HIPAA and HITECH AHE 110

Question 1

What does HIPAA stand for

Answer 1

Health Insurance Portability and Accountability Act

Question 2

Which Year was HIPAA signed

Answer 2

1996

Question 3

HIPAA is a law with how many standards

Answer 3

4 standards meant to PROTECT and SECURE electronic patient information

Question 4

What is the purpose of HIPAA

Answer 4

To keep a person’s health information secure

Question 5

How does HIPAA keep Health Info secure?

Answer 5

1. Regulates who has the right to view a person’s medical records, data and other personal information
2. Sets standards on how a person’s protected health info is to be stored and transmitted,
3. Requires health care orgs to set policies allowing pt or res to have access to own med records

Question 6

Which Agency is Responsible for HIPAA

Answer 6

US Dept of Health and Human Services (HHS)

Question 7

Which Agency is Responsible for HIPAA violations?

Answer 7

HHS Office for Civil Rights (OCR)

Question 8

What is the goal of HIPAA? (why)

Answer 8

Administrative Simplification,

Simplify exchange of info through consistent Electronic Exchange of Information,

Same coding sys, same requirements = decreased clerical burden and increase elec transaction adoption

Question 9

How is HIPAA going to Simplify Administration

Answer 9

1. use same coding systems,

2. use same requirements for the exchange of information

Question 10

What is meant by CODING SYSTEM

Answer 10

Coding system uses characters like symbols and numbers to represent things like medical procedures or diseases

Question 11

HIPAA STANDARD 1

Answer 11

Related to TRANSACTIONS AND CODE SETS

Question 12

What happened Standard 1

Answer 12

HHS adopted standard transactions for the electronic exchange of administrative health care information

Question 13

Standard 1 includes:

Answer 13

insurance claims,
payments,
insurance eligibility information.
Also MANDATES universal coding systems

Question 14

Goal of Standard 1

Answer 14

to speed up the process of

a. identifying insurance benefits,
b. submitting insurance claims,
c. receiving payment

speed, money = identify, submit, receive $

Question 15

Why do we use universal systems

Answer 15

process is more efficient when everyone uses same system

Question 16

What is CPT

Answer 16

CPT is Current Procedural Terminology -

codes procedures and services

Question 17

What is ICD

Answer 17

ICD is international Classification of Disorders - codes diseases and disorders

Question 18

HIPAA STANDARD 2 Is concerned with

Answer 18

the PRIVACY RULE

Comprehensive federal protection guidelines for the privacy of health info

Question 19

What is the Privacy Rule

Answer 19

Personal Medical info shared with dr’s, hospitals etc. and those who provide and pay for Hc are protected.

health care facilities, insurance companies and other need to protect the written, electronic, oral patient health information

Question 20

What is the Goal of the Privacy Rule

Answer 20

imposes restrictions by defining and limiting situations when pt’s info can be Used and Disclosed,

Question 21

What 3 things does the privacy rule do?

Answer 21

1. imposes restrictions on use and disclose of personal health information,
2. gives pt greater access to med records,
3. gives pt greater protections of med records

restrictions on u and d, access, protection

Question 22

What Rights does Privacy Rule give patients

Answer 22

1. examine health records,
2. obtain copies of health records,
3. request corrections to be made if incorrect

examine, obtain copies, corrections

Question 23

What is Meant by Use

Answer 23

PHI is USED when

a. shared,
b. examined,
c. applied,
d. analyzed

Question 24

What is meant by Disclosure

Answer 24

PHI is DISCLOSED WHEN

a. released or transferred and
b. in any way made accessible to anyone outside of the CE

release, transfer, accessible to outsiders

Question 25

What is meant by a COVERED ENTITY

Answer 25

any facility, 
provider, 
plan or 
clearing house t
hat transmits protected health information electronically

Question 26

Who are included as Covered Entities?

