HIM 320 Exam Two ✅

60 Days

A CE must act on a request for amendment within how many days of receiving a request?

Privacy Official

A covered entity must designate and document a ________ and a security official who are responsible for developing the entity's required policies and procedures.

15 Days

According to Louisiana Law, a copy of your medical record should be made available in _______ days following receipt of the request and written authorization.

Three

According to Louisiana law, if there is any violation, a provider will be provided with a written notice and will be given ______ days to correct the noticed violation.

Common Rule

All federally funded research involving human subjects must comply with the "Federal Policy for the Protection of Human Subjects", which is generally referred to as?

State Law

Any type of rule, regulation, statute, common law, or other state authority having the effect of law.

Yes

Are providers allowed to send individuals unencrypted emails if they advise the patient of the risks and they still prefer this mode of delivery?

No

Are we required to record downstream disclosures of PHI?

Complaint

Audits and investigations used to be _______ driven.

Altered/Waived Authorization

Authorization is not required.

Exercise their other rights under the rule
Monitor how covered entities are complying with the rule
Address any privacy concerns they may have with the covered entity

By giving patients access to disclosures of their PHI, what does this enable them to do?

Compound Authorization

Combines authorization with informed consent for research.

How it will use and disclose PHI
The policies and procedures it has adopted to protect the privacy of PHI
To inform them of their rights with respect to their PHI

Covered entities must inform individuals of:

Common Rule

Delineates broad requirements relating to research involving human subjects.

By first-class mail to the individual or next of kin at their last known address, or by email if the individual has previously specified that they'd prefer to receive notices by email.

How do we notify individuals about a potential breach of their PHI?

60 Days

How long after a request for accounting of disclosures does a CE have to respond?

60 Calendar Days

How long after the discovery of a breach must we put out notices to prominent media outlets?

Six years

How long must documentation be maintained?

$1.00 per page for the first 25 pages
$0.50 per page for pages 26-350
$0.25 per page thereafter
A handling charge not to exceed $25
Actual postage
Each request shall be subject to only one handling charge

How much does Louisiana Law charge for copying paper records?

All of it

How much of the NPP must be posted in the hospital?

Every 12 Months

How often are individuals entitled to a free accounting of disclosures?

No later than 60 days.

How soon should notifications be made after discovery of a breach?

It must be documented:
A simple note in the record is sufficient
A standard form included in the health record is also acceptable
Documentation may be electronic
Documentation must be retained for six years

If a CE agrees to the restriction, what must happen?

A copy of the acknowledgment indicating that it was mailed.

If the acknowledgement is mailed and the patient fails to return the acknowledgment, what should be documented?

The provider should send the notice and request for acknowledgement to the patient by mail or email the same day if possible.

If the first service is not face-to-face (e.g., via telephone), how should the notice be given?

No

If the initial contact was just for obtaining pretreatment information or scheduling an appointment, do we send a NPP?

The occurrence and the reason given.

If the patient refuses to sign the NPP, what should we document?

Make a good faith effort to obtain a written acknowledgement of receipt of the notice
Document its good faith efforts
If the provider is unable to obtain an acknowledgement, it must document the reasons why the acknowledgement was not obtained

In an emergency situation, how do we obtain patient authorization for the NPP?

Stand-Alone Authorization

Requires core elements of valid authorization.

Resolution Agreements

Settlements compelling the CE to perform obligations per the agreements and to submit reports to HHS for 3 years.

Entity's Labor Cost

The CE may impose a fee that is not greater than the ________ in responding to the request for the copy.

Clinical

The FDA Protection of Human Subjects Regulations govern all ________ investigations regulated by the FDA.

Disclosures

The Privacy Rule gives an individual the right to request a list of a covered entity's _________ of his or her PHI.

Right to Request Confidential Communications

The Privacy Rule entitles individuals to request that CEs communicate PHI at alternative locations or by alternative methods.

Writing, electronically, by telephone, or orally.

The accounting requirement includes disclosures that are made in:

Privacy Rule and by state law.

The authority to charge duplication fees and the amounts of those fees are governed by the:

False.

True or False: A CE is not allowed to deny an individual access to PHI without providing an opportunity to review or appeal the denial.

True

True or False: In future disclosures, the CE must attach to the DRS: the request for amendment, its denial, any statement of disagreement, and any rebuttal statements if the individual requests it.

True

True or False: Individuals do NOT have the right to unsupervised off premises inspection and copying of records under the Privacy Rule

True

True or False: Per HITECH, if the CE has an EHR, they must provide patient with an electronic copy, or send it to a designated person electronically.

