Fundamentals of HIPAA Flashcards
Medical Savings Account (now Health Savings Account) is a means to shelter funds from taxes to pay for
medical expenses.
COBRA (Consolidated Omnibus Budget Reconciliation Act of 1985) helps workers who have coverage with a
group health plan.
Industry-wide standards for health claims bring simplification because
all transactions are the same format and any payer will accept claims.
Health care professionals have generally found that HIPAA has simplified claims submissions.
True
False
True
Choose the correct acronym for Public Law 104-91.
HIPO
HIPPA
HIPAA
HIPPO
HIPAA
Which group is the focus of Title I of HIPAA ruling?
Health plans
What type of health information does the Security Rule address?
Electronic PHI held by a covered entity
Which is the most efficient means to store PHI?
Audiotapes
Electronic storage
Which department would need to help the Security Officer most?
Information Services and Technology
Under HIPAA, providers may choose to submit claims either on paper or electronically.
It depends whether they are a small or large provider
The Department of Health and Human Services (DHHS) is responsible to notify all health care providers of changes in the HIPAA rulings.
True
False
False
The HIPAA Security Officer is responsible for
Group of answer choices
seeing that all facility doors are locked at night.
seeing that there is safe storage for paper medical records.
hiring security guards for the facility.
safeguarding all electronic patient health information.
safeguarding all electronic patient health information.
True or False: With the passage of HIPAA, large health care providers would be treated with faster service since their volume of claims is larger than small rural providers.
False
True or False: Privacy of PHI and security of PHI are the same thing.
False
Which group is not one of the three covered entities?
Group of answer choices
Patients
Health care plans
Health care clearinghouses
Health care providers
Patients
The HIPAA Privacy Rule gives patients assurance that their personal health information will be treated the same no matter which state or organization receives their medical information.
Group of answer choices
True
False
True
During an investigation by the Office for Civil Rights, each provider is expected to have the following EXCEPT
Group of answer choices
business associate contracts with vendors to protect privacy of PHI.
written policy and procedures.
a designated privacy official.
a workforce trained in state law.
a workforce trained in state law.
The Privacy Rule
Group of answer choices
applies only to protected health information (PHI).
establishes policies for covered entities.
details when authorization to release PHI is needed.
No answers are correct.
applies only to protected health information (PHI) and details when authorization to release PHI is needed.
applies only to protected health information (PHI) and details when authorization to release PHI is needed.
Use and disclosure of PHI is permitted without authorization with the EXCEPTION of which of the following?
Group of answer choices
When incidental to a permitted use and disclosure
When releasing process or psychotherapy notes
For public interest and to benefit the public
When releasing to the individual whose health information it is
When releasing process or psychotherapy notes
When there is an alleged violation to HIPAA Privacy Rule
Group of answer choices
an individual may sue the offending health care provider.
an individual may join a class action lawsuit against the provider.
the individual should report the provider to the local county sheriff.
there is no option to sue a health care provider for HIPAA violations.
there is no option to sue a health care provider for HIPAA violations.
Who in the health care organization is responsible to know where the written policies are located regarding HIPAA compliance?
Group of answer choices
Only the HIPAA Officer
Office workers who send electronic PHI
All staff members, paid or not paid
All clinical staff members
All staff members, paid or not paid
A hospital or other inpatient facility may include patients in their published directory
Group of answer choices
for any advertising purpose
only when the patient or family has not chosen to “opt-out” of the published directory.
to announce on a radio station who has been admitted.
so that pharmaceutical organizations may offer the patients special offers on their drugs.
only when the patient or family has not chosen to “opt-out” of the published directory.
The Regional Offices of the Centers for Medicare and Medicaid Services (CMS) is the only way to contact the government about HIPAA questions and complaints.
Group of answer choices
True
False
False
The minimum penalty per incidence for violations that the Office for Civil Rights finds for noncompliance to the Privacy Rule is
Group of answer choices
$100.
$500.
$1,000.
$5,000.
$100
Nursing notes are not considered PHI since they are not physician’s notes and therefore are not protected by HIPAA.
Group of answer choices
True
False
False
Requesting to amend a medical record was a feature included in HIPAA because of
Group of answer choices
increase in theft of medical information for criminal purposes.
possible difference in opinion between patient and physician regarding the diagnosis and treatment.
ease of human entry error when posting patient information.
