1. The HHS published a final Privacy Rule in

INTRODUCTION
The HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule sets national standards for the protection of individually identifiable health information by three types of covered entities: health plans, healthcare clearinghouses, and healthcare providers who conduct standard healthcare transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (or April 14, 2004, for small health plans) [1].

2. Compliance with the Security Rule was required as of

3. According to the Privacy Rule, as well as all the Administrative Simplification rules, a covered entity is a
HIPAA PRIVACY RULE
As noted, the Privacy Rule, as well as all the Administrative Simplification Rules, apply to health plans, healthcare clearinghouses, and to any healthcare provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA [3]. These groups are referred to collectively as covered entities.

4. Which of the following insurance entities is considered a health plan?

HIPAA PRIVACY RULE
Individual and group plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. There are exceptions: a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity. Two types of government-funded programs are not health plans: those whose principal purpose is not providing or paying the cost of health care (e.g., the food stamps program), and those programs whose principal activity is directly providing health care (e.g., a community health center) or the making of grants to fund the direct provision of health care. Certain types of insurance entities are also not health plans, including entities providing only workers' compensation, automobile insurance, or property and casualty insurance. If an insurance entity has separable lines of business, one of which is a health plan, the HIPAA regulations apply to the entity with respect to the health plan line of business [3].

5. Which of the following is NOT generally considered individually identifiable health information?
HIPAA PRIVACY RULE
Individually identifiable health information is defined as information, including demographic data, that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual and relates to the [3]:
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

6. The minimum necessary standard does not apply to
HIPAA PRIVACY RULE
The Privacy Rule generally requires covered entities to take reasonable steps to limit the use of, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to [11]:

7. Which of the following statements regarding PHI uses and disclosures is TRUE?
HIPAA PRIVACY RULE
A covered entity may use and disclose PHI for its own treatment, payment, and healthcare operations activities. A covered entity also may disclose PHI for the treatment activities of any healthcare provider, the payment activities of another covered entity and of any healthcare provider, or the healthcare operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the PHI pertains to the relationship [3]. For the purposes of the Privacy Rule, treatment is defined as the provision, coordination, or management of health care and related services for an individual by one or more healthcare providers, including consultation between providers regarding a patient and referral of a patient by one provider to another. Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a healthcare provider to obtain payment or be reimbursed for the provision of health care to an individual [3]. Healthcare operations are any of the following activities [3]:
Most uses and disclosures of psychotherapy notes for treatment, payment, and healthcare operations purposes require an authorization. Obtaining consent (written permission from individuals to use and disclose their PHI for treatment, payment, and healthcare operations) is optional under the Privacy Rule for all covered entities. The content of a consent form, and the process for obtaining consent, are at the discretion of the covered entity electing to seek consent [3].

8. In each of the following cases, covered entities may disclose PHI to law enforcement officials, EXCEPT:
HIPAA PRIVACY RULE
Covered entities may disclose PHI to law enforcement officials for law enforcement purposes under the following circumstances, and subject to specified conditions [3]:

9. Which of the following statements regarding authorizations for PHI release is FALSE?
HIPAA PRIVACY RULE
A covered entity must obtain the individual's written authorization for any use or disclosure of PHI that is not for treatment, payment, or healthcare operations or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances [3]. Covered entities must establish and implement policies and procedures (which may be standard protocols) for routine, recurring disclosures or requests for disclosures that limit the PHI disclosed to the minimum amount reasonably necessary to achieve the purpose of the disclosure. Individual review of each disclosure is not required. For non-routine, non-recurring disclosures or requests for disclosures that it makes, a covered entity must develop criteria designed to limit disclosures to the information reasonably necessary to accomplish the purpose of the disclosure and review each of these requests individually in accordance with the established criteria. An authorization must be written in specific terms. It may allow use and disclosure of PHI by the covered entity seeking the authorization or by a third party. Examples of disclosures that would require an individual's authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for its own marketing purposes [3]. All authorizations must be in plain language and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, the right to revoke in writing, and other data [3].

10. A covered healthcare provider with a direct treatment relationship with individuals must have delivered a privacy practices notice to patients

HIPAA PRIVACY RULE
A covered healthcare provider with a direct treatment relationship with individuals must have delivered a privacy practices notice to patients [3]:

11. Which of the following PHI examples is excepted from the patient's right of access?
HIPAA PRIVACY RULE
Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI in a covered entity's designated record set. The designated record set is that group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about individuals, or that is a provider's medical and billing records about individuals or a health plan's enrollment, payment, claims adjudication, and case or medical management record systems. The Rule excepts from the right of access the following PHI:

12. The maximum disclosure accounting period is

HIPAA PRIVACY RULE
Individuals have a right to an accounting of the disclosures of their PHI by a covered entity or the covered entity's business associates. The maximum disclosure accounting period is the six years immediately preceding the accounting request, except a covered entity is not obligated to account for any disclosure made before its Privacy Rule compliance date.

13. A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. Which of the following is considered a workforce member?

HIPAA PRIVACY RULE
A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. Workforce members include employees, volunteers, trainees, and other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule [3].

14. In accordance with the Security Rule, covered entities must
HIPAA SECURITY RULE
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must [5]:

15. When a covered entity is deciding which security measures to use, the Rule requires the entity to consider all of the following, EXCEPT:

HIPAA SECURITY RULE
When a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider [5]:

16. The Security Rule stipulates that risk assessment

HIPAA SECURITY RULE
The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule [5]. A risk analysis process includes, but is not limited to, the following [5]:
Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly re-evaluates potential risks to e-PHI [5].

17. Following a breach of unsecured PHI, covered entities must provide notification of the breach to

HIPAA SECURITY RULE
Following a breach of unsecured PHI, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.

18. What group is responsible for enforcing the Privacy and Security Rules?
HIPAA ENFORCEMENT
The OCR is responsible for enforcing the Privacy and Security Rules. It does so through an established complaint resolution process. The OCR enforces the Privacy and Security Rules by [8]:

19. Before a penalty is imposed, the covered entity will be notified and provided with an opportunity to provide written evidence of circumstances that would reduce or bar a penalty. This evidence must be submitted within

HIPAA ENFORCEMENT
Before the OCR imposes a penalty, it will notify the covered entity and provide the covered entity with an opportunity to provide written evidence of those circumstances that would reduce or bar a penalty. This evidence must be submitted to the OCR within 30 days of receipt of the notice. In addition, if the OCR states that it intends to impose a penalty, a covered entity has the right to request an administrative hearing to appeal the proposed penalty [3].

20. Preemption of a state law that is contrary to HIPAA will not occur if the HHS determines, in response to a request from a state or other entity or person, that the state law is necessary to

STATE LAWS
In addition, preemption of a contrary state law will not occur if the HHS determines, in response to a request from a state or other entity or person, that the state law [3]:
What information is not covered by the HIPAA Security Rule?
Messages left on answering machines, video conference recordings, and paper-to-paper faxes, for example, are not considered ePHI and do not fall under the requirements of the Security Rule.

What does the HIPAA Security Rule require?
The HIPAA Security Rule requires covered entities (CEs) to ensure the integrity and confidentiality of information, to protect against any reasonably anticipated threats or risks to the security and integrity of information, and to protect against unauthorized uses or disclosures of information.

Which factors determine the details of implementing the HIPAA Security Rule?
The Security Rule does not dictate specific measures; a covered entity must consider its size, complexity, and capabilities; its technical hardware and software infrastructure; the costs of security measures; and the likelihood and possible impact of the potential risk to ePHI.

Who is regulated by the HIPAA Privacy Rule?
The HIPAA Privacy Rule applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically.