HIPAA
The Privacy Rule allows a Business Associate to use or disclose Protected Health Information in accordance with its contract with the Covered Entity, even if the use or disclosure would violate HIPAA.
False
The Security Rule and Privacy Rule cover the exact same health information.
False
The minimum necessary standard applies to Covered Entities, but not to Business Associates.
False
When a Covered Entity improperly discloses Protected Health Information (PHI), the improper disclosure always compromises the PHI.
False
When it passed the Health Insurance Portability and Accountability Act of 1996 on August 21, 1996, Congress adopted specific privacy protections for health information and imposed specific security requirements on entities that handle such information.
False
HIPAA lists 18 different identifiers, but a Covered Entity only has to focus on those that directly identify a patient.
False - there are 18 different identifiers, but that is not true of covered entities
Preemption is a legal doctrine that _________________ (choose the answer that best completes the sentence). Gives precedence to state law over federal law. Gives precedence to federal law over state law. Never occurs because state law is always consistent with federal law. Is unrelated to HIPAA.
Gives precedence to federal law over state law
Select the correct definition of the term "Breach" under HIPAA.
Improper acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule which compromises the security or privacy of the PHI.
Select the answer that best describes the minimum necessary standard. The standard is not a relevant concept under HIPAA. The standard does not limit disclosures pursuant to a patient's valid authorization. The standard authorizes a hospital to refuse to produce medical records to HHS in an enforcement proceeding. The standard allows a health care provider to deny a patient access to his or her own medical records if the patient has no need for them.
The standard does not limit disclosures pursuant to a patient's valid authorization.
Which of these statements is consistent with HIPAA's definition of a Business Associate? An actuary can never be a BA. A BA can create, receive, maintain, or transmit PHI to help a CE perform its health care functions. An employee of a hospital is a BA of the hospital by virtue of his/her employment. The services or functions the BA performs must not involve PHI.
A BA can create, receive, maintain, or transmit PHI to help a CE perform its health care functions.
The HIPAA regulations do not specifically address authorization. Instead, the courts have developed rules that determine whether an authorization is valid.
False
A covered entity is ___________ (choose all the correct responses). A health care clearinghouse. An automobile insurance company that routinely pays for medical care rendered to injured drivers. All health care providers. An employer-sponsored health plan with more than 50 participants.
A health care clearinghouse. An employer-sponsored health plan with more than 50 participants.
Select the provisions a Business Associate contract must contain (choose all correct responses). Specify that the BA's employees must all be licensed health care providers. A requirement that the BA return or destroy PHI when the contract is over. Payment terms. A provision that exempts the BA from having to implement safeguards to protect PHI.
A requirement that the BA return or destroy PHI when the contract is over.
Choose all the correct answers: Individually identifiable information is . . . A subset of health information. Health information that actually identifies a person. Is not a defined term under HIPAA. Is limited to demographic information about a patient. May include indirect identifiers that could be used to figure out who a patient is.
A subset of health information. Health information that actually identifies a person. May include indirect identifiers that could be used to figure out who a patient is.
Part 2, which addresses substance abuse treatment records, is a sub-part of HIPAA.
False
Which of the following are objectives HIPAA sought to accomplish? Help workers keep health insurance coverage when they change jobs (portability). Combat health care fraud (accountability). Increase efficiency and reduce costs of health care. All of the above.
All of the above
Choose the most correct response. TPO stands for which of the following permissible uses and disclosures of PHI: Payment. Treatment. Operations. All of the answers are correct because TPO stands for treatment, payment, and operations.
All of the answers are correct because TPO stands for treatment, payment, and operations.
The Security Rule's purpose is to protect and ensure which of the following: All of the answers are correct. Confidentiality of electronic Protected Health Information. Availability of electronic Protected Health Information. Integrity of electronic Protected Health Information.
All of the answers are correct.
The HITECH Act created the Security Rule.
False
Choose all correct responses. Protected health information is ____________. Could include things like email addresses, license plate numbers, and health insurance paperwork. Is fundamentally different from electronic PHI. A subset of individually identifiable health information. Does not include verbal descriptions or accounts of a patient's condition.
Could include things like email addresses, license plate numbers, and health insurance paperwork. A subset of individually identifiable health information.
A Business Associate does not have to comply with the Security Rule.
False
A CE may use and disclose PHI for its own TPO activities, but may not disclose PHI to another CE for that CE's TPO functions.
False
A Covered Entity's "use" or "disclosure" of Protected Health Information are not restricted by or subject to the Minimum Necessary Rule.
False
Any state law that conflicts with HIPAA is preempted.
False
Congress mandated the use of specific methods and technologies to comply with the Security Rule's Administrative, Physical, and Technical Safeguards.
False
HIPAA is only a regulation adopted by the U.S. Department of Health and Human Services.
False
Health information under HIPAA does not include documents related to payment for past health care services rendered to the individual.
False
If a nurse works in an ICU, the nurse may access and review the records of all ICU patients, including those he/she is not taking care of and has no need to see.
