43 Cards in this Set
What is HIPAA?
* Health Insurance Portability and Accountability Act
* Became a law August 21, 1996
* Also known as the Kennedy-Kassebaum Act
* Compliance date of April 23, 2003
* Has five titles:
  - I. Health Care Access, Portability and Renewability
  - II. Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
  - III. Tax-related Health Provisions
  - IV. Application and Enforcement of Group Health Insurance
  - V. Revenue Offsets
* Titles I and II impact the medical office

Purpose of HIPAA
* Standardization of electronic data exchange
* Protection and security for patients' health information
* Promotes the use of medical savings accounts
* Improves the portability of health insurance
* Helps to combat waste, fraud and abuse in health care delivery, insurance, and hospitals
* Improves access to long-term care services and coverage for patients
* Simplifies administration of health insurance benefits

Title I- Insurance Reform
* Ensures insurance access, portability and renewability
* Provides protection for employees and their families
  - Increases the ability to get health coverage when starting a new job
* Limits the use of preexisting health conditions
* Allows individuals to carry health coverage after losing or leaving a job

Title II- Administrative Simplification
* Covers administrative simplification
* The goal is to reduce administrative cost
* Sets standards for electronic transactions
* Unique identifier standards
* Security and privacy rules

Who and How Does It Affect the Medical Profession?
* Healthcare providers and employees
* Healthcare organizations
* Healthcare clearinghouses (designed for insurance preferences)
* Health insurance plans
* Self-insured employers
* Public health authorities
* Healthcare business associates

Requirements of the Provider
* Secure and protect patient records that contain PHI (Protected Health Information)
* Provide patients with an NPP (Notice of Privacy Practices), which should be given upon the first visit
* Explain how the information is to be used, and how protected health information is used and utilized within the business
* Adopt and implement the privacy procedures that have been set by HIPAA
* Train employees to understand how HIPAA works and how they are designated to protect the information
* Designate a privacy officer: a person within the office who helps make sure things are in compliance with HIPAA laws and who is responsible for any problems

Requirements for the Medical Staff
* Everything you see, read, and hear is kept confidential
* Charts and written documentation need to be kept out of the view of unauthorized individuals
* Charts should be out of the view of patients
* Information should only be exchanged with authorized personnel
* If unsure who is authorized, check charts or ask the doctors, office manager or a coworker
* Use care when using the phone or talking about a patient
* Make sure what is talked about is kept confidential from other individuals

HIPAA Related Organizations
* OIG - Office of the Inspector General: protects the integrity of DHHS; performs audits, investigations and inspections
* OCR - Office for Civil Rights: division of the federal government that enforces privacy standards
* DHHS - Department of Health and Human Services: U.S. agency providing essential human services and protecting the health of individuals
* COBRA - Consolidated Omnibus Budget Reconciliation Act: allows employees and their families to continue group health benefits that have been lost

HIPAA Terms
* PHI - Protected Health Information: any individually identifiable health information
* IIHI - Individually Identifiable Health Information: information, including demographic information, that relates to:
  - past, present or future physical or mental condition
  - provision of health care to the individual
  - past, present, or future payment for the provision of health care
* NPP - Notice of Privacy Practices: document of the organization's privacy practices
* TPO - Treatment, Payment and Operations: conditions under which an individual's PHI may be used and/or accessed without consent
* PO - Privacy Officer: designated person who ensures compliance with privacy standards
* TPA - Third Party Administrator: organization that processes health claims and other business-related functions of a health plan
* Covered Entity (CE): a health plan, healthcare clearinghouse or healthcare provider
* Business Associate (BA): a person or organization that performs a function/activity on behalf of a covered entity
* Authorization: an individual's right to access PHI
  - TPO
  - Law enforcement, government agency, public health organization
  - Anyone outside of the above (i.e. spouse, sibling): the patient must give authorization to access information
* Use: the release of PHI inside the organization
* Disclosure: the release of PHI outside the organization
* Incidental Use/Disclosure: use or disclosure of PHI that cannot reasonably be prevented (i.e. ER room)
* Compliant: requirement of an organization to follow HIPAA laws
* Minimum Necessary ("need to know"): employees requiring access to PHI to perform work duties will be given access to only the information that they need

Penalties for Non-Compliance
* Civil Penalties
  - Monetary penalty of $100: single violation of a provision (can be multiple violations with a penalty of $100 each, as long as each violation is for a different provision)
  - Monetary penalty of $25,000: multiple violations of an identical requirement or prohibition made during a calendar year
* Criminal Penalties
  - Up to $50,000 and up to 1 year: wrongful disclosure of IIHI
  - Up to $100,000 and up to 5 years: wrongful disclosure of IIHI committed under false pretenses
  - Up to $250,000 and up to 10 years: wrongful disclosure of IIHI committed under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm

Health Insurance Portability
* For people who lose their jobs, change jobs or become self-employed
* Allows for continued coverage of benefits for employees and their families
* COBRA allows this to happen

