HIPAA and Privacy Act Training Challenge Exam

Questions and Answers

Which of the following are common causes of breaches? (Select all that apply)

• Theft and intentional unauthorized access to PHI and PII
• Human error (e.g., misdirected communication containing PHI or PII)
• Lost or stolen electronic media devices or paper records containing PHI or PII
• All of the above (correct)

Under HIPAA, a covered entity (CE) is defined as: (Select all that apply)

• A health plan
• A health care clearinghouse
• A health care provider engaged in standard electronic transactions covered by HIPAA
• All of the above (correct)

The e-Government Act promotes the use of electronic government services by the public and improves the use of information technology in the government.

True (A)

Which of the following is NOT electronic PHI (ePHI)?

Health information stored on paper in a file cabinet (C)

When must a breach be reported to the U.S. Computer Emergency Readiness Team?

Within 1 hour of discovery

A breach as defined by the DoD is broader than a HIPAA breach (or breach defined by HHS).

True (A)

Which of the following are breach prevention best practices? (Select all that apply)

All of the above (D)

A covered entity (CE) must have an established complaint process.

True (A)

The minimum necessary standard: (Select all that apply)

All of the above (D)

What are administrative safeguards?

Policies and procedures that manage security measures to protect ePHI.

HIPAA provides individuals with the right to request an accounting of disclosures of their PHI.

True (A)

Which of the following statements about the Privacy Act are true? (Select all that apply)

All of the above (D)

A Systems of Records Notice (SORN) must: (Select all that apply)

All of the above (D)

Which of the following are examples of personally identifiable information (PII)? (Select all that apply)

All of the above (D)

What are the categories for punishing violations of federal health care laws? (Select all that apply)

All of the above (D)

What are technical safeguards?

Policies and procedures used to protect and control access to ePHI.

What are physical safeguards?

Measures to protect electronic information systems from unauthorized intrusion.

The HIPAA Security Rule applies to which of the following:

PHI transmitted electronically (A)

If an individual believes that a DoD CE is not complying with HIPAA, he or she may file a complaint with: (Select all that apply)

All of the above (D)

Which HHS Office is charged with protecting an individual patient's health information privacy and security through the enforcement of HIPAA?

Office for Civil Rights (OCR)

Flashcards are hidden until you start studying

Study Notes

Breaches of PHI and PII

• Common causes of breaches include theft, human error, and lost or stolen media/devices.
• Human error examples: misdirected communications containing PHI.

Covered Entities under HIPAA

• Covered entities include health plans, health care clearinghouses, and providers conducting standard electronic transactions.

e-Government Act

• Promotes electronic government services and enhances the government's IT usage.

Electronic PHI (ePHI)

• ePHI does not include health information stored on paper.

Breach Reporting Requirements

• Breaches must be reported to the U.S. Computer Emergency Readiness Team within one hour of discovery.

Definitions of Breach

• Department of Defense (DoD) defines breaches more broadly than HIPAA.

Breach Prevention Best Practices

• Follow the minimum necessary access to PHI/PII.
• Log off or lock workstations when unattended.
• Promptly retrieve documents from printers.

Complaint Processes

• Covered entities must have an established complaint process.

Minimum Necessary Standard

• Limits disclosures and requests to the minimum necessary PHI.
• Does not apply to provider exchanges treating the same patient or to authorized individual disclosures.

Administrative Safeguards

• Include policies and procedures for managing ePHI security measures and workforce conduct.

Individual Rights under HIPAA

• Individuals have the right to request an accounting of disclosures of their PHI.

Privacy Act of 1974

• Balances individual privacy rights with governmental needs for collecting information.
• Regulates federal agencies in collecting and maintaining PII, setting requirements for PII use and disclosure.

Systems of Records Notice (SORN)

• Serves public notice about record systems, specifying routine uses of information.
• Must be republished upon creating new routine uses and provided to OMB and Congress.

Examples of Personally Identifiable Information (PII)

• PII includes Social Security numbers, home addresses, and telephone numbers.

Categories for Violating Federal Health Care Laws

• Violations can incur criminal penalties, civil money penalties, and sanctions.

Technical Safeguards

• Encompass IT measures and procedures protecting access to ePHI.

Physical Safeguards

• Focus on measures that protect electronic systems and buildings from hazards and unauthorized access.

HIPAA Security Rule

• Applies specifically to PHI transmitted electronically.

Filing Complaints Regarding HIPAA Compliance

• Individuals can file complaints with the DHA Privacy Office, HHS Secretary, or MTF HIPAA Privacy Officer if they suspect non-compliance by a DoD covered entity.

HHS Office for HIPAA Enforcement

• The Office for Civil Rights (OCR) is responsible for protecting patient health information privacy and enforcement of HIPAA regulations.