2.2 HIPAA: Privacy and Confidentiality: Professional and Legal Responsibilities Flashcards
Includes any information that identifies or could reasonably identify an individual, his or her health/condition, treatment, or provision/payment for healthcare…
PHI (personal health information)
What is defined as all individually identifiable health information created, transmitted, received, or maintained by a covered health entity?
Protected health information (PHI)
What is included in identifying information?
- name
- address
- city
- zip code
- names of relatives
- names of employer
- birth date
- telephone number
- fax and email address
- social security number
- medical record number
- health plan beneficiary number
- account number
- certificate/license number
- any vehicle or other device serial number
- Web URL, Internet protocol address
- finger or voice print
- photographic images, and any other unique identifying number, characteristic, or code
What is PHI included on?
- encounter forms
- claims
- appointment schedule
- reports
- dietary cards
- requisitions
- prior authorizations
- test results
- logs
- pharmacy labels
- electronic data
Name examples of PHI in the workplace.
- Communication: switchboard, hallway conversations, dictation, shift reports, telephone conversations, and meeting discussions
- Materials: medical records, meeting minutes, white boards, clinical reports, wristbands, encounter forms, medication vials, downtime logs, printers, paper files, and notes.
- Data: claims, computer screens, EKG strips, films, email, faxes, and electronic files
When dealing with personal information, there does not have to be some middle ground between strict non-disclosure and full disclosure. True or False
False
When dealing with personal information, there has to be some middle ground between strict non-disclosure and full disclosure.
Some public and private health information must be shared to properly treat populations and individuals. True or False
True
With so much information now digitized, and therefore easily transmitted, must there be some protection of health information that must remain confidential to the individual?
Yes, some information must remain confidential to the individual.
Health information has one level of confidentiality. True or False
False… Health information has different levels of confidentiality.
Information on HIV status or psychiatric diagnosis may have a higher level of confidentiality than something less revealing, such as a zip code. What is this an example of?
This is an example of the different levels of health information confidentiality.
Some local and state laws may have higher documentation and disclosure requirement over special health information. True or False
True
What is the synonym for Health Insurance Portability and Accountability Act?
HIPAA
When was HIPAA drafted?
HIPAA was drafted in 1996.
What was HIPAA originally drafted for?
HIPAA was originally drafted to protect health insurance coverage for workers and families when they changed or lost their jobs.
PHI stands for Personal Health Information T/F
False PHI stands for Protected Health Information
PHI is included on most healthcare forms, reports, and screens. T/F
True PHI is included on encounter forms, claims, appointment schedules, reports, dietary cards, requisitions, prior authorizations, test results, logs, pharmacy labels, electronic data.
All health information has the same level of confidentiality T/F
False Health Information has different levels of confidentiality. For example, information on HIV status or psychiatric diagnosis may have a higher level of confidentiality.
The HIPAA Security Rule requires healthcare entities to protect against any reasonably anticipated threats or hazards to PHI. T/F
True The Security Rule requires healthcare entities to ensure the confidentiality, integrity, and availability of all electronic protected health information.
HIPAA defines which types of technologies must be used to safeguard PHI. T/F
False One thing HIPAA does not specify is the type of technology used to secure patient data. This is left to the health entities to figure out. It does specify that the technologies be appropriate to their operations and be supported by a thorough security.
The HIPAA Privacy Rule gives patients the right to request corrections to their medical records. T/F
True It gives them the right to examine and obtain a copy of their own medical records and to request corrections.
An insurer, responsible for payment, is entitled to see all data in a patient’s health record. T/F
False Release of information is generally limited to the minimum needed for treatment, payment, and operations.
What data a person can see in an EHR is dependent on his or her role.
True The role you have will dictate what you have the right to access.
An employee responsible for scheduling will have access to the same EHR functions as a nurse. T/F
False The role you have dictates the amount of patient information you have the right to access and disclose, so a scheduler only needs access to demographics and insurance information.
If you accidentally view information you should not have access to, report the event to your supervisor.
True
As an employee in a healthcare organization, you have the right to access the maximum information needed to care for the patient
False
If an individual accesses a record inappropriately, he/she is protected from being fired as long as he/she has completed HIPAA training. T/F
False It is becoming common that immediate employment termination could be the consequence of reviewing information that you do not have the right and need to know.
HIPAA’s Privacy and Security policies became law in
1996
The HIPAA Security Rule requires healthcare entities to ensure
the confidentiality, integrity, and availability of PHI
HIPAA of 1996 continues to be amended with
HITECH
What is Title I under HIPAA?
Protects health insurance coverage for those who lose or change jobs
What is Title II under HIPAA?
Standardizes electronic data exchange and protects the confidentiality and security of health data
What are the four Parts to Title II of HIPAA?
- Standards for electronic transactions
- Unique identifiers for providers, employers, and health plans
- The security rule
- The privacy rule
HIPAA Security Rule states
- Security, integrity, and availability of PHI (disclosures of PHI that are not permitted)
- Safeguard physical access to PHI (protected networks and computers)
What is Protected Health Information? List four examples.
