Confidentiality & HIPAA Compliance


Questions and Answers

Which of the following actions by a healthcare professional constitutes a breach of patient confidentiality?

  • Discussing a patient's case with another healthcare provider in a private setting.
  • Consulting with a specialist regarding a patient's diagnosis with patient consent.
  • Reviewing a patient's medical history to provide the best care.
  • Leaving a patient's medical chart open and visible in a non-secured area. (correct)

In the context of HIPAA, what does 'portability' primarily refer to?

  • The ability to transfer medical records electronically between providers.
  • The protection of patient information from unauthorized access while mobile.
  • The standardization of healthcare forms for easier processing.
  • The assurance of continuous healthcare coverage when changing jobs. (correct)

Which scenario best illustrates a violation of the HIPAA Privacy Rule?

  • A medical researcher accessing anonymized patient data for a study.
  • A hospital implementing new security measures to protect patient data.
  • A doctor sharing a patient's medical history with an insurance company after obtaining the patient’s signed consent form.
  • A nurse discussing a patient's diagnosis in a public elevator. (correct)

What is the primary purpose of the Healthcare Integrity and Protection Data Bank (HIPDB)?

To track and prevent fraudulent healthcare practices and protect patients. (B)

Under what circumstances is a healthcare provider legally obligated to release a patient's confidential information without the patient's explicit consent?

When required by law to report cases of suspected child abuse. (B)

Which safeguard is most effective in preventing unauthorized access to patient information stored on a computer in a healthcare setting?

Implementing automatic screen lockouts with password protection after a short period of inactivity. (C)

What is the primary intent of the Patient Safety and Quality Improvement Act of 2005 (PSQIA)?

To encourage the reporting and analysis of patient safety events by protecting the identities of those who report. (A)

Which of the following actions would be considered a violation of patient confidentiality?

Disclosing a patient's HIV status to the patient's employer without the patient's consent. (A)

A hospital employee accesses a patient's medical record out of curiosity, without any legitimate reason. Which type of violation has occurred?

A breach of confidentiality and potential violation of HIPAA. (A)

What is the role of a 'release of information' form in healthcare?

It is a legal document that authorizes healthcare providers to disclose specific medical information to designated individuals or entities. (D)

Which of the following actions is most aligned with the principle of 'need to know' in HIPAA legislation?

A medical records clerk accessing patient files to update address information. (D)

Why is it important for healthcare professionals to adhere to strict confidentiality practices?

To maintain patient trust and encourage open communication, leading to better healthcare outcomes. (A)

What does the term 'preexisting condition' refer to in the context of health insurance and HIPAA?

A health condition that a patient has before their health insurance coverage begins. (D)

What is the main purpose of the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA) in relation to healthcare?

To allow employees who leave a company to continue their health insurance coverage for a limited time. (D)

What is ransomware, and how does it pose a risk to healthcare facilities?

Ransomware is malicious software that blocks users from accessing their computer systems and demands payment for restoration of access. (A)

Which action demonstrates respect for a patient's privacy and confidentiality?

Obtaining a signed release form prior to sharing a patient's medical information with their insurance company. (A)

What type of information does HIPAA protect under the umbrella of Protected Health Information (PHI)?

Any individually identifiable health information, including past, present, and future medical conditions, treatments, and billing information. (A)

Why did Congress decide to incorporate factors beyond just portability and preexisting conditions into the final HIPAA legislation?

To include protection of private medical information, standardization of forms, and strategies to prevent fraud, waste, and abuse. (A)

When is it ethically permissible for a healthcare professional to disclose patient information to protect the 'greater good'?

When a patient poses a direct threat to the safety of others, such as in cases of certain contagious diseases or potential harm to others. (B)

A medical assistant is asked by a patient's neighbor for information about the patient's recent visit. What is the appropriate course of action for the medical assistant?

Explain that they cannot provide any information due to patient confidentiality laws. (C)

What is the relationship between privacy and confidentiality?

