HIPAA Competency Test

1. Patients have a right to access their health information.

True

False

The Privacy Rule gives you, with few exceptions, the right to inspect, review, and receive a copy of your medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule.
Only you or your personal representative has the right to access your records.

Explanation

The Privacy Rule gives you, with few exceptions, the right to inspect, review, and receive a copy of your medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule.
Only you or your personal representative has the right to access your records.

2. Patients can request a copy of billing records associated with their care.

True

False

The Privacy Rule gives you, with few exceptions, the right to inspect, review, and receive a copy of your medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule.

Explanation

The Privacy Rule gives you, with few exceptions, the right to inspect, review, and receive a copy of your medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule.

3. Copies of patient information may be disposed of in any garbage can in the facility.

True

False

Covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. •For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.

Explanation

Covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. •For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.

4. Under the HIPAA Omnibus Rule, patients can ask for and receive copies of their medical records in an electronic form.

True

False

In the final Omnibus rule, Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.

Explanation

In the final Omnibus rule, Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.

5. What does PHI stand for?

Peoples Health Insurance

Probable Hospital Intake

Protected Health Information

Personal Home Information

PHI stands for Protected Health Information.

Explanation

PHI stands for Protected Health Information.

6. Patients who believe that their PHI has been compromised by the hospital have the right to make a complaint to the federal government.

True

False

If the patient feels their rights are being denied or the health information isn't being protected, they can file a complain with the provider and also with HHS, OCR division.

Explanation

If the patient feels their rights are being denied or the health information isn't being protected, they can file a complain with the provider and also with HHS, OCR division.

7. Under HIPAA, a patient has the following right:

To receive a Notice of Privacy Practices

To see or receive a copy of his/her protected health information (PHI).

To request that his/her PHI be corrected.

To ask for PHI to be sent to him/her at a different address or a different way.

To request limits on how his/her PHI is used and disclosed.

To receive a list of disclosures

All of the above.

Under HIPAA, patients have the following rights:
Notice of Privacy Practices.
Right to Access.
Right to Accounting of Disclosures.
Right to Amendment.
Right to Request Confidential Communications.
Right to Restrictions. Information on your right to restrict certain disclosures of your health information.
Right to Restrict Disclosure to Health Plan. Information on your right to request restrictions on disclosure of your health information when you paid for service out-of-pocket in full.
Right to Complain for Privacy Rights Violations.
Using and Disclosing Your Health Information.

Explanation

Under HIPAA, patients have the following rights:
Notice of Privacy Practices.
Right to Access.
Right to Accounting of Disclosures.
Right to Amendment.
Right to Request Confidential Communications.
Right to Restrictions. Information on your right to restrict certain disclosures of your health information.
Right to Restrict Disclosure to Health Plan. Information on your right to request restrictions on disclosure of your health information when you paid for service out-of-pocket in full.
Right to Complain for Privacy Rights Violations.
Using and Disclosing Your Health Information.

8. The criminal penalties for improperly disclosing patient health information can be as high as fines of $250,000 and prison sentences of up to 10 years.

True

False

Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

Explanation

Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

9. What kind of personally identifiable health information is protected by HIPAA privacy rule?

Paper

Electronic

Spoken word

All of the above

The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral.

Explanation

The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral.

10. A high profile case is happening in the area and you have been contacted by a news outlet for information regarding the medical records of one of the individuals involved. Since it's a well known media news outlet and you think it's important for the public to know about it, you process their request.

True

False

You are not allowed to release PHI without a signed HIPAA compliant authorization from the patient. Releasing the records without the proper authorization is grounds for immediate disciplinary action and may result in civil and criminal penalties.

Explanation

You are not allowed to release PHI without a signed HIPAA compliant authorization from the patient. Releasing the records without the proper authorization is grounds for immediate disciplinary action and may result in civil and criminal penalties.

11. PHI can be recorded on paper or verbally. The electronic documentation of PHI is not covered under the HIPAA rules.

True

False

The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information (PHI)2.

Explanation

The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information (PHI)2.

12. ________________ is defined as an impermissible disclosure of PHI that compromises the security or privacy of the patient.

Breach

Data dictionary

Notice of Privacy Practices

Disclosure

Definition of Breach. A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

Explanation

Definition of Breach. A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

13. When is the patient's written authorization to release information required?

A. In most cases, when patient information is going to be shared with anyone for reasons other than treatment, payment, or health care operations.

B. Upon admission to a hospital

C. When patient information is to be shared among two or more clinicians.

D. When patient information is used for billing a private insurer.

Three of the examples describe uses of information related to TPO (Treatment, Payment, Operations) and do not require a written authorization. For the most part, any other uses beyond TPO will need a written authorization.

Explanation

Three of the examples describe uses of information related to TPO (Treatment, Payment, Operations) and do not require a written authorization. For the most part, any other uses beyond TPO will need a written authorization.

14. Members of the workforce who are not involved in a patient's care are allowed to review the patient's chart out of curiosity.

True

False

Viewing a medical record for the sake of curiosity is not allowed under HIPAA. Only those healthcare providers involved in the patient’s care should review the record, as needed for that care.

Explanation

Viewing a medical record for the sake of curiosity is not allowed under HIPAA. Only those healthcare providers involved in the patient’s care should review the record, as needed for that care.

15. What does IIHI stand for?

Individually Identifiable Health Information

Individually Identified Homeowners Insurance

Important Insurance Hospitalization Information

Included Insurance Health Information

HIPAA defines “individually identifiable health information” as information that is a subset of health information, including demographic information collected from an individual, and:
1.Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2.Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
1.That identifies the individual; or
2.With respect to which there is reasonable basis to believe the information can be used to identify the individual.

Explanation

HIPAA defines “individually identifiable health information” as information that is a subset of health information, including demographic information collected from an individual, and:
1.Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2.Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
1.That identifies the individual; or
2.With respect to which there is reasonable basis to believe the information can be used to identify the individual.

16. A "valid" authorization must contain specific elements including:

A patient’s right to revoke

A re-disclosure statement

Signed and dated by the patient or representative

All of the above

Under HIPAA, an authorization must contain the following elements in order to be valid:
1) Authorization is written in plain language.
2) Authorization identifies the name of the patient whose PHI is being disclosed.
3) Authorization identifies the type of information to be disclosed.
4) Authorization identifies the names or classes of persons or types of healthcare providers authorized to make the disclosure.
5) Authorization identifies the names or classes of persons or types of healthcare providers authorized to whom the organization may make the disclosure.
6) Authorization identifies the purpose of the disclosure.
7) Authorization contains the signature of the patient or patient's authorized legal representative.
8) If signed by an authorized legal representative, the authorization identifies the relationship of that person to the patient.
9) Authorization includes the date on which the authorization is signed.
10) Authorization identifies the time period for which the authorization is effective and expiration date or event.
11) Authorization contains a statement informing the individual regarding the right to revoke the authorization in writing and a description how to do so.
12) Authorization contains a statement informing the individual about the organization's ability or inability to condition treatment, payment, enrollment or eligibility for benefits.
13) Authorization contains a statement informing the individual about the potential for information to be redisclosed and no longer protected by the federal privacy rule.
14) Authorization contains a statement that if an organization is seeking the authorization, a copy must be provided to the individual signing the authorization.
15) Authorization contains statement that the individual may inspect or copy the health information disclosed.

Explanation

Under HIPAA, an authorization must contain the following elements in order to be valid:
1) Authorization is written in plain language.
2) Authorization identifies the name of the patient whose PHI is being disclosed.
3) Authorization identifies the type of information to be disclosed.
4) Authorization identifies the names or classes of persons or types of healthcare providers authorized to make the disclosure.
5) Authorization identifies the names or classes of persons or types of healthcare providers authorized to whom the organization may make the disclosure.
6) Authorization identifies the purpose of the disclosure.
7) Authorization contains the signature of the patient or patient's authorized legal representative.
8) If signed by an authorized legal representative, the authorization identifies the relationship of that person to the patient.
9) Authorization includes the date on which the authorization is signed.
10) Authorization identifies the time period for which the authorization is effective and expiration date or event.
11) Authorization contains a statement informing the individual regarding the right to revoke the authorization in writing and a description how to do so.
12) Authorization contains a statement informing the individual about the organization's ability or inability to condition treatment, payment, enrollment or eligibility for benefits.
13) Authorization contains a statement informing the individual about the potential for information to be redisclosed and no longer protected by the federal privacy rule.
14) Authorization contains a statement that if an organization is seeking the authorization, a copy must be provided to the individual signing the authorization.
15) Authorization contains statement that the individual may inspect or copy the health information disclosed.

17. All of the following pieces of information are considered individually identifiable health information, EXCEPT:

Birth Date

Diagnosis

Name

Social Security Number

A subset of health information that identifies the individual or can reasonably be used to identify the individual; HIPAA protects individually identifiable health information. Common individual identifiers include name, address, and social security number, but may also include date of birth, Zip Code, or county location. If the information is not individually identifiable, such as healthcare research information that only identifies a particular population, not individuals, then it is not protected by HIPAA. In research, this can get complicated, and further inquiry should be made when seeking a determination on a small population. IIHI only becomes PHI when a covered entity creates, receives, or maintains the information.

Explanation

A subset of health information that identifies the individual or can reasonably be used to identify the individual; HIPAA protects individually identifiable health information. Common individual identifiers include name, address, and social security number, but may also include date of birth, Zip Code, or county location. If the information is not individually identifiable, such as healthcare research information that only identifies a particular population, not individuals, then it is not protected by HIPAA. In research, this can get complicated, and further inquiry should be made when seeking a determination on a small population. IIHI only becomes PHI when a covered entity creates, receives, or maintains the information.

18. If a person has the ability to access facility or company systems or applications, they have a right to view any information contained in that system or application.

True

False

The “need to know” rule states protected health information should only be used or disclosed as necessary to perform your job duties.

Explanation

The “need to know” rule states protected health information should only be used or disclosed as necessary to perform your job duties.

19. If a patient is deceased, a covered entity may disclose to a family member who was involved in the patient's care or payment for healthcare prior to the death, PHI of the deceased unless there is an expressed statement to the contrary.

True

False

The Privacy Rule permits a covered entity to disclose protected health information about a decedent to a family member, or other person who was involved in the individual’s health care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity. This may include disclosures to spouses, parents, children, domestic partners, other relatives, or friends of the decedent, provided the information disclosed is limited to that which is relevant to the person’s involvement in the decedent’s care or payment for care.

Explanation

The Privacy Rule permits a covered entity to disclose protected health information about a decedent to a family member, or other person who was involved in the individual’s health care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity. This may include disclosures to spouses, parents, children, domestic partners, other relatives, or friends of the decedent, provided the information disclosed is limited to that which is relevant to the person’s involvement in the decedent’s care or payment for care.

20. It would be appropriate to release patient information to:

The patient’s (non-attending) physician brother

Personnel from the hospital the patient transferred from 2 days ago checking on the patient

The respiratory therapy personnel doing an ordered procedure

A retired physician who is a friend of the family

The respiratory therapy personnel that are doing an ordered procedure is the only example that can receive and use patient information without written authorization because it is covered under TPO (treatment, payment, operations).

Explanation

The respiratory therapy personnel that are doing an ordered procedure is the only example that can receive and use patient information without written authorization because it is covered under TPO (treatment, payment, operations).

21. You have received a request from the mother of a 17 year-old married patient to release his medical records. The parents consented for the 17 year-old to marry and marriage is grounds for emancipation in the state. The mother wants the records to complete the personal health record she has compiled and wishes to give to her son. You:

Copy the records for the mom because when the patient was a child, the mom was listed as next of kin.

