Healthcare / Medical Flashcards

1
Q

HIPAA history

A

HIPAA was enacted in 1996; its implementing rules took effect during the 2000s; it has been updated periodically, most notably by the HITECH Act of 2009

2
Q

Define:

protected health information

A
  • any individually identifiable health information that is transmitted or maintained in any form or medium
  • is held by a covered entity or its business associates
  • identifies the individual or offers a reasonable basis for identification
  • is created or received by a covered entity (health care provider, health plan or clearinghouse) or an employer, and
  • relates to a past, present, or future physical or mental condition, the provision of health care, or payment for health care to that individual
3
Q

Define:

electronic protected health information (ePHI)

A

any PHI that is transmitted or maintained in electronic media

4
Q

Define:

covered entities

A
  • health care providers that conduct certain standard transactions (e.g., claims) in electronic form
  • health plans
  • health care clearinghouses (third-party organizations, such as billing services, that process health information between nonstandard and standard formats)
  • HIPAA does NOT apply to other health care providers and services (e.g., a doctor who accepts only cash or credit card and never submits electronic claims)
5
Q

Define:

business associate

A

any person or organization, other than a member of a covered entity’s workforce, that performs services and activities for or on behalf of a covered entity, if such services or activities involve the use or disclosure of PHI

6
Q

Define:

business associate agreement

A
  • signed between business associate and covered entity
  • usually includes provisions that pass privacy and security standard down to the business associate
7
Q

Define:

HIPAA Transactions Rule

A
  • regulations on standard electronic formats for health care transactions
  • promulgated by HHS in August 2000
8
Q

Define:

HIPAA Privacy Rule

A

rules concerning privacy of protected health information, initially promulgated by HHS in December 2000

9
Q

Define:

HIPAA Security Rule

A
  • establishes minimum security requirements for PHI that a covered entity or a business associate receives, creates, maintains, or transmits in electronic form
  • promulgated in Feb 2003 by HHS
10
Q

key provisions of HIPAA

A
  • privacy notices
  • authorizations for use and disclosure of PHI
  • limits on use and disclosure to the minimum necessary
  • individual access and accounting rights
  • security safeguards
  • accountability through administrative requirements and enforcement
11
Q

Define:

privacy notices

HIPAA

A

a covered entity must provide a detailed privacy notice at the date of first service delivery; the notice must contain certain required elements (e.g., detailed statements about individuals’ rights with respect to their PHI)

12
Q

Define:

authorization for uses and disclosures

A
  • HIPAA itself authorizes use and disclosure of PHI for essential health care purposes: treatment, payment and operations (TPO), as well as for certain other established compliance purposes
  • other uses or disclosures of PHI require the individual’s opt-in authorization
13
Q

Define:

authorization

HIPAA

A
  • independent document that specifically identifies the info to be used or disclosed, the purposes of the use or disclosure, the person or entity to which a disclosure may be made, and other information
  • covered entity may not require an individual to sign an authorization as a condition of receiving treatment or participating in a health plan
14
Q

Define:

“minimum necessary” use or disclosure

A

other than for treatment, covered entities must make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary in order to accomplish the intended purpose

15
Q

When can covered entities disclose PHI to a business associate?

A

only if the covered entity ensures the BA is bound by all obligations applicable to the covered entity, including the minimum necessary standards

16
Q

Define:

access and accountings of disclosures

A

individuals have right to:
* access and copy their own PHI that a covered entity or a business associate keeps in a “designated record set”
* receive an accounting of certain disclosures of their PHI that have been made

17
Q

Define:

designated record set

A

fairly broad definition including a patient’s medical records and billing records or other records used by the covered entity to make decisions about individuals

18
Q

Define:

right to amend

A
  • right to amend PHI possessed by a covered entity
  • if covered entity denies request to amend PHI, individual may file a statement that must then be included in any future use or disclosure of the information
19
Q

Define:

safeguards

HIPAA

A

covered entities must implement administrative, physical, and technical safeguards to protect the confidentiality and integrity of all PHI

20
Q

Define:

accountability

HIPAA

A

covered entities are subject to a set of administrative requirements, including:
* must designate a privacy official responsible for the development and implementation of privacy protections
* personnel must be trained, and complaint procedures must be in place
* compliance is enforced by agencies such as the Office for Civil Rights (OCR) in HHS

21
Q

Privacy Rule doesn’t apply to…

HIPAA

A
  • deidentified information
  • medical research is permitted with the individual’s authorization, or without it if an authorized body such as an institutional review board (IRB) or privacy board approves the research as consistent with the Privacy Rule and the general rules covering research on human subjects
22
Q

Define:

deidentified information

HIPAA

A

information that does not actually identify an individual and where there is no reasonable basis to believe that the information can be used to identify an individual

23
Q

How to deidentify information under HIPAA?