Privacy is a condition, while confidentiality is an ethical duty. (D)

What should a healthcare professional do if a patient discloses that they are experiencing thoughts of self-harm?

Report the information to the local police department and the local Department of Human Services. (B)

An insurance clerk leaves her computer on while going to lunch. In plain sight is the insurance record of Mr. James Foreman. According to the text, what should the insurance clerk do to prevent such information from being viewed by others?

Make sure the computer is password protected with automatic computer save-and-shutoff settings. (D)

What is medical identity theft?

Stealing a patient's personal information, such as their name, address, and social security number. (C)

In the Susan's Story case study, how did the doctor violate Susan's privacy?

The doctor didn't close the examination room before giving Susan the diagnosis. (A)

In the Dr. George Sheffield case study, why shouldn't you share that Stephen Morris, your sister's favorite actor, visited the clinic?

Because sharing it could get you punished, with penalties ranging from fines to imprisonment. (D)

Which of the following items does HIPAA not cover?

HIPAA covers all of the answer options. (A)

In the text, it mentions the William Gladstone case study. Why did the attending physician contact the local health department and Superior?

To share that William had contracted food poisoning, so that others were alerted and could seek medical treatment. (A)

Approximately how many ransomware computer attacks happen daily?

4000 (B)

What does child abuse mean?

Child abuse means harm of a person younger than 18 years of age who is not an emancipated minor. (C)

In how many phases did George Herbert Walker Bush and Congress choose to introduce HIPAA into law?

3 (A)

What is the name of the act that addresses confidentiality, seeking to improve quality, safety, and efficiency of healthcare technology and the American healthcare system?

HITECH (C)

What does the acronym 'EOB' stand for?

Explanation Of Benefits (B)

What does portability mean?

Means that no lapse of healthcare coverage occurs when a person changes from one job to another. (B)

In the Releasing Medical Information case study, why couldn't Carol share information with Ms. Reid?

Ms. Reid was not authorized to have your medical information shared with her. (B)

Approximately how often is a report made concerning the maltreatment of a child in America?

Every 10 seconds. (A)

What is a "Better Business Bureau" of healthcare?

Healthcare Integrity and Protection Data Bank (HIPDB). (A)

Which American president signed the Privacy Act of 1974 into law?

President Gerald Ford (D)

You are a medical assistant in a medical office. A friend asks you what is wrong with their favorite football team player. What is the best action to take as a response?

Inform the friend that I am unable to share information due to HIPAA. (D)

Flashcards

Confidentiality

Personal information shared with a professional, like a doctor or lawyer; vital in healthcare.

Privacy

The absence of intrusion into one's personal life and information from external sources.

Breach

To violate or break (a law, promise, agreement, or relationship).

HITECH Act

Legislation to modernize the flow of health information.

Ransomware

Malicious software that blocks access to computer systems until a ransom is paid.

Privacy Act of 1974

A law that protects the privacy of student education records.

Medical Identity Theft

Stealing someone's personal information to wrongly acquire insurance coverage or prescriptions.

Portability

No lapse of healthcare coverage occurs when a person changes jobs.

Preexisting conditions

Ailments or diseases a patient has before health insurance coverage begins.

Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA)

Allows continuous health coverage through COBRA.

Protected Health Information (PHI)

Personal data (past, present, and future).

Healthcare Integrity and Protection Data Bank (HIPDB)

Was established under HIPAA and became fully operational in 2000 to prevent fraudulent and/or abusive healthcare practitioners

Release of Information

A document that allows a healthcare provider to share certain information.

Patient Safety and Quality Improvement Act of 2005 (PSQIA)

Legislation for reporting patient safety violations.

Child Abuse

Harm to a person under 18: physical, emotional, sexual, or neglect.

