demographic information and dates of healthcare provided to the individual. There must be an option to opt out of receiving the material.

Penalties - ARRA and HITECH EST:

Tiered penalties per violation:
$100-50,000: unknowing violations
$1,000-50,000: due to reasonable cause
$10,000-50,000: willful neglect that was corrected
$50,000: willful neglect that was NOT corrected
A way of compensating those who were harmed by the violation.

Breach

Unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of such information. A breach should be presumed to follow an impermissible use or disclosure unless the CE or BA demonstrates a low probability that the PHI has been compromised.

1)In which of the following situations must a covered entity provide an appeal process for denials to requests from individuals to see their own health information?

When a licensed healthcare professional has determined that access to PHI would likely endanger the life or safety of the individual

HIPAA - Privacy Rule - The WHO and the WHAT

Who it applies to: covered entities, business associates, workforce members.
What it protects: PHI, by defining protected health information.

TPO - Operations

A broad list. Includes quality assessments and improvement, case management, review of healthcare professionals' qualifications, insurance contracting, legal and auditing functions, and general business management functions such as providing customer service and conducting due diligence. **Does not include marketing and fundraising.

Right of Accounting of Disclosures

A person has the right to receive an accounting of certain disclosures made by a CE. HIPAA: 6 years prior to request. ARRA: 3 years prior to request.
Requires accounting:
-Those that are made erroneously (breaches, errors)
-For public interest and benefit activities where the patient's authorization is not obtained
-Pursuant to a court order
Exceptions to accounting:
-For treatment, payment and healthcare operations
-To the individual to whom the information pertains and their representatives
-Incidentals (i.e. a sign-in sheet at an MD office, where the next patient who signs the sheet will see the previous person's name)
-Pursuant to an authorization
-For the facility directory
-To national institutions or law enforcement officials
-Part of the LIMITED DATA SET
-Occurred before the compliance date of the covered entity

Personal Representative

A person who has the legal authority to act on another's behalf. Per the Privacy Rule, a personal representative must be treated the same as the person regarding use and disclosure of the person's PHI.

Privacy

A social value and the right "TO BE LET ALONE".

Interrogatories

Written questions for which written answers are prepared and then signed under oath.
-A discovery method used to obtain information from other parties in a lawsuit.
Process: during the interrogatories, parties are given questions to respond to in writing. These questions may be answered by a party's legal counsel rather than by the party himself (but this requires a confirmation regarding the truthfulness and accuracy of the answers).

1 A valid authorization requires which of the following?

description of the information to be used or disclosed, statement that the information being used or disclosed may be subject to redisclosure by the recipient, an expiration date or event

Audits

Determine whether comprehensive policies and procedures are in place and whether they have been implemented to comply with the Privacy and Security Rules. Unannounced audits by ONC are mandated for CEs under ARRA/HITECH.

Workforce Members

Consists not only of employees but also VOLUNTEERS, STUDENT INTERNS, TRAINEES AND EVEN EMPLOYEES OF OUTSOURCED VENDORS: "those who routinely work on-site in the covered entity's facility", i.e. subcontracted janitorial work or security.

ONC (Office of the National Coordinator of Health Information Technology)

First established by presidential executive order; it is now recognized by statute as an entity within HHS (Department of Health and Human Services).
-It is the primary federal entity with responsibility for coordinating national efforts to implement and use health information technology, and to promote the exchange of electronic health information.

Use

How an organization avails itself of health information internally.

TPO - Treatment

Means providing, coordinating or managing healthcare or healthcare-related services by one or more healthcare providers, i.e. treatment includes caring for patients admitted to the hospital or coming for an appointment with the physician, and referrals made.

Stricter

Means that a state or federal statute provides an individual with greater privacy protections or gives individuals greater rights with respect to their PHI. If questions arise, legal counsel should be consulted.

Confidentiality

Similar to privacy, but it stems from the sharing of information that is legally protected, so sharing it further is not legal. Communication between patient and MD, clergy and patron, etc. is considered protected privileged information.

Consent

The patient's agreement to use or disclose personally identifiable information for treatment, payment and healthcare operations.

Information-Sharing during Discovery

This sharing is encouraged so each party knows the relative strength of the cases (which may lead to a settlement) and to avoid surprises at trial. The federal rule permits discovery of any relevant "non-privileged information", which may be limited by the court for reasons such as the request being unnecessary, duplicative, or too expensive for the party being asked to produce the requested information.

health plans: covered entity

Those that pay for the cost of medical care (i.e. insurance companies).

subpoena duces tecum

To bring documents and other records with oneself.
-These subpoenas may direct that originals or copies of health records, lab reports, X-rays or other records be brought to a deposition or to court.

Right of ACCESS - Opportunity to review

Two instances where the opportunity to review is granted:
1) Where a licensed healthcare professional determines that access to the requested PHI would likely endanger the life or physical safety of the individual or another.
2) Where access would reasonably endanger the life or physical safety of another person mentioned in the PHI.

