
HCCA – CHPC Exam Actual Exam and Study Guide: Comprehensive 300 Questions and Answers, Quizzes of Applied Computing

A comprehensive study guide for the hcca – chpc exam, covering key concepts related to hipaa compliance, including the role of business associates, designated record sets, and the use and disclosure of protected health information (phi). It includes 300 questions with detailed answers, providing a valuable resource for individuals preparing for the exam.

Typology: Quizzes

2024/2025

Available from 02/13/2025

ExcelHub

870 documents


HCCA – CHPC EXAM ACTUAL EXAM AND STUDY GUIDE LATEST COMPLETE COMPREHENSIVE 300 QUESTIONS AND CORRECT DETAILED ANSWERS (CITED) JUST RELEASED ALREADY GRADED A+

"What is a Controlling Health Plan (CHP)? - CORRECT ANSWER=> Health plan that controls its own

business, actions, activities, and policies; Controls the subhealth plan (SHP). This applies to state Medicaid plans. For instance, the CHC is the state Medicaid, and the SHP would be the local administrator. Re: HCCA Privacy Compliance Handbook"

"Describe what to do with a "required" implementation specification - CORRECT ANSWER=>

Implement the specification as presented"

"Describe what to do with an "addressable" implementation specification - CORRECT ANSWER=>

Implement as presented, or if not reasonable and appropriate implement an equivalent alternative measure."

"Designated Record Set (DRS) - includes: - CORRECT ANSWER=> Group of records maintained by or for

a Covered Entity that comprises the following:

  1. medical/billings records
  2. enrollment/payment/claims adjudication/case management by health plan
  3. other records used by or for covered entity to make decisions about individuals"

"Designated Record Set (DRS) - records excluded from DRS: - CORRECT ANSWER=> Administrative data

(audit trails, appointment schedules, that don't imbed PHI). Incident reports. Quality Assurance Data. Statistical reports."

"DVD medical records are destroyed by - CORRECT ANSWER=> Shredding and cutting"

"Few other examples for use or disclosure of PHI other that TPO: - CORRECT ANSWER=> Public health

interest, research, serious threat, organ/tissue donation decedent information, worker's compensation insurers."

"What are examples of a BA? - CORRECT ANSWER=> BA (Business Associate) - performs functions or

activities on behalf of a covered entity that involve access by the business associate to protected health information. Examples: claims processing data analysis billing benefit management quality assurance quality improvement practice management legal actuarial accounting accreditation other administrative services https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html" "True or False: A hospital is not required to have a business associate contract with the specialist to whom it refers a

patient and transmits the patient's medical chart for treatment purposes. - CORRECT ANSWER=> TRUE

Remember, use and disclosure of PHI for purposes of TPO requires no specific authorization" "True or False: Business Associates After HITECH: HITECH made business associates directly responsible for HIPAA compliance within their individual

businesses that would not otherwise be subject to HIPAA regulations and penalties - CORRECT

ANSWER=> TRUE

Even if no written contract exists between the covered entity and a contracted company performing services related to handling PHI in some form, the company is deemed a business associate by law. This deemed status essentially classifies contracted vendors or individuals as business associates solely by the nature of the services they provide to a covered entity, regardless of whether they intended to be classified as business associates or were aware of their status as such. HIPAA and HITECH may hold these vendors to business associate obligations as long as they act as business associates. Likewise, a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is a business associate. A subcontractor of a subcontractor is a business associate as well, and so on down the line. Ref. 2023 HCCA Complete Healthcare Compliance Manual Ref. HITECH Act and OCR's 2013 final rule"

The specific data flows are outlined in the Transaction & Code Set Rules 45 CFR 162.100 - 162. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-162"

"True or False: A physician is required to have a business associate contract with a laboratory as a condition of disclosing protected health information for the treatment of an individual. - CORRECT ANSWER=> FALSE
Remember, use and disclosure of PHI for purposes of TPO requires no specific authorization"