False
When a breach occurs and involves unsecured protected health information, the Covered Entity must notify the patient and the U.S. Department of Health and Human Services, and may have to notify the ________________________.
Media
__________________ information is a type of health information that receives specific protection under state law.
Mental Health or HIV
Unsecured PHI is . . . (choose all that apply): PHI that has not been rendered indecipherable to an unauthorized person. PHI that has not been rendered unusable to an unauthorized person. PHI that has not been rendered unverifiable by an unauthorized person. PHI that has not been rendered unreadable by an unauthorized person.
PHI that has not been rendered indecipherable to an unauthorized person. PHI that has not been rendered unusable to an unauthorized person. PHI that has not been rendered unreadable by an unauthorized person.
The rationale for the Privacy Rule's allowance of TPO uses and disclosures includes which of the following (select all the correct responses): Health care operations are only allowed for health plans. Patient consent is required before a CE can engage in TPO activities. Payment is essential to a CE's ability to render treatment or provide insurance coverage. Effective treatment depends on the free exchange of PHI among health care providers.
Payment is essential to a CE's ability to render treatment or provide insurance coverage. Effective treatment depends on the free exchange of PHI among health care providers.
Select the Administrative Safeguard from the following list. All of the above. Security training. Workstation security. Encryption software.
Security training.
Administrative, Physical, and Technical Safeguards are composed of:
Standards
Which of the following is not a regulation that the U.S. Department of Health and Human Services issued to implement HIPAA? The Omnibus Rule. The Data Protection and Modification Rule. The Privacy Rule. The Security Rule.
The Data Protection and Modification Rule
The U.S. Department of Health and Human Services adopted the Omnibus Rule to carry out the requirements of what Act? The Genetic Information Nondiscrimination Act. The HITECH Act. The Texas Health & Safety Code. None of the above.
The HITECH Act
Select the answer that best describes the Standards for Privacy of Individually Identifiable Health Information, known as the Privacy Rule. The Privacy Rule controls how a CE or BA may use and disclose PHI. The Privacy Rule is not part of HIPAA. The Privacy Rule contains specific encryption requirements for electronic PHI. The Privacy Rule does not permit a CE to use PHI for treatment, payment, or operational activities.
The Privacy Rule controls how a CE or BA may use and disclose PHI.
Choose the category of PHI that HIPAA does not protect: Substance abuse records. Psychotherapy notes. PHI that is covered by state law. This is a trick question; HIPAA protects all of these categories of PHI.
This is a trick question; HIPAA protects all of these categories of PHI.
Which of the following are not "health care" under HIPAA? This is a trick question; they are all health care under HIPAA. Treatment, services, and supplies related to an individual's health. Diagnostic blood tests. Mental health assessments.
This is a trick question; they are all health care under HIPAA.
A Business Associate can also be a Covered Entity.
True
A Covered Entity is entitled to deny a patient's request to amend her Protected Health Information if the information contained in the patient's designated record set is accurate and complete.
True
A Hybrid Entity is a Covered Entity that has identified the parts of its business that provide health care services, designated those parts as a health care component, and segregated them so that they safeguard PHI.
True
An authorization for research can be both compound and conditional.
True
Generally speaking, a Covered Entity cannot condition treatment, payment, coverage, or enrollment on the patient's provision of an authorization, though exceptions to this rule do exist.
True
HIPAA requires a Covered Entity to give the U.S. Department of Health and Human Services access to Protected Health Information, even without an authorization, so that HHS can evaluate the CE's compliance with HIPAA.
True
Health information can exist and be recorded, transmitted, and stored in any form or medium, including verbally, in writing on paper, and electronically.
True
The States may enhance or expand HIPAA's protections, but may not disregard, diminish, or limit those protections.
True
The minimum necessary rule applies to
Uses and disclosures of PHI for payment
HIPAA recognizes three _______________________ to the definition of breach.
exceptions
Assume HIPAA does not specifically permit or require a Covered Entity to use or disclose Protected Health Information. Can the CE still use or disclose the PHI?
Yes, if the CE obtains a valid authorization and confines the use/disclosure to what the patient has authorized.
A state law is contrary to HIPAA if . . .
a CE could not comply with the state law and HIPAA at the same time.
A Covered Entity must permit . . .
a patient to request restrictions on the Covered Entity's use and disclosure of Protected Health Information for treatment, payment, and health care operations activities.
Select each answer that is an element of a valid HIPAA authorization. a. A specific and meaningful description of the PHI to be used or disclosed. b. A statement of the purpose for the use or disclosure. c. A description of the charges the CE will require the patient to pay for treatment or insurance coverage. d. An expiration date or event.
a. A specific and meaningful description of the PHI to be used or disclosed. b. A statement of the purpose for the use or disclosure. d. An expiration date or event.
Authorization is not required for specific public interest disclosures, including the following (select all that apply): a. Disclosures to law enforcement in emergency circumstances. b. Disclosures to a public health authority or government authority to report child abuse. c. Convenience of the CE if the CE is involved in a high-volume practice and it would be too burdensome to obtain individual authorizations. d. Disclosures to a Health Oversight Agency conducting an audit.
a. Disclosures to law enforcement in emergency circumstances. b. Disclosures to a public health authority or government authority to report child abuse. d. Disclosures to a Health Oversight Agency conducting an audit.
