Hlth Info Mngmt
HIPAA
Question | Answer |
---|---|
healthcare provider that chooses to transmit health info electronically, a health plan, or healthcare clearinghouse, and must comply w/HIPAA's requirements | covered entity |
claims/encounter info, eligibility requests, referrals & authorizations, & claims status inquiries are the 4 types of medical info a health care provider can submit electronically/on-paper & are required to | transmit using HIPAA's standards |
health plan & healthcare clearinghouse must be able to receive the provider's 4 types of medical info subject to HIPAA standards, but also be able to electronically conduct | premium payments, claim payments, & remittance advice, enrollment & disenrollment, & coordination of benefits |
healthcare clearinghouse working on behalf of healthcare provider, in role of business associate, must also | comply w/HIPAA standards requirements under a "covered entity" |
electronic exchange of info between (2) covered-entity business partners using HIPAA-defined electronic data interface exchange transaction standards for the exchange | covered transactions |
patient sending email message to physician containing patient-identifiable info ___ be considered a covered transaction under HIPAA | would not |
physician transmitting electronic claim to health care plan or referral/auth. electronically to another physician, lab or hospital ___ be considered a covered transaction under HIPAA | would |
the receipt of a physician transmitting electronic claim to health care plan or referral/auth. electronically to another physician, lab or hospital | invokes security protections the physician must have in place under HIPAA |
computer-to-computer exchange of routine business info using publicly available standards | electronic data interchange (EDI) |
refers to transmission of info between 2 parties to carry out financial/administrative activities | transaction |
HIPAA requires that providers carefully define who has access to personal health information; what portions of PR available to front-office, utilization mgrs, billing personnel, etc. | minimum necessary |
discourage anyone from having open access to medical records that contain files of info regarding an individual's medical history | intent of minimum necessary |
legal document developed by a practice & its attorney stating what practice will do to protect each patient's rights | Notice of Privacy Practices (NPP) |
one person who oversees privacy activities & security protections; can delegate responsibilities to privacy team but alone holds accountability for HIPAA compliance | privacy & security officials |
under HIPAA's privacy & security officials, members of a privacy team must be | trained specifically to fulfill any delegated responsibilities |
the privacy & security official may be | the same person |
in larger practices, depending on the workload, the privacy & security official would usually be | separate people |
info that can be used to identify an individual because it contains 1/more patient identifiers | Protected Health Information (PHI) |
the HIPAA Privacy Rule specifies that PHI must be protected whether it is | written, spoken, or in electronic form |
de-identified health information is | not considered PHI |
HIPAA defers to laws of the state if state's laws are more stringent than HIPAA privacy standards | state preemption |
put in force 2002, HIPAA gave physicians freedom to continue treating patients, seeking payment, & conducting routine healthcare operations without requiring written consent to conduct business on behalf of patient | Modification to the Privacy Rule |
HIPAA privacy consent is not the same as | a Consent to Treat |
means you can provide care, including coordination or management of health care between providers, or referring patient to another provider | treatment |
within HIPAA means you can disclose PHI (name, address, date/birth, social security # & account number) to obtain reimbursement | payment |
refers to activities including: quality assessments or improvements, reviewing competencies or qualifications of health care professionals, evaluating professional's performance, business mngmt & general admin. activities | healthcare operations |
if you must defend an activity under HIPAA's healthcare operations category, before proceeding w/task, you should | clarify w/ privacy official or your attorney |
is a requirement | standard |
document including standards | rule |
each rule starts out with a | Notice of Proposed Rule-Making (NPRM) |
presents NPRM for public comment & revisions | US DHHS |
final rules are published in the | Federal Register |
deadline for compliance or implementation is 24 months after | a rule's effective date |
a rule's effective date, may be 30-60 days after | publication date |
in 1991 created to study what impact replacing paper healthcare transactions would have on containing rising healthcare costs | Workgroup for Electronic Data Interchange (WEDI) |
foundation of Administrative Simplification provisions in HIPAA | 1993 WEDI report |
guarantees that you can obtain insurance if you change jobs, first term of the title law | portability |
begins to identify who/what should be accountable for specific healthcare activities, second term of the title law | accountability |
Administrative Simplification was designed to address the health care | administrative systems & business issues |
Administrative Simplification promises to make | business of health care easier |
those data sets that identify diagnoses, treatment procedures, drug codes, equipment codes, & other codes | code sets |
Everyone must send or receive transactions using | standard formats & data content |
