HIPAA Flashcards

1
Q

Who must follow HIPAA?

A

HIPAA applies to “covered entities” which include:

1) Health Plans – health insurance companies, HMOs, company health plans, government health care programs like Medicare, Medicaid, military and veterans health care programs

2) Data Clearinghouses – entities that process non standardized health information they receive from other entities into a standard format (e.g. middleman between providers and health plans, etc.)

3) Health Care Providers – physicians, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies – only affects providers who transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard

2
Q

Who must follow HIPAA?
– In addition to “covered entities,” HIPAA also applies to…

A

“business associates”

An entity or person who performs functions or activities involving the use or disclosure of protected health information on behalf of or providing services to a covered entity

Examples: third party administrators assisting health plans with claims processing, attorneys, CPA firms and accountants, medical transcriptionists, pharmacy benefits managers,

3
Q

HIPAA applies to “covered entities” which include:

A
  1. Health Plans
  2. Clearinghouses
  3. Health Care Providers, including pharmacists
  4. Business Associates who assist covered entities with provision of health care
4
Q

Protected Health Information (PHI)

A

Information protected under HIPAA

Includes all health care information related to a patient's health/condition, treatment/care, payment and any information that identifies or could be reasonably expected to identify the patient

5
Q

Examples of Protected Health Information

A

Names and addresses
Dates (birth, admit/discharge, death)
Phone/fax numbers
Email address
Social security number
Medical record number
Health plan beneficiary number
Account numbers
Certificate/license numbers
Vehicle identification numbers (VIN) and serial numbers, license plate numbers
URL address
IP address
Device identifiers
Biometric identifiers (fingerprints, voice print)
Full face photos/images
Any other unique identifying numbers, characteristics or code

6
Q

HIPAA is an establishment of national standards for

A
  • electronic health care transactions and national provider identifier (NPI) number
  • rules on security and privacy of health care information
7
Q

security

A

protects information (confidentiality and availability)

8
Q

Privacy

A

patients' rights and how their information may be used

9
Q

Health Information Technology for Economic and Clinical Health Act (HITECH)

A
  • amends HIPAA
  • requires breach notification
10
Q

How is PHI defined in 45 CFR 160.103?

A
  • individually identifiable health information
  • transmitted or maintained by electronic media or in any form or medium
  • by a covered entity or business associate
11
Q

How must pharmacies provide notice of privacy practices?

A
  • in paper on the first day patient uses the pharmacy (must be sent electronically)
  • posted in a prominent location in the pharmacy and provided if requested by any person (not limited to patients)
  • on the pharmacy’s website
12
Q

Knowledge of Notice

A
  • must acquire written acknowledgment from the patient that they received the information
  • one acknowledgment per person, once!
  • allowed to refuse to sign and pharmacy cannot refuse to serve (document a good faith effort)
  • signatures kept in logbook
  • may mail notice to patient and request it be sent back
  • can be sent electronically
13
Q

Is it a violation if pharmacy made a good faith effort for acknowledgment from patient and documented they tried?

A

It is not considered a violation as long as the pharmacy tried to obtain it and documented that they tried

14
Q

Who is able to sign the patient acknowledgment?

A
  • personal representatives (parent-child, legal guardian, power of attorney)
  • others may pick up prescriptions, but not permitted to sign the acknowledgment if they are not personal representatives
15
Q

Do children under 18 have to sign the acknowledgment?

A

No

16
Q

How long should records of signatures for acknowledgment be kept?

A

6 years from date signed or from the date the last prescription for the patient was dispensed

17
Q

When should pharmacy employees use or disclose health information?

A

for treatment, payment, regular health care operations

18
Q

How much PHI can the Pharmacy Disclose?

A
  • “minimum necessary amount”
  • the amount needed to carry out the service you are engaging in for the patient
19
Q

What are the exceptions where a pharmacist may disclose PHI?