- All individually identifiable health information created, transmitted, received or maintained by a healthcare institution
- Identification of an individual
- Health condition
- Treatment
- Provision/payment for healthcare
List some examples of identifying information
- Name, address, city, county, names of relatives, names of employers, photographic images, DOB, telephone number, fax number, email address, social security number, medical record number, certificate/license number
Name the Safeguards in HIPAA’s Security Rule
Administrative, Physical, Technical
Name some examples of Administrative Safeguard
- Clear roles and responsibility for who can see what information
- Documented policies including password policies
- Security awareness training
- Security risk assessment
- Privacy and Security Officer
Name some examples of Technical Control Safeguards
- Firewalls
- Encryption - Transmission Security
- Audit trails
- Antivirus programs
- Use of passwords or other authentication methods
- e.g., encryption and decryption
A technical control audit trail consists of
- A log of each user and what is viewed and accessed in any given amount of time
- Evaluated for inappropriate access to function or information
Technical Controls include Data Integrity, which is
Required to maintain data integrity, so organizations should have
- a disaster recovery plan to protect against the loss of data
- ensured data validity, which means having good clean data and:
  - editing against a list of values
  - required fields (cannot go any further without being filled in)
  - required values
  - compliance with data standards
Technical Control Authentication consists of
The way a system knows who you are and what access and control to give you
Authentication is based on
- What you have (A special card or token)
- What you know (Password or personal identification number PIN)
- Who you are - fingerprint or other biometric scan
Name the Do’s and Don’ts of passwords
- Do Not Share passwords or cards
- Do not log on for someone else
- Do not keep passwords in an obvious place
- Make sure system has a time-out and auto log off
- Use a strong password
What are the characteristics of a strong password
Upper case, number and symbol
Explain Role-Based security
- The job you have will dictate what you have the right to access and to disclose
- ONLY access information that you absolutely need to know and have the right to know
- Authentication may include an electronic signature required for a document (example: the Practice Fusion Encounter Note)
What is the minimum necessary concept (rule)
In all uses/disclosures of PHI under the Privacy Rule, healthcare entities must use/disclose the minimum amount of PHI NECESSARY TO ACHIEVE THE PURPOSE OF THE USE/DISCLOSURE
What is a Limited data set?
A “limited data set” means PHI with its patient identifiers removed. The Privacy Rule allows covered entities to use/disclose limited data sets for certain purposes, if safeguards are put in place to protect the PHI remaining in the data.
Name the allowed purposes for “limited data sets”
research, healthcare operations, and public health activities
Give some examples of Physical Controls
- Locking down the computer
- Placement of the computer relative to viewing by others
- Computer does not allow the use of jump drives
- Physically securing the data center where servers are located
Explain the HIPAA Privacy Rule
- Patients given more control/rights over their personal health information
- Safeguards to protect the privacy of health information
- Boundaries on use and release of health records
- Balances public responsibility that may require disclosure of some data to protect public health
- Patients have the right to ask to amend PHI if inaccurate or incomplete
- Patients have the right to request restrictions on PHI disclosure, BUT covered entities do not have to agree to these requests
The HIPAA Privacy Rule allows use/disclosure of PHI by a covered entity for its own:
T- treatment activities
P- payment activities
O- operations of the facility supporting healthcare activities
CMS
Centers for Medicare and Medicaid Services
EDI
Electronic data interchange
EIN
Employer identification number
PHI
Protected health information
TPO
Treatment, payment or healthcare operations (to carry out)
BAA
Business Associate Agreement
Legislation focused on Privacy and Security
ARRA
Uses a variety of characters
STRONG PASSWORD
authorized uses for disclosure of PHI
TPO
requires a key
ENCRYPTION
protects against viruses
FIREWALL
Used to ensure data integrity
REQUIRED FIELD
type of safeguard
PHYSICAL
removes patient identifiers
LIMITED DATA SET
Requires additional disclosure
PSYCHIATRIC NOTE
used to identify inappropriate access to PHI
AUDIT TRAIL
use for authentication method
TOKEN
Required before using an external transcription company
BAA
identifies an individual
PHI
legislation that included HITECH
HIPAA
For providers and insurers, release of information is limited to the minimum needed for
TPO–treatment, payment, operations
What is monitored to assess inappropriate access to a patient’s record
audit trail
What should the individual responsible for the security of health care data do first
perform a risk assessment
Tokens and biometric devices are examples of
authentication methods
For providers and insurers, release of information is limited to the minimum needed for
TPO - treatment, payment, and operations
Your screen saver should activate in how many minutes
5 minutes
A clearinghouse that processes claims data must sign what kind of agreement
BAA - Business Associate Agreement
In Practice Fusion assignment where each physician sent a SOAP Note to the instructor what was the security risk?
Lack of encryption, ability of instructor to download the SOAP note to a personal hard drive
Encryption requires use of
a key
The last steps in your workday should be to
ensure the computer is physically secure, complete a full logoff to the system
What does PHI stand for?
Protected health information (PHI)