HCCA - CHPC Study Questions
(MASTER FLASHCARDS) CORRECT
ANSWERS
What is the purpose of HIPAA? - CORRECT ANSWER-• Protect PHI from unauthorized
disclosure/use;
• Prevent fraud, waste and abuse (via Administrative Simplification);
• Make health insurance portable under ERISA;
• Move health care onto a nationally standardized electronic billing platform
Ref. https://quizlet.com/6202453/hcca-chpc-overview-flash-cards/
More on HIPAA: https://www.hhs.gov/hipaa/index.html
HIPAA resides in which CFR section? - CORRECT ANSWER-45 CFR sections 164.102
through 164.534
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
What are the subparts of HIPAA part 164? - CORRECT ANSWER-HIPAA - 45 CFR
164, subparts:
Subpart A - General rules
Subpart C - Security
Subpart D - Breach notification
Subpart E - Privacy
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
How do you determine if an organization is a "Covered Entity"? - CORRECT ANSWER-
1. compare if the organization meets one of the 3 types of CE (provider, health plan,
clearinghouse)
and
2. determine if the organization electronically transmits one of the 9 defined
transactions:
• Health claims or equivalent encounter information
• Health claims attachments
• Enrollment and disenrollment in a health plan
• Eligibility for a health plan
,• Health care payment and remittance advice
• Health plan premium payments
• First report of injury
• Health claim status
• Referral certification and authorization
In addition, business associates of covered entities must follow parts of the HIPAA
regulations.
https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
This Act established in 1974 was created for government agencies placing restrictions
on how the government can share the information maintained in Federal systems of
records that might infringe on an individual's privacy rights with other individuals and
agencies. - CORRECT ANSWER-The Privacy Act of 1974
Which of the following is not considered a HIPAA Entity Designation:
1. Affiliated covered entity
2. Entity that performs healthcare and non-healthcare component activities including
both covered and non-covered functions
3. A group health plan
4. Contract arrangement with FEDEX carrier - CORRECT ANSWER-4. Contract
arrangement with FEDEX carrier
What is Gramm-Leach-Bliley Act (GLBA)? - CORRECT ANSWER-Gramm-Leach-Bliley
Act (GLBA), also known as