HIPAA Flashcards

1
Q

Covered Entities

A

(1) health plans
(2) health care clearinghouses
(3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards (e.g., doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies)

2
Q

Business Associates

A

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

3
Q

PHI (protected health information)

A

Protected health information is information, including demographic information, which relates to:

  • the individual’s past, present, or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.
4
Q

De-identification and its Rationale

A

The process of removing identifiers from health information.

Lowers privacy risks for individuals and supports the secondary use of data for comparative effectiveness studies, policy assessment, life sciences research, and other endeavors. (see more: https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html)

5
Q

If a CSP (cloud service provider) stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?

A

HHS says yes, because the CSP receives and maintains ePHI for a covered entity or another business associate.

6
Q

What is required for FP to be HIPAA compliant?

A
  1. Downstream BAAs with all vendors that customer data touches or might touch
  2. Locked down cloud infrastructure
  3. Access logs kept forever
  4. All employees trained on HIPAA compliance
7
Q

What makes something PHI vs just health data? Why is health data in Strava not considered PHI, but health data in Modern Health is considered PHI?

A

There’s no covered entity with Strava, or other consumer health apps. Modern Health is a covered entity. (might need more information on this)

8
Q

How does de-identification work? How is this different from encrypting PHI?

A

There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual.

There are two ways to de-identify information: either (1) a formal determination by a qualified statistician, or (2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers; the second method is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.

Encrypted data can still be identified; it just requires the private key to do so.

9
Q

What are the HIPAA Compliant Tools?

A
  1. Amplitude
  2. Mixpanel
  3. Heap
  4. Pendo
  5. Tealium
10
Q

How much does Amplitude cost to get a BAA signed?

A

Minimum 60-75k / year

11
Q

What tools AREN’T HIPAA Compliant?

A

Segment & Rudderstack

12
Q

What makes something PHI vs just health data? Why is health data in Strava not considered PHI, but health data in Modern Health is considered PHI?

A

Health data that is not shared with a covered entity, or that is not personally identifiable, doesn’t count as PHI. For example, heart rate readings or blood sugar level readings without PII.

Because Strava isn’t a covered entity and consumers are choosing to collect the information for their own use, it is not PHI.

13
Q

How do you determine if a company needs to be HIPAA compliant?

A

Does it fall under a covered entity?

  1. Health plan
  2. Health care provider
  3. Health care clearinghouse
14
Q

How do you determine if the company is violating HIPAA?

A

Use Segment Event Tracker (Chrome Extension)

15
Q

What is considered PHI? What is not considered PHI?

A

https://mobisoftinfotech.com/resources/blog/what-is-phi-and-what-is-not-phi/

16
Q

What is the Safe Harbor for de-identification of PHI?

A

The requirements of the HIPAA safe harbor de-identification process become fully satisfied if, and only if, after the removal of the specific identifiers, the covered entity has no actual knowledge that the remaining information could be used to identify the patient. Once protected health information has been de-identified, it is no longer considered to be PHI; as such, there are no longer restrictions on its use or disclosure. By definition, de-identified health information neither identifies nor provides a reasonable basis to identify a patient.

17
Q

Why does ID Masking satisfy the Safe Harbor requirement for de-identification of PHI, instead of being considered encrypted PHI?

A

ID Masking is a form of hashing, which isn’t the same as encryption.

ID masking adds a random string to the input and then hashes it. That means every output is unique, and there is no way to use a key to “un-hash” it.

18
Q

What does HIPAA mode do to a customer’s Freshpaint account + destination integrations?

A

a. Places product analytics integrations into server-side ONLY mode (so that IP addresses, etc. are not collected by the destination: Mixpanel, Amplitude, etc.)
b. Enables the Allowlist for event properties and user properties

19
Q

How does FP’s ID Masking Work?

A
  1. Freshpaint builds/updates customer profiles
  2. Freshpaint sends customer profiles to HIPAA compliant destinations normally
  3. For non-HIPAA compliant destinations, we cryptographically hash user identifiers and send them server-side, so no PHI is shared with the downstream tool.
  4. You still get: identity resolution, user-level granularity, group by properties, etc.
  5. Meets HHS’s Safe Harbor criteria for de-identification of PHI
20
Q

What are FPs Enforced Allow Lists?

A
  1. Designate destinations that are HIPAA compliant
  2. Allowlist properties that are safe to go to HIPAA-compliant destinations
  3. Freshpaint screens data as it comes in
  4. Freshpaint blocks PHI metadata from going to any destination not allowlisted