Health & Safety: Comprehensive Study Set

What Refers To Information Shared Within An Organization Hipaa


Community-sourced. Answers may be wrong or out of date. Always verify with your official training portal before submitting. Not affiliated with any branch, agency, or vendor.
QUESTION 1

Covered Entity

ANSWER

Health plans, healthcare clearinghouses, and healthcare providers who electronically transmit information under standards of operation established by HHS.

QUESTION 2

HIPAA

ANSWER

Health Insurance Portability and Accountability Act; created to improve continuity of health insurance coverage and the administration of health care services.

QUESTION 3

HIPAA's Privacy Rule

ANSWER

Protects patients' information so it is available to those who need to see it, while protecting it from those who should not.

QUESTION 4

Covered entities

ANSWER

Organizations that access the personal health information of patients. They include health care providers, health plans, and health care clearinghouses.

QUESTION 5

Health care provider

ANSWER

Any professional who provides health care services

QUESTION 6

Workforce

ANSWER

As defined in the HIPAA law, includes everyone involved with a covered entity, whether or not they are full time and whether or not they get paid: an employee within a covered entity, or any member of a service contracted with a facility that does not make use of PHI (e.g. laundry, cleaning services, etc.).

QUESTION 7

Individually identifiable health information (IIHI)

ANSWER

Health care data that can be connected to a specific person

QUESTION 8

Protected health information (PHI)

ANSWER

Any identifiable patient health information regardless of the form in which it is stored

QUESTION 9

Use

ANSWER

As defined by HIPAA, the sharing of information between people working in the same health care facility for the purpose of caring for a patient. With respect to individually identifiable health information, "use" means the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

QUESTION 10

Disclosure

ANSWER

As defined by HIPAA, the sharing of information between health care professionals working in separate entities or facilities in the course of caring for a patient.

QUESTION 11

Incidental use and disclosure

ANSWER

The accidental release of PHI during the course of proper patient care

QUESTION 12

Minimum necessary

ANSWER

Reveal only the smallest amount of information required to accomplish the task and no more. When using any PHI, a covered entity must generally make reasonable efforts to limit itself to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

QUESTION 13

portability

ANSWER

protects and guarantees health insurance coverage when an employee changes jobs

QUESTION 14

accountability

ANSWER

protects health data integrity, confidentiality, and availability

QUESTION 15

privacy

ANSWER

the right of an individual to keep his/her individual health information from being disclosed

QUESTION 16

disclose

ANSWER

release or divulgence of information by an entity to persons or organizations outside of that entity

QUESTION 17

authorization

ANSWER

the mechanism for obtaining consent from a patient for the use and disclosure of health information for a purpose that is not treatment, payment, or healthcare operations; required to disclose PHI to a person or agency outside the facility

QUESTION 18

PHI (protected health information)

ANSWER

all individually identifiable health information and other information on treatment and care that is transmitted or maintained in any form or medium

QUESTION 19

60

ANSWER

requests for access to PHI by consumers must be responded to by the facility within __ days

QUESTION 20

6 years; April 14, 2003

ANSWER

accounting of disclosures: time frame: ______; clock starts: ____________

QUESTION 21

security

ANSWER

how we protect PHI from accidental or intentional disclosure, alteration, destruction, or loss

QUESTION 22

What is HIPAA?

ANSWER

Health Insurance Portability and Accountability Act. 1. HIPAA makes it illegal for information to be released to inappropriate parties; 2. intended to make it easier for patients to move from one insurance plan to another; 3. establishes a standard format for health care organizations to share medical information.

QUESTION 23

Patient Rights

ANSWER

1. HIPAA requires that patients be made aware of their rights and how to protect their information; 2. health care providers are required to post notices for patients telling them how their health care information is used.

QUESTION 24

Protected H Info

ANSWER

Protected Health Information. 1. PHI includes information about a person's physical health, mental health, provided care, and payment for that care; 2. all PHI is considered confidential under HIPAA, such as name, address, Social Security number, birth date, and names of relatives.

