Med Law Chapter 10 Patient Confidentiality and HIPAA

Clearinghouse

A private or public healthcare entity that facilitates the processing of non-standard electronic transactions into HIPAA transactions (e.g. billing service)

Deidentifying

Removing descriptive information about that patient

Employer Identification Number (EIN)

A number assigned to an employer for the purpose of identification

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Regulates the privacy of patients' health information

Healthcare Integrity and Protection Data Bank (HIPDB)

A national data bank that collects and reports disclosures of actions taken against healthcare practitioners, providers, and vendors for noncompliance and fraudulent activities

Medical Informatics

The application of communication and information to medical practice, research, and education

Minimum Necessary Standard

Means that the provider must make a reasonable effort to limit the disclosure of patient information to the minimum amount necessary to accomplish the purpose of the request

Sanctions

Penalties and Fines

Expectations when visiting a physician's office or medical facility?

Quality Care and Confidentiality

Congress mandated the Health Insurance Portability and Accountability Act of 1996?

- Enforce privacy provision by Apr 14 2003
- Law is complicated and expensive for physicians to implement, but it brings more careful attention to issues of patient privacy

Confidentiality:

- Physicians are expected to maintain all confidences concerning their patients
- Modern medicine and technology make patient privacy issues a paramount concern
- Confidentiality preserves the patient's dignity

HIPAA - Five major categories covered under HIPAA:

- Insurance portability
- Administration/simplification
- Medical savings and tax deductions
- Group health plan provisions
- Revenue offset provisions

PRIVACY Rules

- Applies to protected health information
- Limits disclosures to only minimum information necessary to carry out medical treatment
- Patient must grant written consent or permission to disclose their PHI for treatment, payment, and other health care oper

Who is Affected by Privacy Rule:

- Public Health Authorities
- Healthcare Clearinghouses
- Self Insured Employers
- Private Insurers
- Information System Vendors
- Various Service Organizations
- Universities

Why do some health care institutions deny access to patient medical information?

Some health care institutions, such as nursing homes, may have to deny access to patient medical information in order to protect the patient

State Preemptions:

- Some states have stricter privacy standards than those of HIPAA
- The state's laws would then take precedence over the federal HIPAA regulation

Unique Identifiers for Health Care Providers:

- Standard Identifiers are used to reduce confusion and errors
- Employer Identifier Standard - Published in 2002
- Uses Employer Tax ID Number or Employer ID Number (EIN)
- Used for electronic transmission

How to de-identify Protected Health Information (PHI)

- Remove patient name, address, email, telephone, fax number, all dates including birth date except year, admission, discharge, and death
- SSN, medical records number, health insurance number, license number, photo (facial), other identifying numbers or

Special Rules Relating to Research:

- Researcher must obtain patient authorization that complies with HIPAA
- Waiver of authorization from a privacy board or institutional review board
- Waiver must include extensive documentation as required by HIPAA

Problems Relating to HIPAA's Privacy Rules:

- Some health care providers now refuse to provide medical records to anyone except the patient
- Compliance with HIPAA slows police investigations and impedes prosecution of crimes

Misconceptions about HIPAA:

- Does not prevent physicians or hospitals from sharing patient information to treat
- Does not prevent disclosure to clergy
- Does not apply to most police or fire departments (may release information about accident victims)
- Does limit information EMT's

Recommendations to prevent HIPAA violations:

- Appoint and train privacy officer
- Conduct internal assessment of existing policy
- Enter agreements with all nonemployee service providers
- Adapt procedures for handling patient requests
- Implement notice of privacy practices
- Revise employee manua

Ethical Concerns with Information Technology

- WLANs - Communication system used to access patient records from central databases
- Medical Informatics - application of communication and information to medical practice, research, and education
- Telemedicine - Use of communication and information tech

Required disclosures

a. Health and Human Services (HHS) can view accounts, records, and other financial documents b. Patient requests to view own records

Valid patient authorization

a. Allows for PHI to be disclosed

Patient requests for disclosure

a. May view own records b. May discuss treatment and medical condition with physician

For the treatment, payment and healthcare operations (TPO) AND of other covered entities

a. Patient's written permission is needed for other covered entities, such as attorneys and insurance plans, to have access to PHI

For patient representatives such as family

a. Must present a legal document, such as a Medical Power of Attorney, before access to PHI is granted to family or friends

Qualified disaster relief organizations

a. Used to provide notification regarding disaster relief b. May be provided unless patient objects

Incidental disclosures about patients without their authorization

a. Nurses and healthcare professionals may discuss patient cases when they are out of the hearing distance of others b. Healthcare professionals may leave limited phone messages for patients; it is always preferable to ask the patient if this is acceptabl

For public purposes

a. When the PHI disclosure is required by law, such as with a request by a court b. Public health departments are authorized to collect data relating to communicable diseases, births, and deaths c. In all cases of abuse or neglect d. Disclosure necessary to p

When deidentification has occurred (i.e., when patient identifiers have been removed)

#10 HIPAA identified permission

In a limited data set in which certain identifiers, such as patient's, relative's, and employer's names, have been removed

Patients do not have the right to access:

a. Psychotherapy notes
b. Certain laboratory tests, under the Clinical Laboratory Improvement Act of 1988, may only be given to the person who authorized the test, usually a physician c. If they are prison inmates d. Certain research projects in which the limite

Covered entities

Healthcare organizations covered under HIPAA regulations, such as public health authorities, healthcare clearinghouses, self-insured employers, life insurers, information systems vendors, and universities

