HIM 320 Study Questions with Verified Answers
Graded A+ | Assured Success
PHI (protected health information)
individually identifiable health information transmitted by electronic media, maintained in
electronic media, or transmitted or maintained in any other form or medium
the privacy rule addresses uses and disclosure of information that can be
__________________
identified with a particular individual
note: if the info is generalized and no individual can be associated with it, it is not subject to
HIPAA protection
3-part test to PHI
-must either identify the person or provide a reasonable basis to believe the person could be
identified from the information given
-it must be held or transmitted by a covered entity or its business associate in any form or
medium
-it must relate to one's past, present, or future physical or mental health condition; the provision
of healthcare; or payment for the provision of healthcare
ARRA revision
any individually identifiable health information of a person deceased more than 50 years is no
longer considered PHI under the privacy rule
De-identified health information
information from which personal characteristics have been removed and that, as a result, neither
identifies nor provides a reasonable basis to believe it could identify an individual
note: if information is de-identified, providers can lawfully avoid privacy protection
requirements because de-identified information is not PHI
how to de-identify health information
the CE can remove 18 defined elements to ensure that the patient's information is truly
de-identified. this is the Safe Harbor Method, which might render the data useless. the second
way is to have an expert apply generally accepted statistical and scientific principles and
methods to minimize the risk that the information may be used to identify an individual
if an outside source participates in de-identification of data ______________
the provider must follow the patient authorization and business associate agreements of the
privacy rule
note: there are specific requirements for business associate agreements for de-identification of
data
the disclosure of a means to re-identify de-identified information constitutes:
disclosure of PHI, and is therefore subject to requirements of the privacy rule
although an entity may be covered by the privacy rule _______________
not all the information that entity maintains is covered by the privacy rule
excluded: employment records, including H&P; and education records, including school health
records, which will instead be covered by FERPA (federal education records privacy act)
individuals
-the privacy rule refers to "individuals" as opposed to using the terms "patients" or "clients"
-as defined by the privacy rule, an individual is the person who is the subject of the PHI
personal representative
-those who are legally authorized to act on behalf of another adult, an emancipated minor, an
unemancipated minor, or deceased individual
-treated the same as the individual regarding the disclosure of the individual's PHI
what does the privacy rule allow individuals to do when it comes to their designated record
set?
inspect and obtain a copy of and amend information in their designated record set (DRS),
including information that exists in paper, imaged, and electronic form
what is a designated record set?
a group of records maintained by or for a CE that is:
1. medical and billing records about individuals maintained by or for a covered healthcare
provider
2. enrollment, payment, claims adjudication, and case or medical management record systems