HIPAA


HIPAA civil penalties include fines from ___ to ____

$100 to $1.5 million

Under HIPAA, all ages over _____ are considered an identifying element of PHI

89

What is the federal civil penalty for knowingly violating HIPAA Privacy and Security regulations?

A fine ranging from $100 up to $1.5 million per violation depending on the harmful intent of the violation.

HIPAA Security Rule enforces:

Confidentiality, Integrity, Availability

What should I do if I need to see my personal medical record (electronic or paper record) or my spouse's record?

Contact Health Information Management or the physician's office for copies.

As a rule, first contact _____ for PHI to be used for IRB-approved research protocols.

Health Information Management

What happens to media (e.g., CDs, disks, or thumb drives) that contain PHI or other sensitive information and are no longer being used?

They must be cleaned or sanitized before being reallocated or destroyed. Once they are sanitized, place them in specially marked secure containers for destruction.

What happens to physical documents that contain PHI or other sensitive information and are no longer being used?

They must be shredded immediately or placed in securely locked boxes or rooms to await shredding.

What is the fine for criminal penalties for "wrongful disclosure"?

Large fines of $50K to $250K and up to 10 years in prison

What are privacy core standards?

Privacy core standards govern how UAB/UABHS and its workforce shall operate in order to meet the HIPAA Privacy Rule. In particular:
1) Use and Disclosure of Health Information
2) Use and Disclosure of Health Information for Marketing
3) Use and Disclosure of Health Information for Fundraising
4) Use and Disclosure of Identifiable Health Information for Research
5) Patient Health Information Rights

HIPAA

The Health Insurance Portability and Accountability Act

Which department is responsible for enforcing criminal penalties for noncompliance with the HIPAA Privacy Rule?

U.S. Department of Justice

Who are the owners of our patients' PHI?

UAB/UABHS

PHI can be accessed only for

UAB/UABHS business/work-related purposes

Any one of the 18 identifiers combined with ______ is PHI

a reference to a diagnosis or medical condition

Which of the following is the acceptable guidance for emailing PHI?
a. Do not email PHI unless the transmission is within the UAB/UABHS's email systems. For all other email, contact your information systems representative for assistance.
b. PHI can always be sent in an attachment to an email
c. Email is not an approved means of communication at UAB/UABHS
d. None of the above

a. Do not email PHI unless the transmission is within the UAB/UABHS's email systems. For all other email, contact your information systems representative for assistance.

Privacy

an individual's right to keep certain information to himself or herself, with the understanding that their protected health information (PHI) will only be used or disclosed with their permission or as permitted by law.

Privileged PHI

information about abuse or neglect, alcohol or drug abuse, sexually transmitted diseases, HIV, or psychiatric treatment

Types of data protected by HIPAA

written documentation, paper records, medicine labels, ID bracelets, spoken and verbal info including voicemail, electronic databases, photographs, digital images

T/F: All types of protected health information (written, verbal, or spoken, and electronic) are protected by HIPAA.

True

What are examples of wrongful disclosures?

Accessing health information under false pretenses, releasing patient information with harmful intent, selling PHI, etc.

Which Department, through the Office for Civil Rights, enforces civil monetary penalties for noncompliance with HIPAA?

Department of Health and Human Services

True or False - Deleting a file removes the data from the media.

FALSE

Principal investigators or designated researchers must provide a ________ to the covered entity holding that data before the data can be released for research.

copy of the fully executed IRB approval form

What steps should be taken before sending PHI via a fax machine?
a. ensure you are using your entity's approved fax coversheet
b. verify the fax number is correct
c. limit the PHI contained in the fax to the minimum necessary, but do not put any PHI on the coversheet
d. all of the above

d. all of the above

Which of the following is/are defined as PHI data elements under HIPAA?
a. patient's name
b. patient's photograph
c. vehicle identifiers
d. all of the above

d. all of the above

Why is it important to put away papers, such as folders, files, and reports, containing patient and other confidential information when you leave your work area?
a. an unauthorized person could take the documents
b. people with access to your area may not be authorized to access the information
c. information could be mistakenly discarded
d. all of the above

d. all of the above

What are some examples of a breach?

