HIPAA


Which of the following is an appropriate method of recruiting a patient for a research study?

A patient's treating clinician sends a letter giving the patient information about a research study and information on how to enroll.

It's ok to store unencrypted and identified ePHI on a memory stick/flash drive as long as you keep the memory stick locked up or in your possession at all times.

False

It's ok to use someone else's password to access ePHI if you are both authorized for the same access.

False

It's ok to wait to report a suspected breach of Protected Health Information until you return from vacation if you discover a potential breach the day prior to leaving.

False

PHI includes all health information that is used/disclosed except PHI in oral form.

False

Under the right to access, workforce members have the right to access their own medical records directly, using their user name and password to log into the NSU clinical computer system.

False

All of the following are key points about the HIPAA Privacy Rule and Research...

HIPAA Privacy Rule applies in addition to the Common Rule and FDA regulations and HIPAA Privacy Rule generally requires patient authorization unless an exception or waiver is granted.

What are exceptions to using PHI without an individual's HIPAA Authorization?

IRB Waiver of HIPAA Authorization, De-Identified Information, reviews preparatory to research by staff of the covered component, and research involving a decedent's information.

You enter a conference room for a meeting and notice that several reports with patient information are on the table. What do you do?

If you can determine who left the reports, return the reports to them. Otherwise, give the reports to your supervisor or HIPAA Liaison.

What types of Protected Health Information may be used in research without specific authorization from patients?

Limited Data Set if the identity of the patient is protected and De-Identified Data.

Violation of the HIPAA Privacy Rules can result in the following penalty...

a fine, jail sentence, and/or NSU discipline, including termination or expulsion.

A breach is considered discovered...

as of the first day it is known (or reasonably should have been known) by the Covered Entity or Business Associate.

The elements of a HIPAA Authorization contain...

focuses on privacy risks, discusses how, why, and to whom the PHI will be used/disclosed, and the individual agrees to the use/disclosure of PHI in a particular study.

You can protect patient information by...

protecting verbal, written, and electronic information, utilizing safe computing skills, reporting suspected privacy and security incidents, and following university policies.

Accounting of Disclosures of PHI is NOT required under HIPAA when...

the disclosure was conducted with the written authorization of the patient.

You are called a Covered Entity if you are a health care provider, health plan, or health care clearinghouse who transmits information in an electronic form.

True

The HIPAA Privacy Rule protects a patient's fundamental right to privacy and confidentiality.

True

The Notice of Privacy Practices gives patients notice about the use/disclosure of their PHI, as well as their rights in general.

True

It is not appropriate for me to access or use patient protected health information:

To find out about my best friend's condition after seeing her in the waiting area of a practice.

Accessing patient information electronically can be traced back to your User ID and computer.

True

De-Identified information has all 18 HIPAA identifiers removed.

True

In general, disclosure of PHI must be limited to the least amount needed to accomplish the intended purpose of the use, disclosure, or request.

True

Your supervisor (a physician/health care provider) is very busy and asks you to log into the clinical information system using his user ID and password to retrieve some patient reports. What should you do?

Decline the request and refer him to the NSU HIPAA Security Policies.

Because I have access to confidential patient information as part of my job, I can look up anybody's record, even if they are not my patient, as long as I keep the information to myself.

I can only look at records when it is required by my job.

Who should a suspected breach of HIPAA Security Rules and/or policies and procedures be reported to?

The Clinic HIPAA Liaison and/or NSU HIPAA Security Officer.

Discussion about patients or patient information in public areas, such as the cafeteria, may be overheard by unauthorized listeners and may violate the patient's right to privacy.

True

Unsecured Protected Health Information can include information in any form or medium, including electronic, paper, or verbal.

True

A HIPAA authorization has which of the following characteristics?

Uses plain language that the research participant can understand.

The HIPAA authorization requirement can be bypassed for all of the following...

use of the information from deceased individuals, with certain representations by the researcher; activities preparatory to research, with certain representations by the researcher; and limited data set with an approved data use agreement.

