Exam (worked solutions)

HCCA CHC/CHPC Compliance Exam Study Test bank (Latest 2026/2027 Release) – Q&A |100% correct

Rating: -
Sold: -
Pages: 191
Grade: A+
Uploaded on: 05-02-2026
Written in: 2025/2026

HCCA CHC/CHPC Compliance Exam Study Test bank (Latest 2026/2027 Release) – Q&A |100% correct What is the purpose of HIPAA? • Protect PHI from unauthorized disclosure/use; • Prevent fraud, waste and abuse (via Administrative Simplification); • Make health insurance portable under ERISA; • Move health care onto a nationally standardized electronic billing platform Ref. More on HIPAA: HIPAA resides in which CFR section? 45 CFR sections 164.102 through 164.534 What are the subparts of HIPAA part 164? HIPAA - 45 CFR 164, subparts: Subpart A - General rules Subpart C - Security Subpart D - Breach notification Subpart E - Privacy How do you determine if an organization is a "Covered Entity"? 1. compare if the organization meets one of the 3 types of CE (provider, health plan, clearinghouse) and 2. determine if the organization electronically transmits one of the 9 defined transactions: • Health claims or equivalent encounter information • Health claims attachments • Enrollment and disenrollment in a health plan • Eligibility for a health plan • Health care payment and remittance advice • Health plan premium payments • First report of injury • Health claim status • Referral certification and authorization In addition, business associates of covered entities must follow parts of the HIPAA regulations. This Act established in 1974 was created for government agencies placing restrictions on how the government can share the information maintained in Federal systems of records that might infringe on an individual's privacy rights with other individuals and agencies. The Privacy Act of 1974 Which of the following is not considered a HIPAA Entity Designation: 1. Affiliated covered entity 2. Entity that performs healthcare and non-healthcare component activities including both covered and non-covered functions 3. A group health plan 4. Contract arrangement with FEDEX carrier 4. Contract arrangement with FEDEX carrier What is Gramm-Leach-Bliley Act (GLBA)? 
Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, includes The Financial Privacy Rule and The Safeguards Rule requires all financial institutions to protect customer's personal financial information. What is an OHCA? OHCA (Organized Health Care Arrangement) it's a clinically integrated care setting where individuals receive health care from more than one provider. These are joint arrangements/activities and have an Integrated Delivery System for easy exchange of PHI data. See 45 CFR 160.103. OHCAs can also utilize a joint NPP. See 45 CFR § 164.520(d). ACE (Affiliated Covered Entity) do not have an Integrated Delivery System because these are legally separate covered entities that are associated in business, or affiliated as a result of some common control or ownership. Both the OHCA and the ACE would allow sharing of PHI across participating entity lines for treatment, payment, operations purposes (TPO). What's an ACE? ACE (Affiliated Covered Entity) Legally separate covered entities that share common control/ownership and designate themselves as a single CE for the purpose of complying with the HIPAA Privacy standards. ACEs do not have an Integrated Delivery System, while OHCA do, and can share a single NPP. See 45 CFR § 164.520(d) ACE example: a health system composed on several affiliated hospitals. Both the OHCA and the ACE would allow sharing of PHI across participating entity lines for treatment, payment, operations purposes (TPO). What's a Hybrid Entity? Entity that conducts both covered functions (or healthcare-functions) and non-covered functions (other biz/non-healthcare functions) to elect to be a "hybrid entity." For instance, a University System that has a research laboratory or academic medical center. The post-secondary functions (non-healthcare components) do NOT need to comply with HIPAA. 
The research lab/med center functions (healthcare component) needs to comply with HIPAA provisions to protect the use/disclosure of PHI involved. The transmission of information between two parties to carry out financial or administrative activities related to health care is called: Transaction (healthcare transaction). Few examples of healthcare transactions: healthcare claims; coordination of benefits; health plan premium payments; remittance advice (or ETF, electronic fund transfer); referral certification and authorization What are examples of a BA? BA (Business Associate) - performs functions or activities on behalf of a covered entity that involve access by the business associate to protected health information. Examples: claims processing data analysis billing benefit management quality assurance quality improvement practice management legal actuarial accounting accreditation other administrative services True or False: A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient's medical chart for treatment purposes. TRUE Remember, use and disclosure of PHI for purposes of TPO requires no specific authorization True or False: Business Associates After HITECH: HITECH made business associates directly responsible for HIPAA compliance within their individual businesses that would not otherwise be subject to HIPAA regulations and penalties TRUE Even if no written contract exists between the covered entity and a contracted company performing services related to handling PHI in some form, the company is deemed a business associate by law. This deemed status essentially classifies contracted vendors or individuals as business associates solely by the nature of the services they provide to a covered entity, regardless of whether they intended to be classified as business associates or were aware of their status as such. 
HIPAA and HITECH may hold these vendors to business associate obligations as long as they act as business associates. Likewise, a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is a business associate. A subcontractor of a subcontractor is a business associate as well, and so on down the line. Ref. 2023 HCCA Complete Healthcare Compliance Manual Ref. HITECH Act and OCR's 2013 final rule True or False: Under HIPAA and HITECH, individuals or entities who have been identified as business associates are obligated to enter into a business associate agreement with their contracted covered entities. TRUE Business associate agreement mandate under the HIPAA Privacy Rule. There are some exceptions such: - for purposes of TPO, including payment for health plan premiums - for determining health plan eligibility and enrollment - when there is no involvement of use/disclosure of PHI (e.g., building maintenance) True or False: Under HIPAA and HITECH, individuals or entities who have been identified as business associates are obligated to enter into a business associate agreement with their contracted covered entities. Except for TPO, list two examples where a CE requires an authorization to use/disclose PHI 1. Sales and marketing 2. Psychotherapy notes How do you determine if an entity is subject to HIPAA? By understanding the applicability (healthcare component), entities that transmit health information and fall under the 3 types of CE (health plans, clearinghouses, and providers) HIPAA provide standards for the access, disclosure, transmission, and retention of PHI, and created a national baseline for health information Privacy and Security. At the state level, they can also develop health information statutes but only adding higher or more restrictive standards than the Federal HIPAA rules. This is referred as: a. HIPAA status b. HIPAA assurance c. HIPAA preemption d. HIPAA state law c. 
HIPAA preemption What is the intent of HIPAA? a. standardize healthcare billing and coding to comply with national accounting principles b. increase payment from providers given the rising cost of healthcare and fraud violations c. allow group health plans collect premiums after individual has left a job/employer d. improve healthcare programs and data flow between providers to data mine for fraudulent behavior d. improve healthcare programs and data flow between providers to data mine for fraudulent behavior The intent of HIPAA is to improve healthcare programs and the delivery of services through the two largest health plans in the U.S., This is accomplished by improved data flows that leads to better outcomes using national standards formats and specific transactions to increase accuracy and rapid way to data mine ad detect fraudulent behavior. The specific data flows are outlined in the Transaction & Code Set Rules 45 CFR 162.100 - 162.1902 True or False: A physician is required to have a business associate contract with a laboratory as a condition of disclosing protected health information for the treatment of an individual. FALSE Remember, use and disclosure of PHI for purposes of TPO requires no specific authorization True or False: A hospital laboratory is not required to have a business associate contract to disclose protected health information to a reference laboratory for treatment of the individual. 
TRUE Remember, use and disclosure of PHI for purposes of TPO requires no specific authorization True or False: Research use/disclosure with individual authorization does not expire or continue until the end of the research study TRUE True or False: Research use/disclosure with individual authorization may be combined with an authorization for a different research activity if research related treatment is conditioned on the provision of one of the authorizations TRUE True or False: Research use/disclosure with individual authorization may be combined with other legal permission or consent to participate in the research TRUE True of False: Is it possible for a facility with multiple provider functions to have certain isolated providers or groups who are subject to Part 2, while the facility as a whole is not subject to Part 2. For example, a large facility may have primary care providers and a separate unit that provides SUD services. TRUE Explanation: The SUD unit is subject to Part 2, but the rest of the facility is not. True or False: An individual provider who works in a general medical facility could also be a Part 2 program IF the provider's primary function is to provide SUD services. TRUE Explanation: For example, a primary care physician who provides medication-assisted treatment would only meet the requirement if providing services to persons with SUD is their primary function. However, If a patient were to receive both primary care and SUD treatment, the SUD providers are still subject to Part 2 and could not share information with the patient's primary care provider without consent. 
