10) HIPAA Flashcards
Describe the Health Insurance Portability And Accountability Act (HIPAA) of 1996
Protects the privacy and security of certain health information
- Privacy Rule - Establishes national standards for protecting all individually identifiable health information (in any form)
- Security Rule - Establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form (e-PHI)
Who are covered entities under HIPAA?
- Health care providers (HCPs) that transmit health information electronically in connection with standard transactions
- Health plans
- Health care clearinghouses
What are business associates? Are they covered under HIPAA?
A person/entity that performs certain functions/activities involving the use or disclosure of PHI on behalf of, or provides services to, a covered entity
- Attorneys, accountants, consultants, claims processing, data analysis, quality assurance, utilization review, etc.
- Not a covered entity! But they are not outside HIPAA: a business associate agreement (BAA) is required, and since the HITECH Act business associates are directly liable for complying with the Security Rule and the applicable parts of the Privacy Rule
Describe the Details of the Privacy Rule
- Protects most individually identifiable health information
- Gives patients the right to access their medical records, request amendments, and receive an accounting of how their PHI has been disclosed
- Restricts access by others
- "Minimum necessary" standard: access is limited to the people who actually need the information to do their job → Knowingly obtaining or disclosing PHI without authorization can be a federal crime
- States that all patients must be informed about the facility's privacy practices/policies (notice of privacy practices)
- Allows patients to give written authorization for disclosures beyond treatment, payment, and health care operations
Protected Health Information (PHI)
Individually identifiable health information, including information related to patient demographics, medical history, the provision of health care, and past/present/future payment for care
- Any information that can be used to identify a patient, even if it does not include a name (e.g., dates, MRN, address, photos)
When is pt authorization not required for sharing of PHI?
- Two providers who are both treating the patient (treatment, payment, and health care operations)
- Disclosure to family, friends, and others involved in the patient's care → Requires professional judgment and giving the patient a chance to object when practical
- Sharing to protect public health & safety (e.g., required public health reporting)
- Sharing to prevent or lessen a serious and imminent threat
- Facility directories (patient must be given the opportunity to opt out)
What should a HIPAA privacy notice include?
- The required heading
- A statement of use and disclosures
- A statement of individual rights
- A statement of the covered entity’s duties
- Directions for how to complain
- Contact info
Describe the Details of the Security Rule
Defines confidentiality as e-PHI not being made available or disclosed to unauthorized persons
- Requires covered entities (and business associates) to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI
Under the Security Rule, what must covered entities do?
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, and transmit
- Identify and protect against reasonably anticipated threats to the security or integrity of the information
- Protect against reasonably anticipated impermissible uses or disclosures
- Ensure compliance by their workforce
Breach
An impermissible use/disclosure under the Privacy Rule that compromises the security or privacy of the PHI. Any impermissible use/disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised
Breach Notification Rule
Requires that HIPAA-covered entities and their business associates provide notification following a breach of unsecured PHI (PHI that was not rendered unusable/unreadable, e.g., by encryption or destruction, per HHS guidance)
- Affected individuals: without unreasonable delay and no later than 60 days after discovery
- HHS: for breaches affecting 500+ individuals, at the same time as individuals; smaller breaches are logged and reported annually
- Prominent media outlets: for breaches affecting more than 500 residents of a state or jurisdiction
What things regarding PT practice need to be considered for HIPAA?
- Patient identification (verifying identity before discussing or releasing PHI)
- Evaluation procedures (who can overhear or see the evaluation)
- Sign-in/sign-out processes (what other patients can see on the sheet)
- Physical layout of the facility (screen placement, open treatment areas, where charts sit)
- Computer security (logins, screen locks, encryption, access limited to what each role needs)
What can happen for HIPAA violations?
Civil or criminal sanctions
- Civil = Monetary penalties, tiered by culpability (did not know → reasonable cause → willful neglect that was corrected → willful neglect not corrected); an honest mistake lands in the lowest tier
- Criminal = Fines and/or jail time for knowingly obtaining or disclosing PHI, with higher tiers when done under false pretenses or for commercial advantage, personal gain, or malicious harm
True or False: The degree of non-compliance (culpability and whether it was corrected) makes a huge difference in penalties
True
What are the causes of improper payment?
- Improper billing
- Improper coding
- Poor documentation