CHC Study Q Healthcare Compliance Certification HIPAA

Term Definition
Health Ins. Portability and Accountability Act (HIPAA) passed in 1996 to reduce costs of healthcare.
HIPAA Preempts HIPAA is a national regulation. if a federal statues states it overrides state law on a particular issues, then the federal law is the law that must be followed.
Request for Records Under HIPAA a person is entitled to a copy of their medical records within 30 days of the request.
Health Information Technology for Economic and Clinical Health (HITECH) Act Passed in 2009 given the implementation of the electronic medical record.
HIPAA governs The use and disclosure of protected health information (PHI) by covered entities directly and their business associates indirectly. If the organization does not fit the definition of a covered entity, the regulation does not apply.
Covered entities are defined in the HIPAA rules as health plans,health care clearinghouses, health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. … Covered entities can be institutions, organizations, or persons
HIPAA Individual Rights Under The Privacy Rule obtain a copy of their PHI,amend, obtain accounting disclosures of PHI,receive a Ntc PP,communications about PHI in confidential,restrict disclosure on certain uses/disclosures of PHI,file a complaint to the entity & office of OCR
Notice Of Privacy Practices Health care providers/plans are required to provide the patient with a copy of Ntc PP The notice must be provided to the patient at the first episode of care. If the first episode of care was via telephone, the Ntc must be mailed to the patient w/in 24hr
Privacy rule requires for PHI to be produced upon request but some PHI can be restricted PsyNotes,Infor compiled in litigation,CLIA,Jail if access will put patient at risk,Research study if agreed, inform rec'd from another source other health care providerm,inform subject to the Privacy Act,In general if access would put patient at risk.
Denied Access to Health Information An appeal process must be provided and a third party individual (licensed health care professional) not involved must review the decision.
HITECH Requirement of Electronic Records Copies of medical records are to be provided in electronic format if maintained electronically.
Right to an Amendment of Protected Health Information Patient has the right to request to amend their records. Co can amend records per policies but co does have the right to reject request for amend. If co amends the patient’s records, amendment cannot completely eliminate the information from the record.
Denials for Request for Amendment of Records The information in the records was not generated by the companyThe request for amendment is for information not part of the designated record set and/or the patient does not have access to same.
Right to Request Restrictions A patient can restrict use and disclosure of PHI when used for • Treatment• Payment • Healthcare operations• Disclosure to family member• Disclosure to friend• Disclosure to other person involved in the patient’s care
Denied Right to Request Restrictions PHI Given the burned to grant these requests, the cover entity has no obligations to agree to the restrictions.
HITECH Exception to Right to Request Restrictions of PHI Health care providers not to disclose health information to health plans in cases where the patient and/or other individual pays for all health services in full.
Right to Request for PHI Confidential Communications If a person makes a request to communicate PHI in a specific way, the covered entity has the obligation to grant this request unless there is an unreasonable basis for not granting the request.
Right to Request an Accounting of PHI Disclosures If a patient requests an accounting of PHI disclosures, the covered entity is required to provide this information for a period of up to six years.
An Accounting of PHI Disclosures is not Required For TPO,Made in limited data set,with author from patient, national security, prior to April 14, 2003, to the patient, required giving the individual an opportunity to object, jail/law enforcement having custody of the individual & give care.
An accounting of PHI Disclosures Includes • Who received the information• The date the disclosure was made• A brief description of the information• A brief statement of purpose
Right to File A Complaint A patient has the right to file a complaint with cover entities Privacy Officer and Office of Civil Rights, DHHS.
Uses & Disclosures of Patient Information ONLY • Use and disclosure by covered entity without patient consent.• Use and disclosure by covered entity once patient has been given the opportunity to object.• Use and disclosure with patient’s consent.
PHI Required Disclosures • When requested by DHHS for an investigation.• When the patient requests same
Permitted Disclosures TPO The primary use of PHI is for:• Treatment• Payment of health care• Health care operations
The Rule for Access to PHI for Purpose in the Public Interest The Privacy regulations allows disclosure for public interests without a patient’s authorization but the covered entity is not required to disclose any information.
Examples of Access to PHI for Purpose in the Public Interest Public health act,victims of abuse,health oversight activities,Judicial proceedings,Law enforcement,Inform to coroners/others, organ donation,research,avert a serious threat,Specialized governmental functions,Worker’s compensation
Access PHI Requiring an Opportunity to Object 3 opportunities when PHI can be used or disclosed w/out patient’s permission Once patient has been given the chance to object. When inform about the patient is listed in the hosp’s direc. Specific disclosure to family, friends/others involved in care/payment for care. For disaster relief to determine location & condition
Information Listed within Hospital Directory The patient must be informed and given the chance to object to this listed information or part of the information and to who the PHI can be disclosed. Person’s name, Location, General condition, Religious affiliations
PHI Authorization Request Requirements – if not it is not valid and the covered entity cannot rely on it to use and disclose PHI Descr of PHI, purpose, Name of person to disclosure/rec PHI, exp date,Sign/date, Statement right to revoke author in writing,statement signing author precon of treat, part research, eligibility benefits, enrollment of plan,State redisclose info not PHI
Fundraising HIPAA Requirements HIPAA permits use and disclosure of limited PHI without authorization:• Demographic informationo Nameo Addresso Contact informationo Insurance statuso Date of careFor additional PHI an authorization is required
Fundraising HITECH Requirements implemented for a patient’s right for an easy and inexpensive (no more than a stamp) way to opt out of all fundraising communications and the Patient’s response is not conditioned on treatment or payment of health services.
