HIPAA Flashcards
Who must follow HIPAA?
HIPAA applies to “covered entities” which include:
1) Health Plans – health insurance companies, HMOs, company health plans, government health care programs like Medicare, Medicaid, military and veterans health care programs
2) Data Clearinghouses – entities that process non-standardized health information they receive from other entities into a standard format (e.g. a middleman between providers and health plans, etc.)
3) Health Care Providers – physicians, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies – only affects providers who transmit any information in electronic form in connection with a transaction for which HHS has adopted a standard
Who must follow HIPAA?
– In addition to “covered entities,” HIPAA also applies to…
“business associates”
An entity or person who performs functions or activities involving the use or disclosure of protected health information on behalf of, or providing services to, a covered entity
Examples: third party administrators assisting health plans with claims processing, attorneys, CPA firms and accountants, medical transcriptionists, pharmacy benefits managers
HIPAA applies to “covered entities” which include:
- Health Plans
- Clearinghouses
- Health Care Providers, including pharmacists
- Business Associates who assist covered entities with the provision of health care
Protected Health Information (PHI)
Information protected under HIPAA
Includes all health care information related to a patient's health/condition, treatment/care, payment and any information that identifies or could be reasonably expected to identify the patient
Examples of Protected Health Information
Names and addresses
Dates (birth, admit/discharge, death)
Phone/fax numbers
Email address
Social security number
Medical record number
Health plan beneficiary number
Account numbers
Certificate/license numbers
Vehicle identification numbers (VINs), serial numbers and license plate numbers
URL addresses
IP address
Device identifiers
Biometric identifiers (fingerprints, voice prints)
Full face photos/images
Any other unique identifying numbers, characteristics or codes
HIPAA establishes national standards for
- electronic health care transactions and the national provider identifier (NPI) number
- rules on the security and privacy of health care information
Security
protects information (confidentiality and availability)
Privacy
patients' rights and how their information may be used
Health Information Technology for Economic and Clinical Health Act (HITECH)
- amends HIPAA
- requires breach notification
How is PHI defined in 45 CFR 160.103?
- individually identifiable health information
- transmitted or maintained by electronic media or in any form or medium
- by a covered entity or business associate
How must pharmacies provide notice of privacy practices?
- on paper on the first day the patient uses the pharmacy (must be sent electronically)
- posted in a prominent location in the pharmacy and provided on request to any person (not limited to patients)
- on the pharmacy’s website
Knowledge of Notice
- must acquire written acknowledgment from the patient that they received the information
- one acknowledgment per person, once!
- the patient is allowed to refuse to sign and the pharmacy cannot refuse to serve them (document a good faith effort)
- signatures kept in logbook
- may mail the notice to the patient and request it be sent back
- can be sent electronically
Is it a violation if pharmacy made a good faith effort for acknowledgment from patient and documented they tried?
It is not considered a violation as long as the pharmacy tried to obtain it and documented that they tried
Who is able to sign the patient acknowledgment?
- personal representatives (parent-child, legal guardian, power of attorney)
- others may pick up prescriptions, but are not permitted to sign the acknowledgment if they are not personal representatives
Do Children under 18 have to sign the acknowledgment?
No
How long should records of signatures for the acknowledgment be kept?
6 years from the date signed or from the date the last prescription for the patient was dispensed
When should pharmacy employees use or disclose health information?
for treatment, payment, regular health care operations
How much PHI can the Pharmacy Disclose?
- “minimum necessary amount”
- the amount needed to carry out the service you are engaging in for the patient
What are the exceptions where a pharmacist may disclose PHI?
- communication to the patient
- communication with other health care providers treating the patient
- if patient authorizes disclosure
- as required by HHS to determine compliance and enforce HIPAA
- if required by law
When are incidental disclosures permitted?
- they couldn’t be reasonably prevented
- are limited in nature
- they are an unintended byproduct of a permitted disclosure
Pharmacists are not liable for incidental disclosures if they have “reasonable safeguards” in place. What are reasonable safeguards?
- administrative
- technical
- physical
Example: patients in the waiting area may overhear the pharmacist counseling another patient
Is it a violation to call out a patient's name if they are waiting for a prescription?
No
Can a pharmacist leave a phone message for the patient?
Yes, but must be careful about what they disclose; limit it to only the minimum necessary information
Do not use the name of the medication
The Privacy Rule permits use and disclosure of protected health information without the patient's permission for:
- serious threats to health or safety
- public health activities
- persons exposed to a communicable disease or at risk of contracting or spreading the disease or condition
- employers, concerning information on work-related illness, to comply with OSHA
- schools, for proof of immunization of students as required by the state
- victims of abuse
- judicial and administrative proceedings
- law enforcement and specialized military purposes
- research purposes
- decedents
- tissue donations
- workers’ compensation benefit programs
Covered entities are required to develop reasonable policies and procedures for PHI disposal. How should PHI be disposed of?
- shred or burn paper with PHI
- use opaque bags in a secured location prior to pickup
- clearing/ destroying electronic information
Breach notification is required if analysis shows a breach. How must a PHI breach be notified?
- Affected individuals must be notified “without unreasonable delay” but within 60 days of discovery
- If fewer than 500 individuals are affected, the pharmacy must notify HHS within 60 days of discovery
- If more than 500 individuals are affected, the pharmacy must notify the media within 60 days and HHS immediately
What are the exceptions to marketing PHI restrictions?
