MLT 112 Week 1 Media Lab HIPAA Privacy and Security Rules


The Privacy Rule requires covered entities to have which of the following measures in place?
-Safeguards that encourage sharing protected health information (PHI) with everyone
-A policy that forbids anyone except the patient from accessing a patient's PHI
-A HIPAA training program that requires participation by all staff
-A Privacy Officer or Official

A HIPAA training program that requires participation by all staff AND A Privacy Officer or Official

You work in a laboratory microbiology department that provides a local nursing home with information about the effectiveness of various antibiotics it uses to treat infections. You print the requested information, including patient first and last names, birthdates, and medical record numbers. You also print the bacterial organisms identified and the organisms' sensitivities to various antibiotics. What information should you provide to the nursing home?
-The information as printed.
-The information without the last names of the patients.
-A listing of bacterial organisms, antibiotic sensitivities, and antibiotics used, without any patient identification.

A listing of bacterial organisms, antibiotic sensitivities, and antibiotics used, without any patient identification.

As a manager, you guided a group of students through your clinical laboratory. You did not explain the laboratory's privacy policy to the teacher and students because you thought they would have little access to PHI. However, during the tour, the students overheard names of patients and associated blood tests, saw laboratory reports lying on desks, and viewed test results on computer screens. This is acceptable under the HIPAA Privacy Regulation since these were incidental disclosures that could not reasonably be prevented. True or False?

False

The HIPAA Privacy Rule regulations apply only to health information about a patient when it is in electronic form. True or False?

False

You work for a family physician and your family members are his patients. Printing your mother's chest X-ray report without a physician request for a copy of the report is an acceptable privacy practice. True or False?

False. Although individuals can request that a covered entity release their radiology and other test results directly to themselves, it is preferable that patients get results from their own physician. In any event, you may not use your access to the information system to view a friend's or relative's laboratory or other results just because you are curious about the result.

You work in a physician office and your PC contains electronic copies of letters to patients requesting payment of overdue bills. You decide to take the information home using a USB flash drive so you can work on it at night. This is okay as long as you load the letter to your own computer at home and do not share them with anyone. True or False?

False. The HIPAA Security Rule requires that all electronic media, including flash drives, be controlled. Taking PHI home would violate your institution's policies and procedures for the control of portable digital media. It also compromises the security of the PHI stored on that drive.

HIPAA stands for:

Health Insurance Portability and Accountability Act

You are the customer service representative in a clinical laboratory. You get a call from a nurse at one of your outreach clinic offices requesting that you fax test results on a patient. The physician is currently seeing the patient and needs the test results immediately. Under the HIPAA Privacy Regulations, you can comply with this request, without getting written authorization from the patient. True or False?

True

You should never keep your password on a piece of paper beside your computer. You should always log off your computer when you leave. True or False?

True

If a healthcare professional needed to review the entire medical record of a patient for treatment purposes, he/she could do so. True or False?

True. Under the Privacy Rule regulations, the healthcare professional could have access to the entire medical record on a patient IF all this information were required for treatment.

All of the following are considered protected health information EXCEPT for:
-Your laboratory test results
-Your nationality and race
-Your credit card information
-Your doctor's office address

Your doctor's office address

The Omnibus Rule created which of the following modifications? More than one answer is correct.
-Strengthened patient rights by requiring any number of data breaches to be notified and inspected
-Incorporated safeguards to protect both PHI and ePHI
-Incorporated safeguards to protect only PHI
-Enforced that business associates are liable and subject to civil penalties in the event of a HIPAA violation

-Strengthened patient rights by requiring any number of data breaches to be notified and inspected
-Incorporated safeguards to protect both PHI and ePHI
-Enforced that business associates are liable and subject to civil penalties in the event of a HIPAA violation

You are a ward clerk responsible for inserting laboratory reports into a patient's medical records. You open their medical record directly to the laboratory tab and insert the report. Flipping through and reading other sections of the medical record that are not applicable to your job responsibilities would be a violation of the HIPAA Privacy Rule. True or False?

True

You are checking your hospital email. You open an email from an unknown sender offering you a free program that will show you the current time of day in all world time zones. You click to download the program. You may have inadvertently downloaded spyware or a virus onto your computer. True or False?

True

As a healthcare worker, I have the right to access anyone's medical records whenever I want to. True or False?

False

The HIPAA privacy regulation prohibits faxing of PHI to other healthcare providers. True or False?

False

You are answering the office phone today. A person claiming to be a patient, whose voice you do not recognize, calls demanding all his test results for the past 6 months. He threatens to complain to the government if you won't immediately read him the results over the phone. Under the HIPAA Privacy Regulations, you must immediately give the patient the requested information over the phone, regardless of your office policy as it pertains to release of patient results. True or False?

False

You may provide medical records to researchers, police, and clergy. All they need to do is ask. True or False?

False

You have access to your friend's laboratory results. She asks you to look up the results for her. What should you do?
-Give the friend the laboratory results.
-Ask the friend to contact her doctor to obtain the results.
-Leave the laboratory results on her voicemail.
-Fax laboratory results to her office.

Ask the friend to contact her doctor to obtain the results.