process to handle industry recommended modifications to standard that may enhance administrative simplification | designated standard-maintenance organization (DSMO) |
outcome of ___ practices will have to ensure their software vendors can send/receive info using standard data formats & data content | Transactions and Code Sets Rule |
requires PHI secure at rest, movement, or in | electronic, oral, written format |
only the __ __ can know everyone's passwords | system administrator |
about controlling access to PHI | security |
about controlling how electronic, oral, & written PHI is used & disclosed | privacy |
a practice immediately became obligated to build program that protects security of personal health information when | HIPAA was signed into law |
within the __ __ are standards that say practices must "safeguard" or protect medical records | Privacy Rule |
published in Federal Register 2/20/03, including administrative, physical & technical safeguards pertaining to electronic PHI that must be in place no later than 4/21/05 | final Security Rule |
requires similar safeguards, to the final Security Rule, for not only electronic PHI but also oral & written PHI & must be in compliance by 4/14/03 | the Privacy Rule |
rooms & storage facilities w/locks or other safeguards that control access are considered ___ safeguards | physical |
policies & procedures defining who has access to info, user IDs, passwords, & actions if violations occur are considered | administrative safeguards |
encryption of electronic data & use of passwords to verify users who have logged onto a system are considered | technical safeguards |
security is an ongoing process that is | never done |
are based on the principle of "reasonableness" given size/complexity of environment in which covered entity operates | privacy & security rules |
as a foundation for developing a practice's policies & procedures ___ ___ must be conducted | risk analyses |
as a foundation for developing a practice's policies & procedures determination of how to __ __ from the risk analyses | mitigate risks |
Your first priority is to develop a way to quantify & evaluate ___ | risk |
you need to know what you are protecting & how much it is worth before you can decide | how to protect it |
even though there are federal penalties for noncompliance w/privacy & security rules, HHS' focus is to encourage | voluntary compliance |
www.hhs.gov/ocr provides | guidance on privacy |
www.cms.gov/hipaa provides | questions & guidance on security |
under the final Security rule HIPAA will require every healthcare provider to put several layers of | safeguards in place |
"reasonable & appropriate" administrative, technical & physical safeguards will vary depending on | area located and scope of technology used |
product must be certified as defined by federal government, product can do e-prescribing, product is interoperable, & product has necessary clinical decision support to rpt on key clinical indicators as being rptd by government | HITECH provisions of ARRA's meaningful use |
key terminology for all medical providers to be able to gain their Medicaid/Medicare incentives, a key benchmark within the HITECH provisions of ARRA | meaningful use |
responsible for defining meaningful use | Office of the National Coordinator |
responsible for rolling out specific provisions of HITECH ARRA | Secretary of Health & Human Services |
a number of health insurance carriers will be moving to an HITECH platform, which is a | valid program around patient centered medical home |
gathers necessary the care of the patient, combines it together in a data repository, provides meaningful, timely, accurate info to develop a very effective plan of care, & kept by primary care physician | patient centered medical home |
patient centered medical home differs from managed care in that the primary physician does not select referring doctors responsible for care, but rather is responsible for | where all that care is coordinated |
reduce reliance on necessary tests, potentially unnecessary hospitalizations, unnecessary follow-up visits to doctors because care/tests already rendered; quicker path to diagnosis | idea behind patient centered medical home |
must be actively engaged in use HIT product | meaningful user |
to determine physical safety of patient info, the security official is required to conduct a | risk analysis & regular audits |
administrative actions, & policies & procedures, to manage selection, development, implementation, & maintenance of security measures to protect electronic PHI & to manage conduct of covered entity's workforce in relation to PHI | administrative safeguards |
property that "data/info is accessible & usable upon demand by an authorized person" | availability |
property that "data/info is not made available or disclosed to unauthorized persons or processes" | confidentiality |
health plans, healthcare clearinghouses, & healthcare providers that transmit any health info in electronic form under the transactions standards | covered entities |
PHI that meets requirements of (i) transmitted by electronic media, or (ii) maintained in electronic media, of the PHI definition | electronic protected health information (EPHI) |
electronic storage media, transmission media used to exchange ePHI already in electronic storage media, & other ePHI transmissions (to the extent any ePHI transmitted via these means originates or is received as data in electronic storage media) | electronic media |
algorithmic process to transform data into form in which low probability of assigning meaning w/out use of confidential process/key | encryption |
