175 Cards in this Set
ACCESS
One of the rights protected by the Privacy Rule, the right of access allows an individual to inspect and obtain a copy of their own PHI that is contained in a designated record set; also an information security term that refers to the ability to enter an electronic system and make use of the data within it.
ACCESS REPORT
Proposed by the Dept. of HHS in the May 31, 2011, Notice of Proposed Rule-making, it would allow individuals (upon request) to receive a listing from covered entities with EHRs of every person who viewed the individual's designated record set during the previous three years.
ACCOUNTING OF DISCLOSURES
A list of all disclosures made of a patient's HI; Section 164.528 of the Privacy Rule states that an individual has the right to receive an accounting of certain disclosures made by a covered entity within the six years prior to the date on which the accounting was requested.
ADMINISTRATIVE SIMPLIFICATION
The original intent of HIPAA - the streamlining and standardization of the HC industry's non-uniform and seemingly inefficient business practices, such as billing and creating standards for the electronic transmission of data.
AFFILIATED COVERED ENTITIES
Legally separate covered entities, affiliated by common ownership or control; for purposes of the Privacy Rule, these legally separate entities may refer to themselves as a single covered entity.
AMENDMENT REQUEST
The right of individuals to ask that a covered entity amend their HRs as provided in Section 164.526 of the Privacy Rule.
AMERICAN RECOVERY AND REINVESTMENT ACT (ARRA)
Federal legislation that included significant funding for HIT and provided for significant changes to the HIPAA Privacy Rule.
AUTHORIZATION
A patient's permission to disclose PHI; the form or detailed document that gives covered entities permission to use PHI for specific purposes, generally other than for treatment, payment, or HC operations, or to disclose PHI to a third party specified by the individual.
BELMONT REPORT
A statement of ethical principles to prevent the unethical use of human subjects in research, sponsored by the Dept. of HHS.
BREACH
An unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information; it does not include disclosures to unauthorized persons if they would not reasonably be able to retain the disclosed information.
BREACH NOTIFICATION
An ARRA requirement that mandates the notification of individuals following the unauthorized use or disclosure of their PHI, as the information's security or privacy may be compromised.
BUSINESS ASSOCIATE (BA)
A person or organization other than a member of a covered entity's workforce that performs functions or activities on behalf of, or affecting, a covered entity that involve the use or disclosure of individually identifiable HI.
BUSINESS ASSOCIATE AGREEMENT (BAA)
A written and signed contract that allows covered entities to lawfully disclose PHI to business associates such as consultants, billing companies, accounting firms, or others that perform services for the provider, provided that the business associate agrees to abide by the provider's requirements to protect the information's security and confidentiality.
CENTER FOR DEMOCRACY & TECHNOLOGY
A nonprofit public interest organization that promotes privacy in communications technologies; it houses the Health Privacy Project
CLINICAL LABORATORY IMPROVEMENT ACT (CLIA)
A law providing that clinical laboratories disclose test results or reports only to "authorized persons," defined by the law as the person who orders the test unless state law defines them otherwise.
COMPOUND AUTHORIZATION
An authorization that combines informed consent with an authorization for the use and/or disclosure of PHI
CONDITIONED AUTHORIZATION
Requires authorization in order to receive treatment or some other service or benefit.
CONDITIONS OF PARTICIPATION
The standards that govern providers receiving Medicare and Medicaid reimbursements.
CONFIDENTIAL COMMUNICATIONS
As defined by HIPAA, a request that PHI be routed to an alternative location or by an alternative method; must be honored by health plans under HIPAA.
CONSENT
1. A patient's acknowledgment that they understand a proposed intervention, including that intervention's risks, benefits, and alternatives; 2. A patient's agreement that PHI can be disclosed; the document that provides a record of the patient's consent.
COVERED ENTITIES (CE)
Persons or organizations that must comply with the HIPAA Privacy and Security Rules; include HC providers, health plans, and HC clearinghouses
DEIDENTIFIED INFORMATION
Information from which personal characteristics have been stripped and that, as a result, neither identifies nor provides a reasonable basis to believe it could identify an individual.
