HCCA - CHPC Study Questions (MASTER FLASHCARDS). Questions and answers. Verified.
1. What are the required core elements of a VALID Authorization? Ref. 45 CFR 164.508(b)
- -
1. Description
2. Purpose use/disclosure
3. Recipient
4. Authorized person making the disclosure
5. Expiration date
6. Signature/dates

38 U.S.C. 7332 deals with confidentiality of patient medical record information related to:
a. drug abuse, sexually transmitted diseases, and tuberculosis
b. HIV/AIDS status
c. drug abuse, alcoholism, infection with the HIV virus, and sickle cell anemia
d. mental illness, HIV status, drug and alcohol abuse
- -c. drug abuse, alcoholism, infection with the HIV virus, and sickle cell anemia

45 CFR 164 - Subpart C outlines the three safeguards to ensure the _____, ____, ____ of ePHI that both CE and BA must implement to ensure compliance and protect against anticipated threats, and/or reasonably anticipated uses/disclosures (incidental/inadvertent/unintentional)
- -Confidentiality, integrity, availability
Note: Accidental - must be reported. An accidental HIPAA violation refers to the unauthorized disclosure of PHI (protected health information) without intent. Despite having safeguards and protective measures in place, there is still a possibility of breaching HIPAA regulations. These types of violations could include an employee accidentally seeing a different patient's medical records, an email being sent to the wrong person, or the loss or theft of a personal device that contains PHI.

A clinic has patient data that an independent researcher would like to access. The researcher only needs de-identified information, but the clinic does not have the resources to strip the patients' identifiers from the data being requested. The researcher does have the resources and offers to remove the identifiers before beginning the research. A privacy official should inform the clinic that it can provide the PHI to the researcher if the clinic:
a. notifies each patient whose information is disclosed
b. modifies the hospital's NPP
c. requires the researcher to obtain waiver of authorization
d. has the researcher show proof of privacy training
- -c. requires the researcher to obtain waiver of authorization

A co-worker is called away for a short errand and leaves the clinic PC logged onto the confidential information system. You need to look up information using a computer. Aside from notifying the appropriate person, what is the best approach you should take?
a. To save time, just continue working under your co-worker's User-ID.
b. Log your co-worker off and re-login under your own User-ID and password.
c. Do nothing.
d. All of the answers.
- -b. Log your co-worker off and re-login under your own User-ID and password.

A Covered Entity may deny an individual access to their PHI under specific circumstances set forth in 45 CFR 164.524 (a)(2). Which of the following doesn't fall under those circumstances?
a. Request for psychotherapy notes
b. if it jeopardizes the health, safety, security, rehab of individual (e.g. inmate's request, suicidal patient)
c. during the course of research/clinical trial
d. to request restrictions of their PHI
- -a. Request for psychotherapy notes
Under the HIPAA Privacy Rule, an individual has the right to request a copy, an amendment and restrictions to their PHI, request confidential communications involving their PHI, and a list of disclosures. See 45 CFR § 164.524 (a)(2)

A covered entity may disclose protected health information (PHI) without a patient's written permission for:
a. Treatment purposes
b. Payment
c. Health care operations activities
d. All of the above
- -d. All of the above (a covered entity may use or disclose PHI for TPO)

A covered entity may use or disclose PHI for TPO... what does TPO stand for?
- -Treatment, Payment, Health Care Operations

A covered entity must designate a ___________________ who is responsible for developing and implementing its security policies and procedures.
a. physician
b. security official
c. police officer
d. custodian
- -b. security official

A covered entity must obtain the patient's written authorization for any use or disclosure of protected health information (PHI) in which circumstances?
a. Marketing activities
b. Research
c. PHI sales and licensing
d. Information sharing needed for treatment
e. A and C only
f. All of the above
- -e. A and C only
Ref. Permitted Uses and Disclosures section

A health care provider wants to disclose protected health information (PHI) about a student to a school nurse or physician. Does the HIPAA Privacy Rule allow this?
Yes. The HIPAA Privacy Rule allows covered health care providers to disclose PHI about students to school nurses, physicians, or other health care providers for treatment purposes, without the authorization of the student or student's parent.
OR
No. The HIPAA Privacy Rule mandates parental consent in this case.
- -Yes! Ref.

A health system implemented an EHR in 55 clinics. The privacy professional is told employees are inconsistently interpreting the policy addressing employee access to EHR. Which of the following is the privacy professional's BEST strategy?
a. Collaborate with HR to ensure appropriate discipline
b. Perform an audit under Attorney-Client Privilege
c. Conduct surveys of clinic employees concerns
d. Audit a random sampling of clinics across the organization
- -c. Conduct surveys of clinic employees concerns

A HIPAA Valid Authorization must include all 6 core elements and 3 required statements; lack of any of these elements would be considered a _________ authorization.
- -Defective Authorization. For instance:
(i) The authorization expiration date has passed or the expiration event is known by the covered entity to have occurred;
(ii) The authorization has not been filled out completely (missing core elements and required statements);
(iii) The authorization is known by the covered entity to have been revoked;
(iv) The authorization violates provision of a compound or prohibition on conditioning of authorizations if applicable;
(v) Any material information in the authorization is known by the covered entity to be false.
Ref. 45 CFR 164.508(b)(2)

A photo of a nurse doing a procedure on a patient in the hospital has been posted on a social networking site. HR has identified the nurse in the photo and the patient. HR asks the privacy professional for a recommendation for disciplinary action. Before providing a recommendation, the privacy professional should determine if the
a. 60-day timeline for reporting the breach to DHHS has lapsed
b. photo was posted during work hours or an unpaid break
c. nurse was aware that she was being photographed
d. patient says they gave permission for the photo
- -c. nurse was aware that she was being photographed

A privacy professional has been notified that there had been a data breach of a clinical system containing PHI. Which of the following is the source of the notification requirements?
a. FERPA Provisions
b. HIPAA Security Rule
c. HITECH Act
d. Privacy Act
- -c. HITECH Act
Remember, HITECH was signed into law as part of ARRA 2009 to promote adoption of meaningful use

A privacy professional is assisting IT with the development of proper controls to protect the privacy of the organization's data. Which of the following is an employee-related control?
a. Breach response procedures
b. Annual evaluations
c. Contractual requirements
d. User passwords
- -d. User passwords

A privacy professional is preparing an education session in follow-up to a recent increase of lost or misplaced thumb drives that may have contained PHI including patient SSNs. Which of the following would be the MOST beneficial for the privacy professional to review when preparing the education session?
a. GINA
b. HITECH

Document information
- Institution: HCCA - CHPC
- Course: HCCA - CHPC
- Uploaded on: August 11, 2023
- Number of pages: 72
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers