Ch 7 - Medical Privacy Flashcards

1
Q

The Health Insurance Protection and Accountability Act (HIPAA):

a. Does not preempt stricter state privacy laws
b. Preempts state laws
c. Preempts all state and federal privacy laws
d. None of the above

A

a. Does not preempt stricter state privacy laws

2
Q

HIPAA only applies to:

a. All entities who store any kind of personal health information
b. All entities who transmit any kind of personal health information
c. Covered entities such as healthcare providers, insurers, and business associates who receive data from covered entities
d. None of the above

A

c. Covered entities such as healthcare providers, insurers, and business associates who receive data from covered entities

3
Q

The Confidentiality of Substance Use Disorder Patient Records Rule:

a. Covers disclosure and use of patient identifying information by alcohol and drug abuse treatment programs
b. Restricts use of personal information that could be used against a patient concerning their criminal use of alcohol or drugs
c. Applies to any program that receives federal funding
d. All of the above

A

d. All of the above

4
Q

A condition under which entities other than those defined as a “program” under the Confidentiality of Substance Use Disorder Patient Records Rule may be subject to the regulation is:

a. They are subject to the 1974 Privacy Act
b. A state licensing agency requires them to comply
c. The President has asked them to comply
d. None of the above

A

b. A state licensing agency requires them to comply

5
Q

The Confidentiality of Substance Use Disorder Patient Records Rule defines “program” as:

a. An individual or entity who provides alcohol or substance abuse diagnosis, treatment, or referral for treatment
b. An identified unit within a general medical facility that provides alcohol or substance abuse diagnosis, treatment, or referral for treatment
c. Medical personnel or other staff in a general medical facility whose primary function is provision of alcohol or substance abuse diagnosis, treatment, or referral for treatment
d. All of the above

A

d. All of the above

6
Q

A condition under which entities other than those defined as a “program” under the Confidentiality of Substance Use Disorder Patient Records Rule may be subject to the regulation is:

a. They are subject to the 1974 Privacy Act
b. They are asked to comply by the state attorney general
c. A clinician uses controlled substances for detoxification, requiring licensing through the U.S. Drug Enforcement Administration (DEA)
d. None of the above

A

c. A clinician uses controlled substances for detoxification, requiring licensing through the U.S. Drug Enforcement Administration (DEA)

7
Q

When is redisclosure of information obtained from a program prohibited under the Confidentiality of Substance Use Disorder Patient Records Rule?

a. When it would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment
b. Only when it would identify an individual whose drug abuse was related to criminal activity
c. Only when it would directly identify an individual who has been diagnosed, treated, or referred for treatment
d. None of the above

A

a. When it would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment

8
Q

Which of the following is an exception to consent requirements under the Confidentiality of Substance Use Disorder Patient Records Rule?

a. Routine doctor visits, dental exams, and school registrations
b. Scientific research, medical emergencies, and audits and evaluations
c. Service vendors that supply weekly linens, crimes that occurred prior to the patient entering the program
d. All of the above

A

b. Scientific research, medical emergencies, and audits and evaluations

9
Q

A consent form to disclose a “general designation” for information subject to the Confidentiality of Substance Use Disorder Patient Records Rule:

a. May allow disclosure to either individuals or entities that have a treating provider relationship with the patient
b. Allows the consumer to receive a list of entities to whom their information has been disclosed
c. Must explicitly describe the type of information being disclosed
d. All of the above

A

d. All of the above

10
Q

Which of the following is an exception to consent requirements under the Confidentiality of Substance Use Disorder Patient Records Rule?

a. Routine doctor visits, dental exams, and school registrations
b. Food service vendors, law enforcement requests for petty theft
c. Communications with qualified service organizations, crimes on program premises or against program personnel
d. All of the above

A

c. Communications with qualified service organizations, crimes on program premises or against program personnel

11
Q

Which of the following includes exceptions to consent requirements under the Confidentiality of Substance Use Disorder Patient Records Rule?

a. Routine doctor visits, dental exams, and school registrations
b. Child abuse reporting, and court orders
c. Security guard service, law enforcement requests for petty theft
d. All of the above

A

b. Child abuse reporting, and court orders

12
Q

Violations of the Confidentiality of Substance Use Disorder Patient Records Rule:

a. May result in fines from $500 to $5,000 per offense
b. Are considered criminal
c. Are reported to the U.S. Attorney’s Office
d. All of the above

A

d. All of the above

13
Q

Under HIPAA, ePHI is any protected health information that is:

a. Only sent in an email
b. Only provided over a public network
c. Transmitted or maintained in electronic media
d. None of the above

A

c. Transmitted or maintained in electronic media

14
Q

Which of the following is not considered ePHI under HIPAA?

a. PHI transmitted over fax communications
b. PHI stored on a computer hard drive
c. PHI stored on a digital memory card
d. PHI transmitted through an email

A

a. PHI transmitted over fax communications

15
Q

Which of the following is not considered an entity covered under HIPAA?

a. Healthcare providers that conduct certain transactions in electronic form
b. Healthcare providers who only accept cash or credit cards for full payment
c. Health insurers
d. Healthcare clearinghouses

A

b. Healthcare providers who only accept cash or credit cards for full payment

16
Q

Which of the following is included in the HIPAA definition of protected health information (PHI) for individually identifiable health information?

a. Transmitted or maintained in any form or medium
b. Held by a covered entity or its business associate
c. Identifies the individual or offers a reasonable basis for identification
d. All of the above

A

d. All of the above

17
Q

Under the HIPAA Privacy Rule, a Business Associate is:

a. Any person or organization that performs services or activities for, or on behalf of, a covered entity when the services involve the use or disclosure of PHI
b. Any organization, including its employees, that performs services or activities for, or on behalf of, a covered entity when the services involve the use of PHI
c. Any person or organization, or its employees, that performs services or activities on behalf of a covered entity when the services involve the disclosure of PHI
d. None of the above

A

a. Any person or organization that performs services or activities for, or on behalf of, a covered entity when the services involve the use or disclosure of PHI

18
Q

Which of the following is included in the HIPAA definition of protected health information (PHI) for individually identifiable health information?

a. Created or received by a covered entity or an employer
b. Relates to a past, present or future physical or mental condition
c. Relates to provision of health care or payment for health care to that individual
d. All of the above

A

d. All of the above

19
Q

Under which of the following circumstances are health service providers not required to provide a privacy notice under HIPAA?

a. The healthcare provider offers standard routine treatments
b. The treatment relates to a past mental condition
c. The healthcare provider has an indirect relationship with the patient
d. All of the above

A

c. The healthcare provider has an indirect relationship with the patient

20
Q

Under which of the following circumstances are health service providers not required to provide a privacy notice under HIPAA?

a. Treatment for a physical to qualify for playing a sport
b. Treatment for a medical emergency
c. Treatment related to a chronic physical condition
d. All of the above

A

b. Treatment for a medical emergency

21
Q

HIPAA authorizes the use and disclosure of PHI for essential healthcare purposes including:

a. Treatment
b. Payment
c. Operations
d. All of the above

A

d. All of the above

22
Q

The HIPAA Security Rule applies to the protection of:

a. All PHI created, received, used, or maintained by covered entities
b. All PHI created, received, used, or maintained by both covered entities and individuals
c. All ePHI or electronic PHI that is created, received, used, or maintained by covered entities
d. None of the above

A

c. All ePHI or electronic PHI that is created, received, used, or maintained by covered entities

23
Q

A focus of the HIPAA Security Rule is on:

a. Preventing the unauthorized use or disclosure of PHI
b. Preventing inefficient operations when disclosing PHI
c. Increasing public awareness of best practices for protecting their PHI
d. None of the above

A

a. Preventing the unauthorized use or disclosure of PHI

24
Q

A focus of the HIPAA Security Rule is on:

a. Increasing public awareness about their rights under HIPAA
b. Preventing inefficient operations when disclosing ePHI
c. Maintaining the integrity and availability of ePHI
d. None of the above

A

c. Maintaining the integrity and availability of ePHI

25
Q

Administrative requirements for compliance with HIPAA Privacy Rule include:

a. Designation of a privacy official
b. Development and implementation of privacy protections
c. Trained personnel and complaint procedures
d. All of the above

A

d. All of the above

26
Q

The primary enforcer of the HIPAA Privacy Rule is:

a. Office of Civil Rights, in Health and Human Services
b. Privacy Unit, Federal Trade Commission
c. U. S. Medical Board
d. None of the above