True or False: A program or facility that provides both, SUD services and Mental Health Services, and a patient has been admitted to receiving both services, his/her records will be subject to the Part 2 regulations FALSE Explanation: Mental health information is not subject to the standards in 42 CFR Part 2 and can be shared without consent for treatment purposes, including care coordination, as allowed under HIPAA. More details. Only records or information about patients receiving SUD services will be subject to Part 2 and its use/disclosure is more restrictive. However, to allow appropriate mental/behavioral health information sharing with SUD information, a Qualified Service Organization Agreement (QSOA) would be needed as defined in 42 CFR 2.11 "Qualified service organization" section. What are the 4 federal regulations and/or government agencies that govern the privacy of individually identifiable info in research 1. HHS-FDA (protections of human subject and IRBs) 2. HHS-NIH (certificate of confidentiality) 3. HHS-Office of Human Research Protections (Common Rule) 4. HHS-OCR - HIPAA Privacy Rule Ref. HCCA Privacy Handbook 3rd Ed Certificates of Confidentiality (CoC) is a formal confidentiality to protect the privacy of human research participants enrolled in biomedical, behavioral, clinical and other forms of sensitive research. CoC are issued by the NIH or the FDA, and are authorized by law by the P___ H___ S___ Act Public Health Services Act. The Privacy Act of 1974 was created in response to the government creating and using computer databases. The Act places restrictions on how government can share the information with other individuals and agencies, and ultimately protect the privacy of individuals that is maintained in Systems of Records by federal agencies. 
Before a federal agency begins to collect personal information for a system of records, an advanced public notice must be published in the Federal Register, which outlines the administrative, technical, and physical safeguards for protecting the personally identifiable information being collected. This "public notice" is called" - S____ of R_____ N__ (SORN) system of records notice (SORN) ref. HCCA privacy handbook 3rd ed. "Privacy Act 1974" section What is a research IRB? 1. Institutional Research Board 2. A group of executives that review all research activities conducted by the Board of Directors 3. A group of individuals that review proposed research to protect the privacy of subjects 4. Can make changes to the research or alter its content as they seemed appropriate 3. A group of individuals that review proposed research to protect the privacy of subjects An individual must authorize these marketing communications before they can occur, except: a. when the communication is not for the purpose of providing treatment advice b. communication from a health insurer to promote their products/services c. communication in training material using their photo d. hospital uses its patient list to announce the arrival of a new specialty group in general mailing Except: d. hospital uses its patient list to announce the arrival of a new specialty group This activity does not meet the "marketing" definition, for instance, the disclosure of PHI in this example is not for exchange of remuneration, or to encourage use of product, promote services. True or False: It is important that when contracting with payers or health plans they follow not only the HIPAA security but also the privacy rule to protect beneficiaries PHI including use/disclosure during payer's marketing activities TRUE Which of the following requires a Business Associate contract/agreement: a. independent medical transcriptionist b. entities that participate in an OHCA (organized healthcare arrangement) c. 
when a provider simply accepts a discounted rate to participate in the health plan's network d. US Postal Services or private carriers a. independent medical transcriptionist explanation: this is an outsourced service that handles PHI on behalf of the CE. The transcriptionist is performing an activity for the CE that contains PHI and a BAA is required to ensure proper use and disclosure. Is a covered entity required to provide notice to individuals about its disclosures of PHI to a PHA for public health purposes? Yes. This is in the covered entity's Notice of Privacy Practices (NPP). The Privacy Rule requires a covered entity to include in its NPP a description of the purposes, which would include public health purposes, for which the covered entity may use or disclose PHI without an individual's authorization. However, the Privacy Rule does not require a business associate (such as an HIE that is a business associate) to provide individuals with a NPP. True of False: OHCAs and ACEs are able to produce a joint Notice of Privacy Practice (NPP) FALSE Explanation: OHCAs are joint arrangements, have an Integrated Delivery System, and therefore agree to abide by the terms of the notice with respect to PHI created or received by the covered entity as part of its participation in the OHCA. ACEs are legally separate covered entities working together and unable to use a joint NPP and they might still have separate EHRs, separate HIM/ROI functions, etc. and therefore, the PHI data is not create or receive in the same manner. See 45 CFR 164.520(d) True or False: It is your last day at your pediatric clinical site and you are saying goodbye to all of your favorite patients. You take a picture on your phone of a few of the patients posing together and later post it to your private blog as an illustration of your last day. Since your blog is private and can only be accessed by those who know the URL, you are not in violation of HIPAA regulations. 
FALSE Fill in the blank: In the mid-1990s, OIG began to require providers settling civil health care fraud cases to enter into specific type of agreements as a condition for OIG not pursuing exclusion. These agreements are referred as: Corporate integrity Agreements (CIA) The foundation for establishing a good relationship with a vendor is the Contract. A contract is an exchange of promise, services for money, with a specific remedy for breach of contract. What are some of the key basic elements to contracts. Basic key elements to contacts include: I. Agreement (Offer and Acceptance) II. Capacity to contract (ability to perform, ask for proof, bios of staff that will perform the critical services) III. Consideration (remuneration must be defined) IV. Legal purpose (legal requirements, defined measures including subcontractors responsibilities) V. Legality of form (use key legal language or clauses, assurances) VI. Intention to create legal relations (statement of parties intent to be "legally bound" to abide to mandates) VII. Consent to contract (required signatures) VIII. Mistakes, undue influence (if things go wrong, list alternative options) True or False: Regarding vendor relations, the privacy professional must ensure that the contract supports the privacy profile. This includes clearly outlining privacy impacts, clauses, mandates, remedies from the vendor's services to ensure expectations are met, even when things go wrong. TRUE HCCA Privacy Compliance Handbook - Vendor Relations and Privacy Section A Covered Entity may denied an individual access to their PHI under specific circumstances set forth in 45 CFR 164.524 (a)(2), which of the following doesn't fall under those circumstances: a. Request for psychotherapy notes b. if it jeopardizes the health, safety, security, rehab of individual (e.g. inmate's' request, suicidal patient) c. during the course of research/clinical trial d. to request restrictions of their PHI a. 
Request for psychotherapy notes Under the HIPAA Privacy Rule, individual has the right to request a copy, an amendment and restrictions to their PHI, request confidential communications involving your PHI, and list of disclosures. See 45 CFR § 164.524 (a)(2) 38 U.S.C. 7332 deals with confidentially of patient medical record information related to: a. drug abuse, sexually transmitted diseases, and tuberculosis b. HIV/AIDS status c. drug abuse, alcoholism, infection with the HIV virus, and sickle cell anemia d. mental illness, HIV status, drug and alcohol abuse c. drug abuse, alcoholism, infection with the HIV virus, and sickle cell anemia True or False: The Minimum Necessary is a key concept under the HIPAA security rule FALSE It is a key concept under the PRIVACY Rule. Re: HIPAA Authorization Is there any information we can release to a person who is calling on behalf of a patient who is not authorized in a release form? Patient must be given an "opportunity to agree or object" keeping in mind: 1. you can obtain patient's agreement verbally, over the phone, BUT makes notes in file 2. only disclose the Minimum Necessary Re: HIPAA Authorization When my patients are being treated for car accident injuries, we often receive requests for PHI from lawyers. I am not sure if we should provide the information and don't know how to decide whether the request is legitimate. How do we validate the request is legitimate? Ensure is a valid HIPAA authorization: MUST have the authorization 6 core elements and 3 key statements as per 45 CFR § 164.508 (c)(1) and (2) Re: HIPAA Authorization One of my long term (dental) patients was recently diagnosed with cancer. His new oncologist's assistant called to request his PHI from our files. I don't know if the patient knows or has authorized this. Can the request be fulfilled? YES, no authorization is required for purposes of TPO. 
But, ensure the request is in writing including: Covered Entity's name; Patient's name; Date of the event/time of treatment; and Reason for the request. Re: HIPAA Authorization (suspected domestic violence) I strongly suspect that a patient is a victim of domestic violence, although the patient has not confided in me. The abuse seems to be escalating, judging by the injuries I've seen. May I do anything? You may, this may be an exception to the HIPAA Privacy Rule. IF you reasonably believe the patient to be a victim of adult abuse, neglect or violence, you may report to the appropriate government agency. You may also obtain patient's agreement, but not required. ARRA passed in 2009, key items to know: ARRA - also known as "Obama Stimulus" in response to the 2008 recession ARRA mandated government spending, tax cuts, and loan guarantees for financial relief to families. ARRA required hospitals to computerize medical records and modernize HIT systems (HITECH). And breach notification provision implemented under HITECH IIHI Individually Identifiable Health Information It's any part of an individual's health information, including demographic information (e.g. address, date of birth) collected from the individual PHI Protected Health Information Info transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. (PHI excludes IIHI education records covered by FERPA) What is de-identified information? Removing the HIPAA individual identifiable information. This is accomplish by two methods: Expert Determination: de-identification of PHI by an expert (statistical or scientific principles) Safe Harbor: removing the 18 identifiers What is re-identification? CE may assign a number for re-identification; however, the creation of the numbering system should not be based on the information and the CE is forbidden from disclosing the e-identification scheme. What's the Minimum Necessary? 