Marketing HIPAA Requirements author is required for use/disclosure of PHI. co has 2 report 2 patient if getting paid. market doesnt include inform given about benefit/service part of patient’s health plan, inforRE treat, altern treat, therapies, health care providers, setting of care
Marketing HIPAA Requirement w/out Authorization If the marketing event is face to face and the patient agrees and is getting paid, an authorization is not required.
Marketing HITECH Requirements Req autho for certain health related comm sent by health providers to patient’s in exch 4 payment recd from 3rd party whose product/service is being described. subsidized treatment comm, health provider is req to include get paid in the autho & opt out
HIPAA Minimum Necessary Standards used to indentify the amount of PHI that can be used or disclosed in a particular circumstance. Anytime a covered entity makes a use or disclosure of PHI and evaluation for minimum necessary is required.
HIPAA Minimum Necessary Standards NOT REQUIRED • With an authorization• To a provider for treatment• To the patient • To the secretary of DHHS• As required by law• As required to comply with the regulations
HIPAA Role base access means only allowing employees and others access to the information that is needed to perform their role in the organization.
HIPAA Need-to-know this is an educational process. The ability to have access to PHI does not mean there is a need to know. For example: a doctor with full access to the medical record but should only access the medical record for his patient.
HITECH Need-to-know requires covered entities to consider limited data set for this purpose which includes limited identifiers. HHS has to provide guidance.
HIPAA Limited Data Set is described as health inform that excludes certain, listed direct identifiers (16) but that may include city; state; ZIP Code; elements of date; & other numbers, characteristics, or codes not listed as direct IDs. THIS DOES NOT REASONABLY ID A PERSON.
HIPAA Disclosure of Limited Data Set for purposes of research, public health, or health care operations, without obtaining either an individual's Authorization or a waiver or an alteration of Authorization for its use and disclosure, with a data use agreement.
HIPAA data use agreement is used by covered entities to obtain satisfactory assurances that recipient of limited data set to be use/disclose PHI in data set only for specified purposes by all.
De-identifying Protected Health Information Under the Privacy Rule Covered entities may use/discl PHI de-ID w/out restriction. CE seeking to release health info must dete info has been de-ID using statistical verif of de-ID or remov 18 elem from record that could be use to ID personRelativesEmployers
HIPAA Breach of protected health information A breach of protected health information (“PHI”) is defined as the acquisition, access, use, or disclosure of unsecured PHI,which poses a significant risk of financial, reputational, or other harm to the affected individual
Breach of Information data breach is an incident in which sensitive, protected/confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. PHI, personally identifiable information (PII), trade secrets or intellectual property.
Security breach is any incident that results in unauthorized access of data, applications, services, networks and/or devices by bypassing their underlying security mechanisms.
How to Determine if there is a Breach Risk Assessment2determine if the nature/ extent of PHI involved. ID & likelihood of re-ID, who the unautho person was. Co need to determine who recd/viewed the data,if autho/not, PHI was actually acquired/viewed, extent to which isk toPHI wasmitigated
HIPAA Verification Privacy regulation requires the covered entity to have policies and procedures to verify who is the individual requesting the PHI and they can receive this information.
Business Associate covered entity contracts with an external co2provide services that are part of their health care operations which involves access to PHI.Before services can begin, the covered entity has2make sure BA agreement follows the privacy regulations
HIPAA Business Associates Requirements must provide satisfactory assurance that the PHI will be used as per privacy regulations. functions and limitations of PHI must be defined. must also defined what will happen to the PHI upon termination of the agreement.
HITECH Business Associate Requirements comply with technical, administrative &physical safeguards under the security rule &make them accountable/directly liable4criminal/civil penalties4 violation of rule. Req even if there is no contract with BA &holds BAs’ subcontractors liable as well.
Exceptions to breaches De-ID info which all HIPAA ID have been removed, Discl in a good faith belief that receipt of info would not reasonably have been able to retain info, uninten acquisition, access/use of info by persons acting under autho of CE/BA
PHI is considered unusable/ unreadable when it is encrypted per NIST standards, when PHI is de-identified, shredded or when paper cannot be reconstructed.
