HIPAA Flashcards

1
Q

What does it stand for

A

Health insurance portability and accountability act

2
Q

HIPAA requires health care organizations to protect the

A

confidentiality, integrity, and availability of patients' protected health information (PHI)

3
Q

HIPAA provides legal

A

protections for patients relative to their PHI

4
Q

HIPAA complements or strengthens

A

state law protections

5
Q

PHI and ePHI are protected when

A

It is confidential
It has integrity
It is available

6
Q

PHI and ePHI are protected when - it is confidential when

A

the info is accessible only by authorized people and processes

7
Q

PHI and ePHI are protected when - it has integrity when

A

the info hasn’t been inappropriately altered or destroyed

8
Q

PHI and ePHI are protected when - it is available when

A

the info is available when needed

9
Q

HIPAA applies to

A

covered entities
CE's workforce
CE's business associates

10
Q

Covered entities include

A

health care providers, health plans, health care clearinghouse

11
Q

CE's workforce

A

employees, medical staff, contractors, residents, students and volunteers

12
Q

CE's business associates

A

entities that handle PHI on behalf of the CE

13
Q

DMU's HIPAA responsibilities

A

Legal obligation as a CE (our clinics and research)
Educational mission (prepare students for workplace)
14
Q

Students at DMU are considered

A

part of the CE workforce

15
Q

PHI

A

Individually identifiable information that is created or received by a CE and relates to the past, present or future physical or mental health or condition, the provision of health care, or payment for health care

16
Q

PHI in any form is

A

private and protected under HIPAA and state laws

17
Q

EX of PHI and ePHI

A

Content of medical record or billing
Photo of pt injury
Diagnostic imaging
Fact that patient is scheduled for a visit
Type of insurance a patient has
Demographic info in records (name, address, account number, social, phone number)

18
Q

Identifiable info

A

Name, addresses, date of service, phone, fax, social, health plan ID, medical record #, email, relatives' names, voice, fingerprints, photo, IP addresses, employer, device serial #, other numbers and codes

19
Q

HIPAA is a statute of

A

prohibition

20
Q

HIPAA is a statute of prohibition - you are prohibited from

A
  1. accessing or using PHI unless the use fits into an exception or is explicitly permitted - treatment, payment, healthcare operations
  2. disclosing PHI to third party unless disclosure fits into an exception or is explicitly permitted (if no exception, patient signed authorization is required)
21
Q

Common exceptions to accessing, using, or disclosing

A

Provision, coordination or management of health care
Consultation between a pt's health care providers
Referral of patient between providers
Disclosure to family or friends involved in the patient's care - unless patient objects

22
Q

Common exceptions to accessing, using, or disclosing - payment

A

Eligibility determinations
Precertification for services
Coverage
Billing
Claims management
Collection activities
Utilization review
23
Q

Common exceptions to accessing, using, or disclosing - operations

A

Business management and administrative functions such as risk management, compliance, customer service
Quality assessment and improvement activities
Accreditation
Medical review
NOT MARKETING OR FUNDRAISING

24
Q

Common exceptions to accessing, using, or disclosing - OTHER (as permitted or required by law)

A

Emergency - patient incapacitated
Abuse reporting
Law enforcement
Public health reporting
Legal processes
Research
25
Q

Workforce members can obtain, use and disclose only

A

minimum necessary info to do a job or handle a request

26
Q

The minimum necessity rule does not apply to uses and disclosures

A

Between health care providers for tx purposes

To the pt or at the request of the pt

27
Q

HIPAA is a basic floor - at federal level it provides

A

minimum rights and protections for all patients

28
Q

Patient rights under HIPAA

A

Receive a notice of privacy practices
Access PHI and receive copy of records
Receive an accounting of disclosures made by CE
Request restriction on use and disclosure of PHI to others, including restriction on disclosures if patient is a self pay for service
Request amendment to PHI
Request alternative means of communication
Be notified of any breaches of their PHI
Make complaint without fear of retaliation

29
Q

Required safeguards

A

Technical controls limiting access to systems containing ePHI
Unique user IDs/logins with monitoring
Authentication (password)
Encryption of ePHI
Audits
Policies
Trainings for workforce
30
Q

Breaches are defined as

A

Unauthorized acquisition, access, use, or disclosure of PHI which poses a significant risk of financial, reputational, or other harm to the patient

31
Q

Breaches - covered entities must report

A

internally and evaluate all potential breaches

32
Q

After mandated risk assessment by Privacy Officer –

A

may have obligation to notify patient of breach
Must report breaches to the government
Must take appropriate disciplinary or remedial action

33
Q

Incidental disclosures - define

A

unintended or unavoidable disclosures of PHI occurring as a part of a permitted disclosure

34
Q

Ex of Incidental disclosure

A

Another employee or visitor overhearing
Nurse and tech discussing a test order for pt
Physician discussing tx options with pt and family members in room (sharing with other patient)
Registration staff member collecting demographic info in waiting area

35
Q

Penalties for non-compliance

A

Potential civil and criminal penalties at state and federal level
Potential exclusion from federal health care programs
Potential licensure revocation
Potential malpractice civil liabilities
Potential institutional disciplinary action

36
Q

HIPAA and research - HIPAA defines research as any

A

systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge

37
Q

HIPAA permits use for research if

A

Data has been de-identified or patient has signed authorization

38
Q

HIPAA and research - several limited exceptions may allow minimum necessary use

A

IRB or Privacy board approves waiver
Preparatory to research
Research on decedents
Use of limited data set under a data use agreement

39
Q

Risk Areas

A

Technology
Email/text
Digital photos and videos
Virus
Snooping and curiosity
Social media
40
Q

DMU's social media policy for students

A

Do not post any info regarding a patient
Do not post photos related to patient care or surgical cases
Do not discuss personal characteristics of a patient
Do not discuss hospital/clinic procedures
Do not discuss any info pertaining to a cadaver or describe dissection stages

41
Q

General protective behaviors

A

Prevent casual observers from seeing screens
Never share your user ID or passwords
Log out or lock devices - never leave unattended
Properly dispose of PHI and ePHI

42
Q

Your fundamental obligations

A

Access PHI only if you have a job related need
Access only the amount of PHI that you need
Only share PHI with others who need it to do their jobs
De-identify patient info before presenting case study
Report violations or breaches to Privacy Officer or Information Security Officer

43
Q

Mandatory reporting

A

Loss of PHI or equipment containing PHI
Misuse of PHI, system access, passwords
Accidental or unauthorized disclosures