"True or False: A hospital laboratory is not required to have a business associate contract to disclose protected health information to a reference laboratory for treatment of the individual. - CORRECT ANSWER=> TRUE
Remember, use and disclosure of PHI for purposes of TPO requires no specific authorization"

"True or False: Research use/disclosure with individual authorization does not expire or continue until the end of the research study - CORRECT ANSWER=> TRUE
https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html"

"True or False: Research use/disclosure with individual authorization may be combined with an authorization for a different research activity if research related treatment is conditioned on the provision of one of the authorizations - CORRECT ANSWER=> TRUE
https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html"

"True or False: Research use/disclosure with individual authorization may be combined with other legal permission or consent to participate in the research - CORRECT ANSWER=> TRUE
https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html"

"True or False: Is it possible for a facility with multiple provider functions to have certain isolated providers or groups who are subject to Part 2, while the facility as a whole is not subject to Part 2? For example, a large facility may have primary care providers and a separate unit that provides SUD services. - CORRECT ANSWER=> TRUE
Explanation: The SUD unit is subject to Part 2, but the rest of the facility is not."

"True or False: An individual provider who works in a general medical facility could also be a Part 2 program IF the provider's primary function is to provide SUD services. - CORRECT ANSWER=> TRUE
Explanation: For example, a primary care physician who provides medication-assisted treatment would only meet the requirement if providing services to persons with SUD is their primary function. However, if a patient were to receive both primary care and SUD treatment, the SUD providers are still subject to Part 2 and could not share information with the patient's primary care provider without consent."

"True or False: A program or facility that provides both SUD services and Mental Health Services, and a patient has been admitted to receive both services, his/her records will be subject to the Part 2 regulations - CORRECT ANSWER=> FALSE
Explanation: Mental health information is not subject to the standards in 42 CFR Part 2 and can be shared without consent for treatment purposes, including care coordination, as allowed under HIPAA. Only records or information about patients receiving SUD services will be subject to Part 2, and their use/disclosure is more restrictive. However, to allow appropriate mental/behavioral health information sharing with SUD information, a Qualified Service Organization Agreement (QSOA) would be needed as defined in the 42 CFR 2.11 "Qualified service organization" section."

"What are the 4 federal regulations and/or government agencies that govern the privacy of individually identifiable info in research - CORRECT ANSWER=>
  1. HHS-FDA (protections of human subjects and IRBs)
  2. HHS-NIH (certificate of confidentiality)
  3. HHS-Office of Human Research Protections (Common Rule)
  4. HHS-OCR - HIPAA Privacy Rule
Ref. HCCA Privacy Handbook 3rd Ed"

"Certificates of Confidentiality (CoC) are a formal confidentiality protection for the privacy of human research participants enrolled in biomedical, behavioral, clinical and other forms of sensitive research. CoCs are issued by the NIH or the FDA, and are authorized by law by the P___ H___ S___ Act - CORRECT ANSWER=> Public Health Services Act."

"The Privacy Act of 1974 was created in response to the government creating and using computer databases. The Act places restrictions on how government can share the information with other individuals and agencies, and ultimately protect the privacy of individuals that is maintained in Systems of Records by federal agencies. Before a federal agency begins to collect personal information for a system of records, an advanced public notice must be published in the Federal Register, which outlines the administrative, technical, and physical safeguards for protecting the personally identifiable

information being collected. This "public notice" is called" - S____ of R_____ N__ (SORN) - CORRECT

ANSWER=> system of records notice (SORN)

ref. HCCA privacy handbook 3rd ed. "Privacy Act 1974" section"

"True of False:

OHCAs and ACEs are able to produce a joint Notice of Privacy Practice (NPP) - CORRECT ANSWER=>

