Attorneys for healthcare organizations use the health record to_____
Protect the legal interests of the facility and its patient care providers
Under HIPAA, who is considerate a business associates of a covered entity CE?
A business associate is a person or organization other than a member of a CE's workforce that performs functions or activities on behalf of or affecting a CE that involve the use/access or disclosure of individually identifiable health information such as
Under HIPAA Privacy Rule that covered entity CE
Covered Entities is a person or organization that involved, either directly or indirectly with transmitting or performing any electronic transaction specified in the act. The transaction such as health plan (insurance), healthcare clearinghouse, healthcar
The HIPAA Privacy Rule____
Sets a minimum (floor) of privacy requirements
Competent individuals have the following rights in regard to his or her healthcare____
Right to consent to or refuse medical treatment. Competent adult has the right to request, receive, examine, copy, and authorize disclosure of the patient's healthcare information.
How to meet the individually identifiable element "PHI" under the HIPAA Privacy Rule?
1. identify the person or provide a reasonable basis to believe the person could be identified from the information given. 2. It must relate to one's past, present, or future physical or mental health condition, the provision of health care, or payment fo
Give the example of identifier under the Privacy Rule.
Visa a/c 2773 985 0468, Vehicle license plate BZ LITYR, or Street address 265 valley Road. The age 75 is not a indiviual identifiable.
What is privacy Rule's minimum necessary standard?
Relating to use applies to individuals who work for an organization. For example, policies and procedures should identify those persons or classes of persons who work for the covered entity who need to access PHI to perform their duties. In addition, the
What circumstances that minimum necessary requirement does not apply to____.
Healthcare providers for treatment, the individual or his personal representative, pursuant to the individual's authorization to the Secretary of the HHS for investigations, compliance review, or enforcement, as required by law, or to meet other privacy r
Susan is completing her required high school community service hours by serving as a volunteer at the local hospital. Relative to the hospital, she is a(n)___
Workforce member. The hospital is a covered entities which is responsible for their workforce. Workforce consist of employee, volunteers, student interns, and trainees. so workforce member are not limited to people who receive wages from the CE.
Lane Hospital has a contract with Ready-Clean, a local company, to come into the hospital to pick up all of the facility's linens for off-site laundering. Ready-Clean is:
[Ready-Clean is not a business associate] Vendors who have a presence in a healthcare facility, agency, or organization will often have access to patient info in the course of their work,If a vendor is not a business associate, employees of the vendor sho
The HIPAA Security Awareness and Training administrative safeguard requires all of the following addressable implementation programs for all members of its entity's workforce.
Special protections must be taken to ensure info is not inappropriately released or accessed. These protections include log-in monitoring, password management, and security reminders.
The director of Health Information Services is allowed access to the medical record tracking system when providing the proper log-in and password. Under what access security mechanism is the director allowed access to the system?
User-based access is a security mechanism used to grant users of a system access based on the identity of the user.
Which is a data sets would be most useful in developing a grid for identification of components of the legal health record in a hybrid record environment?
AHIMA e-HIM work Group on Health Information in a Hybrid Environment 2010. Document name, media type, source system, electronic storage start date, stop printing start date.
The_____ provide the objective and scope for the HIPAA Security Rule as a whole.
[General rules] They specify that covered entities must develop a security program that includes a range of security safeguards that protect individually identifiable health info maintained or transmitted in electronic form.
How the covered entities do in order to comply with HIPAA Security provisions?
Require the facility to [Establish a contingency plan] to ensure that procedures are in place to handle and emergency response in the event of an untoward event such as a power outage.
What is the statement For HIPAA implementation specifications that are addressable.
Implementation specifications either "required" or "addressable" define how standards are to be. Covered entities must implement all implementation specification that are "required". The covered entity must conduct a risk assessment to determine if the sp
The medical record of Kathy Smith, the plaintiff, has been subpoenaed for a deposition. The plaintiff's attorney wishes to use the records as evidence to prove his client's case. In this situation, although the record constitutes hearsay, it may be used a
Business records exception is the rule under which a record is determined to not be hearsay if it was made at or near the times by, or from information transmitted by, a person with knowledge; it was kept in the course of a regularly conducted business ac
From an evidentiary standpoint, incident reports______.
[Should not be place in a patient's health record], nor should the record refer to an incident report. Incident reports involving patient care are not created to treat the patient, but rather to provide a basis for investigating the incident.
A hospital employee destroyed a health record so that its contents---which would be damaging to the employee(destroyed the evidence that can plate them guilty)----could not be used at trial. In legal terms, the employee action constitutes_____.
[Spoilation] is a legal concept applicable to both paper and electronic records.
Authentication of a record refers to____
[Establishment of its baseline trustworthiness] on top of its relevance
When served with a court order directing the release of health records, an individual____
Must comply with it and with/with out patient authorization.
The step that should included in a health information department's procedure for preparing health records in response to a subpoena____.
Patient's authorization to release the requested records, appropriate measures must be taken to prior to disclosure to ensure the completeness and integrity of the health record. such as ensure the patient's name is present on every page, examine the reco
Written or spoken permission to proceed with care is classified as___
Expressed consent which can be use in court.
