CCA EXAM DOMAIN 6 CONFIDENTIALITY AND PRIVACY
A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until _____ years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.
6 HIPAA Policies and Procedures and Documentation Requirements A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments. Updates. A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI).
Determine an appropriate use of the emergency access procedure.
A patient is crashing. The attending physician is not in the hospital, so a physician who is available helps the patient. The correct answer is the attending physician is not in the hospital, so a physician who is available helps the patient. The emergency mode operation is used when someone who normally does not have access to the PHI needs access. This is generally used in patient care emergencies. It may also be called "breaking the ice." Wrong answers: Emergency access procedure indicates a loss of data and systems containing electronic protected health information due to an emergency. The following would not be appropriate use of the emergency access procedure 1) Data is collected for administrative purposes. 2) The coder who usually codes the emergency room health records is out sick and the health records are left on a desk in the ER admitting area. 3) An audit is being conducted by the OIG.
Identify the true statement regarding healthcare provider's use of mobile devices.
A specific procedure must be followed for reporting and addressing a lost device. There should be policies in place regarding how to handle lost and stolen mobile devices. Devices may be owned by the covered entity or the user. Mobile devices should use encryption if data is stored on the device however data can be stored remotely such as in the cloud.
Which of the following would be deleted in the process of de-identification of protected patient information?
Date of birth Patient identifiers include patient's full name, date of birth, social security number, contact information such as address and phone numbers, name and contact information of the next of kin, emergency contact information, and other personal information deemed necessary for health care delivery operations (e.g., employer information and insurance information). The facility NPI number—National Provider Identifier Number—is a 10-digit numerical identifier that identifies an individual provider or a health care entity. Principal diagnosis code establishes medical necessity for procedures provided to the patient. Place of service codes are two-digit codes placed on health care professional claims to indicate the setting in which a service was provided
HIPAA requires patient permission to be obtained before PHI can be used or disclosed. However, most states mandate health care professionals to report situations, such as suspected child abuse or a contagious disease diagnosis, to their Department of Health. This mandate overrides patient consent. HIM professionals must comply with
HIPAA, which permits reporting to the state to comply with mandates. When a state mandates the reporting of certain specific health concerns, such as contagious diseases or abuse and neglect, HIPAA permits the reporting for the good of public health.
According to the HIPAA Privacy Rule, which of the following would be considered a covered entity?
Health plans HIPAA rules define a covered entity as (1) health plans, (2) healthcare clearinghouses, and (3) healthcare providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Department of Health and Human Services was created to protect the health of all Americans and providing essential human services. Joint Commission evaluates healthcare organizations and inspiring them to excel in providing safe and effective care of the highest quality and value. Office of Inspector General is to detect and deter fraud, waste, and abuse.
This is an example of an administrative safeguard.
Implement policies and procedures to prevent, detect, and correct security violations. Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information. Locking offices and file cabinets, minimizing the amount of PHI on desktops, and shredding unneeded documents are physical safeguards.
When should the patient receive a copy of the Notice of Privacy Practices?
Initial encounter According to the HIPAA Privacy Rule the patient must be provided a copy of the Notice of Privacy Practices at the initial encounter. Here's a great link: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/index.html
Which of the following is an example of a physical safeguard?
Locking offices and file cabinets containing PHI Physical Safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion. Some examples of physical safeguards are the following: Controlling building access with a photo-identification/swipe card system. Locking offices and file cabinets containing PHI. Turning computer screens displaying PHI away from public view. Minimizing the amount of PHI on desktops. Shredding unneeded documents containing PHI. Audit controls and effective security safeguards are part of normal operational management processes to mitigate, control, and minimize risks that can negatively impact business operations and expose sensitive data. Dual authentication is a security safeguard—combination would be a username and password
Which of the following should never be destroyed?