Standards for Electronic Transactions
* HIPAA requires that health providers and health plans standardize their transactions to one format to improve efficiency and decrease costs
* Types of transactions include:
  - Health claims
  - Payment and remittance advice
  - Coordination of benefits (COB)
  - Health claim status
  - Enrollment and dis-enrollment in a health plan
  - Eligibility for a health plan
  - Health plan premium payments
  - Referral certifications or authorization
  - First report of injury
  - Health claim attachments

Standard Code Sets
* Standardization of data is accomplished by using standard code sets
  - ICD-9: diagnosis
  - CPT: procedure or service
  - HCPCS: equipment or supplies
  - NDC: drugs

Unique Identifiers
* Doing business in the medical field previously required using multiple numbers; unique identifiers were developed to make the process more efficient
* EIN - Employer Identification Number: issued by the IRS and used for enrollment in health plans, health claims, eligibility and premium payments
* NPI - National Provider Identifier: managed by CMS (Centers for Medicare and Medicaid Services)
  - A 10-digit number that will remain with the physician throughout the life of their practice
  - Used for administrative and financial transactions
  - The numbers do not carry any personal information about the particular provider
  - These numbers must be used for billing and on health insurance claim forms
  - Compliance date: May 23, 2007

Privacy Rule
* Protects the privacy of all IIHI regardless of form (paper, oral or electronic)
* Set of standard rules that are fair and protect all Americans
* Allows patient rights
* Individuals authorized to use PHI without authorization:
  - Health care professionals involved in the patient's care
  - Billing and managed care companies involved in the patient's care
  - Other agencies required by law, public health, law enforcement, and government
  - TPO - Treatment, Payment and Operations

What Does PHI Include?
* Name
* Address
* Telephone number
* Fax number
* Email address
* Social Security Number
* Medical Record Number
* Health Plan Beneficiary Number
* Account Number
* Certificate/License Number
* Dates of: birth, admission, discharge and death
* Vehicle identification and serial number
* Device identifiers and serial numbers
* URL
* IP address
* Finger or voice prints
* Full-face photographs
* Any other identifying number, characteristic or code

Required Activities of the Privacy Rule
* Provide all patients a formal NPP
* Allow patients to determine who will receive disclosure of PHI for purposes other than TPO
* Restrict disclosure of PHI to the minimum necessary for TPO
* Protect use and disclosure of PHI
* Enforce requirements for access to PHI
* Enforce criminal sanctions for improper use of PHI
* Designate a privacy officer
* Implement a compliance program

Security Rule
* Protection of health information that is kept or sent electronically (ePHI)
* Ensure the confidentiality, integrity and availability of electronic information that is created, received, maintained or transmitted
* Protect against possible threats or hazards to security
* Protect against anticipated uses or disclosures of electronic information that are not permitted
* Enforce employee compliance

Safeguards
* Administrative
  - Develop policies and procedures for day-to-day operations controlling ePHI
  - Designate the responsibility for ePHI security to a Facility Information Security Officer
  - Have and enforce contracts with business associates
  - Train employees
* Physical
  - Workstation use and security
  - ePHI data backup and storage
  - Requirements to protect electronic information systems
* Technical
  - Unique user identification
  - Procedures to access ePHI during an emergency
  - Audits to ensure safeguards are in place and working

Relationship with State Law
* HIPAA preempts contrary state law
* Three exceptions:
  - State laws that prevent fraud and abuse
  - State laws that address controlled substances
  - State laws that are more stringent than HIPAA requirements
  - Ensure state insurance or health plan regulation

Privileged Information
* Information related to treatment and progress of a patient
* Authorization for disclosure must be signed by the patient
* Can be used for TPO
* Must be protected in any form (written, verbal, electronic)

Non-privileged Information
* Ordinary facts that do not relate to treatment of the patient
  - Names, city, dates of admission and discharge
* Information must still be safeguarded against unauthorized disclosure
* Professional judgment is required
* Information is disclosed on a legitimate need-to-know basis (i.e. referring physician)

Exceptions to the Right to Privacy
* Industrial cases (workers' comp)
* Communicable diseases
* Child abuse
* Gunshot wounds or stabbings from a criminal action
* Disease or ailment of newborns or infants

Privacy Rights
* All patients have privacy rights
* Everything you read, hear or see will remain confidential
* Never discuss patient information with anyone other than the provider, insurance company or an authorized individual

Patients' Bill of Rights
* The right to notice of a facility's privacy practices
* The right to have access to, view, and obtain a copy of their PHI
* The right to restrict certain uses of their PHI
* The right to request that communications from the facility be kept confidential
* The right to request that the facility amend the PHI
* The right to receive notice of all disclosures of their PHI

Right to Notice of Privacy Practices
* NPP
* All patients have the right to receive a copy of the NPP
* Patients should sign an acknowledgement that they have received their copy
* The NPP needs to be permanently displayed in the office
* A patient not signing does not mean they shouldn't be seen
* Document that the patient was offered the NPP but refused to sign

Notice of Privacy Practice
Must include the following:
* How PHI is used and disclosed by the facility
* The duties of the provider to protect health information
* Patients' rights regarding PHI
* How complaints can be filed
* To whom complaints are filed
* Effective date of the NPP