A

a. Office of Civil Rights, in Health and Human Services

27
Q

The primary enforcer of the HIPAA Privacy Rule with criminal enforcement authority is:

a. Office of Civil Rights, in Health and Human Services
b. Department of Justice
c. Privacy Unit, Federal Trade Commission
d. None of the above

A

b. Department of Justice

28
Q

Limits on the scope of the HIPAA Privacy Rule that do not require consent for the organization to share include:

a. De-identified personal information
b. Research that is consistent with Privacy Rule requirements
c. Public health activities
d. All of the above

A

d. All of the above

29
Q

For investigations of compliance with privacy rules, who is an organization required to release PHI to?

a. State Attorney General
b. U. S. Attorney General
c. Secretary of HHS
d. None of the above

A

c. Secretary of HHS

30
Q

The HIPAA Security Rule allows organizations to forgo compliance with addressable implementation specifications under which of the following circumstances?

a. The entity has assessed that it is not an appropriate safeguard to adopt, and has documented why it is not reasonable, and any alternative measures adopted
b. The entity has assessed that it is not an appropriate safeguard to adopt, and has sent a detailed letter explaining why to the Secretary of HHS
c. The entity does not believe it is profitable to adopt the measure
d. None of the above

A

a. The entity has assessed that it is not an appropriate safeguard to adopt, and has documented why it is not reasonable, and any alternative measures adopted

31
Q

Limits on the scope of the HIPAA Privacy Rule that do not require consent for the organization to share include:

a. To report victims of abuse, neglect, or domestic violence
b. Information used in judicial and administrative proceedings
c. Information used in certain law enforcement activities, and for certain governmental functions
d. All of the above

A

d. All of the above

32
Q

Which of the following is not a requirement of the HIPAA Security Rule for an organization?

a. Conducting initial and ongoing risk assessments
b. Conducting background checks on all employees with direct access to ePHI
c. Implementing security awareness training for its workforce and disciplining those who do not comply
d. All of the above are requirements

A

b. Conducting background checks on all employees with direct access to ePHI

33
Q

In reviewing applicable state laws, particular attention should be paid to:

a. Additional patient rights
b. Added uses or disclosures for PHI
c. Shortened deadlines for action
d. All of the above

A

d. All of the above

34
Q

Organizations must consider which of the following when developing a security program that is compliant with the HIPAA Security Rule?

a. Size, complexity and capabilities of the covered entity
b. Technical infrastructure, hardware, and software security capabilities
c. Costs of security measures
d. All of the above

A

d. All of the above

35
Q

When HITECH was enacted in 2009, it incentivized healthcare providers to:

a. Create better filing systems for paper records
b. Adopt electronic health records
c. Extend billing periods to allow delayed payments
d. All of the above

A

b. Adopt electronic health records

36
Q

Organizations must consider which of the following when developing a security program that is compliant with the HIPAA Security Rule?

a. Technical infrastructure
b. Hardware and software security capabilities
c. Probability and criticality of potential risks to ePHI
d. All of the above

A

d. All of the above

37
Q

In the event of unauthorized acquisition, access, use or disclosure of information, under which of the following conditions is a breach notification not required?

a. The covered entity would be under financial hardship to notify the affected individuals
b. The covered entity is a type of business for which HITECH provides an exemption
c. The covered entity demonstrates through a risk assessment that there is low probability that the security or privacy of the information has been compromised
d. All of the above

A

c. The covered entity demonstrates through a risk assessment that there is low probability that the security or privacy of the information has been compromised

38
Q

Who has the burden of proof for showing that an impermissible use or disclosure did not constitute a data breach under HITECH?

a. The covered entity or business associate
b. The secretary of HHS
c. The state attorney general
d. None of the above

A

a. The covered entity or business associate

39
Q

Which of the following are requirements for breach notification by a covered entity?

a. Must notify affected individuals within 60 days of discovery
b. Must notify HHS immediately when 500 or more people are affected
c. Must notify the media if 500 or more people are affected within the same jurisdiction
d. All of the above