The Texas Medical Records Privacy Act does which of the following (select all that apply): a. Establishes a deadline for the production of electronic health information when a patient requests it. b. Conflicts with HIPAA in all respects and is preempted. c. Has a tiered penalty system that depends on the nature of the violation that occurred. d. Contains a broader definition of Covered Entity than HIPAA does.
a. Establishes a deadline for the production of electronic health information when a patient requests it. c. Has a tiered penalty system that depends on the nature of the violation that occurred. d. Contains a broader definition of Covered Entity than HIPAA does.
Select the required elements that a Notice of Privacy Practices must contain under HIPAA. a. Notice must be written in plain language. b. Notice must describe the uses and disclosures a Covered Entity can make for treatment, payment, and health care operations activities. c. Notice must inform the patient that, once signed, an authorization to use or disclose Protected Health Information cannot be revoked. d. Notice must reflect the applicability of more stringent state law.
a. Notice must be written in plain language. b. Notice must describe the uses and disclosures a Covered Entity can make for treatment, payment, and health care operations activities. d. Notice must reflect the applicability of more stringent state law.
Select all uses and disclosures of Protected Health Information that the Privacy Rule permits. a. Pursuant to a valid patient authorization. b. Disclosures to the individual who is the subject of the PHI. c. Incident to another legitimate use or disclosure. d. There are no permitted uses and disclosures of PHI because the Privacy Rule is only focused on patient protection.
a. Pursuant to a valid patient authorization. b. Disclosures to the individual who is the subject of the PHI. c. Incident to another legitimate use or disclosure.
When requesting an authorization from a patient, a CE must do which of the following (select all that apply): a. Use plain language. b. Give the patient a copy of the signed authorization. c. File the signed authorization in triplicate and send a copy to the state health authority. d. Hire an attorney to review the authorization to confirm validity.
a. Use plain language. b. Give the patient a copy of the signed authorization.
Select all answers that apply. A patient has the right to an accounting of disclosures of the patient's Protected Health Information by a Covered Entity for a 6-year period, except for: a. Uses and disclosures for treatment, payment, and health care operations activities. b. Uses and disclosures related to services for which the patient has not paid. c. In-patient services rendered to the patient in a hospital setting. d. Disclosures that occurred incident to a provider's legitimate health care activities.
a. Uses and disclosures for treatment, payment, and health care operations activities. d. Disclosures that occurred incident to a provider's legitimate health care activities.
A state law is more stringent than HIPAA if (choose all that apply): a. it provides greater privacy protections to the patient than HIPAA provides. b. it gives the patient fewer rights and a CE more latitude to use and disclose PHI. c. it gives the patient less ability to change PHI. d. it requires an authorization for more uses and disclosures than HIPAA.
a. it provides greater privacy protections to the patient than HIPAA provides. d. it requires an authorization for more uses and disclosures than HIPAA.
I believe the most important objective of the Security Rule is to ensure the ____________________________ of electronic Protected Health Information.
availability
Select all responses that accurately complete this sentence: The Privacy Rule prohibits a Covered Entity or Business Associate from using Protected Health Information unless . . . a. The health care provider and the patient are friends. b. The patient has authorized the use or disclosure. c. HIPAA allows the use or disclosure. d. HIPAA requires the use or disclosure.
b. The patient has authorized the use or disclosure. c. HIPAA allows the use or disclosure. d. HIPAA requires the use or disclosure.
Select all answers that apply. An authorization is invalid if . . . a. it is not signed on the first day the patient visits a health care provider. b. it violates the rules governing compound and conditioned authorizations. c. it is incomplete. d. the CE knows it has expired or that the terminating event has occurred.
b. it violates the rules governing compound and conditioned authorizations. c. it is incomplete. d. the CE knows it has expired or that the terminating event has occurred.
Choose the answer that best describes a patient's right of access under HIPAA. a. Is subject to a fee that enables a Covered Entity to profit from responding to a patient's request for Protected Health Information. b. Is unreviewable under all circumstances. c. The right of access is absolute and unlimited. d. Encompasses the right to inspect and copy Protected Health Information, but is subject to limitations.
d. Encompasses the right to inspect and copy Protected Health Information, but is subject to limitations.
De-identified health information
is not PHI and is not subject to the Privacy Rule's restrictions.
Implementation specifications are either required or addressable, they are not ________________________.
optional
Health information is information that relates to the _____________ physical or mental health or condition of an individual.
past, present, or future
An authorization must notify the patient of the possibility of . . .
re-disclosure of the patient's PHI
A valid authorization must put the patient on notice of her right to ________________ the authorization in writing and give instructions for doing so.
revoke
The Security Rule is __________________________, which means that Covered Entities and Business Associates do not have to use specific technologies but instead have flexibility to identify, develop, and implement technical solutions to achieve security.
technology neutral