HIPAA Privacy and Security

Course #91140 - $30


Study Points

  1. Outline the history of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States.
  2. Describe the Privacy Rule of HIPAA, including entities who must comply.
  3. Identify protected health information and approaches to guarding and appropriately disclosing protected information.
  4. Define patient rights and employers' responsibilities as delineated by HIPAA.
  5. Evaluate the requirements of the HIPAA Security Rule.
  6. Discuss sources of potential security breaches and approaches to avoidance and notifications.
  7. Explain potential disciplinary actions for not complying with the HIPAA Privacy or Security Rule.

    1. The HHS published a final Privacy Rule in
    A) 1958.
    B) 1989.
    C) 2000.
    D) 2012.

    INTRODUCTION

    The HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule sets national standards for the protection of individually identifiable health information by three types of covered entities: health plans, healthcare clearinghouses, and healthcare providers who conduct standard healthcare transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (or April 14, 2004, for small health plans) [1].

    2. Compliance with the Security Rule was required as of
    A) April 20, 1995 (or April 20, 1996 for small health plans).
    B) April 20, 2005 (or April 20, 2006, for small health plans).
    C) December 31, 2000 (or December 31, 2001 for small health plans).
    D) December 31, 2020 (or December 31, 2021 for small health plans).

    INTRODUCTION

    The HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule sets national standards for the protection of individually identifiable health information by three types of covered entities: health plans, healthcare clearinghouses, and healthcare providers who conduct standard healthcare transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (or April 14, 2004, for small health plans) [1].

    3. According to the Privacy Rule, as well as all the Administrative Simplification rules, a covered entity is a
    A) health plan.
    B) healthcare clearinghouse.
    C) healthcare provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA.
    D) All of the above

    HIPAA PRIVACY RULE

    As noted, the Privacy Rule, as well as all the Administrative Simplification Rules, apply to health plans, healthcare clearinghouses, and to any healthcare provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA [3]. These groups are referred to collectively as covered entities.

    4. Which of the following insurance entities is considered a health plan?
    A) HMOs
    B) Entities providing only workers' compensation
    C) Entities providing only automobile insurance
    D) Entities providing only property and casualty insurance

    HIPAA PRIVACY RULE

    Individual and group plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. There are exceptions—a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity. Two types of government-funded programs are not health plans: those whose principal purpose is not providing or paying the cost of health care (e.g., the food stamps program), and those programs whose principal activity is directly providing health care (e.g., a community health center) or the making of grants to fund the direct provision of health care. Certain types of insurance entities are also not health plans, including entities providing only workers' compensation, automobile insurance, or property and casualty insurance. If an insurance entity has separable lines of business, one of which is a health plan, the HIPAA regulations apply to the entity with respect to the health plan line of business [3].

    5. Which of the following is NOT generally considered individually identifiable health information?
    A) Sex
    B) Name
    C) Address
    D) Birthdate

    HIPAA PRIVACY RULE

    Individually identifiable health information is defined as information, including demographic data, that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual and relates to the [3]:

    • Individual's past, present, or future physical or mental health or condition

    • Provision of health care to the individual

    • Past, present, or future payment for the provision of health care to the individual

    Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

    6. The minimum necessary standard does not apply to
    A) disclosures to or requests by a healthcare provider for treatment purposes.
    B) disclosures to the individual who is the subject of the information.
    C) uses or disclosures made pursuant to an individual's authorization.
    D) All of the above

    HIPAA PRIVACY RULE

    The Privacy Rule generally requires covered entities to take reasonable steps to limit the use of, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to [11]:

    • Disclosures to or requests by a healthcare provider for treatment purposes

    • Disclosures to the individual who is the subject of the information

    • Uses or disclosures made pursuant to an individual's authorization

    • Uses or disclosures required for compliance with the HIPAA Administrative Simplification Rules

    • Disclosures to the HHS when disclosure of information is required under the Privacy Rule for enforcement purposes

    • Uses or disclosures that are required by other law

    7. Which of the following statements regarding PHI uses and disclosures is TRUE?
    A) A covered entity may disclose PHI to the individual who is the subject of the information.
    B) A covered entity may NOT disclose PHI for the payment activities of another covered entity.
    C) The Privacy Rule requires that every risk of an incidental use or disclosure of PHI be eliminated.
    D) Most uses and disclosures of psychotherapy notes for treatment, payment, and healthcare operations purposes do not require an authorization.

    HIPAA PRIVACY RULE

    A covered entity may use and disclose PHI for its own treatment, payment, and healthcare operations activities. A covered entity also may disclose PHI for the treatment activities of any healthcare provider, the payment activities of another covered entity and of any healthcare provider, or the healthcare operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the PHI pertains to the relationship [3].

