HIPAA & Privacy

Which of the following does not fall within the definition of "treatment" under the HIPAA Privacy Rule?

The provision of health care. Consultations. Referrals. Utilization review. - correct

Which of the following is not protected health information (PHI)?

An education record protected by FERPA. A student treatment record excepted from FERPA. An employment record held by a covered entity in its role as an employer. All of the above. - Correct

Which of the following is not a public benefit activity (PBA) under the HIPAA Privacy Rule?

Disclosures of protected health information (PHI) as required by law. Disclosures of protected health information (PHI) for health oversight activities. Disclosures of protected health information (PHI) to law enforcement officers. Disclosures of protected health information (PHI) to make money. - Correct

Which of the following is a public benefit activity (PBA) under the HIPAA Privacy Rule?

Disclosures of protected health information for payment. Disclosures of protected health information for research. - Correct Disclosures of protected health information for treatment. Disclosures of protected health information for health care operations.

The HIPAA Privacy Rule regulates covered entities' and business associates' uses and disclosures of which of the following?

Information. Health information. Protected health information. - Correct Individually identifiable health information.

Which of the following does not fall within the definition of "health care operations" under the HIPAA Privacy Rule?

Payment. - Correct Premium rating. Due diligence relating to the acquisition of one covered entity by a second covered entity. Fundraising for the benefit of the covered entity conducted in accordance with 45 C.F.R. § 164.514.

Is gender considered an identifier under the HIPAA Privacy Rule?

gender (male, female, etc.) is not considered an identifier under the HIPAA Privacy Rule (although arguably it should be, especially if there are only a certain number of transgender individuals, for example, in a very small town). So, the correct answer is the gender of a patient's spouse. On the other hand, a license plate is considered an identifier, and remember the identifier can relate not only to the patient herself but also the patient's family member, relatives, or household members. A roommate is a household member.

Is HIPAA a federal statute? Enacted by whom?

the HIPAA Privacy Rule is a federal regulation promulgated by an administrative agency (HHS). The HIPAA statute is a federal statute enacted by Congress.

Which of the following statements by a covered physician does not contain protected health information (PHI)?

"I removed skin cancer from a 95-year-old female patient today." "I did a tonsillectomy on a 50-year-old male patient today." - Correct "Yeah, I live on Lindsey Avenue in Norman, Oklahoma. Speaking of, my next-door neighbor is a patient of mine and she has really bad toe fungus." "What do I do? I am a psychiatrist and treat patients with narcissistic personality disorder. Speaking of, I saw [Donald Trump or Joe Biden -- take your pick and insert one name!] today at my clinic."

Which of the following uses or disclosures of protected health information (PHI) is not allowed under 45 C.F.R. § 164.506 without the patient's prior written authorization?

A covered hospital that is being audited by the Internal Revenue Service (IRS) discloses some of its billing records to its accountant. A covered nursing home sends protected health information (PHI) to a covered hospice to help the hospice defend itself in a medical malpractice and institutional liability lawsuit. - Correct A covered oncologist consults with a covered pathologist regarding a cancer patient's treatment plan. A teaching physician shares protected health information (PHI) with her medical residents for teaching purposes.

In which of the following cases would a prior written authorization be required before the covered entity could make the disclosure under the HIPAA Privacy Rule?

A covered, nonprofit hospital wishes to use a patient's demographic information to mail the patient a generic fundraising/solicitation letter that is sent to all past and current hospital patients. A covered pathologist would like to disclose information regarding a patient's cause of death to the local coroner. A covered obstetrician would like to sell a pregnant patient's home address to a diaper marketing company. - Correct A covered hospital would like to disclose patient identifiable billing records to the State Medicaid Fraud Unit after the hospital discovers it has overbilled the State Medicaid Program.

Which of the following protected health information (PHI) uses or disclosures would be permitted under 45 C.F.R. § 164.506(c)(4) without the prior written authorization of the patient who is the subject of the PHI?

