43 Cards in this Set
What is HIPAA?
*Health Insurance Portability and Accountability Act
*Became a law August 21, 1996
*Also known as the Kennedy-Kassebaum Act
*Compliance date of April 23, 2003
*Has five titles:
I. Health Care access, Portability and Renewability
II. Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
III. Tax-related Health Provisions
IV. Application and Enforcement of Group Health Insurance
V. Revenue Offsets

*Titles I and II impact the medical office
Purpose of HIPAA
*standardization of electronic data in an exchange
*protection and security for patients' health information
*promotes the use of medical savings accounts
*improves the portability of health insurance
*helps to combat waste, fraud and abuse in health care delivery, insurance, and hospitals
*improves access to long-term care services and coverage for patients
*simplifies administration of health insurance benefits
Title I- Insurance Reform
*Ensures insurance access, portability and renewability
*Provide protection for employees and their families
-Increases the ability to get health coverage when starting a new job

*Limits the use of preexisting health conditions
*Allows individuals to carry health coverage after losing or leaving a job
Title II- Administrative Simplification
*covers administrative simplification
*the goal is to reduce the administrative cost
*there's a set standard for electronic transactions
*Unique identifier standards; covers the security and privacy rules
Who and How does it affect the Medical Profession?
*Healthcare providers and employees
*Healthcare organizations
*Healthcare clearinghouses-designed for insurance preferences
*Health Insurance Plans
*Self insured employers
*Public health authorities
*Healthcare business associates
Requirements of the Provider
*secure and protect patient records that contain PHI
*PHI-Protected Health Information
*provide patients with MPP
*MPP-notice of privacy practice that should be given upon first visit
*explain how the information is to be used
*how the protected health information is to be used and utilized within the business
*adopt and implement privacy procedures that have been set by HIPAA
*train employees to understand how HIPAA works and how they are designated to protect the information
*designate a privacy officer-a person within the office who helps to make sure things are in compliance with HIPAA laws and who is responsible for any problems
Requirements for the Medical Staff
*include everything you see, read, and hear is kept confidential
*charts and written documentation need to be kept out of the view of unauthorized individuals
*charts should be out of the view of patients
*information should only be exchanged with authorized personnel only
*if unsure who is authorized check charts or ask the doctors, office manager or coworker
*use care when using the phone or talking about a patient
*make sure what is talked about is kept confidential from unauthorized individuals
HIPAA Related Organizations
*OIG-Office of the Inspector General-protects the integrity of DHHS; performs audits, investigations and inspections
*OCR-Office for Civil Rights-division of the federal government that enforces privacy standards
*DHHS-Department of Health and Human Services-U.S. agency providing essential human services and protecting the health of individuals
*COBRA-Consolidated Omnibus Budget Reconciliation Act-entity that allows employees and their families to continue their group health benefits that have been lost
*PHI-Protected Health Information-any individually identifiable health information
*IIHI-Individually Identifiable Health Information- information that includes demographic information that relates to:
-past, present or future physical or mental condition
-provision of health care to the individual
-past, present, or future payment for the provision of health care
*NPP-Notice of Privacy Practices-document of the organizations privacy practices
*TPO-Treatment, Payments and Operations-condition under which an individual's PHI may be used and/or accessed without consent
*PO-Privacy Officer-designated person who ensures compliance with privacy standards
*TPA-Third Party Administrator-organization that processes health claims and other business related functions of a health plan
*Covered Entity(CE)-a health plan, healthcare clearinghouse or healthcare provider
*Business Associate(BA)-a person or organization that performs a function/activity on behalf of a covered entity
*Authorization-individual's right to access PHI
-Law enforcement, government agency, public health organization
-Anyone outside of the above (i.e. spouse, sibling): the patient must give authorization to access information
*Use-the release of PHI inside of the organization
*Disclosure-the release of PHI outside of the organization
*Incidental Use/Disclosure-use or disclosure of PHI that cannot reasonably be prevented (i.e. ER room)
*Compliant-requirement of an organization to follow HIPAA laws
*Minimum Necessary-("need to know") employees requiring access to PHI to perform work duties will be given access to only the information that they need
Penalties for Non-Compliance
*Civil Penalties
-Monetary Penalty($100)-Offenses-Single violation of a provision (can be multiple violations with penalty of $100 each as long as each violation is for a different provision)
-Monetary Penalty-$25,000-Offenses-Multiple violations of an identical requirement or prohibition made during a calendar year

*Criminal Penalties
-Up to $50,000-up to 1 year-wrongful disclosure of IIHI
-Up to $100,000-up to 5 years-wrongful disclosure of IIHI committed under false pretenses
-up to $250,000-up to 10 years-wrongful disclosure of IIHI committed under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm
Health Insurance Portability
*people who lose their jobs, change their job or become self employed
*allows for continued coverage of benefits for employees and their families
*COBRA allows it to happen
Standards for Electronic Transactions
*HIPAA required that health providers and health plans standardize their transactions to one format to improve efficiency and decrease costs
*Types of transactions include:
-Health claims
-Payment and remittance advice
-Coordination of benefits(COB)
-Health claim status
-Enrollment and disenrollment in a health plan
-Eligibility of a health plan
-Health plan premium payments
-Referral certifications or authorization
-First report of injury
-Health claim attachments
Standard Code Sets
*Standardization of data is accomplished by using Standard Code Sets
-CPT-procedure or service
-HCPCS-equipment or supplies
Unique Identifiers
*are used for doing business in the medical field using multiple numbers
*were developed to make the process a little more efficient
*EIN-Employer Identification Number; issued by the IRS and used for enrollment in health plans, health claims, eligibility and premium payments
*NPI-National Provider Identifier-managed by CMS
CMS-Center for Medicaid/Medicare Services
*a 10-digit number that will remain with the physician throughout the life of their practice
*used for administrative and financial transactions
*the numbers do not carry any personal information about the particular provider
*these numbers must be used for billing and health insurance claim forms
*compliance date: May 23, 2007
Privacy Rule
*to protect the privacy of all IIHI regardless of form (paper, oral or electronic)
*Set of standard rules that are fair and protect all Americans
*Allow patient rights
*Individuals authorized to use PHI without authorization:
-Health care professionals involved in the patient's care
-Billing and managed care companies involved in the patient's care
-Other agencies required by law, public health, law enforcement, and government
-TPO-Treatment, Payment and Operations
What Does PHI Include?
*Telephone number
*Fax number
*Email address
*Social Security Number
*Medical Record Number
*Health Plan Beneficiary Number
*Account Number
*Certificate/License Number
*Date of: Birth, Admission, Discharge and Death
*Vehicle Identification and Serial Number
*Device Identifiers and Serial Numbers
*IP Address
*Finger or Voice Prints
*Full-face Photographs
*Any other identifying: Number, Characteristic or Code
Required Activities of the Privacy Rule
*Provide all patients a formal NPP
*Allow patients to determine who will receive disclosure of PHI for other than TPO
*Restrict disclosure of PHI to minimum necessary for TPO
*Protect use and disclosure PHI
*Enforce requirements to access of PHI
*Enforce criminal sanctions for improper use of PHI
*Designate a privacy officer
*Implement compliance program
Security Rule
*Protection of health information that is kept or sent electronically (ePHI)
*Ensure the confidentiality, integrity and availability of electronic information that is created, received, maintained or transmitted
*Protect against possible threats or hazards to security
*Protect against anticipated use or disclosure of electronic information that is not permitted
*Enforce employee compliancy
-Develop policies and procedures for day to day operations controlling ePHI
-Designate the responsibility for ePHI security to a Facility Information Security Officer
-Have and enforce contracts with business associates
-Train employees
-Workstation use and security
-ePHI data backup and storage
-Requirements to protect electronic information systems
-Unique user identification
-Procedures to access ePHI during an emergency
-Audits to ensure safeguards are in place and working
Relationship with State Law
*HIPAA preempts contrary state law
*Three exceptions:
-State laws that prevent Fraud and Abuse
-State laws that address controlled substances
-State laws that are more stringent than HIPAA requirements
-Ensure state insurance or health plan regulation
Privileged Information
*Information related to treatment and progress of patient
*Authorization for Disclosure must be signed by patient
*Can be used for TPO
*Must be protected in any form (written, verbal, electronic)
Non-privileged Information
*Ordinary facts that do not relate to treatment of patient
-Names, city, dates of admission and discharge

*Information must be sensitized against unauthorized disclosure

*Professional judgment is required

*Information is disclosed on a legitimate need-to-know basis (i.e. Referring Physician)
Exception of Right to Privacy
*Industrial cases(workers comp)
*Communicable diseases
*Child Abuse
*Gunshot wounds or stabbings from a criminal action
*Disease or ailment of newborns or infants
Privacy Rights
*all patients have
*everything you read, hear or see will remain confidential
*never discuss patient information with anyone other than the provider, insurance company or authorized individual
Patients Bill of Rights
*The right to notice of a facility's privacy practices
*The right to have access to, view, and obtain a copy of their PHI
*The right to restrict certain parts of uses of their PHI
*The right to request that communications from the facility be kept confidential
*The right to request the facility to amend the PHI
*The right to receive notice of all disclosures of their PHI
Right to Notice of Privacy Practices
*all patients have the right to receive copies of their NPP
*patients should sign an acknowledgement that they have received their copy
*needs to be permanently displayed in the office
*a patient not signing does not mean they shouldn't be seen
*document that the patient was offered but refused to sign
Notice of Privacy Practice
Must include the following:
*How PHI is used and disclosed by the facility
*The duties of the provider to protect health information
*Patients rights regarding PHI
*How complaints can be filed
*To whom the complaints are filed
*Effective date of NPP
Right to Access PHI
*the maker owns the record
*The patient has the right to access, inspect and obtain a copy of their health Information
*Request must be in writing
*Facility has 30 days to act on the request
*Restrictions: psychotherapy notes, information compiled for legal proceedings, a research project still in progress, or an inmate of a correctional facility where the information could endanger others
Right to Request Restrictions
*patients have a right to request restrictions
*they can restrict on what and whom information is disclosed
*an appeal process should be in place if the provider does not agree with the restriction
Right to Request Confidential Communications
*Patient has the right to restrict how they will receive communications from the provider/facility
-Cell phone, email, work phone, mail

