HIPAA Privacy Rule

Question 1

HIPAA acronym

Answer 1

Health Insurance Portability and Accountability Act

Question 2

Privacy Rule was passed in what year?

Answer 2

2003

Question 3

Security Rule was passed in what year?

Answer 3

2005

Question 4

The privacy rule establishes the ______

Answer 4

minimum

(NOTE: if state and federal are diff, follow the most stringent one)

Question 5

What is privacy?

Answer 5

Freedom from unauthorized intrusion

Question 6

What is confidentiality?

Answer 6

requires HC providers to protect heath records from unauthorized use

(NOTE: may be written or verbal)

Question 7

What title # of HIPAA pertains to privacy and security?

Answer 7

Title II

Question 8

What forms of info does the Privacy rule cover?

Answer 8

oral, written, and electronic

Question 9

What forms of info does the Security rule cover?

Answer 9

Only electronic info

Question 10

PHI acronym

Answer 10

Protected health info

Question 11

What does HIPAA lack?

Answer 11

a private right of action

(NOTE: means that a pt can’t sue for HIPAA violation, only an attorney or general gov)

Question 12

Purpose of HITECH (2009) (2)

Answer 12

• Strengthens privacy and security of PHI (i.e. use of EHRs)
• increased penalties

Question 13

What is health info per HIPAA?

Answer 13

Any info (whether oral or recorded in any form) that is created or received by a health care provider, health plan, employer, life insurer, school

AND relates to the past, present, or future phys/mental health of an individual

Question 14

What happens if health info is not dated?

Answer 14

Applies to the future

(no end date)

Question 15

What 6 things does HIPAA provide the patient the right of?

Answer 15

1. access
2. request amendment
3. accounting of disclosure
4. request confidential communications
5. request restrictions
6. complain of privacy rule violations

Question 16

Who does HIPAA apply to? (2)

Answer 16

1. Covered entities (+ workforces)
2. Business associates (+ workforce and subcontractors)

Question 17

What is covered under HIPAA?

Answer 17

PHI (and any “HIPAA identifiers” that point to a certain pt)

Question 18

What is NOT covered under HIPAA? (2)

Answer 18

• De-identifiied info
• personnel and edu records

Question 19

Three HIPAA CEs:

Answer 19

• Healthcare provider
• Health plan
• Healthcare clearinghouse

Question 20

CE: Healthcare provider description

Answer 20

doctor

Question 21

CE: Health plan description

Answer 21

insurance plan

Question 22

CE: Healthcare Clearinghouse description

Answer 22

3rd party billing vendor

Question 23

Should HIPAA be politicalized?

Answer 23

No

Question 24

An example of an organization that would need a business associate agreement is…

a) housekeeping service
b) Hospital where dr refers patients for surgery
c) Healthcare organization’s employees
d) Billing service that the healthcare organization uses

Answer 24

d) Billing service that the healthcare organization uses

Question 25

HIPAA Applicability: What is a Business Associate (BA)?

Answer 25

Any person or org that provides services around PHI or its disclosure

(ex: 3rd party vendors, consultants, etc)

Question 26

What is a Business associate agreement (BAA)? Does it apply to subcontractors?

Answer 26

Legally protects info handled by BA that complies with HIPAA

Yes

Question 27

Components of a BAA (3):

Answer 27

• written
• specifies permitted/prohibited uses
• assurances of safeguards to prevent unauthorized use

Question 28

What law added more BA categories?

Answer 28

HITECH

Question 28

If a health care facility accepts cash or provides free services, like a clinic that provides physical exams, administers vaccines, and gives well baby check-ups regulated by HIPAA?

Answer 28

No; free services are not CE

Question 29

Are wearable devices that collect PHI covered by HIPAA?

Answer 29

No

Question 29

Are artificial intelligence (AI) programs that analyze patient data considered BAs?

Answer 29

No

Question 30

What was added to the 2024 HIPAA update?

Answer 30

• strengthened reproductive privacy
• reward, similar to qui tam
• increased care coordination for SUD records

Question 31

What is a workforce?

Answer 31

Any individual working under the CE’s direct control

(paid employees, volunteers, trainers, interns, outsourced vendors)

Question 32

What are the three components for determining PHI?

Answer 32

1. identifies a person or a reasonable basis to believe a person could be identified
2. relates to one’s health condition
3. is held or transmitted by a CE or its BA

Question 33

Decedents according to 2013 Omnibus Final Rule

Answer 33

PHI does not have to be retained after 50 yrs

Question 34

What happens with the HIPAA privacy rule under emergencies?

Answer 34

Specific parts can be suspended for up to 72 hours

Question 35

What Act covered edu records?

Answer 35

Federal Education Records Privacy Act (FERPA)

Question 36

PHI disclosure

Answer 36

Dissemination of PHI from a CE/NA

Question 37

PHI Use

Answer 37

Handling PHI internal to a CE/BA

Question 37

PHI Request

Answer 37

Asking for access to PHI

Question 38

Minimum necessary

Answer 38

“need to know” concept

Limits PHI uses, disclosures and request to only the “minimum necessary” amt to accomplish an intended purpose

Question 39

Two situations where HIPAA requires use or disclosure of PHI without an individual’s authorization:

Answer 39

1. Indv or rep requests access
2. US Dept H&HS is investigating

Question 40

What is TPO? Does it require authorization?

Answer 40

Treatment, payment, operations

No but may do it as a courtesy

Question 41

2 Situations where indv can informally agree or object

Answer 41

1. Pt admission directory
2. Notification to fam/friends

Question 42

For what things is a valid authorization for disclosure of info required? (5)

Answer 42

• PHI that cannot be released w/out authorization
• psychotherapy notes
• marketing
• research
• sale of PHI

Question 43

What is marketing in HC?

Answer 43

Communication about a product or service that encourages the recipient to purchase or use it

Question 44

What did HITECH do in terms of marketing?

Answer 44

Limited the def of HC operations to increase the marketing authorization requirement

Question 44

What is the problem with marketing?

Answer 44

CEs often classify marketing activities as HC operations NOT requiring authorization

Question 45

When can fundraising be considered part of operations?

Answer 45

When it uses de-identified info to raise funds to benefit the org

Question 46

What pt info can be used for fundraising purposes? (6)

Answer 46

• demographics
• date of HC provided
• department of service info
• treating physician
• outcome info
• health insurance status

Question 46

HITECH imposes additional requirements on CEs and ____ patients’ ability to easily and inexpensively opt out of fundraising solicitations that use or disclose PHI

Answer 46

strengthens

Question 47

When does the notice of privacy practice have to be given?

Answer 47

before on on the first visit

Question 47

How long does the notice of privacy practice have to be kept?

Answer 47

3 years

Question 47

What is the notice of privacy practices?

Answer 47

• lays out how a CE will use and disclose PHI
• CE legal duties regarding PHI

Question 47

What does the use and disclosure of psychotherapy notes require?

Answer 47

Authorization

Question 48

Is selling PHI a violation of the Notice of Privacy Practices?

Answer 48

Yes

Question 49

What happens if the pt refuses to sign the Notice of Privacy Practices?

Answer 49

Must be documented; care can’t be withheld

Question 50

Does consent has an expiration date?

Answer 50

No

Question 50

T/F: Providers are required to obtain a pt’s signed consent to use/disclose PHI for TPO purposes?

Answer 50

False; not required

Question 51

What is authorization?

Answer 51

Written permission for specific disclosure (things other than TPO)

Question 52

Key HIPAA elements included in authorization (9)

Answer 52

• name of individual
• who is making disclosure
• to whom info is going to
• type of info disclosed
• signature of individual
• date signed
• expiration date
• statement of right to revoke
• redisclosure statement

Question 53

Providing a copy of an emergency room visit report to a PCP is an example of which of the following under HIPAA?

