HIPAA Flashcards

0
Q

What is HIPAA?

A

Federally mandated guidelines signed into law in 1996

1
Q

What does HIPAA stand for?

A

Health Insurance Portability And Accountability Act… of 1996

2
Q

Pertaining to HIPAA, what is required by all healthcare providers and claims processors?

A

To use the same insurance coding systems

3
Q

What is universal coding designed to do?

A

Reduce administrative costs for providers and payers.

4
Q

What are the 3 sections of HIPAA?

A
  • Transaction Code Sets
  • Security
  • Privacy
5
Q

What are transaction code sets?

A

Mandated requirement of standards that allow for data interchange through one common format (i.e., ICD9 or CPT).

6
Q

What does the security aspect entail?

A

Protecting access to health information, including computer systems and electronic transmission.

7
Q

What does privacy affect and how might one ensure it is honored?

A

It affects how physicians practice and function - to be aware of any conversations regarding a patient. You must make every attempt to keep patient information secure.

8
Q

What is the difference between privacy and confidentiality?

A

PRIVACY - Right of individual to control personal information and not have it used or disclosed without permission.

CONFIDENTIALITY - Obligation of another party to respect privacy by protecting personal information.

9
Q

What does PHI stand for and what does it mean?

A

Protected Health Information - All health information that can reasonably be identified with a specific patient, including past, present, or future conditions and/or payments of an individual.

10
Q

What is a covered entity?

A

All healthcare providers and businesses regulated under HIPAA, including providers, health plans (HMOs), and healthcare clearinghouses.

11
Q

(True or False) The Dept. of Health and Human Services recognizes that the hospital and the privileged physicians must be able to share PHI for treatment purposes, payment and for their joint healthcare operations.

A

True

12
Q

Does every individual have a right to review or receive a copy of their own PHI?

A

NO. An exception would be when it is determined to be in the best interest of the patient to NOT have a copy… An example would be providing medical records to a mental health patient.

13
Q

When might an individual’s right to access PHI be suspended?

A

When consenting to participate in a clinical research trial, provided the participant agreed to the denial of access. The right to access PHI will be reinstated at the conclusion of the clinical trial.

14
Q

(True or False) Covered entities may use/disclose PHI for research when an individual’s authorization is not obtained.

A

True. This is allowed when the covered entity obtains a documented Institutional Review Board (IRB) or Privacy Board approval.

15
Q

Individuals have the right to request an amendment to their medical record. Who reviews this request?

A

The institution or department involved in the request.

16
Q

If the request to amend PHI is permitted, what is done next?

A

A notation is made on the file that the record has been amended.

17
Q

If the request to amend PHI is denied, what happens next?

A

The patient has the right to write up his/her perspective regarding the PHI in controversy. This write up is kept on file and used whenever the PHI in controversy is used/disclosed.

18
Q

An accounting of PHI disclosure gives an individual the ability to inquire about disclosures of their PHI not used for treatment, payment, or operations. What is included in the accounting and how often will it be provided?

A

The accounting will include:

  • To whom PHI was disclosed
  • What was disclosed
  • When it was disclosed

Each patient is allowed 1 accounting per 12-month period without charge.

19
Q

When might PHI disclosure supersede privacy?

A
  • Required by public policy
  • Court orders
  • Workman’s compensation
20
Q

What are some examples of disclosure based on public policy?

A

These include reporting abuse and violence, communicable diseases, infection control, and subpoenas.

21
Q

What does NPP stand for and what does it mean?

A

Notice of Privacy Practice - Document summarizing the “covered entity’s” policy and procedures for disclosing PHI and the patient’s rights under HIPAA.

22
Q

When is an NPP presented to a patient?

A

Prior to performance of services by a healthcare provider. And in an emergency it must be presented to the patient as soon as the emergency has resolved and is practical.

23
Q

What is the role of the NPP?

A

It allows a covered entity to use/disclose PHI, without a patient’s explicit authorization, solely for Treatment Payment Operations (TPO). This includes…

1) TREATING the patient
2) Obtaining PAYMENTS for services provided to the patient
3) Performing standard OPERATIONS (Quality Assurance)

24
Q

A good faith effort must be made to obtain the patient’s signature acknowledging presentation of the NPP, but what must be done if a patient refuses to sign?