QUESTION 25

Violations and Consequences

ANSWER

HIPAA Violations: 1. Fines and civil penalties can be filed against any individual that negligently discloses or knowingly and willfully obtains, discloses, or uses medical information; 2. fines can be brought against an institution for failing to prevent/report unauthorized access, use, or disclosure of medical information. HIPAA Consequences: Civil penalties range from $100 per violation to an annual maximum of $1.5 million for repeated violations; the amount of the penalty is based on reasonable cause for the HIPAA violation, willful neglect, and corrective steps taken. Criminal penalties consist of a fine of up to $250,000 as well as a prison sentence of up to 10 years.

QUESTION 26

Business Associate

ANSWER

a person or business who, on behalf of the Covered Entity, utilizes and/or discloses protected health information

QUESTION 27

healthcare operations

ANSWER

process of reviewing information in medical records for those patients admitted within specific time frame after discharge

QUESTION 28

facility directory

ANSWER

example of a disclosure that the patient has the right to agree or object to

QUESTION 29

Hybrid entity

ANSWER

a facility that performs both covered and non-covered functions under the HIPAA privacy rule. ex. University Medical Clinic

QUESTION 30

Notice of Privacy Practices required elements

ANSWER

effective date of the notice; description of the grievance process; list of individual rights per the HIPAA Privacy Rule

QUESTION 31

minimum necessary requirement

ANSWER

rule that does not require the consent of the patient to transfer records to a facility for follow up care.

QUESTION 32

What is administrative simplification?

ANSWER

HIPAA's attempt to streamline and standardize the healthcare industry's nonuniform and seemingly chaotic business practices, such as billing.

QUESTION 33

Does HIPAA preempt state laws?

ANSWER

No, it only serves as a federal floor or minimum on privacy requirements - stricter state laws still prevail.

QUESTION 34

What is ARRA and when was it signed into law?

ANSWER

American Recovery and Reinvestment Act (2009)

QUESTION 35

What are some major issues HITECH deals with in regards to Privacy?

ANSWER

Business associate agreements, minimum necessary requirements, individual rights, breach notification, personal health record vendors, marketing/fundraising/sale of information, and increased enforcement and penalties for noncompliance.

QUESTION 36

What are the 2 key goals of the Privacy Rule?

ANSWER

1) Provide an individual with greater rights with respect to his or her health information, and 2) provide greater protections for one's health information.

QUESTION 37

What is PHI?

ANSWER

Protected Health Information - individually identifiable health information that is transmitted by electronic media, maintained in any electronic medium, or maintained in any other form or medium.

QUESTION 38

What does individually identifiable mean?

ANSWER

The information must either identify the person or provide a reasonable basis to believe the person could be identified from the information.

QUESTION 39

What are examples of covered entities?

ANSWER

Healthcare providers, health plans, and healthcare clearinghouses.

QUESTION 40

What are business associates?

ANSWER

A person or organization, other than a member of a covered entity's workforce, that performs functions or activities on behalf of or for a covered entity that involve the use or disclosure of PHI (e.g. consultants, billing companies, transcription companies, accounting firms, and law firms).

QUESTION 41

What is the designated record set?

ANSWER

The health records, billing records, and various claims records that are used to make decisions about an individual.

QUESTION 42

What is the minimum necessary standard and who does it apply to?

ANSWER

A rule that applies to individuals who work for an organization (providers and other CEs) that they must limit the use, disclosure, and requests of PHI to only the amount needed to accomplish the intended purpose (excludes TPO).

QUESTION 43

What is TPO?

ANSWER

Treatment, Payment, and Operations (the exceptions to the release of PHI).

QUESTION 44

When does the privacy rule apply to CEs?

ANSWER

When they are directly or indirectly involved with transmitting or performing any electronic transactions specified in the act (i.e. in regards to health claims, insurance coverage, etc.).

QUESTION 45

What is a business associate agreement?

ANSWER

The written contract that BAs of CEs must sign to agree to abide by the covered entity's requirements to protect the information's security and confidentiality.

