HIT 101-Chapter 9
What are the sixteen circumstances where PHI can be used or disclosed without an individual's authorization: (More detail)
1.) As required by law. *Disclosures are permitted when required by laws that meet the public-interest requirements of disclosure relating to victims of abuse, neglect, or domestic violence, judicial and administrative proceedings, and law enforcement purposes.
2.) Public health activities. *These include preventing or controlling disease, injuries, and disabilities, and reporting disease, injury, and vital events such as births and deaths. Examples include the reporting of adverse events or product defects to comply with US Food and Drug Administration (FDA) regulations and, when authorized by law, reporting a person who may have been exposed to a communicable disease and may be at risk for contracting or spreading it. Disclosure of students' immunization records may be considered a public health disclosure. Where applicable law requires that a school obtain a student's authorization records prior to enrollment, authorization is not required for the information to be disclosed to the school. An oral agreement from the student's legal guardian or the student (if age of majority has been reached) is, however, still required.
3.) Victims of abuse, neglect, or domestic violence. *An example is the reporting to authorities authorized by law to receive information about child or other abuse or neglect. In non-child abuse situations, the Privacy Rule requires the CE to promptly inform the individual or personal representative that a report has been or will be made unless it believes that doing so would place the individual at risk of serious harm or not be in his or her best interest (such as informing the personal representative, who is believed to be responsible for the abuse, neglect, or other injury).
4.) Healthcare oversight activities. *An authorized health oversight agency may receive PHI for activities authorized by law such as audits, civil or criminal investigations, licensure, and other inspections.
5.) Judicial and administrative proceedings. *Disclosures of specified PHI are permitted in response to a court order or administrative agency order. For subpoenas and discovery requests, the party seeking the PHI must assure the CE that it has made reasonable efforts to make the request known to the subject individual. The CE also must be assured that the time for the individual to raise objections to the court or administrative agency has elapsed and that either no objections have been filed, all objections have been resolved, or a qualified protective order has been secured.
6.) Law enforcement purposes. *The Privacy Rule specifies six instances when disclosures to law enforcement do not require patient authorization or the patient has no opportunity to agree or object: COME BACK pg 266
7.) Decedents. *Disclosures to a coroner or medical examiner are permitted to identify a deceased person, determine a cause of death, or for other purposes required by law. In accordance with applicable law, disclosures to funeral directors are permitted, as necessary, to allow them to carry out their duties with respect to the decedent. This type of information also may be disclosed in reasonable anticipation of an individual's death.
8.) Cadaveric organ, eye, or tissue donation. *PHI may be disclosed to organ procurement agencies or other entities to facilitate procurement, banking, or transplantation of cadaveric organs, eyes, or tissue.
9.) Research. *Authorizations for the use of PHI in research are required except where an IRB or privacy board alters or waives the authorization requirement (in whole or in part) and documents it. Table 9.3 provides a detailed analysis of the responsibilities of both the IRB and the researcher under the Privacy Rule requirements. A CE may combine conditioned authorizations (that is, those that condition research-related treatment upon research participation) and unconditioned authorizations (that is, those that do not condition research-related treatment upon research participation) as long as the conditioned and unconditioned components are clearly distinguished, and the individual is able to opt into the unconditioned research activities. This provision does not apply to psychotherapy notes.
10.) COME BACK pg 268
What are the sixteen circumstances where PHI can be used or disclosed without an individual's authorization:
1.) As required by law 2.) Public health activities 3.) Victims of abuse, neglect, or domestic violence 4.) Healthcare oversight activities 5.) Law enforcement purposes 6.) Judicial and administrative proceedings 7.) Decedents 8.) Cadaveric organ, eye, or tissue donation 9.) Research
What does PHI stand for?
Protected Health Information
What are the five categories of the red flag rule:
1.) Alerts, notifications, or warnings from a consumer reporting agency 2.) Suspicious documents 3.) Suspicious personally identifying information, such as a suspicious address 4.) Unusual use of, or suspicious activity relating to, a covered account 5.) Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with an account
What are the three documents that outline the Privacy Rule:
1.) Notice of Privacy Practices 2.) Consent to Use or Disclose PHI 3.) Authorization
Under usual circumstances, a covered entity must act on a patient's request to review or copy his or her health information within: a.) 10 days b.) 20 days c.) 30 days d.) 60 days
C.) 30 days
As a general rule, which of the following is a legally competent individual? a.) A minor with a developmental disability b.) An adult with a developmental disability c.) A minor without a developmental disability d.) A minor's personal representative
D.) A minor's personal representative. Unless exceptions (such as emancipation) exist, a minor is deemed legally incompetent. Individuals with developmental disabilities must be assessed for legal competence. As such, an adult with a developmental disability may be legally incompetent. An individual assigned to serve as a minor's personal representative, to make healthcare decisions on the minor's behalf, is the most likely of the options to be deemed legally competent without additional facts to indicate otherwise.
The designated record set includes a(n): a.) Strategic Plan b.) Policies and Procedures c.) Audits d.) Billing Records
D.) Billing Records
Personal Representative
Person with legal authority to act on a patient's behalf
What are the three criteria to be a creditor:
1.) Obtains or uses consumer reports in connection with a credit transaction 2.) Furnishes information to consumer reporting agencies in connection with a credit transaction 3.) Advances funds to, or on behalf of, someone, except for funds for expenses incidental to a service provided by the creditor to that person
What must a covered entity (CE) do to deidentify information so it can be used in data analysis/data mining?
1.) The covered entity (CE) can strip certain elements to ensure the patient's information is truly deidentified. These elements are listed in Figure 9.3 2.) The covered entity (CE) has an expert apply generally accepted statistical and scientific principles and methods to minimize the risk that the information might be used to identify an individual
What are the two goals to the Privacy Rule:
1.) To provide greater privacy protection for one's health information (this also serves to limit access by others) 2.) To provide an individual with greater rights with respect to his or her health information
According to HIPAA, once an individual signs a valid authorization for the release of information, the information _____: a.) Can only be redisclosed for payment purposes b.) May be subject to redisclosure and no longer protected by the Privacy Rule c.) Will never be redisclosed until the individual signs a new form to authorize redisclosure d.) Can be redisclosed, but only to the individual's attorney
B.) May be subject to redisclosure and no longer protected by the Privacy Rule
Identify the scenario where patient authorization is required prior to disclosure: a.) To an insurance company for payment b.) To the patient's attorney c.) To public health authorities as required by law d.) To another provider for treatment
B.) To the patient's attorney
Under the HIPAA Privacy Rule, an impermissible use or disclosure should be presumed to be a breach unless the covered entity or business associate demonstrates that the probability the PHI has been compromised is: a.) High b.) Moderate c.) Low d.) Non-existent
C.) Low
Fair and Accurate Credit Transactions Act (FACTA)
Law passed in 2003 that contains provisions and requirements to reduce identity theft
Minimum Necessary Standard
Requires that uses, disclosures, and requests must be limited to only the amount needed to accomplish an intended purpose
The HIPAA Privacy Rule requires that covered entities limit use, access, and disclosure of PHI to the least amount necessary to accomplish the intended purpose. This concept is: a.) Minimum Necessary b.) Notice of Privacy Practice c.) Authorization d.) Consent
A.) Minimum Necessary
Notice of Privacy Practice
As amended by Health Information Technology for Economic and Clinical Health Act (HITECH), a statement (mandated by the HIPAA Privacy Rule) issued by a healthcare organization that informs individuals of the uses and disclosures of patient-identifiable health information that may be made by the organization, as well as the individual's rights and the organization's legal duties with respect to the information
Red Flag Rule
Consists of five categories of red flags that are used as triggers to alert the organization to a potential identity theft. These categories are: (1) Alerts, notifications, or warnings from a consumer reporting agency (2) Suspicious documents (3) Suspicious personally identifying information, such as a suspicious address (4) Unusual use of, or suspicious activity relating to, a covered account (5) Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with an account
Business Associate (BA)
(1) A person or organization other than a member of a covered entity's workforce that performs functions or activities on behalf of or affecting a covered entity that involve the use or disclosure of individually identifiable health information. (2) As amended by Health Information Technology for Economic and Clinical Health Act (HITECH), with respect to a covered entity, a person who creates, receives, maintains, or transmits protected health information for a function or activity regulated by HIPAA, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
What are the steps of managing the disclosure of health information: (More information)
1.) Enter the request in the disclosure of health information database. *Generally, information such as patient name, date of birth, health record number, name of requester, address of requester, telephone number of requester, purpose of the request, and specific health record information requested is entered in the computer. (Figure 9.4)
2.) Determine the validity of authorization. *The HIM professional will compare the authorization form signed by the patient with organizational requirements for authorization to determine the validity of the authorization form. The healthcare organization's requirements are based on state and federal regulations. Certain types of information such as substance abuse treatment records, behavioral health records, and HIV records require that specific components be included in the authorization form per state and federal regulations. If the request is valid, the HIM professional proceeds to the next step. If the authorization is invalid, the problem with the authorization is noted in the disclosure of health information database and it is returned to the requester with an explanation.
3.) Verify the patient's identity. *The HIM professional must verify that the patient has been a patient at the healthcare organization. To do this, the HIM professional compares the information on the authorization form with information in the master patient index. The patient's name, date of birth, Social Security number, address, and phone number are used to verify the identity of the patient whose record is requested. The patient's signature in the health record is compared with the patient's signature on the authorization for disclosure of health information form.
4.) Process the request. *The health record is retrieved (paper or electronic) and only the information authorized for release is copied or printed and released. The patient information may also be faxed or otherwise released directly from the EHR.
What are the steps of managing the disclosure of health information:
1.) Enter the request in the disclosure of health information database 2.) Determine the Validity of Authorization 3.) Verify the Patient's Identity 4.) Process the Request
What are the three types of Covered Entities (CE) to which the Privacy Rule applies:
1.) Healthcare providers, but only those that conduct certain transactions (financial or administrative) electronically. Healthcare providers include hospitals, long-term care facilities, physicians, and pharmacies. 2.) Health plans, which pay for the cost of medical care (for example, a health insurance company). 3.) Healthcare clearinghouses, which process claims between a healthcare provider and payer (for example, an intermediary that processes a hospital claim to Medicare to facilitate payment).
What are the five titles of the Health Insurance Portability and Accountability Act (HIPAA):
1.) Insurance Portability 2.) Administrative Simplification 3.) Medical Savings and Tax Deductions 4.) Group Health Plan Provisions 5.) Revenue Offset Provisions
What are the four risk-assessment factors used to determine whether PHI has been compromised:
1.) Nature and extent of the PHI (Protected Health Information) involved, including the types of identifiers involved and how likely it is that reidentification can occur 2.) Who the unauthorized recipient of the PHI was 3.) Whether the PHI was actually obtained or viewed 4.) Degree to which the CE or BA mitigated the risk (for example, immediate destruction of the PHI)
What are the exceptions to the right of access? When can a covered entity (CE) deny an individual access to PHI? (Reminder: the right of access is the second part of the HIPAA Privacy Rule)
1.) The protected health information (PHI) is in psychotherapy notes
2.) The protected health information (PHI) was compiled in reasonable anticipation of, or for use in, civil or criminal litigation or administrative action
3.) The covered entity (CE) is a correctional institution or a provider that has acted under the direction of a correctional institution, and an inmate's request for his or her protected health information (PHI) creates health or safety concerns
4.) The protected health information (PHI) is created or obtained by a covered healthcare provider in research that includes treatment, and an individual receiving treatment as part of a research study agrees to suspend his or her right to access protected health information (PHI) temporarily, while the study is in progress
5.) The protected health information (PHI) was obtained from someone other than a healthcare provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information
6.) The protected health information (PHI) is contained in records that are subject to the federal Privacy Act, if the denial of access under the Privacy Act would meet the requirements of that law
7.) The protected health information (PHI) is maintained by a covered entity (CE) that is subject to the Clinical Laboratory Improvement Amendments (CLIA) of 1988, which regulates the quality of laboratory testing, and CLIA would prohibit access
8.) The protected health information (PHI) is maintained by a covered entity (CE) exempt from CLIA requirements
What are the three exceptions to the definition of breach:
1.) Unintentional acquisitions made in good faith and within the scope of authority 2.) Disclosures where the recipient would not reasonably be able to retain the information 3.) Disclosure by a person authorized to access Protected Health Information (PHI) to another authorized person at the covered entity (CE) or Business Associate (BA)
What is the three-part test for Protected Health Information (PHI)?
1.) The information must be held or transmitted by a covered entity (CE) or a business associate (BA) in any of the forms listed previously. 2.) It must be individually identifiable health information. To be individually identifiable, the information must either identify the person or provide a reasonable basis to believe the person could be identified from the information. 3.) It must relate to a person's past, present, or future physical or mental health condition, the provision of healthcare, or payment for the provision of healthcare.
Privacy Officer
A position mandated under the HIPAA Privacy Rule; covered entities must designate an individual to be responsible for developing and implementing privacy policies and procedures
Medical Identity Theft
A type of healthcare fraud that includes both financial fraud and identity theft; it involves either (a) the inappropriate or unauthorized misrepresentation of one's identity (for example, the use of one's name and Social Security number) to obtain medical services or goods, or (b) the falsifying of claims for medical services in an attempt to obtain money
Which of the following is a member of a hospital workforce? a.) A clerk working in the hospital's registration office b.) A lawn care service for the hospital grounds c.) An employee of a company that picks up laundry from the hospital every day d.) An employee of one of the hospital's business associates who is on the hospital premises occasionally
A.) A clerk working in the hospital's registration office
A funeral home is contacted to retrieve a patient's body. This contact and disclosure of information about the decedent is: a.) A public interest and benefit exception to the authorization requirement b.) Only permissible if the decedent's next of kin has given written authorization for information about the decedent c.) A violation of the HIPAA Privacy Rule d.) Subject to a HIPAA consent by the next of kin
A.) A public interest and benefit exception to the authorization requirement. This disclosure of information is a public interest and benefit exception (regarding decedents). As such, written authorization is not required, and it is not a violation of the Privacy Rule. HIPAA consent is optional by nature, so this disclosure is not subject to the HIPAA consent.
Elizabeth has requested a copy of her Protected Health Information (PHI) from Memorial Hospital. Which of the following is acceptable for Memorial Hospital to charge Elizabeth? a.) A reasonable cost-based fee b.) It may not charge Elizabeth at all c.) It may impose any fee authorized by state statute d.) It can charge only for the cost of the paper on which the information is printed.
A.) A reasonable cost-based fee. A reasonable cost-based fee is permitted, but it must be based on actual costs incurred for that request. If state statute permits an individual to be charged more than the HIPAA-permitted reasonable cost-based fee, then the state statute is preempted by HIPAA.
Per the Fair and Accurate Credit Transactions Act (FACTA), which of the following is not a red flag category? a.) An account held by a person who is over 80 years old b.) Warnings from a consumer reporting agency c.) Unusual activity relating to a covered account d.) Suspicious documents
A.) An account held by a person who is over 80 years old. Red flag categories reflect suspicious characteristics. Merely referring to an account held by an elderly person is not on its face a suspicious characteristic.
A covered entity's notice of privacy practices should include: a.) An authorization must contain an expiration date or event b.) A consent for use and disclosure of information must be obtained from every patient c.) An authorization must be obtained for uses and disclosures for treatment, payment, and operations. d.) A notice of privacy practices must give ten examples of a use or disclosure for healthcare operations
A.) An authorization must contain an expiration date or event
A nurse called Dee by her first name in a physician's office when Dee was to be seen by the physician. This was: a.) An incidental disclosure b.) Not subject to the minimum necessary requirement c.) A disclosure for payment purposes d.) An automatic violation of the Privacy Rule
A.) An incidental disclosure. Calling a patient by name is subject to the minimum necessary requirement, but it is a permissible incidental disclosure, necessary for the office to conduct its business. It is a disclosure for operational purposes, not payment purposes.
A covered entity's notice of privacy practices should include a: a.) Description with one example of disclosures made for treatment purposes b.) Description of one other purpose for which a covered entity is permitted or required to disclose PHI without consent or authorization c.) Statement of the healthcare organization's rights d.) Patient's signature and e-mail address
A.) Description with one example of disclosures made for treatment purposes
Which of the following is the true statement regarding the facility directory? a.) Disclosures from the directory need not be included in an accounting disclosure b.) Individuals must provide a written authorization before information can be placed in the directory c.) The directory must contain only the patient's name and birth date d.) The directory may contain diagnostic information as long as it is kept confidential
A.) Disclosures from the directory need not be included in an accounting disclosure
Deidentified information: a.) Does not identify an individual b.) Is information from which only a person's name has been stripped c.) Can be constituted later or combined to reidentify an individual d.) Is subject to the HIPAA Privacy Rule
A.) Does not identify an individual. Deidentified information does not identify an individual or provide a reasonable basis to believe the individual could be identified. To be deidentified, information has been removed such that it cannot be constituted later or combined to reidentify an individual. Deidentified information is not subject to the HIPAA Privacy Rule.
Misty is the privacy officer for a large physician practice. She is preparing training sessions about HIPAA privacy policies and procedures that have been recently updated. Misty is working with administration to make some decisions about the training sessions. Which of the following is correct: a.) Every member of the covered entity's workforce should be trained b.) Only individuals employed by the covered entity should be trained c.) Training materials, such as PowerPoints, are to be retained for five years d.) Training attendance logs do not have to be retained
A.) Every member of the covered entity's workforce should be trained. The covered entity is responsible for training all members of its workforce, not only employees. The retention period for HIPAA-related records is six years.
Julie wants to review her health records, but she is asking about the Privacy Rule's requirements pertaining to record retention. HIPAA establishes that a patient has the right of access to inspect and obtain a copy of her PHI: a.) For as long as it is maintained b.) For six years c.) Forever d.) For 12 months
A.) For as long as it is maintained. HIPAA does not specify a length of time that protected health information (PHI) must be maintained; however, the right of access exists for as long as the PHI exists.
Which of the following is a situation where a covered entity may deny an individual's amendment request? a.) If the PHI in question is not part of the designated record set b.) If the PHI in question was created by the covered entity and therefore cannot be amended c.) If the PHI in question cannot be amended in an electronic health record d.) If the PHI in question was created over a year ago
A.) If the PHI in question is not part of the designated record set
Which of the following statements is true regarding the Health Insurance Portability and Accountability Act (HIPAA)? a.) Provides a federal floor for healthcare privacy b.) Duplicates state laws c.) Does not need to be followed if it is not feasible to do so d.) Duplicates Joint Commission standards
A.) Provides a federal floor for healthcare privacy
Critique this statement: According to HIPAA, workforce members include students. a.) This is a true statement b.) This is a false statement as students are not employees in the organization c.) This is a false statement as workforce includes employees only d.) This is a false statement as the workforce includes employees and physicians only
A.) This is a true statement
Medical identity theft includes: a.) Using another person's name to obtain durable medical equipment b.) Purchasing an EHR c.) Purchasing surgical equipment d.) Using another healthcare provider's national provider identifier to submit a claim
A.) Using another person's name to obtain durable medical equipment. Medical identity theft is a fraudulent act committed to obtain medical services or goods or to obtain money, and it damages the integrity of an individual's health information.
Mary's PHI has been breached. She must be informed of all of the following except: a.) Who committed the breach b.) Date the breach was discovered c.) Types of unsecured PHI involved d.) What she may do to protect herself
A.) Who committed the breach. The HIPAA Privacy Rule does not require that the identity of the culprit in a breach be disclosed. All other information must be included when informing an individual about a breach of their PHI.
Right of Access
Allows an individual to inspect and obtain a copy of his or her PHI (protected health information) contained within a designated record set, such as a health record.
Covered Entity (CE)
As amended by Health Information Technology for Economic and Clinical Health Act (HITECH), (1) A health plan, (2) A health care clearinghouse, (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter
Business Associate Agreement (BAA)
As amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), a contract between the covered entity and a business associate that must establish the permitted and required uses and disclosures of protected health information by the business associate and provide specific content requirements of the agreement. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of HIPAA, and it requires termination of the contract if the covered entity or business associate is aware of noncompliant activities of the other.
Per the opportunity to verbally agree or object: a.) A patient may disallow information to be sent to his or her health plan for payment purposes b.) A hospital may communicate with family members involved in the patient's care c.) A patient may verbally revoke an authorization d.) A hospital may disclose PHI to law enforcement
B.) A hospital may communicate with family members involved in the patient's care. The opportunity to agree or object pertains to a patient's verbal agreement (or objection) to being included in the facility directory or to communications with family or friends involved in the patient's care.
A valid authorization must contain all the following except: a.) A description of the information to be used or disclosed b.) A signature and stamp by a notary c.) A statement that the information being used or disclosed may be subject to redisclosure by the recipient d.) An expiration date or event
B.) A signature and stamp by a notary. Written authorizations do not have to be notarized.
The term minimum necessary means that healthcare providers and other covered entities must limit use, access, and disclosure to the least amount needed to: a.) Retain records needed for patient care b.) Accomplish the intended purpose c.) Treat an individual d.) Perform research
B.) Accomplish the intended purpose. The minimum necessary standard requires that uses, disclosures, and requests be limited to only the amount needed to accomplish an intended purpose.
PHI loses its protected status: a.) If health information is not identified by the person's name b.) After an individual has been deceased more than 50 years c.) When it is being used for research d.) When it is in the hands of a business associate
B.) After an individual has been deceased more than 50 years
Treatment of an individual can be conditioned on the signing of the: a.) Authorization b.) HIPAA consent c.) Notice of Privacy Practices d.) Research Waiver
B.) HIPAA consent. Refusal by an individual to sign a HIPAA consent enables the provider to refuse to provide treatment. The HIPAA consent is optional and does not have to be presented or signed at all if the covered entity chooses not to provide it.
The Right of Privacy: a.) Has been granted by the US Constitution b.) Has been granted via court decisions c.) Does not apply to health information d.) Does not exist
B.) Has been granted via court decisions. The right of privacy, which does apply to health information, has been granted by court decisions that interpret the US Constitution.
Under the HIPAA Privacy Rule, a covered entity includes a: a.) Business Associate b.) Healthcare Clearinghouse c.) Physician Office d.) Document Disposal Company
B.) Healthcare Clearinghouse
The Privacy Rule extends to protected health information: a.) In any form or medium, except paper and oral form b.) In any form or medium, including paper and oral form c.) That pertains to mental health treatment only d.) That exists in electronic form only
B.) In any form or medium, including paper and oral form. The Privacy Rule extends to protected health information in any form or medium, including paper and oral forms.
