HIPAA

The documentation for policies and procedures of the Security Rule must be kept for....

6 years.

Another name for the Title II portion of HIPAA law is....

Administrative Simplification

The Medicare Electronic Health Record Incentive Program is part of the Affordable Care Act (ACA) and is under the direction of

Centers for Medicare and Medicaid Services (CMS).

What step is part of reporting of security incidents?

Change passwords to protect from further invasion.

The adopted standard identifier for employers is the

EIN.

The main reason for unique identifiers is so....

Each entity on a standard transaction will be uniquely identified.

"At home" workers such as transcriptionists are not required to follow the workstation security rules for passwords, viewing of monitors by others, or locking of computer screens.

False

A refusal by a patient to sign a receipt of the NOPP allows the physician to refuse treatment to that patient.

False

In HIPAA usage, TPO stands for treatment, payment, and optional care.

False

The response, "She was taken to ICU because her diabetes became acute" is an example of HIPAA-compliant disclosure of information.

False

The source documents for original federal documents such as the Federal Register can be found at

Government Printing Office Web site.

What is a major point of the Title I portion of HIPAA?

Guarantee of renewability

Under HIPAA, providers may choose to submit claims either on paper or electronically.

HIPAA officer

What is the name of the format that allows other providers to access another physician's record of a patient?

Health Information Exchange (HIE)

The Centers for Medicare and Medicaid Services (CMS) set up the ICD-9-CM Coordination and Maintenance Committee to

Maintain a crosswalk between ICD-9-CM and ICD-10-CM.

HIPAA training is

Mandated by law to be reviewed periodically with all employees and staff.

List the four key words that summarize the areas of health care that HIPAA has addressed.

Privacy, Transactions, Security, Identifiers

Under HIPAA, members of the press can....

Receive the same information as any other person would when asking for a patient by name.

Keeping e-PHI secure includes which of the following?

Safeguards are in place to protect e-PHI against unauthorized access or loss.

Coded identifiers for all parties included in a claims transaction are needed to

Simplify electronic transmission of claims information

Health care professionals have generally found that HIPAA has simplified claims submissions.

True

Protected health information (PHI) requires an association between an individual and a diagnosis.

True

During an investigation by the Office for Civil Rights, each provider is expected to have the following EXCEPT

a workforce trained in state law.

Which group of providers would be considered covered entities?

a. Rehabilitation center, same-day surgical center, mental health clinic b. Clinical laboratory, durable medical equipment store, rural-based physician c. Home help personnel assisting homebound patients, ambulance service, clinic pharmacy d. All of the above

Integrity of e-PHI requires confirmation that the data

is accurate and has not been altered, lost, or destroyed in an unauthorized manner.

Including employers in the standard transaction

is necessary for Workers' Compensation claims and when verifying enrollment in a plan.

The required areas of the Security Rule

must be achieved and documented.

Which safeguard is not required for patients to access their Patient Portal...

Provider key

HIPAA training must be provided to....

all workforce employees and nonemployees.

Which federal office has the responsibility to enforce updated HIPAA mandates?

OCR

Which group is not one of the three covered entities?

Patients

Which law takes precedence when there is a difference in laws?

State law when it is more restrictive

Use and disclosure of PHI is permitted without authorization with the EXCEPTION of which of the following?

When releasing process or psychotherapy notes

Since 1996 when HIPAA was written, why are more laws passed relating to HIPAA regulations?

a. New technologies are developed that were not included in the original HIPAA

What type of health information does the Security Rule address?

Electronic PHI held by a covered entity

The acronym EDI stands for

Electronic data interchange.

Which of the following items is a technical safeguard of the Security Rule?

Entity authentication

All four parties on a health claim now have unique identifiers.

False

All four types of entities written in the original law have been issued unique identifiers.

False

An employer who has fewer than 50 employees and is self-insured is a covered entity.

False

If a business visitor is also a Business Associate, that individual does not need to be escorted in the building to ensure protection of PHI.

False

If a medical office does not use electronic means to send its insurance claims, it is considered a covered entity.

False

Prescriptions may only be picked up by the patient to protect the privacy of the individual's health information.

False

Requirements that are identified as "addressable" under the Security Rule may be omitted by the Security Officer.

