Trivia Quiz Questions: Can You Pass This HIPAA Exam?

Patients not only have a right to request access to their PHI, but they also have a right to request that it be amended if they feel the information is somehow inaccurate or incomplete. A covered entity is not required to agree to the request if it determines the information is accurate and complete; however, it is required to give patients an opportunity to request the amendment.

Under HIPAA, a covered entity is responsible to maintain all PHI and to ensure that it is only utilized for purposes permitted under the Privacy Rule. Patient information does not belong to individual members of a covered entity’s workforce, and providers may not use PHI as they please simply because they created it.

HIPAA allows covered entities to disclose PHI to a relative, friend or other person if the patient is physically present at the time and they do not object to the disclosure.

All of the information cited in A-C could be used to identify a patient. Under HIPAA, individually identifiable information includes any information that actually identifies the patient, such as a name, or any information about which there is a “reasonable basis” to believe that the information can be used to identify the individual.

There are many times when a personal representative may act on behalf of a patient and HIPAA grants equal rights of access, amendment, etc. to these types of representatives in most cases.

Even if you may not technically be under a “legal” obligation to protect confidential information about a patient, everyone in the healthcare industry has an ethical obligation to protect the confidentiality of information learned about patients.

The only scenario that presents a legitimate “treatment-related” disclosure is the situation where the EMT is relaying the condition of the patient to the ER. All of the other choices present situations where an individual was sharing healthcare information about a patient where it was not necessary for the treatment of the patient.

The HIPAA Security Rule requires covered entities to implement three main types of safeguards to protect electronic protected health information (e-PHI). They are: physical, technical, and administrative safeguards.

HIPAA permits covered entities to share PHI with law enforcement whenever “required by law.” State laws require that you produce information pursuant to a valid subpoena, summons, or warrant, so HIPAA permits disclosure of PHI pursuant to these types of the legal processes.

You may always follow up by sending a copy of your organization’s NPP to the patient after the transport. However, HIPAA does state that in non-emergency situations you should provide the notice to the patient no later than the date of the first service delivery.

“None of the above” is the correct answer here. First of all, HIPAA does not permit the posting of PHI on any website without the patient’s express authorization. Secondly, even if you think you are not posting PHI (since you do not post any names or other identifying information), pictures and other information may nevertheless reasonably identify the patient. Finally, even if the information is not PHI, posting information on the Internet about patient-related incidents is unprofessional and may also violate your agency’s policies and state regulations.

If you are relaying information to a receiving facility for the purpose of treatment, HIPAA permits you to use any means necessary to convey that information.

When in doubt about any HIPAA disclosure, you should contact your HIPAA Compliance Officer regarding the disclosure. If time does not permit, you should err on the side of not disclosing the protected health information and refer the law enforcement officer to the patient or their representative, as appropriate.

HIPAA prohibits the release of any PHI to the media absent written patient authorization. You may not even disclose PHI to confirm what a reporter may claim are “facts” about an incident.

Only healthcare providers who meet the definition of a “covered entity” under HIPAA are required to have a HIPAA Compliance Officer or Privacy Officer in place. It has nothing to do with the size of the organization or whether or not the organization uses electronic health records. Healthcare providers are generally going to be “covered entities” if they (or their billing company) submit claims electronically to Medicare or other insurers.

Because the EMS providers are involved in the treatment when they conduct an interfacility transport, they have a right to view any information that would aid in the treatment of the patient.

You may freely share PHI with other EMS providers who are providing care on scene when it is related to providing treatment to your patients. It does not matter whether or not the other organization has any other relationship to your organization.

Billing personnel are permitted under HIPAA to share patient information with patients if they request it. One of the fundamental rights under HIPAA is the right of the patient to have access to his/her own protected health information (PHI).

Clearly, C is the best answer because it is the only choice that evidences that the HIPAA covered entity took affirmative steps to ensure that only the minimum amount of PHI necessary to accomplish the intended purpose, here healthcare operations, was utilized. All of the other choices involve scenarios where the individuals clearly divulged more PHI than was necessary to accomplish the purpose of the disclosure.

All of the courses of action would be appropriate here except for C. You should never tell patients that they have an absolute duty to disclose their protected health information to law enforcement. However, HIPAA does permit you to disclose PHI if the patient consents to the disclosure, and it also freely allows the patient to speak directly with law enforcement and disclose as much PHI as they wish.

You should report any incidents where you even suspect that there has been an improper use or disclosure of PHI. Ultimately, it is up to the organization to decide whether or not a breach incident has occurred. But the organization must be made aware of any suspected or questionable HIPAA violations.

This statement is false because HIPAA permits what are called “incidental disclosures.” This is, if you need to make a disclosure of PHI for an otherwise permissible purpose (such as treatment), you do not have to take drastic measures to ensure that no one else can hear the disclosure. Sometimes a patient will overhear PHI about another patient who is close by, and HIPAA recognizes this by allowing for “incidental disclosures.”

HIPAA requires that covered entities furnish a copy of its NPP the first time that the organization treats the patient and whenever the organization revises its privacy notice. This is so individuals are aware of new rights and new ways that your organization may use or disclose their PHI.

A patient has a right to review their protected health information gathered by your organization by making a request to do so, and in accordance with the organization’s policies on receiving patient requests. Answer B is incorrect because the patient does not have the right to review the patient care report before it is submitted by you to the hospital.

HIPAA allows covered entities and their business associates to utilize PHI for “payment” purposes – without the express permission of the patient - and this includes the submission of claims for reimbursement.