HIPPA FINAL EXAM
Who must comply with the Security Rule? A. All covered entities and business associates B. Any person or organization that stores or transmits individually identifiable health information electronically C. Any government agency D. Any for profit organization
B. Any person or organization that stores or transmits individually
Under what circumstances can a covered entity disclose PHI without an authorization? A. To an employer B. To the media C. When required by law D. At their discretion
C. When required by law
Of the following, which are implications of non-compliance with HIPAA? A. Increased operation costs B. Financial penalties C. Litigation damages D. All of the above
D. All of the above
The purpose of Administrative Simplification is: A. Improve the efficiency and effectiveness of the national health care system B. Protect patient rights C. Reduce fraud and abuse D. All of the above
D. All of the above
What is a key to success for HIPAA compliance? A. Managerial expertise B. Education C. Organizational structure D. Apathy
B. Education
Within HIPAA how does Security differ from Privacy?
Security defines safeguards for ePHI versus Privacy which defines safeguards for PHI
The Security Rule's requirements are organized into which of the following three categories: A. Administrative, Non-Administrative, and Technical safeguards B. Physical, Technical, and Non-Technical safeguards C. Administrative, Physical, and Technical safeguards D. Privacy, Security, and Electronic Transactions
C. Administrative, Physical, and Technical safeguards
What does PHI stand for? A. Private Health Information B. Privileged Health Information C. Protected Health Information D. Public Health Information
C. Protected Health Information
Which of the following statements is accurate regarding the "Minimum Necessary" rule in the HIPAA regulations? A. Covered entities and business associates are required to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended or specified purpose. B. Minimum necessary provisions do not apply to uses or disclosures of PHI to business associates under a Business Associate Contract. C. Minimum Necessary does not apply when PHI is used for marketing purposes D. The covered entity must rely on the requesting party to determine the minimum necessary information to be provided.
A. Covered entities and business associates are required to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended or specified purpose.
Which of the following is a Technical Security? A. Passwords B. Training C. Locked media storage cases D. Designating a security officer
A. Passwords
Which standard is for safeguarding of PHI specifically in electronic form (ePHI)? A. Security Standards B. Transaction Standards C. Unique Identifiers and Code Sets D. Privacy Standards
A. Security Standards
What is the purpose of Physical security safeguards? A. To provide security for physical facilities, computer systems, and associated equipment B. To prevent unauthorized access across a communications network C. To ensure security plans, policies, procedures, training, and contractual agreements exist D. To protect, control, and monitor individual access to electronically stored information
A. To provide security for physical facilities, computer systems, and associated equipment
Incidental Use and Disclosures refers to disclosures that are incidental to an otherwise permitted use or disclosure. A. True B. False
A. True
Minimum Necessary Disclosure refers to disclosing only the the minimum amount of PHI necessary to accomplish the intended purpose of the use or disclosure A. True B. False
A. True
The HIPAA Security Rule is a technology neutral, federally mandated "floor" of protection whose primary objective is to protect the confidentiality, integrity, and availability of individually identifiable health information in electronic form when it is stored, maintained, or transmitted. A. True B. false
A. True
The HIPAA regulations provide a federal floor for healthcare privacy and security standards and do NOT override more strict state laws which potentially requires providers to support two systems and follow the more stringent state law. A. True B. False
A. True
Which of the following are EXEMPT from the HIPAA Security Rule? A. Large health plans B. Covered entities that do not create, receive, maintain or transmit ePHI C. Hospitals D. Business Associates
B. Covered entities that do not create, receive, maintain or transmit ePHI
Who enforces HIPAA? A. Surgeon General B. Department of Health and Human Services C. Department of Health Information Security D. Local Police Department
B. Department of Health and Human Services
Each of the following are ways that Texas HB 300 expands individual privacy protections beyond HIPAA EXCEPT: A. Expanding the definition of a covered entity B. Expands the definition of HIPAA Minimum Necessary Disclosure C. Expanding breach notification scope and penalties D. Expanding patient rights around Electronic Health Records E. Expanding training requirementsF. Stronger enforcement/penalties to deter violations and breaches
B. Expands the definition of HIPAA Minimum Necessary Disclosure
De-Identification refers to ensuring that all of the individually identifiable information is identified and included in any HIPAA standard transaction. A. True B. False
B. False
Which of the following is NOT an example of a health care provider? A. Physician B. HMO C. Dentist D. Chiropractor