MPI Master patient index (MPI)—A permanent database that includes every single patient ever admitted or treated by the facility; it usually includes patient's full name, patient's date of birth, patient's address, patient's phone numbers, patient's health record number, attending physician's name, admission dates and discharge dates, patient's disposition at discharge, patient's marital status, patient's gender, patient's race, and patient's emergency contact. Case Mix Index (CMI)—The average relative weight of all cases treated at a given facility that reflects the resource intensity of a specific group in relation to another group. Computerized physician order entry (CPOE) is used primarily for ePrescriptions and electronic orders for imaging and lab work. Source Oriented Record (SOR)—Traditional patient record format that maintains reports according to source of the document.
Which of the following is an example of an external data threat?
Malware and phishing attempts to steal log in credentials One of the most challenging issues dealing with malware is that it only takes one seemingly authentic link to introduce a malicious cyber presence into the network. Sophisticated malware and phishing attempts can plant malicious scripts on a computer or steal login credentials that can compromise an entire system. Unlocked workstation computer and Intern accessing celebrity medical records are examples of an internal breach.
The health care facility is running a contingency plan drill where the EHR is inaccessible. Where would the medical documentation forms that replace the EHR documentation be located?
Medical bylaws The medical staff bylaws are a document approved by the hospital's board and establishes the requirements for the members of the medical staff to perform their duties, as well as the standards for the performance of those duties. The facility bylaws should contain every medical form used at the health care facility. The hospital board of directors' role is to serve as the governing body of the hospital. The board is responsible for oversight of the hospital. State medical boards are the agencies that license medical doctors, investigate complaints, discipline physicians who violate the medical practice act, and refer physicians for evaluation and rehabilitation when appropriate.
A document requirement of health organizations pursuant to HIPAA legislation, that informs patient how a covered entity intends to use and disclose protected health information is called
Notice of Privacy Practices (NPP) Notice of Privacy Practices is a requirement of HIPAA's Privacy Rule. None of the other documents are related to HIPAA.
The HIPAA enforcement agency is the
Office for Civil Rights The Office for Civil Rights (OCR) is the HIPAA enforcement agency. OCR laws protect the rights of individuals and entities from unlawful discrimination based on race, color, national origin, disability, age, or sex in health and human services. Department of Health and Human Services was created to protect the health of all Americans and providing essential human services. Joint Commission evaluates health care organizations and inspiring them to excel in providing safe and effective care of the highest quality and value. Office of Inspector General is to detect and deter fraud, waste, and abuse.
Identify the type of health records that the patient cannot have access to.
Psychotherapy notes Psychotherapy notes are not part of the designated record set and therefore cannot be released to the patient. They are for use by the health care professional only. AIDS records, mental health assessments, and alcohol and drug records can be released at the request of the patient.
Which of the following is an exception to the HIPAA "Minimum Necessary" standard?
Requests from patients for copies of their own medical records The HIPAA "Minimum Necessary" standard applies to most uses and disclosures of PHI, but there are six exceptions as detailed below. Health care providers making requests for PHI for the purpose of providing treatment to a patient Requests from patients for copies of their own medical records Requests for PHI when there is a valid authorization from the subject of the PHI Requests for PHI that are required for compliance with the HIPAA Administrative Simplifications Rules Requests for a disclosure of PHI by the Department of Health and Human Services required for the enforcement of compliance with HIPAA Rules under 45 CFR Part 160 Subpart C Requests for PHI that are otherwise required by law
Alisa has trouble remembering her password. She taped the password to the bottom of her keyboard. As the chief privacy officer, your appropriate response is:
This is inappropriate and must be removed. This is inappropriate and must be removed. Wrong answers: 1) Passwords should not be written down anywhere 2) Passwords should be unique 3) never use personal information such as your daughter's name or birth date.
The admissions clerk asks why he has to check the patient's driver's license to ensure that this is the correct patient. Educate the admissions clerk.
