250 4

The HIPAA-recognized consent is a patient's agreement to

Use or disclosure for TPO purposes

Jenny is completing an unpaid summer internship in the corporate compliance office of a CareNet, a for-profit organization that purchases and oversees physician practices. Jenny is a:

Workforce member

If a HIPAA security rule implementation specification is addressable, this means that

an alternative may be implemented...

waived authorization in a research study

approved by the Institutional Review Board or Privacy Board

The capture of data by a hospital's data security system that shows multiple invalid attempts to access the patients' database is an example of what type of security control?

audit trail

One of the four general requirements a covered entity must adhere to for compliance with the HIPAA security rule is to ensure the confidentiality, integrity and ___________ of ePHI.

availability

Terry has requested that all written communications from his cardiologist's office be sent to his work address instead of his home address. The cardiology practice__________.

b. Is not required to honor any confidential communication requests of this nature

Which of the following statements is true? A HIPAA authorization __________.

b. May be revoked as long as it is in writing.

If Sheri requests a copy of her health record from a provider, per HIPAA the provider

b. May charge for the cost of copying

HealthPartners has been the target of a network server hacking incident. 300 patients were affected. HealthPartners__________.

b. Must inform the patients of what occurred; the type of PHI involved; and what steps HealthPartners is taking to prevent future hacking incidents

Non-compliance with the HIPAA security rule can lead to

both civil penalties and criminal penalties

Charlie went to the HIM department at Langford Hospital to request an amendment to his PHI. The HIM staff required that he make the request in writing. He said this violated his HIPAA rights. Who is correct?

d. The HIM department, because the Privacy Rule allows covered entities to require amendment requests be made in writing

General Hospital has denied Crystal's request to access her medical record. The denial is not subject to appeal. Which of the following is the most likely reason for the denial?

d. The PHI contains psychotherapy notes

Copying data onto tapes and storing the tapes at a distant location is an example of

data backup

The HIPAA "Security Awareness and Training" administrative safeguard requires all of the following addressable implementation programs for an entity's workforce except

disaster recovery plan..

What term is also used to denote the HIPAA requirement of Contingency Planning?

emergency mode of operation

preemption

federal law supersedes state law if federal and state laws conflict

Which of the following statements is false about the Security Officer? The Security Officer

holds a required full-time position under HIPAA security rule..

What is availability?

A requirement intended to ensure that systems work promptly and service is not denied to authorized users.

What is data integrity?

A requirement that information and programs are changed only in a specified and authorized manner. System integrity is a requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.

What is confidentiality?

A requirement that private or confidential information not be disclosed to unauthorized individuals.

The purpose of the implementation specifications of the HIPAA security rule is to provide

instruction for implementation of standards

immunization records

may be disclosed by pediatricians if requested verbally by the patient's parents

restriction requests

must be followed if disclosure would be to a health plan for payment and the PHI pertains to a service or item paid for in full by someone other than the health plan

state-mandated report of sexually transmitted disease

must be included in patient accounting of disclosures

The HIPAA security rule applies to which of the following covered entities?

A) Hospital that bills Medicare B) Physician electronic billing company C) BlueCross health insurance plan

IF A HIPPA SECURITY RULE IMPLEMENTATION SPECIFICATIONS IS ADDRESSABLE, THIS MEANS THAT:

AN ALTERNATIVE MAY BE IMPLEMENTED

While covered entity is legally responsible for their employees, they are not responsible for their actions of business visitors (True/False)

False

THE HIPPA SECURITY RULE APPLIES TO WHICH OF THE FOLLOWING COVERED ENTITIES?

HOSPITAL THAT BILLS MEDICARE; PHYSICIAN ELECTRONIC BILLING COMPANY; BLUE CROSS HEALTH INSURANCE PLAN

One of the medical staff committees at St. Vincent Hospital is responsible for reviewing cases of patients readmitted within 14 days after discharge. This review of the patients' medical records is __________.

Healthcare operations

THE PURPOSE OF THE IMPLEMENTATION SPECIFICATIONS OF THE HIPAA SECURITY RULE IS TO PROVIDE

INSTRUCTION FOR IMPLEMENTATION OF STANDARDS

What is Security?

It is protecting information from loss, unauthorized access or misuse, and keeping in confidential

The enforcement agency for the security rule is

Office for Civil Rights

Which of the following statements about HIPAA training is false?

Privacy and security training should be separated.

