Healthcare / Medical Flashcards

1
Q

Define:

protected health information

A
  • any individually identifiable health information that is transmitted or maintained in any form or medium (paper, oral or electronic)
  • is held by a covered entity or its business associates
  • identifies the individual, or provides a reasonable basis for identifying the individual
  • is created or received by a covered entity or an employer, and
  • relates to a past, present or future physical or mental condition, the provision of health care, or payment for health care for that individual
2
Q

Define:

electronic protected health information (ePHI)

A

any PHI that is transmitted or maintained in electronic media

3
Q

Define:

covered entities

A
  • health care providers that conduct certain standard transactions (e.g., claims, eligibility checks) in electronic form
  • health plans
  • health care clearinghouses (third parties that convert nonstandard health information into standard transaction formats, or the reverse, e.g., billing services and repricing companies)
  • HIPAA does NOT directly apply to other health care providers and services that never conduct these electronic transactions (e.g., a practice that bills patients only by cash or credit card and submits no electronic claims); hosting or processing providers that work for a covered entity are business associates, not clearinghouses
4
Q

Define:

business associate

A

any person or organization, other than a member of a covered entity’s workforce, that performs services and activities for or on behalf of a covered entity, if such services or activities involve the use or disclosure of PHI

5
Q

Define:

business associate agreement

A
  • written contract signed between the business associate and the covered entity (required before PHI may be shared)
  • usually includes provisions that pass the Privacy and Security Rule standards down to the business associate (permitted uses, safeguards, breach reporting, subcontractor flow-down)
6
Q

Define:

HIPAA Transactions Rule

A
  • regulations on standard electronic formats for health care transactions
7
Q

What are the key provisions of the HIPAA Privacy Rule?

A
  • privacy notices
  • authorization for uses and disclosures
  • “minimum necessary” use or disclosure
  • individual right to access and accountings of disclosures
  • individual right to amend
  • security safeguards
  • accountability via administrative requirements and enforcement
8
Q

Define:

HIPAA Security Rule

A
  • establishes minimum security requirements for PHI that a covered entity or a business associate receives, creates, maintains, or transmits in electronic form
9
Q

Define:

privacy notices

HIPAA

A

covered entity is required to provide a detailed privacy notice no later than the date of first service delivery; the notice must contain certain elements (e.g., how the entity may use and disclose PHI, and detailed statements about individuals’ rights with respect to their PHI)

10
Q

Define:

authorization for uses and disclosures

under HIPAA

A
  • HIPAA itself permits use and disclosure of PHI for essential health care purposes, treatment, payment and health care operations (TPO), as well as for certain other established compliance and public-policy purposes
  • other uses or disclosures of PHI require the individual’s written, opt-in authorization
11
Q

Define:

authorization

HIPAA

A
  • independent document that specifically identifies the info to be used or disclosed, the purposes of the use or disclosure, the person or entity to which a disclosure may be made, and other information
  • covered entity may not require an individual to sign an authorization as a condition of receiving treatment or participating in a health plan
12
Q

Define:

“minimum necessary” use or disclosure

under HIPAA

A

other than for treatment (and a few other exceptions, e.g., disclosures to the individual, disclosures under an authorization, or disclosures required by law), covered entities must make reasonable efforts to limit the use, disclosure and request of PHI to the minimum necessary to accomplish the intended purpose

13
Q

When can covered entities disclose PHI to a business associate?

A

only if the covered entity ensures the BA is bound by all obligations applicable to the covered entity, including the minimum necessary standards

14
Q

Define:

access and accountings of disclosures

under HIPAA

A

individuals have right to:

  • inspect and obtain a copy of their own PHI held by a covered entity (or its business associate) in a “designated record set”
  • receive an accounting of certain disclosures of their PHI that have been made (routine TPO disclosures are excluded from the accounting)
15
Q

Define:

designated record set

A

fairly broad definition including a patient’s medical records and billing records or other records used by the covered entity to make decisions about individuals

16
Q

Define:

right to amend

A
  • right to amend PHI possessed by a covered entity
  • if the covered entity denies the request to amend, the individual may file a statement of disagreement that must then be included with any future disclosure of the disputed information
17
Q

Define:

safeguards

HIPAA

A

covered entities must implement administrative, physical, and technical safeguards to protect the confidentiality and integrity of all PHI

18
Q

Define:

accountability

HIPAA

A

covered entities are subject to a set of administrative requirements, including:

  • must designate a privacy official responsible for developing and implementing privacy protections
  • workforce must be trained, and complaint procedures and sanctions for violations must be in place
  • enforcement by a federal agency (the Office for Civil Rights in HHS)
19
Q

Privacy Rule doesn’t apply to, or permits use/disclosure without authorization for…

HIPAA

A
  • deidentified information (not PHI, so the rule does not apply at all)
  • medical research: research can occur with the authorization of the individual, or without it if an institutional review board or privacy board approves a waiver consistent with the Privacy Rule and the general rules covering research on human subjects
  • information used for public health activities
  • reports about victims of abuse, neglect or domestic violence
  • judicial and administrative proceedings
  • certain law enforcement activities
  • specialized governmental functions
20
Q

Define:

deidentified information

HIPAA

A

information that does not actually identify an individual and where there is no reasonable basis to believe that the information can be used to identify an individual

21
Q

How to deidentify information under HIPAA?

A
  1. Safe Harbor method: remove all 18 categories of identifiers listed in the rule (names, geographic units smaller than a state, dates other than year, contact details, SSN, medical record and account numbers, device and vehicle identifiers, URLs, IP addresses, biometrics, full-face photos and any other unique identifier) AND have no actual knowledge that the remaining information could identify the individual, or
  2. Expert Determination method: have a qualified expert determine and document that the risk of reidentifying the individuals is very small
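The Safe Harbor method above is a mechanical data transformation, so it is worth seeing how the edge cases (ZIP truncation, date stripping, ages over 89, identifiers leaking into free text) fit together. The following is an added example written for this page, not code from any HIPAA tool or from the original flashcards. It assumes the field names of a small constructed patient record and assumes a sample set of low-population ZIP3 prefixes; the real list must be derived from current census data, and free-text scrubbing by regex is a heuristic that does not by itself satisfy the “no actual knowledge” prong.

```python
"""Safe Harbor-style de-identification of a patient record (illustrative example)."""
import re
from datetime import date
from typing import Any

# Safe Harbor (45 CFR 164.514(b)(2)) rules implemented here:
#   * names, phone/fax/email, SSN, MRN, account/device identifiers, IPs, URLs: removed
#   * ZIP: keep first 3 digits, except low-population ZIP3 areas become "000"
#   * dates directly related to the individual: keep only the year
#   * ages over 89 (and any date element revealing them): collapse to "90+"
# ASSUMPTION: this ZIP3 set is a constructed sample, not the authoritative census list.
LOW_POPULATION_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                       "821", "823", "830", "831", "878", "879", "884", "890", "893"}

DIRECT_IDENTIFIER_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn",
                            "account_number", "ip_address", "url", "device_id"}
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Constructed patterns for identifiers that leak into free-text notes (heuristic).
_FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+?1[ -.]?)?\(?\d{3}\)?[ -.]?\d{3}[ -.]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
    (re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"), "[DATE]"),
]


def zip3(zip_code: str) -> str:
    """Truncate a ZIP to its first three digits; low-population areas become 000."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    if len(digits) < 3 or digits in LOW_POPULATION_ZIP3:
        return "000"
    return digits


def age_on(dob: date, as_of: date) -> int:
    """Whole years of age on the reference date."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text (best effort, not a guarantee)."""
    for pattern, token in _FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record: dict[str, Any], as_of: date) -> dict[str, Any]:
    """Return a Safe Harbor-style copy of the record; the input is left unchanged."""
    out: dict[str, Any] = {}
    dob = record.get("dob")
    over_89 = dob is not None and age_on(dob, as_of) > 89
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifiers are dropped entirely
        if key in DATE_FIELDS:
            if value is None or (key == "dob" and over_89):
                continue  # a birth year would reveal an age over 89
            out[key + "_year"] = value.year  # all other date elements removed
            continue
        if key == "zip":
            out["zip3"] = zip3(value)
            continue
        out[key] = scrub_text(value) if isinstance(value, str) else value
    if dob is not None:
        out["age"] = "90+" if over_89 else age_on(dob, as_of)
    return out


# Constructed test record; not a real patient.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Sample",
    "dob": date(1931, 3, 15),
    "admission_date": date(2023, 11, 2),
    "zip": "03601",
    "phone": "603-555-0142",
    "email": "jane.sample@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-0099831",
    "ip_address": "203.0.113.7",
    "diagnosis": "I10 essential hypertension",
    "notes": "Pt called from 603-555-0142 on 2023-11-01; son at jsample@example.org.",
}
AS_OF = date(2024, 1, 1)


def deidentify_sample() -> dict[str, Any]:
    """Run the sample record through the scrubber."""
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    for k, v in deidentify_sample().items():
        print(f"{k}: {v}")
```

Note how the output keeps only analytically useful residue (ZIP3, admission year, diagnosis, an age bucket): the point of Safe Harbor is that what remains must not be linkable back to the patient, and the expert-determination route exists precisely for data sets where this much stripping destroys their value.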
22
Q

Disclosure of PHI for law enforcement purposes is…

HIPAA

A

permitted but not required (the only disclosures the Privacy Rule requires are to the individual and to HHS for compliance investigations)

23
Q

HIPAA Security Rule consists of…

A
  • standards
  • implementation specifications
24
Q

Implementation specifications can be…

under HIPAA

A
  • required or
  • addressable: the covered entity/BA assesses whether the specification is a reasonable and appropriate safeguard in its environment; if it is, it must implement it; if not, it must document why and implement an equivalent alternative measure where reasonable and appropriate (addressable does NOT mean optional)
25
Q

HIPAA Security Rule requires…

A

requires covered entities and business associates, using any security measures that allow them to reasonably and appropriately implement the standards and implementation specifications, to:

  • ensure confidentiality, integrity and availability of all ePHI the covered entity or the BA creates, receives, maintains or transmits
  • protect against any reasonably anticipated threats or hazards to the security or integrity of the ePHI
  • protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule
  • ensure compliance with the Security Rule by its workforce
26
Q

HIPAA Security Rule specifically requires…

A
  • each covered entity and each BA must identify an individual who is responsible for implementation and oversight of Security Rule compliance program
  • each covered entity and BA must conduct initial and ongoing risk assessments
  • each covered entity and each BA must implement a security awareness and training program for its workforce
27
Q

Who is the primary enforcer for the HIPAA Privacy Rule and Security Rule?

A

Office for Civil Rights under HHS

28
Q

How does OCR enforce HIPAA?

A
  • can assess civil monetary penalties of up to approximately $2 million per year per type of violation
  • has instituted a program to regularly audit a select number of covered entities and BAs to ensure compliance
29
Q

Define:

HIPAA Safe Harbor Law

A
  • enacted in January 2021 (H.R. 7898), amending the HITECH Act
  • requires OCR to consider whether a covered entity or BA had “recognized security practices” (e.g., the NIST Cybersecurity Framework or HICP 405(d) practices) in place for the prior 12 months; if so, OCR has discretion to mitigate fines, shorten audits and reduce corrective action, notably in the event of a data breach
30
Q

Is there a private right of action under HIPAA?

A

no private right of action; individuals must file a complaint with OCR (state attorneys general may also sue under HITECH)

31
Q

Does HIPAA preempt state laws?

A

HIPAA does not preempt state laws that provide more protection than the federal law

32
Q

What does it mean for a state law to provide an exemption related to coverage under HIPAA?

A

complying with HIPAA will be viewed as complying with the state law

33
Q

Define:

HITECH Act

A
  • Health Information Technology for Economic and Clinical Health Act, enacted in 2009 to promote the adoption and meaningful use of health information technology
  • codified and funded the Office of the National Coordinator for Health Information Technology (ONC) and provided roughly $19 billion in incentives for health care providers to adopt electronic health records and develop a national electronic health information exchange
  • modifies HIPAA (extends Security Rule obligations directly to BAs, adds breach notification, raises penalties)
  • HIPAA-related provisions are enforced by HHS OCR; the separate personal health record breach rule is enforced by the FTC
34
Q

Define:

breach

under HITECH Act

A

occurs in the event of an unauthorized acquisition, access, use or disclosure of unsecured PHI (i.e., PHI not encrypted or destroyed per HHS guidance) unless the covered entity or BA demonstrates through a documented risk assessment that there is a low probability that the security or privacy of the information has been compromised

35
Q

Define:

data breach notification requirement

under HITECH Act

A

unless the risk assessment shows a low probability that the security or privacy of the information has been compromised, the covered entity must notify affected individuals without unreasonable delay and no later than 60 days after discovery; a BA that discovers a breach must notify the covered entity

  • if the breach affects 500 or more individuals, the covered entity must notify HHS at the same time as the individuals (no later than 60 days)
  • if the breach affects more than 500 residents of a single state or jurisdiction, it must also notify prominent media outlets
  • smaller breaches must be logged and reported to HHS annually (within 60 days after the end of the calendar year)
36
Q

personal health record providers under HITECH Act

A

a separate part of HITECH applies to “personal health record” providers, covering cloud services that store an individual’s health records outside HIPAA

  • includes medical apps and wearable devices
  • similar data breach notice requirements, implemented by the FTC Health Breach Notification Rule
37
Q

penalties under HITECH Act

A
  • tiered civil penalties, up to roughly $2 million per year per violation type (inflation-adjusted) for uncorrected willful neglect
  • criminal liability for individuals who knowingly misuse PHI
  • penalties apply even if the covered entity did not know of the violation (lowest tier)
38
Q

Disclosures under HITECH act should…

A
  • try to comply with definition of a limited data set: PHI where certain direct identifiers of the individual have been removed
  • if not possible, data disclosed must be minimum amount necessary
39
Q

Rules around electronic health records under HITECH Act

A
  • covered entities must provide individuals with an electronic copy of their EHR on request and must account for disclosures made through an EHR (including for TPO) during the three years before the request
  • covered entities may not sell PHI without the authorization of the patient, and may not receive payment for certain marketing communications without authorization
40
Q

What is the scope of the Confidentiality of Substance Use Disorder Patient Records Rule?

A

covers disclosure and use of “patient-identifying” information by treatment programs for alcohol and substance abuse

41
Q

Define:

patient-identifying information

under Confidentiality of Substance Use Disorder Patient Records Rule

A

any and all information that could reasonably be used to identify, directly or indirectly, a person who has been diagnosed with a substance abuse issue or has undergone alcohol or substance abuse treatment

42
Q

applicability of Confidentiality of Substance Use Disorder Patient Records Rule

A

applies to any “federally assisted” program (e.g., one that receives federal funds, is licensed or certified by the federal government, or is tax-exempt)

43
Q

Define:

program

under Confidentiality of Substance Use Disorder Patient Records Rule

A
  • individual or entity OR identified unit within a general medical facility who holds itself out as providing, and provides, substance abuse diagnosis, treatment or referral for treatment
  • medical personnel or other staff in general medical facility whose primary function is provision of substance abuse diagnosis, treatment or referral for treatment
44
Q

disclosure and use restrictions

under Confidentiality of Substance Use Disorder Patient Records Rule

A
  • program must obtain written patient consent before disclosing information subject to the rule
  • restricts use of any information, whether written or verbal, that could lead to or substantiate criminal charges against a patient concerning their alcohol or drug usage
45
Q

requirements for consent form

under Confidentiality of Substance Use Disorder Patient Records Rule

A
  • consent form may include general designation that allows disclosure to entity as long as entity has treating provider relationship with the patient
  • patient can request list of entities to which their information has been disclosed if general designation
  • consent form must explicitly describe the type of info that is to be disclosed relative to alcohol or drug abuse treatment
46
Q

redisclosure restriction

under Confidentiality of Substance Use Disorder Patient Records Rule

A

redisclosing information obtained from a program is prohibited when that info would “identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment”

47
Q

exceptions to consent requirement

under Confidentiality of Substance Use Disorder Patient Records Rule

A
  • medical emergencies
  • scientific research
  • audits and evaluations
  • communications with a qualified service organization (QSO) related to info needed by the org to provide services to the program
  • crimes on program premises or against program personnel
  • child abuse reporting
  • court order
48
Q

security requirement

under Confidentiality of Substance Use Disorder Patient Records Rule

A

entity lawfully holding patient-identifying information must have formal policies and procedures in place to protect security of this info

(violations are criminal)

49
Q

What does the Genetic Information Nondiscrimination Act amend?

A
  • amended Employee Retirement Income Security Act (ERISA), Public Health Service Act, Social Security Act and Civil Rights Act
50
Q

generally, GINA prohibits…

A

prohibits health insurance companies from:

  • discriminating on the basis of genetic predispositions in the absence of manifest symptoms or
  • requesting that applicants receive genetic testing

and prohibits employers from using genetic information in making employment decisions

51
Q

Define:

GINA amendment to ERISA

A
  • prohibits group health plan providers from adjusting premiums or other contribution schemes on the basis of genetic information absent a manifestation of a disease or disorder
  • also can’t request or require genetic testing in connection with offering of group health plans unless request for voluntary testing for research
52
Q

GINA amendment to Public Health Service Act

A

prohibits adjustments to premiums or other contribution schemes on the basis of genetic information absent a manifestation of a disease or disorder

53
Q

GINA amendment to Civil Rights Act

A

expressly prohibits discrimination on basis of genetic information

prohibits employers from requiring, requesting or purchasing such genetic information about employees or family members unless an express exception applies, which include:

  • request is inadvertent
  • request part of employer-offered wellness program that employee voluntarily participates in with written authorization
  • request made to comply with Family and Medical Leave Act
  • employer purchases commercially and publicly available materials that include the info
  • info used for legally required genetic monitoring for toxin exposure in workplace if employee voluntarily participates with written authorization
  • employer conducts DNA analysis for law enforcement purposes and requests the info for quality-control purposes
54
Q

Is there a private right of action under GINA?

A

not under Title I (health insurance), which is enforced by the relevant agencies; under Title II (employment) an individual may sue after filing a charge with the EEOC, following the Title VII procedures

55
Q

Does GINA preempt state laws?

A

GINA does NOT preempt state laws with stricter protections

56
Q

What does the 21st Century Cures Act cover?

A

use and interoperability of electronic health information (EHI)

57
Q

Who does the Cures Act Final Rule apply to?

A

applies to any health care provider, health IT developers of certified health IT, health information exchanges or health information networks

58
Q

Who enforces the Cures Act?

A

ONC sets the rules; the HHS Office of Inspector General (OIG) investigates information-blocking claims and can impose civil monetary penalties of up to $1 million per violation on health IT developers, health information exchanges and networks, while health care providers face “appropriate disincentives” set by HHS

59
Q

What are the key obligations of the CURES Act?

A
  • prohibits information blocking: any practice that is likely to interfere with, prevent or materially discourage the access, exchange or use of electronic health information (subject to eight defined exceptions)
  • developers of certified health IT must publish APIs that allow health information to be accessed, exchanged and used “without special effort”
  • researchers are permitted to remotely review PHI to prepare a research protocol where the remote access meets minimum safeguards consistent with HIPAA’s Privacy and Security Rules
  • requires the NIH to issue certificates of confidentiality for federally funded research that collects identifiable, sensitive information
  • requires HHS to issue guidance under HIPAA on when a health care provider or covered entity may discuss with family members or caregivers the treatment of an adult with a mental health disorder or an alcohol or substance abuse disorder
  • exempts certain individual biomedical research information from disclosure under FOIA where it could reveal an individual’s identity
60
Q

Define:

medical technology

A

can enable individuals to collect health information in real time in the convenience of their own home

61
Q

When does HIPAA apply when it comes to medical technology?

A

when a covered entity is involved in the use of a wearable, app or website, the companies providing these products or services are generally either the covered entity or a business associate

62
Q

When health information is in the hands of noncovered entities, how are users protected?

A
  • Section 5 of the FTC Act is the primary federal statute that applies to the privacy and security practices of companies not covered by HIPAA (unfair and deceptive trade practices)
  • U.S. Food and Drug Administration protects consumers against unlawful medical devices by enforcing the Federal Food, Drug and Cosmetic Act which defines a device as an “instrument … intended for use in the diagnosis of disease or other conditions, or in the … treatment or prevention of disease”
  • state medical privacy laws
63