HIPAA Lesson 4

Question 1

The ________ Rule lays the foundation—or floor—for standardized, national protections. These protections attempt to reduce the risks of inappropriate disclosures and uses of individuals’ health information.

Answer 1

Privacy

Question 2

A privacy breach of PHI in electronic form is a ________.

Answer 2

Security Breach

Question 3

Name the Four Core Areas of the Privacy Rule

Answer 3

1. Individual control of health information
2. Boundaries on use and release of health information by covered entities
3. Establishment of policies, procedures, and appropriate safeguards to protect privacy
4. Accountability for violations with civil and criminal penalties

Question 4

The Privacy Rule creates national standards for the protection of healthcare information. Its basic intent is to _______ individuals’ medical records and other identifiable health information.

Answer 4

Protect

Question 5

This core area of the Privacy Rule outlines how covered entities can use and disclose an individual’s protected health information.

Answer 5

Individual control of health information

Question 6

This core area of the Privacy Rule outlines in detail what information is protected, how and when entities can release it, and under what circumstances they may disclose it. This includes any information in any form: electronic, paper-based, or verbal.

Answer 6

Boundaries on use and release of health information by covered entities

Question 7

This core area of the Security Rule lays out the technical requirements to comply with the policies, procedures, and safeguards that the Privacy Rule establishes.

Answer 7

Establishment of policies, procedures, and appropriate safeguards to protect privacy

Question 8

This core area of the Privacy Rule establishes the civil and criminal penalties for violations of the Privacy and the Security Rules and designates which organizations must oversee compliance.

Answer 8

Accountability for violations with civil and criminal penalties

Question 9

If a healthcare entity maintains any health information that identifies an individual in any possible way, it’s ________.

Answer 9

PHI

Question 10

The Privacy Rule regulates how institutions must protect PHI, and it establishes penalties for _________.

Answer 10

Noncompliance

Question 11

The ________ Rule supports the protections that the Privacy Rule requires.

Answer 11

Security

Question 12

It’s important to point out that the Privacy Rule represents the _______ level of protection.

Answer 12

Floor or Minimum

Question 13

_______ laws can require covered entities to implement more stringent privacy practices. If the _______ laws are more stringent, then the _______ law can supersede HIPAA’s Privacy Rule.

Answer 13

State

Question 14

List the Privacy Rule Requirements

Answer 14

1. Adopt Written Privacy Policies, Procedures, and Contract Provisions
2. Designate a Privacy Officer or a Compliance Officer
3. Train Employees and Other Workforce Members
4. Establish Privacy Safeguards
5. Ensure that Health Information Is Not Used for Non health Purposes
6. Establish Clear, Strong Protections Against Marketing
7. Provide the Minimum Amount of Information Necessary
8. Support Individual Privacy Rights
9. Obey Authorization Policies

Question 15

Covered entities must develop ________ to describe how they will use and disclose PHI, protect individual rights, including BAs.

Answer 15

Policies, Procedures, and Provisions

Question 16

Each covered entity must have one named person in its organization who is ultimately accountable for the CE’s Privacy Rule compliance. The buck stops with that person!

Answer 16

Designate a Privacy Officer or a Compliance Officer

Question 17

Covered entities must ________ all employees on privacy policies and procedures, including volunteers, part-time employees, and contractors.

Answer 17

Train

Question 18

_______ can be a combination of procedures, practices, and physical and technical solutions. Privacy ________ enforce the CE’s policies and procedures about the appropriate use of protected health information.
Common ________ include things like locking or shutting doors, or keeping your voice down when talking. Other ________ might include using privacy screens on computer monitors or having a clear desk policy (no paper with PHI left in the open).

Answer 18

Safeguards

Question 19

Unless an individual gives explicit written permission, health information is for ________ purposes only.

Answer 19

Health

Question 20

The Privacy Rule has explicit requirements for that covered entities must first obtain the individual’s written authorization before sending any ______ materials. Only under very limited circumstances can they send _______ without authorization.