HITECH Breach Requirements To notify the Office of Civil Rights for DHHS of breaches of unsecured PHI
Notice to Deceased Patient Notice must be provided to the next of kin
Breaches of 500 or more must be reported immediately to HHS online via the OCR website. The patients must be ntc imm or no later than 60 days after the breach occurred. Media outlets must also be notified, radio, television with the same information provided to the patients.
Breaches of 500 or less rep annually to HHS online via OCR website w/in 60 days end of CY. For insufficient add/ntc are returned, sub ntc must be given imm by phone/email/posting 90 days on home page of CE website, major print/broadcast media in geo area where person lives.
Notice of Breach Requirements desc of what happened, date of breach& discovery,types of info involved,Steps to take to protect from harm, what CE is doing to inves/mitigate from further breaches,Contact info2ask questions include a toll-free#/email, website or postal address.
HIPAA Privacy Rule applies to all PHI held by the covered entity
HIPAA Security Rule applies to ePHI records maintained in an electronic medium which require physical, technical & administrative safeguards to protect the integrity availability & confidentiality of ePHI
HIPAA Security Rule Content Rule is broken down into standards?d into implemen specification. It requires a standard2be implem or defined as addressable. If standard is required, it must be implemented. If addressable it does not have to be implemented but co must docu why
Organized Health Care Arrangements OHCA Clinically integrated setting person rec' care from more than 1 provider, it allows for OHCA a joint PHI ntc for care operations for all services provided within OHCA
Affiliated Covered Entity ACE a group of legally separate covered entities that share a common ownership of control 5% or greate. HIPAA allows it to function as one CE but not all legally separate entities are liable for privacy violations of other entities.
Hybird Covered Entity HCE is a business that has as one of its function an activity that makes it a health care provider, a health plan and/or a health care clearinghouse. Per Privacy rule, this is a covered entity and must comply with regulations
HIPAA General Rule Covered entity may not use or disclose protected health information except as permitted or required
HIPAA Rules Governs The rule applies to the State where the records are maintained and always follow the stricter standard
HIPAA Enforcement Office of Civil Rights Privacy & Security Civil complaints. Department of Justice for Privacy Criminal complaints. Centers for Medicare & Medicaid for transactions & code sets.
Health Plans a plan that provides or pays the cost of medical care. Includes Medicare/Medicaid/Self Funded with more than 50 participants administer by employer
Providers A provider of medical or health services such as SNFs, home health, hospitals, physicians clinic that transmit any health information in electronic form
Clearinghouse billing process claims on behalf of a provider, process health information from a nonstandard content into standard data elements or to a standard transaction.
3rd Party Administrator oversees who manages the plan administrator
Use is internal, with respect to individually ID health information, sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information
Disclosure is external, the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information
Protected Health Information PHI is health info collected from person created/recd by a CE & relates to past, present, future care,treatment, payment of health care to a person which can be used to ID the person/maintained in any form-NOT ED/employ records
De-Identified PHI All identifiers listed within the rule are stripped out. De-Identified information is not protected health information & not protected under HIPAA.
De-Identified Data Is defined in the rule as data that MAY NOT be included. Thus all 18 elements must be removed. Date information can ONLY list a year. If other date info is listed, the data is NOT de-identified.
Limited data set is defined in the rule as data that MAY NOT be included.Thus all 16 elements must be removed to be a limited data set.
Reportable Breach Requirements a privacy breachand unsecured PHI. presumptive reportable breach unless there is a low probability of compromise. Based on Risk Assessment
Privacy Breach unauthorized acquisition, access, use or disclosure of PHI
Unsecured PHI PHI not secured through technology or a method specified by the secretary through guidance -unusable, unreadable or indecipherable to unauthorized individuals by encryption & destruction
Presumption of Breach – Risk Assessment Factors Content-what PHI was included, Person-to whom was the PHI disclosed, Access-was the PHI actually accessed, Mitigation-to what extent has the risk of harm been lessened. Assess all to determine risk.
Business Associate Agreement requirements What PHI will be accessed, PHI will be protected, How it will be destroyed, what happens if a breach occurs and termination.
HIPAA Civil Monetary Penalties – first level Not know by entity & could not have been discovered $100-$50,000
HIPAA Civil Monetary Penalties- 2nd level Reasonable cause, but not from willful neglect $1,000. – $50,000
HIPAA Civil Monetary Penalties – 3rd level Willful neglect, but corrected within 30 days of discovery $10,000 – $50,000
HIPAA Civil Monetary Penalties – 4th level Willful neglect and not corrected within 30 days $50,000 – $50, 000
HIPAA Civil Monetary Penalties cap per calendar year $1, 500,000 per violation event
Security Rule Breakdown 3 safeguards – 18 standards: Administrative(oversight,risk assessment,password). Physical (surrou). Technical (how U limit&protect data). 42 ImplemSpecifications, they are 20required& 22addressable. Add do not have to be Implem but have to tell/docu why
Security Rule Intent Technology neutral, to be scalable, Protect confidentiality, integrity and availability of ePHI.

Leave a Reply

Your email address will not be published. Required fields are marked *