QUESTION 46

What are workforce members?

ANSWER

Employees, volunteers, student interns, trainees, and on-site contractors/vendors for whose actions the covered entity is responsible.

QUESTION 47

How can a CE properly ensure the de-identification of information?

ANSWER

1) Strip it of all identifying information (name, SSN, locations, dates, etc.), or 2) have an expert apply statistical and scientific principles to minimize the identification risk.

QUESTION 48

What individual rights does the HIPAA Privacy Rule provide?

ANSWER

Right of access, right to request amendment of PHI, right to accounting of disclosures, right to request restrictions of PHI, right to request confidential communications, and right to complain of Privacy Rule violations.

QUESTION 49

What are valid grounds for denying access to personal PHI?

ANSWER

Without opportunity to appeal, any records that are: psychotherapy notes, compiled for legal proceedings, subject to CLIA, about an inmate and could cause harm, subject of research to which denial of access has been agreed, subject to Privacy Act, or obtained from someone in confidence. With opportunity to review: any records where a licensed professional determines access may endanger life or safety, or there is reference to another person and access could cause harm.

QUESTION 50

How long does a CE have to provide requested information?

ANSWER

30 days, and up to 30 days more if written notice is given as to why and the expected date of availability (60 days if the info is stored off-site).

QUESTION 51

How long does a CE have to respond to a request for amendment to information?

ANSWER

60 days and up to 30 more if given a written notice as to why/ETA.

QUESTION 52

What actions must be taken if the amendment is granted?

ANSWER

The amendment must be linked to the original entry, and the amendment must be sent to whomever the patient requests.

QUESTION 53

What information must be given to the patient if their request for amendment is denied?

ANSWER

The basis for denial, their right to submit a statement disagreeing with the denial (and how to submit this), that the request for amendment and denial will accompany any new requests for information, and a contact person who they can complain to.

QUESTION 54

What amount of time must covered entities retain an accounting of disclosures?

ANSWER

3 years

QUESTION 55

What information does not need to be accounted for in the accounting of disclosures?

ANSWER

TPO information (if the provider does not have an EHR), disclosure to the patient themselves, any disclosure incidental to another proper disclosure, any for the facility directory, any for national security, for law enforcement officials, or part of a limited data set.

QUESTION 56

What information must be included in the accounting of disclosures?

ANSWER

Date, name and address of requestee, and brief statement of the purpose of disclosure.

QUESTION 57

How long does a CE have to produce an accounting of disclosures?

ANSWER

60 days and an extension of 30 days if notification is given to the patient

QUESTION 58

What act allows patients to request restrictions of PHI (for TPO purposes) and in what circumstances?

ANSWER

ARRA, unless a patient pays completely out of pocket and the CE agrees (not required to do so).

QUESTION 59

What are the 3 key documents of the Privacy Rule?

ANSWER

Notice of Privacy Practices (required), authorization (required), and consent (optional).

QUESTION 60

What is the notice of privacy practices?

ANSWER

A notice explaining how an individual's PHI will be used or disclosed, along with their rights, and the CE's legal duties.

QUESTION 61

What are some elements that must be included in the NPP?

ANSWER

Standard header, description of how information will be used for TPO and for other purposes, statement that other disclosures will only be made with the patient's consent, statement of the individual's rights, how to make complaints and the contact person to do so, and effective date.

QUESTION 62

What must a valid authorization form contain?

ANSWER

Description of the info being disclosed, people authorized to request the data, who can make the disclosure of data, expiration date, statement of the right to revoke authorization, statement that info is subject to redisclosure, signature/date, and a representative's right to sign (if applicable).

QUESTION 63

What type of documentation always requires authorization for use/disclosure (except for TPO)?

ANSWER

Psychotherapy notes

QUESTION 64

When is the use or disclosure of PHI required, even without patient authorization?

ANSWER

1) When the patient or their representative requests access or accounting of disclosures (with exceptions), 2) When HHS is conducting an investigation, review, or enforcement action.

QUESTION 65

What are the permitted uses and disclosures of PHI without written patient consent, but where the patient has the right to object?

