EXPLANATIONS
4 principal US regs governing privacy and confidentiality of individually identifiable info
45 CFR, Subpart A-Protection of human subjects
21 CFR 50 and 56-FDA Regs on Protection of Human Subjects and Institutional Review Boards
45 CFR 160 and 164-HIPAA Privacy Rule
301(d), 42 U.S.C. 241(d)-Public Health Service Act Certifications of Confidentiality
Access and Copy Information Patients are entitled to a copy of, or access to, the information in
the designated record set
What are two specific instances where a CE must seek permission from the individual if it wants to
use or disclose PHI? - First is "facility directories."
- Second is "uses and disclosures for involvement in the individual's care and notification
purposes."
Belmont Report 1979, aka Ethical Principles and Guidelines for the Protection of Human
Subjects of Research
Discovered "ethical lapses": Tuskegee syphilis study
- identified the difference between medical practice and research
- determined that where research is taking place, 3 basic ethical principles need to be followed to
protect human subjects: respect for persons (individual autonomy of each person); beneficence
(do no harm: maximize benefit, minimize possible harm); justice (do not take advantage of disadvantaged
populations)
Applied in 3 areas: Informed consent; assessment of risk and benefits; and selection of subjects
Can "Addressable" Security requirements be ignored? No
Can a Covered Entity also be a Business Associate? Yes, if the CE meets the BA definition.
DOES still require a separate executed BAA
Clinical investigation "Any experiment that involves a test article [regulated by the FDA] and
one or more human subjects"
Confidentiality "Refers to data; and to the agreements that are made about ways in which
information is restricted to certain people."
Declaration of Helsinki 1964, aka World Medical Association Declaration of Helsinki,
Ethical Principles for Medical Research Involving Human Subjects
Adopted by the World Medical Association (WMA)
Applies to physicians engaged in research regardless of the legal or regulatory frameworks that
may apply in the jurisdictions where their research is carried out
"protect life, health, dignity, integrity, right to self-determination, privacy, and confidentiality of
personal info of research subjects"
"protect privacy of research subjects and the confidentiality of personal info and minimize
impact of study on physical, mental, and social integrity"
"...where consent is impossible or impractical to obtain for such research or pose a threat to the
validity of the research, research only may be done after consideration and approval of a research
ethics committee..."
Department of Health and Human Services (DHHS) Oversees 4 regs regarding privacy and
confidentiality
Disclosure when information leaves the boundary of the legal entity or when it leaves the
HIPAA CE functions in a hybrid entity
Does a provider have to amend the record if a patient asks? No, it is only a request. If the provider
determines the record to be accurate, they can deny the request.
Does a provider need a standing facility to be considered a CE? No, a provider does not need
a standing facility to be considered a CE
Does USE and DISCLOSURE mean the same thing? No
Federal Education Rights and Protection Act (FERPA) Generally, 1) gives parents and
students more control over educational records and 2) prohibits educational institutions from
disclosing PII in education records without written consent
1) protects confidentiality of medical records
2) limits disclosures of educational records
3) gives students/parents the right to review their own records
4) students must provide consent for parents to receive their educational records
5) directory information is not protected (opt out)
General Data Protection Regulations (GDPR) 1) European Union regulation on privacy
and security of PII that applies to any entity anywhere that services or collects PII on EU citizens
2) Individuals have the right to erasure or the right to be forgotten
Gramm-Leach-Bliley Act Summary 1) customers must be provided with a privacy notice about
NPI
2) must develop a written information security plan regarding handling customer data
What HIPAA grants the CE related to security
• Covered entities may use any security measures that allow the CE to reasonably and appropriately
implement the standards and implementation specifications.
• In deciding which security measures to use, a CE must take into account the following factors:
--The size, complexity, and capabilities of the CE
--The CE's technical infrastructure, hardware, and software security capabilities
--The costs of security measures
--The probability and criticality of potential risks to electronic protected health information.
HIPAA resides in what CFR section? 45 CFR sections 164.102 through 164.534