HIPAA & Regulatory Compliance - Key Terms (Video Notes)

Consent Types

  • Implied Consent: Based on behavior or action rather than a formal agreement. Example: Patient agrees to lab work by following the nurse to have blood drawn.

  • Verbal Consent: Given verbally for procedures/treatments with slight risk.

  • Informed Consent: Required for high-risk or invasive procedures/treatments. The doctor explains the proposed treatment, its associated risks, and the alternatives, and answers all questions; the patient then decides whether to undergo the procedure (e.g., surgery).

  • Quick mapping:

    • For procedures/treatments with no risk: Implied consent

    • For procedures/treatments with slight risk: Verbal consent

    • For procedures/treatments with high risk or invasive treatment: Informed consent

  • Example scenarios from the transcript:

    • Lab work by following nurse to have blood drawn

    • Open-heart surgery with risks, alternatives, and questions answered

Quiz: Consent Type

  • Question: A 54-year-old patient is scheduled for open-heart surgery to repair a blocked artery. The surgeon explains the risks, benefits, and alternatives of the procedure, and the patient signs a document agreeing to the surgery. What type of consent is required before performing this high-risk, invasive procedure?

    • A. Implied consent

    • B. Verbal consent

    • C. Informed consent

    • D. No consent needed

  • Answer: C. Informed consent

  • Rationale: High-risk, invasive procedures require informed consent, which includes explanation of risks/benefits/alternatives and patient understanding.

  • The same scenario appears a second time in the quiz; the answer is again C. Informed consent.

HIPAA Overview

  • HIPAA is a federal law that sets rules and protections around health information. It has four key components:

    • 1) Protects patient privacy: Protected Health Information (PHI) such as names, dates of birth, medical records, and insurance details must be kept confidential.

    • 2) Sets security standards: Electronic records and billing systems must follow safeguards to prevent unauthorized access, hacking, or data breaches.

    • 3) Standardizes electronic transactions: Requires uniform code sets and electronic formats for claims, such as:

      • ICD-10-CM for diagnoses

      • CPT/HCPCS for procedures and services

      • Standard electronic forms (e.g., the 837 claim form)

    • 4) Ensures compliance: Organizations can face heavy fines and penalties if PHI is mishandled or HIPAA rules are not followed.

HIPAA Privacy Rule

  • Governs what you can and can’t do with PHI in all forms (written, spoken, or electronic); its goal is to prevent unauthorized access to or sharing of PHI.

    • What it covers: All PHI, across all forms

    • Main focus: Rules for when and how patient information can be used or shared

    • Examples:

      • Patients can access their medical records

      • Providers need patient permission for most non-treatment uses (e.g., marketing)

HIPAA Security Rule

  • Governs how you must protect patient information in electronic form (ePHI).

    • What it covers: Only electronic PHI (ePHI)

    • Main focus: Security measures for electronic health information

    • Examples:

      • Using strong passwords and unique logins

      • Encrypting data and setting up firewalls

      • Limiting physical access to computers/servers

      • Training staff to follow security procedures

Covered Entities and Non-Covered Entities

  • HIPAA applies to “covered entities”: organizations or people who must follow HIPAA rules because they handle PHI in healthcare services or payment.

    • 1) Healthcare Providers – Doctors, nurses, hospitals, clinics, therapists, pharmacies, etc., who transmit health information electronically (billing, claims, eligibility checks)

    • 2) Health Plans – Insurance companies, HMOs, Medicare, Medicaid, employer-sponsored health plans

    • 3) Healthcare Clearinghouses – Entities that process non-standard health information into a standard format (or vice versa), such as billing services or repricing companies

  • Non-covered entities (not subject to HIPAA directly):

    • 1) Businesses (medical supply companies, applications, life insurance, workers’ compensation)

    • 2) Employers (in their role as employers, not as sponsors of a health plan)

    • 3) Schools and school districts

    • 4) Law enforcement agencies

    • 5) Many mobile apps or wellness programs

Protected Health Information (PHI) Identifiers (18 identifiers)

  • The following 18 identifiers, when linked to health information, make that information PHI:

  • 1. Name

  • 2. Address

  • 3. All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 (must be aggregated into “90 or older”)

  • 4. Telephone numbers

  • 5. Fax numbers

  • 6. Email addresses

  • 7. Social Security numbers

  • 8. Medical record numbers

  • 9. Health plan beneficiary numbers

  • 10. Account numbers

  • 11. Certificate/license numbers

  • 12. Vehicle identifiers (license plate numbers, serial numbers, etc.)

  • 13. Device identifiers and serial numbers

  • 14. Web URLs

  • 15. IP addresses

  • 16. Biometric identifiers (fingerprints, voice prints, retinal scans, etc.)

  • 17. Full-face photographs and comparable images

  • 18. Any other unique identifying number, code, or characteristic

HIPAA Quiz: NOT an Identifier

  • Question: According to HIPAA, which of the following is NOT one of the 18 specific identifiers that make health information PHI?

    • A. Facial photograph

    • B. Address

    • C. Health record number

    • D. Medical diagnosis

  • Answer: D. Medical diagnosis

Which is NOT PHI?

  • Question: Which is NOT considered PHI?

    • A. A patient’s MRI labeled with their name

    • B. Billing statement with patient ID and diagnosis code

    • C. A de-identified lab report with no linked identifiers

    • D. Discharge summary with patient’s medical record number

  • Answer: C. A de-identified lab report with no linked identifiers

Common PHI Breaches

  • Common examples of PHI breaches include:

    • Throwing away PHI without following proper procedures

    • Giving PHI to people who are not allowed to access it

    • Communicating patient information in public places (lobby, cafeteria, elevator)

    • Displaying patient information in unattended areas

    • Sharing patient information with family members or friends without patient consent

    • Accessing information about a patient not related to your job function

    • Sending PHI through unencrypted text messages

    • Not handling PHI carefully or securely

    • Posting or sharing PHI on the internet or social media without authorization

HIPAA Penalties (Civil and Criminal)

  • Baseline Civil Violation (Tier) penalties:

    • Unknowing: You didn’t know, and couldn’t reasonably have known, that you violated HIPAA. $100 to $50,000 per violation; annual maximum of $25,000 for repeated violations.

    • Reasonable cause: You should have known, but the violation wasn’t due to willful neglect. $1,000 to $50,000 per violation; annual maximum of $100,000 for repeated violations.

    • Willful Neglect (corrected): You violated HIPAA due to willful neglect, but corrected it within the required time. $10,000 to $50,000 per violation; annual maximum of $250,000 for repeated violations.

    • Willful Neglect (not corrected): You violated HIPAA on purpose and failed to correct the issue. $50,000 per violation; annual maximum of $1,500,000 for repeated violations.

  • Baseline Criminal Violations:

    • Knowingly obtaining or disclosing PHI: Fine up to $50,000; prison up to 1 year

    • Obtaining PHI under false pretenses: Fine up to $100,000; prison up to 5 years

    • Obtaining/disclosing PHI for personal gain, commercial advantage, or malicious harm: Fine up to $250,000; prison up to 10 years

  • Practice Question (Penalties): Maximum penalty for knowingly selling, transferring, or using PHI for commercial advantage, personal gain, or malicious harm: $250,000 and 10 years in prison (Answer: D)

  • Note: The above outlines the civil and criminal penalties associated with HIPAA violations as presented in the material.

Disclosures Without Authorization (When PHI Can Be Shared Without Written Authorization)

  • PHI can be shared outside a healthcare facility for legitimate medical or business purposes; in the general case, written patient authorization is required and must include:

    1. Patient Identification: Full name, date of birth, and sometimes address or medical record number

    2. Recipient Information: Name of recipient (person, organization, or entity)

    3. Description of PHI to be Released: Exactly what information is being shared

    4. Purpose of Disclosure: Why information is being shared (treatment, insurance, legal, personal use)

    5. Expiration Date or Event: When authorization ends

    6. Patient’s Signature and Date: Consent affirmation

    7. Right to Revoke: Written revocation rights and how to revoke

    8. Potential for Redisclosure: Notice that the recipient might share it further and original provider’s protection obligations may end

  • Instances where PHI can be used/disclosed without authorization include:

    • Treatment: Sharing PHI among providers to provide care (e.g., primary doctor to specialist)

    • Payment: Billing or verifying insurance (e.g., hospital to insurer for reimbursement)

    • Operations: Quality assessments, audits, staff training

    • Law Enforcement, Public Interest and Benefit Activities:

      • Required by law (e.g., subpoenas, gunshot wound reporting)

      • Law enforcement purposes (identifying suspects, reporting crimes on hospital premises)

      • Essential government functions

      • Workers’ Compensation claims

      • Coroners, funeral directors, organ donation (sharing cause-of-death information with a coroner or organ bank)

    • Limited Data Set: Research (coded patient records) and Public Health (reporting communicable diseases)

PHI Disclosures Without Authorization: Practice Questions

  • Question: Which situation allows the disclosure of a patient’s PHI without obtaining patient authorization under HIPAA?

    • A. At the patient’s request for personal use

    • B. To a public health authority for reporting communicable diseases

    • C. To a patient’s employer for general HR records

    • D. To a friend or family member without the patient’s knowledge

  • Answer: B

  • A similar question (“Which situation allows disclosure without authorization?”) is asked of the gunshot-wound scenario below.

  • Answer: C (Reporting a gunshot wound to law enforcement as required by state law)

  • Question: In which situation can a provider disclose PHI without authorization?

    • A. Sharing a patient’s chart with a family member who asks for it

    • B. Providing records to an attorney who calls the hospital for information

    • C. Reporting a gunshot wound to law enforcement as required by state law

    • D. Sending medical history to a patient’s employer for insurance purposes

  • Answer: C

Psychotherapy Notes

  • Psychotherapy notes have special protection under HIPAA:

    • Defined as the personal notes of a mental health professional documenting or analyzing counseling sessions

    • They are kept separate from the medical record

    • They cannot be disclosed without the patient’s authorization except in very limited cases (e.g., a court order)

HITECH Act

  • The HITECH Act promotes and provides financial incentives for the use of Electronic Health Records (EHRs) by healthcare providers

  • It strengthens the HIPAA Privacy and Security Rules by:

    • Requiring entities to notify individuals and the Department of Health and Human Services (HHS) when there is a security breach of PHI

    • Requiring action if PHI is breached (e.g., sending a patient invoice to the wrong address may require a phone call to the patient; if more than 500 patient records are affected, the media must be notified and identity theft protection services offered)

Other Health-Related Laws

  • Fair Debt Collection Practices Act (FDCPA): A federal law regulating how debt collectors can communicate with consumers when collecting a debt. Prohibits:

    • Harassment, threats, or abusive language

    • Calls before 8 a.m. or after 9 p.m. (unless you agree)

    • Contact at work if told not to

    • Misrepresentation of debt or pretending to be lawyers/government officials

    • Threats of arrest or harm to reputation

  • False Claims Act (FCA): A federal law making it illegal to knowingly submit false or fraudulent claims for payment to the U.S. government; carries penalties for knowingly submitting fraudulent claims

  • Stark Law (Physician Self-Referral Law): Prohibits physicians from referring Medicare/Medicaid patients to certain healthcare services where the physician (or immediate family member) has a financial relationship with the entity providing those services

HIPAA-Related Quiz Highlights

  • Which law offers financial incentives for meaningful use of electronic health records (EHRs)?

    • A. HIPAA

    • B. HITECH Act

    • C. Fair Debt Collection Practices Act

    • D. Stark Law

  • Answer: B. HITECH Act

  • Which law prohibits healthcare providers from referring patients to a facility in which they or an immediate family member have a financial interest?

    • A. HIPAA

    • B. HITECH Act

    • C. Fair Debt Collection Practices Act

    • D. Stark Law

  • Answer: D. Stark Law

Homework and Week 2 Overview

  • The slides indicate the Week 2 activities and materials:

    • Unit 1 Lesson 1 Slides

    • Unit 1 Lesson 1 Worksheet

    • Unit 1 Lesson 1 Quiz

    • Unit 1 Lesson 2 Slides

    • Unit 1 Lesson 2 Worksheet

    • Unit 1 Lesson 2 Quiz