IAPP Questions with 100% Correct Answers
Protected Health Information (PHI) Correct Answer: Individually identifiable
health information that: is transmitted or maintained in any form or medium
(electronic, paper or oral); is held by a covered entity or its business
associate; identifies the individual or provides a reasonable basis to identify
them; is created or received by a covered entity or employer; and relates to the
individual's past, present or future physical or mental health condition, the
provision of healthcare, or payment for healthcare.
Electronic Protected Health Information (ePHI) Correct Answer: PHI that is
transmitted by or maintained in electronic media (hard drives, removable disks,
memory cards, network transmissions). Paper records, faxes sent from paper and
voice telephone conversations are not ePHI, so they fall outside the Security
Rule (they remain subject to the Privacy Rule).
Entities directly covered under HIPAA ("covered entities") include: Correct Answer: i.
Healthcare providers that conduct certain transactions (e.g., claims) in electronic form
ii. Health plans
iii. Healthcare clearinghouses
(Business associates became directly liable for Security Rule and certain
Privacy Rule obligations under HITECH.)
Business Associate Correct Answer: A person or entity that, on behalf of a
covered entity, performs or assists in performing a function or activity
involving the use or disclosure of individually identifiable health information
(e.g., claims processing, billing, data analysis).
Exceptions to HIPAA Privacy Rule Notice Requirement Correct Answer: A provider
with only an "indirect treatment relationship" with the individual need not
provide the notice of privacy practices; in an emergency treatment situation,
notice may be deferred until reasonably practicable after the emergency.
Primary Enforcer of HIPAA Correct Answer: Office for Civil Rights (OCR) within HHS
(state attorneys general may also bring civil actions under HITECH).
Exceptions to HIPAA Privacy Rule (uses and disclosures without individual
authorization) Correct Answer: 1 - De-identification (strip the listed identifiers
under the "safe harbor" method, or have an expert certify that the risk of
re-identification is very small)
2 - Research (if an institutional review board or privacy board grants a waiver,
finding the use consistent with the Privacy Rule)
3 - Public health activities; reporting of abuse, neglect or domestic violence;
judicial and administrative proceedings; law enforcement activities
HIPAA Security Rule (what is covered and what is the standard) Correct Answer:
Covers ePHI only; the standard is "reasonableness."
The Security Rule is technology-neutral and scalable: covered entities may use
"any security measures that allow [them to] reasonably and appropriately
implement the" standards, taking into account their size, complexity,
technical infrastructure, costs and the risks to ePHI. Its administrative,
physical and technical safeguards each contain "required" and "addressable"
implementation specifications.
Health Information Technology for Economic and Clinical Health Act (HITECH) -
Notice of Breach Correct Answer: An impermissible acquisition, access, use or
disclosure of unsecured PHI is presumed to be a breach; the burden is on the
covered entity/business associate to demonstrate a low probability that the PHI
was compromised (four-factor risk assessment). The rule applies only to
"unsecured" PHI, i.e., PHI not encrypted or destroyed per HHS guidance, so a
lost device whose data is properly encrypted is not a reportable breach.
Notify affected individuals without unreasonable delay and no later than 60
days after discovery.
Breach affecting 500 or more individuals --> notify HHS contemporaneously
(fewer than 500: log and report to HHS annually)
Breach affecting 500 or more residents of the same state or jurisdiction -->
notify prominent media outlets
Fair Credit Reporting Act (FCRA) regulates who? Correct Answer: Primarily a
"consumer reporting agency" (CRA) that furnishes a "consumer report" used to
establish a consumer's eligibility for credit, insurance, employment or another
permissible purpose; FCRA also imposes duties on furnishers of data to CRAs and
on users of consumer reports.
Users of consumer reports must meet which 4 requirements under FCRA? Correct
Answer: i. Accuracy - third-party data used for decisions must be accurate,
current and complete
ii. Notice - consumers must be notified when third-party data is used to make
adverse decisions about them (adverse action notice)
iii. Permissible purpose - consumer reports may be used only for permissible
purposes
iv. Access - consumers must have access to their consumer reports and an
opportunity to dispute them or correct errors
Who enforces FCRA Correct Answer: Shared federal responsibility for enforcement
between the FTC and the CFPB (the CFPB holds rulemaking authority since
Dodd-Frank); state attorneys general may also enforce.
FCRA required Notice from CRA to Users: Correct Answer: A CRA must provide each
user with a "Notice to Users of Consumer Reports" setting out the user's
obligations. Users must have a permissible purpose (there are many, e.g.,
credit, employment, insurance, court order) and must certify to the CRA that
the report will be used only for that purpose and for no other.