43 Cards in this Set
What is HIPAA?
*Health Insurance Portability and Accountability Act
*Became a law August 21, 1996
*Also known as the Kennedy-Kassebaum Act
*Compliance date of April 23, 2003
*Has five titles:
I. Health Care Access, Portability and Renewability
II. Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
III. Tax-related Health Provisions
IV. Application and Enforcement of Group Health Insurance
V. Revenue Offsets

*Titles I and II impact the medical office
Purpose of HIPAA
*standardization of electronic data exchange
*protection and security for patients' health information
*promotion of the use of medical savings accounts
*improved portability of health insurance
*helps to combat waste, fraud and abuse in health care delivery, insurance, and hospitals
*improves access to long-term care services and coverage for patients
*simplifies administration of health insurance benefits
Title I- Insurance Reform
*Ensures insurance access, portability and renewability
*Provides protection for employees and their families
-Increases the ability to get health coverage when starting a new job

*Limits the use of preexisting health conditions
*Allows individuals to carry health coverage after losing or leaving a job
Title II- Administrative Simplification
*covers administrative simplification
*the goal is to reduce administrative cost
*there is a set standard for electronic transactions
*Unique identifier standards; covers the security and privacy rules
Who and How does it affect the Medical Profession?
*Healthcare providers and employees
*Healthcare organizations
*Healthcare clearinghouses-designed for insurance preferences
*Health Insurance Plans
*Self insured employers
*Public health authorities
*Healthcare business associates
Requirements of the Provider
*secure and protect patient records that contain PHI
*PHI-Protected Health Information
*provide patients with the NPP
*NPP-Notice of Privacy Practices, which should be given upon the first visit
*explain how the information is to be used
*how the protected health information is to be used and utilized within the business
*adopt and implement the privacy procedures set by HIPAA
*train employees to understand how HIPAA works and how they are expected to protect the information
*designate a privacy officer: a person within the office who makes sure things are in compliance with HIPAA laws and who is responsible for any problems
Requirements for the Medical Staff
*everything you see, read, and hear is kept confidential
*charts and written documentation need to be kept out of the view of unauthorized individuals
*charts should be out of the view of patients
*information should only be exchanged with authorized personnel
*if unsure who is authorized, check the charts or ask the doctors, office manager or a coworker
*use care when using the phone or talking about a patient
*make sure what is talked about is kept confidential from other individuals
HIPAA Related Organizations
*OIG-Office of the Inspector General-protects the integrity of DHHS; performs audits, investigations and inspections
*OCR-Office for Civil Rights-division of the federal government that enforces privacy standards
*DHHS-Department of Health and Human Services-U.S. agency providing essential human services and protecting the health of individuals
*COBRA-Consolidated Omnibus Budget Reconciliation Act-entity that allows employees and their families to continue their group health benefits that have been lost
HIPAA Terms
*PHI-Protected Health Information-any individually identifiable health information
*IIHI-Individually Identifiable Health Information- information that includes demographic information that relates to:
-past, present or future physical or mental condition
-provision of health care to the individual
-past, present, or future payment for the provision of health care
*NPP-Notice of Privacy Practices-document of the organization's privacy practices
*TPO-Treatment, Payment and Operations-conditions under which an individual's PHI may be used and/or accessed without consent
*PO-Privacy Officer-designated person who ensures compliance with privacy standards
*TPA-Third Party Administrator-organization that processes health claims and other business-related functions of a health plan
*Covered Entity (CE)-a health plan, healthcare clearinghouse or healthcare provider
*Business Associate (BA)-a person or organization that performs a function/activity on behalf of a covered entity
*Authorization-an individual's right to control access to PHI
-TPO
-Law enforcement, government agency, public health organization
-Anyone outside of the above (e.g. spouse, sibling): the patient must give authorization to access the information
*Use-the release of PHI inside of the organization
*Disclosure-the release of PHI outside of the organization
*Incidental Use/Disclosure-use or disclosure of PHI that cannot reasonably be prevented (e.g. ER room)
*Compliant-requirement of an organization to follow HIPAA laws
*Minimum Necessary ("need to know")-employees requiring access to PHI to perform work duties will be given access to only the information that they need
Penalties for Non-Compliance
*Civil Penalties
-Monetary penalty of $100-Offense: a single violation of a provision (there can be multiple violations with a penalty of $100 each, as long as each violation is for a different provision)
-Monetary penalty of $25,000-Offense: multiple violations of an identical requirement or prohibition made during a calendar year