All answers are correct.
possible difference in opinion between patient and physician regarding the diagnosis and treatment.
Protected health information is an association between a(n)
Group of answer choices
diagnosis and a payer.
individual and a physician.
health care provider and a patient or two businesses.
diagnosis and an individual.
diagnosis and an individual.
According to AHIMA report, the most common problem that health care providers face in relation to PHI is
Group of answer choices
complying with BA provisions.
confusion about the NOPP provisions.
releasing information to relatives of patients.
lack of a standardized process to release PHI.
lack of a standardized process to release PHI.
Insurance companies who provide automobile and life insurance come under the HIPAA ruling as covered entities.
Group of answer choices
True
False
False
Consent as defined by HIPAA is for
Group of answer choices
permission to reveal PHI for payment of services provided to a patient.
permission to reveal PHI for comprehensive treatment of a patient.
permission to reveal PHI for normal business operations of the provider’s facility.
All answers are correct.
All answers are correct.
A covered entity does not have to disclose PHI to the Office for Civil Rights if they come to investigate a complaint. That is not allowed by HIPAA law.
Group of answer choices
True
False
False
If a medical office does not use electronic means to send its insurance claims, it is considered a covered entity.
Group of answer choices
True
False
False
An emancipated minor is
Group of answer choices
a person younger than 21 who lives independently and is self-supporting.
a person younger than 18 who is married or divorced and possesses decision-making rights.
a person younger than 16 who lives independently and is self-supporting.
a person younger than 18 who is totally self-supporting and possesses decision-making rights.
a person younger than 18 who is totally self-supporting and possesses decision-making rights.
What specific government agency receives complaints about the HIPAA Privacy ruling?
Group of answer choices
Centers for Medicare and Medicaid Services
Department of Health and Human Services
Department of Justice
Office for Civil Rights
Office for Civil Rights
It is possible for a first name and zip code to be considered individually identifiable health information (IIHI).
Group of answer choices
True
False
False
For individuals requesting to amend their medical record
Group of answer choices
the replaced portion of the record is destroyed.
the provider has the option to reject the amendment.
there is a new file made just for the amendment.
it is not possible without a court order.
the provider has the option to reject the amendment.
Financial records fall outside the scope of HIPAA.
Group of answer choices
True
False
False
In HIPAA usage, TPO stands for treatment, payment, and optional care.
Group of answer choices
True
False
False
The Office for Civil Rights receives complaints regarding the Privacy Rule. About what percentage of these complaints have been ruled either no violation or the entity is working toward compliance?
Group of answer choices
About 25%
About 50%
About 75%
About 90%
About 75%
A signed receipt of the facility’s Notice of Privacy Practices (NOPP) is mandated by the Privacy Rule in order for a patient to receive services from a health care provider.
Group of answer choices
True
False
False
During an investigation by the Office for Civil Rights, the inspector will depend upon the HIPAA Officer to know the details of the written policies of the organization.
Group of answer choices
True
False
True
Written policies and procedures relating to the HIPAA Privacy Rule
Group of answer choices
are kept by the HIPAA officer only.
must be only in electronic format.
are not necessary.
must be available to all employees.
must be available to all employees.
Typical Business Associate individuals are
Group of answer choices
in-house lab technicians, transcriptionists, and billing specialists.
health plan agents, in-house transcriptionists, and office billing specialists.
biometric device repairmen, legal counsel to a clinic, and outside coding service.
nonclinical staff such as the hospital billing office, housekeeping staff, and maintenance workers.
biometric device repairmen, legal counsel to a clinic, and outside coding service.
Security and privacy of protected health information really cover the same issues.
True
False
False
HIPAA Security Rule applies to data contained in
any computer storage media.
Integrity of e-PHI requires confirmation that the data
is accurate and has not been altered, lost, or destroyed in an unauthorized manner.
Risk management for the HIPAA Security Officer is a “one-time” task.
True
False
False
The Office of HIPAA Standards seeks voluntary compliance to the Security Rule.
True
False
True
Business Associate contracts must include
implementation of safeguards to ensure data integrity.
only items as related to the Privacy Rule.
What step is part of reporting of security incidents?
Change passwords to protect from further invasion.