Study Notes

  • Confidential communications are imperative in professions like law, journalism, medicine, academia, and business
  • Breaching the trust of confidentiality is detrimental

Key Objectives

  • Importance of confidentiality in healthcare is vital
  • The Health Insurance Portability and Accountability Act (HIPAA) should be followed
  • Violations of patient confidentiality have ramifications
  • Medical information confidentiality breaches occur frequently
  • The Privacy Rule is one way to safeguard confidentiality

Key Terms

  • Breach: A violation
  • Confidentiality: Protecting personal information
  • Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA)
  • Healthcare Integrity and Protection Data Bank (HIPDB)
  • HITECH
  • Medical Identity Theft
  • Patient Safety and Quality Improvement Act of 2005 (PSQIA)
  • Portability
  • Preexisting condition
  • Privacy
  • Privacy Act of 1974
  • Privacy Rule
  • Protected Health Information (PHI)
  • Ransomware
  • Release of information

Privacy vs Confidentiality

  • Privacy: The absence of intrusion into a person's life and information from external sources
  • In healthcare: Patient health information is securely held, accessible only to authorized individuals
  • Confidentiality: Personal information shared with professionals, is vital in healthcare
  • Privacy is about the general state of being free of intrusion
  • Confidentiality is an ethical duty to protect shared information
  • Privacy and confidentiality are legally protected
  • Violations of both have legal consequences
  • Doctor-patient relationship: An implied confidentiality agreement exists
  • Patients must sign documents acknowledging understanding of health privacy policies and procedures

Susan's Story: Case Study

  • Susan experienced severe abdominal pains, vomiting, and diarrhea
  • Joseph, Susan's husband, took her to the Community Hospital emergency room
  • ER doctor, Ali Patel, diagnosed Susan with E. coli and dehydration after a 2-hour wait
  • Dr. Patel announced the diagnosis without entering or closing the examination room
  • Nurses and others passing by overheard the diagnosis
  • Dr. Patel violated confidentiality by allowing others to hear Susan's diagnosis, infringing on patient privacy

Hippocratic Oath

  • Hippocrates recognized the importance of confidentiality in medicine dating back to 460–377 BC
  • Sharing a person's personal health information is unethical; this remains pertinent
  • Patients can expect their medical information to be confidential
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) makes it illegal to do otherwise
  • Protecting medical information is equivalent to confidentiality
  • Healthcare professionals are entrusted with keeping medical information in confidence
  • Physicians take the Hippocratic Oath, which emphasizes confidentiality
  • Healthcare professionals must take steps to secure patient information

Confidentiality and the Health Industry

  • Keeping personal medical information private is key
  • This includes conditions, treatments, and the fact that a person sought treatment
  • Professionals show respect when they protect a patient's medical information
  • This builds patient trust and cooperation
  • Confidentiality is mandated by law and is also ethical

Dr. George Sheffield: Case Study

  • As a medical assistant for Dr. George Sheffield, a plastic surgeon, you can't tell your sister about his celebrity client.
  • Mr. Morris, who is your sister's favorite actor, is seeking a face lift consultation
  • Sharing this violates HIPAA laws, resulting in penalties
  • Confidentiality is serious and should be treated with care and the utmost professionalism
  • Celebrities aren't entitled to better medical care or protection of medical information
  • Treat each patient with respect, dignity, and standard of care.

Beginnings

  • Federal government increased record maintenance in the 1960s
  • Citizens and legislators questioned how private information was used
  • The Department of Health, Education, and Welfare (HEW) issued a report in 1973
  • The Privacy Act of 1974 (Public Law 93-579) was signed into law by President Gerald Ford
  • The law isn't exclusive to medical information; addresses how sensitive information can be shared
  • Applies to U.S. citizens and permanent residents
  • Discussions surrounding the Privacy Act led to HIPAA

Common Breaches

  • Patient confidentiality is vital legally and ethically
  • Patient healthcare data is private
  • Patients want to know who sees their data
  • Individuals seek care when they believe their data is private
  • By being open, patients give vital information
  • Perry asks a patient in a public area "Why are you seeing the doctor today?"
  • A sign-in sheet contains patient information
  • Staff discuss patients where others can hear
  • An insurance clerk leaves sensitive information on a computer while at lunch
  • A custodian reads medical records