Which of the following is a true statement about the notice of privacy practices? a.) It must be made available at the corporate headquarters b.) It must be posted in a prominent place c.) Its content cannot be changed d.) It cannot be posted on the website
B.) It must be posted in a prominent place
Which of the following is the true statement about the notice of privacy practices? a.) It gives the covered entity permission to use information for treatment purposes b.) It must be provided to every individual at the first time of contact or service with the covered entity c.) It must be provided to the individual by the covered entity within 10 days after receipt of treatment or service d.) It serves the same purpose as the authorization
B.) It must be provided to every individual at the first time of contact or service with the covered entity
Notices of privacy practices must be available at the site where the individual is treated and: a.) Must be posted next to the entrance b.) Must be posted in a prominent place where it is reasonable to expect that patients will read them c.) May be posted anywhere at the site d.) Do not have to be posted at the site
B.) Must be posted in a prominent place where it is reasonable to expect that patients will read them. The HIPAA Privacy Rule requires that the Notice of Privacy Practices be available at the site where the individual is treated and posted in a prominent place where patients can reasonably be expected to read it.
Business associate agreements are developed to cover the use of Protected Health Information (PHI) by: a.) The covered entity's employees b.) Organizations outside the covered entity's workforce that use PHI to perform functions on behalf of the covered entity c.) The covered entity's entire workforce d.) The covered entity's janitorial staff
B.) Organizations outside the covered entity's workforce that use PHI to perform functions on behalf of the covered entity. Organizations outside the covered entity's workforce that use PHI to perform functions on behalf of the covered entity fall within the definition of a business associate.
The use or disclosure of PHI for marketing: a.) Always requires written authorization from the patient b.) Does not require written authorization for face-to-face communication with the individual c.) Requires written authorization from the patient when products or services of nominal value are introduced d.) Never requires written authorization from the patient
B.) Does not require written authorization for face-to-face communication with the individual. Face-to-face communications do not require written authorization. Not all activities identified as marketing require written authorization. Use of an individual's PHI for the introduction of products or services of nominal value specifically does not require authorization.
The breach notification requirement applies to: a.) All PHI b.) Unsecured PHI only c.) Electronic PHI only d.) PHI on paper only
B.) Unsecured PHI only
What are the Components of a Business Associate Agreement (BAA)?
BAA - Business Associate Agreement; BA - Business Associate; CE - Covered Entity; HIPAA - Health Insurance Portability and Accountability Act; ACA - Affordable Care Act; PHI - Protected Health Information
A covered entity has _____ to respond to an individual's request for access to his or her PHI when the PHI is stored off-site. a.) 10 days beyond the original requirement b.) 30 days c.) 60 days d.) 90 days
C.) 60 days. If stored onsite, it would have been 30 days.
The King's Hospital Foundation is reviewing its protocol for an upcoming fundraising appeal. Which of the following is true regarding the HIPAA Privacy Rule and fundraising? a.) Fundraising materials do not have to include opt-out instructions b.) Prior authorization is required if individuals are not targeted based on diagnosis c.) Individuals must be informed in the Notice of Privacy Practices that their information may be used for fundraising purposes d.) Authorization is always required for fundraising solicitations
C.) Individuals must be informed in the Notice of Privacy Practices that their information may be used for fundraising purposes. Individuals must be informed in advance in the Notice of Privacy Practices. Opt-out instructions are required. Prior authorization is required if individuals are targeted for fundraising based on their diagnosis. There are exceptions to the authorization requirement for fundraising.
Release of birth and death information to public health authorities: a.) Is prohibited without patient consent b.) Is prohibited without patient authorization c.) Is a public interest and benefit disclosure that does not require patient authorization d.) Requires both patient consent and authorization
C.) Is a public interest and benefit disclosure that does not require patient authorization. Release of vital statistics information is a public interest and benefit exception to the written authorization requirement, so neither consent nor authorization is required. Consent is optional under the Privacy Rule.
Jill's information is included in the facility directory. This listing: a.) Could occur only with Jill's written authorization b.) Is automatic upon Jill's admission to the hospital c.) Is present because Jill informally agreed to it d.) Includes all PHI in Jill's designated record set
C.) Is present because Jill informally agreed to it. Written authorization is not required for inclusion in the facility directory. Inclusion in the facility directory is not automatic upon a patient's admission to a hospital. Facility directory listings cannot include all PHI in a designated record set.
The American Recovery and Reinvestment Act expanded the definition of business associates to include: a.) Consultants b.) Billing Companies c.) Patient Safety Organizations d.) Transcription Companies
C.) Patient Safety Organizations
HIPAA regulations: a.) Never preempt state statutes b.) Always preempt state statutes c.) Preempt less strict state statutes where they exist d.) Preempt stricter state statutes where they exist
C.) Preempt less strict state statutes where they exist. Where a state statute protects PHI to a lesser degree (is less strict) than HIPAA, that state statute will be preempted by HIPAA. This must be analyzed on a case-by-case basis, so preemption is not automatically granted or denied when HIPAA is analyzed relative to a state statute.
