HIPAA True/False
You do not need to worry about oral communications involving PHI since verbal exchanges are not governed by the HIPAA privacy rule.
False - PHI can be transmitted or maintained in any form or medium, including hardcopy, verbal exchanges, and electronic exchanges, such as e-mail.
Clinic staff are responsible for obtaining a patient's signed authorization for using the patient's information in connection with the clinic's payment activities.
False - As discussed in previous lessons, the HIPAA privacy rule allows NSU clinics to use and disclose a patient's PHI without obtaining an authorization in a number of circumstances including for payment purposes.
If a patient objects to a disclosure to a family member, clinic staff should not discuss the patient's PHI with the family member.
True - The HIPAA privacy rule does not allow disclosures of PHI to family members when the patient objects to the disclosure.
NSU students are responsible for complying with the HIPAA policies implemented in the NSU clinics in which they train.
True - Like clinic staff and faculty providing services in the various NSU clinics, students must comply with the HIPAA policies implemented by the applicable NSU departments. Moreover, when training at affiliate locations, students will be responsible for complying with the policies implemented by the NSU affiliate institutions and clinics.
NSU students are permitted to use a patient's PHI in the clinic in connection with the student's involvement with the patient's treatment at the clinic without obtaining a HIPAA authorization from the patient.
True - Students' use of PHI in the clinic is considered part of the clinic's health care operations. The clinic's health care operations include conducting student-training programs.
Since students are involved in treating patients, they are allowed free access to all patient medical records stored in the clinic.
False - Great! The HIPAA privacy rule considers the operation of training programs as health care operations and not treatment and thus the minimum necessary rules have to be followed. Accordingly, NSU students are not allowed to freely access patient records if the student is not participating in the care of the patient.
NSU clinics are responsible for providing patients with NSU's HIPAA Notice at each patient visit.
False - The HIPAA Notice must be given to all patients only one time. Unlike informed consents and similar documents, providing the HIPAA Notice is not a continuing obligation.
Clinic staff, students and faculty are not permitted to disclose a patient's PHI to a billing company or billing department or billing personnel unless a written authorization has been obtained from the patient.
False - The HIPAA privacy rule allows uses and disclosures of a patient's PHI without obtaining a consent or authorization for purposes of getting paid for services. This includes disclosing PHI to those providing billing services for the clinic.
A handwritten note with a patient's diagnosis and room number is protected health information.
False - The patient's diagnosis and room number are not "identifiers". Therefore, the information is de-identified and is no longer protected health information.
A child's non-custodial parent may not request the child's medical records unless the custodial parent has given consent.
False - Under Florida law, the child's non-custodial parent is considered a personal representative and thus can request copies of the child's records under HIPAA unless there is a specific court order restricting the non-custodial parent's access to medical records.
In general, due to the sensitivity of health information a 16-year-old patient should always act on his or her own behalf for HIPAA privacy purposes.
False - Unless the 16-year-old has been emancipated, he or she has a personal representative for HIPAA purposes. In Florida, a minor is emancipated if he or she is married, is 18 years of age, a court has entered an emancipated order, or he or she has been adjudicated an adult and is in the custody or under supervision of the Florida Department of Corrections.
Although patients may request copies of their medical records, they are not generally allowed to see copies of the original records.
False - With regard to requesting access to records, NSU clinic patients can request to receive a copy of their medical records or billing records. Also, they are allowed to inspect the original records.
In general, NSU clinics must amend a patient's medical record at their request.
False -Great! Unlike the request to access records, many requests to amend records can be appropriately denied. For example, the NSU clinic may deny amendment requests when the information is accurate and complete or when the information has not been created by the NSU clinic
Prior to discussing a patient's PHI with their employer, the NSU clinic must have a HIPAA authorization signed by the patient for such disclosure.
True - As the disclosure is for purposes outside of the clinic's own treatment, payment and operations, the HIPAA privacy rule requires the NSU clinic to obtain the patient's authorization prior to discussing or sharing PHI with the patient's employer.
You would be permitted to prepare a case study to present to your fellow students including the following information: the patient's sex, age (if less than 89), diagnosis, list of medications, list of past surgeries, and symptoms.
True - In this circumstance, the information has been de-identified and can be taken from the clinical setting.
In most cases, disclosures of PHI under the special circumstances categories must be documented.
True - The HIPAA privacy rule requires that most special circumstances disclosures be documented as patients have the right to request an accounting of such disclosures. The documentation of the disclosures must contain: date of the disclosure; name of the receiver of the information; description of the PHI disclosed; and a brief statement of the purpose of the disclosure.
Handwritten notes containing a patient's name and diagnosis cannot be removed from the clinical setting without de-identification.
