The HIPAA-recognized consent is a patient's agreement to
Use or disclosure of PHI for treatment, payment, and health care operations (TPO) purposes
Jenny is completing an unpaid summer internship in the corporate compliance office of CareNet, a for-profit organization that purchases and oversees physician practices. Jenny is a:
Workforce member
If a HIPAA security rule implementation specification is addressable, this means that
an alternative may be implemented...
waived authorization in a research study
approved by the Institutional Review Board or Privacy Board
The capture of data by a hospital's data security system that shows multiple invalid attempts to access the patients' database is an example of what type of security control?
audit trail
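The audit-trail card above describes a security system recording repeated invalid attempts against the patient database. The following is an added example, not part of the original flashcards, showing how such an audit trail is turned into an alert: it parses constructed sample log records (the key=value format, user names, IP addresses and the five-failures-in-five-minutes threshold are all assumptions for illustration, not any real product's format or policy) and flags a user/source pair whose failed attempts cross the threshold inside a sliding time window.

```python
"""Added example (not from the original flashcards): a minimal audit-trail
analyzer that flags repeated failed access attempts to a patient database.

The log lines, field names and threshold below are constructed for
illustration; the format is an assumption, not a real product's log format.
Records are assumed to be in chronological order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp, user, source IP, resource, outcome.
SAMPLE_AUDIT_LOG = """\
2024-03-01T08:00:01 user=jdoe src=10.1.4.22 resource=patients_db outcome=DENIED reason=bad_password
2024-03-01T08:00:07 user=jdoe src=10.1.4.22 resource=patients_db outcome=DENIED reason=bad_password
2024-03-01T08:00:12 user=jdoe src=10.1.4.22 resource=patients_db outcome=DENIED reason=bad_password
2024-03-01T08:00:20 user=jdoe src=10.1.4.22 resource=patients_db outcome=DENIED reason=bad_password
2024-03-01T08:00:25 user=jdoe src=10.1.4.22 resource=patients_db outcome=DENIED reason=bad_password
2024-03-01T08:00:31 user=jdoe src=10.1.4.22 resource=patients_db outcome=DENIED reason=bad_password
2024-03-01T08:15:00 user=asmith src=10.1.7.9 resource=patients_db outcome=GRANTED
2024-03-01T09:02:44 user=asmith src=10.1.7.9 resource=patients_db outcome=DENIED reason=bad_password
2024-03-01T09:03:10 user=asmith src=10.1.7.9 resource=patients_db outcome=GRANTED
2024-03-01T11:40:00 user=svc_backup src=10.1.9.3 resource=patients_db outcome=DENIED reason=not_authorized
2024-03-01T17:40:00 user=svc_backup src=10.1.9.3 resource=patients_db outcome=DENIED reason=not_authorized
"""

FAILED_OUTCOME = "DENIED"


def parse_line(line):
    """Parse one 'timestamp key=value ...' audit record into a dict.

    The timestamp is converted to a datetime so records can be compared.
    """
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (user, src) pair whose DENIED attempts reach
    `threshold` within any `window` of time.

    A sliding window per (user, src) keeps only the failures that are still
    inside the window, so two failures six hours apart do not add up.
    """
    attempts = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    alerted = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("outcome") != FAILED_OUTCOME:
            continue  # successful access is not counted toward the threshold
        key = (rec["user"], rec["src"])
        recent = attempts[key]
        recent.append(rec["ts"])
        # Drop failures that fell out of the window relative to this record.
        while recent and rec["ts"] - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold and key not in alerted:
            alerted.add(key)  # alert once per pair, on the first crossing
            alerts.append({
                "user": key[0],
                "src": key[1],
                "resource": rec.get("resource"),
                "count": len(recent),
                "first": recent[0],
                "last": rec["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force(SAMPLE_AUDIT_LOG):
        print(f"ALERT {alert['user']}@{alert['src']} -> {alert['resource']}: "
              f"{alert['count']} failures between {alert['first']} and {alert['last']}")
```

On the constructed log this raises a single alert for jdoe from 10.1.4.22; asmith's one mistyped password and svc_backup's two authorization failures six hours apart stay below the threshold, which is the point of using a time window rather than a lifetime count. The audit trail itself is the evidence; this logic is the log-in monitoring that makes it actionable.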
One of the four general requirements a covered entity must adhere to for compliance with the HIPAA security rule is to ensure the confidentiality, integrity and ___________ of ePHI.
availability
Terry has requested that all written communications from his cardiologist's office be sent to his work address instead of his home address. The cardiology practice__________.
b. Must accommodate this reasonable request for confidential communications (the Privacy Rule requires covered providers to accommodate reasonable requests to receive PHI by alternative means or at alternative locations)
Which of the following statements is true? A HIPAA authorization __________.
b. May be revoked as long as it is in writing.
If Sheri requests a copy of her health record from a provider, per HIPAA the provider
b. May charge for the cost of copying
HealthPartners has been the target of a network server hacking incident. 300 patients were affected. HealthPartners__________.
b. Must inform the patients of what occurred; the type of PHI involved; and what steps HealthPartners is taking to prevent future hacking incidents
Non-compliance with the HIPAA security rule can lead to
both civil penalties and criminal penalties
Charlie went to the HIM department at Langford Hospital to request an amendment to his PHI. The HIM staff required that he make the request in writing. He said this violated his HIPAA rights. Who is correct?
d. The HIM department, because the Privacy Rule allows covered entities to require amendment requests be made in writing
General Hospital has denied Crystal's request to access her medical record. The denial is not subject to appeal. Which of the following is the most likely reason for the denial?
d. The PHI contains psychotherapy notes
Copying data onto tapes and storing the tapes at a distant location is an example of
data backup
The HIPAA "Security Awareness and Training" administrative safeguard requires all of the following addressable implementation specifications for an entity's workforce except
Disaster recovery plan (that belongs to the Contingency Plan standard; the Security Awareness and Training specifications are security reminders, protection from malicious software, log-in monitoring, and password management)
What term is also used to denote the HIPAA requirement of Contingency Planning?
emergency mode of operation
preemption
federal law supersedes state law if federal and state laws conflict
Which of the following statements is false about the Security Officer? The Security Officer
Holds a required full-time position under the HIPAA Security Rule (the rule requires that a Security Officer be designated, not that the role be full-time)
What is availability?
A requirement intended to ensure that systems work promptly and service is not denied to authorized users.
What is data integrity?
A requirement that information and programs are changed only in a specified and authorized manner. System integrity is a requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
What is confidentiality?
A requirement that private or confidential information not be disclosed to unauthorized individuals.
The purpose of the implementation specifications of the HIPAA security rule is to provide
instruction for implementation of standards
immunization records
may be disclosed by pediatricians if requested verbally by the patient's parents
restriction requests
must be followed if disclosure would be to a health plan for payment and the PHI pertains to a service or item paid for in full by someone other than the health plan
state-mandated report of sexually transmitted disease
must be included in patient accounting of disclosures
The HIPAA security rule applies to which of the following covered entities?
All of the above: A) a hospital that bills Medicare, B) a physician electronic billing company, and C) a BlueCross health insurance plan
While a covered entity is legally responsible for its employees, it is not responsible for the actions of business visitors (True/False)
False
One of the medical staff committees at St. Vincent Hospital is responsible for reviewing cases of patients readmitted within 14 days after discharge. This review of the patients' medical records is __________.
Healthcare operations
What is Security?
Protecting information from loss, unauthorized access, or misuse, and keeping it confidential
The enforcement agency for the security rule is
Office for Civil Rights
Which of the following statements about HIPAA training is false?
Privacy and security training should be separated.
General Rule #2 is:
Protecting against any anticipated threats or hazards to the security
General Rule #3 is:
Protecting against reasonably anticipated unauthorized uses or disclosures
copy of health record
the provider may charge for the cost of copying
12-month period
the time period in which a covered entity must provide the first accounting of disclosures at no cost
1. The HIPAA privacy rule __________.
Sets a minimum (floor) of privacy requirements
You are a member of the hospital's health information management committee. The committee has created a HIPAA-compliant authorization form. Which of the following items would you advise the committee to remove, as the Privacy Rule does not require it?
Signature of the patient's attending physician
THE GOAL OF THE SECURITY RULE IS TO ENSURE THAT PATIENT INFORMATION IS PROTECTED FROM UNAUTHORIZED ACCESS, ALTERATION, DELETION, AND TRANSMISSION
TRUE
THE SECURITY RULE CONTAINS BOTH REQUIRED AND ADDRESSABLE STANDARDS
TRUE
What does HIPAA Administrative Simplification include?
--PHI --ePHI --Security Rule --Privacy Rule
Computer System Security must balance two competing needs:
--The need for ready access to patient information by those involved in patient care
--The need to protect against unauthorized access and loss of critical health information
What are the primary distinctions between the HIPAA Security Rule and the HIPAA Privacy Rule?
Both: (1) the Privacy Rule applies to all forms of patients' PHI, whether electronic, written, or oral, but the Security Rule covers only electronic PHI; and (2) the Security Rule provides far more comprehensive security requirements than the Privacy Rule and includes a level of detail not provided in the Privacy Rule.
The HIPAA privacy rule __________.
Both a and b are incorrect
General Rule #1 is:
Ensuring the confidentiality, integrity, and availability of all e-PHI the covered entity creates, receives, maintains, or transmits
_______ changes readable text into a series of "garbled" characters that scramble data before it is transmitted
Encryption
CE'S CAN DECIDE TO COMPLY WITH ONLY THE PRIVACY RULE AND DON'T HAVE TO COMPLY WITH THE SECURITY RULE
FALSE
CENTERS FOR MEDICARE & MEDICAID SERVICES (CMS) IS THE ENFORCEMENT AGENCY FOR THE SECURITY RULE
FALSE
ONLY HC PROVIDERS ARE REQUIRED TO COMPLY WITH THE SECURITY RULE
FALSE
THE CONDITIONS OF PARTICIPATION RESTRICT PAYMENT TO PROVIDERS WHO ARE NOT COMPLIANT WITH THE SECURITY RULE
FALSE
THE SECURITY RULE CONTAINS ENCRYPTION SPECIFICATIONS THAT ALL CE'S MUST COMPLY WITH
FALSE
THE SECURITY RULE CONTAINS PROVISIONS THAT CE'S CAN IGNORE
FALSE
THE SECURITY RULE IS COMPLETELY TECHNICAL AND REQUIRES COMPUTER PROGRAMMERS TO ADDRESS
FALSE
THE SECURITY RULE REQUIRES CE'S TO ENSURE THE INTEGRITY OF ALL PATIENT INFO
FALSE (THE SECURITY RULE REQUIRES CE'S TO ENSURE THE INTEGRITY OF ePHI ONLY; PAPER AND ORAL PHI FALL UNDER THE PRIVACY RULE)
A covered entity is not responsible for the HIPAA training of staff. This is the responsibility of the individual employee (True/False)
False
Access Privilege is what allows an individual to enter a computer system for authorized purpose (True/False)
False
Each covered entity must have a Security Officer in addition to the HIPAA Officer (True/False)
False
Physical Safeguards include policies and management of employees and their passwords and access codes (True/False)
False
Administrative Safeguards are the policies or the required management of employees in relation to protection of patient information (True/False)
True
It currently takes an experienced hacker less than a minute to guess any combination of a four-character password (True/False)
True
The Security Rule requires protection of health information when being transmitted (True/False)
True
An original goal of HIPAA Administrative Simplification was to standardize __________.
The electronic transmission of health data
Access is defined as:
The ability or the means necessary to read, write, modify, or communicate data and information, or otherwise use any system resource
Champion Hospital retains Hall, Hall, and Hall, a law firm, to perform all of its legal work, including representation during medical malpractice lawsuits. Which of the following statement(s) is (are) correct?
b. The law firm is a business associate because it performs activities on behalf of the hospital (that it is a legal rather than a medical organization is irrelevant; business associate status depends on handling PHI on the covered entity's behalf)
Technical Safeguards include:
The technology, and the policies and procedures for its use, that protect ePHI and control access to it: access control, audit controls, integrity controls, person or entity authentication, and transmission security (the physical security of servers, hubs, switches, wiring, terminals, and workstations falls under the Physical Safeguards)
What is the nature of the HIPAA Security Rule standards?
The standards are essentially technology neutral
30 days
The time allowed for a physician's office to respond to requests for copies of health records
What can a provider be liable for?
They can be liable if records are so highly guarded that information is not readily available to those treating a patient
What else can a provider be liable for?
They can also be liable for privacy and security breaches that result from permitting access to EHRs by unauthorized personnel or from inadequately safeguarding the EHR from destruction
What does flexibility and scalability of the standards do?
They make it possible for all CEs, regardless of size, to be compliant with the rules
What security methods may covered entities use under the HIPAA Security Rule?
They may use any security methods that enable them "to reasonably and appropriately implement" the security standards of the rule
How are HIPAA Security Standards unique?
They state fairly general objectives, but provide no detailed instructions concerning how to meet them
What does the Privacy Rule govern?
This governs the privacy and confidentiality of all PHI, regardless of medium
What does the Security Rule govern?
This only governs the PHI transmitted by or maintained in some form of electronic media
requirements for covered entity to issue a denial for a request amendment
a) a description of how the individual may complain to the covered entity, b) the basis for the denial, c) a statement that the individual may submit a written disagreement
Which of the following is not required when a covered entity issues a denial of a requested amendment?
a. A pre-printed form on which the individual may dispute the denial
Kyle likes to request frequent accounting of disclosure reports from all of his providers so he knows where his PHI is being disseminated.
a. Each covered entity must provide the first accounting within a 12-month period at no cost
Comparing HIPAA to the Federal Privacy Act of 1974, __________.
a. HIPAA applies more specifically to medical information
Mercy Hospital personnel need to review the medical records of Katie Grace for utilization review purposes (#1). They will also be sending her records to her physician for continuity of care (#2). As they pertain to Mercy Hospital, these two functions are:
a. Use (#1) and disclosure (#2)
Privacy Rule
allows covered entities to require amendment requests be made in writing
The minimum necessary standard __________.
c. Applies to both uses and disclosures of PHI
Emma is getting ready to begin kindergarten. Her school is requesting her immunization records, as required by state law. Per HIPAA, Emma's pediatrician may__________.
c. Disclose this PHI with verbal permission from Emma's parent
Gwen's PHI was erroneously recorded on another person's voicemail. Regarding an accounting of disclosures, this disclosure__________.
c. Has to be included even though it was an oral communication
Of the following options, a sign-in sheet at a physician's office is best described as __________.
c. Incidental disclosure
According to the January 2013 Final Rule, an impermissible use or disclosure__________.
c. Is presumed to be a breach unless a low probability of compromise is demonstrated
Restriction requests__________.
c. Must be followed if disclosure would be to a health plan for payment and the PHI pertains to a service or item paid for in full by someone other than the health plan
Today, Janet Kim visited her new dentist for an appointment. She was not presented with a Notice of Privacy Practices. Is this acceptable?
c. No. It is a violation of the HIPAA Privacy Rule.
1. Sally Mitchell was treated for kidney stones at Graham Hospital last year. She now wishes to review her medical record in person. She has requested to review them by herself in a closed room. Which of the following is true?
c. Sally's request does not have to be granted because the hospital is responsible for the integrity of the medical record.
Barbara requested a copy of her PHI from her physician office on August 31. It is now October 10 and she has not heard anything from the physician office. Which of the following statements is correct?
c. This is a HIPAA violation because the physician's office did not respond within 30 days.
Which of the following is not required to be included in an accounting of disclosures?
d. Disclosure to the health department reporting the birth of Shelly's son
incident report
not part of the designated record set
opting out of facility directory
the patient is not listed, so callers are told nothing, not even an acknowledgment of admission (for patients who have not opted out, callers who ask by name receive only location and general condition)
denial of access to medical records
patients can be denied access to psychotherapy notes, and that denial is not subject to review
The HIPAA security rule contains the following safeguards except
reliability
healthcare facility
responsible for the integrity of the health record
January 2013 Final Rule
states that impermissible use or disclosure is presumed to be a breach unless a low probability of compromise is demonstrated