HIPAA Flashcards

1
Q

What are the three core components of the HIPAA Privacy Rule?

A

Privacy Rule
Security Rule
Breach Notification Rule

2
Q

Describe HIPAA Privacy Rule

A

1) Restricts covered entities’ and business associates’ use and disclosure of an individual’s “protected health information” (PHI)

2) Also provides for “individual rights” such as a patient’s right to access their PHI, restrict disclosures, request amendments or an accounting of disclosures, and their right to complain without retaliation.

OCR audits for Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.

  • Applies to both paper and electronic
  • Overseen by Office of Civil Rights (OCR)
3
Q

Describe HIPAA Security Rule

A

The Security Rule requires covered physician practices to implement a number of what are known as “administrative, technical, and physical safeguards” to ensure the confidentiality, integrity, and availability of electronic PHI.

  • Applies only to electronic PHI
  • Overseen by CMS
4
Q

Describe the HIPAA Breach Rule

A

All breaches are now presumed reportable unless, after completing a risk analysis applying the following four factors, it is determined that there is a “low probability of PHI compromise.”

The four factors to be considered include:
1) The nature and extent of the PHI involved – issues to be considered include the sensitivity of the information from a financial or clinical perspective and the likelihood the information can be re-identified;
2) The person who obtained the unauthorized access and whether that person has an independent obligation under HIPAA to protect the confidentiality of the information;
3) Whether the PHI was actually acquired or accessed, determined after conducting a forensic analysis; and
4) The extent to which the risk has been mitigated, such as by obtaining a signed confidentiality agreement from the recipient.

5
Q

Define User “Authentication” versus “Authorization”

A
Authentication = Who you are.
Authorization = What you can do.
6
Q

What is “non-repudiation”?

A

Can’t say “I didn’t write that”

7
Q

What are the 5 Rights of Decision Support?

A
right information to the 
right person in the 
right format through the 
right channel at the 
right time (i.e., when the information is needed).
8
Q

Which of the following recommendations is mandated by HIPAA with respect to these systems?

A) All electronic transfers of electronic protected health information (PHI) must be encrypted
B) All systems that access electronic PHI must include an automatic log off
C) All individuals who have security permission to access electronic PHI must regularly change their passwords
D) All electronic PHI must be backed up every 24 hours
E) All databases that contain electronic PHI must be encrypted

A

B) All systems that access electronic PHI must include auto logoff

The HIPAA legislation contains sections related to the security of electronic protected health information (PHI). The law and the implementation guidance provided by the Department of Health and Human Services do not prescribe single strategies for complying with the law but instead provide general guidance that requires local interpretation and implementation. Electronic transfers of data must be secure, but that can be accomplished by a number of different mechanisms; encryption is one of these mechanisms but not the only one. All individuals who access electronic PHI must have unique passwords, but the passwords do not have to be changed at a specified frequency. Ninety days is a commonly used requirement for password changes, as is the requirement that all passwords be strong (contain different types of characters: upper-case letters, lower-case letters, numbers, and special characters) and be at least a set length, but none of these factors is specified in the final guidance requirements. Backup and data recovery plans must be in place for all electronic PHI, but the schedule for that process is not specified. Databases that contain electronic PHI must be protected from unauthorized access; encryption is one approach to help protect a database, but it is not a required approach if other physical or technical approaches have been instituted. All systems that allow users to access electronic PHI must have automatic log-off features, but the exact timing is left to the local health entity. Generally, automatic log-offs that occur in less than 5 minutes are considered appropriate.

9
Q

Confidentiality Definition

A

A condition in which information is shared or released in a controlled manner.

e-PHI is not available or disclosed to unauthorized persons.

10
Q

Security Definition

A

A number of measures that organizations implement to protect ePHI: administrative, physical, and technical.

11
Q

Privacy Definition

A

An individual’s desire to limit disclosure of personal information

12
Q

Changes to HIPAA as part of ARRA (and further specified in Omnibus)

A

1) Requirements expanded to Business Associates
2) Data Restrictions (limited data sets; restrictions on marketing, use for charitable fundraising, or sale)
3) Breach Reporting Requirements and Enforcement (raising fines)
