HIPAA and HITECH AHE 110 Flashcards

1
Q

What does HIPAA stand for

A

Health Insurance Portability and Accountability Act

2
Q

Which Year was HIPAA signed

A

1996

3
Q

HIPAA is a law with how many standards

A

4 standards meant to PROTECT and SECURE electronic patient information

4
Q

What is the purpose of HIPAA

A

To keep a person’s health information secure

5
Q

How does HIPAA keep Health Info secure?

A
  1. Regulates who has the right to view a person’s medical records, data and other personal information
  2. Sets standards on how a person’s protected health info is to be stored and transmitted
  3. Requires health care orgs to set policies allowing the pt or res to have access to their own med records

6
Q

Which Agency is Responsible for HIPAA

A

US Dept of Health and Human Services (HHS)

7
Q

Which Agency is Responsible for HIPAA violations?

A

HHS Office for Civil Rights (OCR)

8
Q

What is the goal of HIPAA? (why)

A

Administrative Simplification,

Simplify exchange of info through consistent Electronic Exchange of Information,

Same coding sys, same requirements = decreased clerical burden and increase elec transaction adoption

9
Q

How is HIPAA going to Simplify Administration

A
  1. use same coding systems,
  2. use same requirements for the exchange of information

10
Q

What is meant by CODING SYSTEM

A

Coding system uses characters like symbols and numbers to represent things like medical procedures or diseases

11
Q

HIPAA STANDARD 1

A

Related to TRANSACTIONS AND CODE SETS

12
Q

What happened in Standard 1

A

HHS adopted standard transactions for the electronic exchange of administrative health care information

13
Q

Standard 1 includes:

A

insurance claims,
payments,
insurance eligibility information.
Also MANDATES universal coding systems

14
Q

Goal of Standard 1

A

to speed up the process of

a. identifying insurance benefits,
b. submitting insurance claims,
c. receiving payment

speed, money = identify, submit, receive $

15
Q

Why do we use universal systems

A

process is more efficient when everyone uses same system

16
Q

What is CPT

A

CPT is Current Procedural Terminology - codes procedures and services

17
Q

What is ICD

A

ICD is International Classification of Disorders - codes diseases and disorders

18
Q

HIPAA STANDARD 2 Is concerned with

A

the PRIVACY RULE

Comprehensive federal protection guidelines for the privacy of health info

19
Q

What is the Privacy Rule

A

Personal medical info shared with doctors, hospitals, etc. and those who provide and pay for HC is protected.

Health care facilities, insurance companies and others need to protect written, electronic and oral patient health information

20
Q

What is the Goal of the Privacy Rule

A

imposes restrictions by defining and limiting the situations in which a pt’s info can be Used and Disclosed

21
Q

What 3 things does the privacy rule do?

A
  1. imposes restrictions on use and disclosure of personal health information,
  2. gives pt greater access to med records,
  3. gives pt greater protections of med records

restrictions on u and d, access, protection

22
Q

What Rights does Privacy Rule give patients

A
  1. examine health records,
  2. obtain copies of health records,
  3. request corrections to be made if incorrect

examine, obtain copies, corrections

23
Q

What is Meant by Use

A

PHI is USED when

a. shared,
b. examined,
c. applied,
d. analyzed

24
Q

What is meant by Disclosure

A

PHI is DISCLOSED WHEN

a. released or transferred and
b. in any way made accessible to anyone outside of the CE

release, transfer, accessible to outsiders

25
Q

What is meant by a COVERED ENTITY

A

any facility, provider, plan or clearinghouse that transmits protected health information electronically

26
Q

Who are included as Covered Entities?

A

PROVIDERS; MD,DO, NP, PA etc. Dentists, chiropractors, psychologists,

FACILITIES; nursing homes, pharmacies, ambulatory care

COMPANIES; health ins., govt insurance, HMOs,

CLEARINGHOUSES, BILLING SERVICES

27
Q

Rules Covered Entities must comply with

A
  1. safeguard all pt info,
  2. ensure BAs keep PHI private,
  3. written agreement with BA on how to safeguard PHI (CE cannot give PHI to BA without a written signed agreement),
  4. only PHI required for the job can be given to the BA

28
Q

Define Claims Clearinghouse

A

an organization that accepts the claim data from the provider,
reformats the data to meet the specifications outlined in the insurance plan,
and submits the claim

accepts, reformats, submits claims

29
Q

Define Protected Health Information

A

individually identifiable health info

stored or transmitted by a CE or business associates,

incl verbal, paper, electronic

30
Q

Define Business Associate

A

a person or business that provides a service to a CE that involves access to PHI (legal, billing, accreditation, management, consulting firms, claims processing)

31
Q

Define Permission

A

a reason for releasing or disclosing pt. info under HIPAA

32
Q

Define De-identify

A

remove all direct pt identifiers from the PHI which could link info to a specific person

33
Q

Define Limited Data Set

A

PHI which has all direct pt identifiers removed

34
Q

Examples of Patient Identifiers

A

name, dob, ss#, payment or billing info, physical or mental health conditions, test results, current meds, allergies

35
Q

When do providers require written authorization from a patient?

A

Written authorization is needed when PHI is being disclosed to a third party (person wants family to know, records transfer to another facility, life insurance)

36
Q

6 Permissions NOT requiring written authorization from patient to release PHI

A
  1. TPO
  2. to the individual,
  3. use and disclosure with the opportunity to agree or object,
  4. incidental use and disclosure (i.e. overheard on phone during course of job),
  5. public interests and benefits,
  6. limited data sets
37
Q

What does TPO mean?

A

Treatment, Payment, healthcare Operations.
PAYMENT = activities related to payment or reimbursement for services (e.g. if a pt fails to pay a bill it can be turned over to collections).
HC OPERATIONS = financial, legal and quality improvement activities that HC facilities need to do to run and support a business.

38
Q

When is written permission needed

A

when disclosing PHI to a third party (pt wants someone else told, records transferred, life insurance)

39
Q

What does Written authorization include?

A

dated, signed

40
Q

What is a Disclosure Authorization Form?

A

authorization to disclose form - pt gives written auth to transfer records,

41
Q

What does a Disclosure Authorization Form need to include?

A
expiration date,
patient’s name,
date of request,
info of facility receiving records,
must notify pt they can revoke permission

42
Q

What is a Records Release?

A

When a pt wants records released to another facility, they must a. complete, b. sign, c. date a medical records release form. Video and images may need a separate form

43
Q

What is meant by “higher level of confidentiality”?

A

certain parts of the pt record that may need a separate release form.

44
Q

What is incl. in Higher level of confidentiality

A
  1. psychotherapy notes.
  2. HIV info,
  3. Drug and Alcohol
45
Q

What is the Confidentiality of Alcohol and Drug Abuse Patient Records statute?

A

There are many federal and state laws around drug and alcohol abuse. This one is HHS and restricts the release and use of pt records including substance use diagnoses and services

46
Q

What is HIPAA standard 3 ?

A

national standard for the protection of patient info that is stored or transmitted

47
Q

What is included in Standard 3

A

anything

a. created,
b. used,
c. received,
d. maintained

48
Q

What are the 3 types of safeguards in Standard 3

A
  1. Administrative
  2. Physical,
  3. Technical
49
Q

What is the Administrative Safeguard

A
  1. Security Officer responsible for creating and carrying out security Policies and Procedures.
  2. risks identified,
  3. steps taken to prevent issues (cyber attacks huge issue)
50
Q

What is the Physical Safeguard in Standard 3

A

facilities, workstations and devices; procedures and protocols under the responsibility of the security officer

51
Q

What are the Technical Safeguards in Standard 3

A

only authorized employees have access to ePHI;

P and P to audit, track and prevent alterations, destruction and transmissions

52
Q

What does HITECH stand for?

A

Health Information Technology and Clinical Health Act

53
Q

What is HITECH?

A

an act that expands HIPAA privacy

54
Q

What is included in HITECH?

A
  1. patient rights,
  2. requirements for BA,
  3. breach notifications,
  4. marketing provisions,
  5. penalties for non-compliance
55
Q

Who is covered under HITECH?

A

a. CE,
b. hc providers,
c. health plans,
d. health care clearing house,
e. business assoc with access to pt records

56
Q

What is different about BA in HITECH

A

BAs must comply with the use and disclosure requirements of HIPAA’s privacy rule. Subject to the same penalties

57
Q

What is meant by patients rights in HITECH

A

pts have added rights regarding use of EHR or ePHI. CEs must agree to patient requests to restrict disclosure of ePHI if
a. it is to a health plan used for carrying out payment or hc operations, NOT TREATMENT, IF PAID IN FULL

58
Q

In HITECH, pts have the right to access their info by

A

a. can receive account of all non-routine disclosures of EHR,
b. request an accounting of disclosures they authorized in past 3 years,
c. designate 3rd party to be recipient of eHealth info

receive, request, designate

59
Q

Consent for routine health care is optional BUT

A

consent for routine health care is optional but a signature is required for use and disclosure of PHI for purposes OTHER THAN TPO

60
Q

What is included in an authorization form?

A

use and disclosure outlined in whatever is in the form.

a. descript of PHI being used, what purpose,
b. who will u and d PHI,
c. if there is financial gain for the CE,
d. pt right to revoke,
e. signature,
f. date,
g. expiration date

61
Q

Authorization is not required

A

a. to maintain a pt directory,
b. inform identified people about care,
c. inform approp agencies in disaster relief,
d. public health activities, report victims of abuse, neglect, domestic violence,
e. health oversight for licensing,
f. coroners, med examiners, tissue donations,
g. avert serious threat to health and safety

62
Q

What is meant by minimum necessary (need to know)

A

the minimum of info needed to get the job done right

63
Q

How do CEs ensure minimum necessary

A

a. develop P and P,
b. employees who access ePHI are identified,
c. types of PHI needed and conditions for access. (NOTE does not apply for u and d of med records for treatment)

64
Q

What is the privacy notice

A

pt have right to adequate notice about u and d of PHI on First Day of Treatment

65
Q

What is the purpose of Privacy Notice

A

a. pts rights and CE legal duties,
b. made avail in print,
c. be displayed and on internet, (NOTE - must try to get written ack or note about why not possible)

66
Q

What are the Patient Rights

A

a. receive privacy notice on 1st day,
b. restrict u and d,
c. have PHI communicated in different ways,
d. designate a 3rd party to be recip of PHI,
e. inspect, correct, amend PHI and obtain copies,
f. request hx of PHI disclosures,
g. able to report concerns over breach of privacy

67
Q

What about privacy of minors

A

parents hold the rights by default (de facto), except

a. HIV testing,
b. cases of abuse,
c. parents have given up control

68
Q

What responsibilities do Admins have for Privacy under HIPAA and HITECH

A

a. allow pt to see and have copies of PHI,
b. designate an official person responsible for programs,
c. develop Notice of Privacy Practices,
d. develop policies and safeguards to protect PHI and limit incidental u and d,
e. training prog,
f. complaints process,
g. make sure BAs comply with Privacy Rule and HITECH

69
Q

What are the notification requirements for data breach under HITECH act

A

breach = inappropriate or unauthorized use or disclosure of PHI.
a. CE must notify pts,
b. includes unauthorized disclosure of PHI to a 3rd party AND internal access to PHI,
c. must be notified w/in 60 days,
d. if more than 500 affected, contact HHS and print and broadcast media

70
Q

Violations under HITECH

A

tiered increase in civil and criminal penalties