Use/disclose limited PHI to accomplish the intended purpose of the use, disclosure, or request. The Minimum Necessary DOES NOT apply to? does not apply to: TPO To the individual directly To the HHS Secretary or required by law When authorization is granted Where does Minimum Necessary link to in the Security rule? Role Based Access - can content filters be used to support the privacy concept Who can Deceased Individuals information be released to at anytime? coroners or medical examiners (and Funeral Directors as necessary to carry out their duties with respect to the decedent) Preemption under HIPAA means Federal law states that it preempts or overrides (supersedes) state law on a particular issue, then federal law is the law that must be followed. In general, HIPAA preempts state law that is "contrary" to the federal rule. In many cases, complying with the stronger standard (more stringent) will allow you to comply with both state law and HIPAA. Example 1: if state law gives a provider 10 days to respond to a patient's request for a copy of his medical records, and HIPAA allows 30 days, you can comply with both state and federal law by responding within 10 days. Example 2: if state law requires longer period for record keeping than the federal law, then go with the longer period. Valid Authorization core elements (see 45 CFR § 164.508(c)(1)): 1. meaningful description of the information to be disclosed 2. name of the individual/person authorized to make the requested disclosure 3. name or other identification of the recipient of the information 4. description of each purpose of the disclosure 5. expiration date for the authorization 6. 
signature and date of the individual or their personal representative (someone authorized to make health care decisions on behalf of the individual) and Valid Authorization 3 key statements (see 45 CFR § 164.508(c)(2)): The statements are to be included in a valid Authorization: • A statement of the person's right to revoke the authorization, exceptions to this right, and a description of how to revoke: • A statement that treatment, payment, enrollment or eligibility for benefits may NOT be conditioned upon signing the authorization; • A statement regarding the potential that the information disclosed pursuant to the authorization may be re-disclosed by the recipient and, if so, it may no longer be protected by a federal confidentiality law; Note: the person signing the authorization has the right to (or will receive) a copy of the authorization. Fill in the blanks: The three types of AUTHORIZATION: VALID - must have all the 6 required core elements and 3 statements/notices D_______ - lacks any of the required elements/statements, or expiration date has passed, or revoked, etc. C_______ - typically allowed in research studies, this authorization may be combined with another written permission IF it's for the same research related studies Defective; Compound Request for Restrictions patient has the right to request restrictions on the U&D of information, even for the TPO exception. Provider must determine if it is reasonable, accommodate request, and abide to agreement. Ref § 164.520 - Notice of privacy practices for protected health information. Request for Confidential Communication Patient may request other communication channels not typical for the entity, such as email, or meeting in off-site locations. Which subpart of HIPAA part 164 sets limits on how PHI can be used and shared with others and gives patients rights over their information a. Part 164 Subpart E (Privacy Rule) b. Part 164 Subpart C (Security Rule) a. 
Part 164 Subpart E (Privacy Rule) Subpart C (Security Rule) sets the security standards (administrative, technical, and physical safeguards) to protect the confidentiality, integrity and availability of ePHI What is the difference between HIPAA security and privacy? Security - covers ePHI Privacy - covers all forms (electronic, oral, written) 45 CFR 164 - Subpart C outlines the three safeguards to ensure the _____, ____, ____ of ePHI that both, CE and BA must implement to ensure compliance and protect against anticipated threats, and/or reasonably anticipated uses/disclosures (incidental/inadvertent/unintentional) Confidentiality, integrity, availability Note: Accidental - must be reported. An accidental HIPAA violation refers to the unauthorized disclosure of PHI (protected health information) without intent. Despite having safeguards and protective measures in place, there is still a possibility of breaching HIPAA regulations. These types of violations could include an employee accidentally seeing a different patient's medical records, an email being sent to the wrong person or the loss or theft of a personal device that contains PHI. Research HIPAA Waiver criteria: Research Waiver In order for research to be conducted, it must meet a minimum set of waiver criteria elements. Elements that must be met to meet wavier criteria are: 1) the use or disclosure for the research involved minimum risk to the patient; 2) the research could not be conducted without proper access to the waiver being approved; and 3) the research could not be conducted without proper access to the use of the PHI. 45 CFR 164.512 (i)(2) What's malicious software? malware, is software that is used to control or take over applications, workstations, or servers, damage/disrupt a system. 
See Security Rule, definitions - 45 CFR 164.304 A covered entity may use or disclose PHI for TPO...what does TPO stand for Treatment Payment Health Care Operations True or False: Payer/health plans are allowed to use/disclose beneficiary's PHI in activities such as legal services, medical review, and fraud and abuse detection TRUE A provider receives a request from the Social Security Administration for PHI relating to a person's application for benefits. Which of the following is the correct method of release? A. Since it is to a federal agency, an authorization from the patient is not needed, so PHI can be released. B. The provider should review the PHI and make a decision on the minimum necessary and release. C. The provider should notify the patient and obtain a signed authorization prior to release. D. Release the information because the patient signed a consent for treatment. C. The provider should notify the patient and obtain a signed authorization prior to release Also known as the "Stimulus Act" or the "Recovery Act", enacted in 2009; its main purpose was to create jobs and stimulate economic growth; it also included provisions to promote health information technology American Recovery and Reinvestment Act (ARRA) C.I.A. (HIPAA) stands for? Confidentiality (not available or disclosed to unauthorized person) Integrity (unaltered or destroys in unauthorized manner)) Availability (accessible and usable by authorized person) Comprehensive legislation that ensures access to health coverage for those who change jobs or are temporarily out of work. It also provides the mechanism for funding the Department of Justice and the FBI for health care fraud investigations Health Insurance Portability and Accountability (HIPAA) Ref. 
True or False: The HIPAA Privacy and Security rules were promulgated to make health care interstate commerce equal, thus creating a national health care privacy and security baseline or floor TRUE One of the barriers before HIPAA was signed into law was the lack of access and national standards. The Privacy and Security provisions were integral elements as many States did not have privacy rights or individual right of access to healthcare records. Re: HCCA Privacy Compliance Handbook True or False: The Office for Civil Rights (OCR) is the entity that oversees HIPAA, and the agency's goal is to ensure that patients' health information is properly protected while allowing for the flow of health information needed. OCR also provides excellent guidance on steps to take if an entity experiences a cyberattack. TRUE True or False: A cyberattack could result in negative press against the organization and lack of trust from patients. It could also result in a privacy breach, which puts patients at risk for identity theft and other fraudulent activity. TRUE Cyberattacks threaten patient privacy, clinical outcomes, financial resources, and the organization's reputation within the community that it serves. A recent study by the Ponemon Institute and IBM Security found that human error accounted for 95% of cybersecurity breaches. True or False: If disclosing PHI to legal authorities/government/public official, CE must verify identity, for instance asking for a gov badge/ID, credential, or some proof of gov status, such gov written letterhead, warrant, memorandum, etc. TRUE Computerized data medical records are destroyed by Magnetic degaussing Covered entities participating in an Organized Health Care Arrangement are permitted to A. act as a single covered entity B. utilize a single notice of privacy practices C. share psychotherapy notes D. operate as a hybrid entity B. 
utilize a single notice of privacy practices True or False: In cases where CE is making Fundraising communications to individuals, the individual must be provided with an Opportunity to Object/Elect to receive such communications (and to opt back if individual changes her/his opinion) TRUE Covered Entity can use or disclose PHI by these 4 areas: 1. for treatment, payment, healthcare operations (TPO) 2. for public interest in disaster relief or public emergency 3. with an opportunity to object (i.e. spouse picking up Rx) 4. with authorization granted Covered entity includes: • Health plan (payers) • Health care clearinghouse (process health information into standard data elements on behalf of the CE) • Health care provider who transmits any health info in electronic form AND • CE's business associate (when applicable) What is a Controlling Health Plan (CHP)? Health plan that controls its own business, actions, activities, and policies; Controls the subhealth plan (SHP). This applies to state Medicaid plans. For instance, the CHC is the state Medicaid, and the SHP would be the local administrator. Re: HCCA Privacy Compliance Handbook Describe what to do with a "required" implementation specification Implement the specification as presented Describe what to do with an "addressable" implementation specification Implement as presented, or if not reasonable and appropriate implement an equivalent alternative measure. Designated Record Set (DRS) - includes: Group of records maintained by or for a Covered Entity that comprises the following: 1. medical/billings records 2. enrollment/payment/claims adjudication/case management by health plan 3. other records used by or for covered entity to make decisions about individuals Designated Record Set (DRS) - records excluded from DRS: Administrative data (audit trails, appointment schedules, that don't imbed PHI). Incident reports. Quality Assurance Data. Statistical reports. 
DVD medical records are destroyed by
Shredding and cutting


