Scenarios Flashcards
The privacy officer for a hospital has updated the Notice of Privacy Practices to reflect a material change because the previous notice did not have a description that individuals have the right to amend their Protected Health Information. This deficiency was noticed when a third party came to the hospital and did a walk-through to assess the organization’s current state of compliance with the HIPAA Privacy and Security Rules. The third party review team identified that the notice did not have the required information to let individuals know of their right to amend PHI. What is the BEST course of action that reflects the regulatory requirements within HIPAA of what the privacy officer should now do given that the notice has been corrected?
A. Make arrangements to have copies of the new NPP mailed to all patients seen within the last year at the hospital
B. Make arrangements to have the new notice distributed to new patients that come to the hospital
C. Post a copy of the new notice on the hospital’s internal intranet so that all employees can see the updated version of the notice
D. Meet with legal to discuss how to best self-disclose to the OCR that the hospital was in violation of the NPP requirements and has since corrected the deficiency
B. Make arrangements to have the new notice distributed to new patients that come to the hospital
The Smith family has two children attending State University (State U). Child 1 is 19 years old and Child 2 is 22 years old. Because of the income level of the Smith family and because both Child 1 and Child 2 are claimed as dependents on the federal tax return of Mr. and Mrs. Smith, both children were able to get grants to attend State U and live on campus. Child 1 is doing very well and often shares information about her grades and progress with her parents. Child 2 is not doing so well and rarely shares any information about her grades or progress with her parents. Mr. and Mrs. Smith are concerned and contact State U and ask for information about Child 2’s grades. Child 2’s parents do not have a consent from Child 2 to obtain information about Child 2’s grades. Which of the following is correct?
A. The school may release the grade information if it has consent from Child 1.
B. The school may release the grade information if it does not have consent from Child 1.
C. Both A and B
D. Neither A nor B
D. Neither A nor B
Child 1 and 2 are dependents for tax purposes; the school does not need consent from the children.
A workforce member is using Word 2016 to compile a list of patients and their PHI to send to a private insurance payer. The workforce member password protects the Word document and sends it using the CE’s email system. The CE’s email server has software that detects attachments and flags the outgoing software for review by IT. The IT person contacts the workforce member about the email and asks if any PHI included in the email or its attachment was sent in an encrypted manner. The workforce member shares that a password was used to save the document that contained PHI. The IT worker is required to report any outgoing emails that are sent when any associated PHI either in the body, subject, or attachments of the email are not encrypted. Will the IT worker need to report the incident?
A. Yes
B. No
B. No
because PHI in password protected document was encrypted.
A privacy official is asked to approve a transfer form that would have the patient’s SS# on the top of the page to read as “ABC12345679” to go with a patient from the privacy officer’s facility to another facility when a patient is transferred. The nursing leadership at the facility is insisting that they “have to have” the patient’s SS# when making transfer arrangements from one facility to another. The BEST course of action for the privacy officer to take is:
A. Ask the nursing leadership to update the policy on transfers to include that social security numbers must be included on transfer paperwork.
B. Have the appropriate forms updated/revised/edited so that they can now accommodate the social security numbers.
C. Confirm with nursing any regulations or other requirements that state social security numbers must be included on transfer forms
D. Contact the legal department.
C. Confirm with nursing any regulations or other requirements that state social security numbers must be included on transfer forms
When an investigator presents to a facility with a search warrant, the FIRST thing an employee should do is:
A. verify the credentials of the investigator.
B. request a copy of the search warrant.
C. call the compliance professional.
D. notify the Chairperson of the BOD
A- verify the credentials of the investigator.
Home health coverage criteria include the beneficiary must
A. have been hospitalized within the past 72 hours and under the care of a physician.
B. be currently enrolled in a Medicare managed care plan and have a condition needing skilled services.
C. require the services of a skilled nurse and not be able to leave place of residence.
D. be homebound, require skilled services and be under the care of a physician.
D- be homebound, require skilled services and be under the care of a physician.
Which of the following have been identified as high risk areas by the OIG: 1) duplicate billing; 2) 15 minute interval billing; 3) billing for medically unnecessary service; 4) pay and per visit reimbursement mechanism?