B. HMO
Authorization is required for which of the following? A. Minimum necessary disclosures of PHIB. Non-routine disclosures of PHIC. ReferralsD. Treatment B. Non-routine disclosures of PHI C. Referrals D. Treatment
B. Non-routine disclosures of PHI
When does state privacy law supersede HIPAA? A. When state privacy law is less protective than HIPAA B. When state privacy law is more protective than HIPAA C. It is up to the discretion of the covered entity D. State privacy law never supersedes HIPAA
B. When state privacy law is more protective than HIPAA
All of the following are true about Business Associate Contracts EXCEPT: A. Both Covered Entities and Business Associates are required to ensure that a Business Associate Contract is in place in order to be compliant with the HIPAA regulations B. Business Associates are required to ensure that Business Associate Contracts are in place with any of the Business Associate's subcontractors C. Covered Entities are required to obtain "satisfactory assurances" (i.e., that their PHI will be protected as required by HIPAA law) from Business Associates D. Business Associates are NOT required to obtain "satisfactory assurances" (i.e., that their PHI will be protected as required by HIPAA law) from their subcontractors
D. Business Associates are NOT required to obtain "satisfactory assurances" (i.e., that their PHI will be protected as required by HIPAA law) from their subcontractors
Penalties for non-compliance can be which of the following types? A. Civil and Accidental B. Criminal and Incidental C. Accidental and Purposeful D. Civil and Criminal
D. Civil and Criminal
Which of the following is NOT an example of physical security? A. Lock file cabinets B. Lock office doors C. Locked media storage cases D. Data encryption
D. Data encryption
Covered Entities may also use or disclose PHI without authorization in the following circumstances EXCEPT: A. Emergencies involving imminent threat to health or safety (to the individual or the public) B. Where required by law C. Law enforcement D. Medical research with information that identifies the individual E. Public health activities F. Workers' compensation
D. Medical research with information that identifies the individual
Which of these statements accurately reflects the definition of protected health information (PHI)? A. PHI does not include PHI in transit. B. PHI does not include a physician's hand written notes about the patient's treatment. C. PHI does not include data that is stored or processed. D. PHI includes PHI stored on any form of media.
D. PHI includes PHI stored on any form of media.
Which standard is for controlling and safeguarding of PHI in all forms? A. Security Standards B. Transaction Standards C. Unique Identifiers and Code Sets D. Privacy Standards
D. Privacy Standards
The Privacy and Security rules specified by HIPAA are reasonable and scalable to account for the nature of each organization's culture, size, and resources. Each organization will determine its own privacy policies and security practices within the context of the HIPAA requirements and its own capabilities and needs. A. True B. False
A. True
The acronym HIPAA stands for A. Health Insurance Premium Administration Act B. Health Information Portability and Accountability Act C. Health Insurance Portability and Accountability Act D. Health Information Profile Accountability Act
C. Health Insurance Portability and Accountability Act
An authorization is required for which of the following? A. Medical referrals B. Treatment, Payment, and Operations C. Non-routine disclosures D. Where required by law enforcement
C. Non-routine disclosures
When should you promote HIPAA awareness? A. After the policies and procedures have been written B. After rollout and implementation C. The first step in the compliance process D. After the risk assessment
C. The first step in the compliance process
Which of the following are NOT characteristics of an "authorization"? A. The authorization may condition future medical treatment on the individual's approval B. An authorization is written in broad terms C. An authorization is needed for all purposes including those for treatment, payment, and operations D. All of the above
D. All of the above
Which of the following are examples of health care plans? A. An HMO B. The Medicaid program C. Employer group health plans D. All of the above
D. All of the above
Which of these entities could be considered a business associate? A. Billing service B. Lawyer C. Document and record storage company D. All of the above
D. All of the above
A Business Associate Contract must specify the following? A. Each business associate to which the covered entity intends to disclose PHI B. That the business associate now has sole responsibility for the PHI C. That covered entities are not liable for the violations of the Privacy Rule by their business associates D. The PHI to be disclosed and the uses that may be made of that information
D. The PHI to be disclosed and the uses that may be made of that information
The Security Rule allows covered entities and business associates to take into account: A. Their size, complexity, and capabilities B. Their technical infrastructure, hardware, and software security capabilities C. The costs of security measures D. The probability and criticality of potential risks to ePHI E. Their access to and use of ePHI F. All of the above
F. All of the above