Questions and Verified Answers | 2023/2024
QUESTION
What is a Controlling Health Plan (CHP)?
Answer:
A health plan that controls its own business activities, actions, or policies (or is controlled by an entity that is not a health plan) and that, if it has one or more subhealth plans (SHPs), exercises enough control over them to direct their business activities, actions, or policies.
Example: a state Medicaid program is the CHP, and a local administrator of that program would be the SHP.
Re: HCCA Privacy Compliance Handbook
QUESTION
Describe what to do with a "required" implementation specification
Answer:
Implement the specification as presented
QUESTION
Describe what to do with an "addressable" implementation specification
Answer:
Assess whether the specification is reasonable and appropriate for the entity. If it is, implement it as presented; if it is not, document why, and implement an equivalent alternative measure where one is reasonable and appropriate.
QUESTION
Designated Record Set (DRS) - includes:
Answer:
A group of records maintained by or for a covered entity that comprises:
1. medical and billing records about individuals (maintained by or for a covered health care provider)
2. enrollment, payment, claims adjudication, and case or medical management records (maintained by or for a health plan)
3. any other records used, in whole or in part, by or for the covered entity to make decisions about individuals
QUESTION
Designated Record Set (DRS) - records excluded from DRS:
Answer:
Administrative data (audit trails, appointment schedules, and similar records that do not embed PHI).
Incident reports.
Quality Assurance Data.
Statistical reports.
QUESTION
How are medical records stored on DVD destroyed?
Answer:
By physically destroying the disc (shredding or cutting) so the data cannot be recovered.
QUESTION
Give a few examples of permitted uses or disclosures of PHI other than for TPO:
Answer:
Public health activities, research, averting a serious threat to health or safety, organ/tissue donation, information about decedents, and workers' compensation.
QUESTION
Give examples of administrative safeguards
Answer:
• Policies and procedures
• Training and education
• Designation of individuals (Ex. Security Officer)
• Contingency Planning
QUESTION
Give examples of physical safeguards
Answer:
• Facility security or access plan
• Disposal processes and media reuse
• Data backup and storage
QUESTION
Give examples of technical safeguards
Answer:
• Passwords
• Encryption
• Auto Log Off
• Unique User Identification
QUESTION
HIPAA "consent" and "authorization" have key differences. What are they?
Answer:
Consent is optional: a covered entity may choose to obtain it for uses and disclosures for TPO, but the Privacy Rule does not require it. Authorization is the written permission the Privacy Rule requires for uses and disclosures that are not otherwise permitted or required by the Rule (for example, most marketing, the sale of PHI, and most uses of psychotherapy notes).
https://www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html
QUESTION
What is the primary difference between HIPAA authorization and Right of Access? (regarding
disclosure)
Answer:
A disclosure made under a HIPAA authorization is a PERMITTED disclosure (the covered entity may disclose).
A disclosure under the Right of Access is a REQUIRED disclosure (the covered entity must give the individual access to their PHI in the designated record set).
https://www.law.cornell.edu/cfr/text/45/164.524
QUESTION
What is excluded from the Right of Access?
Answer:
1. any information that is not part of the Designated Records Set
2. Psychotherapy notes/records (see 45 CFR 164.524(a)(1)(i) and 164.501)
3. Records gathered in anticipation of, or for use in, a civil, criminal, or administrative action or
proceeding (45 CFR 164.524(a)(1)(ii))
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
QUESTION
HIPAA Civil Penalties
Answer:
Tier 1, did not know (and could not reasonably have known): $100 to $50,000 per violation
Tier 2, reasonable cause (not willful neglect): $1,000 to $50,000 per violation
Tier 3, willful neglect, corrected within 30 days: $10,000 to $50,000 per violation
Tier 4, willful neglect, not corrected within 30 days: $50,000 per violation
Annual cap: $1.5 million for all violations of an identical provision (statutory HITECH amounts; HHS adjusts them for inflation each year)
QUESTION
HIPAA Criminal Penalties
Answer:
Knowingly obtaining or disclosing PHI: up to 1 year in prison and/or a fine of up to $50,000
Offense committed under false pretenses: up to 5 years and/or up to $100,000
Offense committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm: up to 10 years and/or up to $250,000