Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
191 Cards in this Set
- Front
- Back
Access
|
right of an individual to inspect and obtain a copy of his or her own health information that is contained in a designated record set
|
|
Use
|
sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within an entity that maintains such information
|
|
Disclosure
|
(release of information) release of confidential information that identifies a patient to another entity or person
|
|
Primary Data Source
|
A record developed by healthcare professionals in the process of providing patient care
|
|
Records can be used for
|
* public health reporting *research *quality & safety measures *payment *provider certification & accreditation *marketing
|
|
Data
|
may be patient specific or de-identified aggregate for statistical purposes
|
|
Secondary Data
|
When data from a record are used for purposes other than what was intended
|
|
ARRA - the American Recovery and Reinvestment Act provides
|
Provides financial incentives to promote the use and electronic sharing of PHI through the implementation of *EHR'S *HIE'S *HIO'S
|
|
What are 3 things that ARRA initiated
|
*HIE - Health Information Exchange *HIO - Health Information Org *RHIO - Regional Health Info Org
|
|
HIE - Health Information Exchanges
|
Electronic movement of health related information among organizations within a region or community that facilitates access to & retrieval of clinical data in support of safe, timely, efficient patient-centered care
|
|
HIE - Health Information Exchanges
|
an organization or entity that forms to create an electronic framework to connect physicians to pharmacies, hospitals & other healthcare entities
|
|
HIO - Health Information Organization
|
An Organization that oversee's & governs the exchange of health related information among organizations according to nationally recognized standards
|
|
RHIO - Regional Health Information Organization
|
A health information organization that brings together health care stakeholders within a defined geographic area & governs health information exchange among them for the purpose of improving health in that community
|
|
HITECH remains
|
silent on the issue of who owns the information generated through the HIE, HIO, & RHIO's
|
|
DHHS - ONC - Office of the National Coordinator for Health Information Technology
|
is addressing issues of access, use & disclosure of PHI among the HIE's etc, including what rights patients have to allow or deny disclosure of their PHI to these entities for secondary data uses
|
|
The Office of the National Coordinator published
|
"National Privacy & Security Framework for Electronic Exchange of Individual Identified Health Information" for the purpose of establishing a single, consistent approach to address the privacy & security challenges related to electronic health information exchange through a network for all persons regardless of the legal framework that may apply to a particular organization
|
|
AMIA - American Medical Informatics Association suggests that
|
organizations develop a full disclosure policy on ownership - informs patients that while they do not have exclusive ownership of their information, they have the right to know what is collected about them & what secondary uses may be made of the information
|
|
Access to Patient Health Information Federal Regulations - HIPAA
|
Individual has certain rights to access, use, & disclose his or her protected health information (PHI). Authorization & accounting of disclosure requirements
|
|
HITECH - Health Information Technology for Economic & Clinical Health
|
passed as a portion of the ARRA - American Recovery and Reinvestment Act - contains changes to the HIPAA Privacy Rule - who is covered, what information is protected, & what safeguards must be in place to ensure appropriate protection of electronic protected health information
|
|
Oregon law - Internal Release of Information
|
Recommendation regarding continuing care: Request release information to outside facility in non-emergency situations but the transfer of information should not be delayed waiting for release/*Healthcare Facility employees & appointed representatives: Need to Know is the guiding principle for employees & appointed representatives. Access must be limited to specific information required for the individual to fulfill their job responsibilities.
|
|
Who Can Access Health Information?
|
*Competent Adult *Age of majority - MOST STATES AGE 18 *Individual's authorized personal representative *Individual who holds persons durable power of attorney or durable power of attorney for healthcare decisions
|
|
UHCDA - Uniform Health-Care Decision Act
|
A model created in 1993 that provides that an individual may give an oral or written instruction to a healthcare provider that remains in force even after the individual loses capacity, and suggests decision-making priority for that individuals surrogates.
|
|
Decision making priority
|
-Spouse -Adult child -Parent -Adult sibling -Adult non-relative familiar with patient -Court appointed individual
|
|
Competent Adult
|
an individual who is mentally & physically competent to tend to his own affairs & has reached the age of majority - 18 - * Can appoint a person to be their PERSONAL REPRESENTATIVE
|
|
Personal Representative
|
Someone who is legally authorized to make healthcare decisions on an individuals behalf or to act on behalf of a deceased individual and/or their estate
|
|
Age of Majority
|
18 in most states
|
|
How does an Incompetent adult access their health information?