Answer 20

Marketing

Advertising

Question 21

What are these?
Right to Inspect or Copy
Right to Request Amendments
Right to Receive a Notice of Privacy Practices
Right to Request Restrictions
Right to Request Alternate Communications
Right to Accounting of Disclosures
Right to File a Complaint

Answer 21

Individual Privacy Rights

Question 22

The Privacy Rule requires an individual’s ________ to use or disclose PHI for purposes not explicitly stated.

Answer 22

Written Permission or Authorization

Question 23

Sometimes individual states enact laws that provide greater privacy protections than HIPAA provides. These laws ________ the HIPAA Privacy Rule.

Answer 23

Preempt (replace)

Question 24

If part of the state rule supersedes HIPAA, then the covered entity must comply with ________ the state’s and HIPAA’s requirements.

Answer 24

Both

Question 25

Covered entities who fail (accidentally or intentionally) to comply with the Privacy Rule and its safeguards are ________.

Answer 25

Noncompliant

Question 26

Noncompliance is subject to civil penalties, based on four categories: _____, _____, _____, & _____.
When I say civil penalties, I mean that the court could fine you and your colleagues, but it ________ send any of you to prison.

Answer 26

Unknowing
Reasonable cause
Willful Neglect (corrected)
Willful Neglect (uncorrected)
Couldn't

Question 27

________ applies to any unauthorized individual who accidentally or intentionally accesses, uses, or discloses protected health information. Wrongful disclosure is subject to _______ penalties based on the intent of that access, use, or disclosure. ________ penalties may include fines, prison time, or both.

Answer 27

Wrongful access, use, or disclosure
Criminal
Criminal

Question 28

The term Omnibus regulations means:

Answer 28

Rules on a variety of subjects.

Question 29

In January 2013, the U.S. Department of Health and Human Services issued the _______ rules—final regulations that modified the _______ policies on privacy, security, enforcement, and breach notification.

Answer 29

Omnibus

HIPAA/HITECH

Question 30

The HIPAA final Omnibus rule imposes privacy and security obligations directly on _______ . It also changes the definition of a _______ and created new categories of _______ .

Answer 30

Business Associate

Question 31

List the four levels of civil monetary penalties (CMP) of noncompliance.

Answer 31

Unknowing
Reasonable cause
Willful Neglect (corrected)
Willful Neglect (uncorrected)

Question 32

The covered entity or business associate did not know and reasonably should not have known of the violation.

Answer 32

Unknowing $100 to $50,000 $1,500,000

Question 33

The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation. But the covered entity or business associate didn’t act with willful neglect.

Answer 33

Reasonable Cause $1,000 to $50,000 $1,500,000

Question 34

The violation was the result of intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.

Answer 34

Willful Neglect - Corrected $10,000 to $50,000 $1,500,000

Question 35

The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate didn’t correct the violation within 30 days of discovery. Examples of willful neglect include a hospital that fails to train its receptionists in privacy law, or an insurance company that lets its employees take home laptops that contain unsecured PHI.

Answer 35

Willful Neglect—Uncorrected At least $50,000

$1,500,000

Question 36

HHS must consider the following before imposing any penalty:

Answer 36

1. The nature and extent of the violation.
2. The nature and extent of the harms resulting from the violation.
3. The history of prior compliance.
4. The financial condition of the covered entity or business associate.

Question 37

This HHS consideration includes the number of individuals affected and the time period during which the violation occurred.

Answer 37

The nature and extent of the violation

Question 38

HHS must consider whether the violation caused physical harm, whether the violation resulted in financial harm, whether there was harm to an individual’s reputation, and whether the violation hindered an individual’s ability to obtain healthcare.

Answer 38

The nature and extent of the harms resulting from the violation.

Question 39

This HHS consideration includes previous violations.

Answer 39

The history of prior compliance.

