PTA HIPAA Flashcards
HIPAA
WHO MUST COMPLY WITH HIPAA?
HIPAA’s main goal is to assure that a person’s health information is properly protected - while still allowing the flow of health information needed to provide high-quality healthcare and to protect the public’s health and well-being. According to HIPAA, all “Covered Entities” must comply with privacy and security rules.
“Covered Entities” include:
1. Healthcare providers (including doctors, nurses, hospitals, dentists, nursing homes, and pharmacies).
Under HIPAA, a healthcare provider is defined as:
• Any person or organization that furnishes, bills, or is paid for healthcare services in the normal course of business, and transmits and stores that healthcare information
• A person or organization that engages a third party to process, transmit, and store claims
2. Health plans (insurance companies)
3. Healthcare clearinghouses, which are entities that process certain information, such as:
o Billing services
o Repricing companies
o Community health management information systems
As a healthcare worker, you are part of the “healthcare provider” network and therefore are required to comply with HIPAA rules and regulations regarding Protected Health Information (PHI). Workers in dietary, engineering, housekeeping, etc. may have access to PHI and also are required to comply with HIPAA regulations.
WHAT IS PROTECTED HEALTH INFORMATION (PHI)?
Protected Health Information (PHI) is:
• Individually identifiable health information
• Information that is linked to a patient
PHI relates to:
• A person’s past, present, or future physical or mental health or condition
• The provision of healthcare to a person
• The past, present, or future payment for the provision of healthcare to the person
Individually identifiable health information is either:
• Health information that specifically identifies a person, or
• Information that could reasonably be expected to identify a person, even if that person is not named
Many different types of information can identify an individual’s PHI under HIPAA, including but not limited to:
- Patient’s name
- Patient’s address
- Dates directly related to a person, such as birth date, admission date, discharge date, death date
- Telephone number, fax number, email address
- Social security number, medical record number, account number
- The individual’s e-mail, URL, or IP address
- Health plan beneficiary number (insurance number)
- Certificate/license number
- Vehicle identifier and serial number, including license plate number
- Biometric identifier, including fingerprints and voice prints
- Full-face photographs and any comparable images
- Any other unique identifying number, characteristic, or code
HOW SHOULD PHI BE USED AND DISCLOSED?
HIPAA protects the privacy of Protected Health Information (PHI). Here are some important facts to keep in mind:
- As a healthcare worker, if you are involved in the gathering, storing, and transmission of patient information, you MUST comply with HIPAA.
- Failure to follow HIPAA regulations could result in fines for you and/or your employer.
- However, PHI can be used and disclosed without a signed or verbal authorization from the patient when it is a necessary part of treatment, payment, or healthcare operations.
HIPAA allows the use or disclosure of PHI for the following reasons:
- For treatment
- For payment
- For healthcare operations
- When authorized by the individual
- When required by law
About the Minimum Necessary Standard Rule
The Minimum Necessary Standard Rule states that only the information needed to get the job done should be provided.
- Healthcare organizations MUST obtain a patient’s permission or authorization before using PHI for marketing, advertising, or other purposes.
- Healthcare organizations must establish written privacy policies and procedures regarding protected health information.
- Caregivers should refer to their facility’s health information policies and procedures regarding the use and disclosure of PHI.
The Minimum Necessary Standard Rule does NOT apply to the following:
- Disclosures to or requests by a healthcare provider for treatment purposes (such as communication hand-offs)
- Disclosures to the patient
- Uses or disclosures made with a patient’s authorization
- Uses or disclosures required for compliance with HIPAA Rules
- Disclosures to the U.S. Department of Health and Human Services when disclosure of information is required under HIPAA for enforcement purposes
- Uses or disclosures that are required by other laws
HIPAA PRIVACY AND SECURITY RULES
The Privacy Rule
- Under HIPAA, the Privacy Rule protects the privacy of all Protected Health Information (PHI), which is individually identifiable health information that is gathered, stored, or transmitted on paper, orally, or by electronic or any other media.
It is important to know that the HIPAA Privacy Rule requirements:
• Apply to most healthcare providers
• Set a federal standard for protecting individually identifiable health information across all mediums (electronic, paper, and oral)
• Limit how Covered Entities may use and disclose individually identifiable health information they receive or create
• Give individuals rights with respect to their PHI, including:
o The right to examine and obtain a copy of information in their medical records
o The right to ask Covered Entities to amend their medical record if information is inaccurate or incomplete
• Impose administrative requirements for Covered Entities; and establish civil penalties
Under the HIPAA Privacy Rule:
- All patients MUST receive a healthcare organization’s Notice of Privacy Practices.
- Patients may give a verbal authorization to provide PHI to family members and friends.
- Patients are notified of their rights to complain about an organization’s compliance with the Privacy Rule.
- Patients have the right to access and amend their own Protected Health Information.
The Security Rule
- The Security Rule establishes national standards to protect certain health information that is held or transferred in electronic form.
- The Security Rule requires appropriate safeguards to ensure the confidentiality, integrity, and security of electronic Protected Health Information (PHI).
- The U.S. Office for Civil Rights, in conjunction with the federal Department of Justice, is responsible for enforcing this rule and imposing criminal penalties of imprisonment and fines for HIPAA violations involving PHI.
HOW PHI CAN BE COMPROMISED
- Face-to-face conversations
- Telephone or dictated conversations
- On unprotected computer hard drives or on copy machines
- Via fax transmissions
- Through mobile devices, laptops, flash drives, CDs
- Via cell phones or PDAs (personal digital assistants that function as electronic organizers)
- Through email, text messages, or social media posts
- By disposing of PHI in the trash
- Having unsecured PHI (no data encryption, unsecured networks, unlocked file cabinets)
- Through inappropriate access, such as a caregiver accessing the PHI of a patient they are not caring for
PHI ACCESS AND DISCLOSURE
Under HIPAA, patients have certain rights regarding their Protected Health Information (PHI):
• Patients have the right to request, inspect, and receive a copy of their own PHI, including electronic records.
• A response to such a request must be made within 30 days. Exceptions to this are psychotherapy notes and information that has been gathered in anticipation of civil, criminal, or administrative action.
• Patients also have the right to amend their Protected Health Information. An organization can require that these requests are in writing and that the individual explains the reason for the change.
• Patients also have a right to know the identities of individuals
Special Circumstances
- Protecting public health - such as through public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, and other public health activities - often requires access to or the reporting of Protected Health Information.
- HIPAA permits Covered Entities to disclose protected health information without authorization for specified public health purposes. There may be more rigorous state laws regarding special circumstances, so it is important for you as a healthcare worker to know about the policies and procedures in place for your organization.
HIPAA VIOLATIONS
A HIPAA violation is the use or disclosure of Protected Health Information (PHI) in a way that compromises an individual’s right to privacy or security and poses a significant risk of financial, reputational, or other harm. The HIPAA Breach Notification Rule requires Covered Entities to promptly notify the affected person as well as the U.S. Secretary of Health and Human Services of the loss, theft, or certain other impermissible uses or disclosures of PHI. As a healthcare worker, you must report any knowledge of potential or actual violations immediately to your supervisor.