Which are the five areas the DHHS has mandated each covered entity to address so that e-PHI is maintained securely?
Organization requirements; policies, procedures, and documentation; technical safeguards; administrative safeguards; and physical safeguards
Compliance to the Security Rule is solely the responsibility of the Security Officer.
True
False
False
HIPAA training must be provided to
all workforce employees and nonemployees.
Strengthened restrictions on security redefined the subcontractors of business associates who might have even incidental exposure to Personal Health Information (PHI) as
Business associates.
After a patient downloads personal health information, all the Security and Privacy measures of HIPAA are gone.
Group of answer choices
True
False
True
Meaningful Use program included incentives for physicians to begin using which of the following?
Check all that apply.
Group of answer choices
E-prescribing
Computerized order entry
Voice mail messages
Instant messaging to patients
Patient portal
Cellphone texting
E-prescribing
Computerized order entry
Instant messaging to patients
Patient portal
The Personal Health Record (PHR) is the legal medical record.
Group of answer choices
True
False
False
HIPAA in 1996 enacted security measures that do not need updating and are valid today as written.
Group of answer choices
True
False
False
The Health Information Technology for Economic and Clinical Health (HITECH) is part of
Group of answer choices
American Recovery and Reinvestment Act (ARRA) of 2009.
Affordable Care Act (ACA) of 2010.
Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Omnibus Rule of 2013.
American Recovery and Reinvestment Act (ARRA) of 2009.
What is the name of the format that allows other providers to access another physician’s record of a patient?
Group of answer choices
Patient Portal
Electronic Medical Record (EMR)
Personal Health Record (PHR)
Health Information Exchange (HIE)
Health Information Exchange (HIE)
When there is a difference in state law and HIPAA, HIPAA will always supersede the local or state law.
Group of answer choices
True
False
False
What information is not to be stored in a Personal Health Record (PHR)?
Group of answer choices
Operative reports
Immunization records
List of allergies to medications
Financial payments to providers
Tax return information
List of prescriptions
Tax return information
What is the difference between Personal Health Record (PHR) and Electronic Medical Record (EMR)?
Group of answer choices
PHR is in paper format; EMR is electronic
PHR is not password protected; EMR is password protected
PHR is the legal medical record; EMR is just physician notes
PHR can be modified by the patient; EMR is the legal medical record
PHR can be modified by the patient; EMR is the legal medical record
Which department would need to help the Security Officer most?
Group of answer choices
Nursing staff
Maintenance Department
Medical Records
Information Services and Technology
Information Services and Technology
The HIPAA Privacy Officer is responsible for
Group of answer choices
keeping staff names secret.
tracking who has access to PHI.
checking that passwords are changed weekly.
securing the computer server room from outside visitors.
tracking who has access to PHI.
Information access is a required administrative safeguard under HIPAA Security Rule. It is defined as
Group of answer choices
access to the medical record for treatment purposes.
limiting access to the minimum necessary for the particular job assigned to the particular login.
restricting access to only clinical staff for treatment purposes, medical records department for coding purposes, and the billing department for purposes of claim submission.
only allowing patients access to their medical records if it is court ordered.
limiting access to the minimum necessary for the particular job assigned to the particular login.
Only a serious security incident is to be documented and measures taken to limit further disclosure.
Group of answer choices
True
False
False
Investigation of complaints of violations to the Security Rule is under the direction of the
Group of answer choices
Department of Justice.
Department of Health and Human Services.
Office of HIPAA Standards.
Office of Inspector General.
Office of HIPAA Standards.
The Centers for Medicare and Medicaid Services (CMS) set up the ICD-9-CM Coordination and Maintenance Committee to
Group of answer choices
Maintain a crosswalk between ICD-9-CM and ICD-10-CM.
Ensure the Patient Portal rule is enforced.
Define who are covered entities.
Oversee implementation of Health Plan Identifiers (HPID).
Maintain a crosswalk between ICD-9-CM and ICD-10-CM.
The Medicare Electronic Health Record Incentive Program is part of Affordable Care Act (ACA) and is under the direction of
Group of answer choices
Department of Health and Human Services (DHHS).
Centers for Medicare and Medicaid Services (CMS).
Affordable Care Act (ACA) of 2009.
Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Centers for Medicare and Medicaid Services (CMS).