General Rule #2 is:

Protecting against any anticipated threats or hazards to the security

General Rule #3 is:

Protecting against reasonably anticipated unauthorized uses or disclosures

copy of health record

the provider may charge for the cost of copying

12-month period

the time period in which a covered entity must provide the first accounting of disclosures at no cost

1. The HIPAA privacy rule __________.

Sets a minimum (floor) of privacy requirements

You are a member of the hospital's health information management committee. The committee has created a HIPAA-complaint authorization form. Which of the following items would you advise the committee to remove, as the privacy rule not require it?

Signature of the patient's attending physician

THE GOAL OF THE SECURITY RULE IS TO ENSURE THAT PATIENT INFORMATION IS PROTECTED FROM UNAUTHORIZED ACCESS, ALTERATION, DELETION, AND TRANSMISSION

TRUE

THE SECURITY RULE CONTAINS BOTH REQUIRED AND ADDRESSABLE STANDARDS

TRUE

What does HIPAA Administrative Simplification include?

--PHI --ePHI --Security Rule --Privacy Rule

Computer System Security:

--The need for ready access to patient information by those involved in patient care

Computer System Security:

--The need to protect against unauthorized access and loss of critical health inforamtion

What are the primary distinctions between the HIPAA Security Rule and the HIPAA Privacy Rule?

.both The security rule applies to all forms of patients' PHI, whether electronic, written, or oral, but the security rule covers only electronic PHI and the security rule provides for far more comprehensive security requirements than the security rule and includes a level of detail not provided in the security rule..

WHAT ARE THE PRIMARY DISTINCTIONS BETWEEN THE HIPPA SECURITY RULE AND THE HIPPA PRIVACY RULE?

1 -THE PRIVACY RULE APPLIES TO ALL FORMS OF PATIENT'S PHI, WHETHER ELECTRONIC, WRITTEN, OR ORAL, BUT THE SECURITY RULE COVERS ONLY THE ELECTRONIC PHI; 2 - THE SECURITY RULE PROVIDES FOR FAR MORE COMPREHENSIVE SECURITY REQUIREMENTS THAN THE PRIVACY RULE AND INCLUDES A LEVEL OF DETAIL NOT PROVIDED IN THE PRIVACY RULE.

The HIPAA privacy rule __________.

Both a and b are incorrect

General Rule #1 is:

Confidentiality, integrity, and availability of all e-PHI they create, receive,maintain, or transmit

_______changes readable text into a series of "garbed" characters that scramble data before it is transmitted

Encryption

CE'S CAN DECIDE TO APPLY WITH ONLY THE PRIVACY RULE AND DON'T HAVE TO COMPLY WITH THE SECURITY RULE

FALSE

CENTERS FOR MEDICARE & MEDICAID SERVICES (CMS) IS THE ENFORCEMENT AGENCY FOR THE SECURITY RULE

FALSE

ONLY HC PROVIDERS ARE REQUIRED TO COMPLY WITH THE SECURITY RULE

FALSE

THE CONDITION OF PARTICIPATION RESTRICT PAYMENT TO PROVIDERS WHO ARE NOT COMPLIANT WITH THE SECURITY RULE

FALSE

THE SECURITY RULE CONTAINS ENCRYPTION SPECIFICATIONS THAT ALL CE'S MUST COMPLY

FALSE

THE SECURITY RULE CONTAINS PROVISIONS THAT CE'S CAN IGNORE

FALSE

THE SECURITY RULE IS COMPLETELY TECHNICAL AND REQUIRES COMPUTERS PROGRAMMERS TO ADDRESS

FALSE

THE SECURITY RULE REQUIRES CE'S TO ENSURE THE INTEGRITY OF PATIENT INFO

FALSE

A covered entity is not responsible for the HIPAA training of staff. This is the responsibility of the individual employee (True/False)

False

Access Privilege is what allows an individual to enter a computer system for authorized purpose (True/False)

False

Each covered entity must have a Security Officer in addition to the HIPAA Officer (True/False)

False

Physical Safeguards include policies and management of employees and their passwords and access codes (True/False)

False

Administrative Safeguards are the policies or the required management of employees in relation to protection of patient information (True/False)

True

It currently takes an experienced hacker less than a minute to guess any combination of four character password (True/False)

True

The Security Rule requires protection of health information when being transmitted (True/False)

True

An original goal of HIPAA Administrative Simplification was to standardize __________.

