Why Did Regulators Add New Standards After HIPAA's Initial Implementation
21 community-sourced questions and answers.
What are the goals of HIPAA?
1. To improve the efficiency and effectiveness of the healthcare system
2. Improve portability and continuity of health insurance coverage
3. Prohibit discrimination in health coverage
4. Regulate the privacy and security of health information
What are the four aspects of health information?
- Transactions and code sets
- National provider identities
- Privacy
- Security
What are examples of covered entities?
- Healthcare plans
- Healthcare clearinghouses
- Healthcare providers
Who must comply with HIPAA?
- Covered entities (they must protect information from unauthorized access, alteration, deletion, and transmission)
- Business associates (must enter into a business associate contract before beginning work with the covered entity)
What is Protected Health Information (PHI)?
- Information covered under HIPAA that includes all health information that relates to past, present, or future physical or mental health; the provision of care; or payment of care
- Information that identifies the patient or could reasonably be expected to identify the patient
What is notice of privacy and its components?
- Explains the patients' rights to privacy
- How you're going to use/protect their information
- Who you will/will not share their information with without further authorization
- Who to contact with complaints
What is acknowledgment of notice?
- Must make a good-faith effort to provide privacy notice and receive signed acknowledgment from each patient
- Need only once
- First transaction at the pharmacy
- Written unless consent to electronic transmission
- May not refuse treatment if they refuse
- Must document effort
Use and disclosure of PHI
- Pharmacies are allowed to use and disclose PHI for TPO (treatment, payment, operations)
- Can always provide complete disclosure to patient, their personal representative or their agent in a timely manner (30 days + 30-day extension)
What is HITECH and its importance?
- Health Information Technology for Economic and Clinical Health
- If covered entities use an EMR they are required to account for ALL disclosures of PHI within 3 years of the request date
- Requires a limited data set if possible in the EMR
- Requires pharmacies to address breaches of PHI
When can patients request their PHI not be disclosed?
To their healthcare plan in out-of-pocket situations.
What are the exceptions to the minimum necessary rule for disclosure of patient information?
- To the patient
- Other providers regarding treatment
- When authorized by patient
- When required for compliance and enforcement purposes
- Required by law
What is de-identification?
- All individual identifying factors of a PHI are removed
- NOT considered PHI after removal of identifiable information
Define a breach of PHI
The acquisition, access, use, or disclosure of PHI in a way that compromises the security or privacy of the PHI and poses a significant risk of financial, reputational, or other harm to the individual.
When should a breach of PHI be reported?
- Within 60 days of the breach discovery
- First class mail (or electronically if agreed upon)
- If more than 500 individuals are affected, the pharmacy must notify the media
How should disposal of PHI be handled?
- Preferable but not required to hire a business associate to handle disposal
- Must use reasonable safeguards to protect disposal of PHI
What are the rules and exceptions to marketing sale of PHI?
- Must have individual written authorization to sell or market PHI
- Exceptions: for treatment uses, face to face, for case management or care coordination, recommended alternatives, about health-related services offered by the pharmacy or health plan, refill and adherence reminders
What policies and procedures do pharmacies have to follow?
- Must develop policies and procedures to implement HIPAA standards
- Must outline penalties for violations for workers
- Must identify a privacy officer to run compliance program
Penalties and enforcement of HIPAA
- Penalties for violating HIPAA can be severe and increased after the implementation of HITECH
- Civil and criminal penalties can result for HIPAA violations
- HIPAA does NOT create a private cause of action for individuals to use
Civil and criminal penalties
- Unintentional violations: $100-$25,000 per person per violation in one calendar year
- Reasonable cause violations: $1,000 per violation up to $50,000 total in one calendar year
- Willful neglect corrected within 30 days: $10,000 with annual cap of $250,000
- Willful neglect NOT corrected within 30 days: $50,000 with annual cap of $1.5m
- Intentional violations or involvement of fraud are subject to prison time
What are the benefits of Health Information Technology (HIT)?
- Protect privacy of PHI
- Reduce medical costs
- Improve coordination of care
- Improve delivery of public health services and emergency response system
What are the four main aspects of health information that HIPAA regulates?
1. Transaction and code sets
2. National Provider Identities
3. Privacy
4. Security