Copy the records because the age of majority in the state is 18.

Tell the mom that her son must sign the authorization now that he is an emancipated minor.

Tell the mom that her son’s wife must sign the authorization now that she is the next of kin.

The following patients are considered adults regardless of their age for purposes of consenting to medical care and access to their medical care records regardless of the type of care they receive:
◾Married individuals
Since this individual is considered an adult by marriage, he would need to request his own medical records.

Explanation

The following patients are considered adults regardless of their age for purposes of consenting to medical care and access to their medical care records regardless of the type of care they receive:
◾Married individuals
Since this individual is considered an adult by marriage, he would need to request his own medical records.

22. A covered entity must act upon a request for access to PHI no later than ______ days after receipt of the request, under normal circumstances.

15

30

14

45

In providing access to the individual, a covered entity must provide access to the PHI requested, in whole, or in part (if certain access may be denied as explained below), no later than 30 calendar days from receiving the individual’s request.

Explanation

In providing access to the individual, a covered entity must provide access to the PHI requested, in whole, or in part (if certain access may be denied as explained below), no later than 30 calendar days from receiving the individual’s request.

23. Which of the following if the appropriate person with whom to share patient information even if the patient has NOT specifically authorized the release of information to the individual?

A former physician of the patient who is concerned about the patient

A colleague who needs information about the patient to provide proper care

A friend of the patient

A pharmaceutical salesman who is offering a fee for a list of patients to who he could send a free sample of his product.

The only example that falls under TPO (Treatment, Payment, Operations) is when a colleague needs information about the patient to provide proper care. All other examples need a written authorization to release information.

Explanation

The only example that falls under TPO (Treatment, Payment, Operations) is when a colleague needs information about the patient to provide proper care. All other examples need a written authorization to release information.

24. Consents and Authorizations are the same?

True

False

Consents are used to get the patient’s permission to use or disclose health information for treatment, payment, or business operations. Authorizations are used to obtain permission to disclose PHI for activities outside the realm of treatment, payment, or operations.

Explanation

Consents are used to get the patient’s permission to use or disclose health information for treatment, payment, or business operations. Authorizations are used to obtain permission to disclose PHI for activities outside the realm of treatment, payment, or operations.

25. What does the HIPAA acronym stand for?

Health Identification Privacy and Affordability Act

Health Information Portability and Affordability Act

Health Information Privacy and Accountability Act

Health Insurance Portability and Accountability Act

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Explanation

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

26. Can a provider in your organization use the database to access the medical record of a patient who was seen by another provider in the organization?

No, he/she must create a new record for the patient based on his/her personal interactions with the patient.

No, he/she must obtain written consent from the patient.

Yes, as long as he/she will be treating that patient or the provider is assisting another provider with the coordination of the patient’s care.

Yes, he/she can access any information available in the database.

A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities.19 A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship.

Explanation

A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities.19 A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship.

27. For PHI disclosures in which there is personal gain, or for malicious purposes, federal penalties can include up to _________ year(s) in prison.

5

1

15

10

Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

Explanation

Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

28. What does "minimum necessary" mean?

I am only expected to complete the minimum requirements of my job.

A workforce member’s access to PHI is limited to only what is needed to perform his/her responsibilities.

Requests for and disclosures of PHI are limited to what is needed to perform the task.

A medical center is no longer allowed to provide information about patients to the media under any circumstances.

B and C

The HIPAA Privacy Rule states the Minimum Necessary Standard applies when using or disclosing protected health information (PHI), or when requesting PHI from others, a covered entity must take reasonable steps to limit uses and disclosures of PHI to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."

Explanation

The HIPAA Privacy Rule states the Minimum Necessary Standard applies when using or disclosing protected health information (PHI), or when requesting PHI from others, a covered entity must take reasonable steps to limit uses and disclosures of PHI to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."

