STS HIPAA/Omnibus Training Quiz

1. What does the acronym PHI mean?

The correct answer is "Protected Health Information" (PHI) which refers to any individually identifiable health information that is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse. This includes information about a person's past, present, or future physical or mental health, as well as any healthcare services provided to them. The term "protected health information" is typically used in the context of privacy and security regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), which aim to protect the confidentiality and integrity of individuals' health information.

Explanation

The correct answer is "Protected Health Information" (PHI) which refers to any individually identifiable health information that is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse. This includes information about a person's past, present, or future physical or mental health, as well as any healthcare services provided to them. The term "protected health information" is typically used in the context of privacy and security regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), which aim to protect the confidentiality and integrity of individuals' health information.

Submit

2. Within the context, HHS refers to The U.S. Department of Health and Human Services.

True

False

The given statement is true because within the context provided, HHS is indeed referring to The U.S. Department of Health and Human Services.

Explanation

The given statement is true because within the context provided, HHS is indeed referring to The U.S. Department of Health and Human Services.

3. PHI is any identifiable information which relates to an individual's past, present, or future physical health or condition for which there is a reasonable cause to believe it can be used to identify that individual.

True

False

The given statement is true. PHI stands for Protected Health Information and refers to any identifiable information related to an individual's physical health or condition. This information can include medical records, test results, diagnoses, treatments, and any other health-related data. The statement correctly states that PHI can be used to identify an individual, and therefore, it is important to protect this information to ensure privacy and confidentiality.

Explanation

The given statement is true. PHI stands for Protected Health Information and refers to any identifiable information related to an individual's physical health or condition. This information can include medical records, test results, diagnoses, treatments, and any other health-related data. The statement correctly states that PHI can be used to identify an individual, and therefore, it is important to protect this information to ensure privacy and confidentiality.

4. What does the acronym "HIPAA" stand for?

The correct answer is "Health Insurance Portability and Accountability Act." HIPAA stands for Health Insurance Portability and Accountability Act. This act was passed by the US Congress in 1996 and is designed to protect the privacy and security of individuals' health information. It sets standards for the electronic exchange, privacy, and security of health information. The act also includes provisions for the portability of health insurance coverage for individuals who change or lose their jobs.

Explanation

The correct answer is "Health Insurance Portability and Accountability Act." HIPAA stands for Health Insurance Portability and Accountability Act. This act was passed by the US Congress in 1996 and is designed to protect the privacy and security of individuals' health information. It sets standards for the electronic exchange, privacy, and security of health information. The act also includes provisions for the portability of health insurance coverage for individuals who change or lose their jobs.

Submit

5. It is okay to share PHI with trauma docs as long as the information is verbalized and does not leave a record.

True

False

Sharing PHI (Protected Health Information) with trauma docs, even if it is verbalized and not recorded, is not okay. PHI should only be shared with authorized individuals who have a legitimate need to know, and it should be done through secure and appropriate channels to ensure patient privacy and confidentiality. Verbalizing PHI without proper authorization and documentation can still lead to breaches of patient privacy and is not in compliance with HIPAA regulations.

Explanation

Sharing PHI (Protected Health Information) with trauma docs, even if it is verbalized and not recorded, is not okay. PHI should only be shared with authorized individuals who have a legitimate need to know, and it should be done through secure and appropriate channels to ensure patient privacy and confidentiality. Verbalizing PHI without proper authorization and documentation can still lead to breaches of patient privacy and is not in compliance with HIPAA regulations.

6. What is the largest monetary penalty that may be incurred for HIPAA violation in a year under the new Omnibus Rule?

$50,000

$500,000

$1.5 million

$750,000

Under the new Omnibus Rule, the largest monetary penalty that may be incurred for HIPAA violation in a year is $1.5 million. This means that if an organization fails to comply with HIPAA regulations and violates patient privacy and security, they can be fined up to $1.5 million in a single year. This significant penalty highlights the importance of protecting patient information and ensuring compliance with HIPAA regulations.

Explanation

Under the new Omnibus Rule, the largest monetary penalty that may be incurred for HIPAA violation in a year is $1.5 million. This means that if an organization fails to comply with HIPAA regulations and violates patient privacy and security, they can be fined up to $1.5 million in a single year. This significant penalty highlights the importance of protecting patient information and ensuring compliance with HIPAA regulations.

7. The Health Insurance Portability and Accountability Act or HIPAA was enacted by congress on October 16th, 2002.

True

False

1996 - page 11 of manual

Explanation

1996 - page 11 of manual

8. An entity (non-employee) that in the course of their work will directly or indirectly create, receive, maintain, or transmit PHI on behalf of a Covered Entity is considered under the Omnibus Rule to be a/an:

Healthcare Provider

Health Care Clearinghouse

Health Care Consultant

Business Associate

An entity that is not an employee but handles PHI on behalf of a Covered Entity is considered a Business Associate under the Omnibus Rule. This means that they have a legal obligation to protect the privacy and security of PHI and comply with HIPAA regulations. They may include entities such as IT companies, billing companies, or transcription services that have access to PHI.

Explanation

An entity that is not an employee but handles PHI on behalf of a Covered Entity is considered a Business Associate under the Omnibus Rule. This means that they have a legal obligation to protect the privacy and security of PHI and comply with HIPAA regulations. They may include entities such as IT companies, billing companies, or transcription services that have access to PHI.

9. Regarding to the Omnibus Rule on HI TECH Law for any malicious posting on social networks; what is the potential penalty to the person or persons held directly responsible? [Be specific]

Social Media and HIPAA on page 16 of manual.

Explanation

Social Media and HIPAA on page 16 of manual.

Submit

10. Regarding to the Omnibus Rule on HI TECH Law, who is held directly responsible for any malicious posting on social networks?

The CEO or Business Owner

HIPAA Compliance Officer

The Employee

The Business Associate

According to the Omnibus Rule on HI TECH Law, the employee is held directly responsible for any malicious posting on social networks. This means that if an employee posts something malicious on a social network, they will be held accountable for their actions. This emphasizes the importance of training and educating employees on the proper use of social media and the potential consequences of their actions. It also highlights the need for businesses to have clear policies and guidelines in place to prevent such incidents from occurring.

Explanation

According to the Omnibus Rule on HI TECH Law, the employee is held directly responsible for any malicious posting on social networks. This means that if an employee posts something malicious on a social network, they will be held accountable for their actions. This emphasizes the importance of training and educating employees on the proper use of social media and the potential consequences of their actions. It also highlights the need for businesses to have clear policies and guidelines in place to prevent such incidents from occurring.

11. EHR or "Electronic HIPAA Records" refers to patient records that can be transmitted or copied and shared by electronic means: digital, fax, text, phone transmission or via internet.

True

False

Electronic HEALTH Records

Explanation

Electronic HEALTH Records

12. Under the Omnibus Rule, what three communication permissions are directly permissible and considered the course-of-doing business? [Check all three that apply]

Appointment Reminders

Patient Names

Treatment Information

Patient Home Address

Benefit Notifications

Patient Social Security Number

Under the Omnibus Rule, three communication permissions that are directly permissible and considered the course-of-doing business include appointment reminders, treatment information, and benefit notifications. These types of communication are essential for the proper functioning of healthcare services and are allowed under the rule to ensure effective patient care and communication. Patient names, patient home address, and patient social security number are not directly permissible and may require additional consent or authorization.

Explanation

Under the Omnibus Rule, three communication permissions that are directly permissible and considered the course-of-doing business include appointment reminders, treatment information, and benefit notifications. These types of communication are essential for the proper functioning of healthcare services and are allowed under the rule to ensure effective patient care and communication. Patient names, patient home address, and patient social security number are not directly permissible and may require additional consent or authorization.

Submit

13. NOPP stands for Notices of Privacy Protocols.

True

False

NOPP = Notices of Privacy Practices - page 22 in manual

Explanation

NOPP = Notices of Privacy Practices - page 22 in manual

14. How long do we currently keep patient consent forms at Specialty Telehealth Services?

0 days

30 days

60 days

90 days

A minimum of two years

Specialty Telehealth Services DOES NOT have patient consent forms.

Under the OMNIBUS RULE - Doctors offices are required by law to keep patient consent forms for 50 years. (This is not a doctor's office or hospital).

Explanation

Specialty Telehealth Services DOES NOT have patient consent forms.

Under the OMNIBUS RULE - Doctors offices are required by law to keep patient consent forms for 50 years. (This is not a doctor's office or hospital).

15. If you were to receive a CHS consultation request form from downrange with specific PHI of a patient in the name which is the best option below?

Forward the form to on-call trauma doctor.

Decide that it is inappropriate to forward the form and verbalize the information to the doctor.

Call downrange and ask them to change how they named the form.

Change the name of the form to something more appropriate then send to on-call doctor.

The best option is to change the name of the form to something more appropriate and then send it to the on-call doctor. This ensures that the patient's specific PHI is protected and the form is handled in a professional manner. Forwarding the form without changing the name may compromise patient confidentiality. Verbalizing the information to the doctor could also breach patient privacy. Calling downrange to request a change in the form's name may not be efficient or necessary, as it can be resolved internally by making the appropriate changes before sending it to the doctor.

Explanation

The best option is to change the name of the form to something more appropriate and then send it to the on-call doctor. This ensures that the patient's specific PHI is protected and the form is handled in a professional manner. Forwarding the form without changing the name may compromise patient confidentiality. Verbalizing the information to the doctor could also breach patient privacy. Calling downrange to request a change in the form's name may not be efficient or necessary, as it can be resolved internally by making the appropriate changes before sending it to the doctor.