HIPAA Privacy and Security Requirements Flashcards

1
Q

What are the goals of privacy?

A

Patient control over sharing of information
Disclosure of how information will be used

2
Q

What are the goals of security?

A

Information available to those who need it
Information not available to those who do not

3
Q

What is protected health information?

A

Information that identifies an individual and describes his/her medical condition or treatment
Includes clinical information, information on payment, basic demographic information, name, address, and telephone number
Applies to written and electronic information

4
Q

What is use and disclosure?

A

Information is used by members of our workforce for collection of information by clinical staff, review of patient charts by clinical staff, completion of billing forms by clerical staff, and accounting and bookkeeping entries
Information is disclosed when it is shared with others (transmission of information to a health plan or billing service, transmission of prescriptions to a pharmacy, consultation with an independent provider, and reporting to government agencies)

5
Q

What is notice of privacy practices and acknowledgement?

A

A notice is a statement given to each patient describing how the practice will use and disclose health information and outlining the patient’s rights under HIPAA
Acknowledgement is written documentation that the notice was provided to a patient, either signed by the patient or completed by a staff member explaining why the patient did not sign it
*HIPAA requires us to give the notice to every patient when they first visit a medical practice
Consent is a concept that doesn’t exist in HIPAA

6
Q

What is authorization?

A

Required for uses and disclosures other than for treatment, payment, healthcare operations, and to comply with legal mandates
Signed by the patient or patient’s personal representative
An authorization must identify the information to be disclosed or used, how the information will be used, and who will use it
The authorization must be signed by the patient or by the patient’s representative if the patient is unable to sign it

7
Q

What is the workforce?

A

Members of the medical practice
Employees of the medical practice
Independent contractors we hire (under our supervision)
*Anyone who performs work for us is covered by the HIPAA privacy and security provisions

8
Q

What is a business associate?

A

An entity that performs services for the practice
Examples: billing services and accreditation agencies
Must give satisfactory assurances

9
Q

What is a personal representative?

A

A person who can act on behalf of the patient
Must have legal authority to act on the patient’s behalf
A personal representative may acknowledge the Notice of Privacy Practices, authorize use and disclosure of information, request and receive an accounting of use and disclosure, and request amendment of health information (change in information about a patient)

10
Q

What is minimum necessary?

A

HIPAA limits use and disclosure of protected health information to the ‘minimum necessary’ to accomplish an intended purpose
Examples:
Any information requested for treatment
Any information in a standard transaction
Information required by administrative task
Information specified in request from law enforcement officials, regulatory officials, subpoena or court order

11
Q

When is authorization not required to use and disclose a patient’s medical information?

A

Treatment of the patient
Obtaining payment
Our day-to-day operations (confirming contracts with 3rd parties, etc.)
Legally mandated reporting or disclosure

12
Q

What is treatment?

A

Collection of information
Review of patient records and test results
Consultation with other providers
Referral to another provider
Transmitting information to other providers
*As long as we have not agreed to a request from the patient to restrict the sharing of information, we are not limited by HIPAA in terms of the information we can share – as long as it is used for the purpose of treatment

13
Q

Do we need to obtain the patient’s authorization to transmit payment information?

A

No
To determine whether a patient is eligible for coverage under a health plan
To determine whether specific tests or services are covered under a health plan or to determine cost sharing requirements
To submit a claim or to inquire about the status of a claim
To process payments or claims remittances
To process credit card transactions or obtain approvals of checks

14
Q

What are health care operations?

A

Maintenance of medical records
Maintenance of accounting records
Quality assurance activities
Staff credentialing and performance evaluation
Conducting financial and management audits
Investigating complaints
Supporting legal activities
Resolving grievances
General business management
*Any of these activities may require us to examine information from patient records
We do not need a patient’s approval for any of these uses
However, we have to limit the information we use to the “minimum necessary” for the task at hand

15
Q

What are legally mandated disclosures?

A

Federal, state and local laws may require our medical practice to disclose or report information about patients
HIPAA allows us to comply with these requests for information
Examples:
Police and Law Enforcement
Public Health Reporting (reportable infectious diseases and vital events (birth and death))
Abuse and Neglect Reporting
Licensing and regulatory oversight
Legal proceedings

16
Q

What are some general examples of legally mandated disclosures?

A

Reporting certain injuries or wounds to law enforcement agencies
Reporting crimes
Complying with investigations of fraud and abuse
Reporting infectious diseases and vital events to public health authorities
Reporting suspected abuse, neglect or domestic violence
Permitting inspection of records by licensing and regulatory agencies
Disclosing information as part of legal proceedings

17
Q

Who is disclosure permitted to?

A

Spouses, parents and legal guardians, and others involved in care

18
Q

Is it good to obtain patient permission to disclose information to family members?

A

Yes
We still should make sure the patient is given a chance to object to the disclosure of information to family members or others
We’re allowed to assume there’s no objection if the patient is present while we discuss the case with a relative and the patient says nothing about it
If the patient cannot be consulted on this issue, the patient’s representative should be consulted

19
Q

What are incidental disclosures?

A

Unwitting disclosure of information about our patients
It could take the form of a conversation overheard by another staff member, a vendor, or a patient
A telephone call to a patient to communicate test results might be overheard, or test results might be left where they can be seen by unauthorized persons

20
Q

What are some examples of incidental disclosures?

A

An overheard conversation among staff members
An overheard discussion between staff and patients
An overheard telephone call to a patient
Test results being filed in patient records

21
Q

Are incidental disclosures permitted?

A

Yes, but should be avoided

22
Q

Do incidental disclosures need to be documented?

23
Q

What can you do to try to minimize incidental disclosures?

A

Conduct discussions in private areas
Limit discussion when others are present

24
Q

What does a notice of privacy practices tell the patient?

A

How their information will be used
With whom their information will be shared
When an authorization is needed
How to request an accounting of uses and disclosures
How to request access to information
How to request changes in information

25
Q

What are patient rights for the notice of privacy practices?

A

Request restrictions on use and disclosure
Request confidential communications
Obtain an accounting of uses and disclosures
Review protected health information
Request changes to information

26
Q

Who provides the notice to patients?

A

Responsibility of receptionist
Provide during first patient visit
Review key provisions
Discuss and resolve requests for restrictions on use and disclosure and confidential communications (right to request restrictions on the ways their information is used)

27
Q

Does the staff need to make an effort to obtain the patient’s written acknowledgement that they received the notice of privacy practices?

A

Yes
An acknowledgement documents receipt of the notice
It must be obtained only on the patient’s first visit here and should be obtained before the patient receives any medical services
An acknowledgement form is attached to the Notice, and is the preferred method of documenting receipt of the notice
If a patient cannot or will not sign the acknowledgement, we should document the attempt on the acknowledgement form itself
The reason the patient didn’t acknowledge receipt should be given

28
Q

When is authorization needed for medical/clinical research?

A

Investigational treatment
Research protocols
Exception for “de-identified” data

29
Q

When is authorization needed for marketing?

A

Promoting third-party products/services
Providing mailing lists to others

30
Q

Do we have to get the patient’s OK any time we use or share their information for a purpose unrelated to treatment, payment, health care operations, or compliance with legal mandates?

31
Q

What must authorization include?

A

Identify the information to be used or disclosed
Identify users/persons to whom disclosed
Identify purposes of use or disclosure
Note the potential for redisclosure

32
Q

Can we make authorization a condition of treatment? (won’t treat unless you authorize)

A

No
This is true except when treatment is available only to research subjects, and when treatment is requested by the patient for the purpose of disclosure

33
Q

Should the authorization form be reviewed with the patient?

A

Yes
Any questions concerning the specific information to be used, the uses to which the information will be put, or the individuals and organizations who will be given the information should be addressed
The potential for re-disclosure should be discussed
In a nutshell, information disclosed to a third party may not be protected by the federal privacy regulations
If the information will be protected from further re-disclosure, the authorization should note these protections
Obtain patient/representative signature
File authorization form in records

34
Q

What is the goal of the accounting?

A

Let patients know who has received their information – and why
Facilitate amendment/correction when erroneous information has been disclosed
*We have to track disclosures to law enforcement agencies, to regulatory agencies, for public health reporting, and to report abuse or neglect
We must also own up to disclosures that should not have occurred, for example using information in a research study without the patient’s authorization

35
Q

What are we not required to provide accountings of?

A

Uses and disclosure of information related to treatment, payment or health care operations
Disclosure of information to the patient
Incidental disclosures
Disclosures that are specifically authorized by the patient
Disclosures to a person who is involved in the patient’s care

36
Q

Do patients have to file formal, written requests for accountings?

A

Yes
After reviewing the request, we prepare the accounting and make it available to the patient
We cannot charge the patient a fee for the first accounting produced for him or her in any 12-month period
We will charge, however, for all accountings beginning with the second one in a 12-month period

37
Q

What is the content of the accounting?

A

Identity of the person or organization to whom information was disclosed
Description of the information disclosed
Description of the purpose of the disclosure

38
Q

What rights does HIPAA give to patients?

A

To review and copy their records
To request changes in their records
To have changes communicated to others

39
Q

What rights does HIPAA give to providers?

A

To charge for copies of health information
To deny requested changes in patient records

40
Q

What needs to happen when a patient requests to change information?

A

Review the patient request
Changing patient records is something we don’t want to do - basically saying we didn’t provide standard of care in the first place and anyone who has gotten these records needs to be informed that they were changed
If we decide the information is correct, we state and explain our reasons for not changing the information to the patient in writing
That written explanation must advise the patient that he or she can submit a written statement disagreeing with the denial, and require us to include the patient’s original request for a change in any subsequent disclosures of the same information
We also are required to spell out the procedures the patient should follow in preparing their written disagreement with our decision
We have the option of replying to that statement and including our reply – along with the original exchange – in any subsequent disclosure of the information
As you’d probably guess, we’re also required to maintain records of all of this correspondence

41
Q

What are the two aspects of security?

A

Preventing unauthorized access/disclosure
Preventing loss of information

42
Q

What is the scope of security concerns?

A

Securing electronic information
Securing paper records

43
Q

Is security everyone’s business?

A

Yes
Information systems managers & staff
Medical professionals
Clerical and billing staff
Managers and supervisors
Consultants and contractors

44
Q

What are some security threats?

A

Loss of information
Theft of information
Unauthorized disclosures
Accidental disclosures

45
Q

What are liability control considerations?

A

Legibility
Accuracy
Completeness
Reasoning
Spoliation (intentional alteration or destruction of documentation; cannot go back and refine documentation, the first draft is the final draft)
Timeliness (documentation is concurrent with the care)
Alignment (medical documentation must support your billing and compliance documentation)