Healthcare/Medical Flashcards

1
Q

Why was the Health Insurance Portability and Accountability Act of 1996 (HIPAA) enacted?

A

To improve the efficiency of healthcare delivery. It also moved reimbursement of federal healthcare payments under Medicare and Medicaid to an electronic format, which increased the need to protect the privacy and security of healthcare information.

2
Q

Who enforces HIPAA? What are the possible penalties?

A

Enforcement of HIPAA regulations is the responsibility of the Department of Health and Human Services, which, as of 2020, can levy fines of up to $1.8 million. Civil penalties increase annually to reflect inflation and more egregious violations may result in jail time of up to 10 years.

3
Q

Does HIPAA preempt stricter state laws?

A

No, HIPAA does not preempt stricter state laws.

4
Q

What are the requirements of the HIPAA privacy rule?

A

PRIVACY NOTICE UP FRONT: The Privacy Rule requires a covered entity to provide a detailed privacy notice at the date of first service delivery.

OPT-IN, LIMITED USE AND DISCLOSURE, ACCESS AND AMENDMENT: The rule also requires opt-in authorization for use or disclosure of PHI outside of HIPAA guidelines; it limits the use and disclosure of protected health information for business associates and it provides information on how individuals can access and amend their PHI.

SAFEGUARDS, PRIVACY OFFICIAL: Covered entities must also have safeguards in place to protect the confidentiality and integrity of all PHI and designate a privacy official to develop and implement privacy protections.

5
Q

What are the requirements of the HIPAA security rule?

A

REASONABLE LEVEL OF SECURITY: To ensure the confidentiality, integrity and availability of ePHI, the Security Rule requires a reasonable level of security to protect against anticipated threats and hazards, and unauthorized use or disclosure of ePHI.

SECURITY/RISK ASSESSMENT PROGRAM: It further establishes that a designated person must implement and oversee a security and training program, as well as conduct ongoing assessment of risk.

EXCEPTIONS: The Security Rule does not apply to PHI transmitted orally or in writing.

6
Q

What are some common concerns with the use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates?

A
  • Invasiveness of the technology, data minimization efforts, the collection and possible exposure of sensitive information and reidentification of infected individuals
  • Contact tracing apps should minimize the amount of data they are collecting, protect the data, use any personal information collected for the sole purpose of contact tracing and destroy the data as soon as the purpose has been fulfilled
7
Q

What did the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 accomplish?

A
  • HITECH promoted the adoption and meaningful use of health information technology and offered incentives for healthcare providers to use and develop electronic health records and a national electronic health information exchange.
  • HITECH strengthened existing HIPAA laws through data minimization, increased penalties and notice of breach.
8
Q

What are the policy goals of the 21st Century Cures Act of 2016?

A

The 21st Century Cures Act expedites the research process for new medical devices and prescription drugs, quickens the process for drug approval and reforms mental health treatment.

9
Q

What is the Confidentiality of Substance Use Disorder Patient Records Rule (42 CFR Part 2)?

A
  • The Confidentiality of Substance Use Disorder Patient Records Rule provides privacy protections for people seeking medical care for alcohol and substance abuse.
  • The scope of the Confidentiality of Substance Use Disorder Patient Records Rule includes restricting the use of information that could lead to criminal charges.

The Rule also prohibits the re-disclosing of information if it would identify the individual as receiving treatment.

10
Q

What are the exceptions to the consent requirements of 42 CFR Part 2?

A
  • Exceptions to consent requirements of the Confidentiality of Substance Use Disorder Patient Records Rule include emergencies, research, evaluations, crimes on premises or against personnel, child abuse reporting, and court orders.
11
Q

What is a covered entity under HIPAA?

A

“Covered entities” are entities that must comply with HIPAA’s requirements to protect the privacy and security of health information and provide individuals with certain rights related to their health information.

They include health plans (such as health insurance companies, HMOs, company health plans, and Medicare/Medicaid),

healthcare clearinghouses (such as billing services or healthcare management information systems), and

healthcare providers who electronically transmit health information.

12
Q

What is a business associate under HIPAA?

A

Any person or organization, other than a member of a covered entity’s workforce, that performs services and activities for or on behalf of a covered entity if such services and activities involve the use or disclosure of PHI.

Services and activities include things such as claims processing, data analysis, utilization review and billing, as well as legal, actuarial, accounting, consulting, data aggregation, management, administration, accreditation and/or financial services.

13
Q

What is Protected Health Information?

A

Protected health information (or PHI) is any individually identifiable health information transmitted or maintained in any form or medium that relates to an individual’s past, present, or future physical or mental health or condition; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to the individual.

14
Q

Do covered entities and business associates have to meet the same standards under HIPAA?

A

Yes. Where a covered entity uses a business associate to help with data processing, the covered entity must have a written agreement or other arrangement that states specifically what the business associate has been engaged to do and requires them to comply with the Privacy Rule’s privacy and security standards.

15
Q

What is GINA?

A

GINA was created to protect individuals against genetic discrimination by health insurance providers (Title I) and employers (Title II)

  • Title I prohibits insurance providers from implementing higher premiums based on genetic tests
  • Title II prohibits employment discrimination based on genetic information, including unions and training programs, family members who have manifested a disease, and requirements or requests for genetic information
  • GINA creates national limits on the use of genetic information in health insurance and employment
  • Does not preempt stricter state laws
  • GINA directs the Secretary of HHS to revise HIPAA regulations to include genetic information in the definition of PHI
16
Q

What are the privacy provisions of the 21st Century Cures Act?

A
  • Prohibition of information-blocking (conduct that would interfere with the exchange of electronic health information)
  • Requirement of “Certificates of confidentiality” for research—particularly for those with alcohol and/or substance abuse issues
  • Guidelines for permissible “compassionate” sharing of mental health or substance abuse information with family or caregivers
    o 42 CFR Part 2 regulations generally require a special court order before the records of individuals with alcohol or substance abuse issues can be shared with law enforcement or a court
  • Exemptions for mandatory disclosure of individual biomedical research information under the Freedom of Information Act
  • Remote review of PHI under HIPAA rules
17
Q

When does GINA not apply?

A
  • Health coverage non-discrimination protections do not apply to life insurance, disability insurance or long-term care insurance
  • Employment provisions generally do not apply to employers with fewer than 15 employees
18
Q

What laws were amended as a result of GINA?

A

Employee Retirement Income Security Act of 1974 (ERISA), the Public Health Service Act, the Social Security Act, and the Civil Rights Act.

Group health plan providers, individual health insurers, and Medicare can’t adjust premiums because of genetic info or require genetic testing (except voluntary for research).

No employment discrimination based on genetic info (in the absence of a manifested disease or disorder) or family member info; employers can’t require testing or purchase genetic data. Applies to unions and training programs too.

19
Q

How did HITECH increase HIPAA breach notification requirements?

A

Notice of breach: A covered entity that handles PHI must notify individuals, the Department of Health and Human Services, and possibly the media, when security or privacy of information is compromised. The HHS Secretary must be notified within 60 days if more than 500 individuals are affected; otherwise, breaches may be reported annually.