Exam (elaborations)

HCCA - CHPC Overview AND STUDY GUIDE

Pages: 44
Grade: A+
Uploaded on: 09-03-2025
Written in: 2024/2025

Institution: HCCA - CHPC Study
Course: HCCA - CHPC Study
HCCA - CHPC Study Questions AND ANSWERS

1. What are the required core elements of a VALID Authorization? Ref. 45 CFR 164.508(b)
1. Description
2. Purpose use/disclosure
3. Recipient
4. Authorized person making the disclosure
5. Expiration date
6. Signature/dates

38 U.S.C. 7332 deals with confidentiality of patient medical record information related to:
a. drug abuse, sexually transmitted diseases, and tuberculosis
b. HIV/AIDS status
c. drug abuse, alcoholism, infection with the HIV virus, and sickle cell anemia
d. mental illness, HIV status, drug and alcohol abuse
Answer: c. drug abuse, alcoholism, infection with the HIV virus, and sickle cell anemia

45 CFR 164 - Subpart C outlines the three safeguards to ensure the _____, ____, ____ of ePHI
that both CE and BA must implement to ensure compliance and protect against anticipated
threats, and/or reasonably anticipated uses/disclosures (incidental/inadvertent/unintentional)
Answer: Confidentiality, integrity, availability

Note: Accidental - must be reported. An accidental HIPAA violation refers to the unauthorized
disclosure of PHI (protected health information) without intent. Despite having safeguards and
protective measures in place, there is still a possibility of breaching HIPAA regulations. These
types of violations could include an employee accidentally seeing a different patient's medical
records, an email being sent to the wrong person or the loss or theft of a personal device that
contains PHI. https://www.hipaajournal.com/accidental-hipaa-violation/

A clinic has patient data that an independent researcher would like to access. The researcher only
needs de-identified information, but the clinic does not have the resources to strip the patients'
identifiers from the data being requested. The researcher does have the resources and offers to
remove the identifiers before beginning the research. A privacy official should inform that it can
provide the PHI to the researcher if the clinic:
a. notifies each patient whose information is disclosed
b. modifies the hospital's NPP
c. requires the researcher to obtain waiver of authorization
d. has the researcher show proof of privacy training
Answer: c. requires the researcher to obtain waiver of authorization

A co-worker is called away for a short errand and leaves the clinic PC logged onto the
confidential information system. You need to look up information using a computer. Aside from
notifying the appropriate person, what is the best approach you should take?
a. To save time, just continue working under your co-worker's User-ID.
b. Log your co-worker off and re-login under your own User-ID and password.
c. Do nothing.
d. All of the answers.
Answer: b. Log your co-worker off and re-login under your own User-ID and password.

A Covered Entity may deny an individual access to their PHI under specific circumstances set
forth in 45 CFR 164.524 (a)(2). Which of the following doesn't fall under those circumstances?
a. Request for psychotherapy notes
b. if it jeopardizes the health, safety, security, rehab of individual (e.g. inmate's request, suicidal
patient)
c. during the course of research/clinical trial
d. to request restrictions of their PHI
Answer: a. Request for psychotherapy notes

Under the HIPAA Privacy Rule, an individual has the right to request a copy of, an amendment to,
and restrictions on their PHI, to request confidential communications involving their PHI, and to
request a list of disclosures. See 45 CFR § 164.524 (a)(2)
https://www.hhs.gov/hipaa/for-professionals/faq/2046/under-what-circumstances-may-a-covered-entity/index.html
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

A covered entity may disclose protected health information (PHI) without a patient's written
permission for:
a. Treatment purposes
b. Payment
c. Health care operations activities
d. All of the above
Answer: d. All of the above (a covered entity may use or disclose PHI for TPO)

A covered entity may use or disclose PHI for TPO. What does TPO stand for?
Answer: Treatment, Payment, Health Care Operations

A covered entity must designate a ___________________ who is responsible for developing and
implementing its security policies and procedures.
a. physician
b. security official
c. police officer
d. custodian
Answer: b. security official

A covered entity must obtain the patient's written authorization for any use or disclosure of
protected health information (PHI) in which circumstances?
a. Marketing activities
b. Research
c. PHI sales and licensing
d. Information sharing needed for treatment
e. A and C only
f. All of the above
Answer: e. A and C only

