UNDERSTANDING HIPAA EXAM
QUESTIONS AND ANSWERS
Authentication - Answer-is the process by which a user or system is identified.
Authentication is based on one or more factors. In classic security terminology, these
are ownership factors (what someone has), knowledge factors (what someone knows)
and inherence factors (what someone is or does)
Business associate - Answer-is a third party who provides a service for a covered entity,
and who will be exposed regularly to PHI
Business association agreement - Answer-is established to get the business associate
to officially acknowledge that they will protect the privacy rights of the subject individual.
It allows a covered entity to prove that the associate knows that it cannot engage in any
unauthorized uses or disclosures of any PHI they may come into contact with
Chain of trust agreement - Answer-is where each party promises that information will be
properly transmitted and stored. It is often a central part of a business associate
agreement. A chain of trust agreement involves identifying each time information is
received and processed along its transmission path
Chain of trust - Answer-applies primarily to information in electronic form. However,
chain of trust applies regardless of whether information is transmitted electronically or
shipped via regular mail. Whenever you and a recipient have taken steps to ensure that
information is properly sent and received, you have established a chain of trust. A chain
of trust involves the following three elements: The creation of security mechanisms,
including forms of authentication, to determine identity as well as provide encryption to
ensure data privacy
Charts - Answer-are documents that include detailed information kept by the doctor on a
patient
Civil penalties - Answer-are those that involve private parties against each other
Covered entity - Answer-is an organization that must follow HIPAA rules. Examples
include: Health care professionals from any and all disciplines, as well as their
assistants. Clinics, pharmacies and hospitals. Health insurance companies. Health care
clearing houses. Health care providers with financial or administrative duties, including
those who transmit information in electronic form. And federal and state government
employees involved with medical professionals
Criminal penalties - Answer-are those penalties that would involve charges in a criminal
court. The federal government would bring these charges up and prosecute accordingly
, Database - Answer-are places where information is stored so that it can be easily
retrieved and manipulated
De-identified information - Answer-contains statistics about disease penetration into
specific demographics, like gender or race. De-identified information never includes
specific names of people
Electronically Protected Information - Answer-is another way to refer to confidential
patient information
Encryption - Answer-is the process of applying a specific algorithm to data to change
the appearance of the data. This process makes the data incomprehensible to those
who are not authorized to view the information
Exclusion period - Answer-is the maximum amount of time that individuals need to wait
for coverage of a pre-existing condition. It can be no longer than 12 months, or 18
months if the individual has not enrolled during the open enrollment period
Health Insurance Portability and Accountability Act (HIPAA) - Answer-is a set of
mandatory laws, rules and standards meant to help individuals ensure that their medical
information is properly gathered, stored and managed. It also ensures that individuals
have access to their own medical information and that individuals are properly informed
about choices that are available to them in regards to their private information. It made a
federal law in 1996, was designed to ensure that all parties associated with the health
care industry clearly understand their rights and responsibilities
HIPAA compliance officer - Answer-HIPAA requires that each covered entity have an
employee referred to as the "privacy officer" or the "privacy official." It is often someone
in middle or possibly senior management. Responsibilities include establishing HIPAA-
compliant procedures and policies; making sure rules and policies are posted; training
individuals to conform to HIPAA regulations; fielding questions about procedures;
authorizing the transfer of information between covered entities; handling HIPAA-related
complaints from customers and workers; requesting changes to information; and
handling special circumstances, such as processing particularly sensitive information,
like AIDS data
HIPAA privacy acknowledgment form - Answer-explains the rights individuals have, as
well as the responsibilities health care providers have
Hybrid entity - Answer-refers to a larger company that is designated as the covered
entity. It is designated as such because some departments and divisions in the
company are directly involved in medical information, and are therefore covered entities.
However, other departments and divisions will have nothing to do with processing PHI
Incidental exposure - Answer-exists only if the covered entity has taken reasonable
steps to ensure that it has tried to protect patient information
QUESTIONS AND ANSWERS
Authentication - Answer-is the process by which a user or system is identified.
