Healthcare / Medical Flashcards
Define:
protected health information
- any individually identifiable health information that is transmitted or maintained in any form or medium
- is held by a covered entity or its business associates;
- identifies the individual or offers a reasonable basis for identification
- is created or received by a covered entity or an employer and
- relates to a past, present, or future physical or mental condition, provision of health care, or payment for health care to that individual
Define:
electronic protected health information (ePHI)
any PHI that is transmitted or maintained in electronic media
Define:
covered entities
- health care providers that conduct certain transactions in electronic form
- health plans
- health care clearinghouses (e.g., third-party organizations that host, handle or process medical information)
- HIPAA does NOT apply to other health care providers and services (e.g., doctors that accept only cash or credit card)
Define:
business associate
any person or organization, other than a member of a covered entity’s workforce, that performs services and activities for or on behalf of a covered entity, if such services or activities involve the use or disclosure of PHI
Define:
business associate agreement
- signed between business associate and covered entity
- usually includes provisions that pass privacy and security standards down to the business associate
Define:
HIPAA Transactions Rule
- regulations on standard electronic formats for health care transactions
What are the key provisions of the HIPAA Privacy Rule?
- privacy notices
- authorization for uses and disclosures
- “minimum necessary” use or disclosure
- individual right to access and accountings of disclosures
- individual right to amend
- security safeguards
- accountability via administrative requirements and enforcement
Define:
HIPAA Security Rule
- establishes minimum security requirements for PHI that a covered entity or a business associate receives, creates, maintains, or transmits in electronic form
Define:
privacy notices
HIPAA
a covered entity is required to provide a detailed privacy notice at the date of first service delivery; the notice must contain certain elements (e.g., detailed statements about individuals’ rights with respect to their PHI)
Define:
authorization for uses and disclosures
under HIPAA
- HIPAA itself authorizes use and disclosure of PHI for essential health care purposes: treatment, payments and operations (TPO) as well as for certain other established compliance purposes
- other uses or disclosures of PHI require individual’s opt-in authorization
Define:
authorization
HIPAA
- independent document that specifically identifies the info to be used or disclosed, the purposes of the use or disclosure, the person or entity to which a disclosure may be made, and other information
- covered entity may not require an individual to sign an authorization as a condition of receiving treatment or participating in a health plan
Define:
“minimum necessary” use or disclosure
under HIPAA
other than for treatment, covered entities must make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary in order to accomplish the intended purpose
When can covered entities disclose PHI to a business associate?
only if the covered entity ensures the BA is bound by all obligations applicable to the covered entity, including the minimum necessary standards
Define:
access and accountings of disclosures
under HIPAA
individuals have right to:
- access and copy their own PHI from a covered entity or a business associate, kept in a “designated record set”
- receive an accounting of certain disclosures of their PHI that have been made
Define:
designated record set
fairly broad definition including a patient’s medical records and billing records or other records used by the covered entity to make decisions about individuals
Define:
right to amend
- right to amend PHI possessed by a covered entity
- if covered entity denies request to amend PHI, individual may file a statement that must then be included in any future use or disclosure of the information
Define:
safeguards
HIPAA
covered entities must implement administrative, physical, and technical safeguards to protect the confidentiality and integrity of all PHI
Define:
accountability
HIPAA
covered entities are subject to a set of administrative requirements, including:
- must designate a privacy official who is responsible for development and implementation of privacy protections
- personnel must be trained, and complaint procedures must be in place
- enforcement by agencies (like the Office for Civil Rights in HHS)
Privacy Rule doesn’t apply to…
HIPAA
- deidentified information
- medical research: research can occur with the consent of the individual, or without consent if an authorized entity such as an institutional review board approves the research as consistent with the Privacy Rule and general rules covering research on human subjects
- information used for public health activities
- to report victims of abuse, neglect or domestic violence
- in judicial and administrative proceedings
- for certain law enforcement activities
- for specialized governmental functions
Define:
deidentified information
HIPAA
information that does not actually identify an individual and where there is no reasonable basis to believe that the information can be used to identify an individual
How to deidentify information under HIPAA?
- remove all of the 18 data elements listed in the rule, or
- have an expert certify that the risk of reidentifying the individuals is very small
Disclosure of PHI for law enforcement purposes is…
HIPAA
allowed but not required
HIPAA Security Rule consists of…
- standards
- implementation specifications
Implementation specifications can be…
under HIPAA
- required or
- addressable: covered entity/BA assesses whether it is an appropriate safeguard for the entity to adopt (if not, must document why not reasonable and if appropriate, adopt an alternative)
HIPAA Security Rule requires…
requires covered entities and business associates, using any security measures that allow them to reasonably and appropriately implement the standards and implementation specifications, to:
- ensure confidentiality, integrity and availability of all ePHI the covered entity or the BA creates, receives, maintains or transmits
- protect against any reasonably anticipated threats or hazards to the security or integrity of the ePHI
- protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule
- ensure compliance with the Security Rule by its workforce
HIPAA Security Rule specifically requires…
- each covered entity and each BA must identify an individual who is responsible for implementation and oversight of Security Rule compliance program
- each covered entity and BA must conduct initial and ongoing risk assessments
- each covered entity and each BA must implement a security awareness and training program for its workforce
Who is the primary enforcer for the HIPAA Privacy Rule and Security Rule?
Office for Civil Rights under HHS
How does OCR enforce HIPAA?
- can assess civil monetary penalties of up to approximately $2 million per year per type of violation
- has instituted a program to regularly audit a select number of covered entities and BAs to ensure compliance
Define:
HIPAA Safe Harbor Law
- enacted in 2001
- requires OCR to consider whether a covered entity has implemented recognized security practices for the prior 12 months, and if it has, OCR has discretion to apply leniency in setting fines and corrective action, notably in the event of a data breach
Is there a private right of action under HIPAA?
no private right of action; must file a complaint with OCR
Does HIPAA preempt state laws?
HIPAA does not preempt state laws that provide more protection than the federal law
What does it mean for a state law to provide an exemption related to coverage under HIPAA?
complying with HIPAA will be viewed as complying with the state law
Define:
HITECH Act
- Health Information Technology for Economic and Clinical Health Act enacted to promote adoption and meaningful use of health information technology
- codified and funded the Office of the National Coordinator for Health Information Technology and provided $19 billion in incentives for health care providers to adopt electronic health records and develop a national electronic health information exchange
- modifies HIPAA
- enforced by FTC
Define:
breach
under HITECH Act
occurs in the event of unauthorized acquisition, access, use or disclosure of unsecured information, unless the covered entity or BA demonstrates through a risk assessment that there is a low probability that the security or privacy of the information has been compromised
Define:
data breach notification requirement
under HITECH Act
if there is a high probability that the security or privacy of the information has been compromised, the covered entity must provide notice within 60 days of discovery, and a BA must notify the covered entity if it discovers the breach
- if breach affects > 500 people, covered entity must notify HHS immediately
- if breach affects > 500 in same jurisdiction, it must notify the media
- all breaches requiring notice must be reported to HHS at least annually
personal health record providers under HITECH Act
a separate part of HITECH applies to “personal health record” providers, which covers cloud services for storing an individual’s health records
- includes medical apps and wearable devices
- similar data breach notice requirements
penalties under HITECH Act
- penalties up to $2 million for most willful violations
- criminal liability to individuals who misuse PHI
- penalties even if the covered entity did not know of the violation
Disclosures under HITECH act should…
- try to comply with definition of a limited data set: PHI where certain direct identifiers of the individual have been removed
- if not possible, data disclosed must be minimum amount necessary
Rules around electronic health records under HITECH Act
- covered entities must provide individuals with a copy of their EHR on request and must account for all nonverbal disclosures made within three years on the request
- covered entities may not sell EHRs without the consent of the patient, and covered entities cannot receive payment for certain marketing plans
What is the scope of the Confidentiality of Substance Use Disorder Patient Records Rule?