Jance is a well-informed patient. She knows that the Privacy Rule requires that individuals be able to: a.) Be granted all requested restrictions on uses and disclosures of PHI b.) Be granted all requested amendments to their PHI c.) Receive a copy of the notice of privacy practices d.) Receive free copies of their protected health information
C.) Receive a copy of the notice of privacy practices. The Privacy Rule gives individuals the right to request restrictions and amendments. It does not give an automatic right for those requests to be granted. Individuals are to receive their PHI at a reasonable cost-based price; the Rule does not allow them to receive it at no cost.
Beth is the privacy officer at Kings Hospital. She knows that she must report breaches to the Office for Civil Rights in the Department of Health and Human Services. Which of the following breach notification statements is correct? a.) She is only required to report breaches when 500 or more individuals are affected b.) She must report breaches of both secured and unsecured PHI c.) She must report a breach even when only one person's PHI is breached d.) Breach notification only applies when 20 or more individuals are affected
C.) She must report a breach even when only one person's PHI is breached. Breach notification applies even if only one individual's PHI was breached.
Identify the true statement about a CE's patient directory: a.) A written authorization from the patient is required before any information about the patient is placed in a facility directory b.) Only the patient's name may be placed in a facility directory c.) The covered entity must inform the individual of the information to be included in the facility directory d.) Because this is considered a normal hospital operation, an individual may not prohibit his or her inclusion in the directory
C.) The covered entity must inform the individual of the information to be included in the facility directory
One state's law protects the privacy of health information to a greater extent than HIPAA does. a.) The state law will be preempted by HIPAA b.) The state law is invalid because it does not provide the same level of protection as HIPAA c.) The state law may supersede HIPAA d.) The state's law must be consistent with HIPAA
C.) The state law may supersede HIPAA. If state law provides a lesser degree of protection to health information than HIPAA provides, then the state law may be preempted. However, state laws that protect health information to a greater extent than HIPAA may supersede HIPAA.
Bob is exercising his HIPAA right to request confidential communications of both Memorial Hospital and TruePlus, his health plan. When asked by both entities how he will handle payments, he declines to provide them with any information. As a result: a.) TruePlus must still honor the request b.) Only Memorial Hospital may deny the request c.) Memorial Hospital must still honor the request d.) Both Memorial Hospital and TruePlus may deny his request
D.) Both Memorial Hospital and TruePlus may deny his request. Per the right to request confidential communications, both healthcare providers and health plans may refuse to accommodate the request if the individual does not provide information as to how payment will be handled.
The Privacy Rule applies for: a.) Healthcare providers only b.) Only healthcare providers that receive Medicare reimbursement c.) Only entities funded by the federal government d.) Covered entities and their business associates
D.) Covered entities and their business associates. The Privacy Rule applies to healthcare providers that conduct transactions electronically, health plans, and healthcare clearinghouses. Together, these constitute covered entities. The Privacy Rule also applies to covered entities' business associates.
The privacy officer is responsible for all of the following except: a.) Handling complaints about the covered entity's violations of the Privacy Rule b.) Developing and implementing privacy policies and procedures c.) Providing information about the covered entity's privacy practices d.) Encrypting all electronic PHI
D.) Encrypting all electronic PHI. While highly recommended, encryption is a security measure that does not fall within the usual scope of duties for a privacy officer.
_____ provide the patient the right to agree or object: a.) Disclosures for public health purposes b.) Disclosures to health oversight agencies c.) Disclosures regarding decedents d.) Facility directory disclosures
D.) Facility directory disclosures
An individual's authorization for research purposes: a.) Is always required b.) Is not required if the research involves a clinical trial c.) Is never required d.) Is not required if an IRB or privacy board alters or waives the authorization requirement
D.) Is not required if an IRB or privacy board alters or waives the authorization requirement. Research is a public interest and benefit exception to the written authorization requirement. This does not mean that research always results in an exception to authorization. It does mean that an IRB or privacy board, which monitors the ethics of research studies and the human rights of research subjects, has reviewed the study and deemed the standard authorization requirement not necessary.
