Medical Privacy Flashcards
Confidentiality of substance use disorder patient records rule scope
Covers disclosure and use of patient identifying information by treatment programs for alcohol and substance abuse.
Restricts the use of any information, whether written or verbal, that could lead to or substantiate criminal charges against a patient concerning their alcohol or drug usage.
Confidentiality of substance use disorder patient records rule applicability
Applies to any program that receives federal funding and holds itself out as providing alcohol or substance abuse diagnosis, treatment, or referral for treatment:
- an individual or entity (other than a general medical facility)
- an identified unit in a general medical facility
- medical personnel or other staff in a general medical facility whose primary function is the provision of the above
A state licensing agency requires them to comply
The clinician uses controlled substances for detoxification, requiring licensing through the DEA
Confidentiality of substance use disorder patient records rule disclosure
The program must obtain written patient consent before disclosing information subject to the rule.
- must describe the type of information that will be disclosed
- must receive a list of entities to which the information has been disclosed
- entities must have a treating provider relationship with the patient
Confidentiality of substance use disorder patient records rule redisclosure
Redisclosing information obtained from a program is prohibited when that information would identify an individual as having been treated, diagnosed, or referred for treatment
Confidentiality of substance use disorder patient records rule exceptions to consent requirements
Exceptions to the rule that allow disclosure without consent are:
- medical emergencies
- scientific research
- audits and evaluations
- court order
- child abuse reporting
- crimes on program premises
- communication with a qualified service organization related to information needed by the organization to provide services to the program
Confidentiality of substance use disorder patient records rule security of records
An entity lawfully holding patient identifying information must have formal policies and procedures in place to protect the security of this information. There are separate requirements for paper and electronic records.
Confidentiality of substance use disorder patient records rule violations
Violations are criminal and reported to the U.S. Attorney's office
- 1st offense is a fine of not more than $500
- each subsequent offense is fined not more than $5,000
PHI
Protected health information is defined as any individually identifiable health information that is transmitted or maintained in any form or medium.
It is held by a covered entity or business associate, identifies the individual, is created or received by a covered entity or an employer, and relates to a past, present, or future physical or mental condition, the provision of health care, or payment for health care to that individual
ePHI
Electronic protected health information is any PHI that is transmitted or maintained in electronic media.
What are covered entities under HIPAA
Healthcare providers that conduct certain transactions in electronic form
Health plans (insurers)
Healthcare clearinghouses (third parties that host, handle, or process medical information)
Who does HIPAA not apply to?
Doctors who only accept cash or credit cards and do not bill for insurance
When individuals share medical information with friends, purchase books, surf websites, or post online.
What is a business associate under HIPAA
Any person or organization that performs services and activities for or on behalf of a covered entity, if these services involve the use of PHI
HIPAA privacy and security rules apply directly to BAs
What are the Privacy Rule or fair information privacy practices (requirements) under HIPAA
- Privacy notices
- Authorization for uses and disclosures
- Minimum necessary use or disclosure
- Access and accounting of disclosures
- Safeguards
- Accountability
HIPAA Privacy Rule - privacy notice
Requires a covered entity to provide a detailed privacy notice at the date of first delivery; it must include statements about individuals' rights with respect to their PHI
HIPAA Privacy Rule - authorizations for uses and disclosures
HIPAA authorizes the use and disclosure of PHI for essential healthcare purposes: treatment, payment, and operations (TPO) or compliance purposes
Other uses or disclosures require the individual to opt-in
HIPAA Privacy Rule - minimum necessary
Other than for treatment, covered entities must limit the use and disclosure of PHI to the minimum necessary in order to accomplish the intended purpose
HIPAA Privacy Rule - access and accountings of disclosures
Individuals have the right to access and copy their own PHI from a covered entity or a business associate, the right to receive an accounting of certain disclosures of their PHI that have been made, and the right to amend PHI
HIPAA Privacy Rule - safeguards
Requires that covered entities implement administrative, physical, and technical safeguards to protect the confidentiality and integrity of all PHI
HIPAA Privacy Rule - accountability
Covered entities must designate a privacy official
Personnel must be trained
Compliant procedures must be in place
Exceptions to the privacy rule under HIPAA
- De-identification - the rule does not apply to information that has been de-identified
- Research - can occur with the consent of the individuals, on de-identified information, or if an authorized entity such as an institutional review board approves the research
- court hearings
- report abuse
- information used for public health activities
- compliance
HIPAA security rule requirements
- Ensure the confidentiality, availability, and integrity of all ePHI
- Protect against any reasonably anticipated uses or disclosures of information that are not permitted or required by the Privacy Rule
- Ensure compliance with the security rule by its workforce
- Protect against reasonably anticipated threats or hazards to the security and integrity of ePHI
- Identify an individual who is responsible for the implementation and oversight of the program
- Conduct risk assessments
- Maintain a security and awareness training program
Medical federal laws vs state laws
Medical federal laws do not preempt state laws that include stricter protections
HITECH
The Health Information Technology for Economic and Clinical Health Act
Enacted as part of the American Recovery and Reinvestment Act of 2009, it was created to promote the adoption and meaningful use of health information technology and electronic health records.
Expands and strengthens the scope of HIPAA
What does HITECH expand upon?
- notice of breach - must notify individuals within 60 days; if more than 500 people are affected, must notify HHS; if more than 500 in the same jurisdiction, must notify the media
- increased penalties - up to 1.5 million and extends criminal liability to individuals who misuse PHI
- limited data - all disclosures should be the minimum necessary
- electronic health records - provides funding for greater use of EHRs
The 21st Century Cures Act of 2016
Its purpose is to expedite the research process for new medical devices and prescription drugs, quicken the process for drug approval, and reform mental health treatment
What are the privacy provisions of the 21st Century Cures Act of 2016?
Certain individual biometric research information is exempted from disclosure under the Freedom of Information Act
Researchers permitted to remotely view PHI
Information blocking is prohibited, but HIPAA's protection of PHI remains
Certificates of confidentiality for research
Compassionate sharing of mental health or substance abuse information with family or caregivers
Violation of this act can result in a fine of up to 1 million
HIPAA
Health Insurance Portability and Accountability Act
Why are there strict privacy laws for healthcare?
Medical information is related to the inner workings of one's mind or body, and one's individual sense of self may be violated if others have unfettered access to this information.
Most doctors believe patients will be more open about their medical conditions if they have assurance that embarrassing medical facts will not be revealed.
Medical privacy can protect employees from the risk of unequal treatment by employers