Chapter 2 Review: Compliance, Privacy, Fraud, and Abuse in Insurance Billing
Define protected health information (PHI)
Any data that identify an individual and describe his or her health status, age, sex, ethnicity, or other demographic characteristics, whether or not that information is stored or transmitted electronically
If you give, release, or transfer information to another entity, this is known as
Disclosure
HIPAA requirements protect disclosure of protected health information outside of the organization but does not protect against internal use of health information
False
If fraud and abuse are detected, ZPIC contractors report to the DOJ for further investigation
False
In the event of an OIG audit, the presence of an OIG compliance program will prevent penalties and fines from being imposed
False
In the federal health care program, accepting discounts, rebates, or other types of reductions in price is encouraged
False
The focus on the health care practice setting and reduction of administrative costs and burdens are the goals of which part of HIPAA?
HIPAA Title II: Administrative Simplification
What is the first step health insurance specialists should take toward achieving compliance so they do not violate laws, which may result in penalties or fines?
Identifying the laws that regulate the industry
At a patient's first visit under HIPAA guidelines, the document that must be given so the patient ackowledges the provider's confidentiality of his or her protected health information is the _____
Notice of Privacy Practices (NPP)
What is the primary purpose of HIPAA Title I: Insurance Reform?
To provide continuous insurance coverage for workers and their insured dependents when they change or lose jobs
It is necessary to turn documents over or lock them in a secure drawer if you are only leaving your desk for a few moments
True
Organizations who hire or contract with individuals who have been convicted of a misdemeanor or criminal offense and are on the OIG's list of excluded individuals may be subject to civil monetary penalties
True
Part III True/False Individually identifiable health information (IIHI) is any part of a person's health data (e.g., demographic information, address, date of birth) obtained from the patient that is created or received by a covered entity
True
Recovery audit contractors are highly motivated to find claim errors as they are paid a percentage of the money they recovery
True
The HITECH Act requires that business associates comply with the HIPAA Security Rule in the same manner that a covered entity would
True
To submit an insurance claim for medical services that were not medically necessary is a violation of the False Claims Act (FCA)
True
Under HIPAA Privacy regulations, patients do not have the right to access psychotherapy notes
True
Under HIPAA, patients may request confidential communications and may restrict certain disclosures of protected health information
True
Under HITECH, civil penalties for HIPAA violations are $100 for each violation with a maximum penalty of $25,000 for all violations of the same provision in a calendar year
True
Name the three main sections of the HIPAA Security Rule for protecting electronic health information
a. Adminstrative safeguards b. Technical safeguards c. Physical safeguards
The initiative that established hotlines for the public to report issues that might indicate fraud, abuse, or waste id a. ORT b. CMP c. HEAT d. RAC
a. ORT
Under HIPAA, exceptions to the privacy are those records involving
a. When the patient is a member of a managed care organization (MCO) and the physician has signed a contract with the MCO that has a clause that says "for quality care purposes, the MCO has a right to access the medical records of their patients, and for utilization management purposes, " the MCO has a right to audit those patients' financial records b. When patients have certain communicable diseases that are highly contagious or infectious and state health agencies require providers to report, even if the patient does not want the information reported c. When a medical device breaks or malfunctions, the Food and Drug Administration (FDA) requires providers to report certain information d. When a patient is suspect in a criminal investigation or to assist in locating a missing person, material witness, or suspect, police have the right to request certain information e. When the patient's records are subpoenaed or there is a search warrant. The courts have the right to order providers to release patient information f. When there is a suspicious death or suspected crime victim, providers must report cases g. When the physician examines a patient at the request of a third party who is paying the bill, as in workers' compensation cases h. When state law requires the release of information t police that is for the good of society, such as reporting cases of child abuse, elder abuse, domestic violence, or gunshot wounds
24. The Notice of Privacy Practices (NPP) document is given to patients a. at the first visit to the practice b. at every visit to the practice c. on an annual basis d. only on request of the patient
a. at the first visit to the practice
An individual's formal written permission to use or disclose his or her personally identifiable health information for purposes other than treatment, payment, or health care operations is called a. authorization b. disclosure c. release d. consent
a. authorization
Name the three specific areas of significant change that resulted from the HITECH act
a. business associates b. notification of breach c. civil penalties for noncompliance with the provisions of HIPAA
Indicate whether each of the following situations is one of fraud or abuse a. Under the False Claims Act, billing a claim for services not medically necessary b. Changing a figure on an insurance claim form to get increased payment c. Dismissing the copayment owed by a Medicare patient d. Neglecting a refund an overpayment to the patient e. Billing for a complex fracture when the patient suffered a simple break