Scenarios

  • Receptionists shouldn't ask about the visit reason in front of others
  • Have patients come to the side, talk over the phone, or discuss it when appointments are booked
  • The sign-in sheet should have stickers
  • Healthcare workers should speak in private with patients
  • Insurance clerks should log out before leaving
  • Passwords and auto shutoff settings can prevent some breaches
  • Medical records should be locked when staff aren't around
  • As access goes up, the chance of breaches also increases

HITECH

  • HITECH: the Health Information Technology for Economic and Clinical Health Act
  • Was signed February 17, 2009
  • Addressed confidentiality and appropriated 250 million towards technology
  • Improve quality, safety, and efficiency
  • Coordination should increase
  • Improve health status
  • Promote patient autonomy
  • Assurance of privacy and security

Ransomware

  • Ransomware poses a risk to data: it is malicious software used by computer hackers to block users from data in their own computer systems
  • This can be referred to as digital extortion
  • An average of 4000 attacks occur daily
  • Since ransomware compromises the user's/owner's access to their own electronic information, these recommendations can assist management:
  • Conduct frequent computer system backups.
  • Validate backed-up data by testing restorations
  • Users should consider keeping backups offline and separate from the primary network, since some ransomware can remove or disrupt backups

Medical Identity Theft

  • Stealing a patient’s personal information (name, address, social security number, etc.) to wrongly acquire insurance or prescriptions
  • The wise medical consumer (patient) should be protective by:
  • Reviewing medical bills or insurance statements carefully
  • Reading medical collection notices
  • Keeping up with benefit (insurance) financial limits
  • Contacting the healthcare provider if information is incorrect and getting copies of medical records
  • Keeping copies of records in a secure location to ensure they aren't leaked by third parties

The Health Insurance Portability and Accountability Act

  • Signed into law in 1996 to address continuation of health insurance coverage in healthcare
  • Provided patients with more control of information.
  • Five forms required to protect patient information.
  • Privacy notice.
  • Signature of patient indication
  • Patient's permission to provide medical information
  • Trading partner specifying
  • Contractual statement

Key Components of the Act

  • The twofold goal: to improve conditions when individuals change health insurance, ensuring no lapse of coverage, and to ensure preexisting conditions are covered
  • Portability means no lapse of healthcare coverage when a person changes from one job to another
  • Preexisting conditions: Diseases that the patient had before coverage begins
  • Preexisting conditions often limit coverage
  • Designed to help the patient get needed coverage
  • Continuous coverage through the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA).
  • The final HIPAA legislation included "add-ons":
  • Protection of private medical information.
  • Standardized and simplified forms.
  • Strategies to prevent fraud, waste, and abuse.
  • The George Herbert Walker Bush administration chose to introduce the law in three phases:
  • Federal privacy regulations
  • Insurance claims
  • Clearinghouse of electronic medical claims
  • You must continually ask, “How can I achieve confidentiality for the sake of the patient?”
  • Your best defense: professional silence and secure data management
  • You must be aware of what actions are against HIPAA laws
  • Access to a patient's record does not imply permission to go into that record
  • As a medical receptionist, it is not likely you will need to access patient records
  • A "need to know" clause should be present
  • Five primary components:
  • Insurance Portability
  • Administrative Simplification
  • Medical Savings and Tax Deduction
  • Group Health Plan Provisions
  • Revenue Offset Provisions

The Consolidated Omnibus Budget Reconciliation Act

  • COBRA of 1985 mandated that businesses with 20+ employees provide extended health insurance to employees for up to 18 months when they leave
  • Insurance can be at the expense of the company but usually is paid for by the employee
  • Most employees have free health insurance through the company.
  • Employees leaving the job can then decide to purchase the coverage until other coverage begins