A
  • communication to the patient
  • communication with other health care providers treating the patient
  • if patient authorizes disclosure
  • as required by HHS to determine compliance and enforce HIPAA
  • if required by law
20
Q

When are incidental disclosures permitted?

A
  • they couldn’t be reasonably prevented
  • are limited in nature
  • unintended byproduct of a permitted disclosure
22
Q

Pharmacists are not liable for incidental disclosures if they have “reasonable safeguards” in place. What are reasonable safeguards?

A
  • administrative
  • technical
  • physical

Ex: Patients in waiting area may overhear pharmacist counseling another patient

23
Q

Is it a violation to call out a patient's name if they are waiting for a prescription?

A

No

24
Q

Can a pharmacist leave a phone message for the patient?

A

Yes, but must be careful about what they disclose; limit to only minimum necessary information

do not use the name of the medication

24
Q

Privacy Rule permits use and disclosure of protected health information without the patient's permission

A
  • serious threats to health or safety
  • public health activities
  • exposed to a communicable disease or at risk of contracting or spreading the disease or condition
  • employers concerning information on work related illness to comply with OSHA
  • school reporting proof of immunization of students required by state
  • victims of abuse
  • judicial and administrative proceedings
  • law enforcement and specialized military purposes
  • research purposes
  • decedents
  • tissue donations
  • workers’ compensation benefit programs
25
Q

Covered entities are required to develop reasonable policies and procedures for PHI disposal. How should PHI be disposed of?

A
  • shred or burn paper with PHI
  • using opaque bags in secured location prior to pickup
  • clearing/destroying electronic information
26
Q

Breach notification is required if analysis shows a breach. How must a PHI breach be notified?

A
  • Affected individuals must be notified “without reasonable delay” but within 60 days of discovery
  • If less than 500 individuals affected, pharmacy must notify HHS within 60 days of discovery
  • If more than 500 individuals affected, pharmacy must notify media within 60 days and HHS immediately
27
Q

What are the exceptions to marketing PHI restrictions?

A
  • communications by a covered entity about its own products or services
  • communications made for treatment of the individual
  • communications made for case management/care coordination or recommendations on alternative treatments and health care providers
28
Q

Refill reminder exceptions (marketing and PHI)

A
  • communication must be about a currently prescribed drug or biologic
  • communication involves financial remuneration that is reasonably related to the covered entity’s cost of making the communication
29
Q

What examples DO fall under the refill reminder exception (marketing and PHI) ?

A
  • refill reminder
  • communications about generic equivalents of a drug being prescribed
  • communications about recently lapsed prescription (within the last 90 days)
  • adherence communications
30
Q

What examples DO NOT fall under the refill reminder exception (marketing and PHI) ?

A
  • specific new formulations of a currently prescribed medication
  • specific adjunctive drugs related to the currently prescribed medication
  • encouraging an individual to switch from a prescribed medicine to alternative medicine
31
Q

Must all pharmacy employees be trained regarding HIPAA?

A

Yes. Document completion of training

Must also notify patients of their privacy rights and how their information can be used. (public notices must be publicly available)

32
Q

Cures Act

A

encourages access and exchange of PHI to appropriate parties
-sharing info with friends and family
-research
-mental health

33
Q

What may be done by a health provider if a patient is not present or incapacitated?

A

a health provider may share the patient's information with family, friends, or others involved in the patient's care or payment for care

as long as the health care provider determines, based on professional judgment, that doing so is in the best interest of the patient

34
Q

When a patient is not present or unable to agree or object to disclosure due to incapacity or emergency circumstances, what is the health care provider permitted to do?

A

determine whether disclosing a patient’s information to the patient’s family, friends, or other persons involved in the patient’s care or payment for care, is in the best interests of the patient

  • disclose only the PHI that is directly relevant to the person’s involvement in the patient’s care or payment for care
35
Q

If the patient is present and has the capacity to make health care decisions, can the healthcare provider discuss the patient’s health information with the patient’s family, friends, or others involved in the patient’s care or payment for care?

