HIPAA Regulations: Ch.9
17 Questions
Questions and Answers

What does HIPAA stand for?

  • Health Information Portability and Accessibility Act
  • Health Insurance Privacy and Accountability Act
  • Health Information Protection and Accessibility Act
  • Health Information Portability and Accountability Act (correct)

Which title of HIPAA addresses administrative simplification?

  • Title I
  • Title IV
  • Title III
  • Title II (correct)

What does the HITECH Act provide in relation to the HIPAA Privacy Rule?

  • It creates a new privacy rule separate from HIPAA
  • It makes no changes to the HIPAA Privacy Rule
  • It provides important changes to the HIPAA Privacy Rule (correct)
  • It repeals the HIPAA Privacy Rule

Which of the following is not a covered entity under HIPAA?

  • Business associates

What is the role of the Office of the National Coordinator for Health Information Technology (ONC)?

  • To coordinate national efforts to implement and use health information technology

Which of the following is not a characteristic of a business associate under HIPAA?

  • Works for the healthcare organization

Which of the following is true regarding an individual's right to access their own protected health information (PHI)?

  • Covered entities are not required to provide access to psychotherapy notes.

Under the ARRA and HITECH Acts, what is required of covered entities with electronic health records (EHRs) when an individual requests access to their PHI?

  • They must make the PHI available or send it electronically if requested.

What is the maximum time period a covered entity can take to respond to an individual's request for access to their PHI?

  • 30 days from receipt of the request, with a possible 30-day extension

Which of the following fees is a covered entity permitted to charge an individual for providing access to their PHI?

  • A reasonable fee for copying, supplies, labor, and postage

Which of the following is an exception to an individual's right to access their PHI under the HIPAA Privacy Rule?

  • Information compiled for civil or criminal actions

According to HIPAA regulations, what is a requirement for covered entities and business associates in terms of compensation for an individual's PHI?

  • Direct or indirect compensation for an individual's PHI requires authorization from that individual.

Under HIPAA, what administrative requirements must covered entities and business associates adhere to?

  • Designating a privacy officer and establishing privacy safeguards.

In the context of HIPAA, what actions are prohibited regarding the sale of an individual's PHI?

  • Receiving any form of compensation for an individual's PHI without their authorization.

What must be prominently stated when any remuneration is involved in a communication under HIPAA guidelines?

  • Any remuneration must be prominently stated.

In accordance with ARRA and HITECH, what is prohibited regarding an individual's PHI?

  • Receiving direct or indirect compensation in exchange for an individual's PHI without that individual's authorization.

What is required in a Business Associate Agreement (BAA) regarding communication standards to comply with HIPAA?

  • Consistent communication standards despite any payment involved.

Study Notes

HIPAA Overview

  • HIPAA stands for Health Insurance Portability and Accountability Act, enacted in 1996
  • The main goal is to improve the portability and continuity of health insurance coverage
  • The Act consists of five titles, including Title II, which addresses medical liability reform, health care fraud and abuse prevention, and administrative simplification

HIPAA Privacy and Security Standards

  • Privacy standards protect individually identifiable health information (PHI)
  • Security standards protect electronic PHI (ePHI) from unauthorized access, use, or disclosure
  • Transactions, identifiers, and code set standards regulate the exchange of health information
  • National provider identifiers are assigned to healthcare providers

HIPAA Applicability

  • HIPAA applies to covered entities, including healthcare providers, health plans, and healthcare clearinghouses
  • Business associates (BAs) are also subject to HIPAA, as they handle patients' health information
  • Examples of BAs include third-party billing companies and consultants

Individual Rights

  • Right of access: individuals have the right to access their own PHI in a designated record set
  • Right to request amendment: individuals can request corrections to their PHI
  • Right to accounting of disclosures: individuals can request a list of disclosures of their PHI
  • Right to request restrictions: individuals can request restrictions on the use of their PHI
  • Right to request confidential communications: individuals can request confidential communications

Access to PHI

  • Individuals can request access to their PHI in a designated record set
  • Covered entities must respond to requests within 30 days
  • Individuals can request electronic copies of their PHI
  • Covered entities can charge a reasonable fee for copying and postage
  • Individuals can direct that their PHI be transmitted to a third party

Sale of Information

  • Covered entities or BAs are prohibited from selling PHI without individual authorization
  • Exceptions exist for public health activities, research, and treatment

Fundraising

  • PHI can be used for fundraising, but individuals must be informed in the Notice of Privacy Practices
  • Individuals have the right to opt out of fundraising communications
  • No authorization is required if only specific, limited information is disclosed

Administrative Requirements

  • Designation of a privacy officer is required
  • Standards for policies and procedures must be established
  • Workforce privacy training is required
  • Privacy safeguards must be established, and practices regarding sanctions, retaliation, and waiver must be defined
  • Document and record retention policies must be implemented

Description

Test your knowledge on HIPAA regulations regarding the sale of information, communication requirements, and authorization for remuneration. Questions are based on guidelines provided by AHIMA, ARRA, and HITECH.
