HIPAA Privacy Training Flashcards

1
Q

HIPAA HISTORY

  • HIPAA - HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT, 1996
  • PRIVACY RULE, 2003
  • SECURITY RULE, 2005
  • HITECH ACT (INTERIM RULE) 2009
  • OMNIBUS RULE (FINAL RULE) 2013
A
2
Q

WHAT AGENCY ENFORCES HIPAA?

A

the Office for Civil Rights (OCR)

3
Q

HOW MANY PHI IDENTIFIERS ARE THERE?

A

18 Identifiers
The 18 identifiers that make health information PHI are:

Names
Dates, except year
Telephone numbers
Geographic data
FAX numbers
Social Security numbers
Email addresses
Medical record numbers
Account numbers
Health plan beneficiary numbers
Certificate/license numbers
Vehicle identifiers and serial numbers including license plates
Web URLs
Device identifiers and serial numbers
Internet protocol addresses
Full face photos and comparable images
Biometric identifiers (e.g., retinal scan, fingerprints)
Any unique identifying number or code
4
Q

MINIMUM NECESSARY REFERS TO HOW MANY PEOPLE ARE ALLOWED TO ACCESS A PARTICULAR PATIENT’S RECORD

A

TRUE

5
Q

WHAT DOES TPO STAND FOR?

A

Treatment, Payment, Health Care Operations
TPO stands for Treatment, Payment, and Operations. It is used to describe some of the circumstances in which covered entities are allowed to disclose patient information without the need to obtain authorization from patients.

6
Q

WE CAN RELEASE PHI FOR ANY SUBPOENA WE RECEIVE IF IT IS ORDERED BY A JUDGE?

A

If a valid federal grand jury subpoena or HIPAA subpoena is received, the HIPAA Privacy Rule permits the disclosure of PHI. HIPAA assumes the judge or magistrate issuing the subpoena has considered the privacy and confidentiality rights of an individual(s) prior to signing the subpoena.

7
Q

WHAT IS INCLUDED IN THE “DESIGNATED RECORD SET”?

A

Designated record sets include medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals.

8
Q

WHAT IS INCLUDED IN AN ACCOUNTING OF DISCLOSURES?

A

For each disclosure, the accounting must include:

(1) The date of the disclosure;
(2) the name (and address, if known) of the entity or person who received the protected health information;
(3) a brief description of the information disclosed; and
(4) a brief statement of the purpose of the disclosure (or a copy of the written request for the disclosure).

9
Q

WHAT DOES HIPAA STAND FOR?

A

HIPAA - HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

10
Q

WHAT IS A COVERED ENTITY?

A
  • HEALTH CARE PROVIDER SUCH AS DOCTORS, NURSING HOMES, CLINICS, AND PHARMACIES
  • HEALTH PLAN SUCH AS HEALTH INSURANCE COMPANIES, HMOS, COMPANY HEALTH PLANS, GOVERNMENT
    PROGRAMS THAT PAY FOR HEALTH CARE, SUCH AS MEDICARE, MEDICAID, AND THE MILITARY AND VETERANS HEALTH
    CARE PROGRAMS.
  • HEALTHCARE CLEARINGHOUSE.
11
Q

WHAT IS A BUSINESS ASSOCIATE (BA)?

A

A BUSINESS ASSOCIATE (BA) IS AN ENTITY OR PERSON, OTHER THAN A STAFF MEMBER OF A COVERED ENTITY (CE), WHO PERFORMS ACTIVITIES, FUNCTIONS, OR PROVIDES CERTAIN SERVICES, WHICH INVOLVE ACCESS TO PHI OR ePHI FROM THE CE.

IN OTHER WORDS, A BUSINESS ASSOCIATE IS A BUSINESS PARTNER OF A CE THAT DOES THINGS FOR OR IN THE OPERATING ENVIRONMENT OF THE CE’S BUSINESS.