A. Use of protected health information
B. Provision of protected health information
C. Minimum necessary of protected health information
D. Disclosure of protected health information

Answer 53

D. Disclosure of protected health information

Question 54

What is the right to request restrictions?

Answer 54

Requesting restrictions on uses/disclosures of PHI outside of TPO;

(NOTE: not required to agree if too difficult to carry out request)

Question 55

What is the exception to the right to request restrictions?

Answer 55

If individual wishes to not use Health Plan and pay in full with cash

Question 56

What info is included in accounting of disclosures?

Answer 56

• date
• name/address of entity that recieved info
• info disclosure
• statement on purpose of disclosure

Question 57

Who investigates HIPAA violations?

Answer 57

HHS- OCR

Office of Civil Rights

Question 57

Who owns the pt record?

Answer 57

Provider/ org

Question 58

When a pt is requesting access to records, how long do CEs have to respond after the request was received?

Answer 58

30 days (15 days if electronic info)

Question 59

Instances when a pt can be denied access to PHI (3)

Answer 59

• psychotherapy notes
• correctional institutions if it jeopardizes safety
• if info was obtained other than provider and access would reveal source of info

Question 60

What did the 21st Century Cures Act do? (2)

Answer 60

• reiterates pt access
• prohibits info blocking

Question 61

Reasons for having a denied PHI request (2)

Answer 61

• endangers life or safety
• causes substantial harm to another person mentioned in PHI

Question 62

Explain if it is a HIPAA Privacy rule violation:

Natalie requested a list of people who have reviewed her record. This is her second request of the year. The hospital is charging her $150

Answer 62

Yes, excessive fee

Question 62

Explain if it is a HIPAA Privacy rule violation:

The hospital received a request to amend a patient record. They refused to accept the request

Answer 62

Yes, have to accept but may not honor request

Question 63

Explain if it is a HIPAA Privacy rule violation:

Bob refused to sign the Notice of Privacy Practice, but the hospital treated him anyway

Answer 63

No

Question 63

Explain if it is a HIPAA Privacy rule violation:

Mr. Smith requests a copy of his wife’s medical record but does not include a written authorization from his wife.

Answer 63

Yes, need the wife’s authorization

Question 63

What is a breach?

Answer 63

unauthorized access, use, or disclosure of PHI

Must demonstrate PHI was compromised

Question 64

Omnibus rule’s 3 exceptions to breach notification rule

Answer 64

1. PHI disclosure was not intentional
2. access to PHI was unintentional by a workforce member
3. HC org has good faith the PHI was not retained

Question 65

Breach notification notice is for… (2)

Answer 65

• individuals affected
• HSS via online portal

Question 66

HIPAA Breach Notification Requirements: 9-499 individuals

Answer 66

Web posting and media notification

Question 67

What does preemption do?

Answer 67

Gives legal precedence to federal law when it conflicts with state law

Question 67

HIPAA Breach Notification Requirements: 500+ individuals

Answer 67

notice to media outlets and Secretary of HHS

Question 68

Is this a HIPAA violation?

There was an overdose at 17 Tyler Road around 1:30 this morning. Charleston County responded and the female in the home was taken via ambulance to the hospital. Per the officers, it was cocaine and pills

Answer 68

No, the resident is not a CE or BA.

Question 69

How many tiers of HIPAA violation penalties are there?

Answer 69

4

Question 70

HIPAA Violation Penalties: Tier 1

Answer 70

Unaware of HIPAA violation

Question 71

HIPAA Violation Penalties: Tier 2

Answer 71

Had reasonable cause and not willful neglect

Question 72

HIPAA Violation Penalties: Tier 3

Answer 72

Had willful neglect and corrected within 30 days of discovery

Question 73

HIPAA Violation Penalties: Tier 4

Answer 73

Had willful neglect and not corrected as required