A
  1. “safe harbor” method: remove all 18 categories of identifiers listed in the rule (e.g., names, dates other than year, contact details, SSNs, medical record numbers, IP addresses, biometric identifiers, full-face photographs), or
  2. “expert determination” method: have a qualified expert certify that the risk of reidentifying individuals is very small
24
Q

Other exceptions under which PHI may be used without consent

HIPAA

A
  • information used for public health activities
  • to report victims of abuse, neglect or domestic violence
  • in judicial and administrative proceedings
  • for certain law enforcement activities
  • for specialized governmental functions
25
Q

Disclosure of PHI for law enforcement purposes is…

HIPAA

A

the Privacy Rule permits but does not require covered entities to disclose PHI about an individual for law enforcement purposes pursuant to legal process (e.g., a court order, warrant or subpoena) and as otherwise required by law

26
Q

HIPAA Security Rule is comprised of…

A
  • standards
  • implementation specifications
27
Q

Implementation specifications can be…

A
  • required or
  • addressable: covered entity/BA assesses whether it is an appropriate safeguard for the entity to adopt (if not, must document why not reasonable and if appropriate, adopt an alternative)
28
Q

HIPAA Security Rule requires…

A

requires covered entities and business associates, using whatever security measures allow them to reasonably and appropriately implement the standards and implementation specifications, to:
* ensure the confidentiality, integrity and availability of all ePHI the covered entity or the BA creates, receives, maintains or transmits
* protect against any reasonably anticipated threats or hazards to the security or integrity of the ePHI
* protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule
* ensure compliance with the Security Rule by its workforce

29
Q

HIPAA Security Rule specifically requires…

A
  • each covered entity and each BA must identify an individual who is responsible for implementation and oversight of Security Rule compliance program
  • each covered entity and BA must conduct initial and ongoing risk assessments
  • each covered entity and each BA must implement a security awareness and training program for its workforce
30
Q

Who is the primary enforcer for the HIPAA Privacy Rule and Security Rule?

A

Office for Civil Rights under HHS

31
Q

How does OCR enforce HIPAA?

A
  • can assess civil monetary penalties, tiered by level of culpability and currently capped at roughly $2 million per calendar year for violations of the same provision
  • has instituted a program to regularly audit a selection of covered entities and BAs to verify compliance
32
Q

Define:

HIPAA Safe Harbor Law

A
  • enacted in January 2021 (H.R. 7898, amending the HITECH Act)
  • requires OCR to consider whether a covered entity or BA has had “recognized security practices” (e.g., the NIST Cybersecurity Framework or the HHS 405(d) practices) in place for the prior 12 months; if it has, OCR has discretion to reduce fines, shorten audits and ease corrective action, notably in the event of a data breach
33
Q

Is there a private right of action under HIPAA?

A

no private right of action; an individual must instead file a complaint with OCR

34
Q

Who else has enforcement power over HIPAA or HIPAA-related issues?

A
  • U.S. DOJ has criminal enforcement authority with prison sentences of up to 10 years
  • FTC can still bring enforcement actions for unfair and deceptive practices
  • state AGs can also bring enforcement for unfair and deceptive practices, or pursuant to any applicable state medical privacy law
35
Q

Does HIPAA preempt state laws?

A

HIPAA does not preempt state laws that provide more protection than the federal law

36
Q

What does it mean for a state law to provide an exemption related to coverage under HIPAA?

A

complying with HIPAA will be viewed as complying with the state law

37
Q

Define:

HITECH Act

A
  • Health Information Technology for Economic and Clinical Health Act, enacted in 2009 to promote the adoption and “meaningful use” of health information technology
  • codified and funded the Office of the National Coordinator for Health Information Technology (ONC) and provided roughly $19 billion in incentives for health care providers to adopt electronic health records and develop a national electronic health information exchange
  • modifies HIPAA (e.g., adds breach notification requirements and increases penalties)
38
Q

Define:

breach

under HITECH Act

A

occurs on any unauthorized acquisition, access, use or disclosure of unsecured PHI (PHI not rendered unusable, e.g., by encryption, per HHS guidance), *unless* the covered entity or BA demonstrates through a risk assessment that there is a low probability that the PHI has been compromised