Answer 26

PROVIDERS; MD,DO, NP, PA etc. Dentists, chiropractors, psychologists,

FACILITIES; nursing homes, pharmacies, ambul. Care

COMPANIES; health ins., govt insurance, HMOs,

CLEARINGHOUSES, BILLING SERVICES

Question 27

Rules Covered Entities must comply with

Answer 27

1. safeguard all pt info,
2. ensure BA keep PHI private,
3. written agreement with BA on how to safeguard PHI,
   4 CE cannot give PHI to BA without written signed agreements
4. only PHI required for the job can be given to the BA

Question 28

Define Claims Clearing house

Answer 28

an organization that accepts the claim data from the provider,
reformats the data to meet specifications outlined in ins. Plan
and submits the claim

accepts, reformats, submits claims

Question 29

Define Protected Health Information

Answer 29

ind. Identifiable health info

stored or transmitted by CE or business associates, i

incl verbal, paper, electronic

Question 30

Define Business Associate

Answer 30

a person or business that provides a service to a CE that involves access to PHI (legal, billing, accred, management, consulting firms, claims processing

Question 31

Define Permission

Answer 31

a reason for releasing or disclosing pt. info under HIPAA

Question 32

Define De-identify

Answer 32

remove all direct pt identifiers from the PHI which could link info to a specific person

Question 33

Define Limited Data Set

Answer 33

PHI which has all direct pt identifiers removed

Question 34

Examples of Patient Identifiers

Answer 34

name, dob, ss#, payment or billing info, physical or mental health conditions, test results, current meds, allergies

Question 35

When do providers require written authorization from a patient?

Answer 35

Written authorization is needed when PHI is being disclosed to a third party (person wants family to know, records transfer to another facility, life insurance)

Question 36

6 Permissions NOT requiring written authorization from patient to release PHI

Answer 36

1. TPO
2. to the individual,
3. use and disclosure with the opportunity to agree or object,
4. incidental use and disclosure (i.e. overheard on phone during course of job),
5. public interests and benefits, limited data sets

Question 37

What does TPO mean?

Answer 37

Treatment, payment, healthcare operations payment= activities related to payment or reimbursement for services (i.e.. If fail to pay bill can be turned over to collections),
HC OPERATIONS - financial, legal, quality improv that HC facilities need to do to run and support a business.

Question 38

When is written permission needed

Answer 38

when disclosing PHI to third party (pt wants someone else told, records transferred, life insurance

Question 39

What does Written authorization include?

Answer 39

dated, signed

Question 40

What is a Disclosure Authorization Form?

Answer 40

authorization to disclose form - pt gives written auth to transfer records,

Question 41

What does a Disclosure Authorization Form need to include?

Answer 41

expiration date, ,
patients name, 
date of request, 
info of facility receiving records, 
must notify  pt they can revoke permission,

Question 42

What is a Records Release?

Answer 42

When a pt wants records released to another fac. Must a. complete, b. sign, c. date medical records release form. Video and images may need separate form

Question 43

What is meant by “higher level of confidentiality”?

Answer 43

parts of pt record. May need separate release form.

Question 44

What is incl. in Higher level of confidentiality

Answer 44

1. psychotherapy notes.
2. HIV info,
3. Drug and Alcohol

Question 45

What is the

Confidentiality of Alcohol and Drug Abuse Patient Records statute?

Answer 45

many federal and state laws around D and A abuse. This one is HHS and restricts the release and use of pt records including substance use diagnoses and services

Question 46

What is HIPAA standard 3 ?

Answer 46

national standard for the protection of patient info that is stored or transmitted

Question 47

What is included in Standard 3

Answer 47

anything

a. created,
b. used,
3. received,
4. maintained

Question 48

What are the 3 types of safeguards in Standard 3

Answer 48

1. Administrative
2. Physical,
3. Technical

Question 49

What is the Administrative Safeguard

Answer 49

1. Security Officer resp for creating and carrying out security Policies and Procedures.
2. risks identified,
3. steps taken to prevent issues (cyber attacks huge issue)

Question 50

What is the Physical Safeguard in Standard 3

Answer 50

facilities, workstations and devices. Under resp of security officer, procedures and protocols

Question 51

What is the technology Safeguards in Standard 3

Answer 51

only authorized employees have access to ePHI,

p and p to audit, track, prevent alterations,

destruction, transmissions

Question 52

What does HITECH stand for?