DESIGNATED RECORD SET (DRS)
A group of records maintained by or for a covered entity encompassing medical records and billing records about individuals and enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan used, in whole or in part, by or for the covered entity to make decisions about individuals
DISCLOSURE
The act of making info known; the release of confidential HI about an identifiable person to another person or entity; release, transfer, provision of access to, or divulging in any other manner of info outside the entity holding the info.
ENFORCEMENT RULE
A rule that created standardized procedures and substantive requirements for investigating complaints and imposing civil monetary penalties for HIPAA violations, as well as a uniform compliance and enforcement mechanism that addresses all of the Administrative Simplification regs, including privacy, security, and transactions and code sets.
FACILITY DIRECTORY
A directory of patients being treated in a HC facility.
FREEDOM OF INFORMATION ACT OF 1967 (FOIA)
A law covering the right of disclosure to and access by the public regarding federal agency records.
FUNDRAISING
Money-generating activities that benefit a HIPAA-covered entity and are subject to the HIPAA Privacy Rule.
HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH (HITECH) ACT
Federal legislation that was passed as a portion of the American Recovery and Reinvestment Act; contains changes to the HIPAA Privacy Rule.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
A law enacted by Congress on August 21, 1996, governing various aspects of health information; federal legislation enacted to provide continuity of health coverage, control fraud and abuse in healthcare, reduce healthcare costs, and guarantee the security and privacy of health information.
HEALTH PRIVACY PROJECT
A nonprofit organization whose mission is to raise public awareness of the importance of ensuring health privacy in order to improve healthcare access and quality.
HYBRID ENTITY
An entity that performs both covered and non-covered functions under the Privacy Rule; for example, a university that educates students and maintains student educational records is not covered by the Privacy Rule. However, the same university, if it operates a medical center, is covered by the Privacy Rule, as it meets the definition of "healthcare provider."
INDIVIDUAL
According to the HIPAA Privacy Rule, a person who is the subject of PHI
INSTITUTIONAL REVIEW BOARD (IRB)
A committee of at least five members with varying backgrounds that determines the acceptability of proposed human subjects research in accordance with institutional policies, applicable law, and standards of professional practice and conduct.
LIMITED DATA SET
PHI that excludes direct identifiers of the individual and the individual's relatives, employers, or household members but still does not de-identify the info.
MITIGATION
Required by the Privacy Rule, the lessening as much as possible of harmful effects that result from the wrongful use and disclosure of PHI; possible courses of action may include an apology, disciplinary action against the responsible employee(s), repair of the process that resulted in the breach, payment of a bill or financial loss that resulted from the infraction, or gestures of goodwill and good public relations that may assuage the individual.
NATIONAL RESEARCH ACT OF 1974
An act that required the Dept. of Health, Education, and Welfare (now the Dept. of HHS) to codify its policy for the protection of human subjects into federal regs and created a commission that generated the Belmont Report.
NOTICE OF PRIVACY PRACTICES (NPP)
A statement (mandated by the HIPAA Privacy Rule) issued by a healthcare organization that informs individuals of the uses and disclosures of patient-identifiable health info that may be made by the organization, as well as the individual's rights and the organization's legal duties with respect to that info
ORGANIZED HEALTHCARE ARRANGEMENT (OHCA)
An agreement characterized by two or more covered entities that share PHI to manage and benefit their common enterprise and are recognized by the public as a single entity (HHS 2003)
PERSONAL REPRESENTATIVE
A person who has legal authority to act on behalf of another individual and who is treated the same as the individual regarding the use and disclosure of the individual's PHI.
PREEMPTION
A legal doctrine that requires a covered entity to comply with federal law when federal and state law conflict (that is, federal law preempts contrary state law).
PRIVACY ACT OF 1974
A law that requires federal agencies to safeguard personally identifiable records and provides individuals with certain privacy rights
PRIVACY BOARD
A group formed by a HIPAA-covered entity to review research studies in which authorization waivers are requested and to ensure the HIPAA privacy rights of research subjects.
PRIVACY OFFICER
A position mandated under the HIPAA Privacy Rule - covered entities must designate an individual to be responsible for developing and implementing privacy policies and procedures.
