Ch. 8 - Medical Privacy Flashcards

You may prefer our related Brainscape-certified flashcards:
1
Q

Reasons for medical data privacy

A
  1. Inner workings of one’s body, is highly sensitive and personal
  2. Patients more open about their condition if privacy respected.
  3. Protect employees from unequal treatment.
  4. Protect health insurance consumers from discrimination.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Confidentiality of Substance Use Disorder Patient Records Rule: Scope

A
  • Covers disclosure and use of PI by treatment programs for alcohol and substance abuse.
  • Covers PI that could identify one diagnosed with or undergone treatment for.
  • Also covers any info - written or verbal - that could lead/substantiate criminal charges.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Confidentiality of Substance Use Disorder Patient Records Rule: Applicability

A
  • Any program that receives federal funding.
  • Program means:
    1. provider of alc/sub abuse diagnosis, treatment, referral
    2. unit within med facility doing same.
    3. staff whose primary function is provision of same.
    4. required by state licensing agency to comply
    5. clinician uses contr sub for detox and must be DEA licensed.

-

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Confidentiality of Substance Use Disorder Patient Records Rule: Disclosure and Re-disclosure

A
  • Program must obtain written consent before disclosing info subject to Rule.
  • Can include general consent to those with provider relationship with patient.
  • No redisclosure if would identify one as having been diagnosed, treated, or referred.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Confidentiality of Substance Use Disorder Patient Records Rule: Exceptions to Consent

A
  • Medical emergencies
  • Scientific research
  • Audits and evaluations
  • Communications with a qualified service organization (QSO) related to information needed by the organization to provide services to the program
  • Crimes on program premises or against program personnel
  • Child abuse reporting
  • Court order
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Confidentiality of Substance Use Disorder Patient Records Rule: Security and Enforcement

A
  • Program and entity disclose to lawfully must have formal policies/procs to protect security.

Violations of Rule are criminal. first violation a finde not more than 500, each subsequent not more than 5k.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Confidentiality of Substance Use Disorder Patient Records Rule: Convergence and Pre-emption

A
  • Not pre-empt.

- Like HIPAA and is lots of overlap, but not completely.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

HIPAA: PHI Definition

A

Protected health information (PHI) is defined as any individually identifiable health information that: is transmitted or maintained in any form or medium; is held by a covered entity or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of health care or payment for health care to that individual.30

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

HIPAA: Covered entities

A
  • Directly covered by HIPAA.
  • Covers 3 types of entities:
  • Healthcare providers (e.g., a doctors’ offices, hospitals) that conduct certain transactions in electronic form (if not bill for insurance, not covered)
  • Health plans (e.g., health insurers)
  • Healthcare clearinghouses (e.g., third-party organizations that host, handle or process medical information)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

HIPAA: Business associates covered

A
  • Business associate = any person or organization, other than a member of a covered entity’s workforce, that performs services and activities for, or on behalf of, a covered entity, if such services or activities involve the use or disclosure of PHI.
  • Privacy Rule and Security Rule apply directly to BAs, thanks to HITECH
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

HIPAA Privacy Rule: Authorizations for uses and disclosures

A
  • Authorizes use and disclosure of PHI for essential healthcare purposes. Others require opt-in authorization.
  • Authorization must
    1. be independent document
    2. specific identifies into to be disclosed, purpose, person to which disclosed.
  • Can’t require consent to provide treatment.
  • Rules for opt-in marketing and strict rules for psychotherapy notes.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

HIPAA Privacy Rule: Minimum necessary use or disclosure

A
  • other than for treatment, covered entities must make reasonable efforts to limit the use and disclosure of PHI to the min necessary to accomplish intended purpose.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

HIPAA Privacy Rule: Access and accounting of disclosures

A
  • Have right to access and copy their PHI from CE or BA kept in a “designated record set” i.e. med and billing records, or other records used (by CE) to make decisions.
  • Right to an accounting of certain disclosures by CE.
  • Right to amend PHI held by CE.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

HIPAA Privacy Rule: Safeguards

A
  • Privacy rule requires implement admin, physical, tech measures.
  • Security Rule covers only PHI
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

HIPAA Privacy Rule: Accountability

A
  • CEs must designate a privacy official.
  • Personnel must be trained
  • procedures must be in place.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

HIPAA Privacy Rule: Enforcement

A
  • Primary enforcer is OCR at HHS. Process complaints, can assess civil fines up to $1.6M per year per type of violation.
  • OCR regularly audits select CEs
  • DOJ has criminal enforcement - up to 10 years in prison.
  • FTC can bring unfair and deceptive even if covered by HIPAA.
  • State AGs for state privacy laws.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Limits/Exceptions on Privacy Rule

A
  • No consent required for treatment, payment and healthcare operations.
  • Also, de-id is exempted from PR. 2 methods (expert and removal of specific elements).
  • Also exempted is research - no consent necessary if IRB approves as consistent with PR and human subjects rules.
  • Other exceptions:
    Secy of HHS for compliance

information used for public health activities;

to report victims of abuse, neglect or domestic violence;

in judicial and administrative proceedings;

for certain law enforcement activities;

for certain specialized governmental functions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

HIPAA Security Rule: Basics and Goal

A
  • Admin, tech, physical measures for protecting ePHI in a tech neutral manner.
  • Goal is for CEs to implement policies/procs to prevent, detect, contain, and correct security violations.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

HIPAA Security Rule: Addressable vs. Required, for CEs

A
  • Rule has standards and implementation specifications.
  • Some impl. specs are required, others “addressable” meaning have to determine if appropriate. if so, must adopt and if not, must say why not reasonable and if appropriate, adopt an alternative measure.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

HIPAA Security Rule: Requirements for CE and BA

A

Requirements:

  1. Ensure the confidentiality, integrity and availability of all ePHI the covered entity creates, receives, maintains or transmits
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of the ePHI
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule
  4. Ensure compliance with the Security Rule by its workforce
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

HIPAA Security Rule: Factors must take not consideration

A

CEs and BAs take factors into consideration:

  1. The size, complexity and capabilities of the covered entity
  2. The covered entity’s technical infrastructure, hardware and software security capabilities
  3. The costs of security measures
  4. The probability and criticality of potential risks to electronic protected health information
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

HIPAA Security Rule: Misc requirements for CEs

A
  • identify responsible official
  • conduct ongoing risk assessments.
  • implement security awareness and training program, and discipline failure to comply.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

GINA: Health insurance restrictions

A
  • prohibits health insurance companies from discriminating on the basis of genetic predispositions in the absence of manifest symptoms,
  • prohibits health insurance companies from requesting that applicants receive genetic testing

-

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

GINA: Employer restrictions

A

Prohibits employers from

  • using genetic information in making employment decisions, in absence of manifestation.
  • discrim against individuals who have family members who has manifested a disease
  • requiring or requesting or purchasing genetic info about employees or family members unless an express exception applies
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

GINA: Group Health Plan restrictions

A

Per ERISA amendments, prohibits group health plan providers from –

  • adjusting premiums or other contribs on basis of genetic info, absent manifestation of disease/disorder.
  • requesting or requiring genetic testing in connection with offering of group health plans (except voluntary research).
  • enforcement - penalty of $100 each day of noncompliance per person - can rise to $15k in some circs.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

GINA - Individual health plan market

A

Per amendments to Public Health Service Act, prohibits insurers in indiv. market from

  • adjustment of premiums/contribs on basis of genetic info absent manifestation.
  • using genetic predisposition to find excludable pre-existing condition.

Also note amendments to Social Security Act extend these protections to providers of Medicare supplemental insurance policies.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

GINA - Exceptions to prohibition on employers from requiring, requesting, purchasing genetic info about employees or their family members

A

(1) such a request is inadvertent,
(2) the request is part of an employer-offered wellness program that the employee voluntarily participates in with written authorization,
(3) the request is made to comply with the Family and Medical Leave Act of 1993,
(4) an employer purchases commercially and publicly available materials that include the information,
(5) the information is used for legally required genetic monitoring for toxin exposure in the workplace if the employee voluntarily participates with written authorization or
(6) the employer conducts DNA analysis for law enforcement purposes and requests the information for quality-control purposes (i.e., to identify contamination).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

GINA Enforcement

A
  • No PROA under GINA itself, but perhaps under statute that GINA amends (ERISA, Social Security, etc - maybe)
  • Commission to review developments in genetic science and make reccs. re. disparate impact cause of action under GINA.
29
Q

21st Century Cures Act: Privacy Provisions

A

The purpose of the 21st Century Cures Act (“Cures Act”) is to expedite the research process for new medical devices and prescription drugs, quicken the process for drug approval, and reform mental health treatment.

