Healthcare / Medical Flashcards
Define:
protected health information
- any individually identifiable health information that is transmitted or maintained in any form or medium
- is held by a covered entity or its business associates
- identifies the individual or offers a reasonable basis for identification
- is created or received by a covered entity or an employer
- relates to a past, present, or future physical or mental condition, provision of health care, or payment for health care to that individual
Define:
electronic protected health information (ePHI)
any PHI that is transmitted or maintained in electronic media
Define:
covered entities
- health care providers that conduct certain transactions in electronic form
- health plans
- health care clearinghouses (e.g., third-party organizations that host, handle, or process medical information)
- HIPAA does NOT apply to other health care providers and services (e.g., doctors who accept only cash or credit card)
Define:
business associate
any person or organization, other than a member of a covered entity’s workforce, that performs services and activities for or on behalf of a covered entity, if such services or activities involve the use or disclosure of PHI
Define:
business associate agreement
- signed between business associate and covered entity
- usually includes provisions that pass privacy and security standards down to the business associate
Define:
HIPAA Transactions Rule
- regulations on standard electronic formats for health care transactions
What are the key provisions of the HIPAA Privacy Rule?
- privacy notices
- authorization for uses and disclosures
- “minimum necessary” use or disclosure
- individual right to access and accountings of disclosures
- individual right to amend
- security safeguards
- accountability via administrative requirements and enforcement
Define:
HIPAA Security Rule
- establishes minimum security requirements for PHI that a covered entity or a business associate receives, creates, maintains, or transmits in electronic form
Define:
privacy notices
HIPAA
a covered entity is required to provide a detailed privacy notice at the date of first service delivery; the notice must contain certain elements (e.g., detailed statements about individuals’ rights with respect to their PHI)
Define:
authorization for uses and disclosures
under HIPAA
- HIPAA itself authorizes use and disclosure of PHI for essential health care purposes: treatment, payment, and operations (TPO), as well as for certain other established compliance purposes
- other uses or disclosures of PHI require individual’s opt-in authorization
Define:
authorization
HIPAA
- independent document that specifically identifies the info to be used or disclosed, the purposes of the use or disclosure, the person or entity to which a disclosure may be made, and other information
- covered entity may not require an individual to sign an authorization as a condition of receiving treatment or participating in a health plan
Define:
“minimum necessary” use or disclosure
under HIPAA
other than for treatment, covered entities must make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary in order to accomplish the intended purpose
When can covered entities disclose PHI to a business associate?
only if the covered entity ensures the BA is bound by all obligations applicable to the covered entity, including the minimum necessary standards
Define:
access and accountings of disclosures
under HIPAA
individuals have the right to:
- access and copy their own PHI, kept in a “designated record set,” from a covered entity or a business associate
- receive an accounting of certain disclosures of their PHI that have been made
Define:
designated record set
fairly broad definition, including a patient’s medical records and billing records, or other records used by the covered entity to make decisions about individuals
Define:
right to amend
- right to amend PHI possessed by a covered entity
- if covered entity denies request to amend PHI, individual may file a statement that must then be included in any future use or disclosure of the information
Define:
safeguards
HIPAA
covered entities must implement administrative, physical, and technical safeguards to protect the confidentiality and integrity of all PHI
Define:
accountability
HIPAA
covered entities are subject to a set of administrative requirements, including:
- must designate a privacy official who is responsible for development and implementation of privacy protections
- personnel must be trained, and complaint procedures must be in place
- enforcement by agencies (e.g., the Office for Civil Rights in HHS)
Privacy Rule doesn’t apply to…
HIPAA
- deidentified information
- medical research: research can occur with the consent of the individual, or without consent if an authorized entity such as an institutional review board approves the research as consistent with the Privacy Rule and the general rules covering research on human subjects
- information used for public health activities
- disclosures to report victims of abuse, neglect, or domestic violence
- disclosures in judicial and administrative proceedings
- disclosures for certain law enforcement activities
- disclosures for specialized governmental functions
Define:
deidentified information
HIPAA
information that does not actually identify an individual and where there is no reasonable basis to believe that the information can be used to identify an individual
How is information deidentified under HIPAA?
- remove all of the 18 data elements listed in the rule, or
- have an expert certify that the risk of reidentifying the individuals is very small
Disclosure of PHI for law enforcement purposes is…
HIPAA
allowed but not required
The HIPAA Security Rule consists of…
- standards
- implementation specifications
Implementation specifications can be…
under HIPAA
- required or
- addressable: the covered entity/BA assesses whether the specification is an appropriate safeguard for the entity to adopt (if not, it must document why it is not reasonable and, if appropriate, adopt an alternative)
HIPAA Security Rule requires…
covered entities and business associates must, using any security measures that allow them to reasonably and appropriately implement the standards and implementation specifications:
- ensure confidentiality, integrity and availability of all ePHI the covered entity or the BA creates, receives, maintains or transmits
- protect against any reasonably anticipated threats or hazards to the security or integrity of the ePHI
- protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule
- ensure compliance with the Security Rule by its workforce