|
Age of majority, but is incapacitated, Court must legally deem person incompetent & appoint legal guardian who may be spouse, parent, sibling, agent, attorney, or surrogate
|
|
Rights of competent adult or legal guardian of incompetent adult
|
To request, receive, examine, copy & authorize disclosure/release of PHI
|
|
Minors - who can access health information
|
Individuals under the age of 18 who are not legally emancipated (declared an adult) by the court require parental authorization
|
|
Minors are considered legally incompetent & unable to make decisions regarding treatment or handling of health information unless per state law
|
minors can consent to treatment for abortions, mental health, substance abuse treatment, and/or STD treatment, then minors can authorize access, use, & disclosure of their own healthcare information
|
|
Who can access a Minors Health Information
|
Parental authorization typically required as recognized by law -Married biological parents -Separated or divorced biological parent(s) -Adoptive parents -Foster parents -Grandparents -Legal guardians -Relative with guardianship while parent is overseas or in service -State law defines parent who can sign
|
|
Parental Authorization Not Required
|
-Emancipated minor under the age of majority & self-supporting with parents who have surrendered their rights of custody, care, and support -Minor who is married or previously married -Minor in the military -Minor who is a parent of a child -Minor who reaches age of majority while under treatment -Minor treated for drug or alcohol dependency, mental health, STDs or HIV/AIDs, contraception & abortion per state laws
|
|
Rights of a noncustodial parent or others
|
-Parent who does not have legal custody of the child -Legally endowed with parental rights which allow access unless stated otherwise by state law *Scenario: Father seeks medical records of his child. It is learned that the father has visitation rights with the child, but is the non custodial parent. Should the requested records be given to him?
|
|
Minors - Best practice regardless of person's age or competence
|
- in case of noncustodial parent, seek authorization whenever possible.
|
|
Emancipated minor - Best practice regardless of person's age or competence
|
- request copy of court order and/or other proof that minor is emancipated
|
|
Incompetent adult - Best practice regardless of person's age or competence
|
require legal documentation of the incompetent adult's legal position & the reason the adult is unable to sign the authorization, along with documentation of the personal representative's authority to access or authorize disclosure of the incompetent adult's PHI
|
|
Types of Sensitive Health Information
|
-Behavioral (mental) health information -Substance (alcohol and drug) abuse records -HIV/AIDS records -Genetic information -Adoption information -Specific authorization required
|
|
Behavioral Health Records
|
General rule: mental health information is to be kept confidential *What state law says: *provides protections *provides exceptions
|
|
Behavioral Health Records - Requests by patients
|
-Historically, denied (believed injurious to their mental health) -Today, facility policies may still require asking the physician first -Some states specifically grant right of access to patient, which is consistent with HIPAA Privacy Rule
|
|
Requests by others - Behavioral Health Records
|
Right of access is generally per state statute *Factors to consider: *Authorization form shall specify that release of behavioral health information is authorized *Identity of mental health patients are often protected by state statute. Why? How has HIPAA changed this? State statute must comply with HIPAA
|
|
Duty to warn
|
Required under certain circumstances *State laws may permit or even compel psychologists & psychiatrists to use their discretion to warn intended victims of potential harm without the patient's authorization *Tarasoff v/s The Regents of the University of California
|
|
Substance Abuse Records Federal laws apply to:
|
-Any "federally assisted" drug & alcohol programs (broadly defined) -"Programs" providing diagnosis, treatment or referral for drug & alcohol abuse (also broadly defined) **Entity dedicated to these services **Unit of a general medical facility dedicated to these services **Medical personnel with primary function to provide these services
|
|
Federal Law on Substance Abuse Records
|
-Protects the identity of substance abuse patients (not just their clinical information) -Form shall specify release of substance abuse information is authorized; must contain certain items to be valid -If minor can consent to treatment per state law, minor authorizes release of the records -Limited exceptions to authorization requirement: medical emergency; scientific research, audits, program evaluation, court order; suspected child abuse -If federal and state law conflict, the most restrictive (most protective of patient confidentiality) wins
|
|
Re-disclosure Statement Drug & Alcohol Records
|
This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR Part 2). The federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2. A general authorization for the disclosure of medical or other information is NOT sufficient for this purpose. The federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient. Rev. 04/12
