HIPAA Privacy and Security
Which of the following are examples of Protected Health Information (PHI)?
All of the above. All of the above are PHI. A patient's birth year--not birthdate--could be considered de-identified PHI.
What best describes a Risk Analysis?
Both C & D. The Risk Analysis is intended to evaluate where an organization gets the ePHI it uses, how it is stored and used, as well as risks to the processes.
Which is true with regard to electronic messaging of patient information?
CMS allows texting of patient information on a secured platform but not for patient orders. Great caution should be taken with any social media or mobile platforms. It is not ok to express your concern via these methods or to communicate via text in the pharmacy when it may not be allowed or doesn't concern treatment. This often happens in spite of policy, according to the ISMP survey. CMS does allow texting on secured platforms but never for patient orders.
The Health Insurance Portability and Accountability Act of 1996 was designed to do all of the following EXCEPT:
Create a framework for protecting genetic information so it is not used to discriminate in determining treatment. While health plans have to disclose they can't use genetic information for underwriting purposes--in other words, to raise the cost of your plan or deny coverage--it can be used to determine treatment course by providers.
Requiring employees to scan a unique badge to enter your facility is an example of:
Facility access controls. Physical controls include badges, locks and surveillance.
One of your close friends and classmates was on rotation during their APPEs at the same pharmacy where you are currently finishing your rotation. He became close to a patient who was diagnosed with cancer. He asks you how the patient is doing when you are together during class. Is it ok to tell him?
NO. It is not ok for you to disclose to your friend how the patient is doing. The question is outside the boundaries of treatment, payment or operations. If you were both working at the pharmacy and a clinical question arose from another provider in relation to the patient, that might be a different situation.
Developing a process to discipline employees for failure to protect ePHI is:
Sanction policy. Deterrence processes and discipline are part of sanction policies, intended to promote compliance.
Which of the following statements are FALSE regarding the HIPAA Security Rule?
The Rule protects patient privacy rights. The HIPAA Privacy Rule protects patient privacy rights.
True or False: A required implementation specification must be put into place as written in the Rule.
True. Only addressable specifications may have alternate implementations.
True or False: The "minimum necessary" requirement of HIPAA refers to using or disclosing/releasing only the minimum PHI necessary to accomplish the purpose of use, disclosure or request.
True. The minimum necessary requirement in HIPAA gives guidance to only disclose what is necessary for the intended use (treatment, operations, payment) or the release/disclosure.