HIPAA Privacy Rule Flashcards
HIPAA acronym
Health Insurance Portability and Accountability Act
Privacy Rule was passed in what year?
2003
Security Rule was passed in what year?
2005
The privacy rule establishes the ______
minimum
(NOTE: if state and federal laws differ, follow the most stringent one)
What is privacy?
Freedom from unauthorized intrusion
What is confidentiality?
requires HC providers to protect health records from unauthorized use
(NOTE: may be written or verbal)
What title # of HIPAA pertains to privacy and security?
Title II
What forms of info does the Privacy rule cover?
oral, written, and electronic
What forms of info does the Security rule cover?
Only electronic info
PHI acronym
Protected health info
What does HIPAA lack?
a private right of action
(NOTE: means that a pt can’t sue for a HIPAA violation; only an attorney general or the government can)
Purpose of HITECH (2009) (2)
- Strengthens privacy and security of PHI (i.e. use of EHRs)
- increased penalties
What is health info per HIPAA?
Any info (whether oral or recorded in any form) that is created or received by a health care provider, health plan, employer, life insurer, school
AND relates to the past, present, or future phys/mental health of an individual
What happens if health info is not dated?
Applies to the future
(no end date)
What 6 things does HIPAA provide the patient the right of?
- access
- request amendment
- accounting of disclosure
- request confidential communications
- request restrictions
- complain of privacy rule violations
Who does HIPAA apply to? (2)
- Covered entities (+ workforces)
- Business associates (+ workforce and subcontractors)
What is covered under HIPAA?
PHI (and any “HIPAA identifiers” that point to a certain pt)
What is NOT covered under HIPAA? (2)
- De-identified info
- personnel and edu records
Three HIPAA CEs:
- Healthcare provider
- Health plan
- Healthcare clearinghouse
CE: Healthcare provider description
doctor
CE: Health plan description
insurance plan
CE: Healthcare Clearinghouse description
3rd party billing vendor
Should HIPAA be politicized?
No
An example of an organization that would need a business associate agreement is…
a) housekeeping service
b) Hospital where dr refers patients for surgery
c) Healthcare organization’s employees
d) Billing service that the healthcare organization uses
d) Billing service that the healthcare organization uses
HIPAA Applicability: What is a Business Associate (BA)?
Any person or org that provides services around PHI or its disclosure
(ex: 3rd party vendors, consultants, etc)
What is a Business associate agreement (BAA)? Does it apply to subcontractors?
Legally protects info handled by BA that complies with HIPAA
Yes
Components of a BAA (3):
- written
- specifies permitted/prohibited uses
- assurances of safeguards to prevent unauthorized use
What law added more BA categories?
HITECH
Is a health care facility that accepts cash or provides free services, like a clinic that provides physical exams, administers vaccines, and gives well-baby check-ups, regulated by HIPAA?
No; free services are not a CE
Are wearable devices that collect PHI covered by HIPAA?
No
Are artificial intelligence (AI) programs that analyze patient data considered BAs?
No
What was added to the 2024 HIPAA update?
- strengthened reproductive privacy
- reward, similar to qui tam
- increased care coordination for SUD records
What is a workforce?
Any individual working under the CE’s direct control
(paid employees, volunteers, trainers, interns, outsourced vendors)
What are the three components for determining PHI?
- identifies a person or a reasonable basis to believe a person could be identified
- relates to one’s health condition
- is held or transmitted by a CE or its BA
Decedents according to 2013 Omnibus Final Rule
PHI does not have to be retained after 50 yrs
What happens with the HIPAA privacy rule under emergencies?
Specific parts can be suspended for up to 72 hours
What Act covered edu records?
Federal Education Records Privacy Act (FERPA)
PHI disclosure
Dissemination of PHI from a CE/BA
PHI Use
Handling PHI internal to a CE/BA
PHI Request
Asking for access to PHI
Minimum necessary
“need to know” concept
Limits PHI uses, disclosures and requests to only the “minimum necessary” amount to accomplish an intended purpose
Two situations where HIPAA requires use or disclosure of PHI without an individual’s authorization:
- Individual or representative requests access
- US Dept of HHS is investigating
What is TPO? Does it require authorization?
Treatment, payment, operations
No but may do it as a courtesy
2 Situations where indv can informally agree or object
- Pt admission directory
- Notification to fam/friends
For what things is a valid authorization for disclosure of info required? (5)
- PHI that cannot be released w/out authorization
- psychotherapy notes
- marketing
- research
- sale of PHI
What is marketing in HC?
Communication about a product or service that encourages the recipient to purchase or use it
What did HITECH do in terms of marketing?
