Healthstream: EMTALA + HIPAA + Professional Compliance

The Privacy Rule allows for a patient to request that no information be shared with others even to the point of not acknowledging the patient's presence in the covered entity.

A. True

Workforce training on policies and procedures related to the Privacy Rule is a requirement.

A. True

You should identify questions that, if the answers were known, would assist in the evaluation of your compliance program.

A. True

Can a patient request to be contacted in a specific manner?

A. Yes, as long as they provide specific means for the communication of bills for treatment and services

The OIG recommends that organizations assess their compliance program ____.

A. annually

Professional Compliance 02: Compliance Program. Conducting a risk assessment is considered to be ____.

A. best practice

Healthcare organizations that handle PHI are known as ____ if they use electronic means to process transactions or transmit information.

A. covered entities

A review of systems (ROS) inquires about the system(s) ____.

A. directly related to the patient's symptoms

Workforce is defined as ____.

A. employees, volunteers, trainees and other persons whose conduct, in the performance of work for a covered entity or Business Associate, is under the direct control of such covered entity or Business Associate, whether or not they are paid by the covered entity or Business Associate

Your hospital has a duty under EMTALA to accept a transfer if it ____.

A. has the specialized capability that the patient requires and the capacity to accept the transfer

The U.S. Sentencing Guidelines state "an organization shall exercise due diligence to prevent and detect criminal conduct and ____."

A. promote a culture that encourages ethical conduct and a commitment to compliance with the law

CMS does not allow physicians to order observation services until ____.

A. the physician has seen and evaluated the patient

What does the term financial relationship include as defined in the Stark regulation?

B. Direct or indirect compensation arrangements between a referring physician (or an immediate family member) and an entity furnishing designated health services

A patient may request a transfer to another hospital only if his or her medical condition is stable.

B. False

All warrants, court orders and subpoenas are legitimate and therefore authorize the disclosure of PHI.

B. False

Federal regulations do not require Emergency Departments to post signage in hospital public entrances, and waiting, registration or treatment areas.

B. False

HIPAA does not require legal obligations on both the part of the covered entity and the Business Associate.

B. False

If a patient walks out during a medical screening examination and treatment without informing staff, no follow-up steps need to be taken by the Emergency Department nurse or physician.

B. False

PHI does NOT include any information that identifies the individual or could reasonably be used to identify the individual.

B. False

Under EMTALA, the obligation to provide services ceases when there is suspicion of medical identity theft.

B. False

What is a Business Associate?

C. A person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the Business Associate to protected health information

EMTALA permits contacting the patient's regular physician for information relevant to treating the patient. However, this cannot delay a medical screening examination (MSE) and stabilizing treatment. What else is permitted, as long as it does not delay an MSE or stabilizing treatment?

C. Conducting a reasonable registration process

Providers should check ____ and ____ documents for activity that may be suspicious for medical identity theft.

C. Explanation of Benefits and Remittance Advice

____ are subject to the Security Rule.

C. Health plans, healthcare providers and healthcare clearinghouses that transmit PHI electronically

Professional Compliance 03: Compliance Risk Areas. The Office of Inspector General has the authority to exclude individuals and entities from participation in the federal healthcare programs. For which offense(s) would enforcement action be taken against a provider?

C. Hiring, contracting with or doing business in any way with an excluded person

HIPAA Compliance 03: Privacy Rule Introduction. The Privacy Rule requires the designation of a ____.

C. Privacy Officer

The Anti-Kickback Statute prohibits offering or receiving anything of value or of perceived value in exchange for referrals. The statute also uses the term remuneration. What does remuneration mean under the Anti-Kickback Statute?

C. Remuneration means cash, gifts, discounts, grants, loans or anything else of value or perceived value that is not offered to others on an equitable basis

HIPAA Compliance 05: Patient Rights. What should a patient do if they discover incorrect information in their medical record?

C. Request an amendment of their PHI

Professional Compliance 05: Stark Law, Part II. With regard to fair market value (FMV), industry best practice suggests that you ____ in order to better withstand government scrutiny.

D. B and C

Two reasons for the value of healthcare information are ____ and ____.

