HIPAA Basics

Testing and Revision Procedure

-Application and Data -Criticality Analysis -Evaluation

Contingency Plan

-Data Backup Plan -Disaster Recovery Plan -Emergency Mode Operation Plan

Authorized access under the Minimum Necessary requirements include:

-Disclosure to a healthcare provider for treatment -Disclosure to the patient -Disclosure that has been explicitly authorized by the patient -Disclosure to HHS for compliance or enforcement -Disclosure required by law enforcement, such as in suspected child abuse cases -Disclosure required for HIPAA Transactions or Administrative Simplification

Information Access Management

-Isolating Healthcare -Clearinghouse Function -Access Authorization -Access Establishment and Modification

Security Management Process

-Risk analysis -Risk management -Sanction Policy -Information System Activity Review

Various administrative safeguards that may be required in an organization.

-Security Management Process -Assigned Security Responsibility -Information Access Management -Security Awareness & Training -Security Incident Procedures -Contingency Plan -Testing and Revision Procedure -Business Associates -Workstation Use

Security Awareness & Training

-Security Reminders -Protection from Malicious -Software -Log-in Monitoring -Password Management

Assigned Security Responsibility

-Workforce Security -Authorization and/or Supervision -Supervision -Workforce Clearance -Procedure -Termination Procedures

Workstation Use

-Workstation Security -Deivce and Media Controls -Media Disposal -Media Re-use -Media Accountability -Data Backup and Storage (during transfer)

Business Associates

-Written Contract or Other Arrangement -Physical Safeguards -Facility Access Controls -Contingency Operations -Facility Security Plan -Access Control and Validation Procedures -Maintenance Records

The HIPAA Privacy Rule went into effect in what year?

2003

business associate

A business that provides services to a covered entity and may come into contact with PHI

Protected Health Information (PHI)

Any identifiable health information in any form—written, electronic, or verbal—is protected by the Privacy Rule. With few exceptions, this information is restricted against release or use without patient authorization, other than for the purposes of treatment, payment, and certain healthcare operations.

Criminal enforcement of HIPAA violations is carried out by what?

DOJ

Which of the following administers HIPAA?

Department of Health and Human Services (DHHS)

Electronic Protected Health Information (ePHI)

Electronic PHI is any identifiable patient data that is either stored or transmitted in electronic form.

Any company or group that pays for medical care is a healthcare provider.

False

As long as employees can truthfully report to an auditor that the organization complies with HIPAA, it is not necessary to document policies and procedures.

False

Prior to HIPAA, Medicare and insurance companies had unified electronic billing formats and codes for medical diagnostics and treatment.

False

Suspected child abuse can only be reported with the patient's consent.

False

Two doctors collaborating on treating a patient must sign business associate agreements.

False

give State Attorney's General the authority to enforce HIPAA civil penalties

HITECH Act

provides incentives for the adoption of EHR systems

HITECH Act

HIPAA is an acronym that stands for _____.

Health Insurance Portability and Accountability Act

HIPAA identifies a variety of providers as covered entities, who must comply with the regulations:

Health plans -Any company or group that pays for medical care. Examples include Medicare; Medicaid; Health Plans (medical, dental, vision, prescription); HMOs; and self-funded plans by groups and businesses (except plans with less than 50 participants that are administered by the employer). Healthcare providers -Any provider (hospital, doctor, dentist, pharmacy) that electronically transmits health information for transactions. Healthcare clearinghouses -Organizations that process certain health information (such as converting diagnostic and treatment information into electronic bills).

A _____ must be provided to each patient informing them of their privacy rights, the organization's security officer, and how to file a complaint.

Notice of Privacy Practices

The HIPAA section that protects health information in any form is known as the _____.

Privacy Rule

established Minimum Necessary rule

Privacy Rule

governs the use and disclosure of PHI

Privacy Rule

What does PHI stand for?

Protected Health Information

Security Incident Procedures

Response and Reporting

protects electronic health information

Security Rule

Criminal provisions are enforced by the U.S. Department of Justice.

True

HIPAA includes both civil and criminal penalties for violations.

True

Patients may provide written authorization to share their records.

True

business associate

a person or organization that performs services for a covered entity that involve the use or disclosure of protected health information (PHI).

The principle of Minimum Necessary

access guides all sharing of PHI. Only the minimum amount of information needed to meet a legitimate purpose should be shared. Policies should be written that limit access to patient data. Procedures should be implemented to limit access to PHI based on organizational roles and responsibilities.

About half of HIPAA Security Rule requirements are actually in the _____ Safeguard section.

administrative

Covered entities under HIPAA include which of the following? -healthcare providers -health insurance companies -pharmacies -all the above

all the above

HIPAA includes penalties for which of the following? -lost data, even if the data is not released -data sold to health equipment companies to solicit new business -lost data that was not reported -all the above

all the above

HIPAA provides for which of the following? -portability of health insurance -privacy of health information -security of electronic health information -all the above

all the above

Violating the Privacy Rule can result in _____. -loss of your job -a major fine -going to jail -all the above

all the above

What did the HITECH Act do? -provided funding incentives to encourage the adoption of electronic health record (EHR) systems -increased the civil penalties for HIPAA violations -gave state Attorneys General the authority to enforce HIPAA civil penalties -all the above

all the above

A business associate is a person or business that performs services to covered entities that involves the disclosure of what? -medical lab reports -diagnoses and treatment information -doctor's dictation for transcription -any or all the above

any or all the above

An electronic health records software publisher is considered a ______.

business associate

The HIPAA Security Rule is designed to support the _____ of electronic protected health information.

confidentiality, integrity, and availability

Which of the following is an example of a business associates? -doctor -hospital -document company -insurance company

document company

The HIPAA Security Rule is focused on protecting _____ protected health information.

electronic

The Security Rule primarily protects which of the following?

electronic PHI

HIPAA is _____ legislation.

federal

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009

included the requirement that business associates comply with HIPAA to the same extent as covered entities. The federal government finalized these new rules through a set of regulations known as the HIPAA Omnibus Final Rule, which came into effect on September 23, 2013.

Which of the following is an example of an administrative safeguard? -unique user identification -media re-use -data backup plan -Notice of Privacy Practices

media re-use

A guiding principle of the Privacy Rule is that only the _____ information is shared between people not responsible for providing treatment.

minimum necessary

The HIPAA obligations of business associates are best described how?

must comply like covered entities

Which of the following is NOT part of HIPAA? -the Privacy Rule -the Patient Rule -the Security Rule -Administrative Simplification

the Patient Rule

Which section of HIPAA governs the confidentiality, integrity, and availability (CIA) of electronic health information?

the Security Rule

A business associate agreement must include what requirement?

the business associate may only use PHI for specified purposes

Health Insurance Portability and Accountability Act (HIPAA)

was passed by Congress in 1996 to protect patients' personal health information.