To be in compliance with HIPAA regulations, a hospital would make its membership in a regional health information organization RHIO know to its patients through which of the following?
[Notice of Privacy Practices]. with RHIO provider has immediate access to the specific information needed to patient in case of remote treating patient. An individual has the right to a notice explaining how his or her PHI will be used and disclosed.
Law enacted by a legislative body is a(n)____
The US constitution defines and lays out the powers of the three branches of the federal government. The legislative branch(the house of representatives and the senate) creates statutory laws (statutes)
What is the legal term used to describe the physical and electronic protection of health information?
Security
The "custodian of health records" refers to the individual within an organization who is responsible for the following action(s)______
care, custody, control, and proper safekeeping and disclosure of health records.
Who owns the health record?
Provider who generated the information
Which stage of the litigation process focuses on how strong a case the opposing party has?
Discovery, where parties use various strategies to "discover" info about a case prior(early) to trial. It's during this period that health records are usually subpoenaed.
When is healthcare providers has to give the Notice of Privacy Practices to patient?
Healthcare providers should provide it no later than the date of the first service delivery, the notice must be available at the site where the individual is treated and must be posted in a prominent place where patient can reasonably be expected to read
What document directs an individual to bring originals or copies of records to court?
Subpoena duces tecum this is means to bring documents and other records with oneself.
To comply with HIPAA, under usual circumstances, a covered entity must act on a patient's request to review or copy his or her health info within____days
[30 days] No later than 30 days after the request is made, extending the response no more than 30 additional days if it give the individual a written statement explaining the reasons for the delay and the date by which the covered entity will complete its
The HIPAA Privacy Rule requires that covered entities must limit use, access, and disclosure of PHI to only the amount needed to accomplish the intended purpose. What concept is this an example of.
Minimum necessary
Under Privacy Rule healthcare provider are not required____
to obtain patient consent to use or disclose personal identifiable info for treatment, payment, and healthcare operation.
What is the term of "consent".
The term consent is used when the permission is for treatment, payment, or healthcare operations.
What is the term of "authorization".
The term authorization to permission granted by the patient or the patient's representative to release information for reasons other than treatment, payment, or healthcare operations. As a standard of practice, healthcare providers only obtained the indiv
What is an advance directive?
it's is a written document that names the patient's choice of legal representative for healthcare purposes. The person designated by the patient is then empowered to make healthcare decisions on behalf of the patient in the event that the patient is no lo
The legal term used to describe when a patient has the right to maintain control over certain personal info is referred to_____
Privacy
What is the legal term used to define the protection of health info in a patient provider relationship?
Confidentiality
Agreements between the covered entity and a business associate includes____ . It does NOT allow the business associate to maintain PHI indefinitely.
requires the business associate to make available all of its books and records relating to PHI use and disclosure to the Department of Health and Human Services or its agent; prohibits the business associate from using or disclosing PHI in any way that wo
Under HIPAA regulations, how many days does a covered entity have to respond to an individual's request for access to his or her PHI when it's stored off-site?
60 days
The security officer is responsible for____
developing the security goals and objectives for the covered entity; determining how the goals and objectives will be met; advising administration regarding info security; determining reporting procedures; and conducting adequate risk assessment.
Example of a business associate____
Contract coder, billing companies, consultants, accounting firms, etc.
Does patient have opportunity to agree or disagree about the directory of patients maintained by a covered entity?
A patient has the opportunity to agree or disagree (restrict, deny permission) with being placed in a patient directory. NO need to be in writing authorization.
According to HIPAA, what does the abbreviation PHI stand for?
Protected health information.
The legal health record (LHR) is a (n):
Defined subset of all patient-specific data created or accumulated by a healthcare provider that may be release to third parties in response to a legally permissible request for patient info.
What is the term of a nonmaleficence mean?
Doing good is included in the ethical principle of beneficence, not harming others, for example HIM professional need to ensure that info is not released to unauthorized person to access it and who might harm the patient if access were permitted.
What is the term of autonomy mean?
Recognizing the importance of individuals being able to decide what happens to them
What is the term of justice mean?
Treating people fairly for example releasing info more quickly to a favorite physician's office.
Which organization issues and maintains ethical standards for the health info management profession?
American Health Information Management Association AHIMA.
When sister of patient is requested for her brother's health record and she is a caregiver. In this case how would the HIM department proceed?
Refuse the request b/c caregiver is not legal authorized as a personal representative under the Privacy Rule.
The community Hospital is discussing restricting the access that physicians have to electronic clinical records. What is the HIM director should directe the committee?
The HIPPAA Privacy Rule concept of "minimum necessary" does not apply to disclosures made for treatment purposes. However, the covered entity must define, within the organization, what info physicians need as part of their treatment role.
If the physician left HIV-positive patients in public area and exposure to reporter, he read it and publishes an article about that patient. The physician can be sued for____
Invasion of privacy.
Which type of law defines the rights and duties among people and non-governmental business?
[private law] is the branch of law concerned with the rules and principles that define rights and duties among people and private businesses.
A law enacted by a legislative body is called_____
A [statute or statutory law] are enacted by a legislative body. The US congress and state legislatures are legislative bodies and the compendium of statues they create are generally referred to as codes. Such as Medicare and HIPAA are statutes b/c they we