False

True or False: The accounting is for disclosures and uses both.

True

True or False: The amount of PHI disclosed does not affect whether the disclosure must be in the accounting.

False

True or False: We don't have to tell individuals of reports to public health agencies in the accounting of disclosures, because this might cause them to avoid treatment.

Breach

Unauthorized acquisition, use, or disclosure of PHI which compromises the security or privacy of such information.

Not Required

Under HIPAA, covered entities were _______ to agree to a restriction unless they were required to do so under state law.

3 Years

Under the ARRA law that was proposed for accounting of disclosures by CEs that maintain PHI in EHRs, how far back do CEs have to be able to track disclosures?

Right to Request Restrictions

Under the Privacy Rule an individual is permitted the right to request that a covered entity restrict the use or disclosure of his or her PHI in connection with treatment, payment, or healthcare operations.

Duty to Mitigate

What are CEs supposed to do about harmful effects that result from the wrongful use and disclosure of PHI?

The uses and disclosures the covered entities may make of his or her PHI
The individual's rights with respect to privacy of the PHI
The covered entities' duties concerning the PHI

What are covered entities required to give an individual notice of?

A workforce member or individual acting under the CE's or BA's authority unintentionally acquires, accesses, or uses the PHI, if it was in good faith, within the scope of authority, and could not be further used or disclosed in an impermissible manner.
An inadvertent disclosure by an individual at a CE or BA to another authorized person at a CE or BA, where the information is not further disclosed or used in an impermissible manner.

What are exceptions to the definition of breach?

Standards for policies and procedures and changes to policies and procedures
Designation of a privacy officer and a contact person for receiving complaints
Requirements for privacy training
Requirements for establishing data safeguards
Prohibition against retaliation and waiver
Requirements for documentation retention
Mitigation of wrongful use and disclosure

What are some of the administrative requirements that govern implementation of the Privacy Rule?

Right of Access
Right to Notice of Healthcare Entity's Privacy Practices
Right to Request Amendment
Right to an Accounting of Disclosures
Right to Request Confidential Communications of PHI
Right to Request Restrictions on Certain Uses and Disclosures

What are the individual rights that patients have over their information?

Stand-Alone Authorization
Compound Authorization
Altered/Waived Authorization

What are the kinds of research authorizations?

Determine whether a state law is contrary to the Privacy Rule.
Determine whether an exception to the HIPAA general preemption rule applies.

What are the steps of preemption analysis to determine which law prevails?

Did not know
Reasonable cause
Willful neglect

What are the three types of penalty tiers?

Directly to the covered entity
To the Secretary of DHHS

What are the two methods for filing complaints if an individual believes a CE has failed to comply with the Privacy Rule?

Disclosures needed to:
Carry out TPO
To the individual
Incidental to a use or disclosure otherwise permitted or required by the Privacy Rule
Pursuant to an authorization properly completed by the individual
For the CE's directory or to family and others involved in the individual's care, or for other notifications permitted by the regulations
To meet national security requirements
To correctional institutions or law enforcement officials for the purposes specified in the Privacy Rule
As part of the limited data set
That occurred prior to the HIPAA compliance date

What disclosures do NOT have to be accounted for?

The CE must maintain a log of any breach occurring in the year and ANNUALLY submit the log to the Secretary within 60 days of the calendar year in which the breach was discovered.

What do CEs do to report breaches when there are less than 500 individuals affected?

Administrative, technical, and physical safeguards

What do CEs have implemented that protect PHI from any use or disclosure that would violate the Privacy Rule?

Date of Disclosure
Name and Address of Person Receiving the PHI
Brief Description of the Purpose of the Disclosure

What does the accounting of disclosures include?

Basis for the denial
Notice of the individual's right to submit a written statement disagreeing with the denial and instructions on how to submit it
If no disagreement is submitted, the patient's right to ask that his original request and the covered entity's denial be included with any future disclosures of the PHI
A description of how the individual may submit a complaint

What happens when a request for amendment is denied?

PHI that is NOT rendered unusable, unreadable, or indecipherable to unauthorized persons.

What is considered unsecured PHI?

The addition of the breach notification requirement.

What is one of the most significant changes presented by HITECH?

Training

What is the best way to prevent breaches?

To establish a standard of reasonable accuracy and completeness.

What is the goal of amendments to the PHI?

They are required to post a list identifying each CE involved in a breach.

What is the secretary's role in reporting of breaches?

Within 30 days of the request.

What is the time frame in which the PHI must be made available to the patient?

Unsecured PHI

What kind of PHI does the breach notification rule apply to?

Retrieval Fees

What kinds of fees are prohibited by the Privacy Rule for charging patients?