Privacy Provisions:

  • Certain individual biomedical research information exempted from disclosure under Freedom of Information Act.
  • Researchers permitted to remotely view PHI.
  • P.
  • Prohibits providers, health information technology (HIT) providers, health information exchanges (HIEs), or networks from information blocking, a term meant to describe unreasonable conduct that is likely to interfere with the exchange of electronic health information. This requirement must be balanced with HIPAA’s requirements concerning PHI.
  • The Cures Act requires certificates of confidentiality to be issued by the National Institutes of Health (NIH) for any federally funded research, and permits the NIH to issue such certificates at its discretion for research that is not federally funded. These certificates ensure that the research material cannot be used in any legal or administrative proceeding without the consent of the individual involved.
  • “Compassionate” sharing of mental health or substance abuse information with family or caregivers. The Cures Act requires HHS to issue guidance to HIPAA regarding the circumstances under which a health care provider or a covered entity is permitted to discuss with family members or caregivers the treatment of an adult with a mental health disorder or an alcohol or substance abuse disorder
30
Q

What is HIPAA?

A

The Health Insurance Portability and Accountability Act. A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations—although there are important exceptions such as for treatment, payment and healthcare operations.

31
Q

What is PHI?

A

Protected Health Information. Any individually identifiable health information transmitted or maintained in any form or medium that is held by an entity covered by the Health Insurance Portability and Accountability Act or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of healthcare or payment for healthcare to that individual.

32
Q

What are covered entities?

A
  1. Healthcare providers that conduct certain transactions in electronic form
  2. Health Plans (e.g. health insurers)
  3. Healthcare clearinghouses (e.g. third-party organizations that host, handle or process medical information
33
Q

What is a business associate?

A

Any person or organization, other than a member of a covered entity’s workforce, that performs services and activities for, or on behalf of, a covered entity, if such services or activities involve the use or disclosure of PHI.

34
Q

What are some key protections offered by the HIPAA Privacy Rule?

A
  1. Privacy Notices.
  2. Authorizations for uses and disclosures
  3. “Minimum necessary” use or disclosure
  4. Access and accountings of disclosures
  5. Safeguards
  6. Accountability
35
Q

What exceptions are there to the HIPAA Privacy Rule?

A
  1. Major categories of treatment, payment, and healthcare operations
  2. De-identified information
  3. Medical Research
36
Q

What is De-identification?

A

An action that one takes to remove identifying characteristics from data. De-identified data is information that does not actually identify an individual. Some laws require specific identifiers to be removed (See HIPAA 165.514(b)(2)). Hashing is not enough to de-identify data.

37
Q

What methods does the HIPAA Privacy Rule provide for de-identifying data?

A
  1. Remove all of at least 17 data elements listed in the rule
  2. have an expert testify that the risk of re-identifying the individuals is very small
38
Q

What is the HIPAA Security Rule?

A

A rule that established the minimum security requirements for PHI that a covered entity receives, creates, maintains, or transmits in electronic form.

39
Q

The HIPAA Security Rule requires covered entities and business associates to:

A
  1. Ensure the confidentiality, integrity, and availability of al ePHI the covered entity creates, receives, maintains, or transmits
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of the ePHI
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule
  4. Ensure compliance with the Security Rule by its workforce
  5. Identify an individual who is responsible for the implementation and oversight of the Security Rule
  6. Conduct initial and ongoing risk assessments
  7. Implement a Security Awareness and Training Program
40
Q

What is the HITECH Act?

A

The Health Information Technology for Economic and Clinical Health Act. Enacted as part of the American Recovery and Reinvestment Act of 2009, the HITECH Act, among other objectives, further addresses privacy and security issues involving PHI as defined by HIPAA. The HITECH privacy provisions include the introduction of categories of violations based on culpability that, in turn, are tied to tiered ranges of civil monetary penalties. Its most noteworthy elements elaborate upon breach notifications resulting from the use or disclosure of information that compromises its security or privacy.

41
Q

What must happen in event of a breach of unsecured information under the HITECH Act?

