Public Law
Involves the government at any level and its relationship with individuals and organizations
Criminal Law
Where the government is a party against an accused who has been charged with violating a criminal statute
Private Law
Involves rights and duties among private entities and individuals
Civil Law
Noncriminal law
Torts
Wrongful civil act that results in injury to another
Constitutional Law
Defines the amount and types of power and authority governments are given
Legislative
U.S. Congress and House of Representatives and Senate, creates statutory law
Executive Branch
President and staff at cabinet-level agencies, enforces law
Judicial Branch
The court system, interprets law passed by the legislative branch
Statutes
Enacted by legislative bodies
Administrative Law
Public law, develop and enforce rules and regulations that carry out the intent of statutes
Judicial Law
Law created from the court decisions
Arbitration
Parties agree to submit a dispute to a third party to decide
Mediation
Parties agree to submit a dispute to a third party who assists the parties in reaching a resolution
Discovery
Pretrial process in a time period in which parties to a lawsuit use various strategies to discover or obtain information about a case
Deposition
Obtains the parties' and other witnesses' out-of-court testimony under oath
Interrogatories
Written questions to the parties in order to obtain information
Subpoena
Legal document that facilitates discovery by instructing someone to do something
Subpoena Ad Testificandum
Seeks one’s testimony
Subpoena Duces Tecum
Seeks documents and other records one can bring with him or her
Contempt of Court
Failure to comply
Metadata
Data about data
Spoliation
Act of destroying, changing, or hiding evidence intentionally
Legal Hold
Generally a court order to preserve a health record if there is concern about destruction
Voir Dire
Selecting a jury
Federal Rules of Evidence (FRE)
Govern admissibility in the federal court system
Hearsay
Out of court statement used to prove the truth of the matter and is inherently deemed untrustworthy
Business Records Exemption
Business records are deemed inherently trustworthy and are admissible as long as they are made at or near the time of the event being recorded
Negligence
Unintentional wrongdoing
Nonfeasance
Failure to act as a prudent person would
Malfeasance
Wrong or improper act that may be unlawful
Misfeasance
Improper performance during an otherwise correct act
For a negligence lawsuit to be successful the plaintiff must prove what four elements?
The existence of a duty to meet a standard of care
Breach or deviation from that duty
Causation, the relationship between the defendant's conduct and the harm that was suffered
Injury that may be economic or noneconomic
General Consent
Consent for routine treatment
Informed Consent
Patient has basic understanding of the diagnosis and nature of the treatment or procedure
Durable Power of Attorney for Healthcare Decisions (DPOA-HCD)
An individual, while still competent, designates another person to make healthcare decisions consistent with the individual's wishes on his or her behalf
Living Will
Executed by a competent adult expressing the individual’s wishes on his or her behalf
Living Will
Executed by a competent adult expressing the individual’s wishes regarding treatment should the individual become afflicted with certain conditions
Privileged Communication
Laws generally prohibit medical practitioners from disclosing information during litigation if that information arises from the parties' professional relationship and relates to the patient's care and treatment
Jurisdiction
Legal authority to make decisions
Authentication
Affirms a health record's legitimacy through testimony or written validation
Personal Health Record (PHR)
Owned and managed by the individual who was the subject of the health record, not the business record of the organization
False Claims Act
False claims against the government
Licensure
Designation given to individuals or organizations by a government agency or board that gives the individual permission to practice
Certification
A designation given by a private organization to acknowledge a requisite level of knowledge, competency, and skills
HIPAA Privacy Act
Governs the protection of protected health information
Preemption
Federal law may supersede state law; the HIPAA Privacy Rule is only a federal floor of privacy requirements, so it does not supersede stricter state statutes
American Recovery and Reinvestment Act (ARRA)
Provided significant funding for health information technology and other economic stimulus funding, creator of HITECH
Covered Entity
Person or organization other than a member of the CE’s workforce that performs functions or activities on behalf of a CE that involve the use or disclosure of PHI
Three part test in order to identify PHI
First - The information must be held or transmitted by a CE or a BA
Second - The information must be individually identifiable health information
Third - It must relate to a person’s past, present, or future physical or mental health condition
Designated Record Set
Includes the health records, billing records, and various claim records that are used to make decisions about an individual
Minimum Necessary Standard
Requires that uses, disclosures, and requests may be limited to only the amount needed to accomplish the intended purpose
Public Interest and Benefit Circumstances
16 circumstances where PHI can be used or disclosed without an individual's authorization
Breach Notification
Breach notification regulations are issued by the Federal Trade Commission (FTC)
A breach should be presumed following an impermissible use or disclosure unless the covered entity demonstrates a low probability that the PHI has been compromised
All individuals whose information has been breached must be notified without unreasonable delay, no more than 60 days
If 500 or more individuals are affected, they must be individually notified as well
Individuals must be given a description of what occurred, the types of PHI that were involved, and the steps that can be taken to protect themselves
Disclosure of Health Information
Process of providing PHI access to individuals or entities that are authorized to either receive or review it
Step 1 - Enter the request in the disclosure of health information database
Step 2 - Determine the validity of authorization
Step 3 - Verify the patient's identity
Step 4 - Process the request
Data Integrity
Data is complete, accurate, consistent and up to date, so the data is reliable
Social Engineering
Manipulation of individuals to freely disclose personal information or account credentials to hackers
Phishing
Hacker sends what appears to be a legitimate e-mail from a legitimate company requesting the target to click a link within the email
Spear Phishing
The hacker researches the individual and comes up with an e-mail that would be interesting to that individual
Baiting
Leaving an infected USB in a public area and hoping that someone will come by and pick it up
Tailgating
Hacker gains access to a restricted area by using an authorized individual's access
Malware
Any type of software attack designed to disrupt mobile or computer operations
Computer Virus
Program that reproduces itself and attaches itself to legitimate programs on a computer
Computer Worm
Program that reproduces itself and attaches itself to legitimate programs on a computer
Trojan Horse
Program that gains unauthorized access to a computer and masquerades as a useful function
Spyware
Computer program that tracks an individual’s activity on a computer system
Back Door Program
Computer program that bypasses unauthorized access to a computer and assumes control of it and modifies the operating system
Ransomware
Malicious software that a hacker sends employees to block access to a computer system; victims will see an electronic ransom note appear on the screen
Security Incident
Attempted or successful unauthorized access, use, disclosure, modification, or destruction of information
Risk Management
Comprehensive program of activity that is intended to minimize the potential for injuries to occur in a facility
Risk Analysis
Involves assessing security threats and vulnerabilities and the likely impact of any vulnerabilities
Access Safeguards
Fundamental security strategy is the identification of which employees should have access to what data
Access Control
Restriction of access to information and information resources to only those who are authorized
Two Factor Authorization
Providing information from two or three different types of authentication information
Three types of authentication information are
Passwords, Smart Cards and tokens, and biometrics
Physical Safeguards
Physical protection of information resources from physical damage, loss from natural or other disasters, and theft
Administrative Safeguards
Physical protection of information resources from physical damage, loss from natural or other disasters, and theft
Administrative Safeguards
Policies and procedures that address the management of computer resources
Edit Check
Help ensure data integrity by allowing only reasonable and predetermined values to be entered into the computer
Firewall
Designed to block unauthorized access while permitting authorized communications
Cryptography
Branch of mathematics that is based on the transformation of data by developing ciphers
Encryption
Method of encoding data, converting them to a jumble of unreadable, scrambled characters and symbols as they are transmitted through a telecommunication network, so they are not understood by persons who do not have a key
Risk Analysis
Helps to ensure maintenance of the confidentiality, integrity, and availability of ePHI
Workforce Security
Ensuring appropriate clearance procedures to grant access to individually identifiable information to workforce members who need to use PHI to perform their duties
Facility Access Controls
Allowing access to the appropriate people to the facility
Workstation Use
How workstations that access PHI are used
Server Redundancy
Reduce the risk that information is not accessible during a server crash