A

The person presenting the NPP must document that it was presented but the patient refused to sign the acknowledgement.

25
Q

(True or False) If an NPP has been presented to a patient but they refuse to sign, PHI can still be used/disclosed for limited purposes.

A

True

26
Q

Besides TPO, what are some other examples of why to obtain patient authorization?

A
  • Requests for transfer of medical records
  • Requests from life insurance companies
  • Requests from lawyers
  • Patients must specifically authorize to release genetic, HIV/AIDS (except as required by public policy) and mental health information.
27
Q

HIPAA requires that only the “minimum necessary” PHI be obtained/used/disclosed except in what 3 instances?

A

1) Disclosures to/requests by healthcare providers for treatment purposes
2) Disclosure to the individual who is the subject of the PHI
3) Uses or disclosures required by law

28
Q

Who determines the authority of personal representatives?

A

State law

29
Q

What is a personal representative?

A

An individual granted legal authority to make healthcare decisions for adults or emancipated minors, parents and guardians. (Healthcare proxy, Estate executor)

30
Q

Who should not be included as a personal representative?

A

Nannies, babysitters, or anyone that does not meet state requirements, or is not court ordered.

31
Q

Can a physician discuss a patient’s condition with family or the patient’s friends involved in the individual’s care?

A

Yes, unless the patient objects

32
Q

(True or False) Healthcare professionals may not discuss a patient’s condition via phone with the patient, a provider, or a family member.

A

False. They can unless a patient restricts such discussion.

33
Q

(True or False) Healthcare professionals may discuss a patient’s condition during training rounds in an academic or training institution.

A

True

34
Q

What are “reasonable precautions”?

A
  • Speak using lowered voices or talking apart from others when sharing PHI.
  • In an area where frequent patient-staff communication occurs, use cubicles, divider shields, curtains or similar barriers.
35
Q

(True or False) Reasonable precautions must be taken to minimize the chance of incidental disclosure to others who may be nearby.

A

True

36
Q

What reasonable safeguards should be used to protect PHI?

A
  • Limit amount of information left on answering machines.
  • Use professional judgment as to whether leaving specific information with a family member, or other person in the household, is in the best interest of the individual and remember to limit the information disclosed.
37
Q

(True or False) If an individual requests communication in a confidential manner, such as by alternative means or alternative location, the Covered Entity does not have to accommodate the request.

A

False. If the request is reasonable, the Covered Entity must accommodate it.

38
Q

(True or False) HIPAA permits hospitals and disaster relief agencies to notify family members when a loved one has been admitted to a hospital or involved in a disaster.

A

True

39
Q

If the patient has not requested that information be withheld, can you release the condition of the patient to someone who asks?

A

Yes, but only using one-word terminology (undetermined, good, fair, serious, or critical).

40
Q

If the patient has not requested that information be withheld, when can you release the location of the patient?

A

When individuals inquire about the patient BY NAME, or to clergy without obtaining prior patient authorization.

41
Q

What should be done with media requests for information?

A

Refer them to a hospital representative or hospital public relations representative.

42
Q

What are the penalties for disclosure of PHI or violation of a provision?

A
  • Single violation of a provision = $100 fine
  • Multiple violations of a single provision in a year = up to $25,000 fine

43
Q

What are the penalties for knowingly using a unique identifier, or obtaining/disclosing PHI?

A
  • A fine of not more than $50,000
    AND/OR
  • Imprisonment of not more than 1 year
44
Q

What are the penalties for knowingly using a unique identifier, or obtaining/disclosing PHI under false pretenses?

A
  • A fine of not more than $100,000
    AND/OR
  • Imprisonment of not more than 5 years
45
Q

What are the penalties for intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm?

A
  • A fine of not more than $250,000
    AND/OR
  • Imprisonment of not more than 10 years
46
Q

What government agencies oversee HIPAA?

A
  • Center for Medicare and Medicaid Services (CMS)
  • Office for Civil Rights (OCR)

47
Q

Does HIPAA prohibit faxing of PHI?

A

No, but there should be appropriate administrative, technical, and physical safeguards in place to protect the privacy of PHI.