Using and Disclosing PHI

Question 1

Permissible Uses and Disclosures of PHI

Answer 1

TPO:
<ul>
<li>Treatment</li>
<li>Payment</li>
<li>Operations</li>
</ul>
covered entities: for any disclosure outside TPO, must obtain explicit authorization from individual whose information is to be disclosed
business associates: only allowed to disclose for specific intended stated purpose in the BA contract. Cannot use/disclose PHI which violates contract (including when provided by CO or BA), or in violation of the law

Question 2

Sharing or Disclosing PHI with Third Parties

Answer 2

due diligence with questions to confirm HIPAA compliant before signing BA.

Question 3

Minimum Necessary Standard

Answer 3

BA must perform reasonable efforts to not use/disclose more than minimum PHI for intended purpose

Question 4

for CE or BA to disclose outside of TPO, …

Answer 4

1. get explicit permission from patient with a signed authorization
2. “de-identify” the information by deleting all individually identifying information

Question 5

Individually Identifiable Information

Answer 5

name, address, email, phone number, any other unique identifiers or codes

Question 6

breach

Answer 6

when PHI is improperly used or disclosed

Question 7

breach response

Answer 7

investigate, mitigate, document, and notify the CE whose information was affected, and potentially notify the Office of Civil Rights at the Department of Health and Human Services.