HIPAA Flashcards
What does HIPAA do?
Protects individually identifiable health information
- sets limits on disclosures of PHI
- institutes safeguards to secure PHI
- holds people accountable for safeguarding PHI
- gives patients control of their PHI
HIPAA allows info to be more easily…
exchanged among health care professionals
Direct vs. Indirect treatment
Direct - healthcare provider is directly treating patient
Indirect - health care provider delivers treatment to individual based on orders of another provider
*RPh does BOTH
Hybrid Entity
business that has both covered and non-covered functions (ex. Walmart pharmacy/store)
*must ensure PHI remains within the pharmacy
Individually Identifiable health information
any info (recorded or oral) that includes demographic info relating to the health of an individual
Protected Health Information (PHI)
identifiable health info that is transmitted by electronic media and is covered by HIPAA
De-identification of PHI:
information about an individual that is de-identified…
means there is no reasonable way to identify the individual; NOT considered identifiable health information.
- removal of names, geographic subdivisions SMALLER than states, dates (except year), photos, etc.
- if info is RE-identified, it becomes PHI once again.
Minimum Necessary
a covered entity must make reasonable efforts to limit protected health info to the minimum amount needed to accomplish the intended purpose.
- does NOT apply to pharmacists
Safeguards
put in place to protect privacy of PHI from intentional/unintentional disclosures
Privacy Officer
NECESSARY
responsible for development/implementation of safeguards
HIPAA Employee Training
- necessary for all workers
- employers must keep training records
- must be given training in reasonable timeframe
- employees must be informed/trained about any changes
- must punish employees who misuse PHI
Patients' rights to access their health records
EXCEPTIONS:
- inmates
- psychotherapy notes
When can you deny a patient their right to access their PHI?
- danger to the patient
- harm to another
- give patient written reason for denial along with complaint procedures -> patient has right to review denial
Right to an Accounting
individual has right to receive a list of all disclosures of PHI for up to past 6 years
- must act on request within 60 days
- first account is FREE
Complaints
- patient has right to file complaint
- ANYONE can file a complaint
- file in writing (paper or electronic)
- file within 180 days of act
Patient Retaliation
NOT ALLOWED
Consent Forms vs. Authorization Forms
Consent Forms - voluntary
Authorization Forms - mandatory
Can you look up a patient's info if you are NOT actively treating them?
NO
you MAY disclose patient PHI to others IF…
- you have the patient's agreement
- provide patient with opportunity to object
- based on professional judgement, you infer that patient does not object
If patient is not present, incapacitated, or in an emergency…
use your professional judgement to see if disclosure is best
Who has the authority to act on behalf of a minor?
parent, guardian, in loco parentis
What do the police need to request access to PHI?
SUBPOENA
or a signed/written authorization from patient
Notice of Privacy Practices
- tells how you are going to use PHI
- tells patient of their rights
- patient can refuse to sign document -> can still treat/fill for patient (DOCUMENT refusal)
*EXCEPTION - inmates do NOT have right to notice of privacy
How long must you keep written acknowledgements of Notice of Privacy Practices?
6 years
Incidental Use/Disclosure
accidental
- overheard talking about patient
- you are NOT expected to guarantee a patient’s PHI from all potential risks
- must provide reasonable safeguards
- provide glass between counter and front of pharmacy, ask other patients to stand back while counseling
- speak with lowered tone of voice
- lock patient records/files
- use computer security
What was the purpose of HIPAA HITECH?
- increased fines to increase compliance with HIPAA
If there is a breach in HIPAA you must notify…
- patient
- department of health & human services
define breach
use or disclosure of PHI in a manner not allowed by privacy rules
You must notify a patient of a breach in HIPAA…
ALWAYS (even if there is harm or no harm to patient)
If HIPAA is breached you must perform…
a Risk Assessment that includes:
- nature/extent of PHI (types of identifiers)
- who received access
- potential that PHI was actually viewed/acquired
- extent to which the risk was mitigated
- unintentional acquisition or access (if someone looked up wrong patient)
- inadvertent disclosure
If the HIPAA breach affected less than 500 people…
must send notification in written form via 1st class mail or email if requested by patient.
If the HIPAA breach affected more than 500 people…
- must notify secretary of HHS within 60 days after the end of the calendar year from when the breach was discovered.
- send individual notice
- provide media notice to prominent media outlets
What acts are examples of a HIPAA breach?
- tech looks up wrong patient
- give someone else’s med to another patient
- fax patient info to another HCP
- fax patient info to anyone else
Historian Rule or 50-Year Old Rule
HIPAA protects PHI of people for 50 years following the date of their death.
Categories of HIPAA Violations
Tier 1 - unaware of violation, typically could not have avoided
Tier 2 - violation that they should have been aware of
Tier 3 - willful neglect of HIPAA rules
Tier 4 - violation where no attempt has been made to correct the violation (have already been warned in past)
Tier 1 Punishments
fines:
- $100/violation up to $50,000
jail
- up to 1 year
Tier 2 Punishments
fines
- $1,000/violation up to $50,000
jail
- up to 5 years
Tier 3 Punishments
fines
- $10,000/violation up to $50,000
jail
- up to 10 years
Tier 4 Punishments
fines
- $50,000/violation up to $1.5 million/year
Whistleblowers
people who report violations get a % of the fines paid by violator
If Breach involves…
- SS #
- drivers license #
- credit card info
can lose license for 3-5 yrs