This meets the HIPAA requirement of verification. Patient verification is ensuring that the patient is who they say they are. Authentication is verifying that the USER of the information system is who they say they are. Authorization is gaining the patient's consent to utilize PHI. Access control is controlling who can access an information and what they can do.
Which of the following HIPAA regulation titles require the Department of Health and Human Service to establish national standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers?
Title II: HIPAA Administrative Simplification The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services to establish national standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data. Title I of the Health Insurance Portability and Accountability Act of 1996 protects health insurance coverage for workers and their families when they change or lose their jobs. Title III provides for certain deductions for medical insurance and makes other changes to health insurance law. Title V includes HIPAA provisions related to company-owned life insurance, treatment of individuals who lose U.S. Citizenship for income tax purposes and repeals the financial institution rule to interest allocation rules.
Determine which one of the following is NOT a technical security control employed by electronic health record systems.
automatic log off Automatic log off after a period of inactivity is an administrative safeguard, not a technical security control employed by electronic health record systems. Technical safeguards consist of five categories: access controls, audit controls, integrity, person or identity authentication, and transmission security.
The three components of a data security program are confidentiality, integrity, and
availability. The three components of a security plan are confidentiality, integrity, and availability.
The chief security officer has recommended a security measure that utilizes fingerprints or retina scans. The chief security officer recommended
biometrics. Retinal scans and fingerprints are two methods of biometric identification. Encryption is turning health information into unintelligible data. Authentication is the process of identifying an individual. Audit trail is a tool used to monitor the actions of the users.
The health facility uses an answering system business. Medical information is never included, only the name and number of a patient for a callback. The answering system business is considered a(n)
business associate. The answering system business is considered a business associate because PHI is more than a medical diagnosis (or complaint). A name alone, or a phone number alone, in connection with a request for health care is PHI, and by answering the phone for a health care provider they are "receiving" PHI. Adjunct employee is a nonfaculty title given to a healthcare provider under special circumstances by the Medical School to provide health care in university settings. Clearinghouses include organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations. A corporate entity is a business structure formed specifically to perform activities, such as running an enterprise or holding assets.
It is recommended that all but which of the following information should be permanently retained in some format, even when the remainder of the health record is destroyed?
dates of admission, discharge, and encounters Although most of the medical record information can be destroyed after a certain time constraint, dates of admission, discharge, and encounters are permanently retained in the facility's master patient index (MPI). The following is recommended to be permanently retained in some format, even when the remainder of the health record is destroyed: physician names, nursing notes, and discharge summaries.
All of these details must be included in the documentation of record destruction EXCEPT
dates the patient had surgery Record destruction documentation should include the dates of service of the records that are being destroyed, but not specific dates of service. Documentation of record destruction should also include: a statement that records were destroyed in the normal course of business; the method of destruction; and signatures of the individuals supervising and witnessing the destruction.
The expert determination method is a method of
de-identification. The expert determination method is one method that can be used to deidentify protected health information. It removes all identifiers so that the patient cannot be identified. The criticality assessment is determining how important an information system is. The information systems that are the most critical are given priority if multiple information systems are down. Disclosure is providing health information outside of the healthcare organization. The emergency mode operation plan is the process that allows a user to gain access to health information in an emergency. De-identification is removing all identifying data elements from the health record.
You have been given the responsibility of destroying the PHI contained in the information system's old server before it is trashed. Recommend an appropriate destruction method.
degaussing Degaussing is an appropriate method of destruction for electronic data as it renders it irretrievable. Crushing is usually used for destroying CDs and DVDs. Shredding is used for paper PHI. Incineration can also be used for paper PHI.
All of these are acceptable destruction methods when health records are no longer required, EXCEPT
deleting files from the server. Simply deleting files from a computer or server does not sufficiently destroy them. In the absence of any state law to the contrary, medical offices must ensure paper and electronic records are destroyed by a method that provides for no possibility that the protected health information can be reconstructed. A common destruction method is magnetic degaussing for computerized data.
