Chapter 11 Test 4 Flashcards
___________ provides individuals with rights to provide some control over their health information
HIPAA privacy rule
__________, covered entities with EHRs must make PHI available electronically, or must send it to designated person or entity electronically if individual requests
Per HITECH
_________ must respond within 30 days after request received
30 days from receipt of request
Permitted 30-day extension if written statement includes reason for delay and date covered entity will complete its action.
Extended time permitted for records not maintained on site
Covered entity
________ have the right to know about instances where his or her PHI has been disclosed
Individuals
________________ includes:
Date of disclosure
Name and address of entity or person who received the information
Brief statement of the purpose of the disclosure
Accounting of Disclosures
______ response to request for accounting
Timely
_____ accounting within a 12-month period is free
First
Must account for disclosures in past ______
3 years
Per HITECH proposed rule, which is still pending, the _________ would require CEs to account for everyone who used or disclosed electronic health information in a DRS
access report
______ disclosures would be displayed in access report as well as public health reporting
TPO
Notice of Privacy Practices must inform individuals of ___________ at CE level and to the US Department of Health and Human Services (DHHS), along with contact information
right to complain
An “unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information”
HIPAA Breach
_______ are deemed to have been discovered when the breach is first known or when it reasonably should have been known
breaches
Individuals should be notified without delay, and within _____ of breach
60 days
If more than ____ individuals are affected and written notice is unsuccessful, web postings or the use of media is recommended
9
If more than ______ individuals, media outlets MUST be used and the Secretary of HHS MUST be notified immediately.
500
_____ use an online breach reporting system
CEs
_________ is a public interest and benefit authorization exception, but IRB or privacy board must approve variations to authorization requirement
Research
__________ is the rule of law that if the federal government through Congress has enacted legislation on a subject matter it shall be controlling over state laws and/or preclude the state from enacting laws on the same subject if Congress has specifically declared it has “occupied the field.”
Preemption
______ is a federal floor, or minimum, on patient privacy requirements.
HIPAA
How much is it for unknowing penalties (even with reasonable due diligence)?
$100-$50,000
How much is it due to reasonable cause and not willful neglect?
$1,000-$50,000
How much is it due to willful neglect/corrected within 30 days of discovery?
$10,000-$50,000
How much is it due to willful neglect and not corrected as required?
$50,000
______ for non-compliance apply to both CEs and BAs
Civil
Criminal
Penalties
HIPAA Enforcement Rule implemented in _____
2006