HIPPA: Privacy and Confidentiality: Professional and Legal Responsibilities

Question 0

Includes any information that identifies or could reasonably identify an individual, his or her health/condition, treatment, or provision/payment for healthcare…

Answer 0

PHI (personal health information)

Question 1

What does PHI stand for?

Answer 1

Protected health information (PHI)

Question 2

What is defined as all individually identifiable health information created, transmitted, received, or maintained by a covered health entity?

Answer 2

Protected health information (PHI)

Question 3

What is included in identifying information?

Answer 3

-name
-address
-city
-zip code
-names of relatives
-names of employer
-birth date
-telephone number
-fax and email address
-social security number
-medical record number
-health plan beneficiary number
-account number
-certificate/license number
-any vehicle or other device serial number
-Web URL, Internet protocol address
-finger or voice print
photographic images, and any other unique identifying number, characteristic, or code

Question 4

What is PHI included on?

Answer 4

• encounter forms
• claims
• appointment schedule
• reports
• dietary cards
• requisitions
• prior authorizations
• test results
• logs
• pharmacy labels
• electronic data

Question 5

Name examples of PHI in the workplace.

Answer 5

• Communication: switchboard, hallway conversations, dictation, shift reports, telephone conversations, and meeting discussions
• Materials: medical records, meeting minutes, white boards, clinical reports, wristbands, encounter forms, medication vials, downtime logs, printers, paper files, and notes.
• Data: claims, computer screens, EKG strips, films, email, faxes. and electronic files

Question 6

When dealing with personal information, there does not have to be some middle ground between strict non-disclosure and full disclosure. True or False

Answer 6

False
When dealing with personal information, there has to be some middle ground between strict non-disclosure and full disclosure.

Question 7

Some public and private health information must be shared to properly treat populations and individuals. True or False

Answer 7

True

Question 8

With so much information now digitized, and therefore easily transmitted, must there be there be some protection of health information that must remain confidential to the individual?

Answer 8

Yes some information must remain confidential to the individual.

Question 9

Health information has one level of confidentiality. True or False

Answer 9

False… Health information has different levels of confidentiality.

Question 10

Information on HIV status or psychiatric diagnosis may have a higher level of confidentiality than something less revealing, such as a zip code. What is this an example of?

Answer 10

This is an example of the different levels of health information confidentiality.

Question 11

Some local and state laws may have higher documentation and disclosure requirement over special health information. True or False

Answer 11

True

Question 12

What is the synonym for Health Insurance Portability and Accountability Act

Answer 12

HIPPA

Question 13

When was HIPPA drafted?

Answer 13

HIPPA was drafted in 1996.

Question 14

What was HIPPA originally drafted for?

Answer 14

HIPPA was originally drafted to protect health insurance coverage for workers and families when they changed or lost their jobs

Question 15

PHI stands for Personal Health Information T/F

Answer 15

False PHI stands for Protected Health Information

Question 16

PHI is included on most healthcare forms, reports, and screens. T/F

Answer 16

True PHI is included on encounter forms, claims, appointment schedules, reports, dietary card, requisitions, prior authorizations, test results, logs, pharmacy labels, electronic data.

Question 17

All health information has the same level of confidentially T/F

Answer 17

False Health Information has different levels of confidentiality. For example, information on HIV status or psychiatric diagnosis may have a higher level of confidentiality.

Question 18

The HIPPA Security Rule requires healthcare entities to protect against any reasonably anticipated threats or hazards to PHI

Answer 18

True The security rule requires healthcare entities to ensure the confidentiality, integrity, and availability of all electronic protected health information

Question 19

HIPPA defines which types of technologies must be used to safe guard PHI

Answer 19

False One thing HIPPA does not specif is the type of technology to secure patient data. This is left to the health entities to figure out. It does specify that the technologies be appropriate to their operations and be supported by a thorough security.

Question 20

The HIPPA Privacy rule gives patients the right to request correction to their medical records.

Answer 20

True It gives them the right examine and obtain a copy of their own medical records and request corrections.

Question 21

An insurer, responsible for payment, is entitled to see all data in a patient’s health record.

Answer 21

False Generally limits release of information to a minimum needed for treatment, payment, operations.

Question 22

What data a person can see in an EHR is dependent on his or her role.

Answer 22

True The role you have will dictate what you have the right to access.

Question 23

An employee responsible for scheduling will have access to the same EHR functions as a nurse

Answer 23

False The role you have dictates the amount of patient information you have the right to access and disclose, so a scheduler on needs access to demographics and insurance information

Question 24

If you accidentally view information you should not have access to, report the event to your supervisor.

Answer 24

True

Question 25

As an employee in a healthcare organization, you have the right to access the maximum information needed to care for the patient

Answer 25

False

Question 26

If an individual access a record inappropriately, he she is protected from being fired as long as he/she has completed HIPPA training

Answer 26

False It is becoming common that immediate employment termination could be the consequence of reviewing information that you do not have the right and need to know

Question 27

HIPPA's Privacy and Security policies became law in

Answer 27

1996

Question 28

The HIPPA security rule requires healthcare entities to ensure

Answer 28

the confidentiality, integrity, and availability of PHI

Question 29

HIPPA of 1996 continues to amend with

Answer 29

HITECH

Question 30

What is Title I under HIPPA

Answer 30

Protects health insurance coverage for those who lose or change jobs

Question 31

What is Title II under HIPPA

Answer 31

Standardizes electronic data exchange and protects the confidentiality and security of health data

Question 32

What are the four Parts to Title II of HIPPA

Answer 32

* Standards for electronic transactions * Unique identifiers for providers, employers, and health plans * The security rule * The privacy rule

Question 33

HIPPA Security Rule states

Answer 33

- Security, integrity, and availability of PHI (disclosures of PHI that are not permitted - Safeguard physical access to PHI (protected networks and computers

Question 34

What is Protected Health Information and list for examples

Answer 34

- All individually identifiable health information created, transmitted, received or maintained by a healthcare institution - Identification of an individual - Health condition - Treatment - Provision/payment for healthcare

Question 35

List some examples of identifying information

Answer 35

- Name, address, city, address, county, names of relatives. names of employers, photographic images. DOB, telephone number, fax number. email address social security number, medical record number, certificate/license

Question 36

Name the Safeguards in HIPPA's security Rule

Answer 36

Administrative, Physical, Technical

Question 37

Name some examples of Administrative Safeguard

Answer 37

1. Clear roles and responsibility for who can see what information 2. Documented policies including password policies 3. Security awareness training 4. Security risk assessment 5. Privacy and Security Officer

Question 38

Name some examples of Technical Control Safeguards

Answer 38

1. Firewalls 2. Encryption - Transmission Security 3. Audit trails 4. Antivirus programs 5. Use of passwords or other authentication methods - ---ex----encryption and decryption---------

Question 39

A technical control audit trail consist of

Answer 39

- A log of each user and what is viewed and accessed in any given amount of time - Evaluated for inappropriate access to function or information

Question 40

Technical Controls consists of Data Integrity which is

Answer 40

Required to maintain data integrity so organizations should have - a disaster recovery to protect against the loss of data - ensuring data validity which means having good clean data and: - --editing against list of values - --required fields (can not go any further without being filled in - --required values - -compliance with data standards

Question 41

Technical Control Authentication consist of

Answer 41

The way a system knows who you are and what access and control to give you

Question 42

Authentication is based on

Answer 42

1. What you have (A special card or token) 2. What you know (Password or personal identification number PIN) 3. Who you are - fingerprint or other biometric scan

Question 43

Name the Do's and Don'ts of passwords

Answer 43

1. Do Not Share passwords or cards 2. Do not log on for someone else 3. Do not keep passwords in an obvious place 4. Make sure system has a time-out and auto log off 5. Use a strong password

Question 44

What are the characteristics of a strong password

Answer 44

Upper case, number and symbol

Question 45

Explain Role-Based security

Answer 45

- The job you have will dictate what you have the right to access and to disclose - ONLY access information that you absolutely need to know and have the right to know - Authentication may include electronic signature required for a document ( example is the Practice Fushion Encounter Note)

Question 46

What is the minimum necessary concept (rule)

Answer 46

In all uses/disclosures of PHI under the Privacy Rule, healthcare entities must use.disclose the minimum amount of PHI NECESSARY TO ACHIEVE THE PURPOSE OF THE USE/DISCLOSURE

Question 47

What is a Limited data set?

Answer 47

A "limited data set" means PHI with its patient identifiers removed. The Privacy Rule allows covered entities to use/disclosure limited data sets for certain purposes, if safeguards are put in place to protect the PHI remaining in the data.

Question 48

Name the allowed purposes for "limited data sets"

Answer 48

research, healthcare operations, and public health activities

Question 49

Give some examples of Physical Controls

Answer 49

-Locking down computer =Placement of computer relative to viewing by other -Computer does not allow the use of jump drives -Physically securing data center were servers are located

Question 50

Explain the HIPPA Privacy Rule

Answer 50

- Patients given more control/rights over their personal health information - Safeguards to protect the privacy of health information - Boundaries on use and release of health records - Balances public responsibility that may require disclosure of some data to protect public health - Patients have right to as to amend PHI if inaccurate or incomplete - Patients have right to request restriction on PHI disclosure, BUT covered entities so not have to agree to these requests

Question 51

What does the HIPPA Privacy Rule allow use/disclosure of PHI by a covered entity for its own:

Answer 51

T- treatment activities P- payment activities O- operations of the facility supporting healthcare activities

Question 52

CMS

Answer 52

Centers for Medicare and Medicaid Services

Question 53

EDI

Answer 53

Electronic data interchange

Question 54

EIN

Answer 54

Employer identification number

Question 55

PHI

Answer 55

Protected health information

Question 56

TPO

Answer 56

Treatment, payment or healthcare operations (to carry out)

Question 57

BAA

Answer 57

Business Associate Agreement

Question 58

Legislation focused on Privacy and Security

Answer 58

ARRA

Question 59

Uses a variety of characters

Answer 59

STRONG PASSWORD

Question 60

authorized uses for disclosure of PHI

Answer 60

TPO

Question 61

requires a key

Answer 61

ENCRYPTION

Question 62

protects against viruses

Answer 62

FIREWALL

Question 63

Used to ensure data integrity

Answer 63

REQUIRED FIELD

Question 64

type of safeguard

Answer 64

PHYSICAL

Question 65

removes patient identifiers

Answer 65

LIMITED DATA SET

Question 66

Requires additional disclosure

Answer 66

PSYCHIATRIC NOTE

Question 67

used to identify inappropriate access to PHI

Answer 67

AUDIT TRAIL

Question 68

use for authentication method

Answer 68

TOKEN

Question 69

Required before using an external transcription company

Answer 69

BAA

Question 70

identifies an individual

Answer 70

PHI

Question 71

legislation that included HITECH

Answer 71

HIPPA

Question 72

For providers and insureers, release of information is limited to the minimum needed for

Answer 72

TPO--treatment, payment, operations

Question 73

What is monitored to assess inappropriate access to a patient's record

Answer 73

audit trail

Question 74

What should the individual responsible for the security of health care data do first

Answer 74

perform a risk assessment

Question 75

Tokens and biometric devices are examples of

Answer 75

authentication methods

Question 76

For providers and insurers, release of information is limited to the minimum need for

Answer 76

TPO - treatment, payment, and operations

Question 77

Your screen saver should activate in how many minutes

Answer 77

5 minutes

Question 78

A clearinghouse that processes claims data must sign what kind of agreement

Answer 78

BAA - Business Associate Agreement

Question 79

In Practice Fusion assignment where each physician sent a SOAP Note to the instructor what was the security risk?

Answer 79

Lack of encryption, ability of instructor to download the SOAP note to a personal hard drive

Question 80

Encryption requires use of

Answer 80

a key

Question 81

The last steps in your workday should be to

Answer 81

ensure the computer is physically secure, complete a full logoff to the system