a. fraud b.fraud c. fraud d. fraud e. fraud
Measurable solutions that have been taken, based on accepted standards and are periodically monitored to demonstrate that an office is in compliance with HIPAA Privacy rules is referred to as a. reasonable safeguards b.privacy safeguards c. security safeguards d. standards
a. reasonable safeguards
Privacy regulations allow patients the right to obtain a copy of PHI a. under all circumstances b. if they have a court order c. only if the health care provider has determined that it would be appropriate and would not endanger the patient or any other person d. only if the patient can pay the associated fee for the copies
a. under all circumstances
When faced with the discovery of an offense or an error, the health insurance specialist should immediately report concerns a. using the established chain of command outlined in your compliance plan b. to the OIG through their telephone hotline c. to the OIG through their e-mail address d. directly to the Department of Health and Human Services
a. using the established chain of command outlined in your compliance plan
The OIG recommends that health care staff should attend trainings in "general" compliance a. as part of their initial orientation b. at least annually c. every 6 months d. every 6 years
b. at least annually
Verbal or written agreement that gives approval to some action, situation, or statement is called a. authorization b. consent c. disclosure d. release
b. consent
HIPAA transaction standards apply to the following, which are called covered entities. They are a. health care third-party payers b. health care providers c. health care clearinghouses d. all of the above
b. health care providers
The FCA provision that allows a private citizen to bring civil action for a violation on behalf of the federal government and share in any money recovered is referred to as a. minimum necessary b. qui tam c. privileged information d. exclusion statue
b. qui tam
Under the Criminal False Claims Act, fines and imprisonment penalties for making a false claim in connection with payment for health care benefits can be imposed on a. the physician who provided the services b. the health care billing specialist who prepared the claim c. the health care administrator who oversees the practice or organization d. anyone who knowingly and willfully participated in the scheme
d. anyone who knowingly and willfully participated in the scheme
Under HITECH, if a breach occurs, the covered entity a. does not have to notify the affected party b. only has to notify the affected party if they feel it is reasonable c. must notify the affected party no later than 30 calendar days after the discovery of the breach d. must notify the affected party no later than 60 calendar days after the discovery of the breach
d. must notify the affected party no later than 60 calendar days after the discovery of the breach
Compliance is the process of
meeting regulations, recommendations, and expectations of federal and state agencies that pay for health care services and regulate the industry
If a breach of privacy is discovered, the health care provider is required to take affirmative action to respond to the breach and alleviate the severity of it. This is known as ____
mitigation
An individual designated to assist the provider by putting compliance policies and procedures in place and training office staff is known as a/an
privacy officer or private official (PO)
Part II Multiple Choice 19. One of the agencies charged with enforcing laws that regulate the health care industry is: a. Drug Enforcement Agency (DEA) b. Office of Inspector General (OIG) c. National Committee on Vital and Health Statistics (NCVHS) d. Department of Internal Affairs (DIA)
19. b. Office of Inspector General (OIG)
Under HIPAA guidelines, a health care coverage carrier, such as Blue Cross/Blue Shield, that transmits health information in electronic form in connection with a transaction is called a/an
covered entity
A confidential communication related to the patient's treatment and progress that may be disclosed only with the patient's permission is known as
Confidential communication
Unauthorized release of a patient's health information is called
breach of confidential communication
Dr. John Doe contracts with an outside billing company to manage claims and accounts receivable. Under HIPAA guidelines, the billing company is considered a/ an ____ of the provider
business associate
Enforcement of the privacy standards of HIPAA is the responsibility of a. Health Care Fraud and Abuse Control Program (HCFAP) b. National Committee on Vital and Health Statistics (NCVHS) c. Office for Civil Rights (OCR) d. Federal bureau of Investigation (FBI)
c. Office of Civil Rights
Health care providers who determine that they have submitted false claims, should resolve the issue by seeking the HHS and OIG guidelines established in 2006 and referred to as a. Operation Restore Trust b. Stark I and II c. Self-Disclosure Protocol d. Safe Harbor
c. Self-Disclosure Protocol
Under HIPAA, patient sign-in sheets a. are never permissible b. are permissible c. are permissible but limit the information that is requested d. are permissible but require the practice to give the patient a number to be used when calling the patient
c. are permissible but limit the information that is requested
Stealing money that has been entrusted in one's care is referred to as a. fraud b. abuse c. embezzlement d. obstruction
c. embezzlement
An independent organization that receives insurance claims from the physician's office, performs edits, and transmits claims to insurance carriers is known as a/an
clearinghouse