What are the key elements of the HIPAA Privacy Rule?
Who is covered
What information is protected
How protected health information can be used and disclosed.
Who is Covered by the HIPAA Privacy Rule?
Health plans - Individual and group plans that provide or pay the cost of medical care are covered entities.
Health care providers - Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity.
Business Associates - a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involves the use or disclosure of individually identifiable health information.
Health care clearinghouses - entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa.
What Information is Protected by the HIPAA Privacy Rule?
"Individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.
This includes demographic data, and it is information that relates to:
- the individual's past, present or future physical or mental health or condition;
- the provision of health care to the individual; or
- the past, present, or future payment for the provision of health care to the individual.
Are there restrictions on de-identified health information?
No
When can a covered entity use or disclose protected health information?
(1) as the Privacy Rule permits or requires.
(2) as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing.
What is meant by "minimum necessary" use and disclosure in relation to the HIPAA Privacy Rule?
A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
What are the twelve Public Interest and Benefit Activities of the Privacy Rule that permit use and disclosure of protected health information, without an individual's authorization or permission?
- Required by Law
- Public Health Activities
- Victims of Abuse, Neglect or Domestic Violence
- Health Oversight Activities
- Judicial and Administrative Proceedings
- Law Enforcement Purposes
- Decedents
- Cadaveric Organ, Eye, or Tissue Donation
- Research
- Serious Threat to Health or Safety
- Essential Government Functions
- Workers' Compensation
Under the HIPAA Privacy Rule, a covered entity must share its privacy policy with all patients. When is it required that they share this privacy policy?
Not later than the first service encounter
When requested by a patient
Electronically on their website
How often must a covered entity share its Privacy Policy with its patients?
At least every three years to notify them that it is available upon request
How long must a covered entity retain any records or documentation related to personal health information for a patient?
Until six years after the later of the date of their creation or last effective date
What are the key elements of the HIPAA Security Rule?
Who is covered
What information is protected
What safeguards must be in place to ensure appropriate protection of electronic protected health information.
Who is Covered by the HIPAA Security Rule?
Health plans - Individual and group plans that provide or pay the cost of medical care are covered entities.
Health care providers - Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity.
Business Associates - a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involves the use or disclosure of individually identifiable health information.
Health care clearinghouses - entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa.
What Information is Protected by the HIPAA Security Rule?
Individually identifiable health information, called protected health information (PHI), as explained in the Privacy Rule; specifically, the Security Rule protects the subset of that information which a covered entity creates, receives, maintains or transmits in electronic form (e-PHI).
The HIPAA Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
Specifically, covered entities must follow what four steps?
1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
2. Identify and protect against reasonably anticipated threats to the security or integrity of the information
3. Protect against reasonably anticipated, impermissible uses or disclosures
4. Ensure compliance by their workforce.
What Physical Safeguards must a covered entity utilize?
Facility Access and Control - limit physical access to its facilities while ensuring that authorized access is allowed
Workstation and Device Security - implement policies and procedures to specify proper use of and access to workstations and electronic media
What Technical Safeguards must a covered entity utilize?
- Access Control - technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
- Audit Controls - hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity Controls - policies and procedures to ensure that e-PHI is not improperly altered or destroyed.
- Transmission Security - technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
What are the names of the five sections of The NBHWC Standards of Ethical Conduct?
Section 1: Professional Conduct at Large
Section 2: Conflicts of Interest
Section 3: Professional Conduct with Clients
Section 4: Confidentiality/Privacy
Section 5: Continuing Development
What is the NBHWC Pledge of Ethics?
As a Health and Wellness coach, I acknowledge and agree to honor my ethical and legal obligations to my coaching clients and sponsors, colleagues, and to the public at large. I pledge to comply with the NBHWC Code of Ethics and to practice these standards with those whom I coach, teach, mentor or supervise.