    For the purposes of the Privacy Rule, treatment is defined as the provision, coordination, or management of health care and related services for an individual by one or more healthcare providers, including consultation between providers regarding a patient and referral of a patient by one provider to another. Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a healthcare provider to obtain payment or be reimbursed for the provision of health care to an individual [3].

    Healthcare operations are any of the following activities [3]:

    • Quality assessment and improvement activities, including case management and care coordination

    • Competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation

    • Conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs

    • Specified insurance functions, such as underwriting, risk rating, and reinsuring risk

    • Business planning, development, management, and administration

    • Business management and general administrative activities of the entity, including but not limited to:

      • De-identifying PHI

      • Creating a limited data set

      • Certain fundraising for the benefit of the covered entity

    Most uses and disclosures of psychotherapy notes for treatment, payment, and healthcare operations purposes require an authorization. Obtaining consent (written permission from individuals to use and disclose their PHI for treatment, payment, and healthcare operations) is optional under the Privacy Rule for all covered entities. The content of a consent form, and the process for obtaining consent, are at the discretion of the covered entity electing to seek consent [3].

    8. In each of the following cases, covered entities may disclose PHI to law enforcement officials, EXCEPT:
    A) When a covered entity wishes to seek retaliation for a perceived injustice
    B) To identify or locate a suspect, fugitive, material witness, or missing person
    C) To alert law enforcement of a person's death, if the covered entity suspects that criminal activity caused the death
    D) As required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests

    HIPAA PRIVACY RULE

    Covered entities may disclose PHI to law enforcement officials for law enforcement purposes under the following circumstances, and subject to specified conditions [3]:

    • As required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests

    • To identify or locate a suspect, fugitive, material witness, or missing person

    • In response to a law enforcement official's request for information about a victim or suspected victim of a crime

    • To alert law enforcement of a person's death, if the covered entity suspects that criminal activity caused the death

    • When a covered entity believes that PHI is evidence of a crime that occurred on its premises

    • By a covered healthcare provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime

    9. Which of the following statements regarding authorizations for PHI release is FALSE?
    A) Individual review of each disclosure is not required.
    B) In almost all cases, a covered entity may condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization.
    C) A covered entity must obtain the individual's written authorization for any use or disclosure of PHI that is not for treatment, payment, or healthcare operations or otherwise permitted or required by the Privacy Rule.
    D) Covered entities must establish and implement policies and procedures for routine, recurring disclosures or requests for disclosures that limit the PHI disclosed to that which is the minimum amount reasonably necessary to achieve the purpose of the disclosure.

    HIPAA PRIVACY RULE

    A covered entity must obtain the individual's written authorization for any use or disclosure of PHI that is not for treatment, payment, or healthcare operations or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances [3]. Covered entities must establish and implement policies and procedures (which may be standard protocols) for routine, recurring disclosures or requests for disclosures that limit the PHI disclosed to that which is the minimum amount reasonably necessary to achieve the purpose of the disclosure. Individual review of each disclosure is not required. For non-routine, non-recurring disclosures or requests for disclosures that it makes, a covered entity must develop criteria designed to limit disclosures to the information reasonably necessary to accomplish the purpose of the disclosure and must review each of these requests individually in accordance with the established criteria.

    An authorization must be written in specific terms. It may allow use and disclosure of PHI by the covered entity seeking the authorization or by a third party. Examples of disclosures that would require an individual's authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for their own marketing purposes [3].

    All authorizations must be in plain language and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data [3].

    10. A covered healthcare provider with a direct treatment relationship with individuals must have delivered a privacy practices notice to patients
    A) by prompt mailing for electronic service delivery.
    B) not later than the third service encounter by personal delivery for patient visits.
    C) by posting the notice at each service delivery site in a clear and prominent place.
    D) by automatic and contemporaneous electronic response for telephonic service delivery.

    HIPAA PRIVACY RULE

    A covered healthcare provider with a direct treatment relationship with individuals must have delivered a privacy practices notice to patients [3]:

    • Not later than the first service encounter by personal delivery (for patient visits), by automatic and contemporaneous electronic response (for electronic service delivery), and by prompt mailing (for telephonic service delivery)

    • By posting the notice at each service delivery site in a clear and prominent place where people seeking service may reasonably be expected to be able to read the notice

    • In emergency treatment situations, as soon as practicable after the emergency abates

    11. Which of the following PHI examples is excepted from the patient's right of access?
    A) Treatment plans
    B) Psychotherapy notes
    C) Diagnostic imaging results
    D) Documented patient histories

    HIPAA PRIVACY RULE

    Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI in a covered entity's designated record set. The designated record set is that group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about individuals, or that is a provider's medical and billing records about individuals or a health plan's enrollment, payment, claims adjudication, and case or medical management record systems. The Rule excepts from the right of access the following PHI:

    • Psychotherapy notes

    • Information compiled for legal proceedings

    • Laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access

    • Information held by certain research laboratories

    12. The maximum disclosure accounting period is
    A) six months immediately preceding the accounting request.
    B) two years immediately preceding the accounting request.
    C) six years immediately preceding the accounting request.
    D) nine years immediately preceding the accounting request.