A few other examples of use or disclosure of PHI other than for TPO:
Public health interest, research, serious threat, organ/tissue donation, decedent information, worker's compensation insurers.


Give examples of administrative safeguards
• Policies and procedures
• Training and education
• Designation of individuals (e.g. Security Officer)
• Contingency planning


Give examples of physical safeguards
• Facility security or access plan
• Disposal processes and media reuse
• Data backup and storage


Give examples of technical safeguards
• Passwords
• Encryption
• Auto log off
• Unique user identification


HIPAA "consent" and "authorization" have key differences; what are they?
Consent is voluntary for TPO, while authorization is required by the Privacy Rule for use and disclosure of PHI.


What is the primary difference between HIPAA authorization and Right of Access (regarding disclosure)?
HIPAA authorization is a PERMITTED disclosure, and Right of Access is a REQUIRED disclosure.


What is excluded from the Right of Access?
1. any information that is not part of the Designated Record Set
2. Psychotherapy notes/records (see 45 CFR 164.524(a)(1)(i) and 164.501)
3. Records gathered in anticipation of, or for use in, a civil, criminal, or administrative action or proceeding (45 CFR 164.524(a)(1)(ii))


HIPAA Civil Penalties
Did not know: $100 to $50K
Reasonable cause: $1000 to $50K
Willful neglect, corrected in 30 days: $10K to $50K
Willful neglect, not corrected in 30 days: $50K
Max per year: $1.5 million


HIPAA Criminal Penalties
Committed offense knowingly: up to 1 year in prison + $50,000
Committed offense under false pretenses: 5 years + $100,000
Committed offense with intent to harm/for personal gain: 10 years + $250,000


HIPAA of 1996, examples of criminal offense
Makes it a criminal offense to submit claims based on incorrect codes or medically unnecessary services, and the government has the power to exclude the organization from Medicare, Medicaid, and a long list of other government programs.