FALSE

Explanation: OHCAs are joint arrangements, have an Integrated Delivery System, and therefore agree to abide by the terms of the notice with respect to PHI created or received by the covered entity as part of its participation in the OHCA. ACEs are legally separate covered entities working together and unable to use a joint NPP and they might still have separate EHRs, separate HIM/ROI functions, etc. and therefore, the PHI data is not create or receive in the same manner. See 45 CFR 164.520(d) https://www.law.cornell.edu/cfr/text/45/164.520" "True or False: It is your last day at your pediatric clinical site and you are saying goodbye to all of your favorite patients. You take a picture on your phone of a few of the patients posing together and later post it to your private blog as an illustration of your last day. Since your blog is private and can only be accessed by those who

know the URL, you are not in violation of HIPAA regulations. - CORRECT ANSWER=> FALSE"

"Fill in the blank: In the mid-1990s, OIG began to require providers settling civil health care fraud cases to enter into specific type of agreements as a condition for OIG not pursuing exclusion. These agreements are referred

as: - CORRECT ANSWER=> Corporate integrity Agreements (CIA)"

"The foundation for establishing a good relationship with a vendor is the Contract. A contract is an exchange of promise, services for money, with a specific remedy for breach of contract. What are some

of the key basic elements to contracts. - CORRECT ANSWER=> Basic key elements to contacts include:

I. Agreement (Offer and Acceptance) II. Capacity to contract (ability to perform, ask for proof, bios of staff that will perform the critical services) III. Consideration (remuneration must be defined) IV. Legal purpose (legal requirements, defined measures including subcontractors responsibilities) V. Legality of form (use key legal language or clauses, assurances) VI. Intention to create legal relations (statement of parties intent to be "legally bound" to abide to mandates) VII. Consent to contract (required signatures) VIII. Mistakes, undue influence (if things go wrong, list alternative options)" "True or False:

Regarding vendor relations, the privacy professional must ensure that the contract supports the privacy profile. This includes clearly outlining privacy impacts, clauses, mandates, remedies from the vendor's

services to ensure expectations are met, even when things go wrong. - CORRECT ANSWER=> TRUE

HCCA Privacy Compliance Handbook - Vendor Relations and Privacy Section" "A Covered Entity may denied an individual access to their PHI under specific circumstances set forth in 45 CFR 164.524 (a)(2), which of the following doesn't fall under those circumstances: a. Request for psychotherapy notes b. if it jeopardizes the health, safety, security, rehab of individual (e.g. inmate's' request, suicidal patient) c. during the course of research/clinical trial

d. to request restrictions of their PHI - CORRECT ANSWER=> a. Request for psychotherapy notes

Under the HIPAA Privacy Rule, individual has the right to request a copy, an amendment and restrictions to their PHI, request confidential communications involving your PHI, and list of disclosures. See 45 CFR § 164.524 (a)(2) https://www.hhs.gov/hipaa/for-professionals/faq/2046/under-what-circumstances-may-a-covered- entity/index.html https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html" "38 U.S.C. 7332 deals with confidentially of patient medical record information related to: a. drug abuse, sexually transmitted diseases, and tuberculosis b. HIV/AIDS status c. drug abuse, alcoholism, infection with the HIV virus, and sickle cell anemia

d. mental illness, HIV status, drug and alcohol abuse - CORRECT ANSWER=> c. drug abuse, alcoholism,

infection with the HIV virus, and sickle cell anemia" "True or False:

The Minimum Necessary is a key concept under the HIPAA security rule - CORRECT ANSWER=> FALSE

It is a key concept under the PRIVACY Rule." "Re: HIPAA Authorization Is there any information we can release to a person who is calling on behalf of a patient who is not

authorized in a release form? - CORRECT ANSWER=> Patient must be given an "opportunity to agree or

object" keeping in mind:

  1. you can obtain patient's agreement verbally, over the phone, BUT makes notes in file
  2. only disclose the Minimum Necessary https://thehipaaetool.com/hipaa-authorization-required/" "Re: HIPAA Authorization

"IIHI - CORRECT ANSWER=> Individually Identifiable Health Information

It's any part of an individual's health information, including demographic information (e.g. address, date of birth) collected from the individual"

"PHI - CORRECT ANSWER=> Protected Health Information

Info transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. (PHI excludes IIHI education records covered by FERPA)"

"What is de-identified information? - CORRECT ANSWER=> Removing the HIPAA individual identifiable

information. This is accomplish by two methods: Expert Determination: de-identification of PHI by an expert (statistical or scientific principles) Safe Harbor: removing the 18 identifiers https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html"

"What is re-identification? - CORRECT ANSWER=> CE may assign a number for re-identification;

however, the creation of the numbering system should not be based on the information and the CE is forbidden from disclosing the e-identification scheme. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html"

"What's the Minimum Necessary? - CORRECT ANSWER=> Use/disclose limited PHI to accomplish the

intended purpose of the use, disclosure, or request. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html"

"The Minimum Necessary DOES NOT apply to? - CORRECT ANSWER=> does not apply to:

TPO

To the individual directly To the HHS Secretary or required by law When authorization is granted"

"Where does Minimum Necessary link to in the Security rule? - CORRECT ANSWER=> Role Based

Access - can content filters be used to support the privacy concept"

"Who can Deceased Individuals information be released to at anytime? - CORRECT ANSWER=>

coroners or medical examiners (and Funeral Directors as necessary to carry out their duties with respect to the decedent) https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.512"

"Preemption under HIPAA means - CORRECT ANSWER=> Federal law states that it preempts or

overrides (supersedes) state law on a particular issue, then federal law is the law that must be followed. In general, HIPAA preempts state law that is "contrary" to the federal rule. In many cases, complying with the stronger standard (more stringent) will allow you to comply with both state law and HIPAA. Example 1: if state law gives a provider 10 days to respond to a patient's request for a copy of his medical records, and HIPAA allows 30 days, you can comply with both state and federal law by responding within 10 days. Example 2: if state law requires longer period for record keeping than the federal law, then go with the longer period. https://library.ahima.org/doc?oid=59816#.YlTLkOjMI2w"

"Valid Authorization core elements (see 45 CFR § 164.508(c)(1)): - CORRECT ANSWER=> 1. meaningful

description of the information to be disclosed

  1. name of the individual/person authorized to make the requested disclosure
  2. name or other identification of the recipient of the information
  3. description of each purpose of the disclosure
  4. expiration date for the authorization
  5. signature and date of the individual or their personal representative (someone authorized to make health care decisions on behalf of the individual) https://www.law.cornell.edu/cfr/text/45/164. and https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/authorization/ index.html"

"Valid Authorization 3 key statements (see 45 CFR § 164.508(c)(2)): - CORRECT ANSWER=> The

statements are to be included in a valid Authorization:

  • A statement of the person's right to revoke the authorization, exceptions to this right, and a description of how to revoke:
  • A statement that treatment, payment, enrollment or eligibility for benefits may NOT be conditioned upon signing the authorization;
  • A statement regarding the potential that the information disclosed pursuant to the authorization may be re-disclosed by the recipient and, if so, it may no longer be protected by a federal confidentiality law; Note: the person signing the authorization has the right to (or will receive) a copy of the authorization. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.508" "Fill in the blanks: The three types of AUTHORIZATION: VALID - must have all the 6 required core elements and 3 statements/notices D_______ - lacks any of the required elements/statements, or expiration date has passed, or revoked, etc.
  1. the research could not be conducted without proper access to the use of the PHI. 45 CFR 164.512 (i) (2)"

"What's malicious software? - CORRECT ANSWER=> malware, is software that is used to control or take

over applications, workstations, or servers, damage/disrupt a system. See Security Rule, definitions - 45 CFR 164. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.304"