29. Which of the following scenarios is considered an incidental disclosure?

A member of the housekeeping staff overhears two physicians discussing a case in the break room

A nurse practitioner leaves a laptop containing protected health information on the subway

A nurse tells a 10-year-old patient’s parents the details of their child’s case

A physician tells his or her spouse that he saw their neighbor in the hospital

An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule.

Explanation

An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule.

30. A step-parent has sent in a request for her stepchild's medical records. Because she is married to the parent and the parent has joint custody, she is allowed access to the records.

True

False

Unless the step-parent is a legal guardian and the provider has the guardianship papers on file, or a legal guardian has provided authorization. Step-parents may call to schedule appointments, but do not have access to their stepchildren’s PHI without authorization by a legal guardian.

Explanation

Unless the step-parent is a legal guardian and the provider has the guardianship papers on file, or a legal guardian has provided authorization. Step-parents may call to schedule appointments, but do not have access to their stepchildren’s PHI without authorization by a legal guardian.

31. Signed authorizations for release of information are considered invalid if there is no expiration date.

True

False

The Privacy Rule requires that an Authorization contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. For example, an Authorization may expire "one year from the date the Authorization is signed," "upon the minor’s age of majority," or "upon termination of enrollment in the health plan."

Explanation

The Privacy Rule requires that an Authorization contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. For example, an Authorization may expire "one year from the date the Authorization is signed," "upon the minor’s age of majority," or "upon termination of enrollment in the health plan."

32. When patients pay for their healthcare bills "out of their own pocket", they can have information kept private from their health insurance plan.

True

False

The Omnibus rule states that when individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.

Explanation

The Omnibus rule states that when individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.

33. Which division of The Department of Health and Human Services (HHS) is responsible for administering and enforcing HIPAA privacy and security standards?

Centers of Medicare and Medicaid Services (CMS)

Office of Civil Rights (OCR)

Office of Inspector General (OIG)

Office of the National Coordinator for Health Information Technology (ONC)

The Office for Civil Rights (OCR) ensures equal access to certain health and human services and protects the privacy and security of health information.

Explanation

The Office for Civil Rights (OCR) ensures equal access to certain health and human services and protects the privacy and security of health information.

34. A request from a law office comes in with a subpoena attached. It does not have a patient's authorization. The subpoena is signed by the lawyer. It is okay to release records.

True

False

A subpoena issued by someone other than a judge, such as a court clerk or an attorney in a case, is different from a court order.

A HIPAA-covered provider or plan may disclose information to a party issuing a subpoena only if the notification requirements of the Privacy Rule are met. Before responding to the subpoena, the provider or plan should receive evidence that there were reasonable efforts to:
•Notify the person who is the subject of the information about the request, so the person has a chance to object to the disclosure, or
•Seek a qualified protective order for the information from the court.

Explanation

A subpoena issued by someone other than a judge, such as a court clerk or an attorney in a case, is different from a court order.

A HIPAA-covered provider or plan may disclose information to a party issuing a subpoena only if the notification requirements of the Privacy Rule are met. Before responding to the subpoena, the provider or plan should receive evidence that there were reasonable efforts to:
•Notify the person who is the subject of the information about the request, so the person has a chance to object to the disclosure, or
•Seek a qualified protective order for the information from the court.

35. A breach is treated as discovered:

The moment that the breach occurs.

On the first day the breach is known to the covered entity, or in the exercise of reasonable diligence, it should have been known to the covered entity.

The moment the patient discovers the breach.

After the organization has notified all parties of the breach.

A breach is treated as discovered:
On first day the breach is known to the covered entity, or
In the exercise of reasonable diligence, it should have been known to the covered entity.
Notification time period for a breach begins when the organization did or should have known it existed

Explanation

A breach is treated as discovered:
On first day the breach is known to the covered entity, or
In the exercise of reasonable diligence, it should have been known to the covered entity.
Notification time period for a breach begins when the organization did or should have known it existed

36. A covered entity must obtain an individual's written authorization for use or disclosure of protected health information in which of the following scenarios?