Right to Access PHI
* The maker owns the record
* The patient has the right to access, inspect and obtain a copy of their health information
* Request must be in writing
* Facility has 30 days to act on the request
* Restrictions: psychotherapy notes, information compiled for legal proceedings, a research project still in progress, or an inmate of a correctional facility where the information could endanger others

Right to Request Restrictions
* Patients have a right to request restrictions
* They can restrict what information is disclosed and to whom
* A process should be in place for when the provider does not agree with the restriction

Right to Request Confidential Communications
* Patient has the right to restrict how they will receive communications from the provider/facility
  - Cell phone, email, work phone, mail
* Providers must accommodate reasonable requests
* Documentation should be made in the patient's chart as a reminder of how to contact the patient

Right to Request Amendment
* A patient can request a change in their medical record
* It must be in writing
* Only the creator of the information can make the change
* The request must be denied or completed within 60 days
* If denied, documentation must be submitted to the patient

Right to Receive an Account of Disclosures
* A copy of non-routine disclosures of information that has been disclosed to other entities
* Records need to be kept in the patient's chart
* Patient is entitled to 1 free copy a year
* Provider can charge for additional copies

Authorizations
* An authorization allows use and disclosure of PHI for purposes other than TPO
* Must be written in plain language
* Specific description of information to be disclosed
* Name of person authorized to make the requested use or disclosure
* Name of whom the covered entity may make the requested use or disclosure to
* Description of purpose ("at the request of the individual")
* Expiration date
* Statement of the individual's right to revoke
* Statement that information used or disclosed is no longer protected
* Signature of the authorizing individual and date

Defective Authorizations
* The expiration date has passed
  - If it has passed, a new authorization needs to be signed
* It has not been filled out completely
  - An incomplete form leaves it wide open for all types of problems
* It is known to have been revoked
  - If information has been passed on after it has been revoked, you're in breach of that confidentiality
* Information that is false can make an authorization defective

Minor's Health Record
* Allows parents to see a child's medical record as long as it is not inconsistent with state law
* The parent is generally referred to as the minor's representative under the Privacy Rule
* Exclusions:
  - If state law does not require the consent of the parent/personal representative to obtain a particular form of treatment (HIV testing, contraceptive devices, mental health services)
  - Minor is emancipated
  - Parent agrees the minor can have a confidential relationship
  - If a provider has a "reasonable belief" that a child has been, or may be, subject to abuse or neglect, and providing information to a parent/personal representative could endanger the minor
  - A court or other law authorizes someone other than the parent to make treatment decisions for a minor; that authorized person controls the information associated with the controlled treatment

Family and Friends
* Patients can give the provider permission to share information with individuals
* This is presented upon the first visit
* Information shared must be directly relevant to the patient's care
* The provider can share a relevant amount of information if they conclude, based on professional judgment, that the patient would not object
* A patient's request regarding the information must be honored if it is shared

Incidental Use and Disclosure
* An incidental disclosure of confidential information is not considered a violation, provided that the entity has met the safeguards and minimum necessary requirements
* Examples of incidental disclosure:
  - Waiting room sign-in sheets
  - Semiprivate rooms
  - Emergency departments
  - Providers talking at the nurse's station
  - Lab courier seeing information on a specimen container

Safeguard Requirements
* Do not leave patient-specific information easily accessible (turn charts over, papers face down, use cover sheets)
* Limit access to areas where PHI is easily visible
* Close doors/windows to keep conversations private
* Lower your voice when speaking in semiprivate areas
* Don't allow phone conversations to be overheard
* Turn computer monitors out of view of unauthorized individuals

Minimum Necessary Standards
* Whatever it takes, but just enough to get the job done
* Applies to requests for information, whether through an authorization or a referral from a physician
* Give only the information requested
* If there is a request for the entire record, make a judgment call as to what the need is
* If the patient is changing physicians, there is a need for the entire record

Have a Complaint?
* Who can file?
  - Anyone who believes that an entity has not complied with HIPAA laws
* Time frame for filing?
  - 180 days from when the person filing the complaint became aware of the HIPAA violation
* Who can be penalized?
  - Employees and other members of the entity's workforce
  - Business associates

Criteria for a Complaint
* Complaints must have the following information:
  - Filed in writing (paper or electronic)
  - Name the entity that is subject to the complaint
  - Describe the acts or omissions believed to be in violation
  - File within 180 days of the complaint
* File with:
  1. The facility's Privacy Officer (PO); if not resolved, go to
  2. Office manager or physician; if not resolved, go to
  3. Office for Civil Rights (OCR)

Maintaining Privacy
* Use private areas to discuss PHI
* Lower your voice when talking with or about patients in non-private areas where it could be overheard (hallways, cafeteria, elevator)
* When releasing PHI on the phone, verify the caller
* Do not access the PHI of family, friends or other individuals out of curiosity
* Turn computer monitors so they cannot be viewed by unauthorized personnel
* Do not put patient information on the hard drive where unauthorized persons could retrieve it
* Log off of your computer when you are away from your workstation
* Keep your password private
* Do not leave messages concerning a patient's condition on answering machines

Reminder
* What I see here,
* What I hear here,
* When I leave here,
* Will remain here.