HIPAA Lesson 6 Flashcards

1
Q

List the seven fundamental privacy rights that patients have under the Privacy Rule.

A
  1. The right to a notice of privacy practices (NPP)
  2. The right to request access to their own health information
  3. The right to request amendments to their own designated record sets
  4. The right to request restrictions to the use and disclosure of information about them
  5. The right to request an accounting of disclosures (in other words, a list of who has seen and used that person’s health information)
  6. The right to request the use of alternate communication (email rather than phone calls, for instance)
  7. The right to authorizations for use and disclosure
2
Q

Which CEs does the Privacy Rule not require to develop a notice?

A
  1. Healthcare clearinghouses, if the only protected health information they create or receive is as a business associate of another CE
  2. A correctional institution that is a CE (for example, one that has a covered healthcare provider component)
  3. A group health plan that provides benefits only through contracts with health insurance issuers or HMOs (The group health plan must not create or receive protected health information other than summary health information. It also must not handle enrollment or disenrollment information.)
3
Q

What’s in the Notice of Privacy Practices?

A
  1. How the CE may use and disclose protected health information about an individual.
  2. The individual’s rights concerning that information.
  3. The CE’s legal duties with respect to the information.
  4. A contact for further information about the CE’s privacy policies.
4
Q

What language in the NoPP is required to be capitalized and in bold print as a prominent header?

A

THIS NOTICE DESCRIBES HOW YOUR PATIENT INFORMATION WILL BE USED AND DISCLOSED. PLEASE REVIEW IT CAREFULLY.

5
Q

When are health plans required to provide the NoPP to new enrollees?

A

At the time of enrollment

6
Q

Providers who treat patients directly must provide the notice to an individual no later than:

A

The date of first service delivery.

7
Q

In an emergency, providers must give the notice _____.

A

As soon as is reasonably possible.

8
Q

Health plans also must provide a revised notice to covered individuals within _____ days of the revision. And at least once every _____ years, they must notify covered individuals that the notice is available and tell them how to get it.

A
  1. 60
  2. Three

9
Q

CEs must also make a good-faith effort to obtain a _______ that the individual received the notice.

A

written acknowledgment

10
Q

If a patient refuses to sign the NoPP acknowledgment, the organization must record that it _______ receive acknowledgment.

A

didn’t

11
Q

When sending an electronic version of the notice automatically, the provider must make a good-faith effort to get a _______ indicating that the individual received the notice.

A

return receipt

12
Q

Certain CEs must provide a notice of privacy practices to all patients at the ______.

A

first encounter.

13
Q

The NoPP must list all the _______ that will have access to that patient’s PHI, following the legal requirements that the Privacy Rule sets out.

A

organizations

14
Q

A CE must respond to an individual’s request for medical records within ____ days unless the information is off-site. In that case, the CE has ____ days to respond.

A
  1. 30
  2. 60

15
Q

The CE can have a ___-day extension if it notifies the person making the request within 30 days. And in the notification, the CE must include the ______ for the delay and the ______ the patient will get the information. The law permits the CE only ______ extension.

A
  1. 30
  2. 30
  3. reason
  4. date
  5. one
16
Q

If the CE cannot provide the requested information in the requested format, the CE and individual can agree on a _______ format.

A

Different

17
Q

Individuals do not have the right to access records that a CE compiled in anticipation of ________.

A

Court Action

18
Q

CLIA

A

Clinical Laboratory Improvements Amendment

19
Q

CLIA’s goal is to ensure high-quality ________ testing.

A

Laboratory

20
Q

Name two automatic denials.

A
  1. The requested information is part of other research, and the individual previously agreed to denial of access.
  2. An inmate makes a request, and special conditions apply.
21
Q

Which denial is subject to the right to review?

A

If a CE or healthcare professional determines that access to the records would endanger someone’s life.

22
Q

If a CE denies a request, the denial must be in ______, and contain the following: ______, ______. _____, & _____.

A
  1. Writing
  2. A description of the organization’s complaint procedures.
  3. Name of the contact person
  4. Title of the contact person
  5. Telephone number of the contact person
23
Q

Name the three considerations that go along with a request to correct/amend a medical record.

A
  1. Timing
  2. Notifying the Organizations
  3. Documenting Amendments
24
Q

The CE must respond within _____ days to a medical record correction request, and can have one _____-day extension to respond, provided it ______ the individual making the request. The notice must include the _____ for the delay and the _____ the CE will respond.

A
  1. 60
  2. 30
  3. notifies
  4. reason
  5. date
25
Q

List the reasons a CE would deny a request for amendment and what it must provide. The individual can provide a written ______ to keep with the record set.

A
1. Denial Reasons:
   o Doesn't have the information
   o Disagrees with the request
2. The denial must state in plain language the basis for the denial.
3. Dispute
26
Q

List the Accounting of Disclosure Exceptions:

A
  1. Disclosures TPO
  2. Disclosures made to the individual
  3. Disclosures made because of the individual’s authorization
  4. Disclosures made before April 14, 2003
  5. Disclosures made for national security reasons
  6. Disclosures made to prisons or jails if the individual was incarcerated
  7. Disclosures for facility directories (A hospital phone operator or information desk clerk uses a facility directory to find a patient’s room number, or in some cases a patient’s status—stable, critical, and so on—when someone asks about that patient.)
27
Q

What disclosures does a CE need to track?