The patient has the right to agree or object to disclosure of protected health information when
disclosing information to a family member who is directly involved in the patient's care. There are two circumstances when patients have the right to agree or object to disclosure of protected health information. This includes facility directory and disclosing information to family member who is directly involved in care.
Under the HIPAA Privacy Rule, all the following are considered workforce members EXCEPT for a
electrician.
A physician has come to the HIM department because he wants a new smartphone to be able to access patient records. This way he can enter orders when he is outside of the hospital. You need to direct the IT department to
encrypt the phone so access is protected. All transmissions to and from the hospital should be encrypted, especially mobile devices, such as a smartphone. The HIPAA Privacy Rule establishes national standards for giving patients the right to access and request amendment of their protected health information (PHI) as well as requesting restrictions on the use or disclosure of such information. The HIPAA Security Rule establishes a national set of security standards for the confidentiality, integrity, and availability of electronic protected health information. The HIPAA Privacy and Security Rules apply to covered entities. Covered entities include health care providers and professionals such as doctors, nurses, psychologists, dentists, and chiropractors. Individuals and organizations that meet the definition of a covered entity and who transmit health information in electronic form in connection with certain transactions must comply with the Rules' requirements to protect the privacy and security of health information, even when using mobile devices.
An employee in the admission department stole the patient's name, Social Security number, and other information and used it to get a credit card in the patient's name. This is an example of
identity theft Identity theft is using an individual's Social Security number and other identifying information to obtain credit cards or otherwise represent them. Mitigation is limiting the negative impact on a patient when there is a privacy or security breach. Disclosure is releasing patient information outside of the healthcare organization. Release of information is the process of releasing health information.
According to the HIPAA privacy rule, protected health information includes
individually identifiable health information in any format stored by a health care provider or business associate. Individually identifiable health information in any format stored by a health care provider or business associate. PHI includes all individually identified health information, regardless of format. ePHI, however, includes only electronic PHI. Incorrect answers: 1) non-individually identifiable health information in any format stored by a health care provider. 2) Only electronic individually identifiable health information. 3) Only paper individually identifiable health information.
Ensuring that data have been modified or accessed only by individuals who are authorized to do so is a function of data
integrity. Data integrity refers to the assurance that information can only be accessed and modified by those authorized to do so.
A mechanism used to ensure that PHI has not been altered or destroyed inappropriately is known as
integrity. Integrity is ensuring that data is not inappropriately changed. This can be in motion or at rest. Access control is determining who has access to an information and what they have access to. Audit controls are methods of monitoring the information system for security breaches and incidents. Entity authentication is determining if an information system user is who he or she claims to be.
If the health care facility uses a business associate offshore, the business associate
is required to follow HIPAA. Offshore business associates are permitted under HIPAA and the law applies to them in the same way it applies to ones located within the United States. As a covered entity, you will want your business associate agreement to require them to agree to the jurisdiction of U.S. courts.
All the following are examples of a Business Associate EXCEPT
janitor service. Business associates are vendors (to a covered entity) that create, receive, maintain, or transmit protected health information (PHI). A member of the covered entity's workforce is NOT a business associate, nor is someone who may encounter patient information by chance (like a janitor service or an electrician).
John is a 45-year-old male who is mentally disabled. Identify who can authorize release of his health record.
legal guardian Even though John is of age, he is mentally incompetent and therefore requires a guardian to sign the release. John's sister could only sign the authorization if she was his legal guardian. The executive of his will only applies if John is deceased.
A health care facility has made a decision to destroy computerized data. AHIMA recommendations identify which of the following methods as the preferred method of destruction for computerized data?
magnetic degaussing Computerized data can be erased by neutralizing the magnetic field. This destruction method is called magnetic degaussing. Incorrect answers: Disk reformatting is the process of preparing or revising a device such as a USB flash drive to store new or different data. Overwriting the backup tapes is a recycling process by overwriting backup tapes with new backup data. This is usually done on a schedule, for example, daily or weekly. This deletion process is not secure. Overwriting data with a series of characters is a process to remove data by overwriting the data with algorithms. This deletion method is never secure.
