HIPAA Basics
Testing and Revision Procedure
-Application and Data Criticality Analysis -Evaluation
Contingency Plan
-Data Backup Plan -Disaster Recovery Plan -Emergency Mode Operation Plan
Authorized access under the Minimum Necessary requirements includes:
-Disclosure to a healthcare provider for treatment -Disclosure to the patient -Disclosure that has been explicitly authorized by the patient -Disclosure to HHS for compliance or enforcement -Disclosure required by law enforcement, such as in suspected child abuse cases -Disclosure required for HIPAA Transactions or Administrative Simplification
Information Access Management
-Isolating Healthcare Clearinghouse Function -Access Authorization -Access Establishment and Modification
Security Management Process
-Risk analysis -Risk management -Sanction Policy -Information System Activity Review
Various administrative safeguards that may be required in an organization.
-Security Management Process -Assigned Security Responsibility -Information Access Management -Security Awareness & Training -Security Incident Procedures -Contingency Plan -Testing and Revision Procedure -Business Associates -Workstation Use
Security Awareness & Training
-Security Reminders -Protection from Malicious Software -Log-in Monitoring -Password Management
Assigned Security Responsibility
-Workforce Security -Authorization and/or Supervision -Supervision -Workforce Clearance Procedure -Termination Procedures
Workstation Use
-Workstation Security -Device and Media Controls -Media Disposal -Media Re-use -Media Accountability -Data Backup and Storage (during transfer)
Business Associates
-Written Contract or Other Arrangement -Physical Safeguards -Facility Access Controls -Contingency Operations -Facility Security Plan -Access Control and Validation Procedures -Maintenance Records
The HIPAA Privacy Rule went into effect in what year?
2003
business associate
A business that provides services to a covered entity and may come into contact with PHI
Protected Health Information (PHI)
Any identifiable health information in any form—written, electronic, or verbal—is protected by the Privacy Rule. With few exceptions, this information is restricted against release or use without patient authorization, other than for the purposes of treatment, payment, and certain healthcare operations.
Criminal enforcement of HIPAA violations is carried out by what?
DOJ
Which of the following administers HIPAA?
Department of Health and Human Services (DHHS)
Electronic Protected Health Information (ePHI)
Electronic PHI is any identifiable patient data that is either stored or transmitted in electronic form.
Any company or group that pays for medical care is a healthcare provider.
False
As long as employees can truthfully report to an auditor that the organization complies with HIPAA, it is not necessary to document policies and procedures.
False
Prior to HIPAA, Medicare and insurance companies had unified electronic billing formats and codes for medical diagnostics and treatment.
False
Suspected child abuse can only be reported with the patient's consent.
False
Two doctors collaborating on treating a patient must sign business associate agreements.
False
gives State Attorneys General the authority to enforce HIPAA civil penalties
HITECH Act
provides incentives for the adoption of EHR systems
HITECH Act
HIPAA is an acronym that stands for _____.
Health Insurance Portability and Accountability Act
HIPAA identifies a variety of providers as covered entities, who must comply with the regulations:
Health plans -Any company or group that pays for medical care. Examples include Medicare; Medicaid; Health Plans (medical, dental, vision, prescription); HMOs; and self-funded plans by groups and businesses (except plans with less than 50 participants that are administered by the employer).
Healthcare providers -Any provider (hospital, doctor, dentist, pharmacy) that electronically transmits health information for transactions.
Healthcare clearinghouses -Organizations that process certain health information (such as converting diagnostic and treatment information into electronic bills).
A _____ must be provided to each patient informing them of their privacy rights, the organization's security officer, and how to file a complaint.
Notice of Privacy Practices
The HIPAA section that protects health information in any form is known as the _____.
Privacy Rule
established Minimum Necessary rule
Privacy Rule
governs the use and disclosure of PHI
Privacy Rule
What does PHI stand for?
Protected Health Information
Security Incident Procedures
Response and Reporting
protects electronic health information
Security Rule
Criminal provisions are enforced by the U.S. Department of Justice.
True
HIPAA includes both civil and criminal penalties for violations.
True
Patients may provide written authorization to share their records.
True
business associate
a person or organization that performs services for a covered entity that involve the use or disclosure of protected health information (PHI).
The principle of Minimum Necessary
access guides all sharing of PHI. Only the minimum amount of information needed to meet a legitimate purpose should be shared. Policies should be written that limit access to patient data. Procedures should be implemented to limit access to PHI based on organizational roles and responsibilities.
About half of HIPAA Security Rule requirements are actually in the _____ Safeguard section.
administrative
Covered entities under HIPAA include which of the following? -healthcare providers -health insurance companies -pharmacies -all the above
all the above
HIPAA includes penalties for which of the following? -lost data, even if the data is not released -data sold to health equipment companies to solicit new business -lost data that was not reported -all the above
all the above
HIPAA provides for which of the following? -portability of health insurance -privacy of health information -security of electronic health information -all the above
all the above
Violating the Privacy Rule can result in _____. -loss of your job -a major fine -going to jail -all the above
all the above
What did the HITECH Act do? -provided funding incentives to encourage the adoption of electronic health record (EHR) systems -increased the civil penalties for HIPAA violations -gave state Attorneys General the authority to enforce HIPAA civil penalties -all the above
all the above
A business associate is a person or business that performs services for covered entities that involve the disclosure of what? -medical lab reports -diagnoses and treatment information -doctor's dictation for transcription -any or all the above
any or all the above
An electronic health records software publisher is considered a ______.
business associate
The HIPAA Security Rule is designed to support the _____ of electronic protected health information.
confidentiality, integrity, and availability
Which of the following is an example of a business associate? -doctor -hospital -document company -insurance company
document company
The HIPAA Security Rule is focused on protecting _____ protected health information.
electronic
The Security Rule primarily protects which of the following?
electronic PHI
HIPAA is _____ legislation.
federal
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
included the requirement that business associates comply with HIPAA to the same extent as covered entities. The federal government finalized these new rules through a set of regulations known as the HIPAA Omnibus Final Rule, which came into effect on September 23, 2013.
Which of the following is an example of an administrative safeguard? -unique user identification -media re-use -data backup plan -Notice of Privacy Practices
media re-use
A guiding principle of the Privacy Rule is that only the _____ information is shared between people not responsible for providing treatment.
minimum necessary
The HIPAA obligations of business associates are best described how?
must comply like covered entities
Which of the following is NOT part of HIPAA? -the Privacy Rule -the Patient Rule -the Security Rule -Administrative Simplification
the Patient Rule
Which section of HIPAA governs the confidentiality, integrity, and availability (CIA) of electronic health information?
the Security Rule
A business associate agreement must include what requirement?
the business associate may only use PHI for specified purposes
Health Insurance Portability and Accountability Act (HIPAA)
was passed by Congress in 1996 to protect patients' personal health information.