Security Rule documentation requirements: how long must the CE maintain written records?
At least 6 years from the date the record was created or its effective date


Risk Assessment to determine LoProCo:
1. Nature and extent of PHI involved, including type of identifiers and likelihood of reidentification;
2. The unauthorized person who used the PHI or to whom the disclosure was made;
3. Whether the PHI was actually acquired or viewed; and
4. The extent to which the risk to the PHI has been mitigated.


HITECH is part of what?
American Recovery and Reinvestment Act (ARRA)


How long is PHI protected after the person's death?
50 years


How many identifiers are listed in the HIPAA Privacy Rules?
18


Laser Disc medical records are destroyed by
Pulverizing


Levels of Confidentiality
Confidential
Anonymous
Need to Know


Magnetic Tape medical records are destroyed by
Demagnetizing


Methods to de-identify PHI
Expert Determination (Statistical) de-identification
Safe harbor method


Microfilm medical records are destroyed by
Recycling and pulverizing


Name the process of identifying potential security risks and determining the probability of occurrence and magnitude of risks.
Risk Analysis


Path or 7 steps to HIPAA Compliance:
1. Perform comprehensive risk and security analysis
2. Identify threats and vulnerabilities
3. Select and develop safeguards
4. Create policies, procedures, and practices
5. Train the staff
6. Implement all safeguards
7. Manage, monitor, and modify


Paper medical records are destroyed by
Burning, shredding, pulverizing, and pulping


"Permissions" and "Required" under the HIPAA rule are NOT the same thing. Explain.
"Permissions" can still be denied, and "Required" is mandatory.


PHI, or protected health information, that is collected by an individual or received by a covered entity can be used or disclosed in these four areas. Name them.
1- TPO (Tx, Pymt, Healthcare Operations)
2- public interest/public crisis or emergency
3- with an opportunity to object
4- authorization, permission granted


Privacy incident categories
Unintentional or inadvertent violation (accidental);
Failure to follow established policies and procedures;
Deliberate or purposeful violation without harmful intent;
Willful and malicious violation with harmful intent.
The Social Security Act Section 1128C(a), as established by the ___ ___ ___ and ___ Act, created the Health Care Fraud and Abuse Control Program, a far-reaching program to combat fraud and abuse in health care, including both public and private health plans.
Health Insurance Portability and Accountability (HIPAA)


The two instances where PHI does not require authorization:
1 - directly to the patient
2 - to the government or HHS for investigation of an alleged privacy violation


True or False: A vendor that stores encrypted copies of files from a CE is not a Business Associate of that CE because the ePHI is unreadable, unusable, and indecipherable.
FALSE - the vendor is a Business Associate as it is maintaining (through its storage functions) the encrypted ePHI.


True or False: Covered Entities and their Business Associates must comply with all of the Security and Privacy Rules.
FALSE - Business Associates are not required to comply with all of the Privacy Rules.


True or False: Encryption is required under HIPAA.
FALSE - it is an addressable implementation specification.


True or False: The designated privacy official and the designated security official under HIPAA must be different individuals.
FALSE - the same official may be designated for both roles.


True or False: Certificates of Confidentiality (Certificate or CoC) protect the privacy of research participants by prohibiting disclosure of identifiable, sensitive research information to anyone not connected to the research, except when the participant consents or in a few other specific situations.
TRUE


True or False: The protection of human subjects in research at 45 CFR 46 Subpart A (the Common Rule) lists the protections for all research involving human subjects.
TRUE


Re: Privacy and Reproductive Health Care
An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy. Is the hospital required to report individuals to law enforcement?
a. yes, the hospital is required to do so IF state law expressly requires such reporting
b. no, this would be impermissible and constitute a breach regardless of state law requirements
a. yes, the hospital is required to do so IF state law expressly requires such reporting. For instance, Louisiana is one of 28 states that require the reporting of abortion complications, even if the procedure was done legally for medical reasons.


Re: Privacy and Reproductive Health Care
A law enforcement official goes to a reproductive health care clinic and requests records of abortions performed at the clinic. Would the clinic be required to fulfill the request?
a. yes, the clinic is required to disclose PHI without the patient's authorization to any law enforcement without question
b. no, it would be impermissible and considered a breach, unless the request is a court order or other mandate enforceable in a court of law
b. no, it would be impermissible and considered a breach, unless the request is a court order or other mandate enforceable in a court of law. Note: When the request is a court order and enforceable in a court of law, the clinic may disclose ONLY the PHI expressly authorized by the court order.


The four key terms to evaluate when assessing whether a "Breach" in fact occurred or is presumed. These four key terms are carefully looked at during the assessment, which is also referred to as LoProCo. The four terms are:
AAUD (Access, Acquired, Used, Disclosed)


Re: Privacy and Reproductive Health Care
A pregnant individual in a state that bans abortion informs their health care provider that they intend to seek an abortion in another state where abortion is legal. The provider wants to report the statement to law enforcement to attempt to prevent the abortion from taking place. Would the Privacy Rule permit the disclosure of PHI to law enforcement in this scenario?
a. yes, the provider wants to do the right thing
b. no, the Privacy Rule would NOT permit the disclosure because it does not qualify as a "serious and imminent threat to the health or safety of a person or the public" and it compromises the integrity of the patient-provider relationship
b. no, the Privacy Rule would NOT permit the disclosure because it does not qualify as a "serious and imminent threat to the health or safety of a person or the public" and it compromises the integrity of the patient-provider relationship. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.


What are the 3 components that make up security?
Security CIA: Confidentiality, Integrity, Availability


What is a Business Associate (BA)? What do they do in healthcare?
A BA is an entity that performs or assists Covered Entities in activities involving the use/disclosure of individually identifiable health information (IIHI) on behalf of a Covered Entity, or provides services such as legal, actuarial, accounting, data aggregation, or financial services for a covered entity.


What is a Health Care Clearinghouse?
An entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.


What is De-identified PHI?
Health information that does not identify an individual and for which there is no reasonable basis to believe that the information can be used to identify an individual.


What is HIPAA Administrative Simplification?
These are national standards covering transactions, identifiers, code sets, and operating rules. Objectives:
1. reduce paperwork,
2. increase electronic transaction adoption,
3. standardize operating rules (claims),
4. overall, improve security in Electronic Data Interchange (EDI)


Key elements included in the HIPAA Administrative Simplification Rule:
• Electronic transaction standards - rules for electronic exchange (e.g. claims, eligibility, payments)
• Standard code sets (e.g. ICD-10, CPT)
• Unique identifiers - health plan (HPID), national provider (NPI), employer (EIN)
See 45 CFR 162.


What is HIPAA?
Comprehensive legislation that protects health information, ensures access to health coverage for those who change jobs or are temporarily out of work, and provides funding to the DOJ and FBI for Medicare fraud investigations.


What is a Limited Data Set?
Provides the HIPAA Minimum Necessary (excluding the direct identifiers) - applies to areas such as Public Health, Research, and Healthcare Operations. The CE must have a DUA in order to disclose the Limited Data Set.