39
Q

Define:

data breach notification requirement

under HITECH Act

A

unless the risk assessment shows a low probability of compromise, the covered entity must notify affected individuals without unreasonable delay and no later than 60 days after discovery; a BA that discovers a breach must notify the covered entity

  • if a breach affects more than 500 individuals, the covered entity must also notify HHS contemporaneously with the individual notices (within the same 60-day window)
  • if a breach affects more than 500 residents of the same state or jurisdiction, it must notify prominent media outlets serving that area
  • breaches affecting fewer than 500 individuals are logged and reported to HHS annually (within 60 days after the end of the calendar year in which they were discovered)
40
Q

personal health record providers under HITECH Act

A

separate part of HITECH applies to “personal health record” providers which covers cloud services for storing an individual’s health records
* includes medical apps and wearable devices
* similar data breach notice requirements
* enforced by FTC

41
Q

penalties under HITECH Act

A
  • civil penalties tiered by culpability, up to roughly $2 million per year for the most willful violations (willful neglect that is not corrected)
  • criminal liability for individuals who misuse PHI
  • penalties can apply even if the covered entity did not know of the violation
42
Q

Disclosures under HITECH act should…

A
  • try to comply with the definition of a limited data set: PHI from which certain direct identifiers of the individual have been removed
  • if that is not possible, the data disclosed must be the minimum amount necessary
43
Q

Rules around electronic health records under HITECH Act

A
  • covered entities must provide individuals with an electronic copy of their EHR on request and must account for disclosures made through the EHR during the three years before the request
  • covered entities may not sell PHI without the patient’s authorization, and may not receive payment for certain marketing communications
44
Q

Define:

Confidentiality of Substance Use Disorder Patient Records Rule

A
  • contains three confidentiality requirements (disclosure, redisclosure and security), aimed at the concern that individuals might not seek medical care for alcohol and substance abuse problems unless the privacy of this information is strictly protected
45
Q

scope of Confidentiality of Substance Use Disorder Patient Records Rule

A

covers disclosure and use of “patient-identifying” information by treatment programs for alcohol and substance abuse

46
Q

Define:

patient-identifying information

under Confidentiality of Substance Use Disorder Patient Records Rule

A

any and all information that could reasonably be used to identify, directly or indirectly, a person who has been diagnosed with a substance abuse issue or has undergone alcohol or substance abuse treatment

47
Q

applicability of Confidentiality of Substance Use Disorder Patient Records Rule

A

applies to any federally assisted program (e.g., one that receives federal funding)

48
Q

Define:

program

under Confidentiality of Substance Use Disorder Patient Records Rule

A
  • individual or entity (other than general medical facility) OR identified unit within a general medical facility who holds itself out as providing, and provides, substance abuse diagnosis, treatment or referral for treatment
  • medical personnel or other staff in general medical facility whose primary function is provision of substance abuse diagnosis, treatment or referral for treatment
49
Q

disclosure requirement

under Confidentiality of Substance Use Disorder Patient Records Rule

A
  • program must obtain written patient consent before disclosing information subject to the rule
  • restricts use of any information, whether written or verbal, that could lead to or substantiate criminal charges against a patient concerning their alcohol or drug usage
50
Q

requirements for consent form

under Confidentiality of Substance Use Disorder Patient Records Rule

A
  • consent form may include general designation that allows disclosure to entity as long as entity has treating provider relationship with the patient
  • patient can request list of entities to which their information has been disclosed if general designation
  • consent form must explicitly describe the type of info that is to be disclosed relative to alcohol or drug abuse treatment
51
Q

redisclosure restriction

under Confidentiality of Substance Use Disorder Patient Records Rule

A

redisclosing information obtained from a program is prohibited when that information would “identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment”

52
Q

exceptions to consent requirement

under Confidentiality of Substance Use Disorder Patient Records Rule

A
  • medical emergencies
  • scientific research
  • audits and evaluations
  • communications with a qualified service organization (QSO) related to info needed by the org to provide services to the program
  • crimes on program premises or against program personnel
  • child abuse reporting
  • court order
53
Q

security requirement

under Confidentiality of Substance Use Disorder Patient Records Rule

A

entity lawfully holding patient-identifying information must have formal policies and procedures in place to protect security of this info

(violations are criminal)

54
Q

Define:

Genetic Information Nondiscrimination Act

A
  • created new national limits on the use of genetic information in health insurance and employment
  • amended Employee Retirement Income Security Act (ERISA), Public Health Service Act, Social Security Act and Civil Rights Act
55
Q

generally, GINA prohibits…

A

prohibits health insurance companies from:
* discriminating on the basis of genetic predispositions in the absence of manifest symptoms or
* requesting that applicants receive genetic testing

and prohibits employers from using genetic information in making employment decisions

56
Q

Define:

GINA amendment to ERISA

A
  • prohibits group health plan providers from adjusting premiums or other contribution schemes on the basis of genetic information absent a manifestation of a disease or disorder
  • also can’t request or require genetic testing in connection with offering of group health plans unless request for voluntary testing for research
57
Q

GINA amendment to Public Health Service Act

A

prohibits adjustments to premiums or other contribution schemes on the basis of genetic information absent a manifestation of a disease or disorder

58
Q

GINA amendment to Civil Rights Act

A
  • expressly prohibits discrimination on basis of genetic information
  • prohibits employers from requiring, requesting or purchasing such genetic information about employees or family members unless an express exception applies, which include:
  • request is inadvertent
  • request part of employer-offered wellness program that employee voluntarily participates in with written authorization
  • request made to comply with Family and Medical Leave Act
  • employer purchases commercially and publicly available materials that include the info
  • info used for legally required genetic monitoring for toxin exposure in workplace if employee voluntarily participates with written authorization
  • employer conducts DNA analysis for law enforcement purposes and requests the info for quality-control purposes
59
Q

Is there a private right of action under GINA?

A

no private right of action under the health insurance provisions (Title I); under the employment provisions (Title II), an individual must first file a charge with the EEOC and may then sue, following the same procedures as Title VII of the Civil Rights Act

60
Q

Does GINA preempt state laws?

A

GINA provides “floor” of minimum protection against genetic discrimination and does NOT preempt state laws with stricter protections

61
Q

Define:

21st Century Cures Act

A
  • promotes medical research and reforms mental health treatment
  • promotes use and interoperability of electronic health information (EHI)
62
Q

Define:

Cures Act Final Rule

A
  • issued by Office of the National Coordinator for Health Information Technology (ONC)
  • sets forth limits on information blocking: any activity that is likely to interfere with, prevent, or materially discourage access, exchange or use of electronic health information
63
Q

Who does the Cures Act Final Rule apply to?

A

applies to any health care provider, health IT developers of certified health IT, health information exchanges or health information networks

64
Q

enforcement actions under the CURES Act Final Rule

A

information blocking by health IT developers, health information exchanges and health information networks is enforced by the HHS Office of Inspector General (OIG), with civil monetary penalties of up to $1 million per violation; violations by health care providers are referred for separate disincentives set by HHS

65
Q

requirements under the CURES Act

A
  • requires HHS to establish “Conditions and Maintenance of Certifications Requirements for the ONC Health IT Certification Program”
  • developers of certified health IT must publish APIs that allow health information from such technology to be accessed, exchanged, and used without special effort
  • certain individual biomedical research information is exempted from disclosure under the Freedom of Information Act (FOIA) if it could reveal an individual’s identity
  • researchers are permitted to remotely view PHI where the remote access meets minimum safeguards consistent with HIPAA’s Privacy and Security Rules
  • requires certificates of confidentiality to be issued by the National Institutes of Health (NIH) for any federally funded research
  • requires HHS to issue guidance under HIPAA clarifying the circumstances under which a health care provider or a covered entity is permitted to discuss with family members or caregivers the treatment of an adult with a mental health disorder or an alcohol or substance abuse disorder
66
Q

Define:

medical technology

A

can enable individuals to collect health information in real time in the convenience of their own home

67
Q

When does HIPAA apply when it comes to medical technology?

A

when a covered entity is involved in the use of a wearable, app or website, the companies providing these products or services are generally either the covered entity or a business associate

68
Q

When health information is in the hands of noncovered entities, how are users protected?

A
  • Section 5 of the FTC Act is the primary federal statute that applies to the privacy and security practices of companies not covered by HIPAA (unfair and deceptive trade practices)
  • the U.S. Food and Drug Administration protects consumers against unlawful medical devices by enforcing the Federal Food, Drug and Cosmetic Act, which defines a device as an “instrument … intended for use in the diagnosis of disease or other conditions, or in the … treatment or prevention of disease”
  • state medical privacy laws