Authorization - HIPAA REQUIRED - Uses and disclosure of PHI

Two instances:
1) When the individual or representative requests access to, or an accounting of disclosures of, the PHI.
2) When HHS is conducting an investigation, review, or enforcement action.

Privacy rule outline 3 key documents

These inform patients and give them a degree of control over their PHI:
1) Notice of Privacy Practices
2) Authorizations
3) Consent (optional per HIPAA)

PSO (Patient Safety Organization) - A business associate inclusion under HIPAA

Receives and analyzes patient safety issues. Also included in the BA definition:
-Health information organizations (HIOs)
-E-prescribing gateways and persons who facilitate data transmissions
-PHR vendors who enable covered entities (CEs) to offer PHRs to their patients as part of the CE's EHR

Right of Amendment - request of amendment of PHI

With this right, one may request that a CE amend PHI or a record about the person in a DRS (Designated Record Set). Response: within 60 days, with a 30-day extension.

Metadata

-Data about data, a concept that was unheard of in paper documentation.
-Provides information such as who accessed or attempted to access a system and when, which parts of the system were affected, and what operations took place.

PHI - three part test

1) The information must be held or transmitted by a covered entity or a BA in any form.
2) It must be individually identifiable health information (identifies the person or provides a reasonable basis to believe the person could be identified from the information).
3) It must relate to one's past, present, or future physical or mental health condition, the provision of healthcare, or payment for care.

HIPAA - Privacy Rule 2 main Goals

1) To provide greater privacy protections for one's health information, also serving to limit access by others.
2) To provide a person with greater RIGHTS with respect to his or her health information.
*HIPAA implementation furthers this goal.

right of ACCESS - Process after a Denial of access has been made

1) The CE must write a denial letter in plain language and include a reason.
2) Must explain that the person has the right to request a review of the denial.
3) Must describe whom the person may contact regarding the denial, including the name, title and number of the office.
4) Must include information on how to contact the Secretary of HHS.
The person also has the right to have the denial re-evaluated by another health professional who did not participate in the original denial and is designated by the CE to act as the reviewing official. The CE must then grant or deny according to the reviewing official's decision.

Release of Information (ROI) - Process of information request

1. Enter the request in the ROI database (patient name, DOB, MRN, name of requester, purpose, what was requested, etc.).
2. Determine the validity of the authorization (organizational requirements are based on state and federal regulations, i.e. requests that pertain to HIV records, abuse treatment, behavioral treatment). **If the authorization is invalid, it is noted in the ROI database and returned to the requester.
3. Verify the patient's identity (HIM verifies that the person has been a patient at the facility and compares the information provided as well as the signature).
4. Process the request (the record is retrieved, and only the information authorized for release is copied and released).

Breach - exemptions

1. Unintentional acquisition made in good faith and within the scope of authority.
2. Disclosures where the recipient would not reasonably be able to retain the information.
3. Disclosures by a person authorized to access PHI to another authorized person at the covered entity or BA.

Authorization - Does NOT HAVE Opportunity to Agree or Object - NO OPTION TO AGREE OR DISAGREE

16 circumstances where PHI can be used or disclosed WITHOUT the person's authorization or an option to agree or disagree:
-As required by law (to meet public interest)
-Public health activities (preventing and controlling disease, injuries and disabilities)
-Victims of abuse, neglect, or domestic violence
-Healthcare oversight activities (audits and investigations, licensure, inspections)
-Judicial and administrative proceedings (court orders, subpoenas, discovery process)
-Law enforcement purposes (including deceased individuals, ongoing investigations)
-Decedents (coroner or medical examiner)
-Cadaveric organ, eye, or tissue donation
-Research (IRB or privacy board must exempt the authorization requirement)
-Threat to health and safety
-Specialized government functions
-Workers' compensation
-Incidental uses or disclosures
-Limited data sets

healthcare clearinghouses: covered entity

Those that process claims between a healthcare provider and payer (i.e. an intermediary that processes a hospital's claim to Medicare to facilitate payment).

healthcare providers - covered entity

Those who conduct certain transactions (financial or administrative) electronically.

A legal Hold

A court order to preserve data for the purposes of an investigation. Upon receipt of a legal hold notification, a company is required to activate a defensible policy for the preservation of the data. A legal hold supersedes the routine destruction procedure. The legal hold also applies to e-discovery (retention and destruction) and prevents spoliation of evidence.

Preemption

A doctrine under which certain federal laws preempt, or take precedence over, conflicting state or local laws. -The Privacy Rule is only a federal "floor", or minimum, of privacy requirements, so it does not preempt or supersede stricter state laws/statutes.

Court Order

A document issued by a judge that compels certain actions, such as testimony or the production of documents such as health records. -If the person does not comply, he/she is at risk of contempt-of-court (failure to comply) sanctions, possibly including jail time.

Right of Access report

A report of all persons (within the facility) who have had access to a patient's protected health information. TPO disclosures would appear in the Access Report rather than in the Accounting of Disclosures. Proposed by HHS and still pending.