A

d. All of the above

40
Q

The term ‘limited data set’ under HITECH refers to:

a. PHI that includes direct identifiers of the individual
b. PHI that includes indirect identifiers of the individual
c. Expanded PHI that includes all available information on an individual
d. None of the above

A

a. PHI that includes direct identifiers of the individual

41
Q

As part of the disclosure requirements of HIPAA, covered entities must provide a requesting individual with a copy of their electronic health records (EHRs) and must account for all non-oral disclosures made within __________ of the request.

a. 1 year
b. 2 years
c. 3 years
d. 5 years

A

c. 3 years

42
Q

Which of the following pieces of legislation were amended by GINA?

a. Federal Housing Act (HIPAA), Social Security Act, and Civil Rights Act
b. Federal Trade Act, Social Security Act, and Civil Rights Act
c. Employee Retirement Income Security Act (ERISA), Social Security Act, and Civil Rights Act
d. All of the above

A

c. Employee Retirement Income Security Act (ERISA), Social Security Act, and Civil Rights Act

43
Q

Which of the following is an amendment to ERISA made by GINA?

a. Prohibits group health plan providers from adjusting premiums on the basis of genetic information after the data subject has been diagnosed with a disease or disorder
b. Prohibits group health plan providers from adjusting premiums on the basis of genetic information when the data subject has no signs of the disease or disorder
c. Prohibits employers from offering health plans that may be more beneficial to people with a predisposition to a certain disease or disorder
d. None of the above

A

b. Prohibits group health plan providers from adjusting premiums on the basis of genetic information when the data subject has no signs of the disease or disorder

44
Q

The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits:

a. Health insurance companies from discriminating on the basis of genetic predispositions
b. Health insurance companies from requesting that applicants receive genetic testing
c. Employers from using genetic information in making employment decisions
d. All of the above

A

d. All of the above

45
Q

Which of the following is an amendment to ERISA made by GINA?

a. Prohibits group health plan providers from adjusting premiums on the basis of genetic information after the data subject has been diagnosed with a disease or disorder
b. Prohibits group health plan providers from requesting or requiring genetic testing in connection with the offering of group health plans
c. Prohibits employers from offering health plans that may be more beneficial to people with a predisposition to a certain disease or disorder
d. None of the above

A

b. Prohibits group health plan providers from requesting or requiring genetic testing in connection with the offering of group health plans

46
Q

Which of the following must be met (and stated in a letter to the HHS secretary) to qualify for the research exception of the GINA amendment to ERISA which allows health plan providers to request voluntary testing in connection with research?

a. Compliance is voluntary
b. Research will have no effect on enrollment or contributions
c. No genetic information will be used for underwriting purposes
d. All of the above

A

d. All of the above

47
Q

Statutory penalties for noncompliance with the GINA amendments to ERISA are:

a. $100 each day of noncompliance for each plan participant or beneficiary
b. No more than $15,000 per day
c. $100 for each day of noncompliance, minus the beginning date and the date the issue was resolved
d. None of the above

A

a. $100 each day of noncompliance for each plan participant or beneficiary

48
Q

GINA amendments to the Public Health Service Act are:

a. Unique from amendments made to other pieces of legislation
b. More favorable for health insurance companies
c. Very similar to those made to the Employee Retirement Income Security Act (ERISA)
d. None of the above

A

c. Very similar to those made to the Employee Retirement Income Security Act (ERISA)

49
Q

Exceptions to the GINA requirement prohibiting employers from requiring or requesting genetic information about employees or family members include when requests are:

a. Inadvertent
b. Part of an employer-offered wellness program with voluntary participation
c. Made to comply with the FMLA of 1993
d. All of the above

A

d. All of the above

50
Q

GINA includes a directive to amend HIPAA to:

a. Exclude genetic information in the scope of health information
b. Include genetic information in the scope of health information
c. Delete the term health information
d. None of the above

A

b. Include genetic information in the scope of health information

51
Q

The parts of GINA that prohibit employers from requiring, requesting, or purchasing genetic information about employees or family members also apply to:

a. Unions and training programs
b. Banks and credit unions
c. Law enforcement
d. All of the above

A

a. Unions and training programs

52
Q

Which of the following best describes how an employer should treat genetic information they have about an employee?