What is the record retention period for HIPAA-related work product?
6 years


What is the timeframe requirement to train new employees about HIPAA?
"within a reasonable period of time after the person joins the covered entity's workforce"


What is Unsecured PHI?
PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.


What subpart in Part 164 deals with Privacy?
Subpart E (Hint: Privacy....Privacy-E)


What subpart in Part 164 deals with Security?
Subpart C (Hint: "C"-curity)


Which of the following would be considered an incidental disclosure of PHI?
a. Patient overhearing a nurse on the phone discussing lab results with another patient
b. An email containing a large list of patients (names, addresses, and Medicare ID numbers) was sent unsecured to an email address
c. An email sent to another employee on a secure server, but the employee who received it was the wrong employee
d. A and C are correct
e. None of the above are correct
a. Patient overhearing a nurse on the phone discussing lab results with another patient.
Incidental vs. Accidental: Accidental and incidental can both mean "something happening by chance," but usage suggests that "accidental" also implies an element of carelessness or inattention, while "incidental" implies the occurrence would have happened with or without attention or care. An incidental Use or Disclosure is a secondary use or disclosure that cannot reasonably be prevented. An Accidental Use or Disclosure is sending an email to the wrong recipient or an employee accidentally viewing a patient's report, which leads to an unintentional HIPAA violation.


Which of the three rules in Part 164 applies to PHI in all of its formats?
Subpart E (Privacy) applies to PHI in all of its formats. BONUS: also Subpart D, since breaches can involve PHI in all of its formats as well.


What defines and limits the circumstances in which an individual's PHI may be used or disclosed by covered entities?
a. Constitution
b. First Amendment
c. OIG
d. Privacy Rule
d. Privacy Rule
Note: practice question from AAPC CPCO Ch4


PHI may be disclosed without the patient's authorization for ___________________.
a. Death, operations, and birth certificates
b. Treatment, pictures, and operations
c. Injections, shots, and research
d. Treatment, payment, and operations
d. Treatment, payment, and operations (TPO). PHI can be disclosed to another entity for treatment purposes; for quality or competency assurance activities; or for fraud and abuse detection and compliance activities, if both entities have or had a professional relationship with the patient and the PHI pertains to the relationship.
Note: practice question from AAPC CPCO Ch5


When can patients instruct their provider not to share information about their treatment with their health plan?
a. Never, patients must disclose all information to their health plan.
b. Only if the patient tells the secretary when scheduling an appointment that their information should not be given to their health plan.
c. If, when scheduling an appointment, the patient indicates that they are paying cash for the visit and do not want their information to be given to the health plan.
d. Never, because the health plan has a contract with the provider.
c. If, when scheduling an appointment, the patient indicates that they are paying cash for the visit and do not want their information to be given to the health plan.
Remember: Patients also have the right to request restrictions on the use and disclosure of their PHI to carry out treatment, payment, and healthcare operations. These requests do not have to be agreed to by the covered entity, except when a patient pays in cash, which allows the patient to instruct the provider not to share information about their treatment with the health plan.
Note: practice question from AAPC CPCO Ch5


Are there certain rules for PHI disclosure in cases of an emergency?
a. No, especially if the patient is not able to provide consent.
b. No, there is not a separation of emergency treatment.
c. Yes, PHI can be released for emergency treatment.
d. No, PHI cannot ever be disclosed without patient consent.
c. Yes, PHI can be released for emergency treatment.
Note: practice question from AAPC CPCO Ch5


Is it acceptable for practices to call and remind patients of their appointments?
a. Yes, if it is stated in the Notice of Privacy Practices
b. Yes, if the patient has signed a waiver giving the practice permission to call
c. No, practices can no longer call and remind patients of their appointments
d. Yes, but only if the reminder calls are between 6 pm and 8 pm
a. Yes, if it is stated in the Notice of Privacy Practices. Appointment reminders are considered part of treatment of an individual and, therefore, can be made without authorization.
Note: practice question from AAPC CPCO Ch5


Health information that does not identify an individual is called _______________.
a. Cloned information
b. De-identified information
c. Re-identified information
d. Misidentified information
b. De-identified information
Note: practice question from AAPC CPCO Ch5


What policy is written to encourage communication?
a. Attendance policy
b. Electronic protected information policy
c. Non-retaliation policy
d. Safety and security management policy
c. Non-retaliation policy
Note: practice question from AAPC CPCO Ch5


Is it okay to send X-rays to specialists when referring patients if our email is not encrypted?
a. Always
b. Never
c. It depends
c. It depends
Explanation: Encryption is strongly recommended as the best practice. If the individual is requesting that PHI in the form of X-rays be sent to the third party, and the individual is notified prior to sending via unencrypted email and agrees to sending via unencrypted email, this is permitted under HIPAA. HHS provides clear guidance on sending PHI in an e-mail. Please remember that state laws may apply as well.
Ref. from 1st HC Compliance


When can you use or disclose PHI?
A. When the patient has authorized, in writing, its release.
B. For the treatment of a patient, if that is part of my job.
C. For obtaining payment for services, if that is part of my job.
D. All of the answers.
D. All of the answers.


True or False: An email request from a client to communicate with them, as long as it is secured, is sufficient for a staff member to use that method of communication.
TRUE


True or False: Signed authorizations for release of information are considered invalid if there is no expiration date or an event that triggers expiration.
TRUE. A valid authorization must have all required core elements set forth in 45 CFR 164.508(c):
1. description of the info to be disclosed
2. name of the individual authorized to make the requested disclosure
3. name of the recipient
4. a description of each purpose of the disclosure(s)
5. expiration date
6. signature of the individual (or representative) and date


Which of the following is NEVER acceptable to leave in a message on an answering machine:
a. The caller's name.
b. The minimum necessary information to request that the client return the phone call if necessary.
c. Test results.
d. All of the answers.
c. Test results.


How does a patient learn about privacy under HIPAA?
a. He looks it up on the internet.
b. The government sent this out in the mail to every U.S. citizen prior to April 14, 2003.
c. He asks his doctor or nurse.
d. At the patient's first visit he or she is given the Provider's Notice of Privacy Practices, and signs an acknowledgment that he or she has received a copy of it.
d. At the patient's first visit he or she is given the Provider's Notice of Privacy Practices, and signs an acknowledgment that he or she has received a copy of it.


A co-worker is called away for a short errand and leaves the clinic PC logged onto the confidential information system. You need to look up information using a computer. Aside from notifying the appropriate person, what is the best approach you should take?
a. To save time, just continue working under your co-worker's User-ID.
b. Log your co-worker off and re-login under your own User-ID and password.
c. Do nothing.
d. All of the answers.
b. Log your co-worker off and re-login under your own User-ID and password.


What does HIPAA do?
A. Protects the privacy and security of a patient's health information.
B. Prevents health care fraud and abuse.
C. Provides for electronic and physical security of a patient's health information.
D. All of the answers.
D. All of the answers.


What is PHI (Protected Health Information)?
a. Information that can be used to identify a patient.
b. Covered transactions (eligibility, enrollment, health care claims, payment, etc.) performed electronically.
c. Information about a past or present mental or physical condition of a patient.
d. All of the answers.
d. All of the answers.


