HIPAA Lesson 11 Flashcards

1
Q

The ______ program serves as a new part of OCR’s health information privacy and security compliance program. OCR will use the _______ program to assess HIPAA compliance efforts by a range of covered entities. _______ present a new opportunity to examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.

OCR will broadly share best practices gleaned through the ______ process and guidance targeted to observed compliance challenges via this website and other outreach portals.

A

Audit(s)

2
Q

Lawmakers didn’t want hospitals, doctors’ offices, and other covered entities to start using new technologies just for the sake of using them. Instead, they want CEs to use the technologies ______.

A

Meaningfully

3
Q

Meaningful use first appeared in the ______ legislation that required all healthcare providers to use an electronic health record (EHR).

A

ARRA/HITECH

4
Q

CMS began a program to provide financial incentives for the meaningful use of EHR technology to accomplish these five tasks. List the tasks.

A
  1. Improve quality, safety, and efficiency
  2. Engage patients and families in their healthcare
  3. Improve care coordination
  4. Improve public health
  5. Maintain privacy and security
5
Q

The meaningful use incentive programs require proof (called an _____) that covered entities have met certain meaningful use core requirements within specified timeframes.

A

Attestation

6
Q

Meaningful Use - Maintain Privacy & Security core elements:

A
  1. Provide patients with an electronic copy of their health information upon request.
  2. Protect electronic health information.
7
Q

The ACA established two identifiers: ______ & _____. It also set some new requirements for HIPAA transactions called _____ rules, and it required _______ of electronic funds transfers (EFT).

A
  1. HPID
  2. OEID
  3. Operating
  4. Standardization
8
Q

Compliance date for implementation of the ICD-10-CM and ICD-10-PCS code sets.

A

October 1, 2015

9
Q

Certification, Part 1—Health plan must certify data and information systems are in compliance with applicable standards and operating rules for:
• Eligibility for a health plan
• Health claim status
• Health care electronic funds transfers and remittance advice

A

December 31, 2013

10
Q

Effective date of operating rules for health care electronic funds transfers and remittance advice

A

January 1, 2014

11
Q

Effective date of standards for electronic funds transfers

A

January 1, 2014

12
Q

Controlling health plans must obtain health plan identifier.

A

November 5, 2014

13
Q

Small health plans must obtain health plan identifier.

A

November 5, 2015

14
Q

Certification, Part 2—Health plans must certify that their data and information systems comply with applicable standards and operating rules for:
• Health claims or equivalent encounter information
• Enrollment and disenrollment in a health plan
• Health plan premium payments
• Referral certification and authorization
• Health claims attachments

A

December 31, 2015

15
Q

Effective date of operating rules for:
• Health claims or equivalent encounter information
• Enrollment and disenrollment in a health plan
• Health plan premium payments
• Referral certification and authorization
Effective date of standard and operating rules for health claims attachments

A

January 1, 2016

16
Q

Covered entities must use HPID to identify health plans in transactions.

A

November 7, 2016

17
Q

A _____ is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

A

Breach

18
Q

An impermissible use or disclosure of protected health information is presumed to be a _____ unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a _____.

A
  1. Breach
  2. Risk Assessment
19
Q

List the four Risk Assessment factors:

A
  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of reidentification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.
20
Q

Is this incident a breach?
The accessed information was deidentified (stripped of identifying information), or it’s unlikely that the patient or patients can be reidentified.

A

No

21
Q

Is this incident a breach?

The person who obtained the information wasn’t a threat (in other words, nobody used the information wrongfully).

A

No

22
Q

Is this incident a breach?

Someone acquired or viewed the information.

A

Yes

23
Q

Is this incident a breach?

Someone discovered and did not correct the disclosure.

A

Yes

24
Q

Is this incident a breach?

Unintentional access by a workforce member if access was made in good faith and within scope of authority

A

No

25
Q

Is this incident a breach?
Inadvertent disclosure of PHI by a person with authorized access to another person without authorized access outside the healthcare arrangement.

A

Yes

26
Q

Is this incident a breach?
If the unauthorized person to whom the disclosure was made would not have been able to retain the information (for example, if the information appeared and disappeared so quickly that there was no time to memorize or copy it)

A

No

27
Q

This rule applies to any CE that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information. When a CE discovers any breach of this information, it must notify each individual whose unsecured PHI was, or is reasonably believed to have been, accessed, acquired, or disclosed due to the breach.