using confidential process/key to transform information into the original data | decryption |
physical measures, policies & procedures to protect covered entity's electronic info systems & related buildings & equipment from natural or environmental hazards & unauthorized intrusion | physical safeguards |
property that "data/info has not been altered or destroyed in an unauthorized manner" | integrity |
individually identifiable health info that is (i) transmitted by electronic media; (ii) maintained in electronic media; (iii) transmitted/maintained in any other form or media | protected health information (PHI) |
requires implementation by covered entity | required implementation specification |
allows covered entity to determine "whether each implementation specification is reasonable/appropriate safeguard in its environment, when analyzed w/reference to likely contribution to protecting entity's EPHI" | addressable implementation specification |
administrative, physical & technical safeguards are the | 3 types of security standards |
security standards will supersede any contrary provision of | State Law |
security standards establish a __ level of security that covered entities must meet | minimum |
compliance with Security Rule is designed to provide a ___ ___ of all EPHI | floor protection |
the Security Rule is considered | technologically neutral |
the Security Rule does not dictate what ___ ___ to make | technology choices |
the Security Rule dictates what ___ to achieve | protections |
under Security Rule standards, technology choices are considered | inputs |
under Security Rule standards, protections are considered | outputs |
security protections must be reasonable & appropriate, as assessed in the required risk analysis & study of risk-management measures | foundation of Security Rule |
the Security Rule is designed to be | scalable & flexible |
implementation of security rule standards will be reflected in policies & procedures which must be kept current & retained | for six years from creation date or date last in effect |
documentation must be created & maintained that memorializes ___ ___ & ___ pertaining to the Security Rule | actions, activities, & assessments |
should be carefully constructed, documented in writing, updated as appropriate & retained for 6 years in accordance w/HIPAA's documentation standard | required risk analysis |
the required risk analysis will focus attention on ___ potential business risks | mitigating |
the required risk analysis will help find solution that | will benefit the workforce |
National Institute of Standards & Technology | NIST |
NIST is part of | US Dept of Commerce |
"likelihood of a given threat-source's exercising a particular potential vulnerability, & resulting impact of that adverse event on the organization" | NIST definition of risk |
general requirements, flexibility of approach, standards, implementation specifications, & maintenance are | 5 general rules in Security Rule |
ensure confidentiality, integrity & availability of EPHI created, received, maintained, or transmitted; protect against reasonably anticipated threats/hazards, disclosures; & ensure compliance | four general requirements in general rules of Security Rule standards |
size, complexity & capabilities; technical infrastructure, hardware, & software security capabilities; cost of security measures; probability of criticality of potential risk to EPHI by covered entity | reasonable & appropriate security measures factors |
failure to comply with Security Rule standard leads to liability for | civil sanctions & potential loss of business |
covered entity must balance the safeguard specification w/degree of __ __ the specification affords | risk mitigation |
requires covered entity review security measures periodically & make modifications necessary to ensure providing "reasonable & appropriate protection of EPHI" | maintenance |
there are nine ___ safeguard standards | administrative |
implement policies & procedures to prevent, detect, contain & correct security violations; manage security risk, sanctions as disincentive for noncompliance, & periodically review security controls | Standard: Security-Management Process |
Standard: Security-Management Process | "form the foundation upon which an entity's necessary security activities are built" |
risk analysis, risk management, sanction policy, & information system activity review are __ implementation specifications | required |
identify security official responsible for development & implementation of policies/procedures required by Security Standards for Protection of EPHI; required implementation specification | Standard: Assigned Security Responsibility |
implement policies/procedures for authorization and/or supervision of personnel who work w/or in locations where EPHI might be accessed | Standard: Workforce Security Authorization and/or Supervision - addressable |
when there are addressable implementation specifications it is required that standard compliant policies & procedures be | documented in writing |
implement procedures to determine that access of personnel to EPHI is appropriate | Standard: Workforce Security; Workforce Clearance Procedure - addressable |
implement procedures for terminating access to EPHI upon termination of employment | Standard: Workforce Security; Termination Procedure - addressable |
purpose of termination procedure documentation is to ensure that termination procedures include ___ action to be followed | security-unique |
implement policies & procedures for authorizing access to EPHI consistent w/applicable requirements of Privacy of Individually Identifiable Health Information | Standard: Information Access Management |