A
  1. The covered entity must perform a risk assessment to determine the risk of harm.
  2. If the is a significant risk of harm (financial reputational, or other) it must notify individuals within 60 days of discovery.
  3. If a business associate discovers a breach it must notify the covered entity.
  4. If the breach affects more than 500 people the covered entity must notify HHS immediately.
  5. If the breach affects more that 500 people in the same jurisdiction, it must notify the media.
  6. All breaches requiring notice must be reported to HHS at least annually.
42
Q

What is GINA?

A

The Genetic Information Nondiscrimination Act of 2008. Prohibits health insurance companies from discriminating on the basis of genetic predispositions in the absence of manifest symptoms or the from requesting that applicants receive genetic testing, and prohibits employers from using genetic information in making employment decisions.

43
Q

What is the Cabinet-level department of the Federal executive branch most involved with the Nation’s human concerns?

A

HHS

44
Q

CDC is one of the major operating components of the

A

Department of Health and Human Services.

45
Q

GINA

A

Genetic information nondiscrimination act

46
Q

HIPAA

A

Health insurance portability and accountability act

47
Q

True or false?

HIPAA preempts stricter state laws.

A

False

48
Q

What qualifies as individually identifiable health information?

A

Name,
address,
phone number

49
Q

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

A

A US law passed to create national standards for electronic healthcare transactions, among other purposes. Requires HHS to promulgate regulations to protect the privacy of PHI. The basic rule is that patients have to opt in before their information can be shared with other organizations – although there are important exceptions such as for treatment, payment, and healthcare operations

50
Q

Protected Health Information (PHI)

A

Individually identifiable information related to a persons’ health status and collected by a HIPAA-covered entity.

51
Q

Electronic PHI (ePHI)

A

Any protected health information that is stored or transmitted by digital means.

52
Q

HIPAA Covered Entities

A
  1. Healthcare providers who engage in certain electronic transactions
  2. Health plans
  3. Health information clearinghouses

Business associate agreements (BAAs) extend HIPAA to the business partners of covered entities.

53
Q

HIPAA Exceptions

A
  1. Employer records
  2. Education records covered by FERPA
  3. Deidentified records
54
Q

HIPAA Privacy Rule

A

Establishes US national standards to protect individuals’ medical records and other PHI. Requires appropriate safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients’ rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections.

Key Provisions:
o	Notice of privacy practices
o	Permitted uses of PHI
o	Minimize use and disclosure of PHI
o	Right to review records
o	Controls to protect confidentiality and integrity of PHI
55
Q

HIPAA Security Rule

A

Requires administrative physical and technical safeguards for electronic PHI records. Established the minimum-security requirements for PHI that a covered entity receives, creates, maintains, or transmits in electronic form.

Key provisions:
o Applies to only ePHI
o Controls to protect confidentiality, integrity, and availability
o Identify and protect against threats
o Protect against impermissible uses or disclosure
o Ensure workforce compliance

56
Q

Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

A

further addresses privacy and security issues involving PHI as defined by HIPAA. The HITECH privacy provisions include the introduction of categories of violations based on culpability that, in turn, are tied to tiered ranges of civil monetary penalties. Its most noteworthy elements elaborate upon breach notifications resulting from the use or disclosure of information that compromise its security or privacy.further addresses privacy and security issues involving PHI as defined by HIPAA.

57
Q

HITECH Act Breach Notification Requirements

A
  1. Notify individuals within 60 days
  2. Notify the media of breaches affecting more than 500 individuals
  3. Notify covered entities of breaches by nosiness associates
  4. Notify HHS of all data breaches
  5. Business associates must comply with the provisions of HIPAA in their own right
  6. Increased penalties for HIPAA violations.
  7. Strengthened privacy protections (e.g., prohibiting marketing usage of data without consent)
58
Q

HITECH Act Breach Notification Exceptions

A

Exceptions:
o Encrypted information
o Unintentional access by employees
o Inadvertent disclosures between authorized individuals
o Disclosures to individuals who would not be able to retain the information

59
Q

The 21st Century Cures Act of 2016

A

Key Provisions:

i. Introduces penalties for information blocking practices
ii. Allows the compassionate sharing of mental health and substance abuse treatment information with families and caregivers
iii. Introduces privacy provisions to facilitate biomedical research

Detail:
Gives medical researchers the ability to review certain data to develop research protocols remotely and also requires certain steps from OCR in connection with mental health patients. The law asserts that “There is confusion in the health care community regarding permissible practices [under HIPAA]” and that “This confusion may hinder appropriate communication of health care information or treatment preferences with appropriate caregivers.” There is a “sense of Congress” that “clarification is needed regarding the privacy rule … regarding existing permitted uses and disclosures of health information by health care professionals to communicate with caregivers of adults with a serious mental illness to facilitate treatment.” The law requires OCR to issue new guidance on these issues (which will mainly serve to explain professional discretion that is built into the rule today), creates some new working groups on these issues, and even sets aside federal money for model training programs.