"A covered entity may use or disclose PHI for TPO...what does TPO stand for - CORRECT ANSWER=>

Treatment Payment Health Care Operations" "True or False: Payer/health plans are allowed to use/disclose beneficiary's PHI in activities such as legal services,

medical review, and fraud and abuse detection - CORRECT ANSWER=> TRUE"

"A provider receives a request from the Social Security Administration for PHI relating to a person's application for benefits. Which of the following is the correct method of release? A. Since it is to a federal agency, an authorization from the patient is not needed, so PHI can be released. B. The provider should review the PHI and make a decision on the minimum necessary and release. C. The provider should notify the patient and obtain a signed authorization prior to release.

D. Release the information because the patient signed a consent for treatment. - CORRECT ANSWER=>

C. The provider should notify the patient and obtain a signed authorization prior to release" "Also known as the "Stimulus Act" or the "Recovery Act", enacted in 2009; its main purpose was to create jobs and stimulate economic growth; it also included provisions to promote health information

technology - CORRECT ANSWER=> American Recovery and Reinvestment Act (ARRA)"

"C.I.A. (HIPAA) stands for? - CORRECT ANSWER=> Confidentiality (not available or disclosed to

unauthorized person) Integrity (unaltered or destroys in unauthorized manner)) Availability (accessible and usable by authorized person) https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html" "Comprehensive legislation that ensures access to health coverage for those who change jobs or are temporarily out of work. It also provides the mechanism for funding the Department of Justice and the

FBI for health care fraud investigations - CORRECT ANSWER=> Health Insurance Portability and

Accountability (HIPAA) Ref. https://oig.hhs.gov/reports-and-publications/hcfac/index.asp" "True or False:

The HIPAA Privacy and Security rules were promulgated to make health care interstate commerce equal,

thus creating a national health care privacy and security baseline or floor - CORRECT ANSWER=> TRUE

One of the barriers before HIPAA was signed into law was the lack of access and national standards. The Privacy and Security provisions were integral elements as many States did not have privacy rights or individual right of access to healthcare records. Re: HCCA Privacy Compliance Handbook" "True or False: The Office for Civil Rights (OCR) is the entity that oversees HIPAA, and the agency's goal is to ensure that patients' health information is properly protected while allowing for the flow of health information needed.

OCR also provides excellent guidance on steps to take if an entity experiences a cyberattack. - CORRECT

ANSWER=> TRUE"

"True or False: A cyberattack could result in negative press against the organization and lack of trust from patients. It could also result in a privacy breach, which puts patients at risk for identity theft and other fraudulent

activity. - CORRECT ANSWER=> TRUE

Cyberattacks threaten patient privacy, clinical outcomes, financial resources, and the organization's reputation within the community that it serves. A recent study by the Ponemon Institute and IBM Security found that human error accounted for 95% of cybersecurity breaches." "True or False: If disclosing PHI to legal authorities/government/public official, CE must verify identity, for instance asking for a gov badge/ID, credential, or some proof of gov status, such gov written letterhead, warrant,

memorandum, etc. - CORRECT ANSWER=> TRUE"

"Computerized data medical records are destroyed by - CORRECT ANSWER=> Magnetic degaussing"

"Covered entities participating in an Organized Health Care Arrangement are permitted to A. act as a single covered entity B. utilize a single notice of privacy practices C. share psychotherapy notes

D. operate as a hybrid entity - CORRECT ANSWER=> B. utilize a single notice of privacy practices"

"True or False: In cases where CE is making Fundraising communications to individuals, the individual must be provided with an Opportunity to Object/Elect to receive such communications (and to opt back if individual

changes her/his opinion) - CORRECT ANSWER=> TRUE"

  1. Records gathered in anticipation of, or for use in, a civil, criminal, or administrative action or proceeding (45 CFR 164.524(a)(1)(ii)) https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html"

