HCCA - CHPC Study Questions 2023/2024

Questions and Answers

The Office for Civil Rights (OCR) is the entity that oversees HIPAA, and the agency's goal is to ensure that patients' health information is properly protected while allowing for the flow of health information needed. OCR also provides excellent guidance on steps to take if an entity experiences a cyberattack.

True

A cyberattack could result in negative press against the organization and lack of trust from patients. It could also result in a privacy breach, which puts patients at risk for identity theft and other fraudulent activity.

True

If disclosing PHI to legal authorities/government/public officials, CE must verify identity, for instance asking for a government badge/ID, credential, or some proof of government status.

True

How are computerized data medical records destroyed?

Magnetic degaussing

Covered entities participating in an Organized Health Care Arrangement are permitted to:

Utilize a single notice of privacy practices

In cases where CE is making fundraising communications to individuals, the individual must be provided with an opportunity to object/elect to receive such communications.

True

Covered entities can use or disclose PHI by these 4 areas: 1. for treatment, payment, healthcare operations (TPO), 2. for public interest in disaster relief or public emergency, 3. with an opportunity to _____, 4. with authorization granted.

object

What are covered entities?

Health plans, healthcare clearinghouses, healthcare providers who transmit health information electronically, and their business associates.

What is a Controlling Health Plan (CHP)?

A health plan that controls its own business, actions, activities, and policies.

What should you do with a 'required' implementation specification?

Implement the specification as presented.

What should you do with an 'addressable' implementation specification?

Implement as presented, or if not reasonable and appropriate, implement an equivalent alternative measure.

What does a Designated Record Set (DRS) include?

Medical/billing records, enrollment/payment/claims adjudication/case management records, and other records used to make decisions about individuals.

What records are excluded from the Designated Record Set (DRS)?

Administrative data, incident reports, quality assurance data, statistical reports.

How are DVD medical records destroyed?

Shredding and cutting

Give examples of use or disclosure of PHI other than treatment, payment, and healthcare operations (TPO).

Public health interest, research, serious threat, organ/tissue donation, decedent information, worker's compensation insurers.

Give examples of administrative safeguards.

Policies and procedures, training and education, designation of individuals, contingency planning.

Give examples of physical safeguards.

Facility security, access control, disposal processes, data backup and storage.

Give examples of technical safeguards.

Passwords, encryption, auto log off, unique user identification.

What are the key differences between HIPAA 'consent' and 'authorization'?

Consent is voluntary for TPO, while authorization is required by the Privacy Rule for use and disclosure of PHI.

What is the primary difference between HIPAA authorization and Right of Access regarding disclosure?

HIPAA authorization is a permitted disclosure, while Right of Access is a required disclosure.

What is excluded from the Right of Access?

Information not part of the Designated Record Set, psychotherapy notes, records gathered for legal proceedings.

What are the ranges of HIPAA Civil Penalties?

Did not know: $100 to $50K, reasonable cause: $1,000 to $50K, willful neglect corrected: $10K to $50K, willful neglect not corrected: $50K; max per year: $1.5 million.

What are the ranges of HIPAA Criminal Penalties?

Knowingly: up to 1 year in prison + $50,000; under false pretense: 5 years + $100,000; with intent: 10 years + $250,000.

What makes it a criminal offense under HIPAA?

Submitting claims based on incorrect codes or medically unnecessary services.

How long must a covered entity maintain written records according to the Security Rule documentation requirements?

At least 6 years from the date records were created or the effective date.

What is the purpose of HIPAA?

Protect PHI from unauthorized disclosure/use; Prevent fraud, waste and abuse; Make health insurance portable under ERISA; Move health care onto a nationally standardized electronic billing platform.

HIPAA resides in which CFR section?

45 CFR sections 164.102 through 164.534.

What are the subparts of HIPAA part 164?

Subpart A - General rules, Subpart C - Security, Subpart D - Breach notification, Subpart E - Privacy.

How do you determine if an organization is a 'Covered Entity'?

Compare if the organization meets one of the 3 types of CE and determine if it electronically transmits one of the 9 defined transactions.

What Act established restrictions on how government can share personal information?

The Privacy Act of 1974.

Which of the following is not considered a HIPAA Entity Designation?

Contract arrangement with FEDEX carrier

What is the Gramm-Leach-Bliley Act (GLBA)?

GLBA, also known as the Financial Services Modernization Act of 1999, includes The Financial Privacy Rule and The Safeguards Rule which require all financial institutions to protect customer's personal financial information.

What is an OHCA?

Organized Health Care Arrangement, a clinically integrated care setting where individuals receive health care from more than one provider.

What is an ACE?

Affiliated Covered Entity, legally separate entities that share common control/ownership and comply with HIPAA Privacy standards.