Answer 52

Health Information Technology and Clinical Health Act

Question 53

What is HITECH?

Answer 53

an act that expands HIPAA privacy

Question 54

What is included in HITECH?

Answer 54

1. patient rights,
2. requirements for BA,
3. breach notifications,
4. marketing provisions,
5. penalties for non-compliance

Question 55

Who is covered under HITECH?

Answer 55

a. CE,
b. hc providers,
c. health plans,
d. health care clearing house,
e. business assoc with access to pt records

Question 56

What is different about BA in HITECH

Answer 56

BA’s must comply with use and disclosure requirements of HIPAA’s privacy rule. Subject to same penalties

Question 57

What is meant by patients rights in HITECH

Answer 57

pts have added rights regarding use of EHR or ePHI, CE’s must agree to patient requests to restrict disclosure of ePHI if
a. it is to health plan used for carrying out payment or hc operations, NOT TREATMENT IF PAID IN FULL

Question 58

in HITECH pts have right to access their info by

Answer 58

a. can receive account of all non-routine disclosures of EHR,
b. request an accounting of disclosures they authorized in past 3 years,
c. designate 3rd party to be recipient of eHealth info

receive, request, designate

Question 59

Consent for routine health care is option BUT

Answer 59

consent for routine health care is optional but signature is req for use and disclosure PHI for purposes OTHER THAN TPO

Question 60

What is included in an authorization form?

Answer 60

use and disclosure outlined in whatever is in the form.

a. descript of PHI being used, what purpose,
b. who will u and d PHI,
c. if there is financial gain for the CE,
d. pt right to revoke,
e. signature,
f. date,
g. expirations date

Question 61

Authorization is not required

Answer 61

a. to maintain a pt directory,
b. inform identified people about care,
c. inform approp agencies in disaster relief,
d. public health activities, report victims of a, n, dom viol.,
e. health oversite for license,
f. coroners, med examiners, tissue donations,
g. avert serious threat to health and safety

Question 62

What is meant by minimum necessary (need to know)

Answer 62

the minimum of info needed to get the job done right

Question 63

how do CE’s ensure minimum necessary

Answer 63

a. dev. P and p,
b. employees who access ePHI are identified,
c. types of PHI needed and conditions for access. (NOTE does not apply for u and d of med records for treatment)

Question 64

What is the privacy notice

Answer 64

pt have right to adequate notice about u and d of PHI on First Day of Treatment

Question 65

What is the purpose of Privacy Notice

Answer 65

a. pts rights and CE legal duties,
b. made avail in print,
c. be displayed and on internet, (NOTE - must try to get written ack or note about why not possible)

Question 66

What are the Patient Rights

Answer 66

a. receive privacy notice on 1st day,
b. restrict u and d,
c. have PHI communicated in different ways,
d. designate a 3rd party to be recip of PHI,
e. inspect, correct, amend PHI and obtain copies,
f. request hx of PHI disclosures,
g. able to report concerns over breach of privacy

Question 67

What about privacy of minors

Answer 67

parents are de facto except

a. HIV testing,
b. cases of abuse,
c. parents have given up control

Question 68

What resp do Admins have for Privacy under HIPAA and HITECH

Answer 68

a. allow pt to see and have copies of PHI,
b. designate official person resp for progs.
C. dev Notice of Privacy Practices,
d. develop policies and safeguards to protect PHI and limit incidental u and d,
e. training prog,
f. complaints process,
g. make sure BA’s comply with Privacy Rule and HITECH

Question 69

What are the notification requirements for data breach under HITECH act

Answer 69

breach - inapp or unauth u or d of PHI.
A. CE must notify pts,
b. incl unauth disclose of PHI to 3rd party AND internal access to PHI,
c. must be notified w/in 60 days,
d. if more than 500 contact HHS, and print and broadcast

Question 70

Violations under HITECH

Answer 70

tiered increase in civil and criminal penalties