CLA-100 HIPAA Certification Exam

All of the following pieces of information are considered individually identifiable health information, EXCEPT:

Diagnosis

Which of the following would be considered a BUSINESS ASSOCIATE?

Documentation consultant

Under the HIPAA privacy rule, it is ILLEGAL to:

Fail to adequately protect health information from release.

The FTC is charged with protecting consumers which requires banking and other industries to implement "red flag" standards to detect and prevent identity theft related to customer and service accounts. This includes Healthcare Institutions.

True

The non-compliance of HIPAA rules could lead to civil AND criminal penalties.

True

When patients pay for their healthcare bills, "out of their own pocket", they can have information kept private from their health insurance plan.

True

The requirements of the federal HIPAA/HITECH regulations, state privacy laws, and employer policies and procedures that protect the privacy and security of confidential data include:

What information must be protected How you can protect confidential and sensitive information Your responsibilities for good computer practices How to report privacy breaches and security incidents

It is okay to put PHI in the Recycle bin because the Recycling Company does not look at documents before shredding them.

No

The "90/10" Rule means:

10% of security safeguards are technical and 90% on the computer user.

There are ______ personal identifiers in association with health information.

18

What does the acronym BAA stand for?

Business Associate Agreement

_______________ is defined as an impermissible disclosure of PHI that compromises the security or privacy of the patient.

Breach

The HITECH Act updated the existing HIPAA by including:

Breach notification requirements Fine and penalty increases for privacy violations Right of the patient to request copies of the electronic health care record in electronic format Mandates that Business Associates are civilly and criminally liable for privacy and security violations

Copies (NOT ORIGINALS) of patient information may be disposed of properly in the regular garbage of the healthcare facility.

False

HIPAA is the only source of federal law governing patient privacy.

False

It is my job to see PHI, but while opening lab reports, I saw my supervisor's pregnancy test results. Her pregnancy test was positive! I congratulated her, so this was not a misuse of PHI.

False

PHI can be recorded on paper or verbally. The electronic documentation of PHI is not covered under the HIPAA rules.

False

Patients, generally, will NOT be informed of their rights under HIPAA, but have the right to view the information on the government web site.

False

Students who are participating in clinical practicums in hospitals are NOT subject to HIPAA penalties because of their student designation.

False

The CIVIL Penalties for HIPAA violations can include imprisonment up to 10 years.

False

Under HIPAA, a patient has the right to request an amendment to his/her medical record, and the hospital has a duty to comply.

False

Under HIPAA, patients are NOT ALLOWED to view their PHI.

False

You CANNOT be fired for violating HIPAA.

False

Joan, my co-worker and friend, forgot her newly assigned password. Is it OK if I let her use mine just for today?

No

Because I have access to confidential patient information as part of my job, I can look up anybody's record, as long as I keep the information to myself.

False. I can only look at records when it is required by my job.

Which federal agency requires the protection of the privacy and confidentiality of PATIENTS?

HHS

What does the HITECH acronym stand for?

Health Information Technology for Economic and Clinical Health Act

What does the HIPAA acronym stand for?

Health Insurance Portability and Accountability Act

HIPAA seeks to do ALL of the following EXCEPT:

Make your job easier.

Which of the following are PHI Identifiers?

Name Medical Record number Social Security Number Telephone number

A person calls the main switchboard to see if a particular patient has been admitted, but can't verify they know important information about the patient. May they be told if the patient is admitted?

No

I called and left a lab report with a wrong number, but it's okay because I tried again and left the message at the correct number.

No

I work in the laboratory and my friend, who works in ICU, told me that she just saw a famous politician get on the elevator. My friend saw in the internet that this senator has cancer and asked me to find out what floor he is on. Can I give my friend the information?

No, it is not necessary for my job, so I would be violating the patient's privacy by checking on his location and by sharing this information with my friend

A document that explains your organization's rules for releasing a patient's medical information is called:

Notice of Privacy Practices

Which of the following is a procedure that protects the confidentiality of patient information?

Passwords to access computerized medical records are not shared. Medical record file cabinets and file room doors are kept locked. There are rules that prohibit employees from looking at records unless they have a need to know the information.

Using PHI for patient registration or coding purposes would fall under which portion of the allowed purposes for release of PHI?

Payment

PHI stands for:

Protected Health Information

What does the acronym PHI stand for?

Protected Health Information

What does the Federal Child Abuse Prevention and Treatment Act require healthcare workers to do if they suspect abuse?

Report it to the proper authorities.

If you suspect someone is violating your employer's privacy policies, you should:

Report your suspicions to your supervisor

What does the acronym FDA stand for?

The Food and Drug Administration

In order to use or disclose PHI:

The health provider must give each patient a Notice of Privacy Practices Advises the patient of his/her privacy rights The provider must attempt to obtain the patient's signature acknowledging receipt of the Notice, except in emergency situations.

Which of the following is an example of IMPLIED consent?

The patient makes an appointment and arrives for the procedure.

The HIPAA Omnibus Rule provides ________ penalties for violation of HIPAA rules.

Tougher

The acronym TPO stands for:

Treatment, Payment, Operations

A COVERED ENTITY can be the healthcare provider, a healthcare clearinghouse that transmits information for a provider, and the actual health plan.

True

A Health Provider must have a BAA with vendors who will use PHI when providing a service to the Provider

True

A facility's Notice of Privacy Practices must be given to a patient on the first visit.

True

Evidence of Child Abuse is exempt from HIPAA.

True

Federal penalties can be taken against a hospital or an individual for PHI breaches.

True

If a patient requests copies of their PHI, the covered entity may impose a MODEST fee for labor, photocopying, supplies and postage.

True

In certain situations, it is permissible to disclose PHI WITHOUT an authorization if a client may be harmed and the information you have could prevent that harm.

True

It is the responsibility of the employer to offer adequate HIPAA education and training to their employees.

True

Knowingly releasing PHI can result in a one-year to 10-year jail sentence and a $50,000 fine.

True

MINIMUM NECESSARY means that, when PHI is used, disclosed, or requested, reasonable efforts must be taken to determine how much information will be sufficient to serve the intended purpose.

True

Patients who believe that their PHI has been compromised by the hospital have the right to make a complaint to the federal government.

True

Prior to a student entering into a clinical practicum at a hospital, HIPAA training must be provided to the student.

True

Self-administered health plans with fewer than 50 participants are exempt from privacy compliance.

True

HIPAA Privacy Policies and Procedures cover use or disclosure of PHI in the following format:

Written documents Electronic transactions Oral communications

A patient wants a lab test in their medical report deleted, because it is an erroneous value. Can they have this change made?

Yes

In the Radiology waiting room, an x-ray technologist calls the next patient by saying, "Mary Jo Carson, We are ready to do your sonogram now." Is this a HIPAA violation?

Yes

While at her daughter's open house at the elementary school, Brittany, a receptionist at Dr. Walden's Neurology practice, mentions to a friend that she saw a mutual friend at the office last Friday. Is this a violation of HIPAA?

Yes

You MAY access the electronic medical record of a co-worker WHEN:

You are involved in his/her care and have a job-related need to know.

I do not work with patients nor do I have access to medical records, however I see patients pass by my desk in the clinic. Can I talk about the patients with my coworkers, family and friends even if it has nothing to do with my job?

You may not discuss any patient information with anyone unless required for your job.