covers disclosure and use of “patient-identifying” information by treatment programs for alcohol and substance abuse
Define:
patient-identifying information
under Confidentiality of Substance Use Disorder Patient Records Rule
any and all information that could reasonably be used to identify, directly or indirectly, a person who has been diagnosed with a substance abuse issue or has undergone alcohol or substance abuse treatment
applicability of Confidentiality of Substance Use Disorder Patient Records Rule
applies to any program that receives federal funding
Define:
program
under Confidentiality of Substance Use Disorder Patient Records Rule
- individual or entity OR identified unit within a general medical facility that holds itself out as providing, and provides, substance abuse diagnosis, treatment or referral for treatment
- medical personnel or other staff in general medical facility whose primary function is provision of substance abuse diagnosis, treatment or referral for treatment
disclosure and use restrictions
under Confidentiality of Substance Use Disorder Patient Records Rule
- program must obtain written patient consent before disclosing information subject to the rule
- restricts use of any information, whether written or verbal, that could lead to or substantiate criminal charges against a patient concerning their alcohol or drug usage
requirements for consent form
under Confidentiality of Substance Use Disorder Patient Records Rule
- consent form may include general designation that allows disclosure to entity as long as entity has treating provider relationship with the patient
- patient can request list of entities to which their information has been disclosed if general designation
- consent form must explicitly describe the type of info that is to be disclosed relative to alcohol or drug abuse treatment
redisclosure restriction
under Confidentiality of Substance Use Disorder Patient Records Rule
redisclosing information obtained from a program is prohibited when that info would “identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment”
exceptions to consent requirement
under Confidentiality of Substance Use Disorder Patient Records Rule
- medical emergencies
- scientific research
- audits and evaluations
- communications with a qualified service organization (QSO) related to info needed by the org to provide services to the program
- crimes on program premises or against program personnel
- child abuse reporting
- court order
security requirement
under Confidentiality of Substance Use Disorder Patient Records Rule
entity lawfully holding patient-identifying information must have formal policies and procedures in place to protect security of this info
(violations are criminal)
What does the Genetic Information Nondiscrimination Act amend?
- amended the Employee Retirement Income Security Act (ERISA), the Public Health Service Act, the Social Security Act and the Civil Rights Act
generally, GINA prohibits…
prohibits health insurance companies from:
- discriminating on the basis of genetic predispositions in the absence of manifest symptoms or
- requesting that applicants receive genetic testing
and prohibits employers from using genetic information in making employment decisions
Define:
GINA amendment to ERISA
- prohibits group health plan providers from adjusting premiums or other contribution schemes on the basis of genetic information absent a manifestation of a disease or disorder
- also can’t request or require genetic testing in connection with offering of group health plans unless request for voluntary testing for research
GINA amendment to Public Health Service Act
prohibits adjustments to premiums or other contribution schemes on the basis of genetic information absent a manifestation of a disease or disorder
GINA amendment to Civil Rights Act
expressly prohibits discrimination on basis of genetic information
prohibits employers from requiring, requesting or purchasing such genetic information about employees or family members unless an express exception applies; exceptions include:
- request is inadvertent
- request part of employer-offered wellness program that employee voluntarily participates in with written authorization
- request made to comply with Family and Medical Leave Act
- employer purchases commercially and publicly available materials that include the info
- info used for legally required genetic monitoring for toxin exposure in workplace if employee voluntarily participates with written authorization
- employer conducts DNA analysis for law enforcement purposes and requests the info for quality-control purposes
Is there a private right of action under GINA?
no
Does GINA preempt state laws?
GINA does NOT preempt state laws with stricter protections
What does the 21st Century Cures Act cover?
use and interoperability of electronic health information (EHI)
Who does the Cures Act Final Rule apply to?
applies to any health care provider, health IT developers of certified health IT, health information exchanges or health information networks
Who enforces the Cures Act?
ONC can bring enforcement actions for violation with fine up to $1 million
What are the key obligations of the Cures Act?
- limits information blocking: any activity that is likely to interfere with, prevent, or materially discourage access, exchange or use of electronic health information
- covered health IT developers must publish APIs that allow health information from such technology to be accessed, exchanged, and used without special effort
- researchers permitted to remotely view PHI where remote access meets minimum safeguards consistent with HIPAA’s Privacy and Security Rules
- requires certificates of confidentiality to be issued by the National Institutes of Health (NIH) for any federally funded research
- requires HHS to issue guidance under HIPAA regarding the circumstances under which a health care provider or a covered entity is permitted to discuss with family members or caregivers the treatment of an adult with a mental health disorder or an alcohol or substance abuse disorder
- certain individual biomedical research information exempted from disclosure under FOIA if individual biomedical research info could reveal individual identity
Define:
medical technology
can enable individuals to collect health information in real time in the convenience of their own home
When does HIPAA apply when it comes to medical technology?
when a covered entity is involved in the use of a wearable, app or website, the companies providing these products or services are generally either the covered entity or a business associate
When health information is in the hands of noncovered entities, how are users protected?
- Section 5 of the FTC Act is the primary federal statute that applies to the privacy and security practices of companies not covered by HIPAA (deceptive and unfair trade practices)
- U.S. Food and Drug Administration protects consumers against unlawful medical devices by enforcing the Federal Food, Drug and Cosmetic Act which defines a device as an “instrument … intended for use in the diagnosis of disease or other conditions, or in the … treatment or prevention of disease”
- state medical privacy laws