HIPAA TRAINING

Post on 29-Jan-2016

HIPAA TRAINING. West Liberty University Health Sciences. HISTORY. HIPAA stands for “Health Insurance Portability and Accountability Act of 1996” HIPAA was passed in 1996 as part of a broad congressional attempt at healthcare reform - PowerPoint PPT Presentation

Transcript of HIPAA TRAINING

HIPAA TRAINING

West Liberty University

Health Sciences

HISTORY

• HIPAA stands for “Health Insurance Portability and Accountability Act of 1996”
• HIPAA was passed in 1996 as part of a broad congressional attempt at healthcare reform
• This training will address Title II of the Act - Administrative Simplification

PURPOSE

• To increase the efficiency and effectiveness of the health care system through standardization
• To enhance the security and privacy of Protected Health Information (PHI)
• According to the Department of Health and Human Services 1 in 6 patients omit sensitive information when discussing medical history with their physician out of fear of misuse or mishandling.

COMPONENTS

• PRIVACY STANDARDS – April 14, 2003
• Electronic Transactions Standards – Oct 16, 2003
• Security Standards – April 20, 2005
• This training will focus on the Privacy Standards

HIPAA APPLIES TO COVERED ENTITIES

• Hospitals
• Physicians
• Home Health Agencies
• Pharmacy
• Dentists
• Durable Medical Equipment Companies
• Health Plans

PRIVACY STANDARDS KEY FEATURES

• Protected Health Information (PHI)
• Uses & Disclosures
• Authorization
• Notice of Privacy Practices
• Minimum Necessary
• Patient Rights
• Penalties

PENALTIES

WHY YOU WANT TO READ THIS PRESENTATION

CIVIL PENALTIES

• $100 per violation per person up to a maximum of $25,000 per person per year per standard violation
• These penalties can be assessed against individual employees

CRIMINAL PENALTIES

• Up to $50,000, 1 year in prison, or both, for inappropriate use of PHI
• Up to $100,000, 5 years in prison, or both for using PHI under false pretenses
• Up to $250,000, 10 years in prison or both, for the intent to sell or use PHI for commercial advantage, personal gain, or malicious harm
• These penalties can be assessed against individual employees

PRIVACY RULE

• Regulates the internal use and external disclosure of protected health information (PHI) by organizations and their employees
• For example, PHI cannot be discussed in places like elevators, hallways, the cafeteria, or the smoking areas

EXAMPLE VIOLATION

A nurse sees an acquaintance has checked into the hospital and discovers he is scheduled for surgery. She calls a few of his friends to make sure they are aware of this, thinking they can wish him well or be of some assistance to his family.

WHAT IS PHI?
Personal Health Information

• Oral, written, and electronic communication
• Health and demographic information about an individual that is transmitted or maintained in any form where the information is created or received by a health care provider, health plan, employer or health care clearinghouse
• Includes past, present, and future health information

EXAMPLES OF PHI

• Name
• Address
• Birthdate
• Admission date
• Discharge date
• Date of death
• Telephone numbers
• Fax number
• E-mail address
• Social Security #
• Medical record #
• Account #
• Certificate/license #
• Photographs
• All clinical data

PERMITTED USES & DISCLOSURES

• Treatment
• Payment
• Health Care Operations

These are referred to as: “TPO”

OTHER USES & DISCLOSURES

• Some disclosures are mandated by law such as health oversight activities, public health concerns, FDA, etc.
• ALL OTHER USES OR DISCLOSURES OUTSIDE OF TPO REQUIRE AN AUTHORIZATION

TREATMENT (Examples)

• To a consulting physician
• To a post discharge provider such as a rehab unit, skilled unit, or home health agency
• To another department within the hospital

PAYMENT (Examples)

• Medicare/Medicaid
• Insurance Companies
• Workers’ Compensation
• Liability Carrier
• Provision of billing information to a physician who treated the patient at the hospital
• To the billing companies for the emergency room physicians or radiologists

HEALTHCARE OPERATIONS (Examples)

• Quality assessment and improvement
• Peer review and credentialing activities
• Legal services
• Auditing services
• Business planning and development

AUTHORIZATION

• Authorization must be obtained for ALL uses and disclosures other than TPO or those mandated under law.
• Authorizations must include:
  - Description of the information
  - Name of person/entity to release to
  - Expiration date
  - Information regarding right to revoke
  - Date and signature

PRIVACY NOTICE

• Every patient must receive a copy of the healthcare provider’s or institution’s privacy notice the first time they receive services (Starting: April 14, 2003)
• The notice must be posted in areas easily seen by patients
• The notice must be posted on the official website

PRIVACY NOTICE REQUIREMENTS

• Be in plain language
• Contain a description and example of TPO
• Contain a description and example of other uses and disclosures not requiring Authorization
• Include statements about an individual’s rights
• Include statements about the duties of the provider
• Describe the complaint process

MINIMUM NECESSARY

The privacy rule requires covered entities to use or disclose only the “minimum necessary” PHI to accomplish the intended purpose of the use, disclosure, or request

INTERNAL REQUIREMENTS

• Identify workforce who need access to PHI
• For each job code, limit access based on a need-to-know basis
• Employees of the healthcare service are obligated to use the access they have available to only perform their job duties.

EXTERNAL REQUIREMENTS

• Limit access to what is needed to accomplish the purpose for which the request was made
• Do not send a requestor an entire medical record if they ask for insurance information or a particular lab result

EXAMPLE VIOLATION

• You go to lunch with your friend from another department. At lunch your friend says, “We have really been busy this morning. Dr. Right saw 20 patients this morning.” You ask if Edward Stellin is Dr. Right’s patient and your friend replies, “Yes, didn’t you know he had a cholecystectomy?”

PATIENT RIGHTS

• Receive written notice of privacy practices
• Request restrictions on uses & disclosures
• Access, inspect & copy their PHI
• Request amendment or correction of their PHI
• Receive an accounting of disclosures of their PHI
• Request confidential communications

CONFIDENTIAL COMMUNICATIONS

• A patient has a right under HIPAA to request alternate methods of communication
• The hospital must honor those requests if they are reasonable

RIGHT TO INSPECT AND COPY

• Patients have the right to inspect and copy their medical information
• This includes medical and billing records, but excludes psychotherapy notes

RIGHT TO AMEND

• Patients have a right to request an amendment to their record as long as the information is kept by the hospital
• Any requests for amendments must be in writing and submitted to Medical Records
• Hospital may deny the request to amend the information

DENY REQUEST TO AMEND

• If the request is not in writing
• If the portion of the record was not created by that Institution or healthcare service originally
• If the original record is accurate and complete

RIGHT TO REQUEST RESTRICTIONS

• Patients have a right to request a restriction or limitation on the medical information the hospital uses or discloses about them for TPO
• Hospital is not required to agree to the restriction
• If hospital does agree to the restriction, they must comply with the restriction unless the information is needed to provide the patient with emergency treatment

ACCOUNTING FOR DISCLOSURES

• Under HIPAA, patients have a right to request an accounting of all disclosures we have made of their PHI
• We do not have to list those for TPO
• We must track all other disclosures
• We do have to disclose any inappropriate disclosures

INAPPROPRIATE DISCLOSURES

• If results are reported to a physician who is not that patient’s physician
• If information is faxed to the wrong fax number
• If we discover through an audit that inappropriate access has occurred
• If information is left unattended and unauthorized personnel review it

EXAMPLE VIOLATION

• There are 2 doctors with the same name – Dr. Julius H. Wrong and Dr. Julius W. Wrong. Patient of Dr. Julius H. Wrong presents for lab testing and he is incorrectly registered to Dr. Julius W. Wrong. Lab reports results to Dr. Julius W. Wrong instead of Dr. Julius H. Wrong.

REPORTING INAPPROPRIATE DISCLOSURES

• All inappropriate disclosures must be reported to the Privacy Officer
• It will be the responsibility of the Privacy Officer to log all inappropriate disclosures
• Inappropriate disclosures will be tracked by employee and appropriate disciplinary action will be taken

HOSPITAL REQUIREMENTS

• Designate a privacy officer with primary responsibility for ensuring compliance with the regulations
• Establish training programs for all members of the workforce
• Implement appropriate policies & procedures to prevent intentional and accidental disclosures of PHI

HOSPITAL REQUIREMENTS

• Establish a system for receiving and responding to complaints regarding privacy practices
• Implement appropriate discipline for violations of the privacy guidelines
• Make reasonable efforts to limit information to the minimum necessary to accomplish a person’s job

EMPLOYEE OBLIGATIONS

• Report any inappropriate disclosures or breaches of patient confidentiality to the Privacy Officer
• Sign a confidentiality statement annually
• Keep patient PHI confidential at all times
• Access information on a “need to know” basis

ENFORCEMENT

• THE PUBLIC – The public will be educated about their privacy rights and will not tolerate violations to their privacy.
• OFFICE OF CIVIL RIGHTS – They will provide guidance and monitor compliance.
• DEPARTMENT OF JUSTICE – They will be involved in criminal and privacy violations.

Additional Tips

• Accessing information
• Faxing information
• Practical information

ACCESSING RECORDS

• Records of patients should only be accessed if you have a reason to do so to perform your job duties
• You do not have the authority to access any other record just because you have the computer access. In other words, if you have access to PCI, you cannot look up your father-in-law’s records unless you need to do so to perform your job duties
• All access is monitored and audit trails do exist
• Employees have been terminated based on those audit trails

ACCESSING RECORDS

• Very important to sign off the computer when you walk away from it so others can’t use your password for inappropriate access
• Any access under your password is considered yours
• If you feel someone else has your password, contact Information Systems to have it changed
• Do not share your password with anyone

ACCESSING RECORDS

• We are no longer allowing employees access to their own record or the records of their children
• Must now go through the same process as any other patient
• Will be required to go to Medical Records to obtain records
• Some records of your child are now protected under the law and even a parent does not have access. Examples include certain psych records and HIV testing

FAXING PHI

• Whenever you are faxing PHI outside of the facility, a cover sheet must be used
• Use a cover sheet when faxing within the facility when the fax is directed towards a specific employee
• The cover sheet must be the OVHS&E cover sheet which includes appropriate HIPAA language
• Do not use any unauthorized cover sheets

FAXING PHI

• When faxing, double check the number entered prior to sending the fax
• If you realize you have faxed to the wrong number, contact them immediately and retrieve the information sent

FAXING

• Fax records only when it is absolutely necessary for the further treatment of the patient
• Fax only those records that must get there immediately

OTHER STEPS TO PROTECT THE PRIVACY OF OUR PATIENTS

• Do not leave the records of patients lying around in unsupervised areas
• If you print PHI out, destroy it immediately after you are done with it
• If you take copies of PHI to a meeting and pass them out, make sure you collect all copies at the end of the meeting and discard them appropriately
• Any copies of PHI should be shredded

PRACTICAL STEPS

• Dictation and phone calls should occur in private areas
• Cell phones should only be used in emergency situations and must be used in private areas
• Conversations among employees regarding patients must occur in private areas

PRACTICAL STEPS

• Close exam room doors whenever you are reviewing information with the patient or when you are performing a test or procedure
• Use common sense – if the roles were reversed would you feel that your privacy was being adequately protected

MESSAGES

• If you call a patient and must leave a message, leave the minimum amount of information possible
• For example, “This call is for Lee Smith, please call the Admitting Office at ”
• If you call someone and receive another member of the household, do not answer any questions such as what test they are having done or what is wrong with them, etc.

NEED TO KNOW

• Information regarding a patient should only be given to employees who have a need to know
• OR schedules, admission lists, etc. are only intended for those who need that information to perform their job duties
• As employees we are not automatically entitled to information

HOW TO REPORT

• Inappropriate disclosures or breaches of patient confidentiality should be reported to one of the following:
  - Privacy Officer
  - Department Manager
  - Compliance Hotline (8181)

HIPAA GOLDEN RULE

MAINTAIN PATIENT INFORMATION IN THE SAME MANNER YOU WOULD WANT SOMEONE TO MAINTAIN YOUR PATIENT INFORMATION

FINAL THOUGHTS

• REMEMBER – A Breach of confidentiality can be costly to the organization and to you personally
• WILL RESULT IN DISCIPLINARY ACTION – MOST LIKELY TERMINATION OF EMPLOYMENT
• Print the next slide: quiz
• Complete the quiz
• Return the quiz to your clinical instructor/supervisor

Quiz: HIPAA

Name: ____________________________________________________ Date: ____________

True or False 1. HIPAA stands for Health Insurance Protection, Action, and Accountability.

True or False 2. One purpose of HIPAA is to enhance the security and privacy of Protected Health Information (PHI).

True or False 3. The Privacy Standards component went into effect in 2008.

True or False 4. HIPAA applies to hospitals, pharmacies, health plans, and home health agencies, but NOT to physicians.

True or False 5. Discussing Protected Health Information (PHI) in the cafeteria over lunch is a violation of the Privacy Rule.

True or False 6. PHI includes any personal information about past, present, or future health information in oral, written, or electronic communications.

True or False 7. PHI includes ONLY clinical data, it DOES NOT include admission, discharge, or death dates.

True or False 8. Disclosure of PHI is permitted for Treatment, Payment, or Health Care Operations (TPO) purposes.

True or False 9. Patient authorization MUST be obtained for ALL uses and disclosures of PHI INCLUDING TPO and those mandated under law.

True or False 10. The patient has the right to inspect and copy their medical information excluding psychotherapy notes.

SCORE: _________________________