Breach notification

A requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) whereby all affected parties (the individuals affected, the federal government, and media outlets) must be notified if protected health information has been involved in a security breach. FTC (Federal Trade Commission): the main federal agency designed to enforce consumer protection laws. Breach notification requirements apply ONLY to unsecured PHI, i.e. PHI that technology has not made unusable, unreadable, or indecipherable to unauthorized persons.

Warrants

A judge's order that authorizes law enforcement to seize evidence and, often, to conduct a search as well. In criminal cases, health records are most likely to be obtained via warrant in healthcare fraud and abuse investigations.

Right of Access - NO opportunity to review:

CE can deny a person access to PHI without providing him/her an opportunity to review or appeal the denial when: -Psych notes -Use for criminal or civil litigation or administrative action -CE is a correctional institution and the inmate's request would create health or safety concerns -Research information that includes treatment, and an individual receiving treatment as part of a research study agrees to suspend his/her right of access temporarily -PHI was obtained from someone other than the healthcare provider under a promise of confidentiality, and the access requested would be reasonably likely to reveal the source of the information -Contains records that are subject to the federal Privacy Act -CE is subject to CLIA, which regulates the quality of lab testing, and CLIA would prohibit access -PHI is maintained by a CE exempt from CLIA

Breach: Companion Breach Notification regulations

Companion Breach Notification regulations by the FTC provide protection to persons whose information has been breached by: -Non-covered entities -Non-BAs that are PHR vendors or third-party service providers -PHR vendors or others not covered by HIPAA

Consent to Use or Disclose PHI

Consent: the patient's agreement to use or disclose personally identifiable information for treatment, payment and healthcare operations. Per HIPAA, healthcare providers are not required to obtain consent, but care providers obtain consent per facility policy except in emergencies. Obtained during patient care/procedures and has NO expiration date.

Business Associate Agreement

Contract between the provider, BAs, and a clearinghouse that submits electronic claims on behalf of the provider, regarding PHI disclosures. Has to meet HIPAA and ARRA requirements, which is to protect the information's security and confidentiality. **But if a person or organization meets the definition of a BA, they are BY LAW a BA even if the required agreement has not been signed, and they are subject to HIPAA's penalties if they violate HIPAA.

Business Records Exception -exception to Hearsay

Business records are deemed inherently trustworthy and are admissible as an exception to hearsay. A rule under which a record is determined not to be hearsay if it was made at or near the time by, or from information transmitted by, a person with knowledge; it was kept in the course of a regularly conducted business activity; and it was the regular practice of that business activity to make the record.

Spoliation of Evidence

Deliberate withholding, changing, hiding, or destruction of evidence relevant to a legal proceeding. Prevented by a "legal hold".

Right of Amendment - DENIAL request of amendment of PHI -

Denial: CE may deny a request when the PHI: -Was not created by the covered entity -Is not part of the DRS -Is not available for inspection as noted in the regulation of access (inmate notes, psych notes) -Is accurate and complete as is. The request must be responded to no later than 60 days (with a 30-day extension) by allowing or denying the request in writing. A denial response must be made within 60 days of the request with a written letter in plain language and contain: -The basis for the denial -The person's right to submit a written statement disagreeing with the denial -The process by which they can submit their disagreement -An explanation of how the request and the denial will be documented -A description of how the person may complain to the CE.

Authorizations- KEY COMPONENT OF HIPAA

Authorization by the individual for the use or disclosure of their health information is a legal requirement and a health information practice. A person may revoke the authorization, but the revocation will not apply to disclosures already made. Must be obtained, but with some exceptions. Required in: -Use and disclosures of psychotherapy notes (except to carry out TPO for treatment by the originator of the notes) -Research (unless the CE has obtained an IRB or privacy board waiver) -Mental health training programs by the covered entity -To defend a legal action or other proceeding brought by the individual -Oversight of the originator of the notes

Marketing

Communication about a product or service that encourages the recipient to purchase or use that product or service.

TPO (Treatment, Payment, Operations)

An important concept because HIPAA provides a number of exceptions for PHI that is being used or disclosed for TPO purposes. Comprised of: Treatment, Payment, and Operations.

TPO- Payment

Includes activity by a health plan to obtain premiums, billing by healthcare providers or health plans to obtain reimbursement, claims management, claims collection, review of the medical necessity of care, and utilization review.

Right of Accounting requirements

Includes disclosures made in writing, by telephone, or orally. -A disclosure pursuant to a subpoena that has written authorization from the patient is EXEMPT, but a disclosure pursuant to a court order is NOT. -Response within 60 days after the request, with a 30-day extension. -The first accounting within any 12-month period must be provided without charge. Additional requests after the 12-month period may have reasonable charges.

DRS (designated record set)

Includes the health records, billing records, and various claims records that are used to make decisions about an individual. HIPAA provisions apply to the DRS. It is broader than the legal health record, because it contains more components than those that would ordinarily be produced upon request.

FRCP (Federal Rules of Civil Procedure)

Incorporated electronic information through the creation of the e-discovery rules. The FRCP only applies to cases in federal district courts, but many states have adopted similar e-discovery rules that apply to both civil and criminal cases. Governs: Admissibility and E-discovery.
