Question

The document that Covered Entities are required to provide to patients describing how the CE will use or disclose the PHI and what the patient’s rights and CE’s duties are is called:   

a.

breach notification

b.

business associate agreement

c.

facility directory

d.

notice of privacy practices

A defense to a claim of negligence might be:   

a.

self defense

b.

contributory negligence

c.

lack of contractual capacity

d.

responsible corporate officer

Answer 1

Answer: Notice of Privacy Practice

Notice of Privacy Practices (NPP) HIPAA mandated notice that covered entities must give to patients and research subjects that describes how a covered entity may use and disclose their protected health information, and informs them of their legal rights regarding PHI(Protected Health Information).

Electronic protected health information of ePHI is defined in HIPAA regulation as any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media. HIPAA regulation states that ePHI includes any of the 18 district demographics that can be used to identify a patient.

The HIPAA Privacy Rule requires health plans and covered health care providers to develop and distribute a notice - the notice of Privacy Practices (NPP) that provides a clear user-friendly explanation of individuals' rights with respect to their personal health information, and the privacy practices of health plans such as:

• How we may use and disclose your health information in the course of providing treatment and services to you
• What rights you have with respect to your health information. These include the right.
• To inspect and obtain a copy of your health information.
• To request that we amend health information in our records.

The NPP must contain the following: This notice describes how medical information about you may be used and disclosed and how you can get access to this information.

• Uses and disclosures
• Individual Rights
• Covered Entity Duties
• Complaints
• Contact
• Effective Dates

These rights include the right to request restrictions on certain uses and disclosures of PHI. The right to receive confidential communications of PHI, as permitted by law. The right of an individual to obtain a paper copy of the notice, upon request.

privacy Rule requires that USC gives all patients an important document called the Notice of Privacy Practices (Notice). The Notice explains to patients that ways USC is allowed to use their health information and lists the rights patients have with respect to their health information.

HIPAA Rules and Regulations layout three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the Rule identifies security standards, and for each standard, it names both required and addressable implementation specifications.

A Covered Entity may disclose PHI to facilitate treatment, payment, or health care operations (TPO) without a patient;s express written authorization. Any other disclosure of PHI requires the covered entity to obtain and store written authorization from the individual for the disclosure. When a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.

Patient's rights and CE's Duties:

HIPAA law under the Privacy and Security Rules requires covered entities to notify individuals of uses of their PHI. Covered entities must also keep track of disclosures of PHI and document privacy policies and procedures. They must appoint a Privacy Official and a contact person responsible for receiving complaints and train all members of their workforce in procedures regarding PHI. A patient has the right to make informed decisions regarding his or her care and has the right to include family members in those decisions. A patient has the right to information from his or her doctor in order to make informed decisions about his or her health care. HIPAA PrivacyRules provides right of access, right to request amendment of PHI, right to an accounting of disclosures, right to request restrictions of PHI, right to request confidential communications, and right to complain of Privacy Rule violations. An individual who believes that HIPAA Privacy and Security Rules are not being upheld can file a complaint with the Department of Health and Human Services Ofice for Civil Rights (OCR), the reporting information but be available on the organizations' Notice of Privacy Practices that is handed to the patient or visible in on obvious place like a doctors waiting room.

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI), the failure to enter into a HIPAA compliant business associate agreement.

The minimum fine for willful violations of HIPAA Rules is $50,000. Knowingly violating HIPAA Rules with malicious intent or for personal gain can result in a prison term of up to 10 years in gain. There is also a mandatory two-years jail term for aggravated identity theft.