Chapter 10 HIPAA

Question 1

when was HIPAA enacted? and what does it stand for?

Answer 1

1996; Health Insurance Portability and Accountability Act

Question 2

What are some problems to keeping confidentiality?

Answer 2

Pts see many doctors, billings must be sent, 3rd parties(insurers) are all involved as well as multiple facilities and vendors for tailored medical equipment; if it is leaked then you have potential embarrassment for the pt.

Question 3

What was HIPAA originally written for? (4 objectives)

Answer 3

1 inc. portability of healthcare
2 combat waste and fraud
3 inc. use of medical savings accounts
4 simplify admin of healthcare

Question 4

When it was seen that pt info was going to be sent electronically to meet the 4 objectives, what did congress do to ensure the privacy of the info?

Answer 4

Congress asked the department of health and human resources (HHS) to write privacy rules.

Question 5

What is PHI? And some examples?

Answer 5

Protected Health Information; examples include any identifiers like SSN, address, phone #, in connection with a person’s medical record/care.

Question 6

What do the Privacy Rules (written by HHS) include?

Answer 6

That all covered entities must abide by standards to ensure PHI is protected. Permission must be gained for disclosure of PHI. Pts must have access to own health records. Only necessary info is disclosed.

Question 7

What are covered entities?

Answer 7

All the people/groups/companies that may come in contact with PHI. They must be in compliance with HIPAA. This doesn’t include the patient.

Question 8

What must be given to a pt. to sign so their PHI can be disclosed?

Answer 8

a Notice of Privacy Practices (NPP)

Question 9

HIPAA requires disclosure of how much information to carry out medical treatment?

Answer 9

The minimum amount, with the fewest people possible.

Question 10

Can PHI be communicated with vendors?

Answer 10

Yes, if they have a written assurance (contract.)

Question 11

How does the Privacy Rule standardize all transmissions of PHI?

Answer 11

With the use of the Employer Identification Standard, which assigns an Employer Identification Number (EIN) to be used in all electronic transmissions.

Question 12

What is State’s Preemption?

Answer 12

State rules concerning privacy trump federal rules when they are more strict or require disclosure for safety reasons. Otherwise, HIPAA federal laws are preemptive.

Question 13

What must be removed for “deidentifying” PHI? In what instance would you do this?

Answer 13

name, address, zip, SSN, licence numbers, photos, emails, medical record #’s, all dates except birth, etc. You might do this to publish statistics about a communities health.

Question 14

What is the “minimum necessary standard”?

Answer 14

It is that a provider has a requirement to provide the minimum necessary information in order to complete a task. (ie: not sending the whole medical file when only part is requested.)

Question 15

What are the 6 Pt. rights in the NPP?

Answer 15

1 Access & copy of medical records
2 request for an amendment to them
3 request an account of disclosures
4 request for alternate method/location for contact
5 request for restrictions on who can have access to the record
6 right to file a complaint

Question 16

What are the 3 main exceptions to when consent is needed for treatment?

Answer 16

1. Emergency (but it must get signed asap afterwards)
2. Language barrier and to one to interpret
3. When treating prison inmates

Question 17

What is a clearinghouse?

Answer 17

It is a covered entity (must follow HIPAA) that processes nonstandard electronic transactions into HIPAA transactions (may be deemed a billing service.)

Question 18

what is a healthcare plan?

Answer 18

an individual or a group that provides or pays for medical care

Question 19

What does the acronym TPO stand for?

Answer 19

Treatment, payment and healthcare operations

Question 20

What is TPO, what is the designation for?

Answer 20

Used to indicate that a healthcare provider may disclose PHI for the treatment of pts, for the payment of the care given, and for healthcare operations, such as quality assurance

Question 21

What are covered transactions?

Answer 21

they are mandated transmissions by HIPAA regulation for the transmission of healthcare information; basically there are rules for these communications

Question 22

What are the 3 basic covered transactions (between covered entities)?

Answer 22

1 Physician sending PHI to another Physician
2 Physician sending an electronic claim to an insurance company
3 Physician sending any PHI to a billing service

Question 23

What are the penalties for non-compliance to HIPAA?

Answer 23

$100/incidence/person up to 25k/year for minor violations
Up to $50k and 1yr in prison for criminal liability (obtained info under false pretenses)
And if you were going to sell, maliciously use that info for fraud, personal gain, etc… up to 250k and 10yrs in prision

Question 24

What is the HIPDB?

Answer 24

The Healthcare Integrity and Protection Data Bank for listing violations, fraud, etc.of providers and is available to fed and gvt. agencies and various healthplans to see who has been naughty or nice.

Question 25

What is a HIPAA-defined permission?

Answer 25

a situation when permission must be granted by the pt to disclose PHI

Question 26

What two disclosures are required by HIPAA?

Answer 26

Disclosure to the HSS and disclosures that the pt requests.

Question 27

What are the 11 areas of HIPAA-defined permission?

Answer 27

1 The required disclosures (to HSS and pt)
2 Valid Pt. authorization
3 Pt. requests for disclosure
4 TPO
5 TPO in other covered entities (attorneys, insurance plans, etc.)
6 Pt. representatives such as family (must have legal document)
7 Disaster relief organizations
8 Incidental disclosures (talking about lab results, calling a pt by name, leaving a covered pt chart outside room, etc)
9 For public purposes (FDA, health dept.)
10 When Identifiers have been removed
11 In limited data sets where certain identifiers have been removed that pts do not have access to. (like in prisons and research projects)

Question 28

Researchers must have what to use medical information?

Answer 28

Either a pt. authorization form that complies with HIPAA, or a waiver by an IRB (institutional review board.)

Question 29

May a hospital release PHI to workers comp?

Answer 29

Yes

Question 30

Are police privy to PHI?

Answer 30

Yes

Question 31

Can a provider communicate with an HR dept, or an attorney?

Answer 31

Yes

Question 32

Can church clergy see names of people in a hospital?

Answer 32

Yes

Question 33

Can a physician tell family members about the pt if the pt has identified them as involved in their care?

Answer 33

Yes

Question 34

Are EMTs free to share PHI?

Answer 34

No, they have limitations.

Question 35

Do pts have to sign in to be on the hospital’s directory?

Answer 35

No, but they can opt out.

Question 36

What can a physician or physician group do to implement HIPAA?

Answer 36

Hire a Privacy officer, do internal assessments, have written agreements with all non-employee service providers who may have access to PHI, implement NPP, revise employee handbooks on HIPAA, train employees, establish complaint procedure for non-compliance, etc…

Question 37

Which entity investigates violations of HIPAA?

Answer 37

Office of Civil Rights (OCR)

Question 38

How long must you retain authorizations, NPP copies, and agreements for restriction of PHI from pts?

Answer 38

6 years

Question 39

What is the issue with WLANs?

Answer 39

HIPAA security rules apply to PHI in electronic forms and many physicians use WLANs– they must have safeguards in place for these devices

Question 40

What is medical informatics?

Answer 40

it is the application of communication and information to medical practice, research and education. Seen in the linking of pharmacy and physician’s requests electronically.

Question 41

What is telemedicine?

Answer 41

You know. But what is important is that PHI becomes really sticky when you are treating a pt. who is in another state. Security also might be an issue.

Question 42

The original intent of the law being put aside, what does the law designed to do now?

Answer 42

to protect the privacy of PHI and to control how it is used, transmitted and disclosed.

Question 43

Who issues fraud alerts to the public and providers?

Answer 43

Inspector General of the US HHS

Question 44

What is the Security Rule cover?

Answer 44

Protects pt’s electronic PHI.

Question 45

When does confidentiality start?

Answer 45

with the initiation of the physician -pt relationship; the offer and acceptance

Question 46

When may confidentiality be breached?

Answer 46

For the sake of public health, hazard avoidance, and in child or elder abuse cases

Question 47

How long is PHI protected for?

Answer 47

50 yrs after death

Question 48

A pt may complain to HSS, but may not do what when privacy is violated?

Answer 48

Sue anyone.

Question 49

What may be obtained from a pt. for disclosure of PHI for TPO?

Answer 49

Consent

Question 50

When must authorization be gained by a covered entity from a pt to disclose PHI?

Answer 50

When it is not a covered transaction, for TPO, or otherwise allowed in the Privacy Rule.

Question 51

What is the HITECH act?

Answer 51

Health Information Technology for Economic and Clinical Health; enacted in 2009 to promote adoption of health IT, address privacy and security, strengthen enforcement, requires notification of breaches of PHI to all affected