HIPAA Awareness Training Flashcards
HIPAA
Health Insurance Portability and Accountability Act
United States legislation that provides data privacy and security provisions
for safeguarding medical information.
HIPAA
HIPAA’s main objective
To protect the privacy and security of our
health information and to provide us certain rights on our health information.
WHAT IS PROTECTED BY HIPAA?
Protected Health Information
HIPAA is meant to protect your sensitive health
information in this ecosystem, regulate how it can be used or disclosed, and also give you certain rights to your information.
The Healthcare Ecosystem
Two types of organizations that are regulated
under HIPAA:
- Covered Entities
- Business Associates
Covered Entities are composed of:
- Healthcare providers
- Health Plans
- Healthcare clearinghouses
All third-party vendors and business partners that create, receive, maintain or transmit PHI on behalf of a covered entity
Business Associates
A term used in the HIPAA Security NPRM for a pattern of agreements that extend protection of health care data by requiring that each covered entity that shares health care data with another entity require that that entity
provide protections comparable to those provided by the covered entity, and that that entity, in turn, require that
any other entities with which it shares the data satisfy the same requirements.
Chain of Trust
Structure of the HIPAA Regulations has two major categories:
1. Insurance Reform (Portability)
2. Administrative Simplification (Accountability)
The Administrative Simplification section of HIPAA consists of standards for the following areas:
- Transactions, Code Sets, and Identifiers
- Privacy
- Security
Standardization of electronic transactions and data required for healthcare exchanges between employers, health insurance payers, and healthcare providers.
Transactions, Code Sets, and Identifiers
Safeguards for Protected Health Information in all forms
Privacy
Safeguards for protected health information in electronic form (ePHI)
Security
USING AND DISCLOSING PHI
1. Permissible Uses and Disclosure of PHI
2. Disclosure Exceptions
3. Authorizations
4. Sensitive Health Information
5. Sharing or Disclosing PHI with third parties - Minimum Necessary Standard
6. Incidental uses and disclosures
7. De-identification
8. Improper Uses and Disclosures - Breaches
Examples of uses and disclosures for TPO for which an authorization is NOT required are:
- Medical Tx
- Determination of eligibility or coverage
- Billing
- Claims Management
- Healthcare data processing
- Conducting Quality Assessment
- Evaluation of healthcare provider performance
- Business planning and certain administrative activities
- Medical Referrals
Disclosure Exceptions
- Emergencies involving imminent threat to health or safety
- Where required by law
- Law enforcement
- Judicial Proceedings
- Health oversight activities
- Public Health Activities
- Research purpose under limited circumstance
- Specialized government functions
- Organ transplant
- Workers' Compensation
- Coroners, medical examiners, and funeral directors
- Incidental Disclosures
Healthcare providers must obtain a __________ for uses or disclosure other than TPO (treatment, payment or operations).
Patient’s Authorization
Sensitive Health Information comprises:
- Substance Abuse
- Mental Health
- Sexually Transmitted Disease
Incidental disclosures include things such as:
- waiting room sign-in sheets
- patient charts at bedside
- doctors talking with patients in semi-private rooms
- doctors conferring at nurses' stations with the potential of being overheard by a passerby
Healthcare providers have two options when using and/or disclosing PHI outside of TPO (treatment, payment, and operations):
- Authorization
- De-identification
The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, or for an other than authorized purpose, have access or potential access to personally identifiable information, whether physical or electronic.
Breach
The HIPAA Privacy document is called ____.
Notice of Privacy Practices
To comply with HIPAA Privacy, an organization must implement the following 3 components:
- Compliance Officer
- Employee Training
- Formal Documents and Controls
The security rule’s requirements are organized into three categories:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
Policies and procedures designed to show how the entity will comply with the security rule.
Administrative Safeguards
The controlling of physical access to protect against inappropriate access to protected data.
Physical Safeguards
The controlling of access to computer systems and the protection of communication containing PHI transmitted electronically over open networks.
Technical Safeguards