Isolating Healthcare Clearinghouse Functions is a ___ implementation specification of Standard: Information Access Management | required |
implement policies & procedures for granting access to EPHI; addressable implementation specification of Standard: Information Access Management | Access Authorization |
implement policies & procedures per access-authorization policies, establish, document, review, & modify user's right/access to workstation, transaction, program & processes; addressable implementation spec. of Standard: Information Access Management | Access Establishment & Modification |
implementation of security awareness & training program for all members of workforce, including management; 4 addressable implementation specifications | Standard: Security Awareness & Training |
periodic security updates; addressable implementation spec. of Standard: Security Awareness & Training | Security Reminders |
procedures for guarding against, detecting & reporting malicious software; addressable implementation spec. of Standard: Security Awareness & Training | Protection from Malicious Software |
procedures for monitoring log-in attempts & reporting discrepancies; addressable implementation spec. of Standard: Security Awareness & Training | Log-in Monitoring |
procedures for creating, changing, & safeguarding passwords; addressable implementation spec. of Standard: Security Awareness & Training | Password Management |
security training is dependent on entity's | configuration and risk |
1st goal of security training is | awareness |
although an entity is not responsible for providing training outside of its workforce, they are responsible for ensuring that __ __ are aware of entity's security policies & procedures | business associates |
CSRC | Computer Security Resource Center |
Computer Security Resource Center is part of | National Institute of Standards & Technology |
National Institute of Standards & Technology | NIST |
Information Technology Security Training Requirements | special publication of NIST |
awareness programs set the stage for training by changing organizational attitudes to realize the importance of security and the | adverse consequences of its failure |
purpose of awareness training is to teach people skills that will | enable them to perform jobs more effectively |
2 important attributes of a successful awareness & training program | change in corporate culture & greater staff productivity |
management plays an important role in effecting change & | realizing the payoff |
implement policies & procedures to address security incidents; one required implementation specification | Standard: Security Incident Procedures |
attempted/successful unauthorized access, use, disclosure, modification, or destruction of info or interference w/system operations in an info system | security incident |
identify & respond to suspected/known security incidents; mitigate, to extent practicable, harmful effects of security incidents known to covered entity; document incidents & outcomes | Response & Reporting |
covered entities are required to respond & mitigate any __ __ of security incidents | harmful effects |
establish (implement as needed) policies & procedures for responding to emergency/other occurrence that damages systems that contain EPHI; 5 implementation specifications (3) required (2) addressable | Standard: Contingency Plan |
establish & implement procedures to create & maintain retrievable exact copies of EPHI; required implementation specification of Standard: Contingency Plan | Data Back Up Plan |
establish (implement as needed) procedures to restore any loss of data; required implementation specification of Standard: Contingency Plan | Disaster Recovery Plan |
when preparing a disaster recovery plan, covered entity should examine __ __, even though the probability may be low | worst-case scenarios |
EHNAC | Electronic Healthcare Network Accreditation Commission |
has identified several key components to a disaster-recovery plan that mitigate business interruption | EHNAC |
will be outgrowth of the identification of threats in the risk analysis | disaster recovery planning |
determine outcomes for each of the threats & impact on the | operations of the practice |
the final rule of the disaster recovery plan calls for covered entities to consider how natural disasters could damage systems that contain EPHI & develop policies & procedures for responding to these situations; these are considered to be | a reasonable precautionary step |
establish (implement as needed) procedures to enable continuation of critical business processes for protection of security of EPHI while operating in emergency mode; required implementation specification of Standard: Contingency Plan | Emergency Mode Operation Plan |
important to get input from each workforce member of duties/workflow in order to establish a | workable emergency mode operation plan |
implement procedures for periodic testing/revision of contingency plans; addressable implementation specification of Standard: Contingency Plan | Testing & Revision Procedures |
assess relative criticality of specific applications & data in support of other contingency-plan components; addressable implementation specification of Standard: Contingency Plan | Applications & Data Criticality Analysis |
because Security Rule pertains to EPHI, the loss of ___ is critical & should be dealt w/in a covered entity's risk analysis | electricity |
perform a periodic technical & non technical evaluation; establish extent to which entity's security policies/procedures meet requirements of Security Standards for Protection of EPHI | Standard: Evaluation |