60
Q

Confidentiality of Substance Use Disorder Patient Records Rule (42 CFR Part 2)

A

Summary:

  1. Confidentiality of Substance Use Disorder Patient Records regulations
  2. Covers treatment records that could identify a patient
  3. Applies to any substance abuse treatment program accepting federal funding
  4. Violations are criminal offenses ($500 for first; $5000 fines for subsequent)
  5. Disclosures require written patient consent

Detail:
This notice of proposed rulemaking proposes changes to the Confidentiality of Substance Use Disorder Patient Records regulations. These proposals were prompted by the need to continue aligning the regulations with advances in the U.S. health care delivery system, while retaining important privacy protections for individuals seeking treatment for substance use disorders (SUDs). SAMHSA strives to facilitate information exchange for safe and effective substance use disorder care, while addressing the legitimate privacy concerns of patients seeking treatment for a substance use disorder. Within the constraints of the statute, these proposals are also an effort to make the regulations more understandable and less burdensome.

61
Q

42 CFR Part 2: Consent Exceptions

A
o	Medical emergencies
o	Research
o	Audits and evaluations
o	Qualified service organizations
o	Child abuse and neglect
o	Reporting on-premises crimes and crimes against personnel 
o	Court ordered disclosure.
62
Q

According to the confidentiality of substance use Disorder Patient Record Rule, what is required for disclosure of patient information?

A

Written patient consent, explicitly describing the type of information to be disclosed

63
Q

What is one of the limitations of HIPAA?

A

Some doctors are not covered by HIPAA. A doctor who accepts only cash is not covered under HIPAA. HIPAA does not preempt state law.

64
Q

Under what circumstances do limitations and exceptions to the HIPAA Privacy Rule apply?

A

De-identification: Information does not identify an individual via:
1. Removing data elements listed in the rule (name, address)

  1. An expert certifying that the risk of re-identifying is small
  • Research: Can occur with the consent of the individual or without consent if an authorized entity approves it
  • Other: Public health activities, such as reporting abuse or neglect, judicial and administrative proceedings, specialized government functions
  • Entity must release PHI to the individual to whom it pertains or their rep. and to the secretary of HHS
65
Q

Requirements classified as “addressable” in HIPAA are?

A

optional if the organization has performed a risk assessment

66
Q

What are the key privacy protections of HIPAA’s Privacy Rule?

A

The HIPAA Privacy Rule was developed in 2000, revised in 2002 and modified in 2013 to implement amendments under HITECH (discussed further in this module)

  1. • Covered entities must provide detailed privacy notice at the date of first service delivery
  • Uses or disclosures outside of HIPAA’s guidelines require opt-in authorization
  • Use and disclosure of PHI for situations other than treatment is limited
  • Individuals have the right to access and copy their own PHI from a covered entity and to amend their PHI
67
Q

Under what circumstances do limitations and exceptions to the HIPAA Privacy Rule apply?

A

De-identification: Information does not identify an individual via:
1. Removing data elements listed in the rule (name, address)

  1. An expert certifying that the risk of re-identifying is small
  • Research: Can occur with the consent of the individual or without consent if an authorized entity approves it
  • Other: Public health activities, such as reporting abuse or neglect, judicial and administrative proceedings, specialized government functions
  • Entity must release PHI to the individual to whom it pertains or their rep. and to the secretary of HHS
68
Q

What are the key privacy protections of HIPAA’s Privacy Rule?

A

<p>The HIPAA Privacy Rule was developed in 2000, revised in 2002 and modified in 2013 to implement amendments under HITECH (discussed further in this module) 1.</p>

<p>• Covered entities must provide detailed privacy notice at the date of first service delivery</p>

<p>• Uses or disclosures outside of HIPAA’s guidelines require opt-in authorization • Use and disclosure of PHI for situations other than treatment is limited</p>

<p>• Individuals have the right to access and copy their own PHI from a covered entity and to amend their PHI</p>