False

Risk management for the HIPAA Security Officer is a "one-time" task.

False

Security and privacy of protected health information really cover the same issues.

False

Protected health information (PHI) includes....

Both medical and financial records of patients.

A covered entity does not have to disclose PHI to the Office for Civil Rights if they come to investigate a complaint. That is not allowed by HIPAA law.

False

Choose the correct acronym for Public Law 104-91.

HIPAA

Patients are given access to their physician's EMR to view their own records through a (an)...

Patient portal.

During an investigation by the Office for Civil Rights, the inspector will depend upon the HIPAA Officer to know the details of the written policies of the organization.

True

With the ruling in the Omnibus Rule of 2013, any genetic information is now covered by HIPAA Privacy and Security Rule.

True

What does HIPAA define as a "covered entity"? a. Health care clearinghouse b. Health plan c. Patient d. Provider e. a, b, and d f. c and d

e. a, b, and d

Medical identity theft is...

obtaining personal medical information for use in submitting false claims or seeking medical care or goods.

The Office for Civil Rights receives complaints regarding the Privacy Rule. About what percentage of these complaints have been ruled either no violation or the entity is working toward compliance?

About 75%

To comply with HIPAA, it is vital to... a. Maintain integrity and security of protected health information (PHI). b. Ensure that protected health information (PHI) is kept private. c. Use proper codes to secure payment of medical claims.

All of the above

How many titles are included in the Public Law 104-91?

7

Risk analysis in the Security Rule considers

a balance between what is cost-effective and the potential risks of disclosure.

Many pieces of information can connect a patient with his diagnosis. Which pair does not show a connection between patient and diagnosis?

Phone number and provider name

HIPAA serves as a national standard of protection.

True

When patients "opt-out" of the facility directory, it means...

their name will not be disclosed on a published list of patients being treated at the facility.

When there is an alleged violation to HIPAA Privacy Rule....

there is no option to sue a health care provider for HIPAA violations.

Access privilege to protected health information is

what allows an individual to enter a computer system for an authorized purpose.

A signed receipt of the facility's Notice of Privacy Practices (NOPP) is mandated by the Privacy Rule in order for a patient to receive services from a health care provider.

False

According to HIPAA, written consent is required for treatment of a patient.

False

Financial records fall outside the scope of HIPAA.

False

HIPAA allows disclosure of PHI in many new ways.

False

The Office of HIPAA Standards seeks voluntary compliance to the Security Rule.

True

Medical identity theft is a growing concern today for health care providers.

True

For individuals requesting to amend their medical record

the provider has the option to reject the amendment.

Genetic information is

Unique information about you and the characteristics found in your DNA.

Meaningful Use program included incentives for physicians to begin using all but which of the following?

Voice mail messages

Privacy of PHI includes

both medical and financial records of patients.

COBRA (Consolidated Omnibus Budget Reconciliation Act of 1985) helps workers who have coverage with a....

group health plan.

Business Associate contracts must include

implementation of safeguards to ensure data integrity.

HIPAA requires that using unique identifiers

improve efficiency, effectiveness, and safety of the health care system.

Funding to pay for oversight and compliance to HIPAA is provided by...

monies received from government to pay for HIPAA services.

A hospital or other inpatient facility may include patients in their published directory

only when the patient or family has not chosen to "opt-out" of the published directory.

Electronic messaging is one important means for patients to confer with their physicians. What platform is used for this?

patient portal

Use of e-mail for transmitting PHI is...

permitted only if a security algorithm is in place.

A HIPAA investigator seeks to find willingness in each organization to comply with what is------- for their particular situation.

reasonable

When visiting a hospital, clergy members

receive a list of patients who have identified themselves as members of the same particular denomination.

Whenever a device has become obsolete, the Security Office must....

record when and how it is disposed of and that all data was deleted from the device.

The HIPAA Security Officer is responsible for

safeguarding all electronic patient health information.

To ensure minimum opportunity to access data, passwords......

should be changed every ninety days or sooner.

In keeping with the "minimum necessary" policy, an office may leave....

the date, time, and doctor's name on voicemail.

Which are the five areas the DHHS has mandated each covered entity to address so that e-PHI is maintained securely?

Organization requirements; policies, procedures, and documentation; technical safeguards; administrative safeguards; and physical safeguards

The purpose of health information exchanges (HIE) is so

Other health care providers can access the medical record of a patient for better coordination of care.

The Department of Health and Human Services (DHHS) is responsible to notify all health care providers of changes in the HIPAA rulings.

False

Record of HIPAA training is to be maintained by a health care provider for

6 years.

Which organization directs the Medicare Electronic Health Record Incentive Program?

CMS

HIPAA Security Rule applies to data contained in...

any computer storage media.

The Security Officer is responsible to review all...

Business Associate contracts for compliancy issues.

Complaints about security breaches may be reported to...

Office of E-Health Standards and Services.

Enforcement of the unique identifiers is under the direction of

Office of E-Health Standards and Services.

Investigation of complaints of violations to the Security Rule are under the direction of the...

Office of HIPAA Standards.

Fraud and abuse investigation of HIPAA Privacy Rule is under the direction of

Officer for Civil Rights.

According to an AHIMA report, the most common problem that health care providers face in relation to PHI is....

lack of a standardized process to release PHI.

A result of this federal mandate brought increased transparency and better efficiency, and empowered patients to utilize the electronic health record of their physician to view their own medical records. This mandate is called

meaningful use

Medical Savings Account (now Health Savings Account) is a means to shelter funds from taxes to pay for....

medical expenses.

Psychotherapy notes or process notes include

the therapist's impressions of the patient.

The Employer Identification Number (EIN) contains...

two digits, a hyphen, then nine other digits without intelligence.

Which governmental agency wrote the details of the Privacy Rule?

Department of Health and Human Services

What year did Public Law 104-91 pass both houses of Congress?

1996

The Health Information Technology for Economic and Clinical Health (HITECH) is part of...

American Recovery and Reinvestment Act (ARRA) of 2009.

The HIPAA Security Officer is to see that each job description is evaluated to...

Disclose the "minimum necessary" PHI to perform the particular job function.

When a patient is transferred to another facility, access to the medical records by the receiving facility is no longer permitted under HIPAA.

False

One benefit of personal health records (PHR) is that...

Each patient can add or adjust the information included in the record.

The ability to continue after a disaster of some kind is a requirement of Security Rule. What item is considered part of the contingency plan or business continuity plan?

Emergency mode operation plan

Compliance to the Security Rule is solely the responsibility of the Security Officer.

False

Research organizations are permitted to receive

a limited data set that has been de-identified for research purposes.

What is the intent of the clarification Congress passed in 1996?

d. To mandate that medical billing have a nationwide standard to transmit electronically using electronic data interchange

Consent as defined by HIPAA is for..... a. permission to reveal PHI for payment of services provided to a patient. b. permission to reveal PHI for comprehensive treatment of a patient. c. permission to reveal PHI for normal business operations of the provider's facility. d. all of the above. e. both A and B

d. all of the above.

All health care staff members are responsible to..... a. Protect access to the electronic devices assigned to them. b. See that patients are given the Notice of Privacy Practices for their specific facility. c. Be aware of HIPAA policies and where to find them for reference. d. Report any incident or possible breach of protected health information (PHI). e. All of the above.

e. All of the above.

The implementation of unique Health Plan Identifiers (HPID) was mandated in which ruling?

Affordable Care Act (ACA) of 2009

Which federal act mandated that physicians use the Health Information Exchange (HIE)?

Affordable Care Act (ACA) of 2010

Health Information Exchanges (HIE) are designed to allow authorized physicians to exchange health information. Which federal law(s) influenced the implementation and provided incentives for HIE? a. American Recovery and Reinvestment Act (ARRA) of 2009 b. Affordable Care Act (ACA) of 2009 c. Omnibus Rule of 2013 d. All of these

All of these

The Meaningful Use mandate is part of

American Recovery and Reinvestment Act (ARRA) of 2009.

What government agency approves final rules released in the Federal Register?

Department of Health and Human Services

A workstation login and password should be set to allow access to information needed for the particular location of the workstation, rather than the job description of the user.