A. 1 and 3 only
B. 2 and 4 only
C. 2, 4, and 5 only
D. 2, 3, and 4 only
A- 1 and 3 only.
Organizations have the opportunity to reduce their culpability in accordance with the Federal Sentencing Guidelines by
A. establishing mandatory audits.
B. effectively dealing with any offense after it has occurred.
C. developing a code of conduct and educating senior management.
D. voluntarily disclosing overpayments
B. effectively dealing with any offense after it has occurred.
Compliance audits indicate a five-year trend of decreasing numbers of compliance issues. The compliance professional is considering whether the auditing program needs to be continued because there is also a robust monitoring program in place. Which of the following is the MOST compelling reason to continue the auditing program?
A. Audits are part of an effective compliance program.
B. Necessary compliance training cannot be identified without auditing.
C. It helps the Board of Directors understand the compliance program.
D. Staff cannot recognize compliance issues without auditing.
A- Audits are part of an effective compliance program.
A provider receives a request from the Social Security Administration for PHI relating to a person’s application for benefits. Which of the following is the correct method of release?
A. Since it is to a federal agency, an authorization from the patient is not needed, so PHI can be released.
B. The provider should review the PHI and make a decision on the minimum necessary and release.
C. The provider should notify the patient and obtain a signed authorization prior to release.
D. Release the information because the patient signed a consent for treatment.
C- The provider should notify the patient and obtain a signed authorization prior to release.
A hospital is newly acquired by a health plan whose Compliance Officer recently retired and is therefore in need of a Compliance Professional. What characteristics should the board look for in hiring a Compliance Professional?
A. Someone that possesses an MBA and/or JD
B. Someone that has managed a compliance program for 10+ years
C. Someone that has healthcare experience (i.e., RN, MD, etc.)
D. Someone that has strong interpersonal skills, good listener and is discreet
D. Someone that has strong interpersonal skills, good listener and is discreet
A patient has authorized that we disclose all of his health records relating to his recent treatment in our alcoholic rehabilitation center. We have received records from the patient’s previous encounters. Can we redisclose these records along with our records?
No. The patient should be referred back to the healthcare provider that originated the health records unless any part of the record was used in providing treatment or making a decision about the patient because then it becomes a part of the facility’s DRS.
A patient who has private insurance requests access to his records by submitting an Access to PHI form to the hospital and indicates he is requesting a hardcopy of all paperwork associated with his visit to the Emergency Department for chest pain on 1/1/19 be sent to his primary care physician (PCP). The records are sent on 1/10/19.
On 1/17/19, the patient has his appointment with the PCP who suggests that the patient visit a specialist, a cardiologist. On 1/24/19, the patient visits a cardiologist as suggested by the PCP. The patient informs the cardiologist that the patient is going to pay for all services out of pocket and requests that the cardiologist does not submit any PHI to his insurance plan. The cardiologist is agreeable so long as all services are paid in full at the time when the patient leaves the office. The patient asks if he can make three monthly payments to pay for services.
The cardiologist contacts YOU, the designated privacy official and asks if the HIPAA regulations prohibit the cardiologist from requiring that all services be paid in full at the time the patient leaves the office.
No
A hospital medical staff office is conducting its monthly review of the Excluded Parties List System (EPLS). The compliance officer is called by the manager of the medical staff office and informed that Dr. Smith, a surgeon who took call 5 times last month for the Emergency Department, was excluded on a date prior to those dates when the surgeon took call. In other words, the effective date of the exclusion involving the surgeon was 4/1/2019 and the surgeon took call and provided surgical services to patients in the ED on 4/13/19, 4/20/19, and 4/27/2019. What is the NEXT action the compliance officer should do?
a. Contact the ED and make sure that the involved surgeon is removed from taking any more on call shifts.
b. Have the medical office check if the surgeon is listed on other exclusion lists.
c. Contact legal counsel to alert of the need to pay back reimbursement received for services provided by an excluded individual.
d. Hold all surgical service related bills associated with the ED so that none are released to any payers which may involve this surgeon.
b. Have the medical office check if the surgeon is listed on other exclusion lists.