*Criminal Penalties
-Up to $50,000 and up to 1 year-wrongful disclosure of IIHI
-Up to $100,000 and up to 5 years-wrongful disclosure of IIHI committed under false pretenses
-Up to $250,000 and up to 10 years-wrongful disclosure of IIHI committed under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm
Health Insurance Portability
*applies to people who lose their jobs, change their job or become self-employed
*allows continued coverage of benefits for employees and their families
*COBRA makes this possible
Standards for Electronic Transactions
*HIPAA required that health providers and health plans standardize their transactions to one format to improve efficiency and decrease costs
*Types of transactions include:
-Health claims
-Payment and remittance advice
-Coordination of benefits (COB)
-Health claim status
-Enrollment and dis-enrollment in a health plan
-Eligibility for a health plan
-Health plan premium payments
-Referral certifications or authorization
-First report of injury
-Health claim attachments
Standard Code Sets
*Standardization of data is accomplished by using Standard Code Sets
-ICD9-diagnosis
-CPT-procedure or service
-HCPCS-equipment or supplies
-NDC-drugs
Unique Identifiers
*doing business in the medical field involved using multiple numbers
*unique identifiers were developed to make the process more efficient
*EIN-Employer Identification Number; issued by the IRS and used for enrollment in health plans, health claims, eligibility and premium payments
*NPI-National Provider Identifier-managed by CMS
CMS-Centers for Medicare and Medicaid Services
*a 10-digit number that will remain with the physician throughout the life of their practice
*used for administrative and financial transactions
*the numbers do not carry any personal information about the particular provider
*these numbers must be used for billing and health insurance claim forms
*compliance date: May 23, 2007
Privacy Rule
*protects the privacy of all IIHI regardless of form (paper, oral or electronic)
*Set of standard rules that are fair and protect all Americans
*Grants patient rights
*Individuals permitted to use PHI without the patient's authorization:
-Health care professionals involved in the patient's care
-Billing and managed care companies involved in the patient's care
-Other agencies required by law, public health, law enforcement, and government
-TPO-Treatment, Payment and Operations
What Does PHI Include?
*Name
*Address
*Telephone number
*Fax number
*Email address
*Social Security Number
*Medical Record Number
*Health Plan Beneficiary Number
*Account Number
*Certificate/License Number
*Date of: Birth, Admission, Discharge and Death
*Vehicle Identification and Serial Number
*Device Identifiers and Serial Numbers
*URL
*IP Address
*Finger or Voice Prints
*Full-face Photographs
*Any other identifying: Number, Characteristic or Code
Required Activities of the Privacy Rule
*Provide all patients a formal NPP
*Allow patients to determine who will receive disclosure of PHI for other than TPO
*Restrict disclosure of PHI to minimum necessary for TPO
*Protect the use and disclosure of PHI
*Enforce requirements for access to PHI
*Enforce criminal sanctions for improper use of PHI
*Designate a privacy officer
*Implement compliance program
Security Rule
*Protection of health information that is kept or sent electronically(ePHI)
*Ensure the confidentiality, integrity and availability of electronic information that is created, received, maintained or transmitted
*Protect against possible threats or hazards to security
*Protect against anticipated uses or disclosures of electronic information that are not permitted
*Enforce employee compliance
Safeguards
*Administrative
-Develop policies and procedures for day to day operations controlling ePHI
-Designate the responsibility for ePHI security to a Facility Information Security Officer
-Have and enforce contracts with business associates
-Train employees

*Physical
-Workstation use and security
-ePHI data backup and storage
-Requirements to protect electronic information systems

*Technical
-Unique user identification
-Procedures to access ePHI during an emergency
-Audits to ensure safeguards are in place and working
Relationship with State Law
*HIPAA preempts contrary state law
*Three exceptions:
-State laws that prevent Fraud and Abuse
-State laws that address controlled substances
-State laws that are more stringent than HIPAA requirements
-Ensure state insurance or health plan regulation
Privileged Information
*Information related to treatment and progress of patient
*Authorization for Disclosure must be signed by patient
*Can be used for TPO
*Must be protected in any form(written, verbal, electronic)
Non-privileged Information
*Ordinary facts that do not relate to treatment of patient
-Names, city, dates of admission and discharge

*Information must be sensitized against unauthorized disclosure

*Professional judgment is required

*Information is disclosed on a legitimate need-to-know basis (e.g. referring physician)
Exceptions to the Right to Privacy
*Industrial cases(workers comp)
*Communicable diseases
*Child Abuse
*Gunshot wounds or stabbings from a criminal action
*Disease or ailment in newborns or infants
Privacy Rights
*all patients have privacy rights
*everything you read, hear or see will remain confidential
*never discuss patient information with anyone other than the provider, insurance company or an authorized individual
Patients' Bill of Rights
*The right to notice of a facility's privacy practices
*The right to have access to, view, and obtain a copy of their PHI
*The right to restrict certain parts of uses of their PHI
*The right to request that communications from the facility be kept confidential
*The right to request the facility to amend the PHI
*The right to receive notice of all disclosures of their PHI
Right to Notice of Privacy Practices
*NPP
*all patients have the right to receive a copy of the NPP
*patients should sign an acknowledgement that they have received their copy
*the NPP needs to be permanently displayed in the office
*a patient who does not sign should still be seen
*document that the patient was offered a copy but refused to sign
Notice of Privacy Practice
Must include the following:
*How PHI is used and disclosed by the facility
*The duties of the provider to protect health information
*Patients' rights regarding PHI
*How complaints can be filed
*To whom the complaints are filed
*Effective date of NPP
Right to Access PHI
*the maker owns the record
*The patient has the right to access, inspect and obtain a copy of their health Information
*Request must be in writing
*Facility has 30 days to act on the request
*Restrictions apply to psychotherapy notes, information compiled for legal proceedings, a research project still in progress, and an inmate of a correctional facility where the information could endanger others
Right to Request Restrictions
*patients have a right to request restrictions
*they can restrict what information is disclosed and to whom
*an appeal process should be in place if the provider does not agree with the restriction
Right to Request Confidential Communications
*Patient has the right to restrict how they will receive communications from the provider/facility
-Cell phone, email, work phone, mail

