HCCA - CHPC Study Guide with Answers (300 Solved Questions)
HCCA - CHPC Study Guide with Answers provides real-world exam experience to sharpen your test-taking skills.
Michael Davis
HCCA - CHPC Study Guide - 300 Questions And
Answers 100% Verified
What is the purpose of HIPAA? - ANSWER--• Protect PHI from unauthorized disclosure/use;
• Prevent fraud, waste and abuse (via Administrative Simplification);
• Make health insurance portable under ERISA;
• Move health care onto a nationally standardized electronic billing platform
HIPAA resides in which CFR section? - ANSWER--45 CFR sections 164.102 through 164.534
What are the subparts of HIPAA part 164? - ANSWER--HIPAA - 45 CFR 164, subparts:
Subpart A - General rules
Subpart C - Security
Subpart D - Breach notification
Subpart E - Privacy
How do you determine if an organization is a "Covered Entity"? - ANSWER--1. Check whether the
organization is one of the 3 types of CE (provider, health plan, clearinghouse)
and
2. determine whether the organization electronically transmits one of the 9 defined transactions:
• Health claims or equivalent encounter information
• Health claims attachments
• Enrollment and disenrollment in a health plan
• Eligibility for a health plan
• Health care payment and remittance advice
• Health plan premium payments
• First report of injury
• Health claim status
• Referral certification and authorization
This Act, established in 1974, places restrictions on how government agencies can share the information
maintained in Federal systems of records with other individuals and agencies where that sharing might
infringe on an individual's privacy rights. - ANSWER--The Privacy Act of 1974
Which of the following is not considered a HIPAA Entity Designation:
1. Affiliated covered entity
2. Entity that performs healthcare and non-healthcare component activities including both covered and
non-covered functions
3. A group health plan
4. Contract arrangement with FEDEX carrier - ANSWER--4. Contract arrangement with FEDEX carrier
What is the Gramm-Leach-Bliley Act (GLBA)? - ANSWER--The Gramm-Leach-Bliley Act (GLBA), also known as
the Financial Services Modernization Act of 1999, includes the Financial Privacy Rule and the Safeguards
Rule, which require all financial institutions to protect customers' personal financial information.
What is an OHCA? - ANSWER--An OHCA (Organized Health Care Arrangement) is a clinically integrated
care setting where individuals receive health care from more than one provider.
These are joint arrangements/activities and have an Integrated Delivery System for easy exchange of PHI
data. See 45 CFR 160.103. OHCAs can also utilize a joint NPP. See 45 CFR § 164.520(d).
ACEs (Affiliated Covered Entities) do not have an Integrated Delivery System because they are legally
separate covered entities that are associated in business, or affiliated as a result of some common
control or ownership.
Both the OHCA and the ACE would allow sharing of PHI across participating entity lines for treatment,
payment, operations purposes (TPO).
What's an ACE? - ANSWER--ACE (Affiliated Covered Entity)
Legally separate covered entities that share common control/ownership and designate themselves as a
single CE for the purpose of complying with the HIPAA Privacy standards.
ACEs do not have an Integrated Delivery System, while OHCAs do, and can share a single NPP. See 45 CFR
§ 164.520(d)
ACE example: a health system composed of several affiliated hospitals.
Both the OHCA and the ACE would allow sharing of PHI across participating entity lines for treatment,
payment, operations purposes (TPO).
What's a Hybrid Entity? - ANSWER--An entity that conducts both covered functions (healthcare
functions) and non-covered functions (other business/non-healthcare functions) and elects to be a "hybrid
entity."
For instance, a University System that has a research laboratory or academic medical center.
The post-secondary functions (non-healthcare components) do NOT need to comply with HIPAA.
The research lab/med center functions (healthcare component) need to comply with HIPAA provisions
to protect the use/disclosure of the PHI involved.
The transmission of information between two parties to carry out financial or administrative activities
related to health care is called: - ANSWER--Transaction (healthcare transaction).
A few examples of healthcare transactions:
healthcare claims;
coordination of benefits;
health plan premium payments;
remittance advice (or EFT, electronic fund transfer);
referral certification and authorization
What are examples of a BA? - ANSWER--A BA (Business Associate) performs functions or activities on
behalf of a covered entity that involve access by the business associate to protected health information.
Examples:
claims processing
data analysis
billing
benefit management
quality assurance
quality improvement
practice management
legal
actuarial
accounting
True or False:
A hospital is not required to have a business associate contract with the specialist to whom it refers a
patient and transmits the patient's medical chart for treatment purposes. - ANSWER--TRUE
Remember, use and disclosure of PHI for purposes of TPO requires no specific authorization
True or False:
Business Associates After HITECH:
HITECH made business associates directly responsible for HIPAA compliance within their individual
businesses that would not otherwise be subject to HIPAA regulations and penalties - ANSWER--TRUE
Even if no written contract exists between the covered entity and a contracted company performing
services related to handling PHI in some form, the company is deemed a business associate by law. This
deemed status essentially classifies contracted vendors or individuals as business associates solely by
the nature of the services they provide to a covered entity, regardless of whether they intended to be
classified as business associates or were aware of their status as such. HIPAA and HITECH may hold
these vendors to business associate obligations as long as they act as business associates.
Likewise, a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business
associate is a business associate. A subcontractor of a subcontractor is a business associate as well, and
so on down the line.
Ref. 2023 HCCA Complete Healthcare Compliance Manual
Ref. HITECH Act and OCR's 2013 final rule
True or False:
Under HIPAA and HITECH, individuals or entities who have been identified as business associates are
obligated to enter into a business associate agreement with their contracted covered entities. -
ANSWER--TRUE
Business associate agreements are mandated under the HIPAA Privacy Rule. There are some exceptions, such as:
- for purposes of TPO, including payment for health plan premiums
- for determining health plan eligibility and enrollment
- when there is no involvement of use/disclosure of PHI (e.g., building maintenance)
Except for TPO, list two examples where a CE requires an authorization to use/disclose PHI - ANSWER--1.
Sales and marketing
2. Psychotherapy notes
How do you determine if an entity is subject to HIPAA? - ANSWER--By checking applicability (the
healthcare component): entities that transmit health information and fall under one of the 3 types of CE
(health plans, clearinghouses, and providers)
HIPAA provides standards for the access, disclosure, transmission, and retention of PHI, and created a
national baseline for health information Privacy and Security. States can also enact health information
statutes, but only to add higher or more restrictive standards than the Federal HIPAA rules. This is
referred to as:
a. HIPAA status
b. HIPAA assurance
c. HIPAA preemption
d. HIPAA state law - ANSWER--c. HIPAA preemption
What is the intent of HIPAA?
a. standardize healthcare billing and coding to comply with national accounting principles
b. increase payment from providers given the rising cost of healthcare and fraud violations
c. allow group health plans to collect premiums after an individual has left a job/employer
d. improve healthcare programs and data flow between providers to data mine for fraudulent behavior -
ANSWER--d. improve healthcare programs and data flow between providers to data mine for fraudulent
behavior
The intent of HIPAA is to improve healthcare programs and the delivery of services through the two
largest health plans in the U.S. This is accomplished by improved data flows that lead to better
outcomes, using national standard formats and specific transactions to increase accuracy and provide a
rapid way to data mine and detect fraudulent behavior.
True or False:
A physician is required to have a business associate contract with a laboratory as a condition of
disclosing protected health information for the treatment of an individual. - ANSWER--FALSE
Remember, use and disclosure of PHI for purposes of TPO requires no specific authorization
True or False:
A hospital laboratory is not required to have a business associate contract to disclose protected health
information to a reference laboratory for treatment of the individual. - ANSWER--TRUE
Remember, use and disclosure of PHI for purposes of TPO requires no specific authorization
True or False:
Research use/disclosure with individual authorization does not expire or continue until the end of the
research study - ANSWER--TRUE
True or False:
Research use/disclosure with individual authorization may be combined with an authorization for a
different research activity if research related treatment is conditioned on the provision of one of the
authorizations - ANSWER--TRUE
True or False:
Research use/disclosure with individual authorization may be combined with other legal permission or
consent to participate in the research - ANSWER--TRUE
True or False:
It is possible for a facility with multiple provider functions to have certain isolated providers or groups
who are subject to Part 2, while the facility as a whole is not subject to Part 2. For example, a large
facility may have primary care providers and a separate unit that provides SUD services. - ANSWER--
TRUE
Explanation:
The SUD unit is subject to Part 2, but the rest of the facility is not.
True or False:
An individual provider who works in a general medical facility could also be a Part 2 program IF the
provider's primary function is to provide SUD services. - ANSWER--TRUE
Explanation:
For example, a primary care physician who provides medication-assisted treatment would only meet the
requirement if providing services to persons with SUD is their primary function. However, if a patient
were to receive both primary care and SUD treatment, the SUD providers are still subject to Part 2 and
could not share information with the patient's primary care provider without consent.
True or False:
If a program or facility provides both SUD services and mental health services, and a patient has
been admitted to receive both services, his/her records will be subject to the Part 2 regulations -
ANSWER--FALSE
Explanation:
Mental health information is not subject to the standards in 42 CFR Part 2 and can be shared without
consent for treatment purposes, including care coordination, as allowed under HIPAA.
Only records or information about patients receiving SUD services will be subject to Part 2 and its
use/disclosure is more restrictive. However, to allow appropriate mental/behavioral health information
sharing with SUD information, a Qualified Service Organization Agreement (QSOA) would be needed as
defined in 42 CFR 2.11 "Qualified service organization" section.
What are the 4 federal regulations and/or government agencies that govern the privacy of individually
identifiable info in research? - ANSWER--1. HHS-FDA (protection of human subjects and IRBs)
2. HHS-NIH (certificate of confidentiality)
3. HHS-Office of Human Research Protections (Common Rule)
4. HHS-OCR - HIPAA Privacy Rule
Ref. HCCA Privacy Handbook 3rd Ed
A Certificate of Confidentiality (CoC) is a formal confidentiality protection for the privacy of human research
participants enrolled in biomedical, behavioral, clinical and other forms of sensitive research. CoCs are
issued by the NIH or the FDA, and are authorized by law by the P___ H___ S___ Act - ANSWER--Public
Health Services Act.
The Privacy Act of 1974 was created in response to the government creating and using computer
databases. The Act places restrictions on how government can share the information with other
individuals and agencies, and ultimately protects the privacy of individuals whose information is maintained
in Systems of Records by federal agencies. Before a federal agency begins to collect personal information for
a system of records, an advance public notice must be published in the Federal Register, which outlines
the administrative, technical, and physical safeguards for protecting the personally identifiable
information being collected. This "public notice" is called a S____ of R_____ N__ (SORN) - ANSWER--
system of records notice (SORN)
ref. HCCA privacy handbook 3rd ed. "Privacy Act 1974" section
What is a research IRB?
1. Institutional Research Board
2. A group of executives that review all research activities conducted by the Board of Directors
3. A group of individuals that review proposed research to protect the privacy of subjects
4. Can make changes to the research or alter its content as it deems appropriate - ANSWER--3. A
group of individuals that review proposed research to protect the privacy of subjects
An individual must authorize these marketing communications before they can occur, except:
a. when the communication is not for the purpose of providing treatment advice
b. communication from a health insurer to promote their products/services
c. communication in training material using their photo
d. hospital uses its patient list to announce the arrival of a new specialty group in general mailing -
ANSWER--Except:
d. hospital uses its patient list to announce the arrival of a new specialty group
This activity does not meet the "marketing" definition: the disclosure of PHI in this example is not made in
exchange for remuneration and does not encourage the purchase or use of a third party's product or service.
True or False:
It is important that when contracting with payers or health plans they follow not only the HIPAA Security
Rule but also the Privacy Rule to protect beneficiaries' PHI, including use/disclosure during the payer's
marketing activities - ANSWER--TRUE
Which of the following requires a Business Associate contract/agreement:
a. independent medical transcriptionist
b. entities that participate in an OHCA (organized healthcare arrangement)
c. when a provider simply accepts a discounted rate to participate in the health plan's network
d. US Postal Services or private carriers - ANSWER--a. independent medical transcriptionist
Explanation: this is an outsourced service that handles PHI on behalf of the CE. The transcriptionist
performs an activity for the CE that involves PHI, so a BAA is required to ensure proper use and
disclosure.
Is a covered entity required to provide notice to individuals about its disclosures of PHI to a PHA for
public health purposes? - ANSWER--Yes.
This is in the covered entity's Notice of Privacy Practices (NPP).
The Privacy Rule requires a covered entity to include in its NPP a description of the purposes, which
would include public health purposes, for which the covered entity may use or disclose PHI without an
individual's authorization.
However, the Privacy Rule does not require a business associate (such as an HIE that is a business
associate) to provide individuals with a NPP.
True or False:
OHCAs and ACEs are able to produce a joint Notice of Privacy Practice (NPP) - ANSWER--FALSE
Explanation:
OHCAs are joint arrangements (e.g. an integrated delivery system) whose participants agree to abide by the
terms of a joint notice with respect to PHI created or received by each covered entity as part of its
participation in the OHCA.
ACEs are legally separate covered entities working together; they are unable to use a joint NPP because they
might still have separate EHRs, separate HIM/ROI functions, etc., so the PHI is not created or received in the
same manner.
True or False:
It is your last day at your pediatric clinical site and you are saying goodbye to all of your favorite
patients. You take a picture on your phone of a few of the patients posing together and later post it to
your private blog as an illustration of your last day. Since your blog is private and can only be accessed
by those who know the URL, you are not in violation of HIPAA regulations. - ANSWER--FALSE
Fill in the blank:
In the mid-1990s, OIG began to require providers settling civil health care fraud cases to enter into a
specific type of agreement as a condition for OIG not pursuing exclusion. These agreements are
referred to as: - ANSWER--Corporate Integrity Agreements (CIAs)
The foundation for establishing a good relationship with a vendor is the contract. A contract is an
exchange of promises (services for money) with a specific remedy for breach of contract. What are some
of the key basic elements of a contract? - ANSWER--Basic key elements of contracts include:
I. Agreement (Offer and Acceptance)
II. Capacity to contract (ability to perform, ask for proof, bios of staff that will perform the critical
services)
III. Consideration (remuneration must be defined)
IV. Legal purpose (legal requirements, defined measures including subcontractors responsibilities)
V. Legality of form (use key legal language or clauses, assurances)
VI. Intention to create legal relations (statement of the parties' intent to be "legally bound" to abide by the
mandates)
VII. Consent to contract (required signatures)
VIII. Mistakes, undue influence (if things go wrong, list alternative options)
True or False:
Regarding vendor relations, the privacy professional must ensure that the contract supports the privacy
profile. This includes clearly outlining privacy impacts, clauses, mandates, remedies from the vendor's
services to ensure expectations are met, even when things go wrong. - ANSWER--TRUE
HCCA Privacy Compliance Handbook - Vendor Relations and Privacy Section
A Covered Entity may deny an individual access to their PHI under specific circumstances set forth in
45 CFR 164.524(a)(2); which of the following doesn't fall under those circumstances:
a. Request for psychotherapy notes
b. if it jeopardizes the health, safety, security or rehabilitation of the individual (e.g. an inmate's request, a
suicidal patient)
c. during the course of research/clinical trial
d. to request restrictions of their PHI - ANSWER--a. Request for psychotherapy notes
Under the HIPAA Privacy Rule, an individual has the right to request a copy of, an amendment to, and
restrictions on their PHI, to request confidential communications involving their PHI, and to receive an
accounting of disclosures. See 45 CFR § 164.524(a)(2)
38 U.S.C. 7332 deals with confidentiality of patient medical record information related to:
a. drug abuse, sexually transmitted diseases, and tuberculosis
b. HIV/AIDS status
c. drug abuse, alcoholism, infection with the HIV virus, and sickle cell anemia
d. mental illness, HIV status, drug and alcohol abuse - ANSWER--c. drug abuse, alcoholism, infection with
the HIV virus, and sickle cell anemia
True or False:
The Minimum Necessary is a key concept under the HIPAA security rule - ANSWER--FALSE
It is a key concept under the PRIVACY Rule.
Re: HIPAA Authorization
Is there any information we can release to a person who is calling on behalf of a patient who is not
authorized in a release form? - ANSWER--The patient must be given an "opportunity to agree or object",
keeping in mind:
1. you can obtain the patient's agreement verbally, over the phone, BUT make a note of it in the file
2. only disclose the Minimum Necessary
Re: HIPAA Authorization
When my patients are being treated for car accident injuries, we often receive requests for PHI from
lawyers. I am not sure if we should provide the information and don't know how to decide whether the
request is legitimate.
How do we validate that the request is legitimate? - ANSWER--Ensure it is a valid HIPAA authorization:
it MUST have the 6 core elements and 3 required statements per 45 CFR § 164.508(c)(1) and
(2)
Re: HIPAA Authorization
One of my long term (dental) patients was recently diagnosed with cancer. His new oncologist's
assistant called to request his PHI from our files. I don't know if the patient knows or has authorized this.
Can the request be fulfilled? - ANSWER--YES, no authorization is required for purposes of TPO.
But, ensure the request is in writing including:
Covered Entity's name;
Patient's name;
Date of the event/time of treatment; and
Reason for the request.
Re: HIPAA Authorization (suspected domestic violence)
I strongly suspect that a patient is a victim of domestic violence, although the patient has not confided in
me. The abuse seems to be escalating, judging by the injuries I've seen.
May I do anything? - ANSWER--You may; this is one of the exceptions in the HIPAA Privacy Rule (45 CFR 164.512(c)).
IF you reasonably believe the patient to be a victim of abuse, neglect or domestic violence, you may report
it to the appropriate government agency authorized by law to receive such reports.
You may also obtain the patient's agreement, but under the rule it is not required in every case.
ARRA passed in 2009, key items to know: - ANSWER--ARRA, also known as the "Obama Stimulus", was passed in
response to the 2008 recession.
ARRA mandated government spending, tax cuts and loan guarantees for financial relief to families.
ARRA pushed hospitals to computerize medical records and modernize HIT systems (the HITECH Act).
The breach notification provisions were also implemented under HITECH.
IIHI - ANSWER--Individually Identifiable Health Information
It's any part of an individual's health information, including demographic information (e.g. address, date
of birth) collected from the individual
PHI - ANSWER--Protected Health Information
Info transmitted by electronic media, maintained in electronic media, or transmitted or maintained in
any other form or medium. (PHI excludes IIHI education records covered by FERPA)
What is de-identified information? - ANSWER--Health information from which the HIPAA individual identifiers
have been removed. This is accomplished by one of two methods (45 CFR 164.514(b)):
Expert Determination: de-identification of PHI by an expert applying statistical or scientific principles
Safe Harbor: removing the 18 identifiers
What is re-identification? - ANSWER--A CE may assign a code or number to de-identified data to permit
re-identification; however, the code must not be derived from information about the individual, and the CE is
forbidden from disclosing the re-identification mechanism (45 CFR 164.514(c)).
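As an added example (this code is not from the study guide, the regulation or any cited source), the Safe Harbor method and the re-identification rule applied in Python to constructed records: direct identifiers are dropped, dates keep only the year, ages over 89 collapse to "90+" (with the birth year dropped, since it would reveal the age), ZIP codes keep three digits unless the area is too small, and each patient gets a random re-identification code that is not derived from the PHI. The field names, the sample records and the fixed "today" date are assumptions; the restricted three-digit ZIP list is the one published in OCR's de-identification guidance and should be checked against current census data.

```python
"""Added example, not part of the study guide: a Safe Harbor de-identification
pass (45 CFR 164.514(b)(2)) over constructed patient records, plus a
re-identification code that is not derived from the PHI (164.514(c)).
Field names and the sample records are assumptions for illustration."""
import datetime as dt
import re
import secrets

# Safe Harbor identifiers that are removed outright (assumed field names).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Dates directly related to the individual keep only the year.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}
# Three-digit ZIP areas with fewer than 20,000 people per OCR's Safe Harbor
# guidance (2000 census); they must be reported as "000". Verify this list
# against current census data before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless that ZIP3 area is restricted."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(digits) < 3 or digits in RESTRICTED_ZIP3 else digits


def age_on(birth_date: str, today: dt.date) -> int:
    """Whole years between an ISO birth date and `today`."""
    b = dt.date.fromisoformat(birth_date)
    return today.year - b.year - ((today.month, today.day) < (b.month, b.day))


def safe_harbor(record: dict, today: dt.date) -> dict:
    """Return a copy of `record` with Safe Harbor identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "birth_date":
            age = age_on(value, today)
            if age >= 90:
                out["age"] = "90+"  # ages over 89 are aggregated; birth year dropped too
            else:
                out["age"] = str(age)
                out["birth_year"] = dt.date.fromisoformat(value).year
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = dt.date.fromisoformat(value).year
        else:
            out[field] = value  # clinical content (diagnosis codes, labs) is retained
    return out


def assign_reid_code(patient_key: str, mapping: dict) -> str:
    """Random code per patient: not derived from the PHI, so it cannot be reversed
    without `mapping`, which stays inside the covered entity."""
    if patient_key not in mapping:
        mapping[patient_key] = secrets.token_hex(8)
    return mapping[patient_key]


def deidentify_batch(records: list, today: dt.date) -> tuple:
    """De-identify a batch; the re-identification map is returned separately and must
    never be disclosed together with the data set."""
    mapping, out = {}, []
    for rec in records:
        deid = safe_harbor(rec, today)
        deid["reid_code"] = assign_reid_code(rec["mrn"], mapping)
        out.append(deid)
    return out, mapping


# Constructed sample input (not real patients).
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "name": "Jane Example", "birth_date": "1931-05-02",
     "zip": "03601", "admission_date": "2024-03-15", "dx_code": "E11.9",
     "email": "jane@example.org"},
    {"mrn": "MRN-0002", "name": "John Example", "birth_date": "1980-07-20",
     "zip": "90210", "admission_date": "2024-04-02", "dx_code": "I10"},
]


def run_sample() -> tuple:
    """Run the batch against a fixed 'today' so results are reproducible."""
    return deidentify_batch(SAMPLE_RECORDS, dt.date(2024, 6, 1))


if __name__ == "__main__":
    rows, _mapping = run_sample()
    for row in rows:
        print(row)
```

The first record shows the two edge cases the rule calls out: a 93-year-old becomes "90+" with no birth year, and ZIP 03601 falls in a restricted area so it becomes "000". Note that the mapping from MRN to code is the only way back, so it must be stored and access-controlled as PHI itself.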
What's the Minimum Necessary? - ANSWER--Use/disclose limited PHI to accomplish the intended
purpose of the use, disclosure, or request.
The Minimum Necessary DOES NOT apply to? - ANSWER--Per 45 CFR 164.502(b)(2), it does not apply to:
Treatment (disclosures to, or requests by, a health care provider for treatment; payment and operations
uses remain subject to it)
To the individual directly
To the HHS Secretary, or where required by law
When a valid authorization is granted
Where does Minimum Necessary link to in the Security Rule? - ANSWER--Role-based access: content filters that
limit what each role can see can be used to support the privacy concept.
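An added example (not from the study guide or any cited source) of what a role-based content filter for Minimum Necessary looks like in code: a deny-by-default role-to-field policy, the 164.502(b)(2) exemptions (treatment to a provider, the individual, a valid authorization, the Secretary, required by law) applied before the role check, and an audit record of what was released and withheld so the decision can be reviewed later. Roles, field names, purpose labels and the sample chart are assumptions.

```python
"""Added example, not part of the study guide: a role-based content filter that
enforces Minimum Necessary at the field level and records every decision for the
audit trail. Roles, field names, purposes and the sample record are assumptions."""
from dataclasses import dataclass

# Purposes exempt from Minimum Necessary under 45 CFR 164.502(b)(2): treatment
# (to or from a provider), disclosure to the individual, a valid authorization,
# the HHS Secretary, and disclosures required by law.
EXEMPT_PURPOSES = {"treatment", "individual", "authorization", "hhs_secretary", "required_by_law"}

# Role -> fields that job function needs (assumed). Deny by default: a field not
# listed for the role is filtered out, and a role with no profile gets nothing.
ROLE_FIELDS = {
    "billing": {"mrn", "name", "dob", "insurance_id", "dx_codes", "cpt_codes"},
    "scheduler": {"mrn", "name", "phone", "next_appointment"},
    "quality_reviewer": {"mrn", "dx_codes", "cpt_codes", "admission_date"},
}


@dataclass(frozen=True)
class AccessEvent:
    """One audit record: who saw which fields of which chart, and what was withheld."""
    user: str
    role: str
    mrn: str
    purpose: str
    released: tuple
    withheld: tuple


class MinimumNecessaryFilter:
    def __init__(self):
        self.audit = []

    def release(self, record: dict, *, user: str, role: str, purpose: str) -> dict:
        """Return the subset of `record` this role may see for `purpose`."""
        if purpose in EXEMPT_PURPOSES:
            view = dict(record)  # e.g. the treating clinician gets the whole chart
        elif role in ROLE_FIELDS:
            view = {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}
        else:
            # Unknown role: log the refusal with nothing released, then deny.
            self.audit.append(AccessEvent(user, role, record.get("mrn", "?"), purpose,
                                          (), tuple(sorted(record))))
            raise PermissionError(f"role {role!r} has no minimum-necessary profile")
        self.audit.append(AccessEvent(user, role, record["mrn"], purpose,
                                      tuple(sorted(view)),
                                      tuple(sorted(set(record) - set(view)))))
        return view


# Constructed sample chart (not a real patient).
SAMPLE_RECORD = {
    "mrn": "MRN-0002", "name": "John Example", "dob": "1980-07-20",
    "phone": "555-0100", "insurance_id": "PLAN-77", "dx_codes": ["I10"],
    "cpt_codes": ["99213"], "admission_date": "2024-04-02",
    "next_appointment": "2024-07-01",
    "clinical_notes": "BP elevated; continue lisinopril.",
}


def demo() -> tuple:
    """Billing sees only what claims processing needs; treatment is exempt."""
    flt = MinimumNecessaryFilter()
    billing_view = flt.release(SAMPLE_RECORD, user="clerk1", role="billing", purpose="payment")
    treatment_view = flt.release(SAMPLE_RECORD, user="dr_a", role="attending", purpose="treatment")
    return billing_view, treatment_view, flt


if __name__ == "__main__":
    billing, treatment, flt = demo()
    print(sorted(billing))
    for event in flt.audit:
        print(event)
```

The design choice worth noting is that the exemption is keyed on the purpose of the disclosure, not on the requester's seniority: a clinician pulling the chart for payment review goes through the same role filter as a billing clerk, which is what makes the audit trail meaningful.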
Who can Deceased Individuals information be released to at anytime? - ANSWER--coroners or medical
examiners (and Funeral Directors as necessary to carry out their duties with respect to the decedent)
Preemption under HIPAA means - ANSWER--When federal law states that it preempts or overrides
(supersedes) state law on a particular issue, the federal law is the law that must be followed.
In general, HIPAA preempts state law that is "contrary" to the federal rule.
In many cases, complying with the stronger standard (more stringent) will allow you to comply with both
state law and HIPAA.
Example 1: if state law gives a provider 10 days to respond to a patient's request for a copy of his
medical records, and HIPAA allows 30 days, you can comply with both state and federal law by
responding within 10 days.
Example 2: if state law requires longer period for record keeping than the federal law, then go with the
longer period.
Valid Authorization core elements (see 45 CFR § 164.508(c)(1)): - ANSWER--1. meaningful description of
the information to be disclosed
2. name of the individual/person authorized to make the requested disclosure
3. name or other identification of the recipient of the information
4. description of each purpose of the disclosure
5. expiration date for the authorization
6. signature and date of the individual or their personal representative (someone authorized to make
health care decisions on behalf of the individual)
Valid Authorization 3 key statements (see 45 CFR § 164.508(c)(2)): - ANSWER--The statements are to be
included in a valid Authorization:
• A statement of the person's right to revoke the authorization, the exceptions to that right, and a
description of how to revoke it;
• A statement that treatment, payment, enrollment or eligibility for benefits may NOT be conditioned
upon signing the authorization;
• A statement regarding the potential that the information disclosed pursuant to the authorization may
be re-disclosed by the recipient and, if so, it may no longer be protected by a federal confidentiality law;
Note: the person signing the authorization has the right to (or will receive) a copy of the authorization.
Fill in the blanks: The three types of AUTHORIZATION:
VALID - must have all the 6 required core elements and 3 statements/notices
D_______ - lacks any of the required elements/statements, or expiration date has passed, or revoked,
etc.
C_______ - typically allowed in research studies, this authorization may be combined with another
written permission IF it's for the same research related studies - ANSWER--Defective; Compound
Request for Restrictions - ANSWER--The patient has the right to request restrictions on the use and disclosure
of their information, even for TPO.
The provider must determine whether the request is reasonable; if it agrees to the restriction, it must abide by
the agreement. (One restriction must be granted: a disclosure to a health plan for payment or operations
when the patient has paid out of pocket in full, § 164.522(a)(1)(vi).)
Ref § 164.522(a) - Right of an individual to request restriction of uses and disclosures.
Request for Confidential Communication - ANSWER--Patient may request other communication
channels not typical for the entity, such as email, or meeting in off-site locations.
Which subpart of HIPAA part 164 sets limits on how PHI can be used and shared with others and gives
patients rights over their information
a. Part 164 Subpart E (Privacy Rule)
b. Part 164 Subpart C (Security Rule) - ANSWER--a. Part 164 Subpart E (Privacy Rule)
Subpart C (Security Rule) sets the security standards (administrative, technical, and physical safeguards)
to protect the confidentiality, integrity and availability of ePHI
What is the difference between HIPAA security and privacy? - ANSWER--Security - covers ePHI
Privacy - covers all forms (electronic, oral, written)
45 CFR 164 - Subpart C outlines the three safeguards to ensure the _____, ____, ____ of ePHI that both
CEs and BAs must implement to ensure compliance and protect against reasonably anticipated threats and
reasonably anticipated impermissible uses/disclosures (incidental/inadvertent/unintentional) - ANSWER--
Confidentiality, integrity, availability
Note: Accidental - must still be reported. An accidental HIPAA violation is an unauthorized use or disclosure
of PHI (protected health information) without intent. Even with safeguards and protective measures in
place, a violation can still occur. Examples include an employee accidentally viewing a different patient's
medical record, an email sent to the wrong person, or the loss or theft of a personal device that contains
PHI.
Research HIPAA Waiver criteria: - ANSWER--Research Waiver
An IRB or Privacy Board may waive the authorization requirement only if all of the waiver criteria in
45 CFR 164.512(i)(2)(ii) are met:
1) the use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals (including an
adequate plan to protect the identifiers, to destroy them at the earliest opportunity, and written assurances
that the PHI will not be reused or disclosed except as permitted);
2) the research could not practicably be conducted without the waiver; and
3) the research could not practicably be conducted without access to and use of the PHI.
What's malicious software? - ANSWER--malware, is software that is used to control or take over
applications, workstations, or servers, damage/disrupt a system.
See Security Rule, definitions - 45 CFR 164.304
A covered entity may use or disclose PHI for TPO...what does TPO stand for - ANSWER--Treatment
Payment
Health Care Operations
True or False:
Payer/health plans are allowed to use/disclose beneficiary's PHI in activities such as legal services,
medical review, and fraud and abuse detection - ANSWER--TRUE
A provider receives a request from the Social Security Administration for PHI relating to a person's
application for benefits. Which of the following is the correct method of release?
A. Since it is to a federal agency, an authorization from the patient is not needed, so PHI can be released.
B. The provider should review the PHI and make a decision on the minimum necessary and release.
C. The provider should notify the patient and obtain a signed authorization prior to release.
D. Release the information because the patient signed a consent for treatment. - ANSWER--C. The
provider should notify the patient and obtain a signed authorization prior to release
Also known as the "Stimulus Act" or the "Recovery Act", enacted in 2009; its main purpose was to create
jobs and stimulate economic growth; it also included provisions to promote health information
technology - ANSWER--American Recovery and Reinvestment Act (ARRA)
C.I.A. (HIPAA) stands for? - ANSWER--Confidentiality (not made available or disclosed to unauthorized persons)
Integrity (not altered or destroyed in an unauthorized manner)
Availability (accessible and usable on demand by authorized persons)
Comprehensive legislation that ensures access to health coverage for those who change jobs or are
temporarily out of work. It also provides the mechanism for funding the Department of Justice and the
FBI for health care fraud investigations - ANSWER--Health Insurance Portability and Accountability Act
(HIPAA)
True or False:
The HIPAA Privacy and Security rules were promulgated to make health care interstate commerce equal,
thus creating a national health care privacy and security baseline or floor - ANSWER--TRUE
One of the barriers before HIPAA was signed into law was the lack of access and national standards. The
Privacy and Security provisions were integral elements as many States did not have privacy rights or
individual right of access to healthcare records.
Re: HCCA Privacy Compliance Handbook
True or False:
The Office for Civil Rights (OCR) is the entity that oversees HIPAA, and the agency's goal is to ensure that
patients' health information is properly protected while allowing for the flow of health information
needed.
OCR also provides excellent guidance on steps to take if an entity experiences a cyberattack. - ANSWER--TRUE
True or False:
A cyberattack could result in negative press against the organization and lack of trust from patients. It
could also result in a privacy breach, which puts patients at risk for identity theft and other fraudulent
activity. - ANSWER--TRUE
Cyberattacks threaten patient privacy, clinical outcomes, financial resources, and the organization's
reputation within the community that it serves.
A recent study by the Ponemon Institute and IBM Security found that human error accounted for 95% of
cybersecurity breaches.
True or False:
When disclosing PHI to legal authorities, a government agency, or a public official, the CE must verify the
requester's identity, for instance by asking for a government badge/ID or credential, or some other proof of
government status such as written government letterhead, a warrant, a memorandum, etc. - ANSWER--TRUE
Computerized medical records (data on magnetic media) are destroyed by - ANSWER--Magnetic degaussing
Covered entities participating in an Organized Health Care Arrangement are permitted to
A. act as a single covered entity