Regulatory Compliance & Quality - Section 3: HIPAA Flashcards
What are the 3 rules in HIPAA governing data privacy and security?
Privacy, security, and breach notification
True or False:
Clinics must have policies and procedures to address the privacy, security, and breach notification rules as well as documentation of implementation
True
Clinic must have policies and procedures to address the privacy, security, and breach notification HIPAA rules, as well as documentation of ___
Implementation
Which rule addresses all forms of protected health information - paper, electronic, and oral?
Privacy Rule
Which rule stipulates that safeguards must be implemented to prevent uses and disclosures of a patient’s protected health information without the patient’s authorization or expressed authorization within the rule itself?
Privacy Rule
True or False:
The Privacy Rule stipulates that there are instances in which the patient’s permission to disclose protected health information is not required
True
The Security Rule applies only to ___ forms of PHI
Electronic
The primary goal of the Security Rule is to protect the privacy of individuals’ PHI while allowing covered entities to adopt new technologies for what purpose?
To improve the quality and efficiency of patient care
Given that the health care marketplace is diverse, the Security Rule is designed to be ___ and ___ so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ E-PHI
Flexible and scalable
Breach notification objectives require covered entities and their business associates to report breaches in privacy or security due to ___ health information
Unprotected
There is a set of ___ individually identifiable health information that could be used to identify a patient
18
These are the safeguards that HIPAA expects to be in place
Standards
The steps needed to achieve the requirements of a given standard
Implementation specification
All standards are ___
Required
Some implementation specifications are ___, which means that you must implement those standards
Required
Addressable does not mean ___
Optional
Addressable means that you must perform an assessment to determine if the implementation specification is ___ and ___ for your organization
Appropriate and reasonable
Health plans, clearinghouses, and providers which electronically transmit or receive any PHI
Covered entity
What are 3 examples of a covered entity?
Health plans, clearinghouses, and providers
Any organization or process working in an association with or providing services to a covered entity who handles or discloses PHI or personal health records
Business associate
What are the 3 situations when patients should receive the Notice of Privacy Practices?
The first time they visit the clinic, with every revision, and upon request
Post the Notice of Privacy Practices in a ___ area of your clinic
Visible
If you have a website, should you post the Notice of Privacy Practices on the website?
Yes
True or False:
The Notice of Privacy Practices must contain the following statement: “This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”
True
A description and at least ___ example of the types of uses and disclosures that your clinic uses PHI for: treatment, payment, and healthcare operations
One
True or False:
Notice of Privacy Practices Uses and Disclosures should include a statement and example of uses and disclosures that do and do not require authorization
True
NPP Individual Rights
Request ___ on certain uses and disclosures of PHI, including a statement that your clinic does not have to agree to a requested restriction
Restrictions
True or False:
If a patient requests restrictions on certain uses and disclosures of PHI, your clinic must agree to it
False; your clinic does not have to agree to a requested restriction
NPP Individual Rights
Receive ___ communications
Right to ___ and ___ PHI
Right to request an ___ to PHI
Right to receive an accounting of ___
Right to receive your NPP ___ and/or upon ___
Confidential
Inspect and copy
Amendment
Disclosures
Electronically and/or upon request
NPP Complaints
Information on how to file a privacy/security complaint with your clinic and with the ___ of ___
Secretary of HHS
NPP Contact
Contact information for the person in your clinic responsible for ___
Does not have to include their name, but must include a title such as “___ ___”
Privacy
Privacy Officer
NPP Effective date
The date the NPP became ___ and the date it was last ___
Effective
Revised
Who should access to PHI be limited to?
Those with a legitimate reason within their job duties to see PHI
Limit disclosures of PHI in your clinic to the amount reasonably necessary to achieve the purpose of ____ (i.e., referrals to other providers, disclosures to payers)
Disclosure
Develop a ___ (or policy) designed to limit the PHI within a given disclosure or access to PHI
Criteria
The business record generated at or for a healthcare organization
Legal record set
The record that would be released upon receipt of a request
Legal record set
The officially declared record of healthcare services provided to an individual delivered by a provider
Legal record set
A group of records maintained by or for a covered entity that is the medical and billing records about individuals; enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; information used in whole or in part by or for the HIPAA covered entity to make decisions about individuals
Designated record set
What is the purpose of the designated record set?
To comply with the Privacy Rule requirements for uses, disclosures, patient right of access and amendment
The contents of a designated record set are not supported for ___ requests for disclosures
External
A partially de-identified record
Limited record set
The following record types are included in the designated record set:
___ record
___ clinical data
___ records and reports
Clinical
Source
External
A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity
Business associate
A member of a covered entity’s workforce IS or IS NOT a business associate
Is not
True or False
You must enter into a BAA with every business associate
True
You should periodically ___ your BAAs
Review
You should periodically assess your business associate’s ___ with your BAA
Compliance
True or False
Patients do not have the right to access their designated record set
False; do have the right to access
Requests to release PHI to patients or their personal representative must be done in ___
Writing
Patients should be provided access to their PHI within ___ calendar days of the request (___ 30-day extension is permissible under certain circumstances)
30
One
True or False
OCR is increasing enforcement on patient access to records
True
Provision, coordination, or management of healthcare and related services among healthcare providers or a provider with a third party, or consultation between healthcare providers
Treatment disclosure
Referrals from one healthcare provider to another DO or DO NOT require authorization from the patient
Do not
Activities involved in obtaining payment or being reimbursed for services:
Determining ___ or ___
Billing and ___ activities
Reviewing healthcare services for medical ___, coverage, justification for charges
Utilization ___
Disclosure to ___ reporting agencies
Verify dates of ___ prior to disclosing patient information to payer
Eligibility or coverage
Collection
Necessity
Review
Consumer
Coverage
Healthcare operations disclosure:
Conducting ___ assessment and improvement activities
Patient ___ activities
Protocol ___
Case ___
Reviewing the competence or ___ of healthcare professionals
Training ___
Accreditation, certification, licensing, or ___ activities
Fraud and abuse ___ and compliance programs
Conducting or arranging for medical ___
Business planning and ___
Quality
Safety
Development
Management
Qualifications
Programs
Credentialing
Detection
Review
Development
A clinic may ___ choose to obtain a patient’s consent, even when not required, to release PHI
Voluntarily
Patients have the right to request ___ on how your clinic uses and discloses their information
Restrictions
Patients have the right to request restrictions on how your clinic uses and discloses their information. You are not required to adhere to such requests, but you are ___ by any restrictions you agree to
Bound
Patients have the right to pay in ___ for their treatment and limit or restrict disclosures to their ___ company
Full
Insurance
RHCs may charge patients a ___ fee for copies of their record
Reasonable
RHCs MAY or MAY NOT withhold patient records if they have not paid for services rendered
May not
RHCs may not charge patients for accessing records. They can only charge for what?
For costs associated with making copies and supplies required to make the copies
Acceptable fees for record copies:
___ for copying the PHI (does not include the costs for retrieving the records)
Supplies for ___ (paper, ink, USB drive, or other paper or electronic medium supplies necessary to process the request)
Labor to prepare a ___ of explanation of PHI
___ when records are requested to be mailed
Labor
Copying
Summary
Postage
Acceptable labor charges for record copies:
___ PHI
Scanning paper PHI into ___ format
Converting electronic PHI from one format into the format ___ by the individual
Transferring electronic PHI to a ___ portal
Creating and executing a mailing or ___ of PHI
Photocopying
Electronic
Requested
Web
Emailing
Labor charges for record copies do NOT include ___ the request
Reviewing
Labor charges for record copies do NOT include searching for, retrieving, or otherwise ___ for processing the request
Preparing
Labor charges for record copies do NOT include information already electronically ___ through the RHC’s patient portal
Available
If the RHC chooses to charge for record copies, when must it inform the patient of this?
At the time of the request the patient must be informed that charges apply to record copies
What are the 3 manners to charge for record copies?
___ cost - the actual cost of labor and supplies
___ cost - in lieu of calculating actual costs, RHC may create a table of average labor and supply costs for similar record copy requests
___ fee - RHC may choose to charge a flat fee of $6.50 for record copies inclusive of all labor and supplies
Actual
Average
Flat
If the RHC chooses to charge for records, it must apply across ___ patients for similar record requests
All
Within the Security Rule, what are the 3 safeguards?
Administrative, physical, and technical
The Security Rule only applies to ___ PHI
Electronic
What are the 2 types of implementation specification in the Security Rule?
Required and addressable
Addressable does not mean ___
Optional
For implementation specifications, your clinic must assess whether or not the specification is ___ in your clinic
Reasonable
For implementation specifications, your clinic must assess whether or not the specification is reasonable in your clinic. If it is deemed to not be reasonable, you must implement an ___ process to achieve the goal and ___ the reasoning on why you have opted to not implement the specification
Alternate
Document
Administrative safeguards
___ implementation specifications
23
Physical safeguards
___ implementation specifications
10
Technical safeguards
___ implementation specifications
9
Your security program should include the following requirements:
Security risk ___
Creating a risk ___ plan
Creating ___ and procedures
Analysis
Management
Policies
How does your security program begin?
By conducting a risk analysis
Your security program will be built to protect against discovered or potential ___ and vulnerabilities
Threats
Security rule basis - the risk analysis
Identify ___ threats and vulnerabilities to your clinic
Create a risk management plan to mitigate identified or potential ___ and vulnerabilities
Adopt or create policies/procedures which address ___ issues
Realistic
Threats
Security
True or False
HIPAA requires an annual risk analysis
False; does not require an annual risk analysis
True or False
Your EMR does not conduct your risk analysis for you
True
True or False
There are many ways to conduct a risk analysis
False
HIPAA requires all clinics to send out periodic ___ ___
Security reminders
HIPAA requires you to train your employees on what?
YOUR security and privacy procedures - not just a HIPAA 101
Having policies in place is just a ___ of your HIPAA compliance obligation
Fraction
Why must your clinic develop a plan of implementation?
To ensure your clinic and staff are adhering to your policies and procedures
You should ___ your implementation efforts
Document
Train your staff on your policies and procedures. HIPAA ___ training is not sufficient to train your staff on how to protect the privacy and security of your patient information
Basic