|
|
ROI General rule: HIV/AIDS information is to be kept confidential
|
Example of an HIV/AIDS state law that: -Provides protections -Then provides exceptions **Wrongful disclosure leads to civil penalties *For example, Ohio law protects: -ID of individual receiving HIV test -Results of HIV test in form that IDs individual -ID of individual diagnosed with AIDS or AIDS-related condition (ARC)
|
|
Genetic Information Nondiscrimination Act (GINA) of 2008
|
-Prohibits discrimination by health insurers & employers based on genetic information -Title I effective December 7, 2009, focuses on genetic nondiscrimination in health insurance; states that health plans may not use genetic information to make eligibility, coverage, underwriting, or premium-setting decisions
|
|
Title I of GINA modifies the HIPAA Privacy Rule to state that genetic information is health information & prohibits the use & disclosure of genetic information by covered health plans for underwriting purposes. Two exceptions:
|
1. Health insurers may request genetic information in the case that coverage of a particular claim would only be appropriate if there is a known genetic risk 2. When working in collaboration with external research entities, health insurers may request (but not require) in writing that an individual undergo a genetic test. The individual may do so voluntarily, but refusal to participate will have no negative effect on his or her premium or enrollment status. The collected genetic information may be used for research purposes only, not for underwriting decisions
|
|
Disclosure of Active Records of Currently Hospitalized or Ambulatory Care Patients
|
Currently hospitalized patient (inpatient) or a patient currently being seen in a clinic setting (outpatient) or their personal representative may access, inspect, obtain a copy of, or disclose PHI from the patient's record
|
|
Active record
|
is the term used to denote the health records of individuals who are currently hospitalized inpatients or outpatients
|
|
If active inpatient or outpatient wishes to access, copy, or disclose his or her PHI,
|
then the healthcare provider should follow the same policies & procedures that are in place for allowing the access, copying, and disclosure of PHI for patients not currently hospitalized or being treated as an outpatient
|
|
Deceased Patients
|
Access or disclosure of patient information on deceased patient usually determined by state law *HIPAA - individual has the same privacy rights in death as they did in life but leaves it up to states in terms of who qualifies as deceased person's legal representative for access, use, and disclosure purposes
|
|
Legal executor or administrator of the estate
|
has first rights to access deceased's PHI or records
|
|
In absence of executor
|
rely on UHCDA in identifying next-of-kin priority
|
|
Other states require that these individuals become
|
the deceased's official personal representative through appointment by a probate court or court order
|
|
Proposed HITECH rule changes to HIPAA Privacy Rule related to deceased patients provide for additional flexibility in the disclosure of PHI by:
|
(1) removing the PHI status from health records 50 years after the patient's death (2) permitting CE's to disclose decedent records to family members & others involved in the patient's care or payment of care unless doing so would be inconsistent with any known preference of the patient
|
|
Re-disclosure of Deceased Patient Records
|
-Generally, protected health information of a decedent is treated the same as when the decedent was alive -After death, the personal representative or other person authorized by law to act on behalf of the decedent takes on the role of the decedent under HIPAA -Covered entities must keep patient protected health information for at least 6 years
|
|
Regulations allow covered entities to release protected information
|
to a coroner or funeral director without consent or authorization -Use of deceased patient information for research is permitted without consent -Oregon law contains special protections for use of genetic information for research & preempts HIPAA in specific instances
|
|
Autopsies performed to determine cause of death
|
Objectionable to some religions & cultures
|
|
Consent to autopsy required
|
except where autopsy is needed to determine cause of death for public policy purposes
|
|
Privacy Rule allows release of PHI without authorization
|
to a medical examiner or coroner for purpose of identifying deceased person, determining cause of death, and other authorized purposes
|
|
If the death of the individual is not a medical examiner or coroner's case
|
the surviving spouse or descendants of the deceased may authorize the autopsy
|
|
Healthcare organization should require that an authorization form be
|
completed & retained in the health record for evidentiary purposes
|
|
When is a valid authorization required for Third Party Payers
|
Unless contractual agreement in place - written authorization -Written policies & procedures
|
|
When is a valid authorization required for a CEO
|
not required
|
|
When is a valid authorization required for the Governing Board
|
owner of record -need to know basis *Patient authorization required in all other instances
|
|
When is a valid authorization required for Facility Attorney
|