A coder must review a patient’s chart to code a recent hospital stay.

A consulting physician needs to access a patient’s record to inform his/her opinion.

A hospital administrator needs to access patient data to create a report about how many patients were treated for diabetes in the last six months.

None of the above

All of these examples fall under the category of TPO (Treatment, Payment, Operations) and would not require written authorization.

Explanation

All of these examples fall under the category of TPO (Treatment, Payment, Operations) and would not require written authorization.

37. Which of the following would be considered a Business Associate?

Healthcare provider

Government agency

Quest Records

Covered Entity

As defined by the Health Information Portability and Accountability Act (HIPAA), a business associate is any organization or person working in association with or providing services to a covered entity who handles or discloses Personal Health Information (PHI) or Personal Health Records (PHR).

Explanation

As defined by the Health Information Portability and Accountability Act (HIPAA), a business associate is any organization or person working in association with or providing services to a covered entity who handles or discloses Personal Health Information (PHI) or Personal Health Records (PHR).

38. A non-custodial parent requests a copy of their child's medical record. The parent provides documentation that she is indeed the child's parent. The non-custodial parent has a right to access the medical record in Missouri.

True

False

Check your current state guidelines. According to Missouri:
Unless a parent has been denied custody rights pursuant to this section or visitation rights under section 452.400, both parents shall have access to records and information pertaining to a minor child, including, but not limited to, medical, dental, and school records. If the parent without custody has been granted restricted or supervised visitation because the court has found that the parent with custody or the child has been the victim of domestic violence, as defined in section 455.200, RSMo, by the parent without custody, the court may order that the reports and records made available pursuant to this subsection not include the address of the parent with custody or the child. Unless a parent has been denied custody rights pursuant to this section or visitation rights under section 452.400, any judgment of dissolution or other applicable court order shall specifically allow both parents access to such records and reports.

Explanation

Check your current state guidelines. According to Missouri:
Unless a parent has been denied custody rights pursuant to this section or visitation rights under section 452.400, both parents shall have access to records and information pertaining to a minor child, including, but not limited to, medical, dental, and school records. If the parent without custody has been granted restricted or supervised visitation because the court has found that the parent with custody or the child has been the victim of domestic violence, as defined in section 455.200, RSMo, by the parent without custody, the court may order that the reports and records made available pursuant to this subsection not include the address of the parent with custody or the child. Unless a parent has been denied custody rights pursuant to this section or visitation rights under section 452.400, any judgment of dissolution or other applicable court order shall specifically allow both parents access to such records and reports.

39. A 16-year old patient in Missouri was tested for a sexually transmitted disease. Her tests came back negative. The mother of the patient has requested a copy of these records. You are allowed to release those records to the mother.

True

False

Please always check individual state guidelines!
Missouri law permits, but does not require, healthcare providers to inform a parent or guardian if their minor child has been
diagnosed with or treated for pregnancy, STD, or drug or alcohol abuse. Such disclosure should only be made when doing so is consistent with the confidentiality policies of the practice setting and with professional ethical guidelines, and when it is in the minor’s best interest. The law does not permit healthcare providers to disclose any information if the minor patient is found not to be pregnant, afflicted with an STD, or suffering from drug or alcohol abuse.

Explanation

Please always check individual state guidelines!
Missouri law permits, but does not require, healthcare providers to inform a parent or guardian if their minor child has been
diagnosed with or treated for pregnancy, STD, or drug or alcohol abuse. Such disclosure should only be made when doing so is consistent with the confidentiality policies of the practice setting and with professional ethical guidelines, and when it is in the minor’s best interest. The law does not permit healthcare providers to disclose any information if the minor patient is found not to be pregnant, afflicted with an STD, or suffering from drug or alcohol abuse.

40. The Notice of Privacy Practices:

Explains how the medical center will use or disclose patients’ protected health information.

