HIPAA Training Flashcards
Pass this stupid test
1
Q
What does HIPAA stand for
A
Health Insurance Portability and AccountabilityAct
2
Q
When was HIPAA formed
A
1996
3
Q
What does Title 1 protect?
A
Workers and their families when they lose or change jobs
4
Q
What does Title 2 protect?
A
the right to keep healthcare information private
5
Q
When was the implementation of HIPAA mandatory?
A
April 2003
6
Q
What Act was created in 2011?
A
The Texas Medical Records Act
7
Q
What does the “ workforce” include?
A
- all clinical and clerical employees of the clinic
- all students doing clinical or clerical work in the clinic
- other employees who have access to clinical space and confidential records are also a part of the workforce
8
Q
What is the point of HB 300?
A
tightens the screws of HIPAA and extends the law to additional entities
9
Q
Who was responsible for HB300?
A
Rick Perry
10
Q
How often must training be renewed?
A
Every two years and must have a signed record of participation in the training must be achieved
11
Q
Is training general of specific?
A
training must be specialized to the agency and the work that the individual does
12
Q
How soon must training occur?
A
Training must occur within 60 days of employment and is required before handling and/or producing electronic PHI
13
Q
What does HB 300 do?
A
expands beyond the workforce to groups of people who might come into possession of PHI for other reasons than working for the covered entity, namely, any business associated with the covered entity who maintain the PHI
14
Q
Who is not a member of the clinic workforce?
A
- Anyone without assigned duties in the clinic workspace
- students not working in the clinic in the current semester of faculty members or administrators
- researchers approved to work in the clinic space
- clients
- anyone else from outside the university community not contracted with the university to do work in the clinic space
15
Q
When may persons who are not members of the clinic workforce enter the clinic workspace?
A
- during clinic hours by the outer door of the waiting room only binnion 101 and MUST state their need to be in the area, and then will be permitted to enter the area at an appropriate time as determined by the presence of clients and current clinic policy
16
Q
Can non members of the clinic workspace enter the clinic hall space and other space not under the control of the clinic at anytime the clinic is not open?
A
yes
17
Q
May non-member os the clinic workspace enter B106, B110,B102 or the archive room when the clinic is closed ?
A
No
18
Q
Who does the Ancillary members of the clinic workforce include?
A
administrative, custodial, police, service and maintenance personnel with assigned duties in the clinic space
19
Q
When may ancillary members of the clinic workforce enter the clinic space?
A
- they may enter any area in the clinic space to carry out their assigned duties when the clinic is open, only with the consent of the staff member in B101/B106, and should enter through the main entrance to clinic waiting room
- may enter any area in the clinic space to carry out their assigned duties when the clinic is closed, except B102, B106, B110, B124
20
Q
What rules should you follow when you are in the clinic as ancillary personnel?
A
- never pick up or look at a file folder with anything in it
- never read anything in a file folder or open a filing cabinet
- do not make eye contact or speak to persons you know who are not university employees assigned to the clinic
21
Q
What to do in genuine emergencies?
A
- If it’s your job, take care of it quickly as is appropriate
- if you must enter B106, B102, B1110, B124 in an emergency
22
Q
What is HIPAA’s definition of research?
A
” the systematic investigation including research development, testing, and evaluation, designed to develop and contribute to generalizable knowledge”
23
Q
What’s the deal with researchers in the clinic?
A
- must have appropriate HIPAA training, complying with both federal and local regulations for access to the clinic space
- will have assigned space in which to work and have points of entry
- will typically be assigned to work in the back wing of the clinic
24
Q
What official authorization should researchers in the clinic have?
A
- must have full IRB approval on file in the clinic office, informed consent ( general clinic forms required by HIPAA), and informed consent if required by the IRB agreement including specific written authorization to disclose the relevant protected health information for research purposes
25
If you are a researcher in the clinic you should
- stay in your assigned area unless you are greeting a participant or using the kitchen or restroom
- call office if needed to see if coast is clear
- do not speak or make eye contact outside of your research team ( either inside or outside the clinic) unless they speak to you first
- do not look down the long hallway towards B101
- make every effort to avoid client contact
26
What should you do as a researcher, if you encounter a client you know outside of the clinic
You should discuss the fact with the clinic director and any supervisor you might have conducting the research at hand
27
Should researchers have their participants wait in the waiting room?
No, not when the clinic is open. They should wait in 102 when it is not in use by the clinic or elsewhere, outside of the clinic space
28
Whose responsibility are the participants of the research?
Ultimately, they are the responsibility of the research team as far as the implementation of HIPAA and clinic requirements is concerned. Any liability incurred by the university in the course of your dealing with those participants is he responsibly of the researcher alone unless the participant is also a clinical client
29
When was the Privacy Rule enacted?
April 3, 2003
30
What does the Privacy Rule entail?
- it regulates the use and disclosure of PHI by providers, insurance carries, clearing houses, etc. which engage in covered transactions
- a conservative view argues that the clinic engages in covered transactions and this must be HIPAA- complaint. we are thus a " covered entity"
- HIPAA violations, which we must report by law, originally entailed entailed to the institution of up to $250,000. ( it is more now)
31
What act binds HIPAA implementation?
The HITECH Act of 2009 - which increased the penalty of 1.5 million
32
What is Protected Health Information ?
it is any information held in any form by a concerned entity that concerns health status, or payment for health care that can be linked to any individual
33
When must disclosure of PHI be given after a written request?
-Within 30 days ( 15 days if electronic, and must b electronic if stored as such unless waived by client)
-written disclosure
documents must expire in 6 or fewer months or when a minor reaches the age of majority or dies
34
When can we discuss PHI?
- to facilitate Treatment, ( Including diagnostic assessment), Payment, or Healthcare Operations
35
When do we need to disclose discussion of PHI to the client?
- we need to keep a record of all such disclosures
| - anytime we disclose information about them, except in instances of treatment, payment or healthcare operations
36
If Electronic disclosure of PHI is possible...
- clients must be told in advance of the possibility
37
What are the options to disclose the possibility of electronic PHI disclosure to a client?
- can be posted in the covered entity's website
- can be posted in the covered entity's place of business
- can be posted in any other place client is apt to see it
38
What are covered entity's under HB300?
- any person who comes into possession of PHI or obtains and stores PHI
- employee, agent, or contractor if the person creates, receives, obtains, maintains, uses or transmits PHI, under Texas Law is a covered entity
39
What are the exemptions that are relevant to the clinic as far as covered entities are concerned ?
- information and records of offenders with " mental impairments" and some educational records
40
What are the prohibited acts under HB 300?
- RE-identification of PHI, or an attempt to do so
- Most marketing, unless face to face, necessary for certain operations, or requested orally by the client in a clear and unambiguous way
- sale of PHI, except to another covered entity to facilitate treatment, healthcare operations of Insurance/ HMO functions
41
What is the Privacy Notice?
- it is our notification of privacy rights which specifies the ways in which we observe the privacy rule
- this notice describes how medical information about you can be used and disclosed, and how you can get access to the information
42
When can health information be viewed?
It may be viewed directly by any member of the workforce of the clinic, but only when necessary in order to carry out clinically appropriate assessment or interventions with either individually or a group
43
Are clerical members of the workforce able to review a chart?
Yes, but only on a need to know basis, and to determine if account is current and secure needed payments for services provided
44
When will files be removed from the secure area?
a designated member of the workforce will remove the files from a secure area for relevant review by the clinicians working with the case or the supervisors
45
Who can handle a client's chart?
All members of the workforce may at times handle and review portions of the chart in order to ensure that normal operations involved in assessment, intervention and orderly record keeping are carried out
46
When are the exemptions to confidentiality of health information?
If the client presents an immediate danger to themselves or others, especially a threat to a particular minor child or elderly person. Authorities can be contacted.
47
What is a clinician has another relationship with a clinic client?
That clinician will recuse themselves from clinic activities in which discussion of the client's case occurs. That person of the clinic workforce may NOT access the client's file.
48
When will electronic copies of records be made?
-only in the production of formal evaluative report ( psychological assessments, discharge summaries, and case summaries)
49
How will EPHI be stored?
- behind two locked doors in the clinic at all times when not in use.
- once placed in use, the remote storage device will become the property of the clinic and may not be removed from the premises.
- no electronic record containing any PHI will be removed from the clinic or stored on the hard drive of any computers, even those in the clinic
50
Who has access to EPHI?
- only authorized persons
51
How will PHI and EPHI be moved?
- will be delivered o the clinician for use in the clinic only by a clinic director, principal administrative graduate assistant, or a designated paid member of he clinic workforce
- a written record of PHI and EPHI transfer to clinic employees
- will be made at the time of the transaction
- clinicians preparing reports n computers will close all relevant files and remove the remote storage device from the computer when leaving the room
52
What information must be provided when someone calls the clinic asking about a case?
1) they must name the client,
2) give code number,
3) give own name,
4 ) state the nature of the inquiry
53
What is standard operating procedure for answering the phone?
- ask for needed information without acknowledging one way or the other whether a person is actually a client or that you have ever heard of the client name they give
- nobody gets seen without appropriate and certain written consent
54
Thapar V Zezulka was argued and decided on what dates?
Argued: November 18, 1998
Decided: June 24, 1999
55
Who comprises the clinic privacy board
members of the clinic policy council
56
When may we disclose private health information?
-In the course of any administrative or judicial proceeding
57
To whom may we disclose personal health information?
- Researchers conducting research that has been approved by the IRB or the privacy board of the clinic
- appropriate persons in order to prevent or lessen a serious imminent threat to the health and safety of a person or the general public
58
What will happen to a client's personal health information in the event that the clinic is sold or merged with another organization?
The health information will become the property of the new owner or organization
59
The clinic may not use or disclose your health information without what?
Your written authorization
60
When and how may a client revoke a written authorization to disclose health information?
At ANY time in WRITING
61
What forms will be used to secure authorization to disclose PHI?
- The legally adequate form generated by the Attorney General of Texas
- May also use one of our two disclosure forms in a SUPPLEMENTAL way
62
What rights do clients have with regard to their health information?
- request restrictions on certain uses and disclosures of your health information
- receive your health information through a reasonable alternative means or at an alternative location
- inspect a copy of your health information
63
What must a client do in order to inspect a copy of their health information?
Contact the clinic by phone or in writing and make an appointment and copy their documents
64
Who is the current clinic Privacy officer?
Dr. Ball since June 8, 2009
65
Where should complaints go?
To Dr. Ball first then to the clinic privacy board
66
Who comprises the clinic privacy board/
members of the clinic policy council
67
What may a client do if they are not satisfied with the manner in which we handle a complaint?
The client may submit a formal complaint to the Department of Health and Human Services office of civil rights
68
BY LAW what must be reported by the clinic?
We are required by law to report a HIPAA violation that occurs in the clinic
69
Who can enter the staff room , office, active case filing room or archive room during clinic hours or when a clinician is working on a file entailing EPHI in that space ?
Only members of the clinic workforce
70
How many people are allowed to be in the main office and chart room at any time combined?
Only members of the workforce
71
If working in a school district you are bound by
FERPA - Family Educational Rights and Privacy Act
72
Who may not enter the clinic area during operating hours 9 except for waiting room and approved research)?
1) Anyone who is not a member of the clinic, scheduled client escorted by clinician or a custodian or maintenance employee of the university assigned to the area by that employee's supervisor
AND
2) escorted by a clinic member
73
What is the Security Rule?
it is specifically aimed at EPHI but is relevant to "ordinary PHI" as well
74
Progress Notes
- will be created on paper in physical charts according to the specifications provided in the clinic manual
- the format will be dictated by the nature of the note's content and the strategies of the clinic's supervisor
BUT
- they will not name anyone but the client and members of the clinic workforce
- and will describe progress at the intermediate level of specificity designed by clinic supervisor
75
Process Notes
- in some states process notes ( private reminders etc) are exempt from routine subpoena
- in texas, all notes made by the therapist or assessment professional are by definition, progress notes
76
What are the 3 layers of security that are necessary in order to secure compliance?
1) Administrative ( our rules)
2) Physical ( maintenance and storage practices)
3) Technical ( security of our electronic storage practices)
77
What type of information was the Security Rule designed to protect?
Electronic Protected Health Information
| *this is relevant to ordinary PHI as well
78
What was the Date the Security Rule enacted?
April 21, 2003
79
What are the three layers of security safe guards necessary for protecting electronic PHI?
- Administrative.
- Physical (maintenance and storage Practices)
- Technical (Security of our electronic storage practices)
80
How will Progress Notes be created?
On paper, in physical charts according to specifications provided in the clinical manual
81
How will the format of the Progress Notes be dictated?
by the nature of the note's content and the strategies of the clinician's supervisor
82
Who all can be named in a progress note?
the Client and members of the clinic workforce contacting the client in a relevant way