PRIVACY RULE
HIPAA ACT OF 1996
PROTECTED HEALTH INFORMATION (PHI)
A term defined in the HIPAA Privacy Rule as "individually identifiable health info that is transmitted by electronic media, maintained in electronic medium, or transmitted or maintained in any other form or medium."
PSYCHOTHERAPY NOTES
Behavioral notes recorded by a mental health professional that document the content and impressions of conversations that are part of private counseling sessions; they are not part of the health record and do not contain info such as diagnosis, prescriptions, treatment modalities and test results
REDISCLOSURE
Disclosure by a healthcare organization of info that was created by and received from another entity.
REQUESTS
Ways in which access, use, and disclosure of patient info are made, which may include mail, telephone, physical presence of the requester, fax or email
REQUEST RESTRICTIONS
Under the Privacy Rule, the right of an individual to request that a covered entity limit the uses and disclosures of PHI to carry out treatment, payment, or healthcare operations
RETALIATION AND WAIVER
Rights protected under the Privacy Rule. To ensure the integrity of individuals' rights to complain about alleged Privacy Rule violations, covered entities are expressly prohibited from retaliating against anyone who exercises their rights under the Privacy Rule, assists in an investigation by the Dept. of HHS or other appropriate investigative authority, or opposes an act or practice that they believe is a violation of the Privacy Rule; individuals cannot be required to waive the rights that they hold under the Privacy Rule in order to obtain treatment, payment, or eligibility for enrollment or benefits.
SAFE HARBOR METHOD
The removal of 18 specified identifiers about an individual or the individual's relatives, employers, or household members to de-identify protected health information.
STAND-ALONE AUTHORIZATION
An authorization for the use or disclosure of one's protected health info that is separate from an informed consent for treatment or participation in a research study.
TREATMENT, PAYMENT AND HEALTHCARE OPERATIONS (TPO)
Collectively, these three actions are functions of a covered entity that are necessary for the covered entity to successfully conduct business; thus, many of the Privacy Rule's requirements are relaxed or removed where PHI is needed for purposes of treatment, payment, or healthcare operations.
UNCONDITIONED AUTHORIZATION
Authorization is not required in order to receive treatment or some other service or benefit.
USE
The HIPAA definition, with respect to individually identifiable health info, is the sharing, employment, application, utilization, examination, or analysis of such info within an entity that maintains such info.
WORKFORCE
Under the HIPAA Privacy Rule, employees, volunteers, trainees, and other persons, whether paid or not, who work for and are under the direct control of the covered entity.
The Privacy Rule resides in the administrative simplification provision of Title II of HIPAA
True
The HITECH Act of ARRA of 2009 made significant changes to the HIPAA Privacy Rule
True
The FOIA was enacted to address the privacy of health info
False
Drug and alcohol abuse treatment records have received protection under federal law
True
The Conditions of Participation regulate only providers who receive funds from Medicare and Medicaid programs
True
A CE needs only consider its employees when evaluating HIPAA compliance within the organization
False
The HITECH Act has strengthened BA requirements regarding compliance with the Privacy Rule
True
In part, info must be individually identifiable to meet the definition of PHI
True
De-identified info receives Privacy Rule protection
False
A BA is anyone who might have access to a CE's PHI
False
Under the Privacy Rule, a personal rep must be treated the same as the individual regarding the use and disclosure of the individual's PHI
True
By definition, a DRS includes billing records.
True
A hospital employee's pre-employment physical examination is in his personnel file in Human Resources; this report is PHI
False
A university with a medical center is a hybrid entity under the Privacy Rule
True
Some of the Privacy Rule's requirements are relaxed or removed where PHI is needed for purposes of TPO
True
The HIPAA consent explains an individual's rights and the CE's legal duties with respect to PHI
False
Per the HIPAA Privacy Rule, patient authorization is required for the use or disclosure of PHI unless it meets an exception whereby authorization is not required.
True
Although an individual must verbally agree to be included in a facility directory, written authorization is not required
True
One of the 12 public interest and benefit exceptions to the authorization requirements is disclosure to organ procurement agencies.
True
Incidental disclosures do not require an individual's written authorization
True
Under no circumstances should health records from other facilities be made part of an organization's DRS
False
The minimum necessary principle applies to disclosures made for TPO purposes
False
An individual has the right of access to her psychotherapy notes
False
Per HITECH, an accounting of disclosures will be required in the future for TPO disclosures made by covered entities with EHRs
True
Complaints about alleged Privacy Rule violations must be submitted to the covered entity
False
The threshold for required media notification in the event of a privacy breach is 300 affected individuals
False
All the activities that meet the HIPAA definition of marketing must receive prior written authorization from the individual
False
The breach notification requirement is new under HITECH
True
Fundraising activities that target individuals based on diagnosis require prior authorization
True
A conditioned authorization may be allowed by ARRA in certain situations
True
The privacy Rule provides a floor, or minimum, of privacy requirements
True
Breach notification is one type of mitigation under the Privacy Rule
True
In order to simplify processes, individuals may be required to waive their rights under the Privacy Rule to obtain treatment or benefits eligibility
False
Under HITECH, state attorneys general may bring civil actions in federal district court on behalf of residents believed to have been negatively affected by a HIPAA violation
True
Enforcement of the Privacy Rule will continue to operate exclusively on a complaint-based system
False
Mitigation is best described as:
lessening the harmful effects of wrongful use or disclosure of PHI
Linda Wallace is being admitted to the hospital. She is presented with a "Notice of Privacy Practices." In the Notice, it is explained that her PHI will be used and disclosed for treatment, payment and operations (TPO) purposes. Linda states that she does not want her PHI used for those purposes.
The hospital is not required to honor her wishes
The privacy rule resides in:
Title II of HIPAA
"Public interest and benefit" uses and disclosures under the privacy rule:
Don't require the patient's agreement or authorization
Which of the following statements is true? A HIPAA authorization:
May be revoked as long as it is in writing
Which of the following are elements that make information "PHI" under the HIPAA privacy rule?
Identifies an individual, In the custody of or transmitted by a CE or its BA, Relates to one's health condition
Blake Hospital retains Barry & Associates, an accounting firm, to handle its audit functions. Some of its functions include access to PHI. Which of the following statement(s) is/are true about Barry & Associates?
It is a business associate because it uses or discloses individually identifiable health information on behalf of the hospital
Debbie, an HIM professional, was recently hired as the privacy officer at a large physician practice. She observes the following practices. Which is a violation of the HIPAA privacy rule?
Dr. Lawson gives names of asthma patients to a pharmaceutical company
Today, Janet Kim visited her new dentist for an appointment. She was not presented with a Notice of Privacy Practices. Is this acceptable?
No, it is a violation of the HIPAA privacy rule
Per HIPAA, healthcare operations:
Are subject to the minimum necessary requirement
Jeremy was required to undergo a physical exam prior to becoming employed by San Fernando Hospital. Jeremy's medical information is:
Not protected by the privacy rule because it is part of a personnel record
The designated record set:
Includes medical and billing records
If Sheri requests a copy of her health record from a provider, according to HIPAA the provider:
May charge for the cost of copying
Of the following options, a sign-in sheet at a physician's office is best described as:
Incidental disclosure
Susan is completing her required high school community service hours by serving as a volunteer at the local hospital. Relative to the hospital, she is considered a(n):
Workforce member
Under HIPAA, which of the following is not considered a covered entity?
Outsourced transcription company
The minimum necessary standard:
Applies to both uses and disclosures of PHI
The HIPAA privacy rule:
Sets a minimum (floor) of privacy requirements
Per the HIPAA privacy rule, a hybrid entity is defined as one that:
Performs both covered and non-covered functions under the privacy rule
Mercy Hospital personnel need to review the medical records of Katie Grace for utilization review purposes (#1). They will also be sending her records to her physician for continuity of care (#2). As they pertain to Mercy Hospital, these two functions are:
Use (#1) and disclosure (#2)
The privacy rule generally requires documentation related to its requirements to be retained:
6 years
Breach notification requirements apply to:
HIPAA covered entities, HIPAA covered entities and their BAs, Non-HIPAA covered entities and BA
Under the privacy rule, the following must be included in a patient accounting of disclosures:
State-mandated report of a sexually transmitted disease
Medical information loses PHI status and is no longer protected by the HIPAA privacy rule when it:
Is de-identified
Which of the following is not a HIPAA identifier?