Employer Identifier Standard

A standard number based on an employer's tax ID number or EIN that is used for all electronic transmissions

Healthcare plan

An individual or group plan that provides or pays for medical care

HIPAA-defined permission

Permission to use information based on the reason for knowing, or use of, the information

Notice of Privacy Practices (NPP)

A written statement that details the provider's privacy practices

Office of Civil Rights (OCR)

The federal office that investigates violations of HIPAA

Permission

HIPAA defined areas in which permission must be granted in order to use or disclose patient health information (PHI)

Privacy Rule

A requirement that all covered entities under HIPAA must be in compliance with the privacy, security, and electronic-data provisions by April 14, 2003

Protected Health Information (PHI)

Any individually identifiable information that relates to the physical or mental condition or the provision of healthcare to an individual

Telemedicine

The use of communications and information technologies to provide healthcare services to people at a distance

Treatment, payment, and healthcare operations (TPO)

Functions that a healthcare provider can perform

Wireless Local Area Networks (WLANs)

A wireless system that is used by physicians and nurses to access patient information

Penalties of Noncompliance with HIPAA

- Civil penalties
- Federal criminal liability with sanctions (fines) and time in prison
- Risk of class action suit and public relations

PRIVACY RULE

All covered entities must be in compliance

WLANs

wireless systems to send and receive data

HIPAA

Health Insurance Portability and Accountability Act of 1996

EIN

Number assigned to an employer

CLEARINGHOUSE

a billing service

HEALTHCARE PLAN

Individual or group that provides or pays for medical care

PHI

Individually identifiable information

TELEMEDICINE

Use of information technologies to treat people at a distance

EMPLOYER IDENTIFIER STANDARD

Based on employer's tax ID or on their EIN

HHS

Department of Health and Human Services

The privacy rule is meant to ensure:
a. standardization of health data
b. standardization of financial data
c. standardization of medical care
d. a and b only
e. a, b, and c

D. a and b only
a. standardization of health data
b. standardization of financial data

An example of a clearinghouse is:
a. PHI
b. a skilled nursing facility
c. a billing service
d. a government regulation
e. EIN

c. a billing service

The government organization that investigates a violation of a patient's medical privacy is called
a. OSHA
b. OCR
c. PHI
d. HIPAA
e. none of the above

b. OCR

A network of wireless communication systems used to access patient records is
a. HIPAA
b. PHI
c. WLANs
d. EIN
e. ADA

c. WLANs

The privacy law
a. prevents hospitals from sharing medical information with other facilities
b. prevents hospitals from sharing registered patient names with the clergy
c. does not apply to most police and fire departments
d. allows unlimited information t

c. does not apply to most police and fire departments

A violation of HIPAA
a. is a criminal offense
b. does not carry any financial penalty at present
c. is not reportable
d. does not affect a physician's reputation, as it is just a document
e. may have a fine of under $100 for all offenses

a. is a criminal offense

When implementing HIPAA, physicians and physician groups should
a. hire a privacy officer
b. implement a Notice of Privacy Practices
c. retain signed authorization for at least six years
d. enter into written agreements with nonemployee service providers
e

e. all of the above

Covered entities include all of the following except
a. hospice programs
b. medical device companies
c. clinical laboratories
d. police departments
e. skilled-nursing facilities

d. police departments

Patients rights under HIPAA include the ability to
a. examine their medical record
b. have a full copy of their medical record
c. complain to the HHS if they believe there is a violation
d. a and c only
e. a, b, and c

e. a, b, and c
ALL

When pt info is requested via a subpoena you must
a. comply and send the entire record immediately
b. provide only the minimum necessary standard even if more is requested in the subpoena
c. provide all PHI that is requested in the subpoena
d. provide PHI

c. provide all PHI that is requested in the subpoena

What is the Privacy Rule and why is it important?

Helps to protect the privacy of the pt and ensure the security and confidentiality of the pt's electronic health info

What is a covered transaction? and give an example.

Certain type of electronic transaction between two covered entities under HIPAA regulations -> Physical therapy, pharmacist, ambulance, labs, private insurers

What are some examples of forms of identity that must be deidentified when health statistics are obtained?

name, telephone, fax, address, MRN, birth certificate, photos, license #, health Ins #, SS #

What are some of the misconceptions about HIPAA?

- MD or hospital can share pt info with family
- privacy law does not apply to law enforcement and firemen
- HIPAA is limited, as in pt does not have to give consent to be on hospital directory (can opt out though)

What are some of the benefits of telemedicine?

- receive healthcare service from MDs abroad
- Dx & Tx pts, radiography studies transmitted
- home bound or rural pts can have access to care from their home

What might be some of the ethical concerns with WLANs?

Info might not be well protected over the WLAN, or there is a possible chance of unknown access

What are some privacy precautions to use when taking care of patients?

- Fax cover sheets must be used
- don't discuss pt info where others can hear
- change passwords frequently
- Install anti-virus and firewalls

Who should pt contact if they wish to register a complaint about a potential privacy violation?

Office of Civil Rights

What does "minimum necessary standard" mean and why is it important?

provide only the necessary info to carry out the request -> this protects pt's privacy

Explain the quote from Justice Brandeis, found in this chapter, relating to our right to privacy

"The most valued privacy right is to be left alone."
- civil rights are taken from the people when privacy rights are violated

Electronic Health Records (EHR)

fully computerized method of record-keeping