False

Any changes or additions made by patients in their Personal Health record are automatically updated in the Electronic Medical Record (EMR).

False

Closed circuit cameras are mandated by HIPAA Security Rule.

False

Covered entities who violate HIPAA law are only punished with civil, monetary penalties.

False

If a covered entity has disclosed some protected health information (PHI) in violation of HIPAA, a patient can sue the covered entity for damages.

False

Notice of Privacy Practices (NOPP) must be given to patients every time they visit the facility.

False

Only a serious security incident is to be documented and measures taken to limit further disclosure.

False

Only monetary fines may be levied for violation under the HIPAA Security Rule.

False

The HITECH (Health Information Technology for Economic and Clinical Health) mandates all health care providers adopt high standards of technology without any compensation for the cost to individual providers.

False

The Office of HIPAA Standards may not initiate an investigation without receiving a formal complaint.

False

How can you easily find the latest information about HIPAA?

From Department of Health and Human Services website

Which federal government office is responsible to investigate HIPAA privacy complaints?

Office for Civil Rights

Enforcement of Health Insurance Portability and Accountability Act (HIPAA) is under the direction of....

Office for Civil Rights (OCR)

Which federal government office is responsible to investigate non-privacy complaints about HIPAA law?

Office of E-Health Services and Standards.

After a patient downloads personal health information, all the Security and Privacy measures of HIPAA are gone.

True

Faxing PHI is still permitted under HIPAA law.

True

HIPAA seeks to protect individual PHI and discloses that information only when it is in the best interest of the patient.

True

One good requirement to ensure secure access control is to install automatic logoff at each workstation.

True

One reason not to use the SSN for patient identifiers is that there is no check digit for verification of the number.

True

Some covered entities are exempted under HIPAA from submitting claims electronically using the standard transaction format.

True

The Centers for Medicare and Medicaid Services (CMS) have information on their Web site to help a HIPAA Security Officer know the required and addressable areas of securing e-PHI.

True

The HIPAA Privacy Rule gives patients assurance that their personal health information will be treated the same no matter which state or organization receives their medical information.

True

There is a 24-month grace period after the effective date for the HIPAA rules before a covered entity must comply with the ruling.

True

Under HIPAA, all covered entities will be treated equally regarding payment for health care services.

True

Written policies are a responsibility of the HIPAA Officer.

True

American Health Information Management Association (AHIMA) has found that the problems of complying with HIPAA Privacy Rule are mainly those that

account for the release of PHI.

The policy of disclosing the "minimum necessary" e-PHI addresses....

authorizing personnel to view PHI.

Physicians were given incentives to use "e-prescribing" under which federal mandate?

b. Health Information Technology for Economic and Clinical Health (HITECH)

Typical Business Associate individuals are

biometric device repairmen, legal counsel to a clinic, and outside coding service.

Telemedicine videoconference tapes are

covered by HIPAA Security Rule if they are not erased after the physician's report is signed.

Responsibilities of the HIPAA Security Officer include

developing and implementing policies and procedures for the facility.

Protected health information is an association between a(n)

diagnosis and an individual.

The long range goal of HIPAA and further refinements of the original law is... a. So all patients can maintain their own personal health record (PHR). b. To develop interoperability so all medical information is electronic. c. To develop health information exchanges (HIE) for providers to view the medical records of other providers for better coordination of care. d. To have the electronic medical record (EMR) used in a meaningful way. e. All of the above

e. All of the above

Filing a complaint with the government about a violation of HIPAA is possible...

if you access the Web site to complete an official form.

Written policies and procedures relating to the HIPAA Privacy Rule

must be available to all employees.

Health plan identifiers defined for HIPAA are....

the HPID (health plan identifier).

The HIPAA Privacy Officer is responsible for....

tracking who has access to PHI.

Audit trails of computer systems include

who logged in, what was done, when it was done, and what equipment was accessed.

When policies for a facility are in both ------and ------form, the Office for Civil Rights will assume the policies are the most trustworthy.

written/electronic

A health care clearinghouse functions as

An intermediary to submit claims on behalf of a provider

The Administrative Safeguards mandated by HIPAA include which of the following?

Workforce security training

The National Provider Identifier (NPI) issued by Centers for Medicare and Medicaid Services (CMS) replaces only those numbers issued by private health plans.

False

The Security Rule requires that all paper files of medical records be copied and kept securely locked up.

False

The new National Provider Identifier (NPI) has "intelligence" that allows you to find out the provider's specialty.

False

The unique identifier for employers is the Social Security Number (SSN) of the business owner.

False

To protect e-PHI that is sent through the Internet, a covered entity must use encryption technology to minimize the risks. E-PHI that is "at rest" must also be encrypted to maintain security.

False

When a patient refuses to sign a receipt of the NOPP, the facility will ask the patient to leave since they cannot treat the patient without a signature.

False

When registering a patient for outpatient or inpatient services, the office does not need to enter complete information prior to the encounter. It can be found out later.

False

When there is a difference in state law and HIPAA, HIPAA will always supersede the local or state law.

False

The law Congress passed in 1996 mandated identifiers for which four categories of entities?

Health care providers, health plans, patients, employers

What are the three types of covered entities that must comply with HIPAA?

Health plans, health care providers, and health care clearinghouses

Reliable accuracy of a personal health record is limited

Since the electronic medical record (EMR) is the legal medical record kept by each provider who generated the record.

If an individual feels that a covered entity has violated the HIPAA Privacy Rule, a complaint is to be filed with the

Office for Civil Rights

What specific government agency receives complaints about the HIPAA Privacy ruling?

Office for Civil Rights

Any Business Associate who finds a breach of protected health information (PHI) must report it to....

The covered entity responsible for the original health information.

All covered entities must keep e-PHI secure to ensure data integrity, yet keep it available for access by those who treat patients.

True

Home help personnel, taxicab companies, and carpenters may fit the definition of a covered entity.

True

Privacy Rule covers disclosure of protected health information (PHI) in any form or media.

True

Risk management, as written under Administrative Safeguards, is a continuous process to re-evaluate electronic hardware and software for possible weaknesses in security.

True

An emancipated minor is

a person younger than 18 who is totally self-supporting and possesses decision-making rights.

If there has been a breach in the security of medical information systems, what are the steps a covered entity must take?

A written report is created and all parties involved must be notified in writing of the event.

What are the three areas of safeguards the Security Rule addresses?

Administrative, physical, and technical safeguards

Regarding the listed disclosures of their PHI, individuals may see

All disclosures, authorized or not.

The minimum necessary policy encouraged by HIPAA allows disclosure of

Enough PHI to accomplish the purposes for which it will be used.

Protecting e-PHI against anticipated threats or hazards

Ensures data is secure, and will survive with complete integrity of e-PHI.

Which is not a responsibility of the HIPAA Officer?

Ensuring all wastepaper is shredded

Compliance with the Security Rule is the sole responsibility of the Security Officer.

False

If a patient does not sign the receipt of a Notice of Privacy Practices (NOPP), the physician can refuse to treat the patient under HIPAA law.

False

Insurance companies who provide automobile and life insurance come under the HIPAA ruling as covered entities.

False

It is possible for a first name and zip code to be considered individually identifiable health information (IIHI).

False

Nursing notes are not considered PHI since they are not physician's notes and therefore are not protected by HIPAA.

False

Only clinical staff need to understand HIPAA.

False

State or local laws can never override HIPAA.

False

The Regional Offices of the Centers for Medicare and Medicaid Services (CMS) are the only way to contact the government about HIPAA questions and complaints.

False

With the passage of HIPAA, large health care providers would be treated with faster service since their volume of claims is larger than small rural providers.

False

The Privacy Rule a. applies only to protected health information (PHI). b. establishes policies for covered entities. c. details when authorization to release PHI is needed. d. none of the above. e. both answers A and C.

both answers A and C.

PHI (protected health information) is

c. health information related to a physical or mental condition.

What are the main areas of health care that HIPAA addresses? Select the best answer.

d. Identifiers, electronic transactions, security of e-PHI, and privacy of PHI

The HIPAA Officer is responsible to train which group of workers in a facility? a. Nursing staff, radiology department staff, laboratory staff, and medical staff b. Housekeeping staff and maintenance staff c. Office workers (medical records and business office/patient accounts staff) d. a and c e. a, b, and c

e. a, b, and c

Which group is the focus of Title I of HIPAA ruling?

Health plans

What information is not to be stored in a Personal Health Record (PHR)?

Tax return information

The act of changing readable text into a vast series of "garbled" characters using complex mathematical algorithms is called...

encryption

The Personal Health Record (PHR) is the legal medical record.

False

What is the difference between Personal Health Record (PHR) and Electronic Medical Record (EMR)?

PHR can be modified by the patient; EMR is the legal medical record

Who is responsible to update and maintain Personal Health Records?

Patient

The Security Officer is to keep record of.....

all computer hardware and software used within the facility when it comes in and when it goes out of the facility.

Standardization of claims allows covered entities to... a. communicate efficiently and quickly, which saves time and money. b. save the cost of new computer systems. c. simplify the billing process since all claims fit the same format. d. all of the above. e. both A and C.

e. both A and C.

Two of the reasons for patient identifiers are

enhanced quality of care and coordination of medications to avoid adverse reactions.

Reasonable physical safeguards for patient care areas include....

having monitors turned away from viewing by visitors.

What are the three covered entities that must comply with HIPAA?

health plan, health care provider, health care clearinghouse

Who in the health care organization is responsible to know where the written policies are located regarding HIPAA compliance?

All staff members, paid or not paid

Requesting to amend a medical record was a feature included in HIPAA because of

possible difference in opinion between patient and physician regarding the diagnosis and treatment.

The HIPAA definition for marketing is when

A patient is encouraged to purchase a product that may not be related to his treatment.

Which is the most efficient means to store PHI?

Electronic storage

Authorization is not needed to disclose protected health information (PHI) in which of the following circumstances?

Patient treatment, payment purposes, and other normal operations of the facility

The minimum penalty per incidence for violations that the Office for Civil Rights finds for noncompliance to the Privacy Rule is...

$100.

Health care providers set up patient portals to

Allow patients secure, encrypted access to their own medical record held by the provider.

The purpose of Health Information Exchange (HIE) is to facilitate secure encrypted transport of health information between...

Authorized providers treating the same patient.

HIPAA in 1996 enacted security measures that do not need updating and are valid today as written.

False

Strengthened restrictions on security redefined the subcontractors of business associates who might have even incidental exposure to Personal Health Information (PHI) as...

Business associates.

Which government department did Congress direct to write the HIPAA rules?

Department of Health and Human Services

Where is the best place to find the latest changes to HIPAA law?

Department of Health and Human Services (DHHS) Website

Questions other people have asked about HIPAA can be found by searching FAQ at...

Department of Health and Human Services Web site.

The Security Rule addresses four areas in order to provide sufficient physical safeguards. Which of the following is NOT one of them?

Electronic signatures

The HIPAA Security Officer has many responsibilities. Which of the following is not a job of the Security Officer?

Ensure that authorizations to disclose protected health information (PHI) are compliant with HIPAA rules

Genetic Information is now protected as all other Personal Health Information (PHI) with the passing of which federal law?

Omnibus Rule of 2013

If any staff member is found to have violated HIPAA rules, what is a possible result?

The incident retained in personnel file and immediate termination

A health care provider who is compliant with the Privacy and Security Rules of HIPAA has greatly improved protection against medical identity theft.

True

Administrative Simplification focuses on reducing the time it takes to submit health claims. The unique identifiers are part of this simplification.

True

One additional benefit of completely electronic medical records is that more accurate data can be obtained from a greater population, so efficient research can be done to improve our country's health status.

True

One process mandated to health care providers is writing prescriptions via e-prescribing.

True

Security of e-PHI has to do with keeping the data secure from a breach in the information system's security protocols.

True

Administrative Simplification means that all

health claims will be submitted on the same form.

Congress passed HIPAA to focus on four main areas of our health care system. They are to

keep electronic information secure, keep all information private, allow continuation of health coverage, and standardize the claims process.

Information access is a required administrative safeguard under HIPAA Security Rule. It is defined as

limiting access to the minimum necessary for the particular job assigned to the particular login.

Use of the EIN on a standard transaction is required

when the sponsor of health plan is a self-insured employer.