The electronic transmission of health data

Access is defined as:

The exposure necessary to read, write, modify, or communicate data and information

Champion Hospital retains Hall, Hall, and Hall, a law firm, to perform all of its legal work, including representation during medical malpractice lawsuits. Which of the following statement(s) is (are) correct?

The law firm is not a business associate because it is a legal, not a medical, organization. b. The law firm is a business associate because it performs activities on behalf of the hospital.

Technical Safeguards include:

The security of the computer server, hubs, switches, connecting wires, terminals and desk units in which protected health information (PHI) is stored accessed, or transmitted

How are HIPAA's Security Rule standards?

The standards are essentially technology neutral

30 days

The time allowed for a physician's office to respond to requests for copies of health records

What is another thing that a provider can be liable for?

They can also be liable for privacy and security breaches that result from permitting access to EHRs by unauthorized personnel or from inadequately safeguarding the EHR from destruction

What can a provider be liable for?

They can be liable if records are so highly guarded that information is not readily available to those treating a patient

What does flexibility and scalability of the standards do?

They make it possible for all CEs, regardless of size, to be compliant with the rules

What do covered entities use under HIPAA Privacy Rule?

They may use any security methods that enable them "to reasonably and appropriately implement" the security standards of the rule

How are HIPAA Security Standards unique?

They state fairly general objectives, but provide no detailed instructions concerning how to meet them

What does the Privacy Rule govern?

This governs the privacy and confidentiality of all PHI, regardless of medium

What does the Security Rule govern?

This only governs the PHI transmitted by or maintained in some form of electronic media

requirements for covered entity to issue a denial for a request amendment

a) a description of how the individual may complain to the covered entity, b) the basis for the denial, c) a statement that the individual may submit a written disagreement

Which of the following is not required when a covered entity issues a denial of a requested amendment?

a. A pre-printed form on which the individual may dispute the denial

Kyle likes to request frequent accounting of disclosure reports from all of his providers so he knows where his PHI is being disseminated.

a. Each covered entity must provide the first accounting within a 12-month period at no cost

Comparing HIPAA to the Federal Privacy Act of 1974, __________.

a. HIPAA applies more specifically to medical information

Mercy Hospital personnel need to review the medical records of Katie Grace for utilization review purposes (#1). They will also be sending her records to her physician for continuity of care (#2). As they pertain to Mercy Hospital, these two functions are:

a. Use (#1) and disclosure (#2)

Privacy Rule

allows covered entities to require amendment requests be made in writing

The minimum necessary standard __________.

c. Applies to both uses and disclosures of PHI

Emma is getting ready to begin kindergarten. Her school is requesting her immunization records, as required by state law. Per HIPAA, Emma's pediatrician may__________.

c. Disclose this PHI with verbal permission from Emma's parent

Gwen's PHI was erroneously recorded on another person's voicemail. Regarding an accounting of disclosures, this disclosure__________.

c. Has to be included even though it was an oral communication

Of the following options, a sign-in sheet at a physician's office is best described as __________.

c. Incidental disclosure

According to the January 2013 Final Rule, an impermissible use or disclosure__________.

c. Is presumed to be a breach unless a low probability of compromise is demonstrated

Restriction requests__________.

c. Must be followed if disclosure would be to a health plan for payment and the PHI pertains to a service or item paid for in full by someone other than the health plan

Today, Janet Kim visited her new dentist for an appointment. She was not presented with a Notice of Privacy Practices. Is this acceptable?

c. No. It is a violation of the HIPAA Privacy Rule.

1. Sally Mitchell was treated for kidney stones at Graham Hospital last year. She now wishes to review her medical record in person. She has requested to review them by herself in a closed room. Which of the following is true?

c. Sally's request does not have to be granted because the hospital is responsible for the integrity of the medical record.

Barbara requested a copy of her PHI from her physician office on August 31. It is now October 10 and she has not heard anything from the physician office. Which of the following statements is correct?

c. This is a HIPAA violation because the physician's office did not respond within 30 days.

Which of the following is not required to be included in an accounting of disclosures?

d. Disclosure to the health department reporting the birth of Shelly's son

incident report

not part of the designated record set

opting out of facility directory

only the patient's general condition and acknowledgment of admission are given to callers

denial of access to medical records

psychotherapy patients can be denied access to their medical records

The HIPAA security rule contains the following safeguards except

reliability

healthcare facility

responsible for the integrity of the health record

January 2013 Final Rule

states that impermissible use or disclosure is presumed to be a breach unless a low probability of compromise is demonstrated