ANSWER

1) Patient directory, and 2) Notification to relatives and friends.

QUESTION 66

What are the permitted uses and disclosures of PHI without written patient consent where the patient cannot choose to object?

ANSWER

1) Public interest and benefit (12 situations), 2) TPO purposes, 3) To the individual, 4) Incidental disclosures, and 5) Use in limited data sets.

QUESTION 67

What are the 12 public interest and benefit situations where PHI may be disclosed without patient consent? (First 6)

ANSWER

1) As required by law, 2) for public health activities, 3) to disclose PHI regarding victims of abuse, neglect, and domestic violence, 4) for health oversight activities, 5) for judicial and administrative proceedings, 6) for law enforcement purposes (6 situations).

QUESTION 68

What are the 12 public interest and benefit situations where PHI may be disclosed without patient consent? (last 6)

ANSWER

7) Regarding decedents (i.e. to coroner or ME), 8) For cadaver organ, eye, or tissue donation, 9) For research (with limitations), 10) To prevent or lessen serious threat to health or safety, 11) For essential government functions, 12) For workers comp.

QUESTION 69

What are the 6 situations where PHI can be disclosed without authorization for law enforcement purposes?

ANSWER

1) Pursuant to legal process or otherwise required by law, 2) in response to a request for identifying/locating a suspect, fugitive, material witness, or missing person, 3) in response to an official request about someone who is, or is suspected to be, a victim of a crime, 4) about a deceased person whose death may have resulted from criminal conduct, 5) when it is believed in good faith that criminal conduct occurred on the CE's premises, and 6) in response to a medical emergency.

QUESTION 70

What is a breach?

ANSWER

An unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information.

QUESTION 71

When must the secretary of HHS be contacted along with a media outlet to provide breach notification?

ANSWER

When 500+ people are affected

QUESTION 72

What information must be included in a breach notification to an individual?

ANSWER

Description of what occurred (the date it occurred and the date it was discovered), the types of PHI involved, steps the individual may take to protect themselves, what the entity is doing to prevent/rectify the situation, and contact info for any questions.

QUESTION 73

How does the privacy rule define marketing?

ANSWER

Communication about a product or service that encourages the recipient to purchase or use that product or service.

QUESTION 74

What marketing activities do not require authorization?

ANSWER

Ones that occur face-to-face with the CE or that concern a promotional gift of nominal value to the patient.

QUESTION 75

What does not qualify as marketing, and therefore requires no authorization?

ANSWER

Communications to describe health-related products and services, communication for treatment of the individual, and case management or care coordination for the individual.

QUESTION 76

What are exceptions when a CE can make "paid" communications with the patient?

ANSWER

When it is in regards to a prescribed drug where the payment was "reasonable" or it is from a BA on behalf of the CE. If payment was accepted it must always be prominently stated and have the option to opt out.

QUESTION 77

When is a CE allowed to market to a certain group of individuals?

ANSWER

When it may be beneficial to them, it is explained why they are being targeted, and how the service relates to them.

QUESTION 78

When is information related to fundraising activities okay to use?

ANSWER

When it is disclosed to a BA or institutionally related foundation, only the demographic information and dates of healthcare are provided, they are given the chance to opt out, and they were notified of the use in the NPP.

QUESTION 79

What are the administrative requirements of the HIPAA Privacy Rule?

ANSWER

1) A Privacy Officer and a contact person for receiving complaints are designated, 2) all workforce members are given privacy training (with documentation showing such), 3) there are safeguards and mechanisms in place to safeguard information (administrative, technical, and physical safeguards), 4) there are written policies and procedures (and ongoing review of such) that comply with all standards and specifications.

QUESTION 80

Who may be penalized for HIPAA/Privacy Rule violations?

ANSWER

CEs, BAs, and employees of these

QUESTION 81

How are penalty amounts set up?

ANSWER

They are tiered according to intent and extent of violation: Unknowing violations < Violations due to a reasonable cause < Willful Neglect < Uncorrected Violations