A
  1. Disclosures HIPAA permits, but not any of the disclosure exceptions.
  2. Disclosures for marketing purposes
  3. Accidental disclosures
  4. Disclosures revealed by an audit trail
28
Q

List the CE’s responsibilities regarding disclosure requests:

A
  1. Must respond within 60 days with one 30-day extension.
  2. Must provide one free accounting in a 12-month period.

29
Q

What should the accounting of disclosures contain?

A
  1. Date of disclosure
  2. Name and address of the receiving party
  3. Brief description of what was disclosed and why
30
Q

A CE ______ have to agree to an individual’s additional restrictions. However, if the CE agrees, that agreement is binding until one of three things happens.

A
  1. doesn’t
  2. Agreement binding until
    o The individual agrees in writing to terminate the agreement
    o The individual agrees orally to terminate the agreement and there’s documentation of the oral agreement.
    o The CE informs the individual that it is terminating the restriction, which is only effective after the individual is informed.
31
Q

In case of an emergency, a restriction agreement is not _______ on the CE.

A

Binding

32
Q

Individuals have the right to request that a CE use a specific address, phone number, or email address when ______ health information.

A

Communicating

33
Q

If an individual indicates that he or she may be in danger if the CE refuses to use an alternate address, the CE ______ accommodate the request.

A

Must

34
Q

A CE needs an individual’s authorization to disclose health information for the following:

A
  1. If the individual wishes to be part of a research project (except in some limited cases)
  2. Disclosures to someone who’s not part of the healthcare system
  3. Disclosures to an employer
  4. Disclosures to a doctor or provider who isn’t involved in the patient’s treatment
  5. Disclosures to an insurance company or a payer that is not involved in paying the individual’s claims
  6. Disclosures to other types of insurance companies (life or disability, for example)
  7. Disclosures to a lawyer
  8. Disclosures to family members or friends
35
Q

An individual may revoke an _______ at any time. But the revocation must be in writing, and the CE can’t make _______ a condition of treatment or payment.

A

Authorization

36
Q

Some employers may make _______ a condition of employment.

A

Authorization

37
Q

If a CE seeks an authorization, the individual must get a ______ of it. State laws require some types of authorizations to have built-in _______ dates.

A
  1. Copy
  2. Expiration

38
Q

List the six core elements that an authorization form must include:

A
  1. A description of the information that the organization plans to use
  2. The name of the person who will make the authorized disclosure
  3. The name of the person who will receive the information
  4. A description of the purpose for the disclosure (it can say simply “at the individual’s request”)
  5. An expiration date or an expiration event
  6. The individual’s signature and date
39
Q

There are a few other authorization requirements. The authorization must be in ______ language, and the CE must document it and keep it (electronically or in writing) for ______ years.

Any revocation of the authorization must also be in ______. Plus the authorization must include instructions for ______ it. And the authorization must include a statement that after the patient gives the information, that information may no longer be under the protection of ______ and could be redisclosed.

A
  1. Plain
  2. Six
  3. Writing
  4. Revoking
  5. HIPAA
40
Q

My family doctor referred me to a specialist down the hall to treat my sinus condition. When I went to the specialist, the receptionist told me that I needed to sign an authorization form in order to get my medical records from my family doctor. Since both doctors were involved in treating me, why did I need to sign an authorization?

A

According to HIPAA, an authorization form isn’t required in a circumstance like the one you describe. However, remember that HIPAA is the floor, not the ceiling, and doctors can interpret the Privacy Rule as strictly as they like. Also, it’s sad to say, but many office staffers don’t fully understand the Privacy Rule. So they usually err on the side of caution.

41
Q

Is a consent form required under the Privacy Rule?

A

Consent forms were common in the health industry before HIPAA. The Privacy Rule doesn’t require consent forms, and a valid authorization would serve the same purposes of a consent form. In some cases, doctors may still use consent forms for various purposes. That’s completely up to each healthcare organization, and HIPAA doesn’t regulate it.

42
Q

What must a covered entity do when it changes any of its privacy practices?
o It must promptly revise its notice of privacy practices and distribute it again.
o It must highlight the changes on its notice of privacy practices in all capital letters and bold print.
o It must enclose a copy of the revised notice of privacy practices with an individual’s next billing.
o Nothing.

A

It must promptly revise its notice of privacy practices and distribute it again.

43
Q

When an individual requests access to his or her own health information that's maintained onsite, how long does a covered entity have to respond?
o 90 days.
o 60 days, with one 30-day extension.
o 30 days, with one 30-day extension.
o 10 days.

A

30 days, with one 30-day extension

44
Q

What happens if a patient requests his or her own medical record in a Microsoft Word file, and the covered entity doesn’t use that particular software?
o The CE must provide the information in the format the patient requests.
o The CE can require the patient to view the record in person instead.
o The CE is only required to provide the record in the format it chooses.
o The CE and the patient can agree on a different format.

A

The CE and the patient can agree on a different format.

45
Q

If a covered entity denies a patient’s request for access to his or her own health information, on what grounds can the patient request a review?
o If the records are psychotherapy notes.
o If the records are compiled in anticipation of a court action.
o If the records are subject to the Clinical Laboratory Improvements Amendment.
o If a CE determines that access to the records would endanger someone’s life.

A

If a CE determines that access to the records would endanger someone’s life.

46
Q

A covered entity needs a patient’s authorization for which of the following disclosures?
o Disclosures involving treatment, payment, or healthcare operations.
o Disclosures to a provider who isn’t involved in the patient’s treatment.
o Disclosures to avert a risk to public health.
o Disclosures to a coroner to help identify a body.

A

Disclosures to a provider who isn’t involved in the patient’s treatment.