A

Yes, if the patient agrees or, given the opportunity, doesn’t object

36
Q

HIPAA does not require that a health care provider document the patient's agreement or lack of objection, but?

A

a provider may choose to document a patient's agreement to share information with a family member, friend or other person in writing

37
Q

How may a patient's health information be shared with a friend, family member or other person?

A

face to face, over the phone, or in writing

38
Q

Does HIPAA require proof of identity if the caller states that he or she is a family member or friend of the patient?

A

No, must be reasonably sure

39
Q

If a patient brings a family member along as an interpreter, can you disclose the information to this family member?

A

YES, if the patient agrees, or does not object, or you determine in your professional judgment, that the patient does not object

40
Q

HIPAA allows covered health care providers to share a patient’s health information with an interpreter without the patient’s written authorization under the following circumstances:

A
  • employee interpreters
  • contracted phone service interpreters
  • family member interpreters
41
Q

A patient with severe mental illness has stopped taking a prescribed medication. Can the provider tell the patient’s family members?

A

If patient doesn’t object, yes

If patient lacks capacity in provider’s professional judgment and sharing would be in best interest of patient, the provider may tell a family member and can only disclose necessary information

Cannot share if patient has capacity and objects, unless the provider has a good faith belief the patient poses a threat to the health or safety of the patient or others and the family member is reasonably able to prevent or lessen that threat

42
Q

A health care provider is permitted to share patient information with a patient’s personal representative under the Privacy Rule unless there is an exception. What is the exception?

A
  • State law doesn’t require parental consent for a particular health service and the child consents to treatment and doesn’t request a parent be treated as a personal representative
  • Parent agrees to confidential relationship between provider and child
  • Provider believes there are safety concerns (violence, abuse, or neglect) and in their professional judgment it is not in the best interest of the patient to treat the parent as a personal representative
43
Q

What does the Privacy Rule permit in response to a law enforcement official’s request ?

A

a HIPAA covered entity, such as a hospital, to disclose certain protected health information, including the date and time of admission and discharge, for the purpose of locating or identifying a suspect, fugitive, material witness, or missing person

44
Q

Does provider have a duty to warn family or law enforcement that a patient might hurt themselves?

A

The mental healthcare providers’ “duty to warn” is based on the Tarasoff v. Regents of University of California case (guy threatens to kill ex-girlfriend)

Florida law allows mental health professionals to disclose patient communications necessary to warn potential victims or communicate the threat to law enforcement if the patient has made an actual threat to physically harm a victim and the professional makes a clinical judgment that the patient has an apparent capability to commit this act and it is more likely than not that they will carry it out in the near future.

45
Q

Notifying family, friends, or caregivers about a patient’s overdose from opioid misuse? May notify family, friends, or caregivers (FFC) if:

A
  • Patient was given opportunity to object and doesn’t object
  • The FFC have been involved in patient's care or payment for care and patient has not objected
  • Professional judgment of provider that it's in the best interest of patient if patient is incapacitated
  • Notification is necessary to prevent serious or imminent threat to health or safety of patients or others
  • Can notify using professional judgment due to patient unavailability in an emergency situation
  • If patient is deceased, may disclose info to FFC indecent stated preferences not to disclose at some point prior to their death
46
Q

What are the HIPAA Security Rule guidelines in telemedicine?

A

– Only authorized users should have access to ePHI

– A system of secure communication should be implemented to protect the integrity of ePHI

– A system of monitoring communications containing ePHI should be implemented to prevent accidental or malicious breaches

47
Q

Health care providers should perform a security risk assessment when choosing a technology provider and use technology that has:

A

fully encrypted data

peer to peer secure network connection

must address storage of video / obtain a system that does not store it on their server, or if they do, they are protected

the technology provider should be willing to enter into a business associate agreement (BAA) with the health care provider