Standard: Evaluation implementation specification is | reflected in the standard & is required |
in accordance w/general rules of security standard, may permit business associate to create, receive, maintain, or transmit EPHI on entity's behalf | Standard: Business-Associate Contracts & Other Arrangements |
must provide satisfactory assurances that they will protect EPHI | business associates |
document satisfactory assurances through written contract/other arrangement that meets applicable requirements as part of Organizational Requirements; required implementation specification of Standard: Business-Associate Contracts & Other Arrangements | Written Contract/Other Arrangement |
physical measures, policies, & procedures to protect a covered entity's electronic-information systems & related buildings & equipment from natural & environmental hazards, & unauthorized intrusion | physical safeguards |
implement policies/procedures to limit physical access to electronic-information systems & facility(s) in which housed, while ensuring properly authorized access is allowed | Standard: Facility Access Controls |
establish (implement as needed) procedures allowing facility access in support of restoration of lost data under disaster-recovery plan & 911-mode operations plan in event of 911; addressable implementation specification of Standard: Facility Access Controls | Contingency Operations |
implement policies & procedures to safeguard facility & equipment therein from unauthorized physical access, tampering, & theft; addressable implementation specification of Standard: Facility Access Controls | Facility Security Plan |
implement procedures to control/validate person's access to facilities based on role/function, incl. visitors, & to software programs for testing/revision; addressable implementation specification of Standard: Facility Access Controls | Access Controls & Validation Procedures |
implement policies/procedures to document repairs & modifications to physical components of facility related to security; addressable implementation specification of Standard: Facility Access Controls | Maintenance Records |
Standard: Facility Access Controls applies to a covered entity's facility or | facilities |
under Standard: Facility Access Controls facility includes physical premises and | interior/exterior of buildings |
under Standard: Facility Access Controls is extended to include premises of workforce members who work __ __ with EPHI | at home |
under Standard: Facility Access Controls a covered entity retains responsibility for considering facility security even where | it shares space with other organizations |
under Standard: Facility Access Controls a covered entity must document in their risk analysis | third-party security measures |
implement policies/procedures that specify proper functions to be performed, manner those functions to be performed & physical attributes of surroundings of specific workstation(s) that can access EPHI | Standard: Workstation Use |
receptionist areas, in a private practice, __ __ __ __ to patients signing in w/receptionist | may not be visible |
in a private practice, workstations throughout the practice should not be visible to any | passerby |
implement physical safeguards for all workstations that access EPHI to restrict access to authorized users; implementation is dependent upon entity's risk analysis & risk management process | Standard: Workstation Security |
implement policies/procedures that govern receipt & removal of hardware & electronic media containing EPHI into & out of a facility & movement of these items within facility; 4 implementation specifications (2) req & (2) addressable | Standard: Device & Media Controls |
implement policies/procedures to address final disposition of EPHI &/or hardware/electronic media on which it is stored; required implementation specification of Standard: Device & Media Controls | Disposal |
implement policies/procedures for removal of EPHI from electronic media before media are made available for reuse; required implementation specification of Standard: Device & Media Controls | Media Reuse |
Maintain record of movements of hardware/electronic media & any person responsible for them; addressable implementation specification of Standard: Device & Media Controls | Accountability |
create retrievable, exact copy of EPHI when needed, before movement of equipment; addressable implementation specification of Standard: Device & Media Controls | Data Backup & Storage |
even though software may claim to delete files, it may only delete the __ __ & not erase the underlying content | file name |
Accountability implementation specification does not refer to | audit trails within system/software |
Accountability implementation specification does refer to | record of actions of a person relative to receipt/removal of hardware/software into & out of facility-traceable to that person |
consists of technology & policy/procedures for its use that protect EPHI & control access to it; 5 safeguard standards | Technical Safeguards |
implement policies/procedures for electronic info systems that maintain EPHI to allow access only to those persons/software programs that are granted access right per Administrative Safeguards standard of Info Access Mngmt | Standard: Access Control |
each of implementation specifications under Standard: Access Control require technical assistance from | entity's system administrator/practice-management vendor |
assign a unique name &/or # for identifying & tracking user identity; required implementation specification of Standard: Access Control | Unique User Identification |
