EHR Lesson 6 The Privacy and Security of EHI

Health care organizations and professionals that provide health care in the normal course of business and that electronically transmit information that is protected under HIPAA:

Covered entities

An authorization document must include all of the following:

Description of information to be used or disclosed, identification of person(s) authorized to use or disclose information, name of person or group to whom PHI may be given, purpose of use or disclosure, expiration date, valid signature and date

The release of PHI to an outside provider or organization is:

Disclosure

The HIPAA legislation was designed to accomplish:

Discontinue health insurance coverage for employees changing jobs

The HIPAA Privacy Rule applies to all forms of protected health information, while the Security Rule only covers:

Electronic protected health information (e-PHI)

The most significant types of threats to the security of data on computers by individuals do not include:

Employees who fail to shut down their computers before leaving at night

In the 1990s, a significant portion of each health care dollar was going toward administrative costs except:

Entering patient information into computer systems

A covered entity that has a contract with a business associate is always responsible for the actions of the business associate.

False

A signed authorization for disclosure of information is valid for an indefinite period of time.

False

All patient information is subject to HIPAA regulations.

False

The HIPAA Security Rule covers physical devices such as computers, USB flash drives, CDs and magnetic tapes as well as computer networks and information sent or received over the Internet.

True

The HIPAA Security Rule only covers protected health information that is transmitted in electronic form.

True

The addition of new users to a computer system can create a security threat.

True

The best protection against loss of computer data due to environmental hazards is regular backup of the data and storing the backup files at a remote location.

True

There are exceptions to the rules for release of PHI.

True

U.S. health care entities are outsourcing certain services such as transcription to foreign countries. Offshore vendors are not covered entities under HIPAA and do not have to comply with HIPAA privacy and security legislation.

True

When important medical decisions are made without a complete picture of a patient's health, the patient is not provided with the safest, most effective care.

True

Under HIPAA, which of the following is not considered a covered entity:

Business associates

Technical safeguards are automated processes that protect data and control access to data.

True

Patients can request accommodation of reasonable alternate communications. This does not include:

Communicating strictly by e-mail

Certain health plan benefits are exempt from HIPAA standards even when provided by health plans except:

Coverage for walk-in medical clinics

Legal services, information technology services, transcription services and collection agencies are examples of:

Business associates

Which of the following is not considered electronic protected health information (e-PHI)? Protected health information that is:

Accessed electronically

A specific authorization must be obtained for release of information pertaining to:

Alcohol and drug abuse, sexually transmitted diseases, human immunodeficiency virus and behavioral and mental health services

Patients must be given a copy of the Notice of Privacy Practices at the time of their first encounter and:

At least once every three years thereafter

Access controls include:

Authentication, authorization, passwords, biometric techniques, role-based authorization, encryption techniques and audit trails

As health information is kept on computer systems more and more, threats to protected health information decline.

False

Authentication is the process of determining whether an individual has been granted access rights to information.

False

Authorization is a confirmation of the identity of a user.

False

Complaints of violations of privacy rights must first be filed with the health care covered entity.

False

Disclosures made in connection with TPO must be documented.

False

HIPAA Security standards are very specific about the actions covered entities must take to protect ePHI.

False

HIPAA applies to every health care organization and professional.

False

If a covered entity is below a certain minimum size, it is not required to appoint a privacy official.

False

If an electronic data network crosses state lines, the privacy laws of the state with the stricter laws automatically apply.

False

Paper records in a physician's office are easy for unauthorized people to access.

False

Patients must be given a paper copy of the Notice of Privacy Practices at the time of their first encounter; it is not acceptable to send it electronically.

False

Records that show who has accessed a computer or network and what operations were performed are password trails.

False

To release information pertaining to mental health services, a covered entity must obtain a general authorization from a patient.

False

Confidentiality, integrity, availability of e-PHI:

Goals of HIPAA security standards

The increased use of information technology in health care puts protected health information at greater risk. Reasons for this do not include:

Increased use of computers and electronic technology has led people to take security for granted and pay less attention to it

Which of the following statements is not required on a valid authorization:

Information used or disclosed after the authorization may not be disclosed again by the recipient without another authorization from the patient

In certain circumstances, the rules for use and disclosure do not apply. Which of the following is not an exception to the rules?

Insurance company request to process application for life insurance

Intrusion detection systems do not:

Log attempted intrusions and report them to security personnel

For a physician, the designated record set (DRS) includes:

Medical and billing records

Using reasonable safeguards to protect PHI from being accidentally released - to those who do not need access to the information - during an appropriate use or disclosure:

Minimum necessary standard

Anyone who believes a privacy right has been violated can file a complaint with:

Office for Civil Rights

Technical safeguards used to protect data and control access to data include all but:

Passwords

Which of the following is not a result of the public's concern over the privacy of their health information:

Patients not complying with treatment plans

PHI is:

Protected health information

Which of the following is not a right given to patients by the HIPAA Privacy Rule?

Receive notification whenever additions are made to their records

An access control system that prevents users from viewing or modifying any part of the record that is not directly related to their jobs is:

Role-based authorization

Administrative Simplification provisions do not include:

Secure Internet connections

Since the Medicare and Medicaid legislation in 1965, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) legislation is the most significant legislation to affect health care.

True

A designated record set (DRS) is a group of records (any item, collection or grouping of information) that includes PHI and is maintained by a covered entity.

True

A firewall acts as a gatekeeper, deciding who has legitimate access to a network and what data should be allowed in and out.

True

A major challenge facing the health care field today is convincing patients that their personal data is secure and can be protected when it is computerized and exchanged electronically.

True

Automobile medical payment insurance is exempt from HIPAA standards even when provided by a medical plan.

True

Before the HIPAA Privacy Rule, the privacy of health information was under the protection of each state's privacy laws.

True

Biometric techniques use some measurable feature of an individual to authenticate their identity.

True

By signing the Acknowledgment of Receipt of Notice of Privacy Practices, a patient is stating that they have received, read and understand how the provider intends to protect their privacy rights.

True

Clearinghouses are companies that process health information and transmit electronic transactions on behalf of providers.

True

Covered entities may use or disclose PHI for treatment, payment and operations (TPO) purposes without special permission from a patient.

True

Covered entities under HIPAA must notify patients about their privacy rights and how their information can be used or disclosed.

True

De-identified health information neither identifies nor provides a reasonable basis for identifying an individual.

True

Encryption techniques make it possible to determine whether information has been altered in any way.

True

If the public does not trust that their health information can be kept private and secure, they will not support electronic health records or a nationwide health information network.

True

It is a HIPAA requirement that authorization documents be easy to understand.

True

Many entities offer personal health records (PHR) directly to individuals. If the organization providing the service doesn't fit the definition of a covered entity or business associate, the data in the PHR may not be protected.

True

Physical safeguards that protect electronic systems, equipment and data include reinforced doors, locks and identification badge readers.

True

Protected health information (PHI) is individually identifiable health information that is transmitted or maintained by electronic media.

True

Providers who do not send claims electronically are not subject to HIPAA rules.

True

Regular updating is required for antivirus software to maintain its effectiveness.

True