A disclosure of PHI by a covered hospital to a second hospital for the second hospital's physician peer review activities. Assume that both hospitals have or have had a relationship with the patients whose PHI is being disclosed and that the PHI pertains to that relationship. - Correct A disclosure of PHI by a covered physician to a durable medical equipment (DME) company for purposes of ordering a wheelchair for a particular patient. A disclosure of PHI by a covered group practice to an insurance company to obtain reimbursement for the health care services provided to a particular patient. A disclosure of PHI by a covered occupational therapist to a second covered occupational therapist to help the second covered occupational therapist defend herself in a malpractice lawsuit.

Which of the following information uses or disclosures would be permitted by a covered entity under 45 C.F.R. § 164.506(c)(1) without prior written authorization?

A disclosure of PHI by a covered hospital to an ambulance company to help the ambulance company bill for transportation services provided to a patient transported to the hospital. A disclosure of PHI by a covered hospital (Hospital A) to a second covered hospital (Hospital B) for the second hospital's quality assurance activities. A disclosure of PHI by a covered hospital to a covered nursing home to help the covered nursing home treat a patient being transferred from the hospital to the nursing home. A disclosure from a covered oncologist to a covered pathologist to enable the covered oncologist to better treat the patient. - Correct

Which of the following is most likely to be protected health information (PHI)? Correct!

A medical record created and maintained by a hospital about the labor and delivery of a nurse who also happens to be employed by the hospital. - Correct An employment record showing that an employed nurse tested negative for SARS-CoV-2 and was permitted to continue her employment. The following statement by a covered physician: "I deliver babies in Texas." The following statement by a covered hospital: "We are a general, acute-care hospital. Among other services, we have a top-ranked neonatal intensive care unit."

Which of the following is not protected health information (PHI)?

A medical record created and maintained by a physician that contains a named woman patient's genetic test results showing that she does not have variant in her BRCA1 gene and, therefore, that she has a normal probability of developing breast cancer. Assume the medical record also contains no indication that the woman currently has breast cancer. A medical record created and maintained by a covered physician stating that Tipper Gore had been diagnosed with a particular mental disorder twenty years ago. A statement by a covered physician that she specializes in treating pediatric patients with HIV/AIDS. - correct A statement by a covered physician that her oldest patient, who is 103 years old, has an amazing 90/60 blood pressure!

Which of the following is not a "health care provider" under the HIPAA Privacy Rule

A physician (e.g., Dr. Phil). A hospital (e.g., Norman Regional Health System). A pharmacy (e.g., CVS or Walgreens). An attorney (e.g., Stacey Tovino). - Correct

Which of the following is not a "provider of medical or health services" for purposes of the HIPAA Privacy Rule's definition of "health care provider"?

A psychologist. A home health agency. - Correct A nurse mid-wife. A clinical social worker.

Which of the following individuals or institutions does not fall within the definition of a "business associate" under the HIPAA Privacy Rule?

A reference laboratory that provides clinical diagnostic laboratory services to a covered referring/ordering physician on behalf of patients whose urine, blood, and other specimens are collected for testing. - Correct A lawyer (i.e., outside counsel) who provides medical malpractice defense services to a covered physician and needs access to the covered physician's medical records. The Joint Commission on Accreditation of Health Care Organizations. An accountant who provides accounting services to a covered hospital's billing and financial aid department and who requires access to patient billing records to provide such accounting services.

Which of the following falls within the definition of a "covered entity" under the HIPAA Privacy Rule?

A self-insured group health plan that is self-administered and has 50 participants. - Correct An employer that has no health care components. An insured group health plan that is self-administered and has 25 participants. None of the above.

Which of the following is not an education record protected by FERPA?

An application for admission to the University of Oklahoma College of Law by a named applicant stating that her grades were bad her junior year of college due to her struggles with alcoholism. A named student's request for an exam accommodation at the University of Oklahoma College of Law stating that the student has dyslexia. The medical record of an MLS student at the University of Oklahoma College of Law that was created and is still in the hands of the student's personal physician stating that the student has bipolar disorder. - Correct An email written by a student who uses a wheelchair telling the Dean of Students at the University of Oklahoma College of Law that Classroom A is inaccessible to the student because it does not have a ramp.

Which of the following organizational options allows a covered entity that is a single legal entity to apply the HIPAA Privacy Rule to only one part or some parts of its legal entity?

An organized health care arrangement (OHCA). A single affiliated covered entity (SACE). A hybrid entity that has both health care and non-health care components. - Correct None of the above.