* No - when hospital is party to a lawsuit * Yes - when hospital is not a party
|
|
When is a valid authorization required for Facility insurance carrier
|
- not required when investigating claims
|
|
When is a valid authorization required for Medical record personnel
|
- not required
|
|
When is a valid authorization required for Admitting office personnel
|
- not required on "need to know" basis
|
|
When is a valid authorization required for Business office personnel
|
- final Dx and procedures only - not required
|
|
When is a valid authorization required for Nursing staff
|
- access while patient is being treated - after discharge "need to know" authorization not required
|
|
Anti-terrorism Initiatives
|
Homeland Security Act of 2002
|
|
Homeland Security Act of 2002
|
-is designed to prevent terrorist attacks in the U.S. while reducing vulnerability to terrorism, minimizing its damages, and assisting in recovery from attacks in US
|
|
What does the Homeland Security Act of 2002 give to the Secretary of Homeland Security, the Authority to do
|
Access information that includes PHI without the authorization of the patient or personal representative
|
|
ROI for Public figures/celebrities
|
Special procedures must be implemented to protect patient confidentiality HIPAA: directory; general information released only with authorization -Omission of name from record, code name, or alias -Computer access & paper record access restricted on need-to-know basis -Designated spokesperson to address media questions -Staff training & nondisclosure statements
|
|
Guidelines for Release of Information
|
Follow all regulations & procedures for safeguarding the confidentiality of electronically created stored & transmitted records, including passwords & level of access
|
|
Do not leave medical charts or insurance reports
|
out where patients or medical facility visitors can see them
|
|
See that When talking on the telephone
|
you do not use the caller's name if others in the room might overhear
|
|
Use caution in giving the results of medical tests
|
to patients over the phone or when leaving messages
|
|
Confidentiality protocol is
|
duly noted in the policy & procedure manual
|
|
Other Access, Requests, Disclosure Situations
|
-Laboratory Test Results -Clinical Laboratory Improvements Amendments (CLIA) -Insurance companies and government agencies payment requests -Medical Emergencies
|
|
Laboratories only to disclose test results or reports
|
to an "authorized person," who ordered test, unless state law states otherwise
|
|
Individual who is the subject of information is
|
not authorized to immediately & directly receive his or her laboratory test results unless defined by state law
|
|
Access to the individual's clinical laboratory information
|
will occur through the provider who ordered the test(s)
|
|
Medical Emergencies
|
-Obligation is to treat the patient & provide whatever information is necessary -This usually entails disclosing patient information without authorization
|
|
Insurance companies & government agencies payment requests
|
-Authorization if the information is for the payment of a specific episode of care (45 CFR 164.506) -Other information requests require patient authorization HIPAA Privacy Rule & requests for payment purposes, including utilization review & medical necessity review, do not require
|
|
Types of Request
|
-Verification of requester -Validity of authorization -Mail request -Telephone request -Electronic requests -fax, Internet -Walk-in request -On-site request -Request to send information electronically
|
|
ROI Reimbursement & Fee Structure
|
is a function of doing business
|
|
Federal regulations address cost for ROI
|
-HIPAA permits reasonable charges for labor, postage, etc -Other federal program set fees: CMS, QIO, OSHA, etc
|
|
State regulations on costs for ROI
|
See state medical record copying charges at: http://www.lamblawoffice.com/medical-records-copying-charges.html
|
|
Managing the Release of Information Process
|
-Accounting of disclosure & tracking releases -Steps to account for disclosure -Right to request restrictions -Reasons for refusing to disclose information
|
|
Release of Information - Rule of Thumb
|
Do not disclose any information about a patient to a third party without a signed consent. This extends to insurance companies, attorney & friends or family. It includes acknowledging whether or not the person is a patient
|
|
Patient Information Disclosure
|
DO NOT release information from a patient's medical record, except when specified by law or facility policy, without the written authorization of the patient, the guardian in the case of a minor, the Power of Attorney for health care in the case of an incompetent person, or the next of kin or executor of the estate in case of death
|
|
10 point consent
|
1. who is to release information 2. who is to receive information 3. name of the patient 4. description of the information to be released 5. purpose of the request 6. revocation statement ---"Consent is subject to revocation except to the extent that action has been taken in reliance upon consent" 7. signature of patient 8. date consent is given 9. time period it is valid 10. Re-disclosure statement - "Information disclosed may be protected by federal law & state law & I specifically consent to disclosure of such information."
