HIPAA Flashcards

1
Q

what does HIPAA stand for?

A

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

2
Q

is HIPAA state or federal?

A

HIPAA is a federal law that establishes the rules for managing medical information throughout the United States

Although states may adopt stricter confidentiality rules, HIPAA sets the minimum standards and protections for medical privacy

3
Q

what does HIPAA do?

A
  1. protects privacy
  2. increases portability and limits pre-existing condition exclusions in health insurance
  3. simplifies claims management by standardizing code sets and transactions
  4. requires staff to be trained on HIPAA policies and procedures
4
Q

what did the 2009 HIPAA amendments do?

A

HITECH amendments added strict new penalties – including the possibility of personal criminal liability – and make compliance with HIPAA’s privacy and security standards even more important

5
Q

what are “covered entities”?

A

HIPAA’s privacy and security rules must be followed by “covered entities”

these include any person or business that provides, bills, or receives payment for medical care, including:

  • health care providers
  • clearinghouses that process (change the format of) medical information
  • health plans and health insurance issuers
6
Q

what does the term “health plans” refer to?

A

refers to both individual and group plans, health maintenance organizations (HMOs); Medicare; Medicaid; Medicare Advantage and Medicare supplement insurers; and most long-term care insurers

includes health, dental, vision, and prescription drug insurers

7
Q

does HIPAA also cover “business associates” who have access to health care information from covered entities?

A

YES

8
Q

what does the term “business associates” include?

A

individuals and organizations (including contractors and other non-staff) who perform certain services and activities, such as:

  • claims processing and third-party billing
  • administrative, management, and professional consulting
  • data transmission, storage, and aggregation (including web-hosting)

As a result, many businesses that aren’t in the medical field must now comply with HIPAA. For example, if a truck containing medical records is stolen, the delivery company may be required to notify the affected individuals or face HIPAA penalties.

9
Q

what does the HIPAA Privacy Rule do?

A

protects health information from the time a record is created (or the information is revealed) to the time it’s destroyed

  • protects individually identifiable health information
  • requires organizations to establish safeguards to ensure medical privacy
  • restricts the use and disclosure of medical information
  • gives patients the right to access and control their medical records
10
Q

how does the Privacy Rule balance privacy and care?

A

the Privacy Rule does not forbid all disclosures of medical data

for example, there are almost no restrictions on providing information to the patient, someone authorized by the patient, or a health care professional treating the patient

to guard against unauthorized or illegitimate uses, however, the Privacy Rule requires organizations to adopt safeguards to protect the confidentiality of medical information

additionally, it establishes penalties if organizations (or any individual) violate patients’ privacy rights

11
Q

what is considered Protected Health Information?

A

any information or record, in any form or media (including electronic, paper, or oral), about an individual’s mental or physical health, condition, or treatment (whether past, present, or future), should be considered Protected Health Information (PHI)

12
Q

what individual identifiers make something protected health information?

A
  • names
  • contact information (street or email address, telephone or fax number)
  • dates directly relating to an individual (birth or death, admission or discharge)
  • geographic subdivisions smaller than a state (county, city, zip code)
  • account numbers (Social Security, medical record, insurance)
  • biometric identifiers (fingerprint, retinal scan, full-face photograph)
  • other unique identifiers (certificate or license number, vehicle license plate, Web URL, IP address)
13
Q

what is de-identifying PHI?

A

PHI can be de-identified by taking out all information that can be linked to any individual; the remaining data is then de-identified

remove “individual identifiers” so that there is no reasonable basis to relate the remaining information to a particular person

14
Q

what are “limited data set” records?

A

PHI that has most, but not all, individual identifiers removed

differs from de-identified PHI in that it may contain some information about a patient, like birthday, admission/discharge date, or zip code

Limited data sets are often used to gather statistics for research or public health purposes

15
Q

is an X-ray or MRI image labeled with a medical account number considered PHI?

A

yes!

health information in any form may qualify as PHI when it can be linked to a particular patient by a medical record or other unique account number.

16
Q

is a completed medical insurance claims form considered PHI?

A

yes!

PHI includes records involving an individual’s eligibility for benefits as well as the billing and payment for medical care by health plans and insurers

17
Q

is an email from a physician authorizing ‘corknut23@yahoo.com’ to be referred to a specialist considered PHI?

A

yes!

PHI includes electronic records regarding health care that contain individual identifiers, such as someone’s email address or other contact information

18
Q

what does the HIPAA Privacy Rule require organizations to do?

A
  • adopt privacy policies and procedures
  • notify patients and clients about their privacy rights
  • institute safeguards to secure Protected Health Information (PHI)
  • train staff (employees and volunteers) on their responsibility for privacy
  • appoint a Privacy Officer responsible for enforcing privacy requirements
  • set up procedures to respond to complaints about privacy
  • take steps to minimize unauthorized access or use of PHI
  • discipline staff for violating HIPAA’s privacy regulation
19
Q

what is a Privacy Notice?