Is a list of private physicians who practice at the medical center.

Describes how the medical center will protect the privacy of employee records.

All of the above.

The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information.

Explanation

The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information.

41. Accounting of Disclosures Does Not Include Disclosures For:

Short term disability claims

Patient requests

Attorney requests

Treatment, Payment, or health care operations

Accounting of Disclosures Does Not Include Disclosures For:
Treatment (to persons involved in the individual’s care), payment or health care operations.
Individual subject of PHI.
Incident to an otherwise permitted disclosure.
Disclosure based on individual’s signed authorization.
For facility directory.
For national security or intelligence purposes.
To correctional facilities or law enforcement on behalf of inmates.
As part of a limited data set (see 45 CFR s. 164.514).

Explanation

Accounting of Disclosures Does Not Include Disclosures For:
Treatment (to persons involved in the individual’s care), payment or health care operations.
Individual subject of PHI.
Incident to an otherwise permitted disclosure.
Disclosure based on individual’s signed authorization.
For facility directory.
For national security or intelligence purposes.
To correctional facilities or law enforcement on behalf of inmates.
As part of a limited data set (see 45 CFR s. 164.514).

42. The daughter of a patient had requested records and she provides a Limited Financial Power of Attorney for documentation. This is sufficient to process the request.

True

False

An individual that has been given a health care power of attorney will have the right to access the medical records of the individual related to such representation to the extent permitted by the HIPAA Privacy Rule at 45 CFR 164.524.

Explanation

An individual that has been given a health care power of attorney will have the right to access the medical records of the individual related to such representation to the extent permitted by the HIPAA Privacy Rule at 45 CFR 164.524.

43. A patient is deceased. A friend of the family has requested records. What type of documentation is needed in order to comply with the request?

A letter from the family that it is okay to release records.

A Power of Attorney listing the friend as Power of Attorney.

Death Certificate listing the friend as the informant.

Executor/Administrator of the Estate paper listing the friend as the Exector/Administrator.

Either a OR b

Either c OR d

The HIPAA Privacy Rule recognizes that a deceased individual’s protected health information may be relevant to a family member’s health care. The Rule provides two ways for a surviving family member to obtain the protected health information of a deceased relative.

First, disclosures of protected health information for treatment purposes—even the treatment of another individual—do not require an authorization; thus, a covered entity may disclose a decedent’s protected health information, without authorization, to the health care provider who is treating the surviving relative.

Second, a covered entity must treat a deceased individual’s legally authorized executor or administrator, or a person who is otherwise legally authorized to act on the behalf of the deceased individual or his estate, as a personal representative with respect to protected health information relevant to such representation.

Explanation

The HIPAA Privacy Rule recognizes that a deceased individual’s protected health information may be relevant to a family member’s health care. The Rule provides two ways for a surviving family member to obtain the protected health information of a deceased relative.

First, disclosures of protected health information for treatment purposes—even the treatment of another individual—do not require an authorization; thus, a covered entity may disclose a decedent’s protected health information, without authorization, to the health care provider who is treating the surviving relative.

Second, a covered entity must treat a deceased individual’s legally authorized executor or administrator, or a person who is otherwise legally authorized to act on the behalf of the deceased individual or his estate, as a personal representative with respect to protected health information relevant to such representation.

44. If a breach of PHI involves more than _______ patient(s), a press release must be issued to the major media informing the public of the breach.

100

500

1

250

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.

Explanation

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.

45. Using PHI for patient registration or coding purposes would fall under which portion of the allowed purposes for release of PHI?

Operations

Payment

Treatment

Administration

•“Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.

Explanation

•“Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.