Authentication is based on one or more factors. In classic security terminology, these
are ownership factors (what someone has), knowledge factors (what someone knows)
and inherence factors (what someone is or does)
Business associate - Answer-is a third party who provides a service for a covered entity,
and who will be exposed regularly to PHI
Business association agreement - Answer-is established to get the business associate
to officially acknowledge that they will protect the privacy rights of the subject individual.
It allows a covered entity to prove that the associate knows that it cannot engage in any
unauthorized uses or disclosures of any PHI they may come into contact with
Chain of trust agreement - Answer-is where each party promises that information will be
properly transmitted and stored. It is often a central part of a business associate
agreement. A chain of trust agreement involves identifying each time information is
received and processed along its transmission path
Chain of trust - Answer-applies primarily to information in electronic form. However,
chain of trust applies regardless of whether information is transmitted electronically or
shipped via regular mail. Whenever you and a recipient have taken steps to ensure that
information is properly sent and received, you have established a chain of trust. A chain
of trust involves the following three elements: The creation of security mechanisms,
including forms of authentication, to determine identity as well as provide encryption to
ensure data privacy
Charts - Answer-are documents that include detailed information kept by the doctor on a
patient
Civil penalties - Answer-are those that involve private parties against each other
Covered entity - Answer-is an organization that must follow HIPAA rules. Examples
include: Health care professionals from any and all disciplines, as well as their
assistants. Clinics, pharmacies and hospitals. Health insurance companies. Health care
clearing houses. Health care providers with financial or administrative duties, including
those who transmit information in electronic form. And federal and state government
employees involved with medical professionals
Criminal penalties - Answer-are those penalties that would involve charges in a criminal
court. The federal government would bring these charges up and prosecute accordingly
, Database - Answer-are places where information is stored so that it can be easily
retrieved and manipulated
De-identified information - Answer-contains statistics about disease penetration into
specific demographics, like gender or race. De-identified information never includes
specific names of people
Electronically Protected Information - Answer-is another way to refer to confidential
patient information
Encryption - Answer-is the process of applying a specific algorithm to data to change
the appearance of the data. This process makes the data incomprehensible to those
who are not authorized to view the information
Exclusion period - Answer-is the maximum amount of time that individuals need to wait
for coverage of a pre-existing condition. It can be no longer than 12 months, or 18
months if the individual has not enrolled during the open enrollment period
Health Insurance Portability and Accountability Act (HIPAA) - Answer-is a set of
mandatory laws, rules and standards meant to help individuals ensure that their medical
information is properly gathered, stored and managed. It also ensures that individuals
have access to their own medical information and that individuals are properly informed
about choices that are available to them in regards to their private information. It made a
federal law in 1996, was designed to ensure that all parties associated with the health
care industry clearly understand their rights and responsibilities
HIPAA compliance officer - Answer-HIPAA requires that each covered entity have an
employee referred to as the "privacy officer" or the "privacy official." It is often someone
in middle or possibly senior management. Responsibilities include establishing HIPAA-
compliant procedures and policies; making sure rules and policies are posted; training
individuals to conform to HIPAA regulations; fielding questions about procedures;
authorizing the transfer of information between covered entities; handling HIPAA-related
complaints from customers and workers; requesting changes to information; and
handling special circumstances, such as processing particularly sensitive information,
like AIDS data
HIPAA privacy acknowledgment form - Answer-explains the rights individuals have, as
well as the responsibilities health care providers have
Hybrid entity - Answer-refers to a larger company that is designated as the covered
entity. It is designated as such because some departments and divisions in the
company are directly involved in medical information, and are therefore covered entities.
However, other departments and divisions will have nothing to do with processing PHI
Incidental exposure - Answer-exists only if the covered entity has taken reasonable
steps to ensure that it has tried to protect patient information