*Providers must accommodate reasonable requests
*Documentation should be made in the patient's chart as a reminder of how to contact the patient
Right to Request Amendment
*A patient can request a change in their medical record
*It must be in writing
*Only the creator of the information can make the change
*The request must be denied or completed within 60 days
*If denied, documentation of the denial must be provided to the patient
Right to Receive an Account of Disclosures
*a copy of the non-routine disclosures of their information that have been made to other entities
*records need to be kept in the patient's chart
*entitled to 1 free copy a year
*provider can charge for additional copies
Authorizations
*An authorization allows use and disclosure of PHI for purposes other than TPO
*Must be written in plain language
*Specific description of the information to be disclosed
*Name of the person authorized to make the requested use or disclosure
*Name of the person to whom the covered entity may make the requested use or disclosure
*Description of purpose-"at the request of the individual"
*Expiration date
*Statement of the individual's right to revoke
*Statement that information used or disclosed is no longer protected
*Signature of authorizing individual and date
Defective Authorizations
*the expiration date has passed
-if it has passed, a new authorization needs to be signed
*it has not been filled out completely
-an incomplete form leaves it wide open for all types of problems
*it is known to have been revoked
-if information has been passed on after the authorization was revoked, you are in breach of confidentiality
*false information can make an authorization defective
Minor's Health Record
*Allows parents to see the child's medical record as long as it is not inconsistent with state law
*The parent is generally referred to as the minor's personal representative under the Privacy Rule
*Exclusions:
-If state law does not require the consent of the parent/personal representative to obtain a particular form of treatment (HIV testing, contraceptive devices, mental health services)
-Minor is emancipated
-Parent agrees the minor can have a confidential relationship
-If a provider has a "reasonable belief" that a child has been, or may be, subject to abuse or neglect, and providing information to a parent/personal representative could endanger the minor
-If a court or other law authorizes someone other than the parent to make treatment decisions for a minor, that authorized person controls the information associated with that treatment
Family and friends
*patients may give the provider permission to share information with family and friends
*this is presented on the first visit
*only information that is directly relevant to the patient's care
*the provider can share a relevant amount of information if, based on professional judgment, they conclude the patient is not going to object
*a patient's request regarding the sharing of information must be honored
Incidental Use and Disclosure
*An incidental disclosure of confidential information is not considered a violation, provided that the entity has met the safeguards and minimum necessary requirements

*Examples of incidental disclosure:
-Waiting room sign in sheets
-Semiprivate rooms
-Emergency departments
-Providers talking at nurse's station
-Lab courier seeing information on a specimen container
Safeguard Requirements
*Do not leave patient specific information easily accessible(turn charts over, papers face down, use of cover sheets)
*Limit access to areas where PHI is easily visible
*Close doors/windows to keep conversations private
*Lower voice when speaking in semiprivate areas
*Don't allow phone conversations to be overheard
*Turn computer monitors out of view of unauthorized individuals
Minimum Necessary Standards
*use whatever it takes, but just enough, to get the job done
*applies to requests for information, whether by authorization or by referral from a physician
*give only the information requested
*If there is a request for the entire record, make a judgment call about what is needed
*If a patient is changing physicians, the entire record is needed
Have a Complaint?
*Who can file?
-Anyone who believes that an entity has not complied with HIPAA laws

*Time frame for filing?
-Within 180 days of the person filing the complaint becoming aware of the HIPAA violation

*Who can be penalized?
-Employees and other members of its workforce
-Business associates
Criteria for a Complaint
*Complaints must have the following information:
*Filed in writing (paper or electronic)
*Name the entity that is subject to the complaint
*Describe the acts or omissions believed to be in violation
*Filed within 180 days of becoming aware of the violation

File with:
1. The facility's Privacy Officer (PO); if not resolved, go to
2. Office manager or physician; if not resolved, go to
3. Office for Civil Rights (OCR)
Maintaining Privacy
*Use private areas to discuss PHI
*Lower your voice when talking with or about patients in non-private areas where it could be overheard (hallways, cafeteria, elevator)
*When releasing PHI on the phone, verify the caller
*Do not access the PHI of family, friends or other individuals out of curiosity
*Turn computer monitors so they cannot be viewed by unauthorized personnel
*Do not put patient information on a hard drive where unauthorized persons could retrieve it
*Log off of your computer when you are away from your workstation
*Keep your password private
*Do not leave messages concerning a patient's condition on answering machines
Reminder
*What I see here.
*What I hear here
*When I leave here
*Will remain here