"HIPAA Civil Penalties - CORRECT ANSWER=> Did not know: $100 to $50K

Reasonable cause: $1000 to $50K Willful neglect, correct in 30 days: $10K to $50K Willful neglect, not corrected in 30 days: $50K: Max per year: $1.5 million"

"HIPAA Criminal Penalties - CORRECT ANSWER=> Committed offense Knowingly - up to 1 year in prison

Committed offense under False Pretense: 5 years + $100, Committed offense with Intent, Harm/Personal Gain: 10 years + $250,000"

"HIPAA of 1996, examples of criminal offense - CORRECT ANSWER=> Makes it a criminal offense to

submit claims based on incorrect codes or medically unnecessary services and the government has the power to exclude the organization from Medicare, Medicaid, and a long list of other government programs." "Security Rule Documentation requirements: how long does the CE must maintain written records for? -

CORRECT ANSWER=> at least 6 years from date records was created or effective date"

"Risk Assessment to determine LoProCo: - CORRECT ANSWER=> 1. Nature and extent of PHI involved

including type of identifiers and likelihood of reidentification;

  1. The unauthorized person who used the PHI or to whom the disclosure was made;
  2. Whether the PHI was actually acquired or viewed; and
  3. The extent to which the risk to the PHI has been mitigated."

"HITECH is part of what? - CORRECT ANSWER=> American Recovery and Reinvestment Act (ARRA)"

"How long is PHI protected after the person's death? - CORRECT ANSWER=> 50 years"

"How many identifiers are listed in the HIPAA Privacy Rules? - CORRECT ANSWER=> 18"

"Laser Discs medical records are destroyed by - CORRECT ANSWER=> Pulverizing"

"Levels of Confidentiality - CORRECT ANSWER=> Confidential

Anonymous Need to Know"

"Magnetic Tape medical records are destroyed by - CORRECT ANSWER=> Demagnetizing"

"Methods to de-identify PHI - CORRECT ANSWER=> Expert Determination (Statistical) de-identification

Safe harbor method"

"Microfilm medical records are destroyed by - CORRECT ANSWER=> Recycling and pulverizing"

"Name the process of identifying potential security risks and determining the probability of occurrence

and magnitude of risks. - CORRECT ANSWER=> Risk Analysis"

"Path or 7 steps to HIPAA Compliance: - CORRECT ANSWER=> 1. Perform comprehensive risk and

security analysis

  1. Identify threats and vulnerabilities
  2. Select and develop safeguards
  3. Create policies, procedures, and practices
  4. Train the staff
  5. Implement all safeguards
  6. Manage, monitor, and modify"

"Paper medical records are destroyed by - CORRECT ANSWER=> Burning, shredding, pulverizing, and

pulping"

"Permissions and Required under the HIPAA rule are NOT the same thing. Explain - CORRECT

ANSWER=> "Permissions" can still be denied, and "Required" is mandatory"

"PHI or protected health information that is collected by an individual or received by a covered entity can

be used or disclosed by these four areas. Name them. - CORRECT ANSWER=> 1- TPO (Tx, Pymt,

Healthcare Operations) 2- public interest/public crisis or emergency 3-with an opportunity to object 4-authorization, permission granted"

"Privacy incident categories - CORRECT ANSWER=> Unintentional or inadvertent violation (accidental);

Failure to follow established policies and procedures; Deliberate or purposeful violation without harmful intent; Willful and malicious violation with harmful intent." "The Social Security Act Section 1128C(a), as established by the ___ ___ ___ and ___ Act, created the Health Care Fraud and Abuse Control Program, a far reaching program to combat fraud and abuse in

health care, including both public and private health plans - CORRECT ANSWER=> Health Insurance

Portability and Accountability (HIPAA)"

"The two instances PHI does not require authorization: - CORRECT ANSWER=> 1 - directly to patient

2 - to government or HHS for investigation of alleged privacy violation"