46. Any healthcare provider, regardless of size, is considered a covered entity under the HIPAA Privacy Rule, so long as the provider:

Demonstrates meaningful use of electronic health records (EHR)

Electronically transmits health information in connection with certain transactions

Handles health information in any way

Receives reimbursement from a government health program

This includes providers such as:
•Doctors
•Clinics
•Psychologists
•Dentists
•Chiropractors
•Nursing Homes
•Pharmacies

...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

Explanation

This includes providers such as:
•Doctors
•Clinics
•Psychologists
•Dentists
•Chiropractors
•Nursing Homes
•Pharmacies

...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

47. You receive a request from a worker's compensation carrier requesting records relating to the injured body part. It does not contain a signed authorization for the patient. You reject the request because it is lacking an authorization.

True

False

Disclosures Without Individual Authorization. The Privacy Rule permits covered entities to disclose protected health information to workers’ compensation insurers, State administrators, employers, and other persons or entities involved in workers’ compensation systems, without the individual’s authorization:
•As authorized by and to the extent necessary to comply with laws relating to workers’ compensation or similar programs established by law that provide benefits for work-related injuries or illness without regard to fault. This includes programs established by the Black Lung Benefits Act, the Federal Employees’ Compensation Act, the Longshore and Harbor Workers’ Compensation Act, and the Energy Employees’ Occupational Illness Compensation Program Act. See 45 CFR 164.512(l).
•To the extent the disclosure is required by State or other law. The disclosure must comply with and be limited to what the law requires. See 45 CFR 164.512(a).
•For purposes of obtaining payment for any health care provided to the injured or ill worker. See 45 CFR 164.502(a)(1)(ii) and the definition of “payment” at 45 CFR 164.501.

Explanation

Disclosures Without Individual Authorization. The Privacy Rule permits covered entities to disclose protected health information to workers’ compensation insurers, State administrators, employers, and other persons or entities involved in workers’ compensation systems, without the individual’s authorization:
•As authorized by and to the extent necessary to comply with laws relating to workers’ compensation or similar programs established by law that provide benefits for work-related injuries or illness without regard to fault. This includes programs established by the Black Lung Benefits Act, the Federal Employees’ Compensation Act, the Longshore and Harbor Workers’ Compensation Act, and the Energy Employees’ Occupational Illness Compensation Program Act. See 45 CFR 164.512(l).
•To the extent the disclosure is required by State or other law. The disclosure must comply with and be limited to what the law requires. See 45 CFR 164.512(a).
•For purposes of obtaining payment for any health care provided to the injured or ill worker. See 45 CFR 164.502(a)(1)(ii) and the definition of “payment” at 45 CFR 164.501.

48. A patient can request an accounting of disclosures as far back as _____ years before the time of the request.

1

3

6

10

Individual may request accounting of disclosures as far back as six years before the time of the request.

Explanation

Individual may request accounting of disclosures as far back as six years before the time of the request.

49. Under HIPAA, a patient has the right to request an amendment to his/her medical record, and the hospital has a duty to comply.

True

False

Under HIPAA, the patient has a right to request an amendment to the medical record, but the hospital doesn't have to comply. They have an obligation to review the request for amendment and consider it but are under no obligation to comply.

Explanation

Under HIPAA, the patient has a right to request an amendment to the medical record, but the hospital doesn't have to comply. They have an obligation to review the request for amendment and consider it but are under no obligation to comply.

50. The monetary penalties for improperly disclosing patient health information can be as high as:

$125,000

$250,000

$500,000

$1,500,000

The monetary penalties for violating HIPAA are broken into a tier system as follows:
1. Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation.
$100-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

2. The HIPAA violation had a reasonable cause and was not due to willful neglect.
$1,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

3. The HIPAA violation was due to willful neglect but the violation was corrected within the required time period.
$10,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

4. The HIPAA violation was due to willful neglect and was not corrected.
$50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

Explanation

The monetary penalties for violating HIPAA are broken into a tier system as follows:
1. Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation.
$100-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

2. The HIPAA violation had a reasonable cause and was not due to willful neglect.
$1,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

3. The HIPAA violation was due to willful neglect but the violation was corrected within the required time period.
$10,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

4. The HIPAA violation was due to willful neglect and was not corrected.
$50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year