Gender
St. Joseph's Hospital has a psychiatric service on the sixth floor of the hospital. A 31-year-old male has come to the HIM department and requested to see a copy of his medical record. He has told your clerk he was a patient of Dr. Schmidt, a psychiatrist, and was on the sixth floor of St. Joseph's for the last two months. These records are not psychotherapy notes. The best course of action for you to take, as the HIM director, is: A) prohibit the patient from accessing his record, as it contains psychiatric diagnoses that may greatly upset him. B) allow the patient to access his record. C) allow the patient to access his record if, after contacting his physician, his physician does not feel it will be harmful to the patient. D) deny access because HIPAA prevents patients from reviewing their psychiatric records.
C
The Kids Foundation, a foundation related to Children's Hospital, is mailing fundraising information to the families of all patients who have been treated at Children's in the past three years. Based on the facts given: A) Children's Hospital violated the privacy rule by giving information to the foundation. B) The privacy rule was not violated as long as the fundraising activity was not based on the patients' diagnoses. C) Children's Hospital must have notified the patients/patients' guardians of this disclosure in the Notice of Privacy Practices. D) b and c. E) none of the above
D
Shirley Denton has written to request an amendment to her PHI from Bon Voyage Hospital, stating that incorrect information is present on the document in question. The document is an incident report from Bon Voyage Hospital, which was erroneously placed in Ms. Denton's health record. The covered entity declines to grant her request based on which privacy rule provision? A) It was not created by the covered entity. B) It is not part of the designated record set. C) Both a and b D) None. The covered entity must grant her request.
B
Champion Hospital retains Hall, Hall and Hall, a law firm, to perform all of its legal work, including representation during medical malpractice lawsuits. Which of the following statement(s) is/are correct? A) The law firm is not a business associate because it is a legal, not a medical, organization. B) The law firm is a business associate because it performs activities on behalf of the hospital. C) The law firm is a business associate because it uses or discloses individually identifiable information. D) The law firm is not a business associate because the privacy rule prohibits it from using individually identifiable information. E) a and d F) b and c
F
Which of the following is not an identifier under the privacy rule? A) Visa account 2773 985 0468 B) vehicle license plate BZ LITYR C) age 75 D) street address 265 Cherry Valley Road
C
Lane Hospital has a contract with Ready-Clean, a local company, to come into the hospital to pick up all of the facility's linens for off-site laundering. Ready-Clean is: A) a business associate because Lane Hospital has a contract with it. B) not a business associate because it is a local company. C) a business associate because its employees may see PHI. D) not a business associate because it does not use or disclose individually identifiable health information.
D
Jeremy Lykins was required to undergo a physical exam prior to becoming employed by San Fernando Hospital. Jeremy's medical information is: A) protected by the privacy rule because it is individually identifiable. B) not protected by the privacy rule because it is part of a personnel record. C) protected by the privacy rule because it contains his physical exam results. D) protected by the privacy rule because it is in the custody of a covered entity.
B
Which of the following statements does the privacy rule not require the Notice of Privacy Practices to contain: A) a description (including at least one example) of the types of uses and disclosures the covered entity is permitted to make for treatment, payment, and healthcare operations. B) a description of each of the other purposes for which the covered entity is permitted or required to use or disclose PHI without the individual's written consent or authorization. C) a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization. D) a statement that all disclosures will be prohibited from future redisclosures.
D
Jack Mitchell, a patient in Ross Hospital, is being treated for gallstones. He has not opted out of the facility directory. Callers who request information about him may be given: A) no information due to the highly sensitive nature of his illness. B) admission date and location in the facility. C) general condition and acknowledgement of admission. D) location in the facility and diagnosis.
C
Which of the following disclosures provides an individual with the opportunity to agree? A) facility directory B) treatment, payment and operations C) regarding Workers Compensation D) information regarding decedents
A
Central City Clinic has requested that Ghent Hospital send its hospital records from Susan Hall's most recent admission to the clinic for her follow-up appointment. Which of the following statements is true? A) The privacy rule requires that Susan Hall complete a written authorization. B) The hospital may send only discharge summary, history and physical, and operative report. C) The privacy rule's minimum necessary requirement does not apply. D) This public interest and benefit disclosure does not require the patient's authorization.
C
Per the privacy rule, which of the following requires authorization for research purposes? A) use of Mary's information about her myocardial infarction, de-identified B) use of Mary's information about her asthma, in a limited data set C) use of Mary's individually identifiable information related to her asthma treatments D) use of medical information about Jim, Mary's deceased husband
C
The privacy rule permits charging patients for labor and supply costs associated with copying health records. Mercy Hospital is located in a state where state law allows charging patients a $100 search fee associated with locating records that have been requested. A) State law will not be preempted in this situation. B) The privacy rule will preempt state law in this situation. C) The privacy rule never preempts existing state law. D) The privacy rule always preempts existing state law
B
Comparing HIPAA to the Federal Privacy Act of 1974: A) HIPAA applies more specifically to medical information. B) both HIPAA and the Federal Privacy Act apply to all Medicare records. C) HIPAA applies only to Medicare and Medicaid records. D) the Federal Privacy Act applies only to records of insured patients.
A
The administrative simplification portion of Title II of HIPAA addresses the following
- privacy rule of confidentiality of patient health information
- security regulations for protected health information
- uniform standards for transactions and code sets
Under HIPAA, the following are named as a covered entity:
- health plan
- healthcare clearinghouse
- healthcare provider
If a treatment, payment, and operation (TPO) is presented and the patient does not want it
the facility is not required to honor her wishes
An original goal of HIPAA Administrative Simplification was to standardize:
the electronic transmission of health data
The HIPAA-recognized consent is a patient's agreement to:
use or disclosure for TPO purposes
What does the privacy rule not require:
signature of the patient's attending physician
Which of the following is not an element that makes information "PHI" under the HIPAA privacy rules?
contained within a personnel file
When a staff member has to review a patient's case for readmission purposes within 14 days after discharge, the review of the patient's medical records is
healthcare operations
A volunteer at a local hospital is considered a(n)
workforce member
Explain why it meets HIPAA's definition of BA:
Under HIPAA as originally written, BAs were bound by the law by virtue of their association (via contract) with one or more CEs. BUT HITECH has changed this by directly requiring organizations or individuals meeting the definition of BA to comply with certain provisions of HIPAA
What are the differences between the privacy and security rules:
- privacy rule protects PHI (protected health information) regardless of the medium on which it resides
- security rule protects electronic PHI
What are examples of a hospital's business associate (BA):
transcriptionist, accounting firms
You do not need to worry about oral communications involving PHI since verbal exchanges are not governed by the HIPAA privacy rule.
False-PHI can be transmitted or maintained in any form or medium, including hardcopy, verbal exchanges, and electronic exchanges, such as e-mail.
As long as patient information is not contained on NSU forms or records, it is not PHI and therefore not governed by the privacy rule and policies.
False-PHI can be maintained in any form or medium. For example, if you make handwritten notes for your own use or write a paper that identifies a patient, the information becomes PHI regardless of whether it is on official NSU forms or contained in NSU records.
NSU students are responsible for complying with the HIPAA policies implemented in the NSU clinics in which they train.
True-Like clinic staff and faculty providing services in the various NSU clinics, students must comply with the HIPAA policies implemented by the applicable NSU departments. Moreover, when training at affiliate locations, students will be responsible for complying with the policies implemented by the NSU affiliate institutions and clinics.
NSU clinics are responsible for providing patients with NSU's HIPAA Notice at each patient visit.
False-The HIPAA Notice must be given to all patients only one time. Unlike informed consents and similar documents, providing the HIPAA Notice is not a continuing obligation.
A patient who has been provided NSU's HIPAA Notice can request an additional copy at another visit.