A

The Covered Entity Rule

28
Q

This rule specifies that a business associate that discovers a breach must provide the covered entity with notice of the breach, including identification of each individual affected by it.

A

The Business Associate Rule

29
Q

HITECH specifies that the preferred way to notify victims of a breach is by _____ notice—either by _____ or by _____ if the affected person requests it. However, the law allows covered entities to use the ______ or other expedited means of communication if there’s a risk of imminent danger.

A
  1. Written
  2. First-class mail
  3. Email
  4. Telephone
30
Q

CEs must also notify the _____ about the breach as quickly as possible—within _____ business days if a breach involves _____ or more individuals. Notifying HHS annually about breaches is acceptable if fewer than _____ individuals are affected. CEs must use the Office for Civil Rights portal to submit the breach notification to HHS.

A
  1. Department of Health and Human Services
  2. Five
  3. 500
  4. 500
31
Q

Business associates were responsible for ____% of breaches that involved more than 500 people. And breaches caused by BAs affected a startling ____% of all individuals whose PHI was disclosed in a breach incident.

A
  1. 22%
  2. 60%

32
Q

Business associates are directly liable and subject to _____ penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.

A

Civil

33
Q

In the case of a breach at or by a business associate, the _____ ultimately maintains the obligation to notify affected individuals of the breach. However, a _____ is free to delegate the responsibility to the business associate that suffered the breach or to another of its business associates.

A

Covered Entity

34
Q

A business associate is directly _____ for failing to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

A

Liable

35
Q

HITECH did give state attorneys general the authority to bring _____ actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.

A

Civil

36
Q

A _____ is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.

A

BA

37
Q

A “business associate” also is a _____ that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

A

Subcontractor

38
Q

The law requires CEs to enter into _____ agreements with BAs to ensure that BAs will appropriately safeguard protected health information.

A

Contract

39
Q

The BA agreement must require the business associate to put _____ in place to protect the confidentiality, integrity, and availability of any PHI and EPHI that it handles. And the agreement must require business associates to report any _____ to the covered entity.

A
  1. Safeguards
  2. Security Incident

40
Q

The BA agreement must state that the business associate will help the covered entity to comply with the _____ rights provisions.

A

Individual

41
Q

The BA agreement must establish the _____ uses and disclosures of protected health information by the business associate.

A

Permitted and required

42
Q

The BA will not _____ protected health information other than in ways that HIPAA permits.

A

Use or disclose

43
Q

The BA agrees to _____ any damages caused by a violation of proper use or disclosure.

A

Mitigate

44
Q

The BA will require any agent or subcontractor to abide by the same terms with respect to _____.

A

PHI

45
Q

The BA agrees to _____ designated record sets as needed if they turn out to contain errors.

A

Amend

46
Q

The BA will document information necessary for _____.

A

Accounting of disclosures

47
Q

The CE can’t ask the BA to use protected health information in any way that _____ forbids.

A

HIPAA

48
Q

The BA agrees to use _____ and reasonable efforts to prevent improper use or disclosure.

A

Safeguards

49
Q

The BA agrees to report to the covered entity any _____ of the agreement.

A

Violation

50
Q

The BA agrees to provide information in a _____ when an individual requests it.

A

Designated record set

51
Q

The BA agrees to make _____ regarding use of protected health information available to the covered entity or to the Secretary of Health and Human Services to allow determination of compliance with the Privacy and Security Rules.

A

Policies, procedures, and materials

52
Q

If the CE learns of a violation of a BA, it can _____ the agreement.

A

Terminate

53
Q

At termination of the agreement, the BA must either _____ all protected health information or _____ it to the covered entity.

A
  1. Destroy
  2. Return

54
Q

The _____ can use protected health information for its own management, administration, and data aggregation.

A

BA

55
Q

Agreements between business associates and their subcontractors are subject to these same requirements as with a _____.

A

CE

56
Q

A covered entity isn’t _____ for the actions of its business associate. However, a CE isn’t completely off the hook if a BA is _____ the terms of its agreement.

A
  1. Liable
  2. Violating

57
Q

HIPAA requires that the CE document whatever actions it takes with respect to the circumstances and nature of the business relationship with a BA. If the breach is impossible to fix, or if violations continue, the CE must ____ the agreement.

A

End

58
Q

True or False

The Privacy Rule provides for circumstances in which termination isn’t feasible.

A

True