HIPAA Training

Question 1

What does HIPAA stand for

Answer 1

Health Insurance Portability and AccountabilityAct

Question 2

When was HIPAA formed

Answer 2

1996

Question 3

What does Title 1 protect?

Answer 3

Workers and their families when they lose or change jobs

Question 4

What does Title 2 protect?

Answer 4

the right to keep healthcare information private

Question 5

When was the implementation of HIPAA mandatory?

Answer 5

April 2003

Question 6

What Act was created in 2011?

Answer 6

The Texas Medical Records Act

Question 7

What does the “ workforce” include?

Answer 7

• all clinical and clerical employees of the clinic
• all students doing clinical or clerical work in the clinic
• other employees who have access to clinical space and confidential records are also a part of the workforce

Question 8

What is the point of HB 300?

Answer 8

tightens the screws of HIPAA and extends the law to additional entities

Question 9

Who was responsible for HB300?

Answer 9

Rick Perry

Question 10

How often must training be renewed?

Answer 10

Every two years and must have a signed record of participation in the training must be achieved

Question 11

Is training general of specific?

Answer 11

training must be specialized to the agency and the work that the individual does

Question 12

How soon must training occur?

Answer 12

Training must occur within 60 days of employment and is required before handling and/or producing electronic PHI

Question 13

What does HB 300 do?

Answer 13

expands beyond the workforce to groups of people who might come into possession of PHI for other reasons than working for the covered entity, namely, any business associated with the covered entity who maintain the PHI

Question 14

Who is not a member of the clinic workforce?

Answer 14

• Anyone without assigned duties in the clinic workspace
• students not working in the clinic in the current semester of faculty members or administrators
• researchers approved to work in the clinic space
• clients
• anyone else from outside the university community not contracted with the university to do work in the clinic space

Question 15

When may persons who are not members of the clinic workforce enter the clinic workspace?

Answer 15

• during clinic hours by the outer door of the waiting room only binnion 101 and MUST state their need to be in the area, and then will be permitted to enter the area at an appropriate time as determined by the presence of clients and current clinic policy

Question 16

Can non members of the clinic workspace enter the clinic hall space and other space not under the control of the clinic at anytime the clinic is not open?

Answer 16

yes

Question 17

May non-member os the clinic workspace enter B106, B110,B102 or the archive room when the clinic is closed ?

Answer 17

No

Question 18

Who does the Ancillary members of the clinic workforce include?

Answer 18

administrative, custodial, police, service and maintenance personnel with assigned duties in the clinic space

Question 19

When may ancillary members of the clinic workforce enter the clinic space?

Answer 19

• they may enter any area in the clinic space to carry out their assigned duties when the clinic is open, only with the consent of the staff member in B101/B106, and should enter through the main entrance to clinic waiting room
• may enter any area in the clinic space to carry out their assigned duties when the clinic is closed, except B102, B106, B110, B124

Question 20

What rules should you follow when you are in the clinic as ancillary personnel?

Answer 20

• never pick up or look at a file folder with anything in it
• never read anything in a file folder or open a filing cabinet
• do not make eye contact or speak to persons you know who are not university employees assigned to the clinic

Question 21

What to do in genuine emergencies?

Answer 21

• If it’s your job, take care of it quickly as is appropriate
• if you must enter B106, B102, B1110, B124 in an emergency

Question 22

What is HIPAA’s definition of research?

Answer 22

” the systematic investigation including research development, testing, and evaluation, designed to develop and contribute to generalizable knowledge”

Question 23

What’s the deal with researchers in the clinic?

Answer 23

• must have appropriate HIPAA training, complying with both federal and local regulations for access to the clinic space
• will have assigned space in which to work and have points of entry
• will typically be assigned to work in the back wing of the clinic

Question 24

What official authorization should researchers in the clinic have?

Answer 24

• must have full IRB approval on file in the clinic office, informed consent ( general clinic forms required by HIPAA), and informed consent if required by the IRB agreement including specific written authorization to disclose the relevant protected health information for research purposes

Question 25

If you are a researcher in the clinic you should

Answer 25

• stay in your assigned area unless you are greeting a participant or using the kitchen or restroom
• call office if needed to see if coast is clear
• do not speak or make eye contact outside of your research team ( either inside or outside the clinic) unless they speak to you first
• do not look down the long hallway towards B101
• make every effort to avoid client contact

Question 26

What should you do as a researcher, if you encounter a client you know outside of the clinic

Answer 26

You should discuss the fact with the clinic director and any supervisor you might have conducting the research at hand

Question 27

Should researchers have their participants wait in the waiting room?

Answer 27

No, not when the clinic is open. They should wait in 102 when it is not in use by the clinic or elsewhere, outside of the clinic space

Question 28

Whose responsibility are the participants of the research?

Answer 28

Ultimately, they are the responsibility of the research team as far as the implementation of HIPAA and clinic requirements is concerned. Any liability incurred by the university in the course of your dealing with those participants is he responsibly of the researcher alone unless the participant is also a clinical client

Question 29

When was the Privacy Rule enacted?

Answer 29

April 3, 2003

Question 30

What does the Privacy Rule entail?

Answer 30

• it regulates the use and disclosure of PHI by providers, insurance carries, clearing houses, etc. which engage in covered transactions
• a conservative view argues that the clinic engages in covered transactions and this must be HIPAA- complaint. we are thus a “ covered entity”
• HIPAA violations, which we must report by law, originally entailed entailed to the institution of up to $250,000. ( it is more now)

Question 31

What act binds HIPAA implementation?

Answer 31

The HITECH Act of 2009 - which increased the penalty of 1.5 million

Question 32

What is Protected Health Information ?

Answer 32

it is any information held in any form by a concerned entity that concerns health status, or payment for health care that can be linked to any individual

Question 33

When must disclosure of PHI be given after a written request?

Answer 33

-Within 30 days ( 15 days if electronic, and must b electronic if stored as such unless waived by client)
-written disclosure
documents must expire in 6 or fewer months or when a minor reaches the age of majority or dies

Question 34

When can we discuss PHI?

Answer 34

• to facilitate Treatment, ( Including diagnostic assessment), Payment, or Healthcare Operations

Question 35

When do we need to disclose discussion of PHI to the client?

Answer 35

• we need to keep a record of all such disclosures

- anytime we disclose information about them, except in instances of treatment, payment or healthcare operations

Question 36

If Electronic disclosure of PHI is possible…

Answer 36

• clients must be told in advance of the possibility

Question 37

What are the options to disclose the possibility of electronic PHI disclosure to a client?

Answer 37

• can be posted in the covered entity’s website
• can be posted in the covered entity’s place of business
• can be posted in any other place client is apt to see it

Question 38

What are covered entity’s under HB300?

Answer 38

• any person who comes into possession of PHI or obtains and stores PHI
• employee, agent, or contractor if the person creates, receives, obtains, maintains, uses or transmits PHI, under Texas Law is a covered entity

Question 39

What are the exemptions that are relevant to the clinic as far as covered entities are concerned ?

Answer 39

• information and records of offenders with “ mental impairments” and some educational records

Question 40

What are the prohibited acts under HB 300?

Answer 40

• RE-identification of PHI, or an attempt to do so
• Most marketing, unless face to face, necessary for certain operations, or requested orally by the client in a clear and unambiguous way
• sale of PHI, except to another covered entity to facilitate treatment, healthcare operations of Insurance/ HMO functions

Question 41

What is the Privacy Notice?

Answer 41

• it is our notification of privacy rights which specifies the ways in which we observe the privacy rule
• this notice describes how medical information about you can be used and disclosed, and how you can get access to the information

Question 42

When can health information be viewed?

Answer 42

It may be viewed directly by any member of the workforce of the clinic, but only when necessary in order to carry out clinically appropriate assessment or interventions with either individually or a group

Question 43

Are clerical members of the workforce able to review a chart?

Answer 43

Yes, but only on a need to know basis, and to determine if account is current and secure needed payments for services provided

Question 44

When will files be removed from the secure area?

Answer 44

a designated member of the workforce will remove the files from a secure area for relevant review by the clinicians working with the case or the supervisors

Question 45

Who can handle a client’s chart?

Answer 45

All members of the workforce may at times handle and review portions of the chart in order to ensure that normal operations involved in assessment, intervention and orderly record keeping are carried out

Question 46

When are the exemptions to confidentiality of health information?

Answer 46

If the client presents an immediate danger to themselves or others, especially a threat to a particular minor child or elderly person. Authorities can be contacted.

Question 47

What is a clinician has another relationship with a clinic client?

Answer 47

That clinician will recuse themselves from clinic activities in which discussion of the client’s case occurs. That person of the clinic workforce may NOT access the client’s file.

Question 48

When will electronic copies of records be made?

Answer 48

-only in the production of formal evaluative report ( psychological assessments, discharge summaries, and case summaries)

Question 49

How will EPHI be stored?

Answer 49

• behind two locked doors in the clinic at all times when not in use.
• once placed in use, the remote storage device will become the property of the clinic and may not be removed from the premises.
• no electronic record containing any PHI will be removed from the clinic or stored on the hard drive of any computers, even those in the clinic

Question 50

Who has access to EPHI?

Answer 50

• only authorized persons

Question 51

How will PHI and EPHI be moved?

Answer 51

• will be delivered o the clinician for use in the clinic only by a clinic director, principal administrative graduate assistant, or a designated paid member of he clinic workforce
• a written record of PHI and EPHI transfer to clinic employees
• will be made at the time of the transaction
• clinicians preparing reports n computers will close all relevant files and remove the remote storage device from the computer when leaving the room

Question 52

What information must be provided when someone calls the clinic asking about a case?

Answer 52

1) they must name the client,
2) give code number,
3) give own name,
4 ) state the nature of the inquiry

Question 53

What is standard operating procedure for answering the phone?

Answer 53

• ask for needed information without acknowledging one way or the other whether a person is actually a client or that you have ever heard of the client name they give
• nobody gets seen without appropriate and certain written consent

Question 54

Thapar V Zezulka was argued and decided on what dates?

Answer 54

Argued: November 18, 1998
Decided: June 24, 1999

Question 55

Who comprises the clinic privacy board

Answer 55

members of the clinic policy council

Question 56

When may we disclose private health information?

Answer 56

-In the course of any administrative or judicial proceeding

Question 57

To whom may we disclose personal health information?

Answer 57

• Researchers conducting research that has been approved by the IRB or the privacy board of the clinic
• appropriate persons in order to prevent or lessen a serious imminent threat to the health and safety of a person or the general public

Question 58

What will happen to a client’s personal health information in the event that the clinic is sold or merged with another organization?

Answer 58

The health information will become the property of the new owner or organization

Question 59

The clinic may not use or disclose your health information without what?

Answer 59

Your written authorization

Question 60

When and how may a client revoke a written authorization to disclose health information?

Answer 60

At ANY time in WRITING

Question 61

What forms will be used to secure authorization to disclose PHI?

Answer 61

• The legally adequate form generated by the Attorney General of Texas
• May also use one of our two disclosure forms in a SUPPLEMENTAL way

Question 62

What rights do clients have with regard to their health information?

Answer 62

• request restrictions on certain uses and disclosures of your health information
• receive your health information through a reasonable alternative means or at an alternative location
• inspect a copy of your health information

Question 63

What must a client do in order to inspect a copy of their health information?

Answer 63

Contact the clinic by phone or in writing and make an appointment and copy their documents

Question 64

Who is the current clinic Privacy officer?

Answer 64

Dr. Ball since June 8, 2009

Question 65

Where should complaints go?

Answer 65

To Dr. Ball first then to the clinic privacy board

Question 66

Who comprises the clinic privacy board/

Answer 66

members of the clinic policy council

Question 67

What may a client do if they are not satisfied with the manner in which we handle a complaint?

Answer 67

The client may submit a formal complaint to the Department of Health and Human Services office of civil rights

Question 68

BY LAW what must be reported by the clinic?

Answer 68

We are required by law to report a HIPAA violation that occurs in the clinic

Question 69

Who can enter the staff room , office, active case filing room or archive room during clinic hours or when a clinician is working on a file entailing EPHI in that space ?

Answer 69

Only members of the clinic workforce

Question 70

How many people are allowed to be in the main office and chart room at any time combined?

Answer 70

Only members of the workforce

Question 71

If working in a school district you are bound by

Answer 71

FERPA - Family Educational Rights and Privacy Act

Question 72

Who may not enter the clinic area during operating hours 9 except for waiting room and approved research)?

Answer 72

1) Anyone who is not a member of the clinic, scheduled client escorted by clinician or a custodian or maintenance employee of the university assigned to the area by that employee’s supervisor
AND
2) escorted by a clinic member

Question 73

What is the Security Rule?

Answer 73

it is specifically aimed at EPHI but is relevant to “ordinary PHI” as well

Question 74

Progress Notes

Answer 74

• will be created on paper in physical charts according to the specifications provided in the clinic manual
• the format will be dictated by the nature of the note’s content and the strategies of the clinic’s supervisor
  BUT
• they will not name anyone but the client and members of the clinic workforce
• and will describe progress at the intermediate level of specificity designed by clinic supervisor

Question 75

Process Notes

Answer 75

• in some states process notes ( private reminders etc) are exempt from routine subpoena
• in texas, all notes made by the therapist or assessment professional are by definition, progress notes

Question 76

What are the 3 layers of security that are necessary in order to secure compliance?

Answer 76

1) Administrative ( our rules)
2) Physical ( maintenance and storage practices)
3) Technical ( security of our electronic storage practices)

Question 77

What type of information was the Security Rule designed to protect?

Answer 77

Electronic Protected Health Information

*this is relevant to ordinary PHI as well

Question 78

What was the Date the Security Rule enacted?

Answer 78

April 21, 2003

Question 79

What are the three layers of security safe guards necessary for protecting electronic PHI?

Answer 79

• Administrative.
• Physical (maintenance and storage Practices)
• Technical (Security of our electronic storage practices)

Question 80

How will Progress Notes be created?

Answer 80

On paper, in physical charts according to specifications provided in the clinical manual

Question 81

How will the format of the Progress Notes be dictated?

Answer 81

by the nature of the note’s content and the strategies of the clinician’s supervisor

Question 82

Who all can be named in a progress note?

Answer 82

the Client and members of the clinic workforce contacting the client in a relevant way