HIPAA Privacy Rule Concepts and Patient Access Flashcards
List the Core Elements
Authorization
What must an authorization form contain?
- Description of the info that will be disclosed
- Name of the individual
- Name of the person authorized to make the disclosure
- Name or identification of the recipient
- Description of each purpose of the disclosure
- Expiration date or expiration event
- Individual’s or representative’s signature and date
List required information contained in the document
Authorization
Not the core elements
- Description/notification of the right to revoke the authorization
- Inability to condition treatment, payment, enrollment or benefit eligibility on whether the individual signs the authroization
- Notification that info disclosed according to the authorization could lose HIPAA protection and be redisclosed by the recipient
List possible reasons
Defective Authorization
- Passed expiration date
- Incomplete/missing required elements/information
- Authorization was revoked
- Violates compound authorization requirements
- Contains false information
- Conditions treatment, payment, enrollment in a health plan, or eligibility of benefits on signing the form
Define or List the Elements
Psychotherapy Notes
- Behavioral Health notes
- Recorded by a mental health professional
- Documents or analyzes contents or impressions of conversations in private counseling sessions
Psychotherapy Notes do not contain
- Start and stop times
- Prescriptions and monitoring
- Treatment modalities and frequencies
- Test results
- Summaries of the individual’s symptoms, diagnosis, prognosis, treatment plan, functional status, or progress to date
Circumstances where psychotherapy notes do not require a specific authorization:
- Rendering treatment by the originator of the notes
- Conducting counseling training
- Defending legal action brought by the individual
The two situations where HIPAA requires use or disclosure of PHI without the individual’s authorization
- The individual (or their rep) requests access to PHI or an accounting of disclosures of their PHI
- The DHHS is conducting an investigation, review, or enforcement action
Two situations where HIPAA does not require authorization, but the patient must be notified in advance and given the opportunity to informally agree or object
- Inclusion in a facility directory
- Disclosure of relevant PHI to a **family member, relative, or friend **who is involved in the individual’s care or payment
Three items covered entity’s can share for patients in a facility directory
- Name
- Location in the facility
- Condition (described in general terms)
Name the 12 Pubilic Interest and Benefit Exceptions to the authorization requirement
- As required by law
- Public health activities
- Victims of abuse, neglect, or domestic violence
- Healthcare oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Decedents
- Cadaveric organ, eye, or tissue donation
- Research
- Threat to health and safety
- Essential (Specialized) government functions
- Workers’ compensation
The use or disclosure of PHI for public health activities serves what purposes?
- Preventing or controlling diseases, injuries, and disabilities
- Reporting disease, injury (such as child abuse) and vital events such as births and deaths
- Public health surveillance, investigation, and interventions
Provide two examples of public health activities
- Reporting of adverse eents or product defects in order to complay with FDA regulations
- When authorized by law, reporting a person who may have been exposed to a communicable disease and might be at risk for contracting or spreading it
Is written authorization required to disclose student immunization records?
No
Need documented verbal agreement from parent/guardian/emancipated minor
List reasons for disclosing PHI to a coroner or medical examiner
- To identify a deceased person
- To determine a cause of death
- To accomplish other purposes required by law
Is authorization required to disclose PHI to medical examiners, coroners, or funeral directors?
- Not for medical examiners coroners for purposes of identifying a deceased person, determining a cause of death, or accomplishing other purposes required by law.
- Not for funeral directors if the purpose is for them to carry out thier duties.
Define Incidental uses and disclosures and provide an example
- Uses and disclosures that occur as part of doing business.
- Example: Calling out patient’s names in a physician’s office
What deidentification restrictions are lifted in a limited data set?
- Ages and dates
- Elements of geographic subdivisions (such as city, state, and zip code)
- Other unique identifying information (as appropriate)
Concerning research, in what circumstances can PHI be used or disclosed without an authorization of opportunity to agree or object?
The PHI is used or disclosed only for:
* Research,
* Public health, or
* Healthcare operations
Name the agreement that must be in place to use a limited data set
Data Use Agreement
Name five instances where HIPAA does not preempt state law, even though the state law is not more stringent
HIPAA does not preempt state laws that:
1. Prevent healthcare fraud and abuse
2. Regulate health plans
3. Complete state reporting on healthcare delivery or costs
4. Serve a compelling public health, safety, or welfare need
5. Provide for the reporting of vital statistics and other public health data
List the individual rights HIPAA provides to individuals regarding their PHI
- Access
- Amendment
- Accounting of Disclosures
- Restriction Requests
- Confidential Communications
Explain why the Cures Act Information Blocking Rule was designed
To eliminate barriers that impede sharing and exchange of patient information for a large scope of patient records.
Define Information Blocking
Conduct that is likely to interfere with access, exchange, or use of electronic health information.
Define Electronic Health Information (EHI)
Electronic protected health information (ePHI) that would be included in a designated record set (DRS).