Training

What should be a major component of a CE's HIPAA compliance program?

A description of what happened
A description of the types of unsecured PHI that were involved
The steps individuals should take to protect themselves from potential harm resulting from the breach
A brief description of what the CE is doing to investigate the breach
Contact procedures for individuals to ask questions

What should be included in breach notifications?

Many of their actions and to retain various documentation in connection with use, disclosure, and protection of PHI.

What types of things are CEs required to document?

If the provider believes access could endanger the life or safety of the patient or another individual.
If the PHI refers to another individual who could be harmed.
If the request is made by the patient's representative and the healthcare provider believes it could cause substantial harm to the individual or another person.

When can a CE deny access but the patient has the right for review by a licensed healthcare professional?

PHI contained in psychotherapy notes. PHI held by correctional institutions. Research participant who has agreed in advance to suspend right of access. If PHI was obtained by someone other than a healthcare provider under the promise of confidentiality and access would reveal the source. PHI contained in records that are subject to the federal Privacy Act if the denial of access under the Privacy Act would meet the requirements of that law.

When can a CE deny individual access to PHI WITHOUT providing an opportunity to review or appeal the denial?

If it isn't in the DRS.

When can a CE deny the access to a patient's PHI?

When it was not created by the CE.
If it is not part of the DRS.
If it is accurate and complete as is.

When can a CE deny the request to amend PHI?

Except as otherwise required by law, the disclosure is to a health plan for the purpose of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and
The PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.

When can a provider not deny a request for restrictions for TPO?

When the breach of unsecured PHI affects MORE than 500 residents of a state or jurisdiction and the PHI is, or is reasonably believed to have been, accessed, acquired, or disclosed during the breach.

When do notices HAVE to be provided to prominent media outlets?

If the CE cannot comply with both laws.
If following state law would hinder the purpose of HIPAA.

When is a law considered "contrary"?

If the CE or BA demonstrates that there is a low probability that the PHI has been compromised.

When is impermissible use or disclosure of PHI not presumed to be a breach?

If the CE has insufficient or out-of-date contact information for 10 or more individuals.

When must a CE provide substitute notice through a conspicuous posting for a period of 90 days on the home page of its website or a conspicuous notice in major print or broadcast media where individuals affected by the breach may reside?

At first contact with the patient in order to allow individuals to decide whether to enter into the relationship.

When must covered entities give individuals the Notice of Privacy Practices?

On the first day on which the breach is known, or when it reasonably should have been known, not when investigation is complete.

When shall the breach be treated as discovered by a CE or a BA?

In a clear and prominent location for such individuals.

Where should the NPP be posted in hospitals?

Anyone who exercises their rights under the Privacy Rule
Anyone who assists in an investigation by the HHS or other authority
Anyone who opposes an act or practice that the person believes is a violation of the Privacy Rule

Who can a CE not retaliate against?

HHS

Who conducts audits of CEs and BAs?

CEs and BAs

Who do breach notification rules apply to?

Entities covered by HIPAA

Who does the HIPAA Preemption Rule apply to?

HITECH

Who expanded legal responsibility to CEs, meaning that employees and other individuals can be legally prosecuted?

Privacy Official

Who is the person that patients may contact with complaints or questions regarding privacy?

A CE with a direct treatment relationship with a patient MUST provide notice to the patient and obtain the patient's written authorization that they have received the notice.

Who must receive and give acknowledgment of NPP?

ARRA

Who specifies the fees to be charged by the provider when delivering the information in electronic format?

No

Will HIPAA preempt or supersede more stringent state statutes that provide individuals with greater privacy OR give individuals greater rights with respect to their PHI?

Yes

Do business associates have to respond to individual requests made directly to them?

No

Do providers have to accept external portable media from individuals?

Civil Monetary Penalties (CMP)

Fines imposed on the CE for HIPAA violations, usually when a settlement cannot be reached.

Federal Law

For conflicting state law and federal law, who prevails?

Must be written in plain language
Explains that the individual has a right to request review
Describes how the individual can complain to the CE and DHH
Will be reviewed by a licensed healthcare professional who did not participate in the original denial

How can a patient ask for a denial to be reviewed?

Laws that the Secretary of DHHS determines are necessary for certain purposes specified in the regulations.
Laws that regulate the manufacture, registration, distribution, or dispensing of ANY controlled substance as identified by state law.
Laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.
Laws that require a health plan to report or provide access to information for management of financial audits, program monitoring and evaluation, or licensure or certification of facilities or individuals.

The preemption rule applies to all state laws contrary to Privacy Rule except?