establish (implement as needed) procedures for obtaining necessary EPHI during 911 situation; required implementation specification of Standard: Access Control | Emergency Access Procedure |
implement electronic procedures that terminate an electronic session after predetermined time of inactivity; addressable implementation specification of Standard: Access Control | Automatic Logoff |
implement mechanism to encrypt/decrypt EPHI; addressable implementation specification of Standard: Access Control | Encryption & Decryption |
implement hardware, software, &/or procedural mechanisms that record/examine activity in information system that contain/use EPHI | Standard: Audit Controls |
according to preamble to Security Rule, Standard: Audit Controls is mandatory; however, entities have flexibility to implement | in manner deemed appropriate by their risk analyses |
implement policies/procedures to protect EPHI from improper alteration/destruction; one addressable implementation specification | Standard: Integrity |
mechanism to authenticate EPHI; corroborate EPHI hasn't been altered/destroyed in an unauthorized manner | addressable implementation specification of Standard: Integrity |
error-correcting memory & magnetic disk storage are examples of | built-in data authentication mechanisms |
implement procedures to verify a person/entity seeking access to EPHI is the one claimed | Standard: Person or Entity Authentication |
biometric ID systems, password systems, personal identification #'s, telephone callback, physical/soft token systems & digital signatures are examples of | Person/Entity Authentication |
implement technical security measures to guard against unauthorized access to EPHI being transmitted over an electronic communication network | Standard: Transmission Security |
implement security measures to ensure electronically transmitted EPHI is not improperly modified w/out detection until disposed of; addressable implementation specification of Standard: Transmission Security | Integrity Controls |
implement mechanism to encrypt EPHI whenever deemed appropriate; addressable implementation specification of Standard: Transmission Security | Encryption |
it is the covered entity's responsibility to secure its | transmissions |
An estimated 15-30% of every healthcare dollar goes towards | administration (i.e. claim review, software development) |
activities meant to make the claims process easier have become parts of | health care's administrative black hole |
high $$ concerns for a medical office include | risk management & medical malpractice |
HIPAA was developed by __ __ & __ __ within the US DHHS, along with executives from private healthcare sector | physician leaders & policy makers |
1991, a collaboration of government & private industry, Louis Sullivan created | Workgroup for Electronic Data Interchange (WEDI) |
WEDI was developed to study what impact replacing paper healthcare transactions would have on | containing rising healthcare costs |
became foundation of the Administrative Simplification provisions in HIPAA | WEDI 1993 landmark report |
guarantees you can obtain insurance if you change jobs | Portability |
identifies who & what should be held responsible for specific healthcare activities | Accountability |
Administrative Simplification promises to make the business of healthcare | easier |
simplifies transactions so that all entities filing electronic transactions use same code sets, data content, & data format, & keep patient info safe/secure | purpose of Administrative Simplification |
systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge | research defined by Privacy Rule |
distinction between research activity & healthcare operations activity is whether the activity is designed to | develop or contribute to generalizable knowledge |
require covered entity to obtain a detailed written authorization form from the patient, in order to satisfy all required elements of an applicable exception to the authorization requirement, under the Privacy Rule, when conducting | a research activity |
Privacy Rule permits a covered entity to carry out its own health care operations w/out any form of patient permission & without any restrictions in the | use or disclosure of PHI |
HHS drafted Privacy Rule in a manner that retains more stringent protection for the use/disclosure of PHI for __ __ than other health care operations activities | research purposes |
if a covered entity uses/discloses only a limited data set of information pursuant to a data use agreement they may | use or disclose PHI for research activities |
a covered entity may use or disclose PHI for research activities if the review of PHI is | preparatory to research |
a covered entity may use or disclose PHI for research activities if the research is | on decedents' information |
a covered entity may use or disclose PHI for research activities if institutional review board (IRB) or privacy board has approved | a waiver of or an alteration to the authorization |
covered entities are always free to use & disclose information that has been | sufficiently de-identified |
when covered entity removes all of a list of enumerated identifiers from PHI & covered entity has no actual knowledge that remaining info could be used alone or in combination w/other info to identify subject of info, is known as | "safe harbor" method |
2nd method to de-identify involves a person w/knowledge of & experience w/statistical & scientific principles must document methods & results of analysis that justify the determination that | the risk of identification is small |
also known as retrospective, archival, or non-interventional research | records research |