Question 40

HHS must consider whether financial difficulties affected the entity’s ability to comply. HHS must also consider whether imposing the civil monetary penalty would jeopardize the ability of the covered entity to continue to provide or pay for healthcare.

Answer 40

The financial condition of the covered entity or business associate.

Question 41

________ can’t be levied if criminal penalties are imposed for a violation.

Answer 41

Civil penalties

Question 42

When a criminal violation occurs, the ________ takes over. Criminal penalties affect any ________ who unlawfully accesses, uses, or discloses healthcare information—not just covered entities or healthcare providers.

Answer 42

U.S. Department of Justice

Individual

Question 43

Pentalities for wrongful disclosure of individually identifiable health information

Answer 43

Up to $50,000 & Up to one year

Question 44

Pentalities for wrongful disclosure of individually identifiable health information committed under false pretenses

Answer 44

Up to $100,000 & Up to five years

Question 45

Pentalities for wrongful disclosure of individually identifiable health information committed under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm

Answer 45

Up to $500,000 & Up to 10 years

Question 46

The Department of Health and Human Services designated the ________ as the HIPAA enforcement agency for four areas.

Answer 46

Office of Civil Rights

Question 47

List the four areas that OCR is authorized to enforce HIPAA:

Answer 47

1. The HIPAA Privacy Rule
2. The HIPAA Security Rule
3. The HIPAA Breach Notification Rule
4. The confidentiality provisions of the Patient Safety Rule

Question 48

OCR reviews ________ and determines whether there is a violation.

Answer 48

Complaints

Question 49

If the OCR finds no violation, it _______ the complaint.

Answer 49

Drops

Question 50

If a violation has occurred, the OCR and the covered entity may be able to work out a ______ compliance, ______ action, or other agreement.

Answer 50

Voluntary

Corrective

Question 51

The OCR may make a formal finding of violation and impose ________.

Answer 51

Civil Penalties

Question 52

If the violation is ______ , the OCR sends the complaint to the Department of Justice. The DOJ will either pursue possible ______ action or give it back to the OCR for investigation and resolution.

Answer 52

Criminal

Question 53

Depending on the nature of the complaint, the OCR may take any of these actions:

Answer 53

1. Send the complaint to the Department of Justice.
2. Provide a resolution without an investigation.
3. Investigate and then provide a resolution

Question 54

Why do we need a federal law to enforce patient privacy? Weren’t there already laws in place?

Answer 54

No federal laws protected patient privacy or guaranteed patient rights in the way that HIPAA does. In fact, most of the current state laws became law after the enactment of HIPAA. Many doctors and hospitals have their own privacy policies, but the goal of the Privacy Rule is to establish a standard policy throughout the industry.

Question 55

All these laws are overwhelming me! How can I ever know and comply with all of them?

Answer 55

There are a lot of laws, especially now with all the new state privacy laws. For the most part, the various laws work together rather than against each other. If you understand what the spirit of each law is and what it’s trying to accomplish, you’ll find it easier to interpret its provisions.

Also, don’t be afraid to use your common sense. Sometimes the laws seem more complicated than they really are.

Question 56

What does “minimum necessary” mean in relation to the Privacy Rule?

Answer 56

Allowing employees and staff access to the smallest amount of protected information necessary to get the job done.

Question 57

Which Privacy Rule requirement can be a combination of procedures, practices, and technical or physical solutions?

Answer 57

Establishing privacy safeguards.

Question 58

When does a state’s privacy rules supersede HIPAA’s privacy rule?

Answer 58

When the state rule is more stringent than the HIPAA rule.

Question 59

Which of the following describes uncorrected willful neglect?

Answer 59

The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate didn’t fix the violation within 30 days of discovery.

Question 60

What’s the criminal penalty for wrongful disclosure of protected health information with the intent to sell, transfer, or use, out of malice or in an effort to harm an individual?

Answer 60

Fines up to $500,000 and up to 10 years in prison.