*Providers must accommodate reasonable requests
*Documentation should be made in the patient's chart as a reminder of how to contact the patient
Right to Request Amendment
*A patient can request a change in their medical record
*It must be in writing
*Only the creator of the information can make the change
*The request must be denied or completed within 60 days
*If denied documentation must be submitted to the patient
Right to Receive an Account of Disclosures
*a copy of non-routine disclosures of information that has been disclosed to other entities
*records need to be kept in the patient's chart
*entitled to 1 free copy a year
*provider can charge for additional copies
*An authorization allows use and disclosure of PHI for uses other than TPO
*Must be written in plain language
*Specific description of information to be disclosed
*Name of person authorized to make the requested use or disclosure
*Name of whom the covered entity may make the requested use or disclosure
*Description of purpose-"at the request of the individual"
*Expiration Date
*Statement of the individual's right to revoke
*Statement of information used or disclosed is no longer protected
*Signature of authorizing individual and date
Defective Authorizations
*expiration date has passed
*if it has passed it needs a new authorization signed
*if it hasn't been filled out completely
*an incomplete form leaves it wide open for all types of problems
*if it is known to have been revoked
*If information has been passed on after it has been revoked, you're in breach of confidentiality
*information that is false can make an authorization defective
Minor's Health Record
*Allows parents to see a child's medical record as long as it is not inconsistent with state law
*The parent is generally referred to as the minor's representative under the Privacy Rule
*Exclusions:
-If the state law does not require the consent of the parent/personal representative to obtain a particular form of treatment (HIV testing, contraceptive devices, mental health services)
-Minor is emancipated
-Parent agrees the minor can have a confidential relationship
-If a provider has a "reasonable belief" that a child has been, or may be, subject to abuse or neglect, and providing information to a parent/personal representative could endanger the minor
-A court or other law authorizes someone other than the parent to make treatment decisions for a minor, that authorized person controls the information associated with the controlled treatment
Family and friends
*allows the patient to give permission for the provider to share information with individuals
*presented upon 1st visit
*information that will be directly relevant to the patient's care
*provider can share a relevant amount of information based on a judgement that the patient is not going to object
*a request of the information must be honored if shared
Incidental Use and Disclosure
*An incidental disclosure of confidential information is not considered a violation, provided that the entity has met the safeguards and minimum necessary requirements

*Examples of incidental disclosure:
-Waiting room sign in sheets
-Semiprivate rooms
-Emergency departments
-Providers talking at nurse's station
-Lab courier seeing information on a specimen container
Safeguard Requirements
*Do not leave patient specific information easily accessible(turn charts over, papers face down, use of cover sheets)
*Limit access to areas where PHI is easily visible
*Close doors/windows to keep conversations private
*Lower voice when speaking in semiprivate areas
*Don't allow phone conversations to be overheard
*Turn computer monitors out of view of unauthorized individuals
Minimum Necessary Standards
*whatever it takes but just enough to get a job done
*requests for information, whether by authorization or referral from a physician
*give only the information requested
*If there is a request for the entire record, make a judgment call as to what the need is
*If a patient is changing physicians there is a need for the entire record
Have a Complaint?
*Who can file?
-Anyone who believes that an entity has not complied with HIPAA laws

*Time frame for filing?
-180 days from when the person filing the complaint became aware of the HIPAA violation

*Who can be penalized?
-Employees and other members of its workforce
-Business associates
Criteria for a Complaint
*Complaints must have the following information
*Filed in writing (paper or electronic)
*Name the entity that is subject to the complaint
*Describe the acts or omissions believed to be in violation
*File within 180 days of the complaint

File with:
1. The facility's Privacy Officer (PO), if not resolved to
2. Office manager or Physician, if not resolved to
3. Office for Civil Rights(OCR)
Maintaining Privacy
*Use private areas to discuss PHI
*Lower your voice when talking with or about patients in non-private areas where it could be overheard(hallways, cafeteria, elevator)
*When releasing PHI on the phone verify caller
*Do not access PHI of family, friends or other individuals out of curiosity
*Turn computer monitors so they cannot be viewed by unauthorized personnel
*Do not put patient information on the hard drive where unauthorized persons could retrieve
*Log off of your computer when you are away from your workstation
*Keep your password private
*Do not leave messages concerning a patient's condition on answering machines
*What I see here.
*What I hear here
*When I leave here
*Will remain here