HIPAA Lesson 5

Question 1

A disclosure of PHI to the Office of Civil Rights for enforcement purposes is what kind of disclosure?
o Permitted disclosure.
o Internal disclosure.
o Routine disclosure.
o Required disclosure.

Answer 1

Required Disclosure

Question 2

If a passerby overhears two doctors conferring about a patient, what kind of PHI disclosure would this be?
o Incidental disclosure.
o Required disclosure.
o Nonroutine disclosure.
o Routine disclosure.

Answer 2

Incidental Disclosure

Question 3

Under what circumstances would the conditions of minimum necessary apply?
o Disclosure of PHI to the individual who is the subject of the information.
o Disclosure of PHI to a health care provider for treatment purposes.
o Disclosure of PHI within the workforce.
o Disclosure of PHI as a result of a signed authorization.

Answer 3

Disclosure of PHI within the workforce.

Question 4

If a researcher with documented approval from an institutional review board requests PHI, which Privacy Rule provision would allow disclosure?
o Reasonable effort.
o Verification.
o Reasonable reliance.
o Minimum necessary.

Answer 4

Reasonable reliance.

Question 5

When an individual is legally unable to exercise his or her own rights, who is authorized to make that person's health care decisions?
o A physician.
o A personal representative.
o An executor.
o The OCR.

Answer 5

A personal representative.

Question 6

Does the Privacy Rule allow me to pick up a prescription for a friend? What if my friend wants me to go to the doctor with her?

Answer 6

The Privacy Rule allows both of these. If you take a friend or a family member with you to the doctor, the doctor can reasonably assume that he or she can talk to you about your healthcare in front of your friend. If your friend calls back later and asks the doctor a question about your appointment or your condition on your behalf, the doctor can share information with your friend because she was present at your appointment. However, the doctor wouldn’t be able to discuss other health matters or other conditions with your friend.

Question 7

What two entities does the Privacy Rule require disclosure of PHI?

Answer 7

1. The Patient

2. OCR

Question 8

What is DRS?

Answer 8

Designated Record Set

Question 9

What information is in a DRS?

Answer 9

1. Medical and billing records
2. Enrollment, payment, claims adjudication
3. Health plan or healthcare provider records used to make healthcare decisions.

Question 10

What information is not part of the DRS and does not have to be released to anyone for any reason?

Answer 10

Psychotherapy Notes

Question 11

The OCR is granted rights to PHI to:

Answer 11

1. Investigate Complaints
2. Determine Compliance Status
3. For Enforcement

Question 12

The Privacy Rule permits some disclosures without ______ under certain circumstances

Answer 12

Authorization

Question 13

Name two conditions in which disclosures are permitted without authorization.

Answer 13

1. When state and other law requires the disclosure

2. When the disclosure meets certain conditions specified by the Privacy Rule.

Question 14

List the permitted disclosures:

Answer 14

1. TPO
2. Limited marketing & fund-raising
3. When required by law
4. Public health activities
5. Health oversight activities
6. Victims of abuse, neglect, or domestic violence
7. Court order or subpoena
8. Limited law enforcement purposes
9. Information about decedents to a coroner, medical examiner, or funeral director
10. Organ, eye, or tissue donation from a cadaver
11. Research, if approved by an institutional review board (an ethics committee that monitors experiments on people)
12. Averting serious threat to health or safety
13. Specialized government functions related to military, veterans, armed forces, correctional institutions, and custodial situations
14. Government programs providing public benefits
15. Workers’ compensation

Question 15

_______ is always subject to minimum necessary requirements.

Answer 15

Disclosure

Question 16

What type of disclosure requires a CE to first evaluate all workforce members’ need to access PHI and establish mechanisms to reasonably limit access to the specific PHI necessary for the job.

Answer 16

Internal Disclosures

Question 17

________ disclosures are those that happen periodically. They often have specific known requirements, forms, and formats. Most covered entities’ ________ disclosures are for treatment, payment, and healthcare operations purposes.

Answer 17

Routine

Question 18

What must be identified about routine disclosures in a covered entity’s policies and procedures?

Answer 18

1. Purpose: Why does the covered entity need to share this information? (In this case, the patient’s school requires proof of immunization before a student can attend classes.).
2. Amount and types: What information is the person or institution requesting? (The school wants to know which vaccinations and immunizations the covered entity provided and when.)
3. Entity receiving: Who wants to know this information? (The child’s school has asked for this data.)

Question 19

“The ______ establishes a voluntary reporting system designed to enhance the data available to assess and resolve patient safety and healthcare quality issues.

Answer 19

PSQIA of 2005

Question 20

AHRQ

Answer 20

Agency for Healthcare Research and Quality

Question 21

PSOs

Answer 21

Patient Safety Organizations

Question 22

_______ disclosures are those that have little or no precedent. Or they are highly variable and require individual _______.

Answer 22

1. Nonroutine

2. Evaluation

Question 23

The Privacy Rule acknowledges that _______ disclosures might occur from time to time, which isn’t a violation of the Privacy Rule as long as the covered entities have reasonable _______ in place.

Answer 23

1. Incidental

2. Safeguards

Question 24

Disclosure for research purpose.

Answer 24

Permitted Disclosure

Question 25

Disclosure of an individual’s own health records to that individual.

Answer 25

Required Disclosure

Question 26

Disclosure that is overheard despite safeguards.

Answer 26

Incidental Disclosure

Question 27

Disclosure within a CE’s workplace.

Answer 27

Internal Disclosure

Question 28

Disclosure that happens periodically.

Answer 28

Routine Disclosure

Question 29

Disclosure that has no precedence.

Answer 29

Non-routine Disclosure

Question 30

_______ means whatever it takes, but just enough, to respond to the request.

Answer 30

Minimum Necesary

Question 31

The minimum necessary provisions don’t apply in some cases. What are they?

Answer 31

1. Disclosures to a healthcare provider for treatment purposes
2. Disclosures to the individual who is the subject of the information
3. Uses or disclosures made because of an authorization that an individual has signed
4. Uses or disclosures required for compliance with the standardized HIPAA transactions (The information required to complete the standard transaction you learned about in Lesson 3 is the minimum necessary information.)
5. Disclosures to the Office for Civil Rights (OCR) when it needs PHI to enforce the law
6. Uses or disclosures required by other laws, like a subpoena or court order

Question 32

What disclosure permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information needed?

Answer 32

Reasonable Reliance

Question 33

List the entities where a reasonable reliance disclosure is acceptable:

Answer 33

1. A public official or agency for a disclosure permitted under the Privacy Rule or state law
2. Another covered entity
3. A professional who is a workforce member or business associate of the covered entity holding the information
4. A researcher with appropriate documented approval from an institutional review board or a privacy board

Question 34

The Privacy Rule also requires a covered entity to make _______ to limit its own uses of, disclosures of, and requests for PHI.

Answer 34

Reasonable Efforts

Question 35

The Privacy Rule requires covered entities to _______ the identity and authority of anyone requesting PHI before disclosing the requested information.

Answer 35

Verify

Question 36

A person authorized to act on behalf of the individual in making healthcare decisions is that person’s _______.

Answer 36

Personal Representative

Question 37

A person with legal authority to make health care decisions on behalf of the individual (health care power of attorney, court-appointed legal guardian, general power of attorney)

Answer 37

An adult or emancipated minor

Question 38

A parent, guardian, or other person acting in place of the parent (in loco parentis) with legal authority to make health care decisions on behalf of the minor child

Answer 38

An unemancipated minor

Question 39

A person with legal authority to act on behalf of the deceased or the estate (executor of the estate, next of kin or other family member, durable power of attorney)

Answer 39

Deceased

Question 40

List three circumstances in which the parent isn’t the personal representative for a minor child

Answer 40

1. When state or other law doesn’t require the consent of a parent or other person before a minor can obtain a particular healthcare service, and the minor consents to the healthcare service (For instance, state law may allow an adolescent the right to obtain mental health treatment without parental consent.)
2. When a court determines, or another law authorizes, someone other than the parent to make treatment decisions for a minor
3. When a parent agrees to a confidential relationship between the minor and the physician (For example, a doctor asks the parent of a 16-year-old if the doctor can talk with the child confidentially about a medical condition, and the parent agrees.)

Question 41

List three instances where a personal representative is not recognized.

Answer 41

1. Abuse
2. Neglect
3. Endangerment