|
|
HIPAA Privacy Rule - 12 public interest & benefits activities exceptions
|
1. Required by law, 45 CFR 164.512(a) 2. Public Health activities , 45 CFR 164.12(b) 3. Victims of Abuse, neglect, domestic violence 45 CFR 164.12(c) 4. Health oversight activities 45 CFR 164.12(d) 5. Judicial and administrative proceedings 45 CFR 164.12(e) 6. Law enforcement purposes 45 CFR 164.12(f) 7. Decedents 45 CFR 164.12(g) 8. Cadaver organ, eye or tissue donation 45 CFR 164.12(h) 9. Research 45 CFR 164.12(i 10. Prevent or lessen serious threat to health or safety 45 CFR 164.12(j) 11. Specialized government functions 45 CFR 164.12(k) 12. Workers Compensation 45 CFR 164.12(l)
|
|
For the 12 HIPAA exceptions, an individual is not
|
given the opportunity to agree or object to the disclosure of their information, nor is authorization required. The amount of information disclosed is usually defined by law or statute.
|
|
Doctrine of PREEMPTION
|
-Provides that federal law must be followed when federal & state laws conflict, unless the state law is more stringent on matter than federal law -State law will prevail if there are provisions of state law, including state procedures for reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention (45 CFR 160.203)
|
|
Notice of Privacy Practices
|
Under HIPAA, generally "..an individual has a right to adequate notice of the uses & disclosures of protected health information that may be made by the covered entity. . ." (45 CFR 164.520)
|
|
Notice of Privacy Practices should include
|
information regarding reporting without patient authorization under state & federal law
|
|
Accounting of Disclosures
|
Privacy Rule requires the tracking of disclosures of PHI made in writing, electronically, by telephone, or orally
|
|
Organization must track disclosures
|
in a central tracking system that enables departments to record disclosures
|
|
Common State Reporting Requirements
|
Births, Deaths, Abuse of a child or elderly, notifiable diseases, statewide cancer registry, trauma, medical examiner cases
|
|
Definition of a Child
|
any person under of 18 or physically or mentally handicapped up to age of 21
|
|
Abuse & neglect of children
|
Required by state law, reportable to law enforcement or county childrens' services boards in the county where the incident occurred
|
|
4 Types of neglect (maltreatment) defined by state law include
|
o Neglect o Physical abuse o Sexual abuse o Emotional abuse
|
|
State laws identify
|
-who must report child and neglect -the time frame for reporting -the kind of information reported
|
|
Most common reporting individuals are
|
healthcare practitioners, police officers, educators & human service workers
|
|
Reporting individuals
|
are given protection from civil or criminal liability through state statutes for reporting abuse & neglect made in good faith **No conflict with HIPAA regarding authorization for disclosure due to public interest & benefit exceptions
|
|
Abuse & Neglect of the Elderly & Disabled
|
-Includes individuals 60 years of age & older -Disability attributable to mental or physical impairment that results in functional limits
|
|
Types of Abuse & Neglect of the Elderly & Disabled
|
• Physical • Emotional • Financial • Sexual • Neglect • Abandonment
|
|
There may be separate laws
|
covering abuse in home setting (domestic abuse) versus abuse in institutional setting such as a nursing home *State laws also vary regarding required reporting of abuse of the elderly & disabled **No conflict with HIPAA regarding authorization for disclosure due to public interest & benefit exception
|
|
T or F State required reporting laws are an exception to the doctrine of Preemption
|
True
|
|
T or F When information is released to meet state required reporting laws, the release does not have to be included in the facilities accounting of disclosures
|
False
|
|
T or F Central Registries are covered by & must adhere to the requirements of HIPAA
|
False
|
|
T or F Abuse of the elderly is limited to financial exploitation of an elder persons assets
|
False
|
|
T or F Physical abuse is usually the only type of maltreatment that must be reported under child abuse laws
|
False
|
|
Vital records
|
Required by state & federal law - are births, deaths, marriages, divorces, abortions & fetal deaths
|
|
National Center for Health Statistics (NCHS) responsible
|
for working with state vital statistic laws
|
|
State laws requiring the reporting of vital statistics do not conflict with HIPAA
|
because under the privacy rule, the public interest & benefit exception of "public health activities" are permissible without authorization
|
|
Birth certificates
|
completed on every live birth •Two parts to certificate - identifying information & information on mother's pregnancy & any birth defects •Laws define how a father is acknowledged & what surname in entered for child
|
|
Death certificates
|
usually completed by funeral director -Includes identifying information about the deceased as well as information about the cause of death -Physician must provide the cause of death & sign the death certificate
|
|
Communicable diseases
