Medical Privacy Flashcards

Understand HIPAA’s key rules governing the use and disclosure of protected health information. (62 cards)

1
Q

What is the Hippocratic Oath?

A

An oath of ethics taken by physicians to protect patient confidentiality.

2
Q

What does the Hippocratic Oath say about confidentiality?

A

Physicians must not divulge anything seen or heard in their profession that should not be published.

3
Q

Why is privacy important for medical records?

A
  • Preserves identity
  • Promotes openness with doctors
  • Protects against workplace discrimination
4
Q

How can privacy protect employees?

A

Prevents discrimination based on treatment costs, medications, or stigma.

5
Q

What does HIPAA stand for?

A

Health Insurance Portability and Accountability Act

6
Q

What was HIPAA originally designed to do?

A

Improve health care efficiency by shifting reimbursement to electronic format.

7
Q

What are the key privacy elements of HIPAA?

A
  • Privacy Rule
  • Security Rule
  • Breach Notification Rule
8
Q

What is Protected Health Information?

(PHI)

A

Identifiable health information held by covered entities or their associates.

9
Q

What is electronic PHI?

(ePHI)

A

PHI stored or shared electronically.

10
Q

Who qualifies as a covered entity under HIPAA?

A
  • healthcare providers
  • insurers
  • clearinghouses doing electronic transactions
11
Q

Who is a business associate under HIPAA?

A

Non-workforce persons or organizations providing services for covered entities involving PHI.

Example: claims processing, data analysis, consulting, financial services.

12
Q

Who is not considered a covered entity?

A
  • Cash-only doctors
  • Wellness apps
  • Online/social media
13
Q

Who enforces HIPAA?

A
  • HHS Office for Civil Rights
  • DOJ
  • FTC
  • State Attorneys General
14
Q

How did HHS OCR adjust HIPAA rules during the COVID-19 pandemic?

A

Permitted non-public-facing videoconferencing even if not fully HIPAA-compliant, with secure login.

15
Q

What was suspended by the DEA for telemedicine?

A

Parts of the Ryan Haight Act requiring in-person exams before prescribing controlled substances.

16
Q

What is the IMLC?

A
  • Interstate Medical Licensure Compact
  • Supports multistate medical licensing
17
Q

What does California’s Reader Privacy Act restrict?

A

Access to records about reading material, especially on health topics.

18
Q

What must be shown to access reader records under CA law?

A

A compelling interest must be demonstrated by government or litigants.

19
Q

When is notice not required under HIPAA?

A

In indirect treatment relationships or medical emergencies.

20
Q

What uses and disclosures are authorized under HIPAA?

A

Treatment, payment, operations (TPO), and compliance purposes.

21
Q

What is the ‘minimum necessary’ standard?

A

Use or disclose only the minimum PHI needed to accomplish the purpose.

22
Q

What safeguards does HIPAA require?

A

Administrative, technical, and physical controls

To protect confidentiality, integrity, and availability.

23
Q

What accountability measures are required under HIPAA?

A
  • Appoint privacy official
  • Train staff
  • Establish compliance procedures
24
Q

What is the HIPAA Safe Harbor Law?

A

OCR must consider recent implementation of safeguards and may apply leniency.

25
Q

What are **valid exceptions** for PHI use without authorization?

A
  • TPO
  • De-identification
  • Research
  • Public health
  • Legal
  • Law enforcement
  • Government functions

26
Q

How is PHI **de-identified**?

A
  • Remove **18 identifiers**, or
  • Use **expert certification**

27
Q

What conditions allow PHI use **in research**?

A
  • IRB approval
  • De-identified data
  • Consistency with the Privacy Rule

28
Q

What did **Dobbs v. Jackson Women's Health Organization** decide?

A
  • Overturned Roe v. Wade
  • Removed federal protection for abortion rights

29
Q

Does HIPAA protect data on **personal mobile devices**?

A

No

Footnote: HIPAA Rules do not apply to data accessed or stored on personal devices.

30
Q

What does the **HIPAA Security Rule** establish?

A

**Minimum reasonable security** requirements for PHI to prevent, detect, contain, and correct issues.

31
Q

What **additional requirements** does the Security Rule mandate?

A
  • Designate a security official
  • Conduct risk assessments
  • Train workforce
  • Enforce compliance

32
Q

Does HIPAA **override stricter state** security laws?

A

No

33
Q

What does **HITECH** stand for?

A

Health Information Technology for Economic and Clinical Health Act

34
Q

What are the **goals** of HITECH?

A
  • Encourage electronic health records
  • Develop health info exchange
  • Strengthen HIPAA privacy or security

35
Q

How did HITECH **change HIPAA rules** for **Business Associates**?

A

BAs **became directly subject to HIPAA**, not just via contracts.

36
Q

What defines **a breach** under HITECH?

A

**Unauthorized modification, access, deletion, or exfiltration** (MADE) of unsecured ePHI where privacy/security is compromised.

37
Q

When is there **no breach** under HITECH?

A

Unauthorized MADE but **high confidence that ePHI was not affected** or is encrypted.

38
Q

Who bears the **burden of proof** in a breach scenario?

A

Covered Entity (CE) or Business Associate (BA)

39
Q

What are HITECH **breach notification requirements**?

A
  • Notify individuals within 60 days
  • BAs notify CEs
  • A breach affecting more than 500 individuals triggers HHS/media notice

40
Q

What is '**limited data**' under HITECH?

A

Data set **excluding direct identifiers** like name, SSN, email.

41
Q

What must Covered Entities **provide** related to **Electronic Health Records**?

A
  • EHR on request
  • Account for non-oral disclosures (3 years)
  • Can't sell without consent

42
Q

What does **42 CFR Part 2** regulate?

A

Confidentiality of **substance use disorder** (SUD) patient records.

43
Q

What **laws** created the foundation for 42 CFR Part 2?

A
  • 1970 Alcohol Abuse Act
  • 1972 Drug Abuse Act

44
Q

What is considered '**patient-identifying**' information?

A

Any data that could reasonably identify an individual.

45
Q

**Who** must comply with 42 CFR Part 2?

A
  • Federally-funded programs
  • Some state-licensed or DEA-involved providers

46
Q

When can **SUD patient info** be disclosed?

A
  • With written consent, or
  • Under exceptions like emergencies, audits, or court order

47
Q

What does **GINA** stand for?

A

Genetic Information Nondiscrimination Act

48
Q

What is the **purpose** of GINA?

A

**Prohibit discrimination** based on genetic information by health insurers and employers.

49
Q

What does GINA **prohibit** for **health insurance providers**?

A

Using genetic info for **premiums or coverage decisions** before symptoms appear.

50
Q

What does GINA **prohibit for employers**?

A

Using genetic info in hiring, firing, job assignments, or promotions.

51
Q

How is genetic information **treated under HIPAA** due to GINA?

A

It is classified as **Protected Health Information** (PHI).

52
Q

What are **exceptions** to GINA's restrictions?

A
  • Voluntary/inadvertent disclosures
  • FMLA compliance
  • Commercial data
  • Required workplace testing
  • Law enforcement DNA testing

53
Q

What does California's **CalGINA** add to GINA?

A

**Extends protections** to housing, education, emergency services, and lending.

54
Q

What are the **objectives** of the **21st Century Cures Act**?

A
  • Expedite research
  • Drug/device approvals
  • Reform mental health care
  • Promote EHI interoperability

55
Q

What is **interoperability** in the context of the **Cures Act**?

A

The ability to share/exchange electronic health information across systems.

56
Q

What is **information blocking**?

A

Activity likely to **obstruct exchange/sharing** of EHI.

57
Q

What are '**certificates of confidentiality**'?

A

**NIH-issued documents** barring use of research data in legal proceedings without consent.

58
Q

What is '**compassionate**' sharing under the Cures Act?

A

Guidance allowing **sharing** of mental health/substance abuse info **with family caregivers** under HIPAA.

59
Q

What is **Medtech**?

A
  • Medical imaging machines
  • Real-time monitoring
  • At-home testing
  • EHR accessibility

Footnote: Examples: X-rays, MRI, CT, fertility/DNA tests, cancer screening kits, EHR tools.

60
Q

What **law** does the FDA enforce related to **Medtech**?

A

Food, Drug, and Cosmetic Act (FDCA)

61
Q

What **determines** FDA regulation of Medtech?

A

**Level of risk** posed by the device.

Footnote: Most Medtech is low-risk.

62
Q

What is **Software as a Medical Device** (SaMD)?

A

Software that diagnoses, treats, or prevents conditions regulated by the FDA.