Relias: HIPAA and Behavioral Health

Questions and Answers

Is it permissible for a pharmaceutical company to receive a list of individuals from your practice if each individual signed an authorization?

True

For which of the following types of PHI does HIPAA require a signed authorization for use or disclosure?

Medical records

Appointment scheduling

Psychotherapy notes (correct)

Billing information

Which of the following is most likely to be a business associate of a healthcare provider that is a Covered Entity?

Government agency

Health insurance company

Answering service (correct)

Patient

Which of the following is one of the three primary parts of HIPAA?

The Security Rule

What does HIPAA stand for?

Health Insurance Portability and Accountability Act

Who should HIPAA complaints be directed to within the Covered Entity?

Privacy Officer

When must the provider distribute a HIPAA Notice of Privacy Practices (NPP)?

At the first encounter the provider has with the individual, unless the first encounter is an emergency

If other customers overhear a pharmacist discussing a customer's allergies, would that be a violation of HIPAA?

True

Does HIPAA require a practice to comply with a request to stop making appointment confirmation calls if a patient fears for their safety?

True

An individual is allowed to request information about how their personal health information has been used.

True

Under HIPAA, should a psychotherapist provide a copy of a client's treatment record to their parents?

False

What is the first step toward security rule compliance?

To complete a risk assessment

Which of the following actions would cause a healthcare provider to become a Covered Entity?

Filing a claim for payment electronically

Which of the following is an exception to the definition of a 'breach'?

A physician accidentally overhears a nurse discussing the condition of an individual that he does not treat

Which of the following is considered PHI under HIPAA?

All of the above

Did Mary violate HIPAA after reporting suspected abuse made in good faith?

False

Do HIPAA's Privacy and Security Rules dictate exactly how covered entities and business associates must dispose of records?

False

Under what circumstances would a provider need to comply with Title 42 CFR Part 2?

For treatment of a substance use disorder

The changes to HIPAA's privacy, security, and enforcement requirements issued by DHHS in January 2013 are known as what?

The omnibus rule

What does the Security Rule protect?

Electronic PHI

What information must be included when notifying individuals of a breach of their protected health information?

A brief description of what the Covered Entity is doing to investigate the breach and mitigate the harm

Study Notes

HIPAA Compliance and Behavioral Health

• A pharmaceutical company's request for a patient list is permissible only if individuals authorize the release of their Protected Health Information (PHI) for marketing.

• HIPAA mandates a signed authorization for the use or disclosure of psychotherapy notes.

• An answering service is commonly recognized as a business associate of a healthcare provider classified as a Covered Entity.

• Key components of HIPAA include the Security Rule, one of its three primary parts.

• HIPAA stands for the Health Insurance Portability and Accountability Act.

• Complaints regarding HIPAA violations should be directed to the Privacy Officer within the Covered Entity.

• The HIPAA Notice of Privacy Practices (NPP) must be distributed at the initial encounter with the individual, except in emergencies.

• Breaching HIPAA occurs when confidential patient information, like allergies, is overheard in public settings, as demonstrated in a scenario involving pharmacist John.

• Patients, like Karen, can request that practices limit communication methods, especially for safety concerns, which HIPAA requires healthcare providers to honor.

• Individuals have the right to request information regarding how their personal health information has been utilized under HIPAA.

• Psychotherapists cannot disclose patient treatment records to parents without consent, as outlined by HIPAA’s privacy rights.

• Completing a risk assessment is crucial for achieving compliance with the Security Rule.

• A healthcare provider becomes a Covered Entity by filing claims for payment electronically.

• Accidental overhearing of patient information by a physician is considered an exception to HIPAA’s definition of a "breach."

• Psychotherapy notes are classified as Protected Health Information (PHI) under HIPAA guidelines.

• Reporting suspected abuse in good faith does not violate HIPAA, as illustrated by Mary's scenario with Child Protective Services.

• HIPAA's Privacy and Security Rules provide general guidance but do not specify exact disposal methods for records.

• Compliance with Title 42 CFR Part 2 is essential for providers treating substance use disorders.

• In January 2013, significant updates to HIPAA regulations were implemented, known collectively as the omnibus rule.

• The Security Rule specifically protects electronic PHI from unauthorized access and breaches.

• When notifying individuals of a PHI breach, Covered Entities must include details on their investigative actions and efforts to reduce harm.

Description

Test your knowledge on HIPAA regulations related to behavioral health with these flashcards. Understand the nuances of patient information handling and authorization requirements. Perfect for professionals in the behavioral health field seeking to reinforce their compliance knowledge.