Ref. Permitted Uses and Disclosures section -
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

A health care provider wants to disclose protected health information (PHI) about a student to a
school nurse or physician. Does the HIPAA Privacy Rule allow this?
Yes. The HIPAA Privacy Rule allows covered health care providers to disclose PHI about
students to school nurses, physicians, or other health care providers for treatment purposes,
without the authorization of the student or student's parent.
OR
No. The HIPAA Privacy Rule mandates parental consent in this case.
Answer: Yes!
Ref. https://www.hhs.gov/hipaa/for-professionals/faq/ferpa-and-hipaa/index.html

A health system implemented an EHR in 55 clinics. The privacy professional is told employees
are inconsistently interpreting the policy addressing employee access to EHR. Which of the
following is the privacy professional's BEST strategy?
a. Collaborate with HR to ensure appropriate discipline
b. Perform an audit under Attorney-Client Privilege
c. Conduct surveys of clinic employees' concerns
d. Audit a random sampling of clinics across the organization
Answer: c. Conduct surveys of clinic employees' concerns

A HIPAA Valid Authorization must include all 6 core elements and 3 required statements; lack
of any of these elements would be considered a _________ authorization.
Answer: Defective Authorization.

For instance:
(i) The authorization expiration date has passed or the expiration event is known by the covered
entity to have occurred;
(ii) The authorization has not been filled out completely (missing core elements and required
statements);
(iii) The authorization is known by the covered entity to have been revoked;
(iv) The authorization violates the provisions on compound authorizations or the prohibition on
conditioning of authorizations, if applicable;
(v) Any material information in the authorization is known by the covered entity to be false.
Ref. 45 CFR 164.508(b)(2)

A photo of a nurse doing a procedure on a patient in the hospital has been posted on a social
networking site. HR has identified the nurse in the photo and the patient. HR asks the privacy
professional for a recommendation for disciplinary action. Before providing a recommendation,
the privacy professional should determine if the
a. 60-day timeline for reporting the breach to DHHS has lapsed
b. photo was posted during work hours or an unpaid break
c. nurse was aware that she was being photographed
d. patient says they gave permission for the photo
Answer: c. nurse was aware that she was being photographed

A privacy professional has been notified that there had been a data breach of a clinical system
containing PHI. Which of the following is the source of the notification requirements?
a. FERPA Provisions
b. HIPAA Security Rule
c. HITECH Act
d. Privacy Act
Answer: c. HITECH Act

Remember, HITECH was signed into law as part of ARRA 2009 to promote adoption of
meaningful use

A privacy professional is assisting IT with the development of proper controls to protect the
privacy of the organization's data. Which of the following is an employee-related control?
a. Breach response procedures
b. Annual evaluations
c. Contractual requirements
d. User passwords
Answer: d. User passwords

A privacy professional is preparing an education session in follow-up to a recent increase of lost
or misplaced thumb drives that may have contained PHI including patient SSNs. Which of the
following would be the MOST beneficial for the privacy professional to review when preparing
the education session?
a. GINA
b. HITECH
c. Sarbanes-Oxley
d. Social Security Act
Answer: b. HITECH

A privacy professional is reviewing a program for an academic medical center that includes a
faculty group practice, hospital, student health center, and self-funded group health plan. The
privacy professional should evaluate if the program has notices for:
a. GINA
b. FMLA
c. HIPAA
d. FISMA
Answer: b. HIPAA

A privacy professional verified that a Business Associate is selling an individual's PHI. The BA
can claim they were compliant with regulatory requirements if they obtained:
a. authorization from the individual
b. consent from the individual
c. authorization from the healthcare entity
d. consent from the healthcare entity
Answer: a. authorization from the individual

A provider receives a request from the Social Security Administration for PHI relating to a
person's application for benefits. Which of the following is the correct method of release?
A. Since it is to a federal agency, an authorization from the patient is not needed, so PHI can be
released.
B. The provider should review the PHI and make a decision on the minimum necessary and
release.
C. The provider should notify the patient and obtain a signed authorization prior to release.
D. Release the information because the patient signed a consent for treatment.
Answer: C. The provider should notify the patient and obtain a signed authorization prior to release