True - The handwritten notes are protected health information (PHI). In general, you will not be permitted to remove this information from the clinical setting without de-identification. Information could be de-identified in this scenario by blacking out the patient's name.
If a patient is a competent adult, the NSU clinic staff should request that the patient sign all HIPAA forms such as the acknowledgment of Notice.
True - The personal representative provisions of HIPAA only come into play with incompetent adults, minors and deceased patients. Accordingly, competent adults should act on their own behalf.
Unless the patient is given the verbal opportunity to object, clinic staff should not discuss billing information involving the patient's diagnosis with the patient's husband.
True - Unless a limited exception applies, a patient must be given the verbal opportunity to object to disclosures made to family members.
HIPAA's minimum necessary rule and the NSU clinic policies on only accessing information on a need to know basis are not intended to interfere with proper patient treatment.
True -Great! It is important to keep in mind that the clinic policies should not be interpreted in any way that would comprise patient treatment. The HIPAA privacy rule recognizes that need to know policies should not interfere with proper patient care.
It is not appropriate for clinic staff, students or faculty to request that a patient waive their right to file a compliant directly with the federal government.
True -Great! The HIPAA privacy rule does not permit health care providers to request that patients waive their right to file privacy complaints with the government. Also remember that patients who file complaints with the clinic or the government cannot be treated differently than other patients.
Clinic staff should only access patient information in connection with performing their clinic job duties.
True -Great! The minimum necessary requirements in the HIPAA privacy rule are intended to ensure that patient information is only accessed by those with a need to know the information. For example, it would not be appropriate for a staff member to access information out of curiosity.
Clinic staff, students and faculty could be subject to disciplinary action for violating a patient's privacy.
True -Great! Under the HIPAA privacy rule, the NSU clinics are required to take appropriate action in response to breaches of patient privacy. As part of the NSU clinics' policies on complaints, departments will determine whether disciplinary action should be taken and the type of action to be taken.
When signing the Acknowledgment form, the patient's signature means that he/she agrees with the Notice.
False - As part of providing the Notice to the patient, the privacy rule requires that NSU clinics make a good faith effort to obtain a signed or initialed Acknowledgment from the patient or the patient's personal representative. This Acknowledgment form simply states that the patient received the Notice. The patient is not signing that he/she agrees with the Notice.
As long as patient information is not contained on NSU forms or records, it is not PHI and therefore not governed by the privacy rule and policies.
False - PHI can be maintained in any form or medium. For example, if you make handwritten notes for your own use or write a paper that identifies a patient, the information becomes PHI regardless of whether it is on official NSU forms or contained in NSU records.
Clinic staff can request that patients sign a blank authorization form, which can be used by the NSU clinic to disclose the patient's PHI at any time.
False - The HIPAA authorization differs from typical blanket releases that are often used by health care providers. As discussed in previous lessons, the HIPAA privacy rule allows NSU clinics to use and disclose a patient's PHI without obtaining an authorization in a number of circumstances including for payment purposes.
A patient's PHI should never be discussed with a family member unless a written HIPAA authorization is on file.
False - The HIPAA privacy rule allows disclosures of a patient's PHI to a family member or friend who is involved in the patient's health care or payment of health care provided the information is relevant to their involvement. Although the patient must be given the opportunity to verbally object to most disclosures to family members, a written HIPAA authorization need not be obtained.
Unless a HIPAA authorization is on file signed by the patient, a patient's PHI can never be disclosed in connection with a Medicare audit of a NSU clinic.
False - The HIPAA privacy rule allows disclosures of a patient's PHI, without an authorization, for health oversight activities such as audits and investigations of health care providers.
Prior to communicating about a patient for purposes of coordination of care with another health care provider outside of the NSU department, the patient's written authorization must be obtained.
False - The HIPAA privacy rule allows the use and disclosure of a patient's PHI without obtaining a consent or authorization for purposes of treatment. This includes exchanges of information for coordination of care, consultations and referrals.
NSU clinic patients should be encouraged to refrain from filing privacy complaints.
False -Great! The HIPAA privacy rule prohibits health care providers from intimidating, threatening or otherwise retaliating against patients who file privacy complaints. This would include trying to persuade patients from filing complaints, as they are entitled to file complaints if they feel their privacy has been violated.
Although in most cases a patient is entitled to get copies of his or her records, NSU clinics do not have to respond in a specific time frame.
False -Great! Under the HIPAA privacy rule, NSU clinics are responsible for timely acting on patient requests for copies of their records within 30 days for records stored on-site and 60 days for records stored off-site.
A patient who has been provided NSU's HIPAA Notice can request an additional copy at another visit.
True - Although affirmatively providing the patient with a Notice is a one-time obligation, clinic employees are responsible for providing another copy to a patient who requests another copy.