True-Although affirmatively providing the patient with a Notice is a one-time obligation, clinic employees are responsible for providing another copy to a patient who requests another copy.
When signing the Acknowledgment form, the patient's signature means that he/she agrees with the Notice.
False-As part of providing the Notice to the patient, the privacy rule requires that NSU clinics make a good faith effort to obtain a signed or initialed Acknowledgment from the patient or the patient's personal representative. This Acknowledgment form simply states that the patient received the Notice. The patient is not signing that he/she agrees with the Notice.
If a patient is a competent adult, the NSU clinic staff should request that the patient sign all HIPAA forms such as the acknowledgment of Notice.
True-The personal representative provisions of HIPAA only come into play with incompetent adults, minors and deceased patients. Accordingly, competent adults should act on their own behalf.
In general, due to the sensitivity of health information a 16-year-old patient should always act on his or her own behalf for HIPAA privacy purposes.
False-Unless the 16-year-old has been emancipated, he or she has a personal representative for HIPAA purposes. In Florida, a minor is emancipated if he or she is married, is 18 years of age, a court has entered an emancipation order, or he or she has been adjudicated an adult and is in the custody or under supervision of the Florida Department of Corrections.
A child's non-custodial parent may not request the child's medical records unless the custodial parent has given consent.
False-Under Florida law, the child's non-custodial parent is considered a personal representative and thus can request copies of the child's records under HIPAA unless there is a specific court order restricting the non-custodial parent's access to medical records.
Clinic staff, students and faculty are not permitted to disclose a patient's PHI to a billing company or billing department or billing personnel unless a written authorization has been obtained from the patient.
False-The HIPAA privacy rule allows uses and disclosures of a patient's PHI without obtaining a consent or authorization for purposes of getting paid for services. This includes disclosing PHI to those providing billing services for the clinic.
Prior to communicating about a patient for purposes of coordination of care with another health care provider outside of the NSU department, the patient's written authorization must be obtained.
False-The HIPAA privacy rule allows the use and disclosure of a patient's PHI without obtaining a consent or authorization for purposes of treatment. This includes exchanges of information for coordination of care, consultations and referrals.
NSU students are permitted to use a patient's PHI in the clinic in connection with the student's involvement with the patient's treatment at the clinic without obtaining a HIPAA authorization from the patient.
True-Students' use of PHI in the clinic is considered part of the clinic's health care operations. The clinic's health care operations include conducting student-training programs.
Unless the patient is given the verbal opportunity to object, clinic staff should not discuss billing information involving the patient's diagnosis with the patient's husband.
True-Unless a limited exception applies, a patient must be given the verbal opportunity to object to disclosures made to family members.
A patient's PHI should never be discussed with a family member unless a written HIPAA authorization is on file.
False-The HIPAA privacy rule allows disclosures of a patient's PHI to a family member or friend who is involved in the patient's health care or payment of health care provided the information is relevant to their involvement. Although the patient must be given the opportunity to verbally object to most disclosures to family members, a written HIPAA authorization need not be obtained.
If a patient objects to a disclosure to a family member, clinic staff should not discuss the patient's PHI with the family member.
True-The HIPAA privacy rule does not allow disclosures of PHI to family members when the patient objects to the disclosure.
Unless a HIPAA authorization is on file signed by the patient, a patient's PHI can never be disclosed in connection with a Medicare audit of a NSU clinic.
False-The HIPAA privacy rule allows disclosures of a patient's PHI, without an authorization, for health oversight activities such as audits and investigations of health care providers.
In most cases, disclosures of PHI under the special circumstances categories must be documented.
True-The HIPAA privacy rule requires that most special circumstances disclosures be documented as patients have the right to request an accounting of such disclosures. The documentation of the disclosures must contain: date of the disclosure; name of the receiver of the information; description of the PHI disclosed; and a brief statement of the purpose of the disclosure.
Clinic staff are responsible for obtaining a patient's signed authorization for using the patient's information in connection with the clinic's payment activities.
False-As discussed in previous lessons, the HIPAA privacy rule allows NSU clinics to use and disclose a patient's PHI without obtaining an authorization in a number of circumstances including for payment purposes.
Clinic staff can request that patients sign a blank authorization form, which can be used by the NSU clinic to disclose the patient's PHI at any time.
False-The HIPAA authorization differs from typical blanket releases that are often used by health care providers. As discussed in previous lessons, the HIPAA privacy rule allows NSU clinics to use and disclose a patient's PHI without obtaining an authorization in a number of circumstances including for payment purposes.
Prior to discussing a patient's PHI with their employer, the NSU clinic must have a HIPAA authorization signed by the patient for such disclosure.
True-As the disclosure is for purposes outside of the clinic's own treatment, payment and operations, the HIPAA privacy rule requires the NSU clinic to obtain the patient's authorization prior to discussing or sharing PHI with the patient's employer.
A handwritten note with a patient's diagnosis and room number is protected health information.
False-The patient's diagnosis and room number are not "identifiers". Therefore, the information is de-identified and is no longer protected health information.
Handwritten notes containing a patient's name and diagnosis cannot be removed from the clinical setting without de-identification.
True-The handwritten notes are protected health information (PHI). In general, you will not be permitted to remove this information from the clinical setting without de-identification. Information could be de-identified in this scenario by blacking out the patient's name.
You would be permitted to prepare a case study to present to your fellow students including the following information: the patient's sex, age (if less than 89), diagnosis, list of medications, list of past surgeries, and symptoms.
True-In this circumstance, the information has been de-identified and can be taken from the clinical setting.
Although patients may request copies of their medical records, they are not generally allowed to see copies of the original records.
False-With regard to requesting access to records, NSU clinic patients can request to receive a copy of their medical records or billing records. Also, they are allowed to inspect the original records.
In general, NSU clinics must amend a patient's medical record at their request.
False-Unlike the request to access records, many requests to amend records can be appropriately denied. For example, the NSU clinic may deny amendment requests when the information is accurate and complete or when the information has not been created by the NSU clinic.
Although in most cases a patient is entitled to get copies of his or her records, NSU clinics do not have to respond in a specific time frame.
False-Under the HIPAA privacy rule, NSU clinics are responsible for acting on patient requests for copies of their records in a timely manner: within 30 days for records stored on-site and 60 days for records stored off-site.
NSU clinic patients should be encouraged to refrain from filing privacy complaints.
False-The HIPAA privacy rule prohibits health care providers from intimidating, threatening or otherwise retaliating against patients who file privacy complaints. This would include trying to dissuade patients from filing complaints, as they are entitled to file complaints if they feel their privacy has been violated.
It is not appropriate for clinic staff, students or faculty to request that a patient waive their right to file a complaint directly with the federal government.
True-The HIPAA privacy rule does not permit health care providers to request that patients waive their right to file privacy complaints with the government. Also remember that patients who file complaints with the clinic or the government cannot be treated differently than other patients.
Clinic staff, students and faculty could be subject to disciplinary action for violating a patient's privacy.
True-Under the HIPAA privacy rule, the NSU clinics are required to take appropriate action in response to breaches of patient privacy. As part of the NSU clinics' policies on complaints, departments will determine whether disciplinary action should be taken and the type of action to be taken.
Since students are involved in treating patients, they are allowed free access to all patient medical records stored in the clinic.
False-The HIPAA privacy rule considers the operation of training programs as health care operations and not treatment and thus the minimum necessary rules have to be followed. Accordingly, NSU students are not allowed to freely access patient records if the student is not participating in the care of the patient.
Clinic staff should only access patient information in connection with performing their clinic job duties.
True-The minimum necessary requirements in the HIPAA privacy rule are intended to ensure that patient information is only accessed by those with a need to know the information. For example, it would not be appropriate for a staff member to access information out of curiosity.
HIPAA's minimum necessary rule and the NSU clinic policies on only accessing information on a need to know basis are not intended to interfere with proper patient treatment.
True-It is important to keep in mind that the clinic policies should not be interpreted in any way that would compromise patient treatment. The HIPAA privacy rule recognizes that need to know policies should not interfere with proper patient care.