a. The information may be kept with other employee files as long as it is in a locked filing cabinet
b. The information must be kept with other employee files, but must be treated as confidential records
c. The information must be kept on separate forms in separate medical files and treated as confidential employee medical records
d. None of the above

A

c. The information must be kept on separate forms in separate medical files and treated as confidential employee medical records

53
Q

Exceptions to the GINA requirement prohibiting employers from requiring or requesting genetic information about employees or family members include when requests are:

a. Purchased by an employer as part of commercially and publicly available materials that include the information
b. Used for legally required genetic monitoring for toxin exposure in the workplace with voluntary participation
c. Made by the employer to conduct DNA analysis for law enforcement or for quality-control purposes such as identity contamination
d. All of the above

A

d. All of the above

54
Q

A private right of action:

a. Is included in GINA’s provisions for violations
b. Is not included in GINA’s provisions, however, may be included in the amended legislation as well as state laws
c. Is not included in GINA’s provisions or the provisions of the amended legislation
d. None of the above

A

b. Is not included in GINA’s provisions, however, may be included in the amended legislation as well as state laws

55
Q

A commission is mandated by GINA to:

a. Review the developments in the science of genetics and make recommendations for determining any disparate impact cause of action under GINA
b. Review the developments in the science of genetics and make recommendations for furthering the rights of health insurance providers
c. Review the developments in the science of genetics and make recommendations for identifying groups of people who should pay more for health insurance
d. None of the above

A

a. Review the developments in the science of genetics and make recommendations for determining any disparate impact cause of action under GINA

56
Q

The Cures Act exempts information from disclosure under the Freedom of Information Act when it:

a. Has been anonymized
b. May expose the identity of an individual involved in biomedical research
c. The individual is unaware of the information
d. All of the above

A

b. May expose the identity of an individual involved in biomedical research

57
Q

The purpose of the 21st Century Cures Act is to:

a. Expedite the research process for new medical devices and prescription drugs
b. Quicken the process for drug approval
c. Reform mental health treatment
d. All of the above

A

d. All of the above

58
Q

Under what conditions are researchers permitted to remotely view PHI under the Cures Act?

a. When it meets strict organizational policy requirements
b. When it meets the minimum requirements of the FTC’s Safeguards Rule
c. When it meets minimum safeguards consistent with HIPAA’s Privacy and Security Rules
d. None of the above

A

c. When it meets minimum safeguards consistent with HIPAA’s Privacy and Security Rules

59
Q

Which of the following is prohibited from engaging in information blocking under the Cures Act?

a. Health information technology (HIT) providers
b. Health information exchanges (HIEs) or networks
c. Health care providers
d. All of the above

A

d. All of the above

60
Q

Which of the following best describes Information Blocking under the Cures Act?

a. Any conduct that is likely to interfere with the exchange of electronic health information
b. Unreasonable conduct that is likely to interfere with the exchange of electronic health information, in balance with HIPAA’s requirements concerning PHI
c. Conduct that is likely to interfere with the exchange of electronic health information, unless it is beneficial for health care providers
d. None of the above

A

b. Unreasonable conduct that is likely to interfere with the exchange of electronic health information, in balance with HIPAA’s requirements concerning PHI

61
Q

Compassionate sharing of mental health or substance abuse information under the Cures Act is:

a. A mandate for HHS to issue guidance concerning the prohibition of information sharing with family members and caregivers about an adult being treated for substance abuse
b. A mandate for HHS to determine civil penalties for violations of information sharing with family and caregivers
c. A mandate for HHS to issue guidance to HIPAA regarding the conditions under which a covered entity may discuss the treatment of an adult with family members or caregivers
d. None of the above

A

c. A mandate for HHS to issue guidance to HIPAA regarding the conditions under which a covered entity may discuss the treatment of an adult with family members or caregivers

62
Q

The purpose of a certificate of confidentiality required to be issued by the National Institutes of Health (NIH) by the Cures Act is:

a. Issued for federally funded research
b. May be issued at the NIH’s discretion for non-federally funded research
c. Certifies that the research material cannot be used in any legal or administrative proceeding without the consent of the individual involved
d. All of the above

A

d. All of the above

63
Q

An information blocking violation under the Cures Act can result in:

a. Fines up to $1 million
b. Prison time up to 5 years
c. Private right of action
d. All of the above

A

a. Fines up to $1 million