Volume 1 Unit 3 Part 3

Questions and Answers

What are two of the HIPAA’s privacy officer responsibilities?

• (1) Ensures initial and refresher privacy training to all the MAJCOM workforce and (2) Ensures continuous assessment, implementation, monitoring, and revision of the MTF HIPAA Privacy programs
• (1) Ensures initial and refresher advertisement training to all the MTF workforce and (2) Interrupt continuous assessment, implementation, monitoring, and revision of the MTF HIPAA Privacy programs
• (1) Acknowledgement of notice of privacy practices and (2) Ensures continuous assessment, implementation, monitoring, and revision of the MTF HIPAA Privacy programs
• (1) Ensures initial and refresher privacy training to all the MTF workforce and (2) Ensures continuous assessment, implementation, monitoring, and revision of the MTF HIPAA Privacy programs (correct)

Who must complete HIPAA training?

• Old MTF employees and commanders
• All MTF employees, and new commanders and first sergeants. (correct)
• Only new employees
• All MTF employees, and first sergeants.

The MHS use _______ to explain how the patient PHI may be used and disclosed.

What are some examples of when a patient authorization is required?

Patient requests a copy, patient is going downtown for care, medical records of minors, adopted infants, and release to insurance agencies, and other external recipients. (A)

What should you be cautious of when disclosing the records of minors to their legal guardians?

Pay special attention to sensitive issues (birth control, abortion, STD treatment) and consult MLC and/or SJA before releasing the information. (C)

What should you do when releasing adopted infant’s medical records?

Remove all reference to the child’s natural parents (B)

When you answer a request for information on injury cases that appear to involve medical affirmative claims actions, you should send a copy of the paperwork to __________________.

Disclosure with PHI should be released in accordance with the _________________ rule.

Who has commander designee, by virtue of their position, and does not require an appointment letter?

The deputy/vice commander and first sergeant (D)

What agency, such as the Office of Special Investigations, is authorized to use a blanket request? Explain.

Blanket requests are not permitted by any person or agency. (A)

What are examples of mandatory reporting that medical providers are required to adhere to?

Domestic abuse, and in some states, sexual assault. (B)

How does a patient request to restrict access to their medical information?

Complete a DD Form 2871, Request to Restrict Medical and Dental Information (D)

What information is required if a patient wants their medical information released?

Patient signature and date, description of the information to be released, be written in plain language, name/organization authorized to make the request, purpose of the request, name/organization where the information is going, an expiration date for the authorization, an individual’s right to revoke the authorization in writing, and name/organization authorized to release the information. (A)

When should you NOT release information?

If it’s known to be revoked, is an incomplete request, if the information provided is false, expired, is a compound authorization, and a conditional authorization. (C)

How far back can patients request an accounting for every disclosure?

For the previous six years. (D)

What are five of the disclosure categories?

Information about decedents, health oversight activities, judicial and administrative proceedings, medical facility patient directories, research purposes (A)

Whose social security numbers needs to be removed from copies of medical records?

Remove all providers’ and sponsors’ SSNs (B)

Where should all correspondence (request) be placed once the request has been filled?

In Section III of the health record. (C)

When should a routine request for copies of medical records be filled?

Within 20 days of receiving the request. (A)

What should you do if you receive a request for copies from an insurance company, but prepayment was not sent?

Use a locally developed form to identify the fees. Prepare the form in three copies; send the original to the requester, file the second copy in part three of the health record with the patient’s signed authorization for release of information, and forward the third copy to the Resource Management Office. (D)

When should you fax medical documentation?

Only when the original record or mail-delivered copies will not meet requirements for immediate patient care. (B)

Where should this statement be when faxing medical information? “THIS FAX IS INTENDED ONLY FOR THE USE OF THE PERSON OR OFFICE TO WHOM IT IS ADDRESSED, AND CONTAINS PRIVILEGED, SENSITIVE OR CONFIDENTIAL INFORMATION PROTECTED BY LAW. ALL RECIPIENTS ARE HEREBY NOTIFIED THAT INADVERTENT OR UNAUTHORIZED RECEIPT DOES NOT WAIVE SUCH PRIVILEGE, AND THAT UNAUTHORIZED DISSEMINATION, DISTRIBUTION, OR COPYING OF THIS COMMUNICATION IS PROHIBITED. IF YOU HAVE RECEIVED THIS FAX IN ERROR, PLEASE DESTROY THE ATTACHED DOCUMENT(S) AND NOTIFY THE SENDER OF THE ERROR BY CALLING...”

When should you use regular ‘Snail Mail”?

Utilize regular mail or messenger service for routine disclosure of information to insurance companies, attorneys, or other legitimate users. (C)

When is e-mailing PHI permissible?

Within the ‘.mil’ domain. (A)

What statement should be at the beginning of an e-mail when sending medical information?

‘FOR OFFICIAL USE ONLY. This electronic transmission contains For Official Use Only (FOUO) information which must be protected by the Privacy Act and AFI 33–332 and the Health Insurance Portability and Accountability Act and DOD 6025.18-R. The information may be exempt from mandatory disclosure under the Freedom of Information Act, 5 U.S.C. § 552. If you have received this message in error, please notify the sender by replying to this e-mail and delete all copies of this message.’ (D)

What does it mean to sequester medical records?

To store and secure a health record separate from other health records for added security or for legal purposes (C)

What steps should you take when sequestering medical records?

Place a cover sheet on the original medical record stating the record has been sequestered. Maintain a separate file on why the record has been sequestered, and the date (or occurrence of an event) when the record should be reviewed to determine the need for continued sequestering. Place a charge out in appropriate records room with a statement that the record has been sequestered. If a “Clinic Copy” is made, ensure that original documentation is forwarded to the sequestered file and a copy is placed in the “Clinic Copy.” (B)

What information may be released without the patients’ consent?

Unit assignment for personnel not assigned to routinely deployable or sensitive units and office the member is assigned to. (D)

What information may be release with the patients’ consent?

Name and rank, component occupation or job title, and present medical assessment of condition (stating condition stable, good, fair, serious, or critical). (A)

An acquisition, access, use, or disclosure of PII/PHI in a manner not permitted is a _______

If you become aware of an actual or possible breach, whom should you report the circumstances of the event to?

The organization’s Breach Response Coordinator (C)

What are the two areas your MTF has addressed to protect integrity, confidentiality and availability of PII and PHI?

Physical and electronic security. (D)

What two forms can you use to cover personnel information in printed/paper form?

AF Form 3227 (Privacy Act Cover Sheet) or DD Form 2923 (Privacy Act Data Cover Sheet) (C)

What is the most commonly used method for controlling electronic access?

The common access card (A)