1) Accessing PHI without a work-related need to know
2) Sharing PHI with those who do not need it for work purposes
3) Copying or removing PHI from the appropriate area
4) Having patient-related conversations in public settings
5) Sending a fax containing PHI to the wrong destination
6) Loss or theft of records containing PHI

Often principal investigators are also clinicians. Therefore, additional guidance must be followed:

1) Principal investigators or their designees should not use their clinical access to search patient records for potential research participants. 2) Physicians who are involved in research activities may contact only their own patients while recruiting for research activities.

The only exceptions to the minimum necessary standard are those times when a covered entity is disclosing PHI for the following reasons:

1) Treatment
2) Purposes for which a patient authorization is signed
3) Disclosures required by law
4) Sharing information with the patient about himself/herself

HIPAA Privacy and Security regulations apply to research involving human subjects and:

1. Impact the use and disclosure of PHI for research
2. Do not replace other federal research regulations; therefore, all existing regulations related to human research remain in effect.
3. Apply whether or not the research is funded by the government.

What are the 8 core standards that govern how UAB/UABHS and its personnel shall operate in order to meet the HIPAA Security Regulations?

1. Information System and Account Management
2. Internet and Email Use
3. Media Reallocation and Disposal
4. Information Systems and Network Access
5. Contingency Planning
6. Risk Analysis and Management of EPHI
7. Security Incident Response
8. Use of Portable Devices for Computing and Data Storage

Safeguards to follow before sending PHI via Fax

1. Use an approved fax cover sheet that includes a confidentiality statement.
2. Put no PHI on the cover sheet.
3. Limit the PHI to the minimum necessary.
4. Double check fax numbers.
5. Check confirmation sheets to verify that the transmission was successful and accurate.
6. Ensure that confidential information is not left on the fax machine.

18 identifiers that are considered PHI

1. name
2. geographic subdivisions smaller than a state
3. all elements of dates (except year)
4. telephone numbers
5. fax numbers
6. electronic mail addresses
7. social security number
8. medical record numbers
9. health plan beneficiary numbers
10. account numbers
11. certificate/license numbers
12. vehicle identifiers and serial numbers
13. device identifiers
14. URLs
15. IP addresses
16. biometric identifiers
17. full face images
18. any other unique identifying number

What is required before a covered entity can contract a third party individual or vendor (subcontractor) to perform activities or functions which will involve the use or disclosure of the covered entity's PHI?

A Business Associate Agreement (BAA)

What does a BAA do?

Binds the third party individual or vendor to the HIPAA regulations when performing the contracted services.

True or False - It is okay to send privileged PHI in a fax

FALSE

True or False - You can use your access to look up your own medical information or information on your family, friends, or co-workers.

FALSE

True or False - Formatting constitutes sanitizing the media.

FALSE - Formatting does not constitute sanitizing the media.

True or False - HIPAA penalties and fines only apply to covered entities

FALSE - Penalties and fines apply to members of the work force and other individuals, NOT just to the covered entities.

True or False - PHI may always be disclosed to individuals involved in a patient's care or payment for care

FALSE - not if a patient objects

True or False - we are required to agree to patients' requests of their medical and dental information

FALSE - we are not required to agree to patients' requests

True or False : Only employees of UAB must comply with HIPAA regulations.

False. All employees, students, and volunteers of the covered entities must comply with HIPAA regulations.

True or False- there is no harm in using public websites (Google, MS office) for storing PHI or research data.

False. Do not use public websites (Google, MS office) for storing PHI or research data.

True or False- It is okay to discuss PHI outside of work or with other employees who do not need to know the information to perform their jobs as long as they do not tell.

False. Do not discuss PHI outside of work or with other employees who do not need to know the information to perform their jobs

After using a clinic application on a shared workstation (nursing station), the user must take which of the following steps?

Log off the application.

My password or other means of access to UAB/UABHS information systems can be shared with which of the following?

No one

Under what circumstances are you free to repeat to others PHI you hear while performing your UAB/UABHS job responsibilities?

Only when authorized for business purposes (TPO)

Routine requests and authorizations for PHI should be sent through the _______ whenever possible.

Regular mail

To whom can you report a suspected breach of HIPAA?

Report to any of the following:
1. Your administrative supervisor
2. Your HIPAA Entity Privacy Coordinator (EPC) or your HIPAA Entity Security Coordinator (ESC)
3. The appropriate information systems help desk
4. The Privacy Office, the Office of Corporate Compliance, or the Office of University Compliance
5. The Institutional Review Board (IRB) if research data are involved

What are your rights regarding medical and dental information about yourself?

