Glossary
Under HIPAA, patients have the right to know how their protected health information (PHI) is used and disclosed. They have a right to an "accounting of disclosures" for any uses of their PHI outside of treatment, payment and operations (TPO) that they have not authorized. The accounting must include the date of the disclosure, the purpose of the disclosure, a description of what was disclosed, and it must identify who received the information.
HIPAA requires patient authorization for most uses of protected health information (PHI) outside of treatment, payment and operations (TPO).
This is the form used to obtain patient authorization. This form is included on the Resources page if you would like to take a look.
There are several ways to do HIPAA compliant research. One way is to receive a waiver of authorization from the IRB. You must apply for a waiver in writing. Your application will be evaluated according to specific criteria described in both HIPAA and the Common Rule.
Business Associates are individuals or organizations to whom we give PHI so that they can perform specific functions or services for OHSU. Some examples of Business Associates are data archival services, transcription services, consultants, and software vendors.
HIPAA includes civil and criminal penalties for violations of the HIPAA standards. Civil penalties include fines of up to $25,000. Criminal penalties range from 1-10 years in prison and up to $250,000 in fines.
Also known as 45CFR46, the Common Rule is federal legislation that protects human research subjects. It relies on the process of informed consent, which is designed to make sure research subjects understand what will happen to them in the course of research.
HIPAA gives patients the right to request restrictions on how confidential information is communicated to them. For instance, patients may ask that reminders be sent to their office instead of their home. We should try to accommodate all reasonable requests.
If you include PHI in e-mails that you send, you should include a statement of confidentiality in your e-mail. Below is a suggested statement you can use: The information contained in this EMAIL message is confidential and protected by law. The information is intended only for the person or business identified in the document. If you are not the intended recipient, any sharing, printing, storing or copying of the information will result in a violation of the law. If you have received this EMAIL by mistake, please notify the sender of this EMAIL and copy the Office of Information Privacy and Security at oips@ohsu.edu.
A Data Use Agreement is an agreement between OHSU and Business Associates or other third parties that ensures that the party will protect limited data sets that are disclosed by OHSU. The purpose of a Data Use Agreement is to make sure that limited data sets are used in ways that are consistent with research, public health, or health care operations.
The Data Use Agreement must limit who can use or receive the data, require the data recipient to agree not to re-identify the data or contact the research subject, and it must contain adequate assurances that the data recipient will protect the data.
The designated record set is a new concept under HIPAA and is an expansion of the usual concept of a health record. It is not simply a hospital or dental chart, but includes a wide scope of information, including for instance financial or billing information, as well as any other information we may use to make decisions about patients.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the federal government's response to simplifying the healthcare system, legislating a patient's bill of rights, and requiring the health care industry to safeguard health records and protect patient privacy. There are three sets of standards included in the HIPAA legislation: Privacy Standards, Security Standards and Transaction Standards.
At OHSU we have an office that handles questions about HIPAA and its implementation. For information on how to contact this group, see our website http://www.ohsu.edu/xd/about/services/integrity/ or e-mail oioeduc@ohsu.edu.
The HIPAA Privacy Standards define protected health information (PHI), give patients more control over their health information, set boundaries on the use of health information, establish appropriate safeguards that health care providers and others must implement, and impose civil and criminal penalties for privacy violations.
Compliance with this regulation is required by April 14, 2003. This course is part of required compliance activities.
Transaction Standards improve the efficiency of the health care system by calling for the standardization of coding and billing transactions.
The Security Standards are the third component of HIPAA. These standards describe the type of policies, procedures and physical safeguards that OHSU must have in place to ensure the confidentiality, accessibility, and integrity of protected health information.
The Institutional Review Board, or IRB, meets weekly to review research proposals. They must approve all human subjects research at OHSU.
The Notice of Privacy Practices is used to educate patients about how their Protected Health Information (PHI) will be used for the purposes of treatment, payment and operations (TPO) at OHSU. We must give this document to all of our patients at their first date of service, beginning April 14, 2003. We must make a good faith effort to get patient acknowledgement that they have received this Notice.
Protected Health Information (PHI) refers to health information combined with personal and/or billing information, such as name or e-mail address, which identifies or could be used to identify a specific person. HIPAA requires that we follow certain standards to secure PHI and protect patient privacy.
HIPAA calls out 18 specific identifiers that define PHI. These are:
Role based access is how we apply the minimum necessary standard to information access at OHSU. Access to information, computer applications and restricted areas is provided to the members of our workforce based on the specific needs of the job or role they perform here.
Strong passwords are easy for you to remember, but difficult for others to guess. Strong passwords incorporate a combination of letters and numbers.
Third party disclosures, including such activities as mandatory reporting (cases of child abuse, for instance, or public health reporting) must be tracked and described in an Accounting of Disclosures. The right to an Accounting is a new patient right under HIPAA.
Treatment, Payment and Operations (TPO) refers to the basic activities we do here at OHSU. Protected Health Information (PHI) may be used for TPO without patient authorization. Most uses of PHI outside of TPO require patient authorization.