Which of the following is a public interest and benefit exception to the authorization requirement? a.) Treatment, payment, and operations b.) Facility directory c.) Notification of relatives and friends d.) Judicial and administrative proceedings
D.) Judicial and administrative proceedings
DataSource is a business associate of Davis Health System. An individual who was a patient in the Davis Health System contacts DataSource, requesting an accounting of disclosure and stating that this is his right per the HIPAA Privacy Rule. DataSource: a.) Does not have to respond to the patient because it is not a covered entity b.) May refer the request to Davis Health System c.) Does not have to respond to the patient because this is not a HIPAA individual right d.) Must respond to the patient and provide an accounting of disclosures
D.) Must respond to the patient and provide an accounting of disclosures. Business associates must respond to accounting requests that are made directly to them.
Which of the following describes HIPAA consents? a.) They are the same as authorizations b.) They expire 60 days after they are executed c.) They are required under the Privacy Rule d.) They are not required to permit use and disclosure of PHI for treatment, payment, or operations.
D.) They are not required to permit use and disclosure of PHI for treatment, payment, or operations. A covered entity does not have to obtain a consent for PHI to be used or disclosed for TPO (treatment, payment, and operations). The Notice of Privacy Practices informs the individual of TPO uses and disclosures; permission (consent) is not required.
Clinical Laboratory Improvement Amendments (CLIA) of 1988
Established quality standards for all laboratory testing to ensure the accuracy, reliability, and timeliness of patient test results regardless of where the test is performed.
Deidentified Information
Information from which personal characteristics have been stripped in such a way that it cannot be later constituted or combined to reidentify an individual; it is commonly used in research.
Health Information Technology for Economic and Clinical Health Act (HITECH)
Legislation created to promote the adoption and meaningful use of health information technology in the United States. Subtitle D of the Act provides for additional privacy and security requirements that will develop and support electronic health information, facilitate information exchange, and strengthen monetary penalties. Signed into law on February 17, 2009, as part of ARRA.
Treatment, Payment, and Operations (TPO)
The Privacy Rule provides a number of exceptions for PHI (protected health information) that is being used or disclosed for TPO (treatment, payment, and operations) purposes; treatment means providing, coordinating, or managing healthcare or healthcare-related services by one or more healthcare providers; payment includes activities by a health plan to obtain premiums, billing by healthcare providers or health plans to obtain reimbursement, claims management, claims collections, review of the medical necessity of care, and utilization review; the Privacy Rule provides a broad list of activities that are healthcare operations, including quality assessment and improvement, case management, review of healthcare professionals' qualifications, insurance contracting, legal and auditing functions, and general business management functions such as providing customer service and conducting due diligence.
Department of Health and Human Services (HHS)
The cabinet-level federal agency, and principal agency for protecting the health of all Americans and providing essential human services, especially for those who are least able to help themselves.
Office for Civil Rights (OCR)
The federal agency within HHS (Department of Health and Human Services) that is responsible for enforcing the Privacy Rule.
Health Insurance Portability and Accountability Act (HIPAA)
The federal legislation enacted to provide continuity of health coverage, control fraud and abuse in healthcare, reduce healthcare costs, and guarantee the security and privacy of health information; limits exclusion for pre-existing medical conditions, prohibits discrimination against employees and dependents based on health status, guarantees availability of health insurance to small employers, and guarantees renewability of insurance to all employees regardless of size; requires covered entities (most healthcare providers and organizations) to transmit healthcare claims in a specific format and to develop, implement, and comply with the standards of the Privacy Rule and the Security Rule; and mandates that covered entities apply for and utilize national identifiers in HIPAA transactions.
Privacy Rule
The federal regulations created to implement the privacy requirements of the simplification subtitle of the Health Insurance Portability and Accountability Act of 1996; effective in 2002; afforded patients certain rights to and about their protected health information.
Office of the National Coordinator for Health Information Technology (ONC)
The principal federal entity charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information. The position of National Coordinator was created in 2004 through an Executive Order and legislatively mandated in the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
American Recovery and Reinvestment Act (ARRA)
The purposes of this act include the following: (1) To preserve and create jobs and promote economic recovery (2) To assist those most impacted by the recession (3) To provide investments needed to increase economic efficiency by spurring technological advances in science and health (4) To invest in transportation, environmental protection, and other infrastructure that will provide long-term economic benefits (5) To stabilize state and local government budgets, in order to minimize and avoid reductions in essential services and counterproductive state and local tax increases
Breach
Under the Health Information Technology for Economic and Clinical Health Act (HITECH), the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part that compromises the security or privacy of the protected health information.
Identify the true statement about a business associate agreement. a.) It allows the business associate to use or disclose PHI for any purpose b.) It allows the business associate to maintain PHI indefinitely after termination of the contract c.) It requires the business associate to use or disclose PHI in limited ways d.) It requires the business associate to make available records relating to PHI use and disclosure to the HHS
D.) It requires the business associate to make available records relating to PHI use and disclosure to the HHS (Department of Health and Human Services)