A

HIPAA requires organizations to notify individuals about their rights and most do it by distributing a Privacy Notice that explains:

  • the organization’s privacy practices and obligations
  • how the organization may use and disclose PHI
  • the organization’s duty to provide notice about breaches of PHI (discussed later)
  • the uses and disclosures of PHI that require authorization
  • their rights to complain and whom to contact
20
Q

how does HIPAA give individuals control over their own PHI?

A

individuals have the right to:

  • access their PHI
  • obtain copies of their PHI (including electronic records) within 30 days
  • request amendments to correct or complete their records
  • request confidential communications
  • obtain an accounting of who used or received their PHI
  • impose restrictions on disclosure of their PHI under certain conditions
  • opt out of fundraising communications
  • revoke previous authorizations
  • file complaints
21
Q

when can PHI be disclosed?

A

PHI can be used or disclosed only if HIPAA expressly permits it or if the individual authorizes it

but even when PHI may be shared, the Privacy Rule strictly limits the amount of information that may be given

22
Q

what is the HIPAA “minimum necessary rule”?

A

PHI disclosure must be restricted to the minimum necessary that is needed to accomplish the task

staff access to PHI should be on a “need to know” basis, and limited to the information required for each person to do their job

you should not access, acquire, examine, talk about, or share PHI unless required by your assigned duties

to the extent possible, it only permits “de-identified” PHI or a “limited data set” to be used or disclosed

23
Q

what are the exceptions to the minimum necessary rule where full disclosure is permitted?

A

it is not necessary to limit disclosures:

  • to health care providers when PHI is requested for treatment or evaluation
  • to the individual who is the subject of the information
  • if authorized by the individual
  • during government investigations or if otherwise required by law
  • to comply with other HIPAA rules
24
Q

what are the two situations in which HIPAA requires organizations to disclose PHI?

A
  1. when an individual (or their personal representative) requests their own information
  2. to respond to investigations by the Department of Health & Human Services
25
Q

when does HIPAA permit organizations to disclose PHI?

A
  • needed for the public interest
  • used specifically for “treatment, payment, and health care operations” (TPO)
  • the disclosure is “incidental” to other appropriate use
  • going to another person or entity authorized by the individual
26
Q

when can an organization disclose PHI in the public interest?

A
  • when required by law (to report suspected abuse, neglect, or domestic violence)
  • to support public health or health oversight activities (to report communicable diseases)
  • to comply with orders, subpoenas, and warrants in judicial and administrative proceedings
  • to help law enforcement identify a missing person or fugitive
  • to facilitate the donation or transplantation of cadaveric organs, eyes, and tissue
  • to funeral directors, coroners, or medical examiners to identify a deceased person or the cause of death
  • when used for research projects or clinical trials if certain minimum safeguards (including a privacy board) are satisfied
  • to comply with workers’ compensation laws
27
Q

what is TPO?

A

an organization may disclose PHI without an individual’s authorization for “treatment, payment, and health care operations”

the Privacy Rule permits full disclosure of PHI when needed by a health care provider for treatment or evaluation. However, the “minimum necessary” rule applies to other staff, and to disclosures of PHI when requested for payment and health care operations.

28
Q

what is treatment?

A

Treatment means providing, coordinating, or managing health care by one or more providers (consultations and referrals)

29
Q

what is payment?

A

payment refers to determining eligibility or processing claims (for reimbursements or insurance premiums).

30
Q

what are health care operations?

A

Health care operations are administrative, financial, legal, and quality-improvement activities (auditing and medical reviews)

31
Q

what are incidental disclosures?

A

a patient consulting with a pharmacist may be overheard by others standing nearby. Or, a patient in a shared room may hear doctors discuss another patient’s condition. Similarly, hospital visitors may see patients’ names on a sign-in sheet, or overhear nursing staff orally coordinating their duties.

as long as organizations take steps to comply with HIPAA, the Privacy Rule isn’t intended to impede normal and necessary communications required for effective health care.

32
Q

how can you avoid incidental disclosures?

A

speak quietly when discussing patients or health care in public areas (waiting room, hallways, elevators)

avoid using patients’ names in public areas

use a private office when authorized to discuss PHI on the telephone

don’t leave health care records or files where they’re visible to others

33
Q

what makes an authorization valid?

A

Authorizations typically grant an organization (or person) permission to use PHI for specified purposes. They may also describe restrictions or limit the purpose for which the information may be used

To be valid, authorizations must be in writing and include:

  • a description of the PHI to be used and disclosed
  • the identity of who is authorized to make the use or disclosure
  • the recipient of the information
  • the individual’s right to revoke the authorization
  • an expiration date
  • a signature
34
Q

how are psychotherapy notes authorizations different?