- communications by a covered entity about its own products or services
- communications made for treatment of the individual
- communications made for case management/care coordination or recommendations on alternative treatments and health care providers
Refill reminder exceptions (marketing and PHI)
- the communication must be about a currently prescribed drug or biologic
- the communication involves financial remuneration that is reasonably related to the covered entity's cost of making the communication
What examples DO fall under the refill reminder exception (marketing and PHI) ?
- refill reminder
- communications about generic equivalents of a drug being prescribed
- communications about a recently lapsed prescription (within the last 90 days)
- adherence communications
What examples DO NOT fall under the refill reminder exception (marketing and PHI) ?
- specific new formulations of a currently prescribed medication
- specific adjunctive drugs related to the currently prescribed medication
- encouraging an individual to switch from a prescribed medicine to an alternative medicine
Must all pharmacy employees be trained regarding HIPAA?
Yes. Document completion of training.
Must also notify patients of their privacy rights and how their information can be used (public notices must be publicly available)
Cures Act
encourages access and exchange of PHI to appropriate parties
- sharing info with friends and family
- research
- mental health
What may be done by a health provider if a patient is not present or incapacitated?
A health provider may share the patient's information with family, friends, or others involved in the patient's care or payment for care,
as long as the health care provider determines, based on professional judgment, that doing so is in the best interest of the patient
When a patient is not present or unable to agree or object to a disclosure due to incapacity or emergency circumstances, what is the health care provider permitted to do?
- determine whether disclosing the patient's information to the patient's family, friends, or other persons involved in the patient's care or payment for care is in the best interests of the patient
- disclose only the PHI that is directly relevant to the person's involvement in the patient's care or payment for care
If the patient is present and has the capacity to make health care decisions, can the healthcare provider discuss the patient’s health information with the patient’s family, friends, or others involved in the patient’s care or payment for care?
Yes, if the patient agrees or, given the opportunity, doesn't object
HIPAA does not require that a health care provider document the patient's agreement or lack of objection, but?
A provider may choose to document a patient's agreement to share information with a family member, friend or other person in writing
How may a patient's health information be shared with a friend, family member or other person?
face to face, over the phone, or in writing
Does HIPAA require proof of identity if the caller states that he or she is a family member or friend of the patient?
No, but the provider must be reasonably sure
If a patient brings a family member along as an interpreter, can you disclose the information to this family member?
Yes, if the patient agrees, or does not object, or you determine in your professional judgment that the patient does not object
HIPAA allows covered health care providers to share a patient’s health information with an interpreter without the patient’s written authorization under the following circumstances:
- employee interpreters
- contracted phone service interpreters
- family member interpreters
A patient with severe mental illness has stopped taking a prescribed medication. Can the provider tell the patient’s family members?
If patient doesn’t object, yes
If the patient lacks capacity in the provider's professional judgment and sharing would be in the best interest of the patient, the provider may tell a family member and can only disclose necessary information
Cannot share if the patient has capacity and objects, unless the provider has a good faith belief that the patient poses a threat to the health or safety of the patient or others and the family member is reasonably able to prevent or lessen that threat
A health care provider is permitted to share patient information with a patient's personal representative under the Privacy Rule unless there is an exception. What are the exceptions?
- State law doesn’t require parental consent for a particular health service and the child consents to treatment and doesn’t request a parent be treated as a personal representative
- Parent agrees to confidential relationship between provider and child
- Provider believes there are safety concerns (violence, abuse, or neglect) and in their professional judgment it is not in the best interest of the patient to treat the parent as a personal representative
What does the Privacy Rule permit in response to a law enforcement official's request?
A HIPAA covered entity, such as a hospital, may disclose certain protected health information, including the date and time of admission and discharge, for the purpose of locating or identifying a suspect, fugitive, material witness, or missing person
Does a provider have a duty to warn family or law enforcement that a patient might hurt themselves?
The mental health care provider's “duty to warn” is based on the Tarasoff v. Regents of University of California case (a patient threatened to kill his ex-girlfriend)
Florida law allows mental health professionals to disclose patient communications necessary to warn potential victims or communicate the threat to law enforcement if the patient has made an actual threat to physically harm a victim and the professional makes a clinical judgment that the patient has an apparent capability to commit this act and it is more likely than not that they will carry it out in the near future.
Notifying family, friends, or caregivers (FFC) about a patient's overdose from opioid misuse? A provider may notify FFC if:
- Patient was given opportunity to object and doesn’t object
- The FFC have been involved in the patient's care or payment for care and the patient has not objected
- In the professional judgment of the provider it is in the best interest of the patient, if the patient is incapacitated
- Notification is necessary to prevent a serious or imminent threat to the health or safety of the patient or others
- Can notify using professional judgment due to patient unavailability in an emergency situation
- If the patient is deceased, may disclose info to FFC unless the decedent stated a preference not to disclose at some point prior to their death
What are the HIPAA Security Rule guidelines in telemedicine?
- Only authorized users should have access to ePHI
- A system of secure communication should be implemented to protect the integrity of ePHI
- A system for monitoring communications containing ePHI should be implemented to prevent accidental or malicious breaches
Health care providers should perform a security risk assessment when choosing a technology provider and use technology that has:
- fully encrypted data
- a peer-to-peer secure network connection
- must address storage of video: obtain a system that does not store it on the provider's server, or if it does, ensure the stored video is protected
- the technology provider should be willing to enter into a business associate agreement (BAA) with the health care provider