Right to:
1. inspect and copy
2. amend
3. an accounting of disclosures
4. request restrictions
5. request that health info pertaining to services paid out of pocket not be sent to insurance
6. request confidential communications
7. revoke authorization
8. a paper copy of this notice

________ also can pursue civil suits against persons who violate HIPAA privacy and security regulations.

State attorneys general

True or False - A HIPAA covered entity must use or disclose only the minimum necessary PHI required to accomplish the business purpose of the use or disclosure.

TRUE

True or False - Different departments of UAB may share medical and dental information to coordinate different things a patient needs

TRUE

True or False - If a research study has been approved by the IRB, then a principal investigator can use her clinical access to view medical records (electronic or paper) to identify potential research participants but only from records of those patients for whom she was directly involved in their care.

TRUE

True or False - If you are involved in a lawsuit or a dispute, we may disclose medical and dental information about you in response to a court or administrative order

TRUE

True or False - Individual employees are NOT authorized to sign contracts on behalf of UAB/UABHS

TRUE

True or False - One exception to "Do not email PHI": Emails with PHI can be transmitted in the UAB/UABHS email systems if you and the person to whom you are sending an email both have email addresses ending in either "uab.edu" or "uabmc.edu."

TRUE

True or False - UAB/UABHS has developed HIPAA core standards that govern how the organization and its personnel shall operate to comply with HIPAA regulations

TRUE

True or False - we are required to report child, elder, and domestic abuse or neglect to the state of Alabama

TRUE

True or False - we must notify patients in the case of a breach of their identifiable medical and dental information

TRUE

True or False- BAA must be approved in accordance with appropriate UAB/UABHS policies and procedures

TRUE

True or False- It is never allowed to forward your UAB/UABHS email account to another email system (gmail, AOL, hotmail, etc.)

TRUE

True or False - UAB can use patient's information for research, fundraising activities, marketing, and with business associates

TRUE - even though it seems to go against HIPAA, the patient information packet states that UAB has the right to do all of these things

"Sanitize" means to eliminate:

confidential or sensitive information from computer/electronic media by either overwriting the data or magnetically erasing data from the media.

What should I do if I suspect a breach involving protected health information?
a. discuss it with my administrative supervisor
b. report it to the privacy office, the office of corporate compliance, or the office of university compliance
c. report it to my HIPAA ESC or EPC
d. any of the above

d. any of the above

What can you do to prevent unauthorized persons from overhearing your conversation about a patient?
a. ask others to leave until you finish your conversation
b. write down the message on a small marker board, taking care to erase it when finished
c. don't talk to others about patients even if for patient care
d. go to a more private area; lower your voice

d. go to a more private area; lower your voice

_______ is responsible for the privacy and security of our patients' PHI

everyone

When HIPAA permits use or disclosure of PHI, a covered entity must use or disclose only the ________ PHI required to accomplish the purpose of the use or disclosure.

minimum necessary

What is a breach?

A breach occurs when "unsecured PHI" is "acquired, accessed, used, or disclosed" in an unauthorized manner that compromises the security or privacy of the information.

PHI can be sent via a fax machine if:

other more secure means of communication are not available or practical.

PHI

protected health information - any info that is created or received by a health care provider, health plan, or health care clearinghouse that relates to or describes the past, present, or future physical or mental health condition of an individual or past, present, or future payment for the provision of healthcare to the individual, and that can be used to identify the individual.

Portions of HIPAA most important for us

protecting the privacy and security of health data

Covered entities are permitted to use or disclose PHI for research purposes if...?

the Institutional Review Board (IRB) has approved the research and one or more of the following conditions exists:
1. a signed patient authorization is recorded
2. the research is decedent research
3. the process is preparatory to research
4. the research utilizes a Limited Data Set with a Data Use Agreement
5. the IRB grants a waiver for the required patient/participant signed authorization

HIPAA states that PHI may be used and disclosed to facilitate

treatment, payment, and healthcare operations (TPO)

Members of the UAB/UABHS work force are subject to what kind of disciplinary action for noncompliance?

up to and including termination of employment for noncompliance with HIPAA privacy and security regulations and standards

At UAB/UABHS, research is a _____ of PHI

use
