GUIDE
Access and Copy Information: Patients are entitled to a copy of, or access to, the information in
the designated record set.
What are two specific instances where a CE must seek permission from the individual if they want to
use or disclose PHI?
- "facility directories"
- Second is "uses and disclosures for involvement in the individual's care and notification
purposes."
Can "Addressable" Security requirements be ignored? No
Disclosure: when information leaves the boundary of the legal entity or when it leaves the
HIPAA CE functions in a hybrid entity
Does a provider have to amend the record if a patient asks? It is only a request. If the provider
determines the record to be accurate, they can deny the request.
Does a provider need a standing facility to be considered a CE? No
Does USE and DISCLOSURE mean the same thing? No
HIPAA became law: 1996
HIPAA grants the CE related to security:
• Covered entities may use any security measures that allow the CE to reasonably and
appropriately implement the standards and implementation specifications.
• In deciding which security measures to use, a CE must take into account the following factors:
--The size, complexity, and capabilities of the CE
--The CE's technical infrastructure, hardware, and software security capabilities
--The costs of security measures
--The probability and criticality of potential risks to electronic protected health information.
HIPAA resides in what CFR section? 45 CFR sections 164.102 through 164.534
How did Access and Copy Information change under HITECH? HITECH extended the requirements
to electronic health records (EHRs). CEs must provide the patient (or individuals or entities
authorized by the patient, such as doctors and personal health record services) with an electronic
copy of their file.
How do you determine if an organization is a CE?
- compare the functions of the entity to the three principal types of "covered entities" (CE)
- determine if the entity electronically transmits one of the nine defined transactions
How does privacy bridge the gap of security? - privacy professional coordinates the
administrative safeguards
- generally limited to policies and procedures
How is a Provider defined?
- a provider of services (as defined in section 1395x (u) of title XIX)
- a provider of medical or other health services (as defined in section 1395x (s) of title XIX)
- any other person furnishing health care services or supplies.
Identify the four sections in the CFR by location and topic:
Section One: 164.102 - 164.318 and 164.530 - 164.534 Organizational Requirements
Section Two: 164.500 - 164.514 Use and Disclosure of Information
Section Three: 164.520 - 164.528 Individual's Rights and Penalties
Section Four: Interaction with the HIPAA Security Rule
If a breach occurs affecting fewer than 500 people, who must be notified and when? The HHS Secretary,
at least annually
If information is encrypted is it considered a breach? No
Intent: the purpose of this subtitle is to improve the Medicare program under title XVIII of the Social
Security Act, the Medicaid program under title XIX of such Act, and the efficiency and
effectiveness of the health care system, by encouraging the development of a health information
system through the establishment of standards and requirements for the electronic transmission
of certain health information.
Is a valid authorization required for Psychotherapy Notes/Records? Yes, except for TPO
including the entity's internal training program and Marketing.
Mandated Disclosures: to the individual who is the subject of the information (or their legal
representative), and to the Secretary of Health and Human Services.
Mandated Reporting of Breaches and Individual Notification
- imposes an organizational response
- implies a client right
May a CE use, disclose or request a whole medical record? The amount disclosed must be reasonably
necessary to accomplish the purpose of the use, disclosure, or request
Minimum Necessary: using or disclosing information to limit protected health information to the
minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
Notice of Privacy Practice - CE must provide a Notice of Privacy Practice (NPP).
- This statement provides the rules of the road on how an entity will use and disclose
information.
- These are the policies and procedures (P&P) that support the privacy and security of the
information and the entity's commitment to the individual.
Request for Confidential Communication: patient may request other communication channels not
typical for the entity, such as email, or meeting in off-site locations.
Request for Restrictions: patient has the right to request restrictions on the U&D of
information, even for the TPO exception
Request to Amend: client has the right to request an amendment to their designated record set
if they determine it may be inaccurate
Right to an Accounting of Disclosures: patients are entitled to know to whom information is
disclosed, and the purpose of the disclosure.
Security Rule says an entity must:
• Ensure the confidentiality, integrity, and availability (CIA) of all electronic protected health
information (EPHI) the CE creates, receives, maintains, or transmits
• Support CIA through Administrative, Technical and Physical safeguards