|
-Transmitted from infected person, animal, or inanimate reservoir to a susceptible person or host by either direct or indirect contact -State laws define what diseases are reportable, by whom, and how they should be reported, also have provisions to keep information confidential
|
|
Notifiable diseases
|
classified according to their potential for endemic or epidemic spread & danger to public health, reportable within 24 hours usually (ie - anthrax, Ebola, hepatitis, malaria, measles , the more dangerous the shorter the reportable time frame)
|
|
Induced termination of pregnancy (abortion)
|
-State law requires healthcare organization where induced termination or pregnancy to report termination -Information typically reported: date of birth, race, marital status, and county & state of residence; the type of procedure performed; and resulting complications
|
|
Birth defects
|
Information may be obtained from birth certificates filed with the state used to determine trends in birth defects & to look for ways to prevent them ** Reportable under HIPAA exception public health activities
|
|
Reportable Deaths
|
•State law determines requirements for reporting certain deaths & what information can be disclosed in various cases (varies by circumstances & law enforcement involvement)
|
|
Types of reportable deaths
|
- Accidental death - Homicide - Suicide - Sudden death - Suspicious death - Death from abortion - Induced termination of pregnancy
|
|
Medical Examiner (ME)
|
is typically a physician with pathology training
|
|
Coroner
|
appointed or elected official, who may or may not be a physician
|
|
Deaths reportable to medical examiner vs. coroner
|
-Both responsible for investigating suspicious deaths -ME's & coroners have right to receive medical information needed to investigate the case without authorization & may have subpoena powers to collect such information
|
|
Information in Reportable Deaths form
|
*Name and address of the deceased *Age of the deceased, if known *Marital status of the deceased *Ethnicity of the deceased *Time of accident or onset of cause of death *Place, mode, and manner of injury *Place of death *Time of death *Location of body *Other pertinent data *Name of person reporting the case, including date & time *Name of physician who pronounced person dead
|
|
Reportable deaths have no issue with HIPAA due to
|
under the exceptions of public health activities & disclosure for law enforcement purposes, and about decedents
|
|
Reporting of Wounds
|
•Wounds such as knife wounds, gunshot wounds, and burns indicative of crimes must also be reported to legal authorities •States also require reporting of unusual events & other instances that might assist with public health prevention & control programs
|
|
Reporting of Wounds have no issue with HIPAA due to
|
exceptions of public health activities & disclosure for law enforcement purposes, and about decedents
|
|
Reporting Fetal Deaths
|
•Refers to death of fetus of particular weight frequently 500 grams or more, or 22 or more completed weeks of gestation
|
|
Depending on state law, responsibility for completing the fetal death certificate may lie with
|
- Designated person in the institution where the fetal death occurred -funeral director -Other person responsible for internment or cremation of remains -Physician in attendance if fetal death occurred outside an institution -If no one in attendance, must notify ME who completes death certificate
|
|
Unusual Events & Other State Reporting Requirements
|
-Medication errors -Transfusion reactions -Falls resulting in fractures -Wrong patient/wrong site surgical procedures -Operative complications
|
|
Prescription drug monitoring programs (PDMPs)
|
-Require pharmacies to report to state data bank on state identified controlled drugs
|
|
Nuclear Regulatory Commission (NRC)
|
-Oversight for medical use of ionizing radiation -Medical centers must report to state agency & NRC information on use of radioactive materials & any mis-administration of the material
|
|
Reporting Unusual Events & Other State Reporting Requirements have no issue with HIPAA due to
|
HIPAA Public interest & benefit exception of "required by law" or to "prevent or lessen a serious threat to public health or safety"
|
|
Worker's Compensation for Occupational Illnesses, Injury, Death • Purpose of legislation
|
-Ensures employees injured on job or become ill as result of job are provided with some means of support while recovering from illness or injury
|
|
Worker's Compensation process
|
-Employee or employee representative files a worker's compensation claim -Must sign an authorization to release medical information to the workers' compensation entity -Information may be disclosed to other state or federal agency without patient authorization
|
|
Reporting Worker's Compensation, have no issue with HIPAA due to
|
under the public interest & benefit section of workers compensation
|
|
Children's Health Act of 2000
|