What is a Hybrid Entity?

An entity that conducts both covered and non-covered functions and elects to be a hybrid entity.

What is defined as the transmission of information between two parties for health care activities?

Transaction (healthcare transaction).

What are examples of a BA?

Business Associate - provides functions or activities on behalf of a covered entity that involve access to protected health information.

A hospital is not required to have a business associate contract with the specialist to whom it refers a patient.

True

Business Associates After HITECH are directly responsible for HIPAA compliance.

True

Under HIPAA, individuals identified as business associates are obligated to enter into a business associate agreement.

True

Except for TPO, list two examples where a CE requires an authorization to use/disclose PHI.

Sales and marketing, Psychotherapy notes.

How do you determine if an entity is subject to HIPAA?

By understanding the applicability of the healthcare component and the types of Covered Entities.

What is referred to when HIPAA provides standards that states can add to?

HIPAA preemption

What is the intent of HIPAA?

Improve healthcare programs and data flow between providers

A physician is required to have a business associate contract with a laboratory when disclosing protected health information.

False

A hospital laboratory is required to have a business associate contract to disclose PHI to a reference laboratory.

True

Research use/disclosure with individual authorization does not expire until the end of the research study.

True

Research use/disclosure with individual authorization can be combined with other consents for participation in research.

True

A program providing both SUD services and Mental Health Services will have records subject to Part 2 regulations.

False

What are the 4 federal regulations/government agencies that govern the privacy of individually identifiable information in research?

1. HHS-FDA, 2. HHS-NIH, 3. HHS-Office of Human Research Protections, 4. HHS-OCR.

Certificates of Confidentiality (CoC) protect the privacy of human research participants enrolled in sensitive research. This is authorized by which act?

Public Health Services Act.

What is a system of records notice (SORN)?

A public notice outlining the safeguards for protecting personally identifiable information collected by federal agencies.

What is a research IRB?

A group of individuals that review proposed research

An individual must authorize these marketing communications before they can occur, except:

Hospital uses patient list to announce a new specialty group

When contracting with payers, they must follow HIPAA security and privacy rules.

True

Which of the following requires a Business Associate contract?

Independent medical transcriptionist

Is a covered entity required to provide notice to individuals about its disclosures of PHI to a public health authority?

True

OHCAs and ACEs are able to produce a joint Notice of Privacy Practice (NPP).

False

Since your blog is private, you are not in violation of HIPAA regulations by posting a picture of patients.

False

In the mid-1990s, OIG began to require providers settling civil health care fraud cases to enter into specific type of agreements as a condition for OIG not pursuing exclusion. These agreements are referred as:

Corporate Integrity Agreements (CIA)

What are some of the key basic elements to contracts?

Agreement (Offer and Acceptance), Capacity to contract, Consideration, Legal purpose, Legality of form, Intention to create legal relations, Consent to contract, Mistakes and undue influence.

The privacy professional must ensure that the contract supports the privacy profile in vendor relations.

True

Which of the following doesn't fall under the circumstances for a Covered Entity to deny an individual access to their PHI?

Request for psychotherapy notes

38 U.S.C. 7332 deals with confidentiality of patient medical record information related to:

Drug abuse, alcoholism, infection with HIV virus, and sickle cell anemia

The Minimum Necessary is a key concept under the HIPAA security rule.

False

Is there any information we can release to a person who is calling on behalf of a patient who is not authorized in a release form?

No, unless the patient is given an opportunity to agree or object.

How do we validate the request for PHI from lawyers?

Ensure it has a valid HIPAA authorization containing 6 core elements and 3 key statements.

A long-term dental patient's PHI can be requested and fulfilled without authorization for purposes of treatment.

True

You may report suspected domestic violence without the patient's authorization.

True

What is ARRA also known for?

American Recovery and Reinvestment Act (ARRA).

What does IIHI stand for?

Individually Identifiable Health Information

What does PHI stand for?

Protected Health Information

What is de-identified information?

Information from which all HIPAA identifiable information has been removed.

What is re-identification?

The process of assigning a number for re-identification while ensuring the disclosure scheme remains confidential.

What does Minimum Necessary refer to?

The principle of using or disclosing only the required amount of PHI necessary for the intended purpose.

The Minimum Necessary rule does not apply to which of the following?

To the individual directly

How does the Minimum Necessary concept link to the Security Rule?

It relates to Role Based Access and the use of content filters.

Who can deceased individuals' information be released to at any time?

Coroners or medical examiners.

What does preemption under HIPAA mean?

Federal law overrides state law on specific issues related to PHI.

What are the valid authorization core elements?

Meaningful description of information, name of the individual authorized, name of the recipient, purpose of the disclosure, expiration date, signature and date.

