Using the attached form, complete this week's reflections related to your readings, assignments, and implications for current or future practice.
Chapter 11: HIPAA Privacy Rule, Part II
Fundamentals of Law for Health Informatics and Information Management, Third Edition
© 2017 American Health Information Management Association
HIPAA: Individual Rights
The HIPAA Privacy Rule gives individuals rights that provide some control over their health information
Access
Request amendment
Accounting of disclosures
Request confidential communications
Request restrictions
Complain of privacy rule violations
HIPAA: Individual Right of Access
Can access one’s own PHI contained in a designated record set
There are exceptions to access
Examples: Psychotherapy notes; information compiled for civil or criminal actions
Denial of access
May be subject to review (appeal)
May not be subject to review (appeal)
HIPAA: Individual Right of Access (continued)
May require that the request be in writing
Covered entity must respond within 30 days after request received
30 days from receipt of request
Permitted 30-day extension if written statement includes reason for delay and date covered entity will complete its action.
Extended time permitted for records not maintained on site
Per HITECH, covered entities with EHRs must make PHI available electronically, or must send it to designated person or entity electronically if individual requests
HIPAA: Individual Right of Access (continued)
Reasonable fee may be imposed on individual’s request
Labor and supplies
Search and retrieval fees may not be charged to individuals for their own records
Postage, when individual has requested information to be mailed
Preparation of an explanation summary, if agreed to by the individual in advance
Stricter state laws may apply to fees
HIPAA: Individual Right to Request Amendment
Individual has the right to request an amendment to his or her health information
May require the amendment request to be in writing
HIPAA provides reasons that an amendment request may be denied
Timely response to the request is required
HIPAA provides process for denial of amendment requests
HIPAA: Individual Right of Accounting of Disclosures
An individual has the right to know about instances where his or her PHI has been disclosed
Accounting includes:
Date of disclosure
Name and address of entity or person who received the information
Brief statement of the purpose of the disclosure
Timely response to request for accounting
First accounting within a 12-month period is free
Must account for disclosures in past 3 years
HIPAA: Individual Right of Accounting of Disclosures
Exceptions (disclosures not required to be accounted for)
For TPO purposes (unless disclosed from an EHR)
Individual was given his/her own PHI
Incident to an otherwise permitted or required use or disclosure
Pursuant to an authorization
Use in a facility directory, to persons involved in the individual’s care, or for other notification purposes
To meet national security or intelligence requirements
To correctional institutions or law enforcement officials
Limited data set
That occurred before the HIPAA privacy compliance date
HIPAA: Individual Right of Accounting of Disclosures
Per HITECH, pending “access report” would require CEs to account for everyone who used or disclosed electronic health information in a DRS
HIPAA: Individual Right of Confidential Communications
Individuals have the right to request alternative routing/destination of PHI
Requests may be refused if information is not provided as to how payment will be handled
HIPAA: Individual Right to Request Restrictions
Individuals may request restrictions on uses and disclosures of PHI to carry out TPO
Covered entity does not have to agree to the requested restriction
Exception: Per HITECH, covered entity must agree if disclosure would be made to health plan for payment or operations, and PHI pertains solely to an item or service that has been paid for in full by other than the health plan
Must document and abide by request if covered entity agrees to it, unless and until terminated with notice to the other party
HIPAA: Individual Right to Complain of Violations
Notice of Privacy Practices must inform individuals of right to complain at CE level and to the US Department of Health and Human Services, along with contact information
HIPAA: Breach
Breach is an “unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information”
Several exceptions
Requirements apply only to unsecured PHI: that which technology has not made unusable, unreadable, or indecipherable to unauthorized persons
An impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates a low probability the PHI has been compromised
HIPAA: Breach Notification
HITECH requires breach notification as mitigation
Notification to individuals affected
Notification to HHS via online portal
HIPAA-covered entities and BAs subject to HHS regulations
Non-HIPAA-covered entities and non-BAs subject to FTC regulations
Includes PHR vendors, third-party service providers of PHR vendors
HIPAA: Breach Notification (continued)
Must inform affected individuals of
Description of what occurred (including date of breach and date of discovery)
Types of unsecured PHI involved
Steps individual may take to protect him/herself
Entity’s steps to investigate, mitigate, prevent in the future
Contact information for individuals to ask questions and receive updates
HIPAA: Breach Notification (continued)
If a breach affects 500+ individuals, immediate notification is required to:
Local media outlets
Secretary of HHS for posting on breach portal
HIPAA: Research
HIPAA affects research in the following ways:
When authorization is required
Research is a public interest and benefit authorization exception, but IRB or privacy board must approve variations to authorization requirement
In what form authorization may occur:
Standalone
Compound (informed consent + authorization)
Conditioned + unconditioned
Altered
Waived
HIPAA: Preemption
HIPAA is a federal floor, or minimum, on patient privacy requirements.
State laws contrary to HIPAA apply if they are “more stringent”
Provide greater privacy protections
Provide greater patient rights regarding their PHI
or
Fulfill specific purposes enumerated in the law (i.e., are less stringent but serve purposes such as controlling regulated substances or preventing healthcare fraud and abuse)
HIPAA: Administrative Requirements
Policies and procedures
Designation of privacy officer
Workforce training
Non-disclosure agreements
Mitigation
Include process for handling privacy complaints
Data safeguards
Retaliation and waiver
Document and record retention (HIPAA standard is 6 years)
HIPAA: Penalties and Enforcement
HIPAA Enforcement Rule (2006)
Penalties for non-compliance apply to both CEs and BAs
Civil
Criminal
Penalty categories
Unknowing
Due to reasonable cause and not willful neglect
Due to willful neglect/corrected within 30 days of discovery
Due to willful neglect and not corrected as required
HIPAA: Penalties and Enforcement Per HITECH
HHS contracts with a private entity to conduct random audits (no longer complaint-driven only)
State attorneys general may bring civil actions in federal court representing citizens affected by HIPAA violations
Individuals can now be individually prosecuted
Recommendations for compensating individuals harmed by violations
20 pts

Discussion Criteria: Application of Course Knowledge
Exemplary (10 Points): Journal contributes reflections and unique perspectives or insights gleaned from weekly objectives or examples from the healthcare field.
Developing (7 Points): Journal entry has limited application of course knowledge and demonstration of perspectives.
Needs Improvement (4 Points): Journal does not reflect application of course knowledge and personal insights or examples from healthcare.
Faculty Comments:

Discussion Criteria: Grammar, Syntax, APA Format
Exemplary (10 Points): APA format, grammar, spelling, and/or punctuation are accurate, or with zero to three errors.
Developing (7 Points): Four to six errors in APA format, grammar, spelling, and syntax noted.
Needs Improvement (4 Points): Journal entry contains greater than six errors in APA format, grammar, spelling, and/or punctuation or repeatedly makes the same errors after faculty feedback.
Faculty Comments:
Name:
Date:
1. Summarize and reflect on this week’s readings and learning activities.
2. How will these concepts impact your own professional practice now or in the future?