HIPAA Flashcards
What Is Health Insurance Portability And Accountability Act (HIPAA)?
The Health Insurance Portability and Accountability Act (HIPAA) was originally passed in 1996. At the time, it was primarily intended to assist more Americans with obtaining health insurance coverage and to ensure that employees would not lose this coverage while they were changing jobs.
Soon, however, it became obvious that, with the advent of the internet and digital record-keeping, HIPAA would have to be amended multiple times to account for increasing privacy threats to patients’ private medical records.
HIPAA regulation today is a series of national standards concerning the security and privacy and confidentiality of protected health information.
As of 2022, HIPAA rules to comply with are as follows:
HIPAA Privacy Rule
HIPAA Privacy Rule (finalized in 2003) sets standards for patient use and access to “protected health information” (PHI), demographic info used to identify the patient:
Name
Address
Any personal dates related to the individual (birth, death, admission, discharge, etc.)
Telephone number
Fax number
Email address
Social Security number
Medical record number
Health plan beneficiary number
Account number
Certificate/license number
Vehicle identifiers/serial numbers/license plate
Device identifiers/serial numbers
Web URLs
IP address
Biometric identifiers (e.g. fingerprints, voiceprints, retinal scans, etc.)
Full-face photos
Any other unique identifying numbers/codes/characteristics
HIPAA Security Rule
The HIPAA Security Rule provides a set of safeguards to be instituted by all HIPAA-beholden entities, which involves administrative, technical, and physical standards for maintaining the security of PHI.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule sets standards for how data breaches are to be investigated, reported to the proper authorities, and communicated to affected patients.
A later piece of HITECH Act (2009), created a system of fines for violating HIPAA, elevating the potential costs for noncompliance with HIPAA to unprecedented heights.
HIPAA Omnibus Rule
Effective in 2013, the HIPAA Omnibus Rule states that all business associates of involved healthcare entities must be HIPAA-compliant.
Considering all the adjustments made to HIPAA regulations so far, one can expect more HIPAA updates added in the future.
Who Is Subject To HIPAA Law?
Legally, HIPAA law identifies two HIPAA-beholden categories: “covered entities” and “business associates”.
Covered Entities include:
Health Plans, e.g.: HMOs, health insurance companies, company health plans, and certain government programs like Medicare and Medicaid
The Majority of Health Care Providers: the healthcare providers that conduct business/store private information electronically (e.g. electronically billing health insurance)
Healthcare Clearinghouses: services that process nonstandard health information received from another entity into a standard (and vice versa)
Business Associates is a term that refers to any business associate of the above-specified covered entities in the form of a contractor, a subcontractor, or another person or company that is not an employee of the covered entity, such as:
Companies that help doctors get paid, billing companies, businesses that process healthcare claims
Companies that help administer health plans
External/independent professionals serving healthcare organizations, such as accountants, IT experts, attorneys, etc.
Who Enforces HIPAA Compliance?
Enforcing HIPAA compliance is primarily the jurisdiction of the Department of Health and Human Services’ (HHR) Office for Civil Rights (OCR). The Center for Medicare and Medicaid Services (CMS) has certain limited powers of HIPAA enforcement; the Federal Communications Commission (FCC) and US Food and Drug Administration (FDA) had been involved in past legal HIPAA interventions.
Q1: Updated HIPAA law must be complied with by:
- Every American business regardless of industry
- Covered entities and business associates in healthcare
- All physicians but not registered nurses in hospitals and clinics
- All US citizens and residents above the age of 18
- Covered entities and business associates in healthcare
Q2: Which of the following is NOT a patient right under HIPAA’s “Privacy Rule”?
- Patient right to ask to see/get a copy of their health records
- Patient right to have corrections added to their health information
- Patient right to request that the healthcare entity issue them an in-depth technical report of the breach, if there is a breach
- Patient right to be notified of how their health information is used/shared
- Patient right to request that the healthcare entity issue them an in-depth technical report of the breach, if there is a breach
Q3: The Notice of Privacy Practices must be:
1. Given to the patient to review on their first visit
- Given to the patent to review on every visit
- Provided to every individual entering the hospital/clinic waiting room, regardless of whether they are a patient or not
- Posted online: no need to provide a physical copy in-person
- Given to the patient to review on their first visit
Q4: The “minimum necessary” rule refers to:
- A minimal quota of patients to serve by a clinic within a calendar month
- The understanding that healthcare employees must only look at patient’s PHI on as-needed basis
- The minimum amount of days that must pass between changing company computer passwords
- None of the above
- The understanding that healthcare employees must only look at patient’s PHI on an as-needed basis
Q5: If an employee perceives a PHI “privacy incident” that could result in a data breach, they are required to notify the Privacy Officer
- True
- False
- True
Q6: Once digital PHI record-keeping devices get old, they must be:
- Thrown in the garbage
- Taken to a proper state recycling center for computer hardware
- Mailed to the patient (or their next of kin)
- Accounted for and kept secure until they can be safely wiped/physically destroyed
- Accounted for and kept secure until they can be safely wiped/physically destroyed
Q7: What kind of protected health information is covered by HIPAA?
- Electronic
- Spoken
- Paper
- All of the above
- All of the above
Q8: Under HIPAA, it is permitted to access patient health files out of curiosity:
- If you keep it to yourself
- Under no circumstances – it is a HIPAA breach that could get you fired
- If you know the patient very well
- If the patient’s family was asking about it
- Under no circumstances – it is a HIPAA breach that could get you fired.