A covered entity must designate a ___________________ who is responsible for developing and implementing its security policies and procedures.
a. physician
b. security official
c. police officer
d. custodian
b. security official


A covered entity may disclose protected health information (PHI) without a patient's written permission for:
a. Treatment purposes
b. Payment
c. Health care operations activities
d. All of the above
d. All of the above (a covered entity may use or disclose PHI for TPO)


A covered entity must obtain the patient's written authorization for any use or disclosure of protected health information (PHI) in which circumstances?
a. Marketing activities
b. Research
c. PHI sales and licensing
d. Information sharing needed for treatment
e. A and C only
f. All of the above
e. A and C only
Ref. Permitted Uses and Disclosures section - Name examples for which an authorization is required, other than for use/disclosure of Psychotherapy notes: marketing and sales of PHI


Fill in the blank: 45 CFR 46 Subpart A lists the HHS regulations for the protection of human subjects in research. This subpart is also known as the ____ ____.
Common Rule.


Which of the following created an ethical framework for the conduct of human subjects research:
a. The Nuremberg Code
b. The Belmont Report
c. The Declaration of Helsinki
d. all of the above
d. all of the above. These codes were written, primarily, to address research activities that were deemed to pose serious harm to the human subjects involved and to standardize the protections of human subjects going forward. The focus, then, was to protect the individuals, with only a minor concern over the confidentiality of the data involved.
Ref. HCCA Privacy Compliance Handbook


Examples of proper disposal methods of protected health information (PHI) may include:
a. tossing into the trashcan or recycle bin.
b. clearing (using software or hardware products to overwrite media with non-sensitive data).
c. purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains).
d. destroying (disintegration, pulverization, melting, incinerating, or shredding).
e. B and D
f. B, C and D
f. B, C and D. Depending on the circumstances, appropriate methods for removing ePHI from electronic media prior to reuse or disposal may be clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) the information from the electronic media. If circumstances warrant the destruction of the electronic media prior to disposal, destruction methods may include disintegrating, pulverizing, melting, incinerating, or shredding the media. Covered entities may contract with business associates to perform these services for them.
Ref.


True or False: A health care provider or other covered entity must obtain permission from a patient prior to notifying public health authorities of the occurrence of a reportable disease.
FALSE. The HIPAA Privacy Rule permits covered entities to disclose protected health information without authorization for specified public health purposes. OCR has issued guidance on how to disclose protected health information (PHI) for the public health activities of a public health authority (PHA).
Ref.


What is the Federal law that protects the privacy of student education records?
FERPA (Family Educational Rights and Privacy Act)


True or False: Private schools that don't receive funds from the Department of Education are not subject to FERPA.
TRUE. FERPA applies to educational agencies and institutions that receive Federal funds under any program administered by the U.S. Department of Education. In some circumstances a private school would be required to comply with the HIPAA Privacy Rule when it is a HIPAA covered entity. See the HIPAA FERPA Joint Guidance.


Are Nursing Records considered part of the Educational Records?
a. Yes, nurses don't diagnose or treat individuals, and by licensure, they can't practice medicine. For instance, records created/maintained by a public health or school nurse providing immunizations to students
b. No, student health or nurse records are not part of the Educational Records, even if they receive funding from the Department of Education
a. Yes, nurses don't diagnose or treat individuals, and by licensure, they can't practice medicine. For instance, records created/maintained by a public health or school nurse providing immunizations to students. School health records are considered part of the Educational Records. For instance, the Americans with Disabilities Act (ADA) requires schools to create certain health records about children with special health care needs.


Which of the following is not listed as a physical safeguard in the Security Rule (Subpart C)?
A. Facility Access Controls
B. Automatic Log Off
C. Workstation Use
D. Workstation Security
B. Automatic Log Off. Automatic log off, passwords, encryption, and unique user ID are examples of technical safeguards, not physical.


Which of the following is not listed as a physical safeguard in the Security Rule (Subpart C)?
A. Facility Access Plan
B. Disposal processes
C. Data backup and storage
D. Unique user ID
D. Unique user ID. Automatic log off, passwords, encryption, and unique user ID are examples of technical safeguards, not physical.


True or False: Covered entities, such as physician's offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited.
TRUE. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). See 45 CFR 164.502(a)(1)(iii).
Ref.


In determining the amount of any civil money penalty for violations of HIPAA, the following factors are considered:
a. The nature and extent of the violation.
b. The nature and extent of the harm resulting from the violation.
c. The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity or business associate.
d. The financial condition of the covered entity or business associate.
e. Such other matters as justice may require.
f. All of the above
f. All of the above
Ref.


Under HIPAA, a covered entity is required to disclose Protected Health Information (PHI) when:
a. the disclosure is requested by the police department
b. a subpoena signed by an attorney is received
c. the disclosure is required by medical staff bylaws
d. the Secretary of DHHS requests the information
d. the Secretary of DHHS requests the information


A privacy professional is reviewing a program for an academic medical center that includes a faculty group practice, hospital, student health center, and self-funded group health plan. The privacy professional should evaluate if the program has notices for:
a. GINA
b. FMLA
c. HIPAA
d. FISMA
b. HIPAA


A health system implemented an EHR in 55 clinics. The privacy professional is told employees are inconsistently interpreting the policy addressing employee access to the EHR. Which of the following is the privacy professional's BEST strategy?
a. Collaborate with HR to ensure appropriate discipline
b. Perform an audit under Attorney-Client Privilege
c. Conduct surveys of clinic employees' concerns
d. Audit a random sampling of clinics across the organization
c. Conduct surveys of clinic employees' concerns


A privacy professional is assisting IT with the development of proper controls to protect the privacy of the organization's data. Which of the following is an employee-related control?
a. Breach response procedures
b. Annual evaluations
c. Contractual requirements
d. User passwords
d. User passwords


The primary purpose of a privacy exit interview is to:
a. Meet HITECH requirements
b. Prevent whistleblower lawsuits
c. Evaluate for rehire
d. Determine the appropriate discipline
b. Prevent whistleblower lawsuits
Best practice is to conduct these far in advance (don't wait until the last day); spend enough time to collect information and identify any issues for management that could otherwise remain unknown. Exit interviews are part of an effective compliance program. They should be performed by the Compliance Officer. Create a policy to specify the process. Use open-ended questions, including questions such as how their departing experience has been, and whether there are any concerns, issues, or violations the employee would like to raise for management to address, etc. Exit interviews have the potential to change the workplace culture for the better!


