HIPAA and HITECH AHE 110 Flashcards
What does HIPAA stand for
Health Insurance Portability and Accountability Act
Which year was HIPAA signed?
1996
HIPAA is a law with how many standards?
4 standards meant to PROTECT and SECURE electronic patient information
What is the purpose of HIPAA
To keep a person’s health information secure
How does HIPAA keep Health Info secure?
- Regulates who has the right to view a person’s medical records, data and other personal information
- Sets standards on how a person’s protected health info is to be stored and transmitted,
- Requires health care orgs to set policies allowing pt or res to have access to own med records
Which Agency is Responsible for HIPAA
US Dept of Health and Human Services (HHS)
Which Agency is Responsible for HIPAA violations?
HHS Office for Civil Rights (OCR)
What is the goal of HIPAA? (why)
Administrative Simplification,
Simplify exchange of info through consistent Electronic Exchange of Information,
Same coding sys, same requirements = decreased clerical burden and increased elec transaction adoption
How is HIPAA going to Simplify Administration?
- use same coding systems,
- use same requirements for the exchange of information
What is meant by CODING SYSTEM
Coding system uses characters like symbols and numbers to represent things like medical procedures or diseases
HIPAA STANDARD 1
Related to TRANSACTIONS AND CODE SETS
What happened under Standard 1?
HHS adopted standard transactions for the electronic exchange of administrative health care information
Standard 1 includes:
insurance claims,
payments,
insurance eligibility information.
Also MANDATES universal coding systems
Goal of Standard 1
to speed up the process of
a. identifying insurance benefits,
b. submitting insurance claims,
c. receiving payment
speed, money = identify, submit, receive $
Why do we use universal systems
process is more efficient when everyone uses same system
What is CPT
CPT is Current Procedural Terminology - codes procedures and services
What is ICD
ICD is International Classification of Disorders - codes diseases and disorders
HIPAA STANDARD 2 is concerned with
the PRIVACY RULE
Comprehensive federal protection guidelines for the privacy of health info
What is the Privacy Rule
Personal medical info shared with drs, hospitals etc. and those who provide and pay for HC is protected.
Health care facilities, insurance companies and others need to protect the written, electronic, and oral patient health information
What is the Goal of the Privacy Rule
imposes restrictions by defining and limiting situations when pt's info can be Used and Disclosed
What 3 things does the privacy rule do?
- imposes restrictions on use and disclosure of personal health information,
- gives pt greater access to med records,
- gives pt greater protections of med records
restrictions on u and d, access, protection
What Rights does Privacy Rule give patients
- examine health records,
- obtain copies of health records,
- request corrections to be made if incorrect
examine, obtain copies, corrections
What is Meant by Use
PHI is USED when
a. shared,
b. examined,
c. applied,
d. analyzed
What is meant by Disclosure
PHI is DISCLOSED WHEN
a. released or transferred and
b. in any way made accessible to anyone outside of the CE
release, transfer, accessible to outsiders
What is meant by a COVERED ENTITY
any facility, provider, plan or clearinghouse that transmits protected health information electronically
Who are included as Covered Entities?
PROVIDERS: MD, DO, NP, PA etc., dentists, chiropractors, psychologists
FACILITIES: nursing homes, pharmacies, ambul. care
COMPANIES: health ins., govt insurance, HMOs
CLEARINGHOUSES, BILLING SERVICES
Rules Covered Entities must comply with
- safeguard all pt info,
- ensure BA keep PHI private,
- written agreement with BA on how to safeguard PHI,
- CE cannot give PHI to BA without written signed agreements - only PHI required for the job can be given to the BA
Define Claims Clearinghouse
an organization that accepts the claim data from the provider,
reformats the data to meet specifications outlined in the ins. plan,
and submits the claim
accepts, reformats, submits claims
Define Protected Health Information
ind. identifiable health info
stored or transmitted by CE or business associates,
incl verbal, paper, electronic
Define Business Associate
a person or business that provides a service to a CE that involves access to PHI (legal, billing, accred, management, consulting firms, claims processing)
Define Permission
a reason for releasing or disclosing pt. info under HIPAA
Define De-identify
remove all direct pt identifiers from the PHI which could link info to a specific person
Define Limited Data Set
PHI which has all direct pt identifiers removed
Examples of Patient Identifiers
name, dob, ss#, payment or billing info, physical or mental health conditions, test results, current meds, allergies
When do providers require written authorization from a patient?
Written authorization is needed when PHI is being disclosed to a third party (person wants family to know, records transfer to another facility, life insurance)
6 Permissions NOT requiring written authorization from patient to release PHI
- TPO,
- to the individual,
- use and disclosure with the opportunity to agree or object,
- incidental use and disclosure (i.e. overheard on phone during course of job),
- public interests and benefits,
- limited data sets
What does TPO mean?
