CHPC - HIPAA - 1-20. Top Questions and answers, verified.

CHPC - HIPAA - 1-20. Top Questions and answers, verified. HIPAA Regs: What subpart in Part 164 deals with Privacy - -Subpart E: Hint: Privacy....Privac-E HIPAA Regs: What subpart in Part 164 deals with Breach Notifications - -Subpart D: "D"arn it! We have a breach! HIPAA Regs: What subpart in Part 164 deals with Security - -Subpart C: Hint: "C"-curity What are the 3 components that make up security? - -Confidentiality Integrity Availability What's wrong with this statement, "We need to identify if this breach is reportable?" - -All breaches are reportable. When is the deadline for reporting breaches to the Secretary - -• For breaches affecting 500 or more: 60 days from discovery. • For breaches affecting less than 500: By the 60th day of the year following when the breach was discovered. Covered Entities and their Business Associates must comply with the all of the Security and Privacy Rules - True or False - -False as Business Associates are not required to comply with all of the Privacy Rules. 8. The designated privacy official and the designated security official under HIPAA must be different individuals. - -False as the same official may be designated both roles. A health care provider has how long to redistribute its Notice of Privacy Practice to established patients after making a material - -There is no such requirement for a health care provider as making such a change does not include a requirement to redistribute the Notice of Privacy Practices. Encryption is required under HIPAA - True or False - -False. It is an addressable implementation specification. The difference between an addressable and a required implementation specification - -• Required - the specification must be implemented • Addressable - Either implement the specification or an equivalent alternative measure What are the four impermissibles - -Access Acquisition Use Disclosure When does the 60 day "clock" begin for breach notifications? - -When the "impermissible" is discovered by the Covered Entity What is the record retention period for HIPAA related work product? - -6 years A Security Risk Analysis must be done annually for a Covered Entity to comply with the Privacy Rules. - True or False - -False as the Risk Analysis is not required annually and the risk analysis is part of the Security Rules. PHI stands for - -Protected Health Information What is the timeframe requirement to train new employees about HIPAA? - -"within a reasonable period of time after the person joins the covered entity's workforce. A covered entity may use or disclose PHI for TPO...what does TPO stand for - -Treatment Payment Operations What rights of an individual must be contained in the Notice of Privacy Practices - -The right to request restrictions on certain