HIPAA

Question 1

What does it stand for

Answer 1

Health insurance portability and accountability act

Question 2

HIPAA requires health care organizations to protect the

Answer 2

confidentiality, integrity, and availability of patient’s protected health information (PHI)

Question 3

HIPAA provides legal

Answer 3

protections for patients relative to their PHI

Question 4

HIPAA complements or strengthens

Answer 4

state law protections

Question 5

PHI and ePHI is protected when

Answer 5

It is confidential
It has integrity
It is available

Question 6

PHI and ePHI is protected when - it is confidential when

Answer 6

the info is accessible only by authorized people and processes

Question 7

PHI and ePHI is protected when - it has integrity when

Answer 7

the info hasn’t been inappropriately altered or destroyed

Question 8

PHI and ePHI is protected when - it is available when

Answer 8

the info is available when needed

Question 9

HIPAA applies to

Answer 9

covered entities
CEs workforce
CEs business associates

Question 10

Covered entities include

Answer 10

health care providers, health plans, health care clearinghouse

Question 11

CEs workforce

Answer 11

employees, medical staff, contractors, residents, students and volunteers

Question 12

CEs business associates

Answer 12

entities that handle PHI on behalf of the CE

Question 13

DMUs HIPAA responsibilities

Answer 13

Legal obligation as a CE (our clinics and research)
Educational mission (prepare students for workplace)

Question 14

Student at DMU are considered

Answer 14

part of the CE workforce

Question 15

PHI

Answer 15

Individually identifiable information that is created or received by a CE and relates to the past, present or future physical or mental health or condition, the provision of health care, or payment of health care

Question 16

PHI in any form is

Answer 16

private and protected under HIPAA and state laws

Question 17

EX of PHI and ePHI

Answer 17

Content of medical record or billing
Photo of pt injury
Diagnostic imaging
Fact that patient is scheduled for a visit
Type of insurance a patient has
Demographic info in records (name, address, account number, social, phone number)

Question 18

Identifiable info

Answer 18

Name, addresses, date of service, phone, fax, social, health plan ID, medial record #, email, relatives name, voice, fingerprints, photo, IP addresses, employer, device serial #, other numbers and codes

Question 19

HIPAA is a statute of

Answer 19

prohibition

Question 20

HIPAA is a statute of prohibition - you are prohibited from

Answer 20

1. accessing or using PHI unless the use fits into an exception or is explicity permitted - treatment, payment, healthcare operations
2. disclosing PHI to third party unless disclosure fits into an exception or is explicitly permitted (if no exception, patient signed authorization is required)

Question 21

Common exceptions to accessing, using, or disclosing

Answer 21

Provision, coordination or management of health care
Consultation between pts health care providers
Referral of patient between providers
Disclosure to family or friends involved in patients care - unless patient objects

Question 22

Common exceptions to accessing, using, or disclosing - payment

Answer 22

Eligibility determinations
Precertification for services
Coverage
Billing
Claims management 
Collection activities
Utilization review

Question 23

Common exceptions to accessing, using, or disclosing - operations

Answer 23

Business management and administrative functions such as risk management, compliance, customer service
Quality assessment and improvement activities
Accreditation
Medical review
NOT MARKETING OR FUNDRAISING

Question 24

Common exceptions to accessing, using, or disclosing - OTHER (as permitted or required by law)

Answer 24

Emergency - patient incapacitated 
Abuse reporting
Law enforcement
Public health reporting
Legal processes 
Research

Question 25

Workforce members can obtain, use and disclose only

Answer 25

minimum necessary info to do a job or handle a request

Question 26

The minimum necessity rule does not apply to uses and disclosures

Answer 26

Between health care providers for tx purposed | To the pt or a the request of the pt

Question 27

HIPAA is a basic floor - at federal level it provides

Answer 27

minimum rights and protections for all patients

Question 28

Patient rights under HIPAA

Answer 28

Receive a notice of privacy practices Access PHI and receive copy of records Receive an accounting of disclosures made by CE Request restriction on use and disclosure of PHI to others, including restriction on disclosures if patient is a self pay for service Request amendment to PHI Request alternative means of communication Be notified of any breaches of their PHI Make complaint without fear of retaliation

Question 29

Required safeguards

Answer 29

``` Technical controls limiting access to systems containing ePHI Unique user IDs/Logins with monitoring Authentication (password) Encryption of ePHI Audits Policies Trainings for workforce ```

Question 30

Breaches are defined as

Answer 30

Unauthorized acquisition, access, use, or disclosure of PHI which poses a significant risk of financial, reputational, or other harm to the patient

Question 31

Breaches - covered entities must report

Answer 31

internally and evaluate all potential breaches

Question 32

After mandated risk assessment by Privacy Officer --

Answer 32

may have obligation to notify patient of breach Must report breaches to gov. Must take appropriate disciplinary or remedial action

Question 33

Incidental disclosures - define

Answer 33

unintended or unavoidable disclosures of PHI occurring as a part of a permitted disclosure

Question 34

Ex of Incidental disclosure

Answer 34

Another employee or visitor overhearing Nurse and tech discussing a test order for pt Physician discussing tc options with pt and family members in room (Sharing with other patient) Registration staff member collecting demographic info in waiting area

Question 35

Penalties for non-compliance

Answer 35

Potential civil and criminal penalties at state and federal level Potential exclusion from federal health care programs Potential licensure revocation Potential malpractice civil liabilities Potential institutional disciplinary action

Question 36

HIPAA ad research - HIPAA defines research as any

Answer 36

systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge

Question 37

HIPAA permits use for research if

Answer 37

Data has been de-identified or patient has signed authorization

Question 38

HIPAA and research - several limited exceptions may allow minimum necessary use

Answer 38

IRB or Privacy board approves waiver Preparatory to research Research on decedents Use of limited data set under a data use agreement

Question 39

Risk Areas

Answer 39

``` Technology Email/text Digital photos and videos Virus Snooping and curiosity Social media ```

Question 40

DMUs social media policy for students

Answer 40

Do not post any info regarding a patient Do not post photos related to patient care or surgical cases Do not discuss personal characteristics of a patient Do not discuss hospital/clinic procedures Do not discuss any info pertaining to a cadaver or describe dissection stages

Question 41

General protective behaviors

Answer 41

Prevent casual observers from seeing screens Never share your user ID or passwords Log out or lock devices - never leave unattended Properly dispose of PHI and ePHI

Question 42

Your fundamental obligations

Answer 42

Access PHI only if you have a job related need Access only the amount of PHI that you need Only share PHI with other who need it to do their jobs De-identify patient info before presenting case study Report violations or breaches to Privacy Officer or Information Security Officer

Question 43

Mandatory reporting

Answer 43

Loss of PHI or equipment containing PHI Misuse of PHI, system access, passwords Accidental or unauthorized disclosures