Noninterpretive Skills: Patient Privacy and HIPAA
Review of patient privacy and HIPAA from the ABR noninterpretive skills study guide. See my own study guide on this topic by clicking here.
Show Notes/Study Guide:
Welcome back to The Radiology Review podcast. Per listener request, I will be producing a few more Noninterpretive Skills episodes and I have found that these are generally very popular episodes for listeners preparing for radiology board exams. This episode will focus on patient privacy and HIPAA as outlined in the 2021 ABR NIS study guide in chapter 5, specifically section 5.1.2 “Patient Privacy and HIPAA”. I will make a free downloadable study guide on this topic available on my website www.theradiologyreview.com so please check that out if that is helpful to you. Also, please follow @radrevpodcast on Twitter or Instagram where I post things like tips for the physics portions of radiology board exams. Without further ado, let’s get into the questions and answers for this episode.
What is HIPAA?
A law enacted in 1996, HIPAA stands for the Health Insurance Portability and Accountability Act and represents codified law that enforces patient privacy by establishing national privacy standards that apply to healthcare providers, plans, and clearinghouses. Under HIPAA there is a Privacy Rule that establishes the national standards for protected health information (PHI) as well as the Security Rule that establishes national security standards for securing PHI in electronic form (e-PHI or electronic PHI) by establishing technical and nontechnical safeguards that must be in place to secure the protections outlined in the Privacy Rule.
Who enforces HIPAA and what penalties can be enacted for violating HIPAA?
HIPAA rules and standards are enforced by the Office for Civil Rights (OCR), which is part of the U.S. Department of Health and Human Services. For violation of HIPAA, civil money penalties can be enacted.
What are the major goals of HIPAA according to the ABR NIS study guide?
The major goals of HIPAA are to protect each individual’s PHI while also permitting this information to flow to providers and organizations to provide and promote quality healthcare.
True or false? A patient’s admission or discharge date is considered PHI.
True.
True or false? Geographic subdivisions smaller than a state where an individual resides are considered PHI.
True with one exception. The ABR NIS study guide states that if a zip code has at least 20k people within it, the first 3 digits of the zip code can be used and not considered PHI.
True or false? An individual’s license plate number is considered PHI.
True.
True or false? An individual’s internet protocol (IP) address is not considered PHI.
False. IP addresses attached to an individual are considered PHI.
True or false? If there is a recording of a patient’s voice this is considered PHI.
True. Biometric identifiers such as fingerprints and voiceprints as well as full face or similar photographs are considered PHI.
True or false? Any unspecified unique identifier, characteristic, or code whereby an individual can be potentially identified is considered PHI.
True. According to the ABR NIS study guide, after specifying specific examples of PHI, it states “any other unique identifier, characteristic, or code” is PHI.
According to the ABR NIS study guide, patient identifiers considered PHI include:
Patient names; geographic subdivisions smaller than a state (however, the first 3 digits of a ZIP code with a population over 20k people are not PHI); all elements of dates (except the year) that are related to an individual, including birthdate, admission date, discharge date, and date of death; phone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate and license numbers; vehicle identification and license plate numbers; device identifiers and serial numbers; webpage URLs; IP addresses; biometric identifiers such as fingerprints and voiceprints; full face or similar photographs; and any other unique identifier, characteristic, or code.
True or false? PHI can be disclosed without an individual’s authorization if used for delivery of care or treatment.
True. Remember part of HIPAA is to allow necessary information to flow to provide healthcare resources.
True or false? PHI can be disclosed without an individual’s authorization if used for billing purposes.
True.
True or false? An individual must consent to the release of PHI for that information to be used for law enforcement purposes.
False. For law enforcement purposes including fraud or abuse detection, domestic violence investigations, or judicial proceedings, PHI can be released without an individual’s authorization.
True or false? PHI can be disclosed without an individual’s authorization if used for quality improvement in healthcare.
True.
In general, PHI cannot be disclosed or transmitted to anyone other than the individual without authorization by that individual. Exceptions to this rule listed by the ABR NIS study guide include:
PHI can be disclosed or transmitted without an individual’s authorization when necessary for the delivery of care or treatment, payment activities, and healthcare operations involving quality or competency assurance, fraud or abuse detection, or compliance. Information can also be released without an individual’s authorization when required by law, to public health authorities, during an investigation of abuse, neglect, or domestic violence, to oversight agencies, for judicial and administrative proceedings, for law enforcement purposes, and for workers’ compensation.
That concludes this podcast episode. As a reminder, a free downloadable study guide on this topic is available at www.theradiologyreview.com so please check that out if helpful to you. Please send episode suggestions to theradiologyreview@gmail.com or @radrevpodcast on Twitter or Instagram. Thank you for listening.