CIPP / US - Medical Privacy Flashcards
The HIPAA security rule requires covered entities and business associates to:
- Ensure the confidentiality, integrity, and availability of all ePHI the covered entity creates, receives, maintains or transmits
- Protect against any reasonably anticipated threats or hazards to the security or integrity of the ePHI
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy rule
- Ensure compliance with the Security rule by its workforce
- Identify an individual who is responsible for the implementation and oversight of the Security Rule
- Conduct initial and ongoing risk assessments
- Implement a security awareness and training program
What must happen in the event of a breach of unsecured information under the HITECH act?
- The covered entity must perform a risk assessment to determine the risk of harm
- If there is a significant risk of harm (financial, reputational, or other) it must notify individuals within 60 days of discovery
- If a business associate discovers a breach it must notify the covered entity
- If the breach affects more than 500 people the covered entity must notify HHS immediately
- If the breach affects more than 500 people in the same jurisdiction, it must notify the media
- All breaches requiring notice must be reported to HHS at least annually
Genetic Information Nondiscrimination Act (GINA) of 2008
Prohibits health insurance companies from discriminating on the basis of genetic predispositions in the absence of manifest symptoms, or from requesting that applicants receive genetic testing, and prohibits employers from using genetic information in making employment decisions.
Health Insurance Portability and Accountability Act (HIPAA)
- Passed to create national standards for electronic healthcare transactions, among other purposes
- Required HHS to promulgate regulations to protect the privacy and security of personal health information
- The basic rule is that patients have to opt in before the information can be shared with other organizations, although there are important exceptions such as treatment, payment and healthcare operations
What are some key protections offered by the HIPAA privacy rule?
- Privacy notices
- Authorizations for uses and disclosures
- Minimum Necessary uses or disclosures
- Access and accounting of disclosures
- Safeguards
- Accountability
What is De-identification?
An action that one takes to remove identifying characteristics from data. De-identified data is information that does not identify an individual. Some laws require specific identifiers to be removed (HIPAA 165 514(b)(2)). Hashing is not enough to de-identify data.
Protected health information (PHI)
Any individually identifiable health information, transmitted or maintained in any form or medium, that is held by an entity covered by HIPAA or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present, or future physical or mental condition, provision of healthcare, or payment for healthcare to that individual
What is a business associate?
Any person or organization, other than a member of a covered entity’s workforce, that performs services and activities for, or on behalf of, a covered entity, if such services or activities involve the use or disclosure of PHI
What methods does the HIPAA privacy rule provide for de-identifying data?
- Remove all of at least 17 data elements in the rule
- Have an expert testify that the risk of re-identifying the individuals is very small
What are covered entities?
- Healthcare providers that conduct certain transactions in electronic form
- Health plans (e.g. health insurers)
- Health clearinghouses (e.g. third-party organizations that host, handle or process medical information)
What exceptions are there to the HIPAA privacy rule?
- Major categories of treatments, payments, and healthcare operations
- De-identified information
- Medical research
- Audits and evaluations
- Communications with a qualified service organization (QSO) related to information needed by the organization to provide services to the program
- Crimes on program premises or against program personnel
- Child abuse reporting
- Court order
Health Information Technology for Economic and Clinical Health Act (HITECH)
- Enacted as part of the American Recovery and Reinvestment Act of 2009
- Addresses privacy and security issues involving PHI
- The HITECH privacy provisions include the introduction of categories of violations based on culpability that, in turn, are tied to tiered ranges of civil monetary penalties
- Its most noteworthy elements elaborate upon breach notifications resulting from the use or disclosure of information that compromises its security or privacy
The 21st Century Cures Act of 2016
- Purpose is to expedite the research process for new medical devices and prescription drugs, quicken the process for drug approval, and reform mental health treatment
- Seeks a balance between the protection of personal data and the public interest in the appropriate utilization of this info
- Allows medical researchers to remotely review PHI
- Requires certificates of confidentiality to be issued by the National Institutes of Health (NIH) for any federally funded research, and permits the NIH to issue such certificates at its discretion for research that is not federally funded
Redisclosure
Redisclosing information obtained from a program is prohibited when that information would “identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment”