Regulatory Compliance & Quality - Section 3: HIPAA

Question 1

What are the 3 rules in HIPAA governing data privacy and security?

Answer 1

Privacy, security, and breach notification

Question 2

True or False:

Clinics must have policies and procedures to address the privacy, security, and breach notification rules as well as documentation of implementation

Answer 2

True

Question 3

Clinic must have policies and procedures to address the privacy, security, and breach notification HIPAA rules, as well as documentation of ___

Answer 3

Implementation

Question 4

Which rule addresses all forms of protected health information - paper, electronic, and oral

Answer 4

Privacy Rule

Question 5

Which rule stipulates that safeguards must be implemented to prevent uses and disclosures of a patient’s protected health information without the patient’s authorization or expressed authorization within the rule itself.

Answer 5

Privacy Rule

Question 6

True or False:

The Privacy Rule stipulates that there are instances in which the patient’s permission to disclose protected health information is not required

Answer 6

True

Question 7

The Security Rule applies only to ___ forms of PHI

Answer 7

Electronic

Question 8

The primary goal of the Security Rule is to protect the privacy of individuals PHI while allowing covered entities to adopt new technologies for what purpose?

Answer 8

To improve the quality and efficiency of patient care

Question 9

Given tat the health care marketplace is diverse, the Security Rule is designed to be ___ and ___ so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ E-PHI

Answer 9

Flexible and scalable

Question 10

Breach notification objectives require covered entities and their business associates to report breaches in privacy or security due to ___ health information

Answer 10

Unprotected

Question 11

There is a set of ___ individually identifiable health information that could be used to identify a patient

Answer 11

18

Question 12

These are the safeguards that HIPAA expects to be in place

Answer 12

Standards

Question 13

The steps needed to achieve the requirements of a given standard

Answer 13

Implementation specification

Question 14

All standards are ___

Answer 14

Required

Question 15

Some implementation specifications are ___, which means that you must implement those standards

Answer 15

Required

Question 16

Addressable does not mean ___

Answer 16

Optional

Question 17

Addressable means that you must perform an assessment to determine if the implementation specification is ___ and ___ for your organization

Answer 17

Appropriate and reasonable

Question 18

Health plans, clearinghouses, and providers which electronically transmit or receive any PHI

Answer 18

Covered entity

Question 19

What are 3 examples of a covered entity?

Answer 19

Health plans, clearinghouses, and providers

Question 20

Any organization or process working in an association with or providing services to a covered entity who handles or discloses PHI or personal health records

Answer 20

Business associate

Question 21

What are the 3 situations when patients should receive the Notice of Privacy Practices?

Answer 21

The first time they visit the clinic, with every revision, and upon request

Question 22

Post the Notice of Privacy Practices in a ___ area of your clinic

Answer 22

Visible

Question 23

If you have a website, should you post the Notice of Privacy Practices on the website?

Answer 23

Yes

Question 24

True or False:

The Notice of Privacy Practice must contain the following statement: “This notice describes how medical information about you may be used and disclosed and how you can get access to this information, Please review it carefully.”

Answer 24

True

Question 25

A description and at least ___ example of the types of uses and disclosures that your clinic uses PHI for: treatment, payment, and healthcare options

Answer 25

One

Question 26

True or False: Notice of Privacy Practices Uses and Disclosures should include a statement and example of uses and disclosures that do and do not require authorization

Answer 26

True

Question 27

NPP Individual Rights Request ___ on certain uses and disclosures of PHI, including a statement that your clinic does not have to agree to a requested restriction

Answer 27

Restrictions

Question 28

True or False: If a patient requests restrictions on certain uses and disclosures of PHI, your clinic must agree to it

Answer 28

False; your clinic does not have to agree to a requested restriction

Question 29

NPP Individual Rights ``` Receive ___ communications Right to ___ and ___ PHI Right to request an ___ to PHI Right to receive an accounting of ___ Right to receive your NPP ___ and/or upon ___ ```

Answer 29

``` Confidential Inspect and copy Amendment Disclosures Electronically and/or upon request ```

Question 30

NPP Complaints Information on how to file a privacy/security complaint with your clinic and with the ___ of ___

Answer 30

Secretary of HHS

Question 31

NPP Contact Contact information for the person in your clinic responsible for ___ Does not have to include their name, but must include a title such as "___ ___"

Answer 31

Privacy | Privacy Officer

Question 32

NPP Effective date The date the NPP became ___ and the date it was last ___

Answer 32

Effective | Revised

Question 33

Who should access to PHI be limited to?

Answer 33

Those with a legitimate reason within their job duties to see PHI

Question 34

Limit disclosures of PHI in your clinic to the amount reasonably necssary to achieve the purpose of ____ (i.e., referrals to other providers, disclosures to payers)

Answer 34

Disclosure

Question 35

Develop a ___ (or policy) designed to limit the PHI within a given disclosure or access to PHI

Answer 35

Criteria

Question 36

The business record generated at or for a healthcare organization

Answer 36

Legal record set

Question 37

The record that would be released upon receipt of a request

Answer 37

Legal record set

Question 38

The officially declared record of healthcare services provided to an individual delivered by a provider

Answer 38

Legal record set

Question 39

A group of records maintained by or for a covered entity that is the medical and billing records about individuals; enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; information used in whole or in part by or for the HIPAA covered entity to make decisions about individuals

Answer 39

Designated record set

Question 40

What is the purpose of the designated record set?

Answer 40

To comply with the Privacy Rule requirements for uses, disclosures, patient right of access and amendment

Question 41

The contents of a designated record set are not supported for ___ requests for disclosures

Answer 41

External

Question 42

A partially de-identified record

Answer 42

Limited record set

Question 43

The following record types are included in the designated record set: ___ record ___ clinical data ___ records and reports

Answer 43

Clinical Source External

Question 44

A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity

Answer 44

Business associate

Question 45

A member of a covered entity's workforce IS or IS NOT a business associate

Answer 45

Is not

Question 46

True or False You must enter into a BAA with every business associate

Answer 46

True

Question 47

You should periodically ___ your BAAs

Answer 47

Review

Question 48

You should periodically assess your business associate's ___ with your BAA

Answer 48

Compliance

Question 49

True or False Patient do not have the right to access their designated record set

Answer 49

False; do have the right to access

Question 50

Requests to release PHI to patients or personal representative must be done in ___

Answer 50

Writing

Question 51

Patients should be provided access to their PHI within ___ calendar days of the request (___ 30-day extension is permissible under certain circumstances)

Answer 51

30 | One

Question 52

True or False OCR is increasing enforcement on patient access to records

Answer 52

True

Question 53

Provision, coordination, or management of healthcare and related services amount healthcare providers, provider with a third party, or consultation between healthcare providers

Answer 53

Treatment disclosure

Question 54

Referrals from one healthcare provider to another DO or DO NOT require authorization from the patient

Answer 54

Do not

Question 55

Activities involved to obtain payment or be reimbursed for their services: Determining ___ or ___ Billing and ___ activities Reviewing healthcare services for medical ___, coverage, justification for charges Utilization ___ Disclosure to ___ reporting agencies Verify dates of ___ prior to disclosing patient information to payer

Answer 55

``` Eligibility or coverage Collection Necessity Review Consumer Coverage ```

Question 56

Healthcare operations disclosure: Conducting ___ assessment and improvement activities Patient ___ activities Protocol ___ Case ___ Reviewing the competence or ___ of healthcare professionals Training ___ Accreditation, certification, licensing, or ___ activities Fraud and abuse ___ and compliance programs Conducting or arranging for medical ___ Business planning and ___

Answer 56

``` Quality Safety Development Management Qualifications Programs Credentialing Detection Review Development ```

Question 57

A clinic may ___ choose to obtain a patient's consent, even when not required, to release PHI

Answer 57

Voluntarily

Question 58

Patients have the right to request ___ on how your clinic uses and discloses their information

Answer 58

Restrictions

Question 59

Patients have the right to request restrictions on how your clinic uses and discloses their information. You are not required to adhere to such requests, but you are ___ by any restrictions you agree to

Answer 59

Bound

Question 60

Patient have the right to pay in ___ for their treatment and limit or restrict disclosures to their ___ company

Answer 60

Full | Insurance

Question 61

RHCs may charge patients a ___ fee for copies of their record

Answer 61

Reasonable

Question 62

RHCs MAY or MAY NOT withhold patient records if they have not paid for services rendered

Answer 62

May not

Question 63

RHCs may not charge patients for accessing records. They can only charge for what?

Answer 63

For costs associated with making copies and supplies required to make the copies

Question 64

Acceptable fees for record copies: ___ for copying the PHI (does not include the costs for retrieving the records) Supplies for ___ (paper, ink, USB drive, or other paper or electronic medium supplies necessary to process the request) Labor to prepare a ___ of explanation of PHI ___ when records are requested to be mailed

Answer 64

Labor Copying Summary Postage

Question 65

Acceptable labor charges for record copies: ___ PHI Scanning paper PHI into ___ format Converting electronic PHI from one format into the format ___ by the individual Transferring electronic PHI to a ___ portal Creating and executing a mailing or ___ of PHI

Answer 65

``` Photocopying Electronic Requested Web Emailing ```

Question 66

Labor charges for record copies do NOT include ___ the request

Answer 66

Reviewing

Question 67

Labor charges for record copies do NOT include searching for, retrieving, or otherwise ___ for processing the request

Answer 67

Preparing

Question 68

Labor charges for record copies do NOT include information already electronically ___ through the RHC's patient portal

Answer 68

Available

Question 69

If the RHC chooses to charge for record copies, when must it inform the patient of this?

Answer 69

At the time of the request the patient must be informed that charges apply to record copies

Question 70

What are the 3 manners to charge for record copies? ___ cost - the actual cost of labor and supplies ___ cost - in lieu of calculating actual costs, RHC may create a table of average labor and supply costs for similar record copy requests ___ fee - RHC may choose to charge a flat fee of $6.50 for record copies inclusive of all labor and supplies

Answer 70

Actual Average Flat

Question 71

If the RHC chooses to charge for records, it must apply across ___ patients for similar record requests

Answer 71

All

Question 72

Within the Security Rule, what are the 3 safeguards?

Answer 72

Administrative, physical, and technical

Question 73

The Security Rule only applies to ___ PHI

Answer 73

Electronic

Question 74

What are the 2 types of implementation specification in the Security Rule?

Answer 74

Required and addressable

Question 75

Addressable does not mean ___

Answer 75

Optional

Question 76

For implementation specifications, your clinic must assess whether or not the specification is ___ in your clinic

Answer 76

Reasonable

Question 77

For implementation specifications, your clinic must assess whether or not the specification is reasonable in your clinic. If it is deemed to not be reasonable, you must implement an ___ process to achieve the goal and ___ the reasoning on why you have opted to not implement the specification

Answer 77

Alternate | Document

Question 78

Administrative safeguards | ___ implementation specifications

Answer 78

23

Question 79

Physical safeguards | ___ implementation specifications

Answer 79

10

Question 80

Technical safeguards | ___ implementation specifications

Answer 80

9

Question 81

Your security program should include the following requirements: Security risk ___ Creating a risk ___ plan Creating ___ and procedures

Answer 81

Analysis Management Policies

Question 82

How does your security program being?

Answer 82

By conducting a risk analysis

Question 83

Your security program will be built to protect against discovered or potential ___ and vulnerabilities

Answer 83

Threats

Question 84

Security rule basis - the risk analysis Identify ___ threats and vulnerabilities to your clinic Create a risk management plan to mitigate identified or potential ___ and vulnerabilities Adopt or create policies/procedures which address ___ issues

Answer 84

Realistic Threats Security

Question 85

True or False HIPAA requires an annual risk analysis

Answer 85

False; does not require an annual risk analysis

Question 86

True or False Your EMR does not conduct your risk analysis for you

Answer 86

True

Question 87

True or False There are many ways to conduct a risk analysis

Answer 87

False

Question 88

HIPAA requires all clinics to send out periodic ___ ___

Answer 88

Security reminders

Question 89

HIPAA requires you to train your employees on what?

Answer 89

YOUR security and privacy procedures - not just a HIPAA 101

Question 90

Having policies in place is just a ___ of your HIPAA compliance obligation

Answer 90

Fraction

Question 91

Why must your clinic develop a plan of implementation?

Answer 91

To ensure your clinic and staff are adhering to your policies and procedures

Question 92

You should ___ your implementation efforts

Answer 92

Document

Question 93

Train your staff on your policies and procedures. HIPAA ___ training is not sufficient to train your staff on how to protect the privacy and security of your patient information

Answer 93

Basic