Treatment, Payment, healthcare Operations
PAYMENT = activities related to payment or reimbursement for services (i.e. if fail to pay bill, can be turned over to collections)
HC OPERATIONS = financial, legal, quality improv that HC facilities need to do to run and support a business
When is written permission needed?
when disclosing PHI to third party (pt wants someone else told, records transferred, life insurance)
What does Written authorization include?
dated, signed
What is a Disclosure Authorization Form?
authorization to disclose form - pt gives written auth to transfer records
What does a Disclosure Authorization Form need to include?
expiration date, patient's name, date of request, info of facility receiving records, must notify pt they can revoke permission
What is a Records Release?
When a pt wants records released to another fac., must a. complete, b. sign, c. date the medical records release form. Video and images may need a separate form
What is meant by “higher level of confidentiality”?
parts of the pt record that may need a separate release form
What is incl. in Higher level of confidentiality
- psychotherapy notes.
- HIV info,
- Drug and Alcohol
What is the Confidentiality of Alcohol and Drug Abuse Patient Records statute?
Many federal and state laws cover D and A abuse. This one is HHS and restricts the release and use of pt records including substance use diagnoses and services
What is HIPAA Standard 3?
national standard for the protection of patient info that is stored or transmitted
What is included in Standard 3
anything
a. created,
b. used,
c. received,
d. maintained
What are the 3 types of safeguards in Standard 3
- Administrative
- Physical,
- Technical
What is the Administrative Safeguard
- Security Officer resp for creating and carrying out security Policies and Procedures.
- risks identified,
- steps taken to prevent issues (cyber attacks huge issue)
What is the Physical Safeguard in Standard 3
facilities, workstations and devices. Under resp of security officer, procedures and protocols
What are the Technical Safeguards in Standard 3?
only authorized employees have access to ePHI,
p and p to audit, track, prevent alterations,
destruction, transmissions
What does HITECH stand for?
Health Information Technology and Clinical Health Act
What is HITECH?
an act that expands HIPAA privacy
What is included in HITECH?
- patient rights,
- requirements for BA,
- breach notifications,
- marketing provisions,
- penalties for non-compliance
Who is covered under HITECH?
a. CE,
b. hc providers,
c. health plans,
d. health care clearing house,
e. business assoc with access to pt records
What is different about BA in HITECH
BAs must comply with use and disclosure requirements of HIPAA's Privacy Rule. Subject to same penalties
What is meant by patients rights in HITECH
pts have added rights regarding use of EHR or ePHI. CEs must agree to patient requests to restrict disclosure of ePHI if
a. it is to a health plan for carrying out payment or HC operations (NOT treatment) and the pt has PAID IN FULL
In HITECH pts have the right to access their info by
a. can receive account of all non-routine disclosures of EHR,
b. request an accounting of disclosures they authorized in past 3 years,
c. designate 3rd party to be recipient of eHealth info
receive, request, designate
Consent for routine health care is optional BUT
consent for routine health care is optional but signature is req for use and disclosure of PHI for purposes OTHER THAN TPO
What is included in an authorization form?
use and disclosure is limited to whatever is outlined in the form.
a. descript of PHI being used, what purpose,
b. who will u and d PHI,
c. if there is financial gain for the CE,
d. pt right to revoke,
e. signature,
f. date,
g. expiration date
Authorization is not required
a. to maintain a pt directory,
b. inform identified people about care,
c. inform approp agencies in disaster relief,
d. public health activities, report victims of abuse, neglect, dom viol.,
e. health oversight for license,
f. coroners, med examiners, tissue donations,
g. avert serious threat to health and safety
What is meant by minimum necessary (need to know)
the minimum of info needed to get the job done right
How do CEs ensure minimum necessary?
a. dev. p and p,
b. employees who access ePHI are identified,
c. types of PHI needed and conditions for access. (NOTE does not apply for u and d of med records for treatment)
What is the privacy notice
pt have right to adequate notice about u and d of PHI on First Day of Treatment
What is the purpose of Privacy Notice
a. pts rights and CE legal duties,
b. made avail in print,
c. be displayed and on internet, (NOTE - must try to get written ack or note about why not possible)
What are the Patient Rights
a. receive privacy notice on 1st day,
b. restrict u and d,
c. have PHI communicated in different ways,
d. designate a 3rd party to be recip of PHI,
e. inspect, correct, amend PHI and obtain copies,
f. request hx of PHI disclosures,
g. able to report concerns over breach of privacy
What about privacy of minors
parents hold the minor's privacy rights de facto, except
a. HIV testing,
b. cases of abuse,
c. parents have given up control
What resp do Admins have for Privacy under HIPAA and HITECH?
a. allow pt to see and have copies of PHI,
b. designate official person resp for progs,
c. dev Notice of Privacy Practices,
d. develop policies and safeguards to protect PHI and limit incidental u and d,
e. training prog,
f. complaints process,
g. make sure BAs comply with Privacy Rule and HITECH
What are the notification requirements for data breach under the HITECH act?
breach - inapp or unauth u or d of PHI.
a. CE must notify pts,
b. incl unauth disclosure of PHI to 3rd party AND internal access to PHI,
c. must be notified w/in 60 days,
d. if more than 500 affected, contact HHS, and print and broadcast media
Violations under HITECH
tiered increase in civil and criminal penalties