✔✔What are examples of a BA? - ✔✔A BA (Business Associate) performs functions or
activities on behalf of a covered entity that involve access by the business associate to
protected health information.
Examples:
claims processing
data analysis
billing
benefit management
quality assurance
quality improvement
practice management
legal
actuarial
accounting
accreditation
other administrative services
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
✔✔True or False:
A hospital is not required to have a business associate contract with the specialist to
whom it refers a patient and transmits the patient's medical chart for treatment
purposes. - ✔✔TRUE
Remember, use and disclosure of PHI for purposes of TPO requires no specific
authorization
✔✔True or False:
Business Associates After HITECH:
HITECH made business associates directly responsible for HIPAA compliance within
their individual businesses that would not otherwise be subject to HIPAA regulations
and penalties - ✔✔TRUE
Even if no written contract exists between the covered entity and a contracted company
performing services related to handling PHI in some form, the company is deemed a
business associate by law. This deemed status essentially classifies contracted vendors
or individuals as business associates solely by the nature of the services they provide to
a covered entity, regardless of whether they intended to be classified as business
associates or were aware of their status as such. HIPAA and HITECH may hold these
vendors to business associate obligations as long as they act as business associates.
Likewise, a subcontractor that creates, receives, maintains, or transmits PHI on behalf
of a business associate is a business associate. A subcontractor of a subcontractor is a
business associate as well, and so on down the line.
Ref. 2023 HCCA Complete Healthcare Compliance Manual
Ref. HITECH Act and OCR's 2013 final rule
✔✔True or False:
Under HIPAA and HITECH, individuals or entities who have been identified as business
associates are obligated to enter into a business associate agreement with their
contracted covered entities. - ✔✔TRUE
The business associate agreement mandate falls under the HIPAA Privacy Rule. There are
some exceptions, such as:
- for purposes of TPO, including payment for health plan premiums
- for determining health plan eligibility and enrollment
- when there is no involvement of use/disclosure of PHI (e.g., building maintenance)
✔✔Except for TPO, list two examples where a CE requires an authorization to
use/disclose PHI - ✔✔1. Sales and marketing
2. Psychotherapy notes
✔✔How do you determine if an entity is subject to HIPAA? - ✔✔By understanding the
applicability (healthcare component), entities that transmit health information and fall
under the 3 types of CE (health plans, clearinghouses, and providers)
✔✔HIPAA provides standards for the access, disclosure, transmission, and retention of
PHI, and created a national baseline for health information privacy and security. At the
state level, states can also develop health information statutes, but only by adding higher or
more restrictive standards than the Federal HIPAA rules. This is referred to as:
a. HIPAA status
b. HIPAA assurance
c. HIPAA preemption
d. HIPAA state law - ✔✔c. HIPAA preemption
✔✔What is the intent of HIPAA?
a. standardize healthcare billing and coding to comply with national accounting
principles
b. increase payment from providers given the rising cost of healthcare and fraud
violations
c. allow group health plans to collect premiums after an individual has left a job/employer
d. improve healthcare programs and data flow between providers to data mine for
fraudulent behavior - ✔✔d. improve healthcare programs and data flow between
providers to data mine for fraudulent behavior
The intent of HIPAA is to improve healthcare programs and the delivery of services
through the two largest health plans in the U.S. This is accomplished by improved data
flows that lead to better outcomes, using national standard formats and specific
transactions to increase accuracy and provide a rapid way to data mine and detect fraudulent
behavior.
The specific data flows are outlined in the Transaction & Code Set Rules 45 CFR
162.100 - 162.1902
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-162
✔✔True or False:
A physician is required to have a business associate contract with a laboratory as a
condition of disclosing protected health information for the treatment of an individual. -
✔✔FALSE
Remember, use and disclosure of PHI for purposes of TPO requires no specific
authorization
✔✔True or False:
A hospital laboratory is not required to have a business associate contract to disclose
protected health information to a reference laboratory for treatment of the individual. -
✔✔TRUE
Remember, use and disclosure of PHI for purposes of TPO requires no specific
authorization
✔✔True or False:
Research use/disclosure with individual authorization does not expire or continue until
the end of the research study - ✔✔TRUE
https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html
✔✔True or False:
Research use/disclosure with individual authorization may be combined with an
authorization for a different research activity if research related treatment is conditioned
on the provision of one of the authorizations - ✔✔TRUE
https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html
✔✔True or False:
Research use/disclosure with individual authorization may be combined with other legal
permission or consent to participate in the research - ✔✔TRUE
https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html
✔✔True or False:
It is possible for a facility with multiple provider functions to have certain isolated
providers or groups who are subject to Part 2, while the facility as a whole is not subject
to Part 2. For example, a large facility may have primary care providers and a separate
unit that provides SUD services. - ✔✔TRUE
Explanation:
The SUD unit is subject to Part 2, but the rest of the facility is not.
✔✔True or False:
An individual provider who works in a general medical facility could also be a Part 2
program IF the provider's primary function is to provide SUD services. - ✔✔TRUE
Explanation:
For example, a primary care physician who provides medication-assisted treatment
would only meet the requirement if providing services to persons with SUD is their
primary function. However, if a patient were to receive both primary care and SUD
treatment, the SUD providers are still subject to Part 2 and could not share information
with the patient's primary care provider without consent.
✔✔True or False:
If a program or facility provides both SUD services and mental health services, and
a patient has been admitted to receive both services, his/her records will be subject to
the Part 2 regulations. - ✔✔FALSE
Explanation:
Mental health information is not subject to the standards in 42 CFR Part 2 and can be
shared without consent for treatment purposes, including care coordination, as allowed
under HIPAA.
Only records or information about patients receiving SUD services will be subject to Part
2 and its use/disclosure is more restrictive. However, to allow appropriate
mental/behavioral health information sharing with SUD information, a Qualified Service
Organization Agreement (QSOA) would be needed as defined in 42 CFR 2.11
"Qualified service organization" section.
✔✔What are the 4 federal regulations and/or government agencies that govern the
privacy of individually identifiable information in research? - ✔✔1. HHS-FDA (protection of
human subjects and IRBs)
2. HHS-NIH (certificate of confidentiality)
3. HHS-Office of Human Research Protections (Common Rule)
4. HHS-OCR - HIPAA Privacy Rule
Ref. HCCA Privacy Handbook 3rd Ed