The Privacy Rule

  • Went into effect between 2001 and 2003.
  • Pertains to personal data, known as protected health information (PHI).
  • PHI is specific medical info pertaining to the patient (name, DOB, SSN)
  • Treatment of PHI:
  • PHI can come in three forms: written, electronic, and oral.
  • Exceptions to PHI may include child and spousal abuse and medical research.
  • Varies by state.
  • PHI doesn't include a range of information

HIPAA Exceptions

  • Laws can't always cover everything and are limited
  • Financial documents (credit information, banking records)
  • Information as maintained by the Central Intelligence Agency (CIA)
  • Educational records etc
  • Subpoenas for medical records needed in court cases
  • Databases of private companies
  • Employee records etc
  • Other laws may act on documents. For example: FMLA

Healthcare Integrity and Protection Data Bank

  • HIPDB established in 2000 under HIPAA
  • Aggressive move to prevent fraudulent and/or abusive healthcare practitioners
  • The Social Security Act outlines areas being monitored
  • Licensure and certification actions
  • Federal and state healthcare exclusion
  • Healthcare judgements
  • Cases of revoking criminal conduct
  • Designed to improve a go-to place to prevent the unethical
  • Better Business Bureau of Healthcare.

Release Of Information

  • A patient’s medical information is protected:
  • A physician cannot discuss their patient's medical information
  • A release of information form grants third parties access to information in a patient's medical record

Releasing Medical Information

  • Carol in the case study discovered that only the employee's spouse had a release of information
  • Carol can only state that Ms. Reid is not authorized and cannot mention that the spouse has authorized permission
  • Third parties require a permission for a medical record to be shared

Patient Safety and Quality Improvement Act

  • Published in 2005 to provide better patient care
  • System for violations of patient safety
  • Protection of those who report
  • Those who report feel more comfortable therefore violations occur more often

The quote from the Health and Human Services

  • Providers may report and examine patient safety events without the worry of increased liability risk
  • The Office for Civil Rights works with Agency for Healthcare Research and Quality

Exceptions to Confidentiality

  • HIPAA does not cover exceptions that include at least:
  • Child abuse
  • Elder abuse
  • Mental health patients
  • Vulnerable populations
  • The Medical Information Bureau

Child Abuse

  • It has affected every socioeconomic group and poses an important issue
  • Applies to a person younger than 18 who is not an emancipated minor
  • Physical, emotional, and/or sexual abuse
  • Federal definitions include
  • Any recent act or failure to act by them.
  • An act or failure to act which presents a big risk of serious harm
  • Child abuse should be reported by a doctor
  • Child abuse should be reported by a nurse
  • Child abuse should be reported by a dentist
  • Child abuse should be reported by mental health professional
  • Child abuse should be reported by social worker
  • Child abuse should be reported by a teacher
  • Child abuse should be reported by a day care worker
  • Child abuse should be reported by law enforcement personnel
  • Clergy and camp counselors can also report it
  • Certain states require people who suspect or feel abuse is occurring to report it
  • Healthcare professionals can report suspicions
  • All have the right and are legally obligated
  • Department of Human Services can be contacted

Elder Abuse

  • Like child abuse, it is an issue that's unreported
  • The age can vary state by state
  • Is harmful treatment including physical, emotional, or sexual abuse
  • One form is neglect of the senior
  • Financial abuse
  • Self-abuse
  • An estimated 1 to 2 million people 65 and older have been mistreated
  • Report all cases, contact Department of Human Services
  • In certain states, it is punishable by the law

Mental Health Patients that pose threat

  • Mental illness affects 1 in 5 Americans and can be a specific thing to look for
  • Professionals encounter patients with mental illness
  • Any healthcare professional can report a suspicion
  • Applies when patients may self-harm or are harming someone else

William Gladstone Case Study

  • Employed by a furniture company named Superior
  • After a picnic, he fell ill with symptoms of nausea and vomiting
  • Medical staff concluded it was food poisoning
  • Potato salad at the picnic for 2 hours had spoiled and triggered the poisoning
  • All were exposed so it all had to come out

Putting It All Together

  • Benefits from reporting outweigh the potential benefits of medical info.
