HCCA - CHCP: Breach Notification(Q&A)2022
Which rule requires HHS to issue interim final regulations for breach notification? - Health Information Technology for Economic and Clinical Health (HITECH) Act as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5). Subtitle D of the HITECH Act (the Act), entitled ''Privacy,'' among other provisions Which government agency handles Personal Health Records (PHR)? FTC Access ability or means necessary to read, write, modify, communicate, or otherwise use data/information. Authorized Person individual authorized by the entity or the entity's Business Associate to acquire, access, or use Protected Health Information ("PHI") that is within the individual's scope of employment Limited Data Set. PHI that excludes 16 specific identifiers as defined in the HIPAA Privacy Rule, but includes: - zip codes - geographical codes - dates of birth - other date information - any other code. Organized Healthcare Arrangement A clinically integrated care setting in which individuals typically receive health care from more than one provider Unauthorized An impermissible use or disclosure of PHI under the HIPAA Privacy Rule Unauthorized Access inappropriate viewing of a patient's medical or financial information without a direct need for diagnosis, treatment, payment, or other lawful use. Unsecured Protected Health Information PHI that is not secured through the use of a technology or methodology that renders PHI "unusable, unreadable, or indecipherable to unauthorized" - encryption _ destruction Protected Health Information ("PHI") Individually identifiable health information that is (i) transmitted by electronic media (ii) maintained in any medium such as magnetic tape, disc, optical file (iii) transmitted or maintained in any other form or medium (including but not necessarily limited to paper, voice, Internet, or facsimile). Workforce Member Employees, volunteers, students, medical residents, trainees, and other persons whose conduct, in the performance of work for an entity, is under the direct control of the entity, whether or not they are paid by the entity Breach (as defined in HITECH 164.402 The acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information Harm means poses a significant risk of financial, reputational, or other harm to the individual. PHI identifiers • Name • Date of Birth or any other date smaller than a year • Any elements of dates smaller than a year (i.e., date of admission, discharge, death, etc.) • Zip Code • Medical Record Number • Device Identification Numbers • Social Security Number • Any geographic subdivision smaller than a state • Phone Numbers • Fax Numbers • E-mail Addresses • Health Plan Beneficiary Number • Any other Account Number • Certificate/License Numbers • Vehicle Identifiers • WEB URLs • Internet IP Address Numbers • Full face photographs or comparable images • Biometric Identifiers (fingerprint, voice prints, retina scan, etc.) • Any other unique number, characteristic or code Unsecured Protected Health Information health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology on the HHS Web site Individual Notification of a Breach must contain the following • Brief description of what happened and when it happened, to include the date of the breach and the date it was discovered. • Description of the types of unsecured PHI involved in the breach (example: the individual's social security number, date of birth, etc.) • Steps individuals should take to protect themselves from potential harm as a result of the breach. • Brief description of what the involved covered entity is doing to investigate the breach, mitigate losses, and protect against any further breaches. • Contact procedures for individuals to ask questions or learn additional information. When must notification be made to the individual? without unreasonable delay, When is a breach "discovered"? "discovered" when at least one employee of the entity (other than the person responsible for the breach) knows or reasonably should know of the breach. How is a individual notified? by First Class mail Can you email notice of a breach? Yes, if the individual has previously agreed to be notified by mail. If more than 10 individuals information is out-of-date what must an CE do? must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside If notified is by WEB or media what must be included? Toll Free Number When must media be used to give notice? when over 500 When must the media be notified? - As soon as, reasonably eable but not more than 60 days. - Must include same information as individual notification When must the HHS Secretary be notified of a breach over 500 people? What must be included to the secretary? - Number of individuals affected - Breaches Affecting 500 or More Individuals • If a breach affects 500 or more individuals, a covered entity must provide the Secretary with notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach. This notice must be submitted electronically. • If a covered entity that has submitted a breach notification form to the Secretary discovers additional information to report, the covered entity may submit an additional form, checking the appropriate box to signal that it is an updated submission.
Written for
- Institution
- HCCA - CHCP
- Course
- HCCA - CHCP
Document information
- Uploaded on
- November 11, 2022
- Number of pages
- 5
- Written in
- 2022/2023
- Type
- Exam (elaborations)
- Contains
- Questions & answers
Subjects
-
hcca chcp breach notificationqampa2022
-
which rule requires hhs to issue interim final regulations for breach notification
-
which government agency handles personal health records phr