HI Exam #3 Flashcards

1
Q

Health Insurance Portability and Accountability Act

A

What does HIPAA stand for?

2
Q
Who and what is covered by HIPAA law?
A

1.) Health coverage
2.) Fraud and Abuse
3.) Reduction of healthcare cost
4.) Administrative simplification

3
Q

What are the 3 covered entities?

A

-Healthcare providers, Health Plan and the Healthcare clearing house

  • Healthcare providers who transmit health information electronically, health plans (insurance companies), and healthcare clearinghouses (data warehouse).
4
Q

Who are considered workforces?

A

-Anyone who works with these covered entities
This includes:
-Employees
-Volunteers
-Trainees
-Others who conduct work for the CE or BA

5
Q

Parties that perform functions or activities on behalf of or provide services to, covered entities (e.g., IT companies, billing services, consultants). This includes HIO’s E-Scribing or other people that provide data transmission.

A

Business associates (BA):

6
Q

What is a Business associate Agreement?

A

Is a contract between a covered entity and a business associate required by HIPAA.

7
Q

Personal health information (PHI) related to an individual’s physical or mental health, healthcare services provided to them, and the payment for those services.

A

HIPAA protects:

8
Q

-Any health information that can identify an individual and relates to their past, present, or future physical or mental health or condition, healthcare provided, or payment for healthcare services.
-If you get a copy of your own record IT IS NO LONGER COVERED under HIPAA

A

What is a PHI?

9
Q

How can access to PHI be denied?

A

-When the patient has not consented to release their information.

-If access is requested by someone who does not have proper authorization.

-If the request is for records that are confidential or protected by privilege (e.g., psychotherapy notes).

10
Q

Who can access PHI?

A

-A parent, guardian, or custodian of a minor patient under 18 years of age.
-A parent, guardian, or custodian of an incompetent patient.
-Legal healthcare representative.
-Power of attorney for healthcare.
-Personal representative or executor or administrator of a deceased patient’s estate.

11
Q

What is De-Identification?

A

-The process of removing personal identifiers from health data so that the individual cannot be readily identified.
-Is useful in areas such as research, decision support, and education in the health professions to support the secondary use of data for comparative effectiveness studies and other endeavors.

12
Q

Two methods of De-Identification?

A

-Expert Determination:
-Safe Harbor Method:

13
Q

-Expert Determination:

A

A qualified expert applies statistical or scientific methods to ensure that the risk of re-identifying individuals is very low.
-When you apply statistical/scientific principles there is a very small risk that the recipient could identify an individual.

14
Q

Measures to protect physical access to facilities and devices storing PHI (e.g., locked doors, surveillance, workstation security).

A

Physical Safeguards:

15
Q

Physical Safeguards Standards

A

1.) Facility Access Control:
2.) Workstation Use:
3.) Device and Media Controls:

16
Q

Safe Harbor Method:

A

-18 types of identifiers (e.g., name, address, phone number) are removed.
-There is no actual knowledge of residual information that can identify individuals

17
Q

What are other identifiers?

A

Names, Geographic, dates, Telephone numbers, Email address, social security number, URL’s, Dates

18
Q

What happens when we get ready to Re-Identify the data?

A

There is a unique code assigned
-To the set of de-identified health information to permit re-identification by the CE. This code or other means of record identification can be used provided that the code is not derived from information about the individual and cannot be translated in some manner to identify the individual.

19
Q

Purpose of de-identification:

A

To allow for data sharing, research, and analysis without compromising patient privacy.

20
Q

What data is considered PHI?

A

Any health data that includes identifiable personal information, such as:
-Name, address, birth date, Social Security number

-Health conditions, diagnoses, treatment information

-Payment information for healthcare services
-IP Address, Health Care Plan Number

Examples: Patient medical records, billing information, lab results, prescriptions.

21
Q

What is Personal Information?

A

-This would be your personnel records or educational records. Or any health information that is created or received by an entity that is not considered a covered entity or a BA

-An example would be: in your educational records you have information about a disability. This would not be covered. BECAUSE it is in your personal record.

22
Q

Policies and procedures to manage the selection, development, and maintenance of security measures to protect PHI (e.g., security training, risk assessments, access control policies).

A

Administrative Safeguards:

23
Q

Administrative Action Standards used to protect EPHI

A

1.) Security Management Process:
2.) Security Officer Official
3.) Workforce Security
4.) Information Access Management
5.) Security Awareness and Training
6.) Security Incident Procedure:
7.) Contingency Plan
8.) Evaluation
9.) Business Associate Contracts and Other Arrangements

24
Q

Measures to protect physical access to facilities and devices storing PHI (e.g., locked doors, surveillance, workstation security).

A

Physical Safeguards:

25
Q

Technology-based measures to protect electronic health information (e.g., encryption, firewalls, secure data transmission, user authentication).

A

Technical Safeguards

26
Q

5 Elements of Technical Safeguards:

A

1.) Access Control: Unique user ID (each person gets a login)
2.) Audit Control
3.) Integrity
4.) Person or Entity Authentication
5.) Transmission Security

27
Q

Red flag/ Box Rules:

A

These are regulations designed to detect, prevent, and mitigate identity theft and fraud in healthcare.

-Purpose: The rules require covered entities to implement an identity theft prevention program that identifies and addresses (indicators of potential identity theft).

28
Q

Examples of Red Flags

A

Suspicious medical records, suspicious documents, suspicious behavior, inconsistent billing information, or unauthorized access to records.

29
Q

-This is the practice of collecting, keeping, and using data securely, efficiently, and effectively.
Its whole purpose is to make sure we are in control of our data.

A

What is Data Management?

30
Q

-The goal of it is to identify any gaps in the current recovery capability and to develop a strategy for meeting the identified RTO and RPO.
-A process to assess the impact of potential disruptions to business operations and determine recovery priorities.

A

Business Impact Analysis (BIA)

31
Q
The Data Governance Process (First 2 steps) Hint: 2 D’s
A

1.) Discover: Requires business users to be involved. Know where the data is stored and know the meaning of the data (what is the purpose).

2.) Design: Requires a lot of involvement from clinicians.

32
Q

The maximum acceptable amount of data loss, measured in time. Represents the length of time that you can operate without a particular application.

A

RPO (Recovery Point Objective):

33
Q
The Data Governance Process (Last 3 steps)
A

3.) Enable: Very time-consuming and is done by IT staff. Apply any new standards from the organizations. You go in after it has been created to make sure all of the data is correct.

4.) Maintain: The monitoring and reporting system to make sure collected data is doing what we want. Regular updates and audits to maintain data quality and relevance.

5.) Archive/Retire: Data is thrown out/ no longer used. Ex: after 7 years the charts are now thrown out.

34
Q

The maximum acceptable downtime, or the time it takes to recover systems and resume operations after a disaster. The maximum amount of time tolerable for data loss and capture.

A

RTO (Recovery Time Objective):

35
Q

The overall administration, through defined procedures and plans, that assures the availability, integrity, security, and usability of the structured and unstructured data available to an organization.

A

Data Governance

36
Q

What is Data Management?

A

This is the practice of collecting, keeping, and using data securely, efficiently, and effectively.
Its whole purpose is to make sure we are in control of our data.

37
Q

Data Management (decided by the people): Involves making and implementing decisions, whereas data governance is concerned with what decisions should be made to ensure the effective management of data.

-Data Governance: Happens from the top-down; data management happens from the bottom up

A

Major differences between Data Management and Data Governance:

38
Q

Data Governance Framework 5 points

A

1.) Data Principle: Is the usage of external data in a regulatory environment
2.) Data Quality: Impacts the operational and strategic operations of an organization.
3.) Metadata: Data about the data. Data that interprets the data, tells you the size, and so on.
4.) Data Access: The accessibility to retrieve data and how easily you can pull the data back up.
5.) Data Life Cycle: All data goes through useless and retirement.

39
Q

Making decisions and exercising authority for data-related matters; establishing a culture where quality data is obtained and valued to drive the business

A

What is driving Data Governance?

40
Q

Accuracy: Correct and free of errors. No major error

Comprehensiveness: All bits of data are included/are complete.

Consistency: Data is uniform and reliable.
Timeliness: Data is up-to-date and accessible when needed.

Conformance: Data adheres to standards and rules.

Relevance: Data is appropriate for the intended use.

A

Name some data quality characteristics

41
Q

The Data Governance Process

A

Discover: Requires business users to be involved. Know where the data is stored and know the meaning of the data (what is the purpose).
-Identify the databases or data sets or applications that store data, the relationships between the different data sets, the meaning of the data to the organization, and who has responsibility for the data. This step requires the business users to be involved.

Design: Requires a lot of involvement from clinicians.
-Consolidation and coordination of organizational data and the environment focusing on consistency of any governing rules, consistency of the organizational data model, and consistency of the business processes. This step requires the involvement of the business users.

Enable: Very time-consuming and is done by IT staff. Apply any new standards from the organizations. You go in after it has been created to make sure all of the data is correct.
-This is when the new data governance standards are applied to each data source, business process, and application. It is recommended that the standards be deployed to the entire network, rather than embedded in each source, process, or application.

Maintain: The monitoring and reporting system to make sure collected data is doing what we want. Regular updates and audits to maintain data quality and relevance.
-Required to ensure that the data remain fit-for-purpose for the organization. The monitoring requires involvement from both business users and IT.

Archive/Retire: Data is thrown out/ no longer used. Ex: after 7 years the charts are now thrown out.
- It is important to ensure that the data that are no longer needed are retired in a methodical, considered fashion. This may involve complying with the legal requirements for maintaining the data,

42
Q

The overall administration, through defined procedures and plans, that assures the availability, integrity, security, and usability of the structured and unstructured data available to an organization.

A

What is Data Governance?

43
Q

What are the four steps in Data Quality Management Model?

A

1.) Application of Data: Purpose for collection

2.) Collection of Data: Process by which it’s collected

3.) Warehousing of data: Process and systems used to store it

4.) Analysis of data: Process of translating it for application

44
Q

The framework includes policies, procedures, roles, and responsibilities designed to ensure data quality, security, and compliance. It often integrates with other organizational management structures (e.g., IT governance).

A

Data Governance Framework:

45
Q

What are the five aspects of Big Data?

A

1.) Volume: The large quantity

2.) Variety: A range of types of data

3.) Velocity: The high frequency/ or how often it is renewed

4.) Value: The usefulness of cost, workflow, complexity as well as governance. What is the need?

5.) Veracity: The complexity of the data (the level of detail) due to the accuracy or completeness

46
Q

Autonomy

A

The right of individuals to make their own decisions regarding their health and treatment.

47
Q

The obligation to act in the best interest of the patient, promoting good and well-being.

A

Beneficence

48
Q

The obligation to avoid causing harm to patients.

A

Nonmaleficence

49
Q

The principle of fairness, ensuring that patients have equal access to healthcare and resources, and that benefits and burdens are distributed equitably.

A

Justice

50
Q

5 different data points of Data Governance Framework:

A

1.) Data Principle: Is the usage of external data in a regulatory environment that could influence the business uses of data.
2.) Data Quality: Impacts the operational and strategic operations of an organization if done poorly.
3.) Metadata: Data about the data. Data that interprets the data, tells you the size, and so on.
4.) Data Access: The accessibility to retrieve data in a database and how easily you can pull the data back up.
5.) Data Life Cycle: Refers to the fact that all data moves through life-cycle stages.

51
Q

1.) Application of Data: Purpose for collection
2.) Collection of Data: Process by which it’s collected
3.) Warehousing of data: Process and systems used to store/archive it
4.) Analysis of data: Process of translating it for application

A

What are the four steps in the Data Quality Management Model:

52
Q

Who are the two types of data consumers?

A

-Internal data
-External data

53
Q

-External data

A

Might include payers, public health agencies, and law enforcement agencies.

54
Q

Consumers for healthcare data managers include patients, clinicians, administrators, and researchers.

A

-Internal data

55
Q

Applying the Ethical Decision-Making Matrix:

A

1.) Assessing: all situations for their ethical sub contexts

2.) Identifying: the underlying ethical issues

3.) Evaluating: the situation including the perspectives of all involved in the situation

4.) Deciding: on a course of action.

5.) Preventing: after the event, ongoing monitoring should be implemented to prevent future occurrences of similar situations.

56
Q

5 aspects of Big Data (The 5 V’s)

A

1.) Volume: The large quantity
2.) Variety: A range of types of data
3.) Velocity: The high frequency/ or how often it is renewed
4.) Value: The usefulness of cost, workflow, complexity as well as governance. What is the need?
5.) Veracity: The complexity of the data (the level of detail) due to the accuracy or completeness