12
Q

BUSINESS ASSOCIATES INCLUDE:

A
ANSWERING SERVICES 
ATTORNEYS 
AUTOMATIC PAYMENT SOFTWARE VENDORS 
BILLING COMPANIES 
BIOMEDICAL EQUIPMENT MAINTENANCE & REPAIR SERVICES
CLEARINGHOUSES
COLLECTION AGENCIES
COPIER & EQUIPMENT VENDOR
ELECTRONIC MEDICAL RECORDS SOFTWARE VENDORS
INSURANCE VERIFICATION SOFTWARE VENDORS
IT PROFESSIONALS OR CONSULTANTS 
PRACTICE MANAGEMENT SOFTWARE VENDOR
RECORD STORAGE COMPANIES
TRANSCRIPTION SERVICES
X-RAY DESTRUCTION COMPANIES
13
Q

WHY IS HIPAA IMPORTANT?

A

IT IS MANDATED BY THE FEDERAL GOVERNMENT THAT COVERED ENTITIES AND BUSINESS ASSOCIATES MUST COMPLY WITH HIPAA.
AS A WORKFORCE MEMBER, YOU HAVE A LEGAL AND ETHICAL RESPONSIBILITY TO SAFEGUARD THE PRIVACY OF ALL PATIENTS' PROTECTED HEALTH INFORMATION.
IF ANY STAFF MEMBER DOES NOT COMPLY WITH HIPAA, YOU CAN BE WRITTEN UP AND EVEN HAVE YOUR JOB TERMINATED BY YOUR EMPLOYER.
A PERSON OR COMPANY WHO DELIBERATELY RELEASES PHI CAN FACE CRIMINAL AND/OR CIVIL CHARGES. IN ADDITION, BOTH YOU AND YOUR EMPLOYER CAN BE FACED WITH EXCESSIVE FINES AND JAIL TIME UP TO 10 YEARS.

14
Q

WHAT AM I PROTECTING?

A

PHI - PROTECTED HEALTH INFORMATION
18 IDENTIFIERS OF PHI MUST BE PROTECTED

WHICH IS INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION TRANSMITTED OR MAINTAINED IN ANY FORM OR MEDIUM (INCLUDING ORALLY, WRITTEN, OR ELECTRONIC FORM).

15
Q

WHAT IS PHI?

A

PHI - PROTECTED HEALTH INFORMATION
IS ANY INFORMATION ABOUT HEALTH STATUS, WHETHER PAST, PRESENT, OR FUTURE, PROVISION OF HEALTH CARE, OR PAYMENT FOR HEALTH CARE THAT CAN BE LINKED TO A SPECIFIC INDIVIDUAL.
EVEN THOUGH THE PERSON’S MEDICAL RECORD IS THE MOST OBVIOUS PLACE TO FIND PHI, PHI CAN ALSO BE FOUND ON INSURANCE CARDS, OFFICE BOARDS, TELEPHONE NOTES, DICTATION TAPES, FAX MACHINES, COPY MACHINES, DELIVERY TICKETS, AND OTHER PLACES. WHEN WORKING WITH HARD COPY PHI YOU SHOULD MAKE SURE TO KEEP IT FROM THE EYES OF OTHERS. THIS MEANS IF YOU HAVE A DOCUMENT, IT SHOULD BE PUT UPSIDE DOWN SO OTHERS CAN’T SEE IT.

16
Q

WHAT DOES PROTECTED MEAN?

A
  • PROTECTED MEANS THAT ONLY PEOPLE WHO NEED THE INFORMATION TO DO THEIR JOB SHOULD HAVE ACCESS TO
    THIS HEALTH INFORMATION, THE MINIMUM NECESSARY STANDARD.
  • DO NOT SHARE PHI WITH ANYONE WHO IS NOT PART OF THE PATIENT’S CARE OR IS NOT LISTED BY THE PATIENT AS
    SOMEONE WHO IS ALLOWED TO OBTAIN INFORMATION (i.e. a family member).
  • IT ALSO MEANS, IN SOME CIRCUMSTANCES, YOU MUST GET THE PATIENT’S PERMISSION TO DISCLOSE OR USE THEIR
    PHI.
17
Q

WHAT DOES MINIMUM NECESSARY MEAN?

A

THE “MINIMUM NECESSARY” STANDARD, A KEY PROTECTION OF THE HIPAA PRIVACY RULE, REQUIRES THAT A COVERED ENTITY MUST MAKE ALL REASONABLE EFFORTS NOT TO USE OR DISCLOSE MORE PHI THAN IS NECESSARY TO ACCOMPLISH THE INTENDED FUNCTION.

THE MINIMUM NECESSARY STANDARD REQUIRES CE’S TO EVALUATE THEIR PRACTICES AND ENHANCE SAFEGUARDS AS NEEDED TO LIMIT UNNECESSARY OR INAPPROPRIATE ACCESS TO AND DISCLOSURE OF PHI.

18
Q

HOW TO KEEP PHI PRIVATE….

A

TO KEEP PHI PROTECTED ALWAYS MAKE SURE THE PERSON YOU ARE SPEAKING TO HAS THE RIGHT TO ACCESS THE INFORMATION YOU ARE DISCLOSING.

THIS INCLUDES FAMILY MEMBERS AS WELL AS OTHER WORKFORCE MEMBERS THAT MAY NOT BE INCLUDED IN THEIR CARE.

SPEAK IN HUSHED TONES SO THAT OTHERS MAY NOT EASILY OVERHEAR YOU, WHETHER YOU ARE ON THE PHONE OR IN PERSON.

19
Q

WHAT IS A DESIGNATED RECORD SET?

A

A GROUP OF RECORDS MAINTAINED BY OR FOR A MEDICAL PRACTICE THAT INCLUDES THE MEDICAL RECORDS AND BILLING RECORDS ABOUT INDIVIDUALS THAT ARE USED IN WHOLE OR PART BY OR FOR THE PRACTICE TO MAKE DECISIONS ABOUT INDIVIDUALS.
THE TERM RECORD IS DEFINED AS ANY ITEM, COLLECTION, OR GROUPING OF INFORMATION THAT INCLUDES PROTECTED HEALTH INFORMATION AND IS MAINTAINED, COLLECTED, USED, OR DISSEMINATED BY OR FOR THE PRACTICE.

20
Q

WHAT ARE “PATIENTS’ RIGHTS”?

A

PATIENTS HAVE THE RIGHT TO VIEW AND RECEIVE A COPY OF THEIR PHI.
THIS WILL INCLUDE BILLING RECORDS, X-RAYS, LAB REPORTS AS WELL AS MEDICAL RECORDS INCLUDED IN THE DESIGNATED RECORD SET.
THIS REQUEST MUST BE IN WRITING.
PATIENTS HAVE THE RIGHT TO AMEND OR CORRECT THEIR PHI.
RESTRICTIONS - A PATIENT HAS THE RIGHT TO REQUEST HIS/HER PHI NOT BE DISCLOSED TO THEIR INSURANCE CARRIER FOR SERVICES PAID BY THE PATIENT OUT OF POCKET AND IN FULL; THE REQUEST MUST BE IN WRITING AND IS FOR THAT DATE OF SERVICE ONLY.
COMPLAINTS - RIGHT TO COMPLAIN ABOUT THE TREATMENT OF THEIR PHI. COMPLAINTS MUST BE ADDRESSED BEFORE THE PATIENT LEAVES.

21
Q

WHAT IF I MAKE A MISTAKE?

A

IT IS NOT THE END OF THE WORLD!
WE ARE HUMAN AND ARE KNOWN TO MAKE MISTAKES. FINES, PENALTIES, AND JAIL TIME COME WITH WILLFUL NEGLECT, MEANING YOU INTENTIONALLY MEANT TO DISCLOSE PHI.
CONTACT YOUR SUPERVISOR ASAP AND EXPLAIN WHAT, WHY, AND HOW IT HAPPENED.
THINK OF THE BEST WAYS THE MISTAKE COULD HAVE BEEN PREVENTED FROM YOUR POINT OF VIEW AND WRITE THE SOLUTION DOWN AND GIVE IT TO YOUR SUPERVISOR/MANAGER.