D. B and C

With regard to physicians and teaching hospitals, what does the Physician Payments Sunshine Act, commonly known as Open Payments, require device and pharmaceutical manufacturers to report?

D. B and C

Misrepresentation is a serious form of healthcare fraud. Which form is commonly called upcoding?

D. Billing for the same product or service, but at a higher level than what was performed

Physicians and non-physician practitioners are increasingly at risk for identity theft. What elements of a physician's professional identity should be safeguarded to the extent possible?

D. Drug Enforcement Agency (DEA) number, license number, photo I.D., Tax I.D. Number and National Provider Identifier (NPI)

What is a patient required to do in order for a request to restrict the use or disclosure of their PHI to their health plan to be granted?

D. The patient is required to pay out of pocket for the service related to the PHI being requested to be restricted

The definition of referral is ____.

D. anytime a physician does something that directs a patient to a provider or allows the patient to receive care or continue receiving care from that provider

Documentation of history consists of up to four components: history of present illness; review of systems; past, family and social history; and ____.

D. chief complaint

Healthcare providers or organizations that use electronic means to process transactions or transmit PHI and thus subject to HIPAA are called ____.

D. covered entities

Under the Security Rule Technical Safeguards, encryption is defined as the process of converting ____.

D. information or data into a code, the purpose of which is to prevent unauthorized access

Once a patient with a psychiatric illness is medically screened and cleared, which of the following is the next appropriate action to take under the EMTALA regulation?

E. A and C

To avoid conflict with the Anti-Kickback Statute, agreements should be crafted to satisfy any specific requirements. These may include that the agreement ____.

E. A, B and C

Which of the following are PHI Physical Safeguards?

E. A, B and C

Which of the following is a rule regarding passwords?

E. A, B and C

Which of the following is a permitted disclosure of PHI to a correctional institution or in a custodial law enforcement situation?

E. A, B and D

According to the EMTALA regulation, a transfer must be accepted regardless of the patient's ____.

E. All of the above

If you believe a privacy violation has taken place, you may report it immediately to ____.

E. All of the above

Which of the following Emergency Department employees have responsibilities under EMTALA?

E. All of the above

An indicator of a phishing attempt is that the email ____.

E. All the above

The foundation upon which an effective compliance program is built rests upon the U.S. Sentencing Guidelines' essential elements. What are they?

E. All the above

According to the Affordable Care Act, repayment of overpayments must be made within ____ days.

B. 60

What is a Business Associate Agreement?

B. A legal document describing how the BA must comply with HIPAA and the BA's associated risks and responsibilities

The Stark Law primarily prohibits physicians from referring patients for designated health services to entities in which the physician or ____ has a financial interest.

B. the physician's immediate family member

Diagnostic services under direct supervision require ____, while general supervision requires ____.

B. the supervising physician be physically in the office suite and immediately available; the physician to have overall direction and control but not be present during the procedure

Stark defines fair market value (FMV) as ____.

B. the value in an arm's-length transaction that is consistent with general market value

The original intent of Stark remains. It is ____.

B. to prevent abuse of the Medicare system by ordering unnecessary services

What are clinical trial routine costs as defined by Medicare?

C. Items or services generally available to Medicare beneficiaries for treatment of medical conditions when not involved in a clinical trial

Which type of vulnerable patient should not leave the hospital Emergency Department unless authorized by an appropriate party?

D. All of the above

You are an Emergency Department (ED) physician who discovers that a patient has walked out during an MSE without informing staff. What should you do?

D. All of the above

A typical reason for disclosing PHI to law enforcement is ____.

D. All the above

Choose the CORRECT statement(s) regarding the purpose of the Security Rule.

D. B and C

Minimum Necessary means to provide only the ____.

D. B and C

Stark covers designated health services that are reimbursed by ____.

D. B and C

Two exceptions allowable under Stark are ____.

E. A and C

False Claims Act liability is implicated when a provider knew or should have known of

E. All the above

For an inpatient admission, what questions involving severity of illness information should be addressed in your documentation?