For instance, Louisiana is one of 28 states that require the reporting of abortion complications, even if the procedure was done legally for medical reasons. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html#footnote10_jc1ucm2"

"Re: Privacy and Reproductive Health Care
A law enforcement official goes to a reproductive health care clinic and requests records of abortions performed at the clinic. Would the clinic be required to fulfill the request?
  a. yes, clinic is required to disclose PHI without patient's authorization to any law enforcement without question
  b. no, it would be impermissible and considered a breach, unless the request is a court order or other mandate enforceable in a court of law - CORRECT ANSWER=> b. no, it would be impermissible and considered a breach, unless the request is a court order or other mandate enforceable in a court of law.
Note: When the request is a court order and enforceable in a court of law, the clinic may disclose ONLY the PHI expressly authorized by the court order. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html#footnote10_jc1ucm2"

"The four key terms to evaluate when assessing whether a "Breach" in fact occurred or is presumed. These four key terms are looked at carefully during the assessment, which is also referred to as LoProCo. - CORRECT ANSWER=> Four terms are: AAUD (Access, Acquired, Used, Disclosed)"

"Re: Privacy and Reproductive Health Care
A pregnant individual in a state that bans abortion informs their health care provider that they intend to seek an abortion in another state where abortion is legal. The provider wants to report the statement to law enforcement to attempt to prevent the abortion from taking place. Would the Privacy Rule permit the disclosure of PHI to law enforcement in this scenario?
  a. yes, provider wants to do the right thing
  b. no, Privacy Rule would NOT permit the disclosure because it does not qualify as a "serious and imminent threat to the health or safety of a person or the public" and it compromises the integrity of the patient-provider relationship - CORRECT ANSWER=> b. no, Privacy Rule would NOT permit the disclosure because it does not qualify as a "serious and imminent threat to the health or safety of a person or the public" and it compromises the integrity of the patient-provider relationship. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html#footnote10_jc1ucm2"

"What are the 3 components that make up security? - CORRECT ANSWER=> Security CIA:

Confidentiality Integrity Availability"

"What is a Business Associate (BA)? What do they do in healthcare? - CORRECT ANSWER=> BA is an

entity that performs/assist Covered Entities in activities involving the use/disclosure of individually identifiable health information (IHI) on behalf of a Covered Entity or provides services such as legal, actuarial, accounting, data aggregation, or financial services for a covered entity"

"What is a Health Care Clearinghouse? - CORRECT ANSWER=> Entity that processes or facilitates the

processing of nonstandard data elements of health information into standard data elements."

"What is De-identified PHI? - CORRECT ANSWER=> Health information that does not identify an

individual and there is no reasonable basis to believe that the information can be used to identify an individual."

"What is HIPAA Administrative Simplification? - CORRECT ANSWER=> These are national standards

covering transactions, identifiers, code sets, and operating rule. Objectives:

  1. reduce paperwork,
  2. increase electronic transaction adoption,
  3. standardize operating rules (claims),
  4. overall, improve security in Electronic Data Interchange (EDI)"

"Key elements included in the HIPAA Administrative Simplification: - CORRECT ANSWER=>

Administrative Simplification Rule:

  • Electronic transaction standards - rules for electronic exchange (e.g. claims, eligibility, payments)
  • Standard code sets (e.g. ICD-10, CPT)
  • Unique Identifiers - healthcare plan (HPID), national provider (NPI), employer (EIN) See 45 CFR 162: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-162"

"What is HIPAA? - CORRECT ANSWER=> Comprehensive legislation that protects health information,

ensure access to health coverage for those who change jobs or temporarily out of work, and provides funding to DOJ and FBI for Medicare fraud investigations"

"What is Limited Data Sets? - CORRECT ANSWER=> Provide HIPAA Minimum Necessary (excluding the

direct identifiers) - Applies to areas such as Public Health, Research, Healthcare operations. CE must have a DUA in order to disclose the Limited Data Set