Limited the def of HC operations to increase the marketing authorization requirement
What is the problem with marketing?
CEs often classify marketing activities as HC operations NOT requiring authorization
When can fundraising be considered part of operations?
When it uses de-identified info to raise funds to benefit the org
What pt info can be used for fundraising purposes? (6)
- demographics
- date of HC provided
- department of service info
- treating physician
- outcome info
- health insurance status
HITECH imposes additional requirements on CEs and ____ patients’ ability to easily and inexpensively opt out of fundraising solicitations that use or disclose PHI
strengthens
When does the notice of privacy practice have to be given?
before or on the first visit
How long does the notice of privacy practice have to be kept?
3 years
What is the notice of privacy practices?
- lays out how a CE will use and disclose PHI
- CE legal duties regarding PHI
What does the use and disclosure of psychotherapy notes require?
Authorization
Is selling PHI a violation of the Notice of Privacy Practices?
Yes
What happens if the pt refuses to sign the Notice of Privacy Practices?
Must be documented; care can’t be withheld
Does consent have an expiration date?
No
T/F: Providers are required to obtain a pt’s signed consent to use/disclose PHI for TPO purposes?
False; not required
What is authorization?
Written permission for specific disclosure (things other than TPO)
Key HIPAA elements included in authorization (9)
- name of individual
- who is making disclosure
- to whom the info is going
- type of info disclosed
- signature of individual
- date signed
- expiration date
- statement of right to revoke
- redisclosure statement
Providing a copy of an emergency room visit report to a PCP is an example of which of the following under HIPAA?
A. Use of protected health information
B. Provision of protected health information
C. Minimum necessary of protected health information
D. Disclosure of protected health information
D. Disclosure of protected health information
What is the right to request restrictions?
Requesting restrictions on uses/disclosures of PHI outside of TPO;
(NOTE: not required to agree if too difficult to carry out request)
What is the exception to the right to request restrictions?
If individual wishes to not use Health Plan and pay in full with cash
What info is included in accounting of disclosures?
- date
- name/address of entity that received info
- info disclosed
- statement on purpose of disclosure
Who investigates HIPAA violations?
HHS OCR
Office of Civil Rights
Who owns the pt record?
Provider/ org
When a pt is requesting access to records, how long do CEs have to respond after the request was received?
30 days (15 days if electronic info)
Instances when a pt can be denied access to PHI (3)
- psychotherapy notes
- correctional institutions if it jeopardizes safety
- if info was obtained from someone other than the provider and access would reveal the source of the info
What did the 21st Century Cures Act do? (2)
- reiterates pt access
- prohibits info blocking
Reasons for having a denied PHI request (2)
- endangers life or safety
- causes substantial harm to another person mentioned in PHI
Explain if it is a HIPAA Privacy rule violation:
Natalie requested a list of people who have reviewed her record. This is her second request of the year. The hospital is charging her $150
Yes, excessive fee
Explain if it is a HIPAA Privacy rule violation:
The hospital received a request to amend a patient record. They refused to accept the request
Yes, have to accept but may not honor request
Explain if it is a HIPAA Privacy rule violation:
Bob refused to sign the Notice of Privacy Practice, but the hospital treated him anyway
No
Explain if it is a HIPAA Privacy rule violation:
Mr. Smith requests a copy of his wife’s medical record but does not include a written authorization from his wife.
Yes, need the wife’s authorization
What is a breach?
unauthorized access, use, or disclosure of PHI
Must demonstrate PHI was compromised
Omnibus rule’s 3 exceptions to breach notification rule
- PHI disclosure was not intentional
- access to PHI was unintentional by a workforce member
- HC org has a good-faith belief that the PHI was not retained
Breach notification notice is for… (2)
- individuals affected
- HHS via online portal
HIPAA Breach Notification Requirements: 9-499 individuals
Web posting and media notification
What does preemption do?
Gives legal precedence to federal law when it conflicts with state law
HIPAA Breach Notification Requirements: 500+ individuals
notice to media outlets and Secretary of HHS
Is this a HIPAA violation?
There was an overdose at 17 Tyler Road around 1:30 this morning. Charleston County responded and the female in the home was taken via ambulance to the hospital. Per the officers, it was cocaine and pills
No, the resident is not a CE or BA.
How many tiers of HIPAA violation penalties are there?
4
HIPAA Violation Penalties: Tier 1
Unaware of HIPAA violation
HIPAA Violation Penalties: Tier 2
Had reasonable cause and not willful neglect
HIPAA Violation Penalties: Tier 3
Had willful neglect and corrected within 30 days of discovery
HIPAA Violation Penalties: Tier 4
Had willful neglect and not corrected as required