Which of the following statements is true about a business associate (BA) after the enactment of the American Recovery and Reinvestment Act (ARRA)? That is, post-2009, which of the following statements is true?

Business associates are directly regulated by the HIPAA Privacy Rule and can be subject to civil penalties for violations of the HIPAA Privacy Rule. Business associates are directly regulated by the HIPAA Privacy Rule and can be subject to criminal penalties for violations of the HIPAA Privacy Rule Both of the above. - Correct Business associates are not directly regulated by the HIPAA Privacy Rule.

Which of the following statements was true about a business associate (BA) before the enactment of the American Recovery and Reinvestment Act (ARRA)? That is, pre-2009, which of the following statements was true?

Business associates were directly regulated by the HIPAA Privacy Rule and could be subject to civil penalties for violations of the HIPAA Privacy Rule. Business associates were directly regulated by the HIPAA Privacy Rule and could be subject to criminal penalties for violations of the HIPAA Privacy Rule. Business associates were directly regulated by the HIPAA Privacy Rule and could be subject to civil and criminal penalties for violations of the HIPAA Privacy Rule. None of the above. - Correct

Which of the following does not fall within the definition of "payment" under the HIPAA Privacy Rule?

Coordination of care - Correct Claims management Collection Billing

Which of the following is not a public benefit activity (PBA) under the HIPAA Privacy Rule?

Disclosures of protected health information for workers' compensation activities. Disclosures of protected health information to avert a serious threat to health or safety. Disclosures of protected health information for gossip purposes. - Correct Disclosures of protected health information to organ procurement organizations for organ procurement and transplantation purposes

If a covered entity would like to freely use and disclose health information without regulation by the HIPAA Privacy Rule, the covered entity should:

Email the information but not print out the information. De-identify the information in accordance with the Privacy Rule's de-identification safe harbor. - correct Speak about the information but not email or text the information. Post the information to Instagram, Twitter, and FaceBook all at the same time.

Which of the following constitutes protected health information (PHI) for purposes of the HIPAA Privacy Rule?

Employment records maintained by Norman Regional Health System in its role as an employer of nurses. Medical and other treatment records made and maintained by the University of Oklahoma's (OU's) Goddard Health Center (Goddard) relating to OU students who are treated at Goddard if those medical records are not released to anyone else. An individually identifiable medical record of a patient who has been deceased for fifty-five (55) years. A statement by a covered physician that "a patient named Stacey whose employer is the University of Oklahoma has tested positive for COVID-19." - Correct

The HIPAA Privacy Rule does not regulate which of the following:

Health plans Health care clearinghouses Health care providers that transmit health information in electronic form in connection with certain standard transactions, including health care claims. None of the above. - Correct

Which of the following statements best describes the HIPAA Privacy Rule?

The HIPAA Privacy Rule is a federal statute governing health information confidentiality. The HIPAA Privacy Rule is a state statute governing health information confidentiality. The HIPAA Privacy Rule is a federal regulation governing health information confidentiality. - Correct The HIPAA Privacy Rule is a state regulation governing health information confidentiality.

Which of the following statements is true?

The University of Oklahoma (OU) is not a "hybrid entity" under the HIPAA Privacy Rule because no component within OU performs covered functions. The University of Oklahoma (OU) is a "hybrid entity" under the HIPAA Privacy Rule because some components of OU (e.g., Goddard Health Center, the College of Medicine, and OU Physicians) perform covered functions. - Correct The University of Oklahoma (OU) is a "hybrid entity" under the HIPAA Privacy Rule because some components of OU (e.g., the College of Law and the OU Golf Team) perform covered functions. None of the above.

The HIPAA Privacy Rule contains two methods of de-identifying information. These two methods are known as:

The expert determination method and the safe harbor method. - Correct The safe harbor method and the redaction method. The redaction method and the stripping method. The stripping method and the expert determination method.

Which of the following is not an identifier that must be removed from information in order for the information to be de-identified in accordance with the HIPAA Privacy Rule's De-identification Safe Harbor?

The gender of a patient's spouse. - Correct A full-facial photograph of a patient's mother. The license plate number of a patient's roommate. The Internet Protocol (IP) address of a patient's employer.