    HIPAA PRIVACY RULE

    Individuals have a right to an accounting of the disclosures of their PHI by a covered entity or the covered entity's business associates. The maximum disclosure accounting period is the six years immediately preceding the accounting request, except a covered entity is not obligated to account for any disclosure made before its Privacy Rule compliance date.

    13. A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. Which of the following is considered a workforce member?
    A) Trainee
    B) Employee
    C) Volunteer
    D) All of the above

    HIPAA PRIVACY RULE

    A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. Workforce members include employees, volunteers, trainees, and other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule [3].

    14. In accordance with the Security Rule, covered entities must
    A) outsource compliance activities to an approved officer.
    B) protect against unanticipated, permissible uses or disclosures.
    C) ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit.
    D) identify and protect against obscure and unanticipated threats to the security or integrity of the information.

    HIPAA SECURITY RULE

    The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must [5]:

    • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit

    • Identify and protect against reasonably anticipated threats to the security or integrity of the information

    • Protect against reasonably anticipated, impermissible uses or disclosures

    • Ensure compliance by their workforce

    15. When a covered entity is deciding which security measures to use, the Rule requires the entity to consider all of the following, EXCEPT:
    A) The costs of security measures
    B) Its size, complexity, and capabilities
    C) The ease by which it can provide trainings
    D) Its technical, hardware, and software infrastructure

    HIPAA SECURITY RULE

    When a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider [5]:

    • Its size, complexity, and capabilities

    • Its technical, hardware, and software infrastructure

    • The costs of security measures

    • The likelihood and possible impact of potential risks to e-PHI

    16. The Security Rule stipulates that risk assessment
    A) is an optional process.
    B) should be an ongoing process.
    C) occur no more often than annually.
    D) should not affect the safeguards implemented.

    HIPAA SECURITY RULE

    The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule [5].

    A risk analysis process includes, but is not limited to, the following [5]:

    • Evaluating the likelihood and impact of potential risks to e-PHI

    • Implementing appropriate security measures to address the risks identified in the risk analysis

    • Documenting the chosen security measures and, where required, the rationale for adopting those measures

    • Maintaining continuous, reasonable, and appropriate security protections

    Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly re-evaluates potential risks to e-PHI [5].

    17. Following a breach of unsecured PHI, covered entities must provide notification of the breach to
    A) affected individuals.
    B) the company executive.
    C) other companies in the same field.
    D) the Secretary of Homeland Security.

    HIPAA SECURITY RULE

    Following a breach of unsecured PHI, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.

    18. What group is responsible for enforcing the Privacy and Security Rules?
    A) Office for Civil Rights
    B) Department of Justice
    C) Centers for Disease Control and Prevention
    D) Occupational Safety and Health Administration

    HIPAA ENFORCEMENT

    The OCR is responsible for enforcing the Privacy and Security Rules. It does so through an established complaint resolution process. The OCR enforces the Privacy and Security Rules by [8]:

    • Investigating filed complaints

    • Conducting compliance reviews to determine if covered entities are in compliance

    • Performing education and outreach to foster compliance with the Rules' requirements

    19. Before a penalty is imposed, the covered entity will be notified and provided with an opportunity to provide written evidence of circumstances that would reduce or bar a penalty. This evidence must be submitted within
    A) 7 days of receipt of the notice.
    B) 30 days of receipt of the notice.
    C) 60 days of receipt of the notice.
    D) 120 days of receipt of the notice.

    HIPAA ENFORCEMENT

    Before the OCR imposes a penalty, it will notify the covered entity and provide the covered entity with an opportunity to provide written evidence of those circumstances that would reduce or bar a penalty. This evidence must be submitted to the OCR within 30 days of receipt of the notice. In addition, if the OCR states that it intends to impose a penalty, a covered entity has the right to request an administrative hearing to appeal the proposed penalty [3].

    20. Preemption of a state law that is contrary to HIPAA will not occur if the HHS determines, in response to a request from a state or other entity or person, that the state law is necessary to
    A) seek payment for services.
    B) protect businesses from litigation.
    C) state reporting on health care delivery or costs.
    D) provide administrative support to state educational institutions.

    STATE LAWS

    In addition, preemption of a contrary state law will not occur if the HHS determines, in response to a request from a state or other entity or person, that the state law [3]:

    • Is necessary to prevent fraud and abuse related to the provision of or payment for health care

    • Is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation

    • Is necessary for state reporting on health care delivery or costs

    • Is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy or Security Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served

    • Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances, or that is deemed a controlled substance by state law