An employee responsible for quality assurance reviews was terminated for inappropriately accessing sensitive information of a health plan beneficiary. The employee appealed the decision, stating a colleague received a verbal warning for similar conduct just last month. Which of the following is the responsibility of the privacy official?
a. Ensure disciplinary action is imposed
b. Develop corrective action for each disciplined employee
c. Monitor disciplinary action consistently
d. Document disciplinary action for all substantiated complaints
c. Monitor disciplinary action consistently


To provide patients with appointment reminders, an organization should:
a. Confirm the appointment with the treating physician
b. Speak directly with the patient regarding future ap

Institution
HCCA CHC/CHPC
Course
HCCA CHC/CHPC

Preview of the content

https://www.stuvia.com/user/profgoodluck



HCCA CHC/CHPC Compliance Exam Study
Test bank (Latest 2026/2027 Release) –
Q&A |100% correct

What is the purpose of HIPAA?
• Protect PHI from unauthorized disclosure/use;
• Prevent fraud, waste and abuse (via Administrative Simplification);
• Make health insurance portable under ERISA;
• Move health care onto a nationally standardized electronic billing platform

Ref. https://quizlet.com/6202453/hcca-chpc-overview-flash-cards/
More on HIPAA: https://www.hhs.gov/hipaa/index.html


HIPAA resides in which CFR section?
45 CFR sections 164.102 through 164.534

https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164


What are the subparts of HIPAA part 164?
HIPAA - 45 CFR 164, subparts:
Subpart A - General rules
Subpart C - Security
Subpart D - Breach notification
Subpart E - Privacy

https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164


How do you determine if an organization is a "Covered Entity"?
1. Check whether the organization is one of the 3 types of CE (provider, health plan,
clearinghouse),
and
2. determine whether the organization electronically transmits one of the 9 defined transactions:
• Health claims or equivalent encounter information
• Health claims attachments
• Enrollment and disenrollment in a health plan
• Eligibility for a health plan
• Health care payment and remittance advice
• Health plan premium payments
• First report of injury
• Health claim status
• Referral certification and authorization

In addition, business associates of covered entities must follow parts of the HIPAA
regulations.
https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html


This Act established in 1974 was created for government agencies placing restrictions on
how the government can share the information maintained in Federal systems of records
that might infringe on an individual's privacy rights with other individuals and agencies.
The Privacy Act of 1974


Which of the following is not considered a HIPAA Entity Designation:
1. Affiliated covered entity
2. Entity that performs healthcare and non-healthcare component activities including both
covered and non-covered functions
3. A group health plan
4. Contract arrangement with FEDEX carrier
4. Contract arrangement with FEDEX carrier


What is Gramm-Leach-Bliley Act (GLBA)?
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of
1999, includes the Financial Privacy Rule and the Safeguards Rule, which require all financial
institutions to protect customers' personal financial information.


What is an OHCA?
An OHCA (Organized Health Care Arrangement) is a clinically integrated care setting in which individuals typically receive health care from more than one health care provider (e.g., a hospital and its medical staff). See 45 CFR 160.103.
These are joint arrangements/activities with an integrated delivery system that allows PHI to be exchanged among the participants. Participants in an OHCA may use a joint NPP. See 45 CFR § 164.520(d).

An ACE (Affiliated Covered Entity) does not have an integrated delivery system; it consists of legally separate covered entities that are under common ownership or control.

Both the OHCA and the ACE allow sharing of PHI across participating entity lines for treatment, payment and health care operations purposes (TPO).


What's an ACE?
ACE (Affiliated Covered Entity)
Legally separate covered entities under common ownership or control that designate themselves as a single CE for purposes of complying with the HIPAA Privacy and Security standards (45 CFR § 164.105(b)).
ACEs do not have an integrated delivery system, while OHCAs do. Each may operate under one NPP: the ACE because it is treated as a single covered entity, the OHCA through a joint notice under 45 CFR § 164.520(d).

ACE example: a health system composed of several affiliated hospitals.

Both the OHCA and the ACE allow sharing of PHI across participating entity lines for treatment, payment and health care operations purposes (TPO).

What's a Hybrid Entity?
A single legal entity that performs both covered functions (health care functions) and non-covered functions (other business functions) and elects to designate itself a "hybrid entity."

For instance, a university system that operates an academic medical center.
The academic (non-health care) components do NOT need to comply with HIPAA.
The designated health care component (the medical center, and any research function that performs covered functions) must comply with the HIPAA provisions protecting the use and disclosure of PHI.
The hybrid entity must also ensure that the health care component does not disclose PHI to its non-health care components except as the Privacy Rule would permit between separate entities (45 CFR § 164.105(a)(2)(ii)).

https://www.hhs.gov/hipaa/for-professionals/faq/315/when-does-a-covered-entity-have-discretion-to-determine-covered-functions/index.html#:~:text=For%20example%2C%20a%20hybrid%20entity,hybrid%20entity's%20health%20care%20component.

https://privacyruleandresearch.nih.gov/pr_06.asp


The transmission of information between two parties to carry out financial or
administrative activities related to health care is called:
Transaction (healthcare transaction).

A few examples of health care transactions:
health care claims;
coordination of benefits;
health plan premium payments;
health care payment and remittance advice (including EFT, electronic funds transfer);
referral certification and authorization


What are examples of a BA?
BA (Business Associate) - performs functions or activities on behalf of a covered entity that
involve access by the business associate to protected health information.
Examples:
claims processing
data analysis
billing
benefit management
quality assurance
quality improvement
practice management
legal
actuarial
accounting
accreditation
other administrative services
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html


True or False:
A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient's medical chart for treatment purposes.
TRUE

Disclosures to a health care provider for treatment of the individual are excluded from the business associate contract requirement (45 CFR § 164.502(e)(1)(ii)(A)); the specialist is acting as a provider in his or her own right, not performing a function on the hospital's behalf. Remember also that use and disclosure of PHI for TPO purposes requires no specific authorization.


True or False:
Business Associates After HITECH:
HITECH made business associates directly liable for compliance with the applicable HIPAA Security Rule and Privacy Rule provisions, and directly subject to HIPAA penalties, where previously they were bound only by their contracts with covered entities.
TRUE

Even if no written contract exists between the covered entity and a contracted company
performing services related to handling PHI in some form, the company is deemed a
business associate by law. This deemed status essentially classifies contracted vendors or
individuals as business associates solely by the nature of the services they provide to a
covered entity, regardless of whether they intended to be classified as business associates
or were aware of their status as such. HIPAA and HITECH may hold these vendors to
business associate obligations as long as they act as business associates.

Likewise, a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a
business associate is a business associate. A subcontractor of a subcontractor is a business
associate as well, and so on down the line.

Ref. 2023 HCCA Complete Healthcare Compliance Manual
Ref. HITECH Act and OCR's 2013 final rule


True or False:
Under HIPAA and HITECH, individuals or entities who have been identified as business associates are obligated to enter into a business associate agreement with their contracted covered entities.
TRUE

The business associate agreement is mandated by the HIPAA Privacy Rule (45 CFR § 164.502(e)). There are some exceptions, such as:
- disclosures to a health care provider for treatment of the individual
- disclosures by a group health plan (or its insurer/HMO) to the plan sponsor, as permitted by 45 CFR § 164.504(f)
- disclosures by a government health plan to another government agency for eligibility or enrollment determinations
- services that involve no use or disclosure of PHI (e.g., building maintenance), because such vendors are not business associates at all




Except for TPO, list two examples where a CE requires an authorization to use/disclose PHI
1. Sales and marketing
2. Psychotherapy notes

Seller: EliteStudyDocs, Rasmussen College