The standard that requires all HIPAA covered entities and business associates to restrict the uses and disclosures of protected health information (PHI) is called
minimum Necessary. The HIPAA "Minimum Necessary" standard requires all HIPAA covered entities and business associates to restrict the uses and disclosures of protected health information (PHI) to the minimum amount necessary to achieve the purpose for which it is being used, requested, or disclosed. Patient consent—The process of informed consent occurs when communication between a patient and physician results in the patient's authorization or agreement to undergo a specific medical intervention. The Past, Family and/or Social History (PFSH) includes a review in three areas: Past History: The patient's past illnesses, operations, injuries, medications, allergies, and/or treatments.
Identify the purpose of the notice of privacy practices.
notify the patient of uses of PHI. The purpose of the notice of privacy practices is to notify the patient how the covered entity will use the PHI and what the patient's rights are related to PHI. It notifies the patient of typical uses of the health information but does not tell the patient of any audits that their health record is involved in. The notice of privacy practices is given to patients not researchers or the OIG.
Identify the requester that requires patient authorization before releasing PHI.
patient's attorney An authorization is not required for TPO, which includes business associates. It is also not required for public health activities. It is, however, required for release to the patient's attorney.
In most situations the person who authorizes release of medical information is the
patient. Medical facilities frequently receive medical record release requests from multiple sources, including subpoenas, attorney letters, and patients themselves. However, in most situations the patient signs a release form including signature, printed name, date, and records desired. Release a copy only, not the original. CFO—A health care chief financial officer is the person who ensures that a hospital or hospital systems runs in the most cost-effective manner. CEO—Chief Executive Officer—the executive who holds the position to ensure that almost every aspect of the health care facilities under their care perform efficiently while ensuring that all employees have the equipment and resources, they need to deliver the best quality patient. Provider—an individual health professional or a health facility organization licensed to provide healthcare diagnosis and treatment services including medication, surgery, and medical devices.
HIPAA allows health care providers to charge patients reasonable cost-based charges for copies of their health record. Identify when the patient can be charged.
preparing a summary HIPAA allows patients to be charged for preparing a summary; however, nonpatients may be charged for the other listed fees.
The HIPAA Privacy Rule allows patients access to their personal health information. The exception to this rule is
psychotherapy notes The Privacy Rule generally requires HIPAA covered entities (health plans and most healthcare providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more "designated record sets" maintained by or for the covered entity. An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. Two categories of information are expressly excluded from the right of access: Psychotherapy notes, which are the personal notes of a mental healthcare provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient's medical record. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
A staff member, Louis, in Admissions, occasionally brings his nephew to work after school and permits him to access social media on his computer. He posts selfies and sometimes shares what he sees and hears in the office. As the HIM manager, you must
require Louis to go through HIPAA training again and explain to him the illegality of posting any protected information on social media. As the HIM manager, you must require Louis to go through HIPAA training again, as well as instructing Louis not to let his nephew access social media on facility computers. Training isn't just a recommendation, either - all workforce members are required to learn about HIPAA compliance requirements. The regulation states that this should happen in 3 cases - when a new employee is hired, whenever there are changes to the regulations, and periodically, just to make sure everyone understands HIPAA Privacy and Security rules.
The minimum length of time for retaining original medical records is primarily governed by
state law. The statute of limitations for each state is information that is crucial in determining record retention schedules.The wrong answers: Readmission rates, medical staff and the Joint Commission must abide by the state law when it comes to the minimum length of time set for retaining original medical records.
