HCCA - CHPC Overview
How did Access And Copy Information under HITECH? - HITECH extended the requirements via
electronic health records (EHRs). CEs must provide the patient (or individuals or entities authorized by
the patient, such as doctors and personal health record services) with an electronic copy of their file
Access and Copy Information - Patients are entitled to a copy of, or access to, the information in
the designated record set
Are two specific instances where a CE must seek permission from the individual if they want to use or
disclose PHI? - - "facility directories,"
- Second is "uses and disclosures for involvement in the individual's care and notification purposes.
Can "Addressable" Security requirements be ignored? - No
Disclosure - when information leaves the boundary of the legal entity or when it leaves the HIPAA
CE functions in a hybrid entity
Does a provider have to amend the record if a patient asks? - it is only a request. If the provider
determines the record to be accurate, they can deny the request.
Does a provider need a standing facility to be considered a CE - NO
Does USE and DISCLOSURE mean the same thing? - No
HIPAA became law - 1996
HIPAA grants the CE related to security - • Covered entities may use any security measures that
allow the CE to reasonably and appropriately implement the standards and
implementation specifications.
• In deciding which security measures to use, a CE must take into account the following factors:
,--The size, complexity, and capabilities of the CE
--The CE's technical infrastructure, hardware, and software s ecurity capabilities
--The costs of security measures
--The probability and criticality of potential risks to electronic protected health information.
HIPAA resides in what CFR section - 45 CFR sections 164.102 through 164.534.
How do you determine if organization is a CE - - compare the functions of the entity to the three
principal types of "covered entities" (CE),
- determine if the entity electronically transmits one of the nine defined transactions"
How does privacy bridge the gap of security? - - privacy professional coordinates the
administrative safeguards
- generally limited to policies and procedures
How is a Provider defined - - "a provider of services (as defined in section 1395x (u) of title XIX)
- a provider of medical or other health services (as defined in section 1395x (s) of title XIX)
- any other person furnishing health care services or supplies.
Identify the four sections in the CFR by location and topic - Section One: 164.102 - 164.318 and
164.530 - 164-534 Organizational Requirements
Section Two: 164.500 - 164.514 Use and Disclosure of Information
Section Three: 164.520 - 164.528 Individual's Rights and Penalties
Section Four: Interaction with the HIPAA Security Rule
If a breach occurs of less than 500 people who must be notified and when? - The HHS Secretary at
least annually
, If information is encrypted is it considered a breach? - No
Intent - purpose of this subtitle to improve the Medicare program under title XVIII of the Social
Security Act, the Medicaid program under title XIX of such Act, and the efficiency and effectiveness of
the health care system, by encouraging the development of a health information system through the
establishment of standards and requirements for the electronic transmission of certain health
information.
Is a valid authorization required for Psychotherapy Notes/Records? - yes, except for TPO including
the entity's internal
training program and Marketing.
Mandated Disclosures - - to the individual who is the subject of the information (or their legal
representative), and to - the Secretary of Health and Human Services.
Mandated Reporting of Breaches and Individual Notification - - imposes an organizational
response
- imply a client right
May CE use, disclose or request a whole medical record? - amount disclosed must reasonably
necessary to accomplish the purpose of the use, disclosure, or request
Minimum Necessary - using or disclosing information to limit protected
health information to the minimum necessary
to accomplish the intended purpose of the use,
disclosure, or request.
Notice of Privacy Practice - - CE must provide a Notice of Privacy Practice (NPP).
- This statement provides the rules of the road on how an entity will use and disclose information.
How did Access And Copy Information under HITECH? - HITECH extended the requirements via
electronic health records (EHRs). CEs must provide the patient (or individuals or entities authorized by
the patient, such as doctors and personal health record services) with an electronic copy of their file
Access and Copy Information - Patients are entitled to a copy of, or access to, the information in
the designated record set
Are two specific instances where a CE must seek permission from the individual if they want to use or
disclose PHI? - - "facility directories,"
- Second is "uses and disclosures for involvement in the individual's care and notification purposes.
Can "Addressable" Security requirements be ignored? - No
Disclosure - when information leaves the boundary of the legal entity or when it leaves the HIPAA
CE functions in a hybrid entity
Does a provider have to amend the record if a patient asks? - it is only a request. If the provider
determines the record to be accurate, they can deny the request.
Does a provider need a standing facility to be considered a CE - NO
Does USE and DISCLOSURE mean the same thing? - No
HIPAA became law - 1996
HIPAA grants the CE related to security - • Covered entities may use any security measures that
allow the CE to reasonably and appropriately implement the standards and
implementation specifications.
• In deciding which security measures to use, a CE must take into account the following factors:
,--The size, complexity, and capabilities of the CE
--The CE's technical infrastructure, hardware, and software s ecurity capabilities
--The costs of security measures
--The probability and criticality of potential risks to electronic protected health information.
HIPAA resides in what CFR section - 45 CFR sections 164.102 through 164.534.
How do you determine if organization is a CE - - compare the functions of the entity to the three
principal types of "covered entities" (CE),
- determine if the entity electronically transmits one of the nine defined transactions"
How does privacy bridge the gap of security? - - privacy professional coordinates the
administrative safeguards
- generally limited to policies and procedures
How is a Provider defined - - "a provider of services (as defined in section 1395x (u) of title XIX)
- a provider of medical or other health services (as defined in section 1395x (s) of title XIX)
- any other person furnishing health care services or supplies.
Identify the four sections in the CFR by location and topic - Section One: 164.102 - 164.318 and
164.530 - 164-534 Organizational Requirements
Section Two: 164.500 - 164.514 Use and Disclosure of Information
Section Three: 164.520 - 164.528 Individual's Rights and Penalties
Section Four: Interaction with the HIPAA Security Rule
If a breach occurs of less than 500 people who must be notified and when? - The HHS Secretary at
least annually
, If information is encrypted is it considered a breach? - No
Intent - purpose of this subtitle to improve the Medicare program under title XVIII of the Social
Security Act, the Medicaid program under title XIX of such Act, and the efficiency and effectiveness of
the health care system, by encouraging the development of a health information system through the
establishment of standards and requirements for the electronic transmission of certain health
information.
Is a valid authorization required for Psychotherapy Notes/Records? - yes, except for TPO including
the entity's internal
training program and Marketing.
Mandated Disclosures - - to the individual who is the subject of the information (or their legal
representative), and to - the Secretary of Health and Human Services.
Mandated Reporting of Breaches and Individual Notification - - imposes an organizational
response
- imply a client right
May CE use, disclose or request a whole medical record? - amount disclosed must reasonably
necessary to accomplish the purpose of the use, disclosure, or request
Minimum Necessary - using or disclosing information to limit protected
health information to the minimum necessary
to accomplish the intended purpose of the use,
disclosure, or request.
Notice of Privacy Practice - - CE must provide a Notice of Privacy Practice (NPP).
- This statement provides the rules of the road on how an entity will use and disclose information.