What are the valid authorization 3 key statements?

Right to revoke authorization, treatment not conditioned upon signing, potential re-disclosure may not be protected.

The three types of AUTHORIZATION: VALID - must have all the 6 required core elements and 3 statements/notices; D_______ - lacks any of the required elements/statements, or expiration date has passed, or revoked, etc.; C_______ - typically allowed in research studies, this authorization may be combined with another written permission IF it's for the same research related studies.

Defective; Compound

What is Request for Restrictions?

Patients have the right to request restrictions on the use and disclosure of their information.

What is Request for Confidential Communication?

Patients may request alternative channels for communication regarding their PHI.

Which subpart of HIPAA part 164 sets limits on how PHI can be used and shared with others?

Part 164 Subpart E (Privacy Rule)

What is the difference between HIPAA security and privacy?

Security covers ePHI while privacy covers all forms of health information (electronic, oral, written).

45 CFR 164 - Subpart C outlines the three safeguards to ensure the _____, ____, ____ of ePHI.

Confidentiality, integrity, availability

What are the Research HIPAA Waiver criteria?

The use or disclosure for research must pose minimum risk, cannot be conducted without it, and requires access to PHI.

What is malicious software?

Malware used to control or disrupt applications, workstations, or servers.

A covered entity may use or disclose PHI for TPO. What does TPO stand for?

Treatment, Payment, Health Care Operations

Payer/health plans are allowed to use/disclose beneficiaries' PHI in activities such as legal services, medical review, and fraud detection.

True

Which is the correct method of releasing PHI to the Social Security Administration for benefits application?

Notify the patient and obtain signed authorization.

The American Recovery and Reinvestment Act is also known as?

ARRA

C.I.A. (HIPAA) stands for?

Confidentiality, Integrity, Availability

What comprehensive legislation ensures access to health coverage for those who change jobs?

Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA Privacy and Security rules were established to create a national health care privacy and security standard.

True

Study Notes

HIPAA Overview

• HIPAA's purpose includes protecting protected health information (PHI) from unauthorized access and ensuring privacy.
• It aims to prevent fraud, simplify administrative processes, and standardize electronic billing in healthcare.

HIPAA Regulations

• HIPAA regulations are found in 45 CFR sections 164.102 to 164.534.
• Key subparts include:
  • Subpart A: General Rules
  • Subpart C: Security
  • Subpart D: Breach Notification
  • Subpart E: Privacy

Covered Entities and Transactions

• Covered Entities (CE) include healthcare providers, health plans, and clearinghouses that electronically transmit health information.
• Defined healthcare transactions include health claims, eligibility checks, and payment advice.

Business Associates and Responsibilities

• A Business Associate (BA) performs functions on behalf of a CE and has access to PHI.
• Business associates are directly responsible for HIPAA compliance post-HITECH, regardless of existing contracts.

Organizational Structures

• An Organized Health Care Arrangement (OHCA) facilitates integrated care among multiple providers.
• Affiliated Covered Entities (ACE) consist of legally separate entities that share control but do not integrate their delivery systems.

Compliance and Authorizations

• Use and disclosure of PHI for treatment, payment, and operations (TPO) typically do not require specific authorization.
• Situations requiring authorization include marketing and psychotherapy notes.

Specific Regulations and Acts

• The Privacy Act of 1974 restricts how government agencies share personal information, necessitating a System of Records Notice (SORN) for new data collections.
• The Gramm-Leach-Bliley Act (GLBA) mandates the protection of customer financial information.

Research Considerations

• Research activities involving PHI must comply with HIPAA and be reviewed by Institutional Review Boards (IRBs).
• Certificates of Confidentiality protect sensitive research participant data under the Public Health Service Act.

Marketing and Public Disclosure

• Covered entities must notify individuals about PHI disclosures, while business associates are not required to provide notices for health information they handle.
• Hospitals and providers can communicate about services without being classified as engaging in marketing activities if no remuneration is involved.

Contractual Obligations

• Contracts establish the exchange of services and remedies for breaches. Key elements of contracts include offer and acceptance.
• Business Associate Agreements (BAAs) are required for independent medical transcriptionists and other BAs handling PHI.

Miscellaneous Facts

• Certain healthcare functions may not require a BAA when sharing PHI among providers for TPO.
• Part 2 regulations for Substance Use Disorder (SUD) services provide additional protections beyond HIPAA.### Contractual Elements
• Capacity to Contract: Ensure parties can perform services; request proof and biographies of staff involved in critical services.
• Consideration: Clearly define remuneration within the contract.
• Legal Purpose: Establish legal requirements and responsibilities for subcontractors and measures.
• Legality of Form: Utilize precise legal language and clauses to ensure compliance.
• Intention to Create Legal Relations: Include explicit statements of intent to be legally bound by the contract.
• Consent to Contract: Obtain required signatures from all parties involved.
• Mistakes and Undue Influence: Outline alternative options if issues arise during contract fulfillment.