Which of the following individuals, organizations, or agencies are covered by HIPAA? More than one answer is correct.
-Doctor
-Hospital
-Health insurance company
-Subcontractor who creates, receives, maintains, or transmits PHI on behalf of a business associate

-Doctor
-Hospital
-Health insurance company
-Subcontractor who creates, receives, maintains, or transmits PHI on behalf of a business associate
-All of the above

The HIPAA Privacy Rule applies to covered entities. Which of the following are examples of covered entities?
-Hospitals and physicians' offices
-Patients who are seeking health care
-Health care billing companies
-Hospital and laboratory accrediting agencies

Hospitals and physicians' offices AND Health care billing companies. Covered entities include health care providers, including hospitals and physician offices; health plans, such as health insurance companies; and healthcare clearinghouses, such as billing companies. The privacy of individuals who are seeking health care is protected under HIPAA, but patients are not considered covered entities. Hospital and laboratory ACCREDITING AGENCIES are considered business associates and NOT covered entities. Business associates provide services to covered entities and must have a business associate agreement (BAA) in place.

You are a phlebotomist at a specimen collection center. A patient arrives with orders for a blood glucose test and a lipid profile. You get the patient's address, phone number, health insurance coverage, and when he ate his most recent meal. You then ask him about his recent car accident, his wound infection, and his family. You write down all the extra information. Under the HIPAA Privacy Regulations, which of the following information requests are acceptable? More than one answer is correct.
-Number and age of the patient's children
-Patient's address, phone number, health coverage
-Fasting information
-Information about the patient's car accident and wound

-Patient's address, phone number, health coverage
-Fasting information

Which of these actions could lead to unauthorized access to electronic protected health information (ePHI)?
-Creating computer access codes (security codes) that will limit users' access to only those functions they are authorized to use
-Requiring password entry into the computer system
-Memorizing your password rather than writing it down

Requiring password entry into the computer system

Which of the following is an appropriate way to dispose of unneeded patient reports containing PHI?
-Shred paper reports
-Crumple the paper report before throwing it into the trash
-Wipe, shred, or in some manner destroy if stored on electronic media

-Shred paper reports
-Wipe, shred, or in some manner destroy if stored on electronic media

You have several sets of logins and passwords to access various information systems. The login is your own first initial and last name, but you have difficulty remembering the passwords, so you write them down on a sticky note which you keep on your desk. This is not a good idea, because: More than one answer is correct.
-Someone else might see it and use or misuse your password.
-Your facility's procedures require you to keep your logins and passwords private.
-If someone else uses or misuses your password, you might be responsible for anything they did under your name.
-If you lose the sticky note and haven't memorized your password, you would no longer have access to the systems.

-Someone else might see it and use or misuse your password.
-Your facility's procedures require you to keep your logins and passwords private.
-If someone else uses or misuses your password, you might be responsible for anything they did under your name.
-If you lose the sticky note and haven't memorized your password, you would no longer have access to the systems.
-All of the above

You are a supervisor of a health clinic. During orientation of a new employee, you instruct him to keep the door leading from a patient area to a computer work area locked at all times. On several occasions, he forgets to make sure the door is locked as he leaves. Which of the following are true regarding this situation? More than one answer is correct.
-You should counsel the employee regarding the importance of work area security and the need to keep appropriate doors locked.
-If he continues to leave the doors open, disciplinary action will be necessary.
-You must immediately terminate the employee after the first offense.
-You should remind all employees about the importance of work area security.

-You should counsel the employee regarding the importance of work area security and the need to keep appropriate doors locked.
-If he continues to leave the doors open, disciplinary action will be necessary.
-You should remind all employees about the importance of work area security.

All of the following are examples of HIPAA-regulated business associates EXCEPT for:
-A law firm that accesses PHI to file a case
-An insurance company that requires PHI to confirm a treatment
-A financial consultant that accesses PHI to determine the best financial plan for a client
-A management company that requires PHI to process data

An insurance company that requires PHI to confirm a treatment

You are the scientist in charge of the hematology department in a hospital laboratory. The laboratory manager and the pathologist who oversee the laboratory's Quality Management Program have asked you to review blood count results for 100 patients as part of an internal quality assurance project. You review only the clinical findings in the electronic medical record that are relevant to this study and correlate the findings with the laboratory results. The QA report that you develop does not include any personal information, such as patient names. The following week, you get a call from your hospital security officer. She says that a routine computer system audit has revealed that you accessed the records of 100 patients and she would like to know why. What would be a correct response to her concern, considering the reason you accessed the information?
-That she is interfering with your right to privacy.
-That you needed clinical information to correlate with the blood counts as part of your quality control program.
-That you are working with the laboratory manager and pathologist on an internal quality assurance project.
-That you are sorry, you will never do it again.

That you are working with the laboratory manager and pathologist on an internal quality assurance project.

You are working in a physician's office. The doctor orders laboratory and other diagnostic tests on a patient with suspected Alzheimer's disease. The doctor then asks you to give the patient's name and contact information to the local Alzheimer's support group, without getting permission from the patient or the patient's legal guardian. Does the doctor need authorization from the patient or the patient's legal guardian to do this?
-Yes, authorization IS needed before information is provided to the support group.
-No, authorization is NOT needed before the information is provided to the support group.

Yes, authorization IS needed before information is provided to the support group.