You submitted your resignation from Coastal Hospital. Your last day is today. You should no longer have access to the EHR and other information systems as of 5:00 PM today. The removal of your information system privileges is known as
terminating access. Terminating access is eliminating an employee's access to an information system once they leave the organization. Password management is the process of establishing policies and processes related to passwords. Isolating access is completely separating data between two parts of an organization. For example, a company owns a home health organization and a widget manufacturing company. The home health organization must design their information systems to prevent the widget portion of the company from accessing PHI.
To ensure that protected health information (PHI) is kept secure, internal audits are necessary to confirm the facility's compliance with
the Security Rule. HIPAA's Security Rule is a federal law the covers administrative, physical, and technical safeguards to protect patient PHI. The False Claims Act, Stark Law, and Anti-Kickback Statute (AKS) are three other important federal fraud and abuse laws that apply to physicians. The False Claim Act (FCA) is a federal law that makes it a crime for any person or organization to knowingly make a false record or file a false claim regarding any federal health care program which is funded directly, in whole or in part, by the United States Government or any state health care system. The physician Self-Referral Law, commonly referred to as the Stark Law, prohibits physicians from referring patients to receive "designated health services" payable by Medicare or Medicaid from entities with which the physician or an immediate family member has a financial relationship, unless an exception applies. Financial relationships include both ownership/investment interests and compensation arrangements. The Anti-Kickback Statute (AKS) is a criminal law that prohibits the knowing and willful payment of "remuneration" to induce or reward patient referrals or the generation of business involving any item or service payable by the Federal health care programs.
The patient was admitted through the Emergency Department and she is anxious about notifying her spouse and her sister. Her spouse is out of town on business and her sister lives in another state. The patient is worried about how they can get updates when she is in surgery, when they cannot prove how they are related to her to clear HIPAA limitations. You tell her not to worry, because
the hospital can assign special pass codes. The hospital can assign a special pass code for the patient which she can share with whomever she wants to permit a HIPAA release for information. This will identify them as approved by the patient to be informed on her condition. There are required disclosures, according to HIPAA regulations which include those to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information.
Using a Role-Based Access Control methodology to determine who gets access to which files within an electronic health record (EHR) means that password controls will be identified by
the individual's job description. Role-Based Access Control to an EHR is determined by the individual's job description, identifying which records they are permitted to access and whether they can read and write or read only.
The purpose of HIPAA Title I Health Insurance Reform is
to protect health insurance coverage for workers and their families when they change or lose their jobs. Title I of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs. Title II The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 require the Department of Health and Human Services to establish national standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers. Title III provides for certain deductions for medical insurance and makes other changes to health insurance law. Title IV specifies conditions for group health plans regarding coverage of persons with preexisting conditions and modifies continuation of coverage requirements. Title V includes HIPAA provisions related to company-owned life insurance, treatment of individuals who lose U.S. Citizenship for income tax purposes and repeals the financial institution rule to interest allocation rules.
Identify when the covered entity has to notify CMS immediately.
when 500 or more patients are impacted CMS must be notified immediately when 500 or more patients are impacted. Below that number, the notification can be done at the end of the year.
It has been decided that the coders will have access to all e-PHI in the EHR but they will not be able to add or edit data. This process is known as
workforce clearance procedure Workforce clearance procedure is the process of determining what a user has access to in an information system and what they can do. The information system activity review is monitoring the information for unauthorized access. The limited data set is a subset of health information that HIPAA allowed to be released for research, public health and other approved purposes. Incidental disclosure is the release of limited risk such as calling the patient's name.
The final HITECH Omnibus Rule expanded some of HIPAA's original requirements, including changes in immunization disclosures. As a result, where states require immunization records of a minor prior to admitting a student to a school, a covered entity is permitted to disclose proof of immunization to a school without
written authorization of the parent. The "Disclosure of Student Immunizations to Schools" provision of the final rule permits a covered entity to disclose proof of immunization to a school (where state law requires it prior to admitting a student) without written authorization of the parent. An agreement must still be obtained and documented, but no signature by the parent is required.
