Medical Privacy - HIPAA Rules Flashcards

Podcast

Play an AI-generated podcast conversation about this lesson

Download our mobile app to listen on the go

Get App

Questions and Answers

What are covered entities?

Healthcare providers
Insurers
Business associates
All of the above (correct)

Which statements are true regarding non-covered entities?

Conversations with friends are covered by HIPAA
Health information in their hands is protected by HIPAA
Individuals can purchase books about health without HIPAA protections (correct)
Websites providing medical information are covered entities

What was the initial reason for HIPAA?

To improve the efficiency of healthcare delivery.

What does PHI stand for?

Protected Health Information. Signup and view all the answers

Which entities are specifically covered under HIPAA?

All of the above (D) Signup and view all the answers

HIPAA applies to doctors who only accept cash or credit cards.

False (B) Signup and view all the answers

What does HITECH stand for?

Health Information Technology for Economic and Clinical Health. Signup and view all the answers

Define a business associate under the HIPAA Privacy Rule.

A person or organization, other than a member of a covered entity's workforce, that performs services for or on behalf of a covered entity involving the use or disclosure of PHI. Signup and view all the answers

Which activities are performed by a business associate under HIPAA?

All of the above (D) Signup and view all the answers

What is required for a covered entity to enter into a business associate contract under the Privacy Rule?

It must include provisions that pass the privacy and security standards down to the contracting entity. Signup and view all the answers

What does HIPAA require concerning privacy notices?

All of the above (D) Signup and view all the answers

HIPAA authorizes the use of PHI without individual consent for any purposes.

False (B) Signup and view all the answers

What is the Minimum Necessary standard under HIPAA?

Covered entities must limit the use and disclosure of PHI to the minimum necessary to accomplish intended purposes. Signup and view all the answers

Individuals have the right to access their own PHI and to amend it.

True (A) Signup and view all the answers

What are the safeguards implemented under the Privacy Rule?

Physical and technical safeguards to protect PHI. Signup and view all the answers

Who primarily enforces the Privacy Rule?

The Office for Civil Rights (OCR). Signup and view all the answers

What is the role of the US DOJ concerning HIPAA?

Criminal enforcement authority. Signup and view all the answers

How does the FTC relate to HIPAA?

Can bring enforcement actions for unfair and deceptive trade practices. Signup and view all the answers

What methods can be used for de-identifying data under the Privacy Rule?

Remove all specified data elements or certify that the risk of re-identification is very small. Signup and view all the answers

What does the HIPAA Security Rule establish?

Minimum security requirements for electronic PHI. Signup and view all the answers

What is the goal of the HIPAA Security Rule?

All of the above (D) Signup and view all the answers

What should covered entities consider when developing a security program?

Size, complexity, technical capabilities, cost of security measures, and potential risks. Signup and view all the answers

Flashcards are hidden until you start studying

Study Notes

Medical Privacy - HIPAA Privacy & Security Rules

Covered Entities: Include healthcare providers, insurers, and business associates receiving data from covered entities.
Non-Covered Entities: Health information in the hands of non-covered entities (e.g., bookstores, websites) is not protected by HIPAA. Conversations with friends also fall under non-covered.
Initial Reason for HIPAA: Aimed to improve healthcare delivery efficiency, requiring entities to transition to electronic formats for reimbursement requests, noting privacy threats arising from this shift.
Protected Health Information (PHI): Individually identifiable health information maintained in any form by covered entities or business associates, relating to physical/mental conditions, healthcare, or payment.
Specific Entities Covered Under HIPAA: Includes healthcare providers conducting electronic transactions, health plans, and healthcare clearinghouses handling medical data.
Doctors Accepting Cash/Credit Only: Not subject to HIPAA regulations as they do not file insurance claims.
HITECH Act: Expanded HIPAA protections through written contracts between business associates and covered entities.
Business Associate Definition: A person or organization that performs services for a covered entity involving the use of PHI.
Activities by Business Associates: Include claims processing, data analysis, utilization review, and various administrative and consulting services.
Business Associate Contract Requirement: Written agreements must enforce privacy and security standards, can be electronically signed under state laws.
HIPAA Privacy Rule & Fair Information Practices: Enforces detailed requirements such as privacy notices, use and disclosure authorizations, security safeguards, and accountability measures.
Privacy Notices: Must be provided at the first service encounter, with exceptions for indirect treatment relationships or emergencies.
PHI Use and Disclosure Authorizations: Requires consent for non-essential uses of PHI; cannot condition treatment on a patient’s authorization to disclose.
Minimum Necessary Use: Covered entities must limit PHI use/disclosure to the minimum necessary for specific purposes.
Access to PHI: Individuals can request copies of their PHI and receive accounts of disclosures; may incur a reasonable fee.
Privacy Safeguards: Establish protocols for physical and technical protection of all PHI; the Security Rule mandates similar safeguards but focuses on electronic PHI.
Accountability Measures: Covered entities must designate a privacy official and ensure personnel training and compliance with privacy protocols.
Primary Enforcer of Privacy Rule: The Office for Civil Rights (OCR) manages individual complaints and can impose penalties; extensive audits of covered entities for compliance are conducted.
U.S. Department of Justice (DOJ): Holds criminal enforcement authority under HIPAA, with severe penalties including imprisonment for violations.
Federal Trade Commission (FTC): Can enforce actions against unfair trade practices applicable to HIPAA-covered entities.
De-Identification Limits: Information not identifying an individual or reasonably believed to identify someone is excluded from HIPAA protections.
Research Exceptions: Medical research may use PHI with proper consent or approval from ethical review boards; flexible rules apply for de-identified data.
Public Health Exceptions: PHI can be shared for public health activities, abuse reporting, judicial processes, law enforcement, and compliance investigations.
Methods for De-identifying Data: Involves removing specific identifying data elements or certifying the minimal risk of re-identification.
HIPAA Security Rule: Sets minimum security requirements for ePHI, mandating reasonable security measures regardless of technology.
Goal of the Security Rule: To have policies in place for prevention, detection, containment, and correction of security violations.
Security Standards: Includes administrative, technical, and physical safeguards; some specifications are mandatory while others are addressable.
Security Program Development Elements: Covered entities must assess size, technical capabilities, security costs, and potential risks to ePHI when formulating security programs.
Additional Security Requirements: Necessitate appointing a compliance officer and performing risk assessments and staff training, with consequences for non-compliance.