Health Privacy in the Digital Age - April 3 & 8 Flashcards

1
Q

What does the Health Insurance Portability and Accountability Act (HIPAA) do? (Q)

A

Under HIPAA, the Department of Health and Human Services, or HHS, created the Privacy Rule, which is intended to protect patients’ private information while also improving health-record management.

2
Q

What does the privacy rule apply to? (Q)

A

The Privacy Rule applies only to certain entities, called covered entities.

3
Q

For the purposes of HIPAA, what businesses are considered entities? (Q)

A

Most healthcare entities, healthcare providers, and health plans are covered entities.

4
Q

What is the Health Information Technology for Economic and Clinical Health Act (HITECH)? (Q)

A

One of HITECH’s primary goals is to encourage the use of electronic health records through financial incentives. HITECH also updated HIPAA’s existing requirements with some new elements.

5
Q

What patient information is protected? (Q)

A

HIPAA’s Privacy Rule protects individually identifiable health information, which is typically shortened to protected health information (PHI).

6
Q

What is considered PHI? (Q)

A

PHI must be linked to an identifiable patient and includes information like:

· general identifiers, such as the patient’s name, address, birth date, or Social Security number;

· the patient’s past, present, or future health condition;

· the healthcare provided to the patient; and

· past, present, or future payments made for the patient’s healthcare.

7
Q

When are PHI disclosures mandatory? (Q)

A

A covered entity must disclose PHI to a patient who’s requesting his own information and to HHS for compliance investigations.

8
Q

Who are covered entities generally permitted to disclose PHI to? (Q)

A

A covered entity is generally permitted to disclose PHI:

· to the individual patient;

· for the patient’s treatment;

· for payment purposes;

· for healthcare operations, such as providing training or quality control; or

· pursuant to the patient’s formal written consent.

9
Q

How may consent be valid? (Q)

A

To be valid, a consent must be in writing and identify specific information, such as what PHI may be disclosed, the authorized recipient, and the disclosure’s purpose.

10
Q

How may a patient’s informal consent be obtained? (Q)

A

A patient’s informal consent may be obtained (1) expressly, such as by getting verbal consent; (2) impliedly, after the patient has an opportunity to object to the disclosure and doesn’t; or (3) impliedly from the circumstances.

11
Q

For lawful disclosures, HIPAA provides that covered entities must do what? (Q)

A

For lawful disclosures, HIPAA provides that covered entities must make reasonable efforts to disclose only the minimum-necessary information to accomplish the disclosure’s intended purpose.

However, this requirement has significant exceptions. For instance, an entity may provide more than the minimum-necessary information for disclosures to the patient, to healthcare providers for treatment, or that are required by HHS or the law.

12
Q

What additional duties do entities have to patients concerning PHI? (Q)

A

Entities must also protect PHI from accidental disclosures. In addition, a covered entity must protect electronically stored PHI from reasonably anticipated threats and unlawful disclosures.

Ex: A covered healthcare entity must take steps to ensure that its workforce complies with the Privacy Rule.

13
Q

For the purposes of HIPAA, what are business associates? (Q)

A

Business associates are parties whose work with the healthcare entity involves using PHI in the entity’s possession.

14
Q

What must entities get from business associates regarding PHI? (Q)

A

With some exceptions, generally for low-risk uses, the entity must get written, satisfactory assurances that a business associate will safeguard any patient PHI before the entity shares that information. Federal law defines what are considered satisfactory assurances.

Ex: Assume a dental office hired an outside company to handle patient billing. The billing company would be a business associate. The dental office would need to get written, satisfactory assurances that the billing company would safeguard its patients’ information before the dental office could share that private information with the billing company.

15
Q

What happens if a covered entity discovers that PHI in its protection has been unlawfully disclosed? (Q)

A

If a covered entity discovers that PHI in its protection has been unlawfully disclosed, the entity must (1) notify each individual whose PHI the entity reasonably believes was compromised and (2) do so reasonably quickly but no later than 60 days after the discovery.

16
Q

What happens if the unlawful disclosure of PHI impacts the PHI of more than 500 residents of the same state? (Q)

A

If the unlawful disclosure impacts the PHI of more than 500 residents of the same state, the entity must also notify HHS and sometimes media outlets.

17
Q

What must the covered entity do regarding smaller breaches? (Q)

A

For smaller breaches, the entity must log the incident and submit its log to HHS once per year.

18
Q

How may a patient use HIPAA to hold a provider accountable? (Q)

A

The individual patient himself wouldn’t have a private cause of action under HIPAA. Instead, the patient could complain to HHS in hopes of triggering a governmental response. Or the patient might be able to bring state-law claims against the dentist, such as a claim for negligence that uses HIPAA’s requirements to define the standard of care or a claim for violating the state’s consumer-protection laws.