A

special rules apply to authorizations regarding (1) psychotherapy notes and (2) using PHI for marketing purposes

Basically, a specific authorization is required for any use of records of psychotherapy sessions or before allowing outside vendors to use PHI to sell products or services.

35
Q

what is included in a facility directory?

A

a covered entity can sometimes maintain a directory of individuals in its facility. A facility directory may include the following information about individuals in the facility:

  • name
  • location in the facility
  • general condition (but not any specific medical information)
  • religious affiliation

Before an individual’s information may be included in the directory, the individual must be informed about the directory and given an opportunity to “opt out.” This directory information may be disclosed to members of the clergy or to anyone who asks for an individual by name, but in this situation religious affiliation may NOT be disclosed

For example, a minister of a particular religion may obtain a list of a hospital’s patients who are of the same religion in order to visit and pray with them. No one other than clergy can obtain such a list. Anyone else who asks for an individual by name may be told the location and general condition of that individual but may not be told the individual’s religious affiliation

36
Q

HIPAA permits the limited sharing of relevant PHI with families and friends, such as?

A

A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from the hospital.

A hospital may discuss a patient’s payment options with her adult daughter.

A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.

A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.

A surgeon may, if consistent with his professional judgment, inform a patient’s wife, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient’s progress and prognosis.

A doctor may, if consistent with her professional judgment, discuss an incapacitated patient’s condition with a family member over the phone.

37
Q

what are personal representatives?

A

“personal representatives” have the legal authority to act on the individual’s behalf - generally, personal representatives have the same authority under HIPAA as the individual patient.

For example, parents are almost always the personal representatives of their minor children.

38
Q

what papers prove a personal representative’s legal status?

A

  • health care power of attorney
  • court-appointed legal guardianship
  • general (or durable) power of attorney

After someone dies, their personal representative may include the executor (or administrator) of their estate, next of kin, or another family member.

39
Q

what is the HIPAA Security Rule?

A

the Privacy Rule controls the use and disclosure of PHI

the HIPAA “Security Rule” prevents unauthorized access to electronic medical data - it’s designed to:

  • secure electronic Protected Health Information (E-PHI) from disclosure, alteration, or loss
  • establish standards for electronic security procedures
40
Q

what’s the difference between the Privacy Rule and the Security Rule?

A

The Security Rule only applies to electronic Protected Health Information (E-PHI). This is in contrast to the Privacy Rule, which covers PHI no matter whether it’s in electronic, oral, or paper form.

41
Q

what are the safeguards the Security Rule requires organizations to implement?

A

  • administrative safeguards
  • physical safeguards
  • technical safeguards

42
Q

what are administrative safeguards?

A

administrative safeguards are required by the Security Rule

they include assigning responsibility for security and appointing a “Security Official,” adopting procedures to prevent and correct security violations, providing security training to staff, and disciplining staff for security policy violations.

43
Q

what are physical safeguards?

A

physical safeguards are required by the Security Rule

they are methods to protect data, equipment, and the facility against physical hazards (backing up data off-site and requiring laptops to be locked when not in use) and to prevent unauthorized use or intrusion (locking office doors, and erasing disks before reusing them).

44
Q

what are technical safeguards?

A

technical safeguards are primarily automated procedures to track and reduce unauthorized access (computer log-in and automatic log-off procedures, requiring special verification procedures for offsite/remote log-ins, and authentication controls ensuring data encryption during transmission).

45
Q

what is unsecured data?

A

Data is “unsecured” when it is not encrypted or destroyed (unusable and unreadable according to regulatory standards)

It’s important to note that HITECH requires notification for a breach only when it involves “unsecured” data

For example, a lost laptop containing encrypted PHI does not involve a breach of unsecured data, since the PHI cannot reasonably be accessed or read. However, if that laptop was lost with a patient’s file visible on the screen, it would qualify as a breach of that individual’s unsecured data

46
Q

how long does somebody have to file a complaint of a HIPAA violation?

A

180 days

HIPAA also protects patients and staff members from retaliation. This means an organization may not discipline or fire individuals who file a complaint, assist in official investigations, or otherwise oppose violations of HIPAA

47
Q

what is the fine for a single HIPAA violation?

A

may now result in an organization (or individual) facing a $100 to $50,000 civil fine

48
Q

what’s the maximum annual penalty for HIPAA violations?

A

the maximum annual penalty was raised to $1,500,000 for related violations

49
Q

what’s the punishment for knowingly obtaining or disclosing PHI in violation of HIPAA?

A

$50,000 to $250,000 criminal fine, and up to ten years imprisonment

50
Q

what are the most severe HIPAA violation punishments for?

A

The most severe criminal penalties are reserved for selling or using PHI for commercial advantage, personal gain, or malicious harm