Vendor Relations and Privacy

• Privacy professionals must ensure contracts align with the privacy profile and outline privacy impacts, mandates, and remedies.

HIPAA Regulations

• An individual may be denied access to their PHI under certain circumstances; psychotherapy notes are not among them.
• 38 U.S.C. 7332 pertains to confidentiality of medical records related to drug abuse, alcoholism, HIV, and sickle cell anemia.
• Minimum Necessary concept is critical under the Privacy Rule, not the Security Rule.
• Patients can request restrictions on use and disclosure of their information.

HIPAA Authorization and Guidelines

• Valid HIPAA authorizations must include core elements such as the description of information to be disclosed and requisite signatures.
• Three key statements include the right to revoke authorization and potential for re-disclosure of information.
• Authorization validity types: Valid, Defective (lacks required elements), and Compound (for combined research studies).

Privacy and Security in Health Information

• TPO stands for Treatment, Payment, and Health Care Operations, allowing disclosure without patient authorization in certain situations.
• HIPAA includes both privacy (covers all forms of PHI) and security (focused on electronic PHI).
• Covered Entities must verify identity when disclosing PHI to legal or government officials.

Controlled Health Plans and Specifications

• Controlling Health Plans oversee their own actions and those of subordinate plans; relevant in Medicaid contexts.
• Implementation specifications are categorized as "required" (must be implemented as stated) or "addressable" (can be adjusted if not reasonable).

Designated Record Set (DRS) Definition

• DRS includes medical records, billing data, and other records used to make decisions about individuals; excludes administrative data and quality assurance reports.

Breach Notification and Cybersecurity

• ARRA mandated breach notification provisions under HITECH and aimed to promote health information technology.
• Cyberattacks pose risks to patient privacy, clinical outcomes, and organizational reputation, necessitating robust cybersecurity measures.### Destruction of Medical Records
• DVD medical records must be destroyed through shredding and cutting.

Use or Disclosure of PHI

• Examples beyond Treatment, Payment, and Healthcare Operations (TPO) include:
  • Public health interests
  • Research purposes
  • Serious threats to health or safety
  • Organ or tissue donation involving decedent information
  • Worker’s compensation claims by insurers

Administrative Safeguards

• Key components include:
  • Development of policies and procedures
  • Providing training and education
  • Designating individuals responsible (e.g., Security Officer)
  • Implementing contingency planning

Physical Safeguards

• Important measures consist of:
  • Establishing facility security or access plans
  • Ensuring proper disposal processes and media reuse
  • Regular data backup and secure storage solutions

Technical Safeguards

• Essential tools and practices include:
  • Utilizing passwords for access control
  • Implementing encryption for data protection
  • Enforcing automatic log-off features
  • Assigning unique user identification for accountability

HIPAA Consent vs. Authorization

• Consent for TPO is voluntary, while authorization is mandated by the Privacy Rule for PHI use and disclosure.

HIPAA Authorization vs. Right of Access

• Authorization allows permitted disclosures of PHI, whereas the Right of Access mandates required disclosures.

Exclusions from Right of Access

• Information not included in the Right of Access:
  • Any content not part of the Designated Records Set
  • Psychotherapy notes
  • Records collected for anticipated legal proceedings (civil, criminal, or administrative)

HIPAA Civil Penalties

• Civil penalties for non-compliance range from:
  • $100 for cases of ignorance to $50,000 for severe violations
  • $1,000 to $50,000 for reasonable cause
  • $10,000 to $50,000 for willful neglect corrected within 30 days
  • $50,000 for willful neglect not corrected; maximum annual penalty of $1.5 million

HIPAA Criminal Penalties

• Criminal penalties include:
  • Up to 1 year in prison and a $50,000 fine for knowingly committing offenses
  • Up to 5 years and a $100,000 fine for offenses under false pretense
  • Up to 10 years and a $250,000 fine for offenses committed with intent to harm or for personal gain

Criminal Offenses Under HIPAA of 1996

• Submission of claims based on incorrect codes or medically unnecessary services is considered a criminal offense, risking exclusion from government healthcare programs.

Security Rule Documentation Requirements

• Covered entities must maintain written records for a minimum of 6 years from the record creation date or its effective date.

Description

Dive into vital concepts of HIPAA and its role in protecting patient health information. This quiz provides a comprehensive overview of the Health Care Compliance Association's certification topics, ensuring you're well-prepared for your CHPC exam.