-Restrict the use of restraints & seclusion in all psychiatric facilities that receive federal funds & in non-medical community-based facilities for children & youth •Use of restraints & seclusion restricted to emergency safety situations only •Parent or legal guardian must be notified no later than 24 hours after the occurrence
|
|
Quality Measures for CMS, Joint Commission & other entities require:
|
-Quality measures for hospitals, physician's offices, nursing homes, and other provider entities for purpose of improving the quality & safety of patient care -PHI collected is used for retrospective analysis & real-time reporting to comprehensively evaluate & manage quality improvement efforts -Data submitted to federally supported Quality Improvement Organizations (QIOs), Clinical Data Abstraction Centers (CDACs), CDC, & others
|
|
2010 Affordable Care Act
|
established mandatory quality reporting requirements for long-term care hospitals, inpatient rehabilitation facilities, and hospice programs, goes into effect in 2014 **•Mandatory reporting by hospitals already required •Medicare providers that fail to comply with data reporting requirements are subject to 2% reduction of reimbursement
|
|
Programs designed to prevent fraud & abuse
|
-Recovery Audit Contractors (RACs) -Medicare Administrative Contractors (MACs) -Medicaid Integrity Contractors (MICs) **•Purpose of these programs - to measure, prevent, identify, and correct incorrect payments under the Tax Relief & Health Care Act of 2006 & other federal healthcare reform legislation's
|
|
Purpose RACs, MACs, and MICs
|
to measure, prevent, identify, and correct incorrect payments under the Tax Relief & Health Care Act of 2006 & other federal healthcare reform legislation's
|
|
National Practitioner Data Banks (NPDB)
|
-Created by Health Care Quality Improvement Act of 1986, information expanded by Medicare & Medicaid Patient & Program Protection Act of 1987
|
|
Purpose of NPDB
|
identify & discipline those who engage in unprofessional behavior & restrict ability of incompetent healthcare practitioners to move from State to State without disclosure or discovery of previous medical malpractice payment & adverse action
|
|
Healthcare Integrity & Protection Data Bank (HIPDB)
|
- Established under Section 1128E of the Social Security Act; operational in 2000 *Purpose - to establish national healthcare fraud & abuse data collection program for reporting of final adverse actions (not including settlements in which no findings of liability have been made) against healthcare providers, suppliers, or practitioners
|
|
NPDB & HIPDB
|
• Information reported to the data banks is considered confidential & is not disclosed except as specified by regulation • Requirements include: - Who reports - What information is available - Who can query databases
|
|
Safe Medical Devices Act of 1990
|
-Requires reporting to the FDA & the product manufacturer of medical device occurrences that have or may have contributed to serious illness, serious injury, or death, including occurrences attributed to user error
|
|
Medical Device Amendments of 1992
|
clarified terms & established a single reporting standard for device users, manufacturers, importers, and distributors
|
|
Definition of Medical device
|
defined as anything that is used in treatment or diagnosis that is not a drug -X-ray machines, sutures, defibrillators, grafts, syringes, lasers, heating pads, bone screws, pumps, etc
|
|
Medical Device Reporting
|
FDA requires specific information to be reported within 10 days: -User facility report number -Name & address of the device manufacturer -Device brand name & common name -Product model, catalog, serial, and lot numbers -Brief description of event reported to manufacturer and/or the FDA -Where report was submitted (FDA, manufacturer, or distributor)
|
|
HIPAA allows medical device reporting without patient authorization
|
-To collect or report adverse events (or similar activities with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations -To track FDA-regulated products -To enable product recalls, repairs, replacements, or look back -To conduct post-marketing surveillance
|
|
Medical Device Reporting Under Freedom of Information and Privacy Act, FDA information maybe accessed but FDA is required to delete:
|
-Any personal, medical, and similar information that would constitute a clear unwarranted invasion of personal privacy -Trade secrets & confidential commercial or financial information related to the manufacturer -Identifying information of the reporter of the event
|
|
T or F The attending physician usually has responsibility for filing the death certificate
|
False
|
|
T or F Reporting of Notifiable diseases without the patients authorization is allowed under the public interest & benefit exception under HIPAA
|
True
|
|
T or F National Hospital quality data may only be released to the QIO or the CDAC with a signed authorization from the patient
|
False
|
|
T or F Every hospital receiving reimbursement from Medicare for implantable cardiac defibrillators must submit data to the American College of Cardiologists National Cardiovascular Data Registry
|
True
|
|
T or F Federal Law requires that a hospital study the designated organ procurement organization (OPO) in a timely manner regarding specified organ donors who die in the hospital or for whom death is iminent
|
True
|
|
Reporting of Occurrences with Electronic Health Record Systems
|
•FDA has also been studying the issue of regulating EHR's •ONC working with FDA & representatives of patient, clinician, vendor, and healthcare organizations to determine role FDA should play to improve the safe use of certified EHR technology
|
|
Federal Registry on Implantable Cardiac Defibrillators (ICDs)
|
*2005: Medicare expanded its coverage ICDs to eligible Medicare beneficiaries *Every hospital that seeks reimbursement for ICDs must participate in ICD registry
|
|
Organ Procurement Organization
|
•Federal law requires hospital notify designated organ procurement organization (OPO) in a timely manner regarding specified organ donors who die in the hospital or for whom death is imminent •Hospital & OPO must do annual death record reviews •Hospital is not violating confidentiality by calling the OPO & providing information about an individual who has died •No requirement in statute or regulations that family be informed about hospital's notification to OPO before OPO can be contacted
|
|
•Occupational Fatalities, Injuries, and Illnesses
|
•Federal occupational safety & health regulation requires employers to report work-related fatalities, injuries, and illnesses •Healthcare facilities may be required to release medical information relevant to fatality, injury, or illness to appropriate authorities per state law as well
|
|
Registries
|
•Database containing information about a disease or condition -Used for a broad range of purposes in public health & medicine, from evaluating patient care to monitoring defective devices •May be required by federal or state laws
|
|
Common requirement is that data submitted to the registry
|
be maintained in a confidential manner & identity of the patient be protected from disclosure
|
|
Types of Registries
|
- Cancer registry - Trauma registry - Immunization - Birth defects - Diabetes - Implant - Transplant
|
|
Type of registry determines
|
what patient information is reported
|
|
Disclosures to Public Health Authorities Not Required by Law
|
• Covered entities may disclose PHI to public health entities even if law does not specifically require the disclosure, if the disclosure is for the purpose of: preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority. (45 CFR 164.512(b))
|
|
T or F Information included in state registries is considered public information
|
False
|
|
T or F Immunization registries are different from other state registries because they allow access by the individuals included in the registry or their representatives such as parents
|
True
|
|
T or F Transplant registries may include data about organ donors as well as organ recipients
|
True
|
|
T or F Implant registries are frequently developed in response to highly publicized cases of harm resulting from implants to provide for easier notification of individuals
|
True
|
|
T or F Statewide cancer registries are frequently required to report data to the National Center for Health Statistics
|
False
|
|
T or F Ownership of a health record has traditionally bean granted to the patient
|
False
|
|
T or F A competent adult may wish to appoint another person to be their personal representative
|
True
|
|
T or F A minor who is emancipated must still have their parents authorize for disclosure of health information
|
False
|
|
T or F A noncustodial parent has the right to access the healthcare information of their minor child subject to other mitigating circumstances related to the minors rights to access
|
True
|
|
T or F Attorneys have automatic access to patient information because they are officers of the court
|
False
|
|
T or F HIPAA does not distinguish highly sensitive health information from other types of health information
|
False
|
|
T or F Privilege statutes legally protect confidential communications between provider & patient related to diagnosis & treatment from disclosure during civil & some criminal misdemeanor litigation
|
True
|
|
T or F The duty to warn obligation enables a physician to disclose information to a third party who may be the victim of harm perpetrated by a patient
|
True
|
|
T or F In order for a substance abuse program to be in compliance with the Privacy Rule, the authorization of disclosure of information should include specific elements required by the Privacy Rule
|
True
|
|
T or F The health records of HIV/AIDS patients should be clearly marked as such
|
False
|
|
AHIMA's Recommended Retention Standards for 5 years
|
Diagnostic images- xrays
|
|
AHIMA's Recommended Retention Standards for 10 years
|
-Disease index -Fetal heart records infant reaches age of majority -Operative Index - Patient records-adults-after most recent encounter -Physician Index
|
|
AHIMA's Recommended Retention Standards for permanent retention
|
-Register of births -Register of deaths -Register of surgical procedures -Master Patient Index
|
|
AHIMA's Recommended Retention Standards for Minors
|
Age of Majority plus statute of limitations
|