E. All the above

Protected health information is information, including genetic and demographic information, that relates to

E. All the above

Which of the following is considered sensitive health information?

E. All the above

Choose the CORRECT statement regarding Minimum Necessary requirements.

A. A covered entity is required to limit the access of ePHI to a workforce member to only that which is necessary to do his or her job

The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the Technical and nontechnical Safeguards that covered entities must put in place to secure individuals' ePHI.

A. True

Personal supervision requires that the supervising physician ____.

A. be in attendance in the room in which the procedure is being performed

The Medicare Inpatient-Only Procedure list ____.

D. A and C

Which of the following can help avoid risks associated with social media?

D. A and C

05: Transferring and Receiving Patients. When may a patient who is not completely stable be transferred to another hospital?

D. All of the above

A financial relationship may include a direct or indirect compensation arrangement involving ____.

D. All of the above

According to the Minimum Necessary Standard, access to PHI includes access that is ____.

D. All of the above

Professional Compliance 04: Stark Law, Part I. Examples of designated health services (DHS) are ____.

D. All of the above

The information within the NPP ____.

D. All of the above

Under Stark regulations, government sanctions may include ____.

D. All of the above

Under the Anti-Kickback Statute, physicians and hospitals should be wary of their relationships with other healthcare-related businesses because ____.

D. All of the above

Identify the ways in which the Anti-Kickback Statute differs from the Stark Law.

D. A and B

In order to bill for incident-to services, the service must be ____.

D. A and B

Professional Compliance 07: Basic Documentation. Which of the following do third-party payers consider to be a documentation failure?

A. Fill-in-the-blank documentation that does not reflect the individual patient's circumstances

If you have a concern as to the legitimacy of an email, you can always ____.

B. pick up the phone and call the company from a number you already have, not one listed in the email

Prior to disclosing PHI directly to law enforcement, be sure you have ____.

B. the authority to make such a release

What does the abbreviation NPP stand for?

C. Notice of Privacy Practices

Which of the following statements is true?

D. A and B

Violators of the Anti-Kickback Statute are subject to both civil and criminal penalties. If convicted, such penalties may include ____.

D. All the above

The Notice of Privacy Practices ____.

E. All of the above

You have a duty to follow your organization's policies and procedures regarding notification, should you ____.

E. All the above

HIPAA Compliance 02: HIPAA Awareness. HIPAA includes the Minimum Necessary Standard. Essentially, this means ____.

E. B and C

Which of the following is a form of medical identity theft?

E. B and C

Billing Medicare for routine costs of a clinical trial involving Medicare beneficiaries that fail to meet qualifying criteria may result in which of the following?

E. B, C and D

The consequences of Stark violations include ____.

E. B, C and D

Mitigation of a violation of PHI means to ____.

A. lessen any actual or potential harm caused by the inappropriate PHI use or disclosure

To assist with compliance program assessment, industry best practice suggests ____.

B. use of a tool that allows assessment of each of the seven essential elements

What is the purpose of the Business Associate Agreement?

C. To safeguard PHI

Compliance programs for healthcare providers are ____.

D. mandatory

Why are healthcare providers targeted by identity thieves?

B. Because of the quality and quantity of the information they maintain

To which government agency should a potential Stark violation be disclosed?

B. CMS

Always billing the same code for similar patient visits, tests or diagnostic conditions exposes providers to which type of billing fraud?

D. Assumption billing

If all the PHI identifiers are removed, the information is no longer PHI.

A. True

PHI is NOT information maintained in employment records within the Human Resources Department or student files in an academic medical facility.

A. True

Patient-related identity theft may cause a medical record to contain comingled health information of more than one individual.

A. True

Physician registration in the Open Payments system is voluntary; however, registration is required in order for the physician to review and/or dispute any data reported.

A. True

Professional Compliance 06: Anti-Kickback Statute. Parties on both sides of a kickback arrangement are liable under the Anti-Kickback Statute.

A. True

Rented or leased devices used in health care, such as copiers, fax machines and scanners, should be stripped of all information prior to returning to the owners.

A. True

The EMTALA regulation states that a transfer cannot be refused based on a patient's instability or stability.

A. True

A patient who presented at your Emergency Department (ED) has just told you that he intends to leave before the completion of the MSE and treatment against your medical advice. You have informed the patient of his rights, the risks of leaving and the benefits of completing the MSE and treatment, and encouraged the patient to stay. You have documented all this in the medical record and requested that the patient sign a refusal of medical care form. The patient refuses to sign the form and leaves. What should you do now?

A. Document the patient's refusal to sign the form in the medical record

Professional Compliance 10: Special Interest Topics. A process to easily identify trial participants in a hospital setting is important. Why?

A. In order to keep items and services rendered as part of the trial separate from those items or services that are billed as part of the regular billing process

Medical screening examinations (MSEs) are required to be performed for every patient presenting in a dedicated Emergency Department of a hospital. What is an MSE?

A. The process required to reach, with reasonable clinical confidence, a determination as to whether or not a patient has an emergency condition

A Business Associate may use or disclose protected health information only as permitted or required by its Business Associate Agreement or as required by law.

A. True

A covered entity that is a correctional institution may use the PHI of inmates for any purpose for which such PHI may be disclosed under HIPAA.

A. True

A patient found trying to harm himself leaves the Emergency Department prior to the completion of the medical screening exam. When this type of vulnerable patient attempts to leave, Emergency Department staff should notify hospital security immediately upon discovery.

A. True

A unique and strong password contains a combination of uppercase and lowercase letters, numbers and symbols.

A. True

Disclosures of patient information for the purposes of treatment, payment or healthcare operations do not require the patient's authorization.

A. True

HIPAA Compliance 08: Security Rule Introduction. Certain medical devices that contain ePHI can be wirelessly hacked for the protected information or to stop the device or alter its programming.

A. True

HIPAA Compliance 09: Administrative Safeguards. The Technical Safeguards are the technology and the policies and procedures for its use that protect and control access to ePHI.

A. True

The Emergency Department Supervisor of a local hospital approved the destruction of the physician on-call log and central patient log containing all the patients who have presented to the ED or Labor and Delivery Department within the last three years. This would be considered a violation of the EMTALA requirement that states this type of documentation must be maintained for at least how many years?

B. Five

What should you do if a patient approaches you complaining about a potential privacy violation?

B. Follow your organization's policies and procedures regarding a potential privacy violation

Professional Compliance 08: Medical Identity Theft. How can medical identity theft be a risk to an individual's health?

B. Medical information of the victim and the imposter are comingled creating potential for grave error

Which of the following represents potential fraud?

B. Misrepresenting a service or product rendered or provided

What should you do, immediately upon discovery, if a vulnerable patient walks out of a dedicated Emergency Department without the authorization of an appropriate party?

B. Notify hospital security upon discovery

Which of these is a step to take when transferring a patient to another facility?

B. Obtain agreement from the receiving facility that it has the capability and capacity to receive the patient

Guidance for compliance programs is available online from ____.

B. Office of Inspector General (OIG)

ePHI is defined as ____.

B. PHI that is covered under the HIPAA Security Rule and is produced, saved, transferred or received in an electronic form

Which statement is correct?

B. Patients have a right to request access to and review their PHI

Documentation of evaluation and management services must support which of the following three key areas?

B. Problem-focused history, problem-focused physical examination and medical decision-making

Which of the following rights would you use if you want to see how your PHI has been used or disclosed?

B. The right to an accounting of disclosures of PHI but not those made for treatment, payment, healthcare operations or that were authorized by you, the patient

What is the primary purpose of documentation?

B. To support the provision of high quality patient care

For most Stark exceptions to apply, ____ is required.

B. a written agreement

An important component of a compliance program is the establishment of a mechanism for reporting.

B. anonymous

Documentation of the supervision of a service should include ____.

B. any management or direction of the service that the supervising physician furnished, the level of supervision and signature of the supervising physician

One way to protect the privacy of a patient who has declined inclusion in the facility directory is ____.

B. check to confirm the patient's preferences before disclosing the patient's presence in the facility or any other information

HIPAA Compliance 06: Working with Business Associates. A Business Associate has the same responsibility to protect patient information as a(n) ____.

B. covered entity

Agreements must NOT ____.

B. include compensation that exceeds fair market value or vary compensation based on the volume or value of referrals

A corrective action plan is important because ____.

B. it allows areas where there are risks, gaps in controls and program deficiencies to be addressed and recurrence prevented

Documentation is effective when ____.

B. it includes who provided the service, what service was provided, when the service was provided, where the service was provided and why the service was provided

HIPAA Compliance 07: Law Enforcement Uses and Disclosures. In regard to court orders, subpoenas or warrants, ____ often define(s) the requirements of such documents.

B. local and state laws

The Anti-Kickback Statute has 25 safe harbors that protect certain types of arrangements. In order to be afforded legal protection under the safe harbor, the arrangement must ____.

B. precisely and fully meet the applicable safe harbor

If you believe you have identified a phishing email, the best approach would be to ____.

B. stop, and follow your organization's policy and procedure for a suspected phishing attempt

03) Emergency Department Personnel Responsibilities. EMTALA specifically prohibits delaying a medical screening examination due to ____.

B. the patient's ability to pay, diagnosis, race, color, national origin or disability

Medicare overpayments must be returned to the Medicare program within ____ days of discovery.

C. 60

04: Emergency Department Walkouts. You are a triage nurse in the Emergency Department (ED). A patient is refusing initiation of an MSE and treatment. You have informed the patient of the risks of leaving and the benefits of receiving an MSE and treatment. You have encouraged the patient to stay. What should you do if the patient still refuses the MSE and treatment?

C. A and B

Which of the following statements is correct?

C. A patient has a right to make a request of a covered entity; however, based on the associated legal requirements, fulfilling that request may not always be possible

The definition of Protected health information is information, including genetic and demographic information, that relates to an individual's past, present or future physical or mental health or condition, the provision of health care to the individual, the past, present or future payment for the provision of health care to the individual and ____.

C. any health information that can reasonably be used to identify an individual

Prior to any release of PHI directly to law enforcement, make sure you know what ____ with law enforcement.

C. can and cannot be shared

Physicians who provide care to patients while lacking the training and competency levels to do so are committing a ____ offense.

C. criminal

The Privacy Rule requires the ____ of policies and procedures.

C. development and implementation

The Business Associate Agreement clarifies the uses and disclosures of PHI based on the services being performed by the BA.

C. permissible

Limited professional courtesies are an exception allowed under Stark. The amount allowed for professional courtesies is determined and published annually by ____.

C. the Centers for Medicare and Medicaid Services (CMS)

The level of physician supervision in a diagnostic service is determined by ____.

C. the Medicare Physician Fee Schedule Relative Value File

The definition of decryption is ____.

C. the process of taking encoded or encrypted text or other data and converting it back into text that you or the computer can read and understand

Under Stark, any agreement must NOT take into account ____.

C. the volume and/or value of referrals

Generally, the transfer of a stabilized patient to another hospital is permitted ____.

C. when your hospital does not have the capability and capacity to provide the best care for the patient

When is a patient's authorization to disclose his or her PHI NOT necessary?

D. A and C only

Clinical trial costs that are not covered by Medicare include ____.

D. All the above

Electronic media includes ____.

D. All the above

HIPAA Compliance 04: Protected Health Information. PHI identifiers include ____.

D. All the above

Healthcare providers and entities are advised to perform background checks prior to new hire employment or vendor contract implementation by checking ____.

D. All the above

In documenting the need for intensity of services, what questions should a physician address?

D. All the above

In what ways are physicians and non-physician practitioners put at risk for medical identity theft?

D. All the above

Protected health information (PHI) can be ____.

D. All the above

To meet an exception under Stark, there must be compliance with all conditions of the exception. However, the exception is invalid unless there is also compliance with ____.

D. All the above

Which of the following is a Physical Safeguard?

D. All the above

Which of these is documentation that must be maintained for at least five years under EMTALA?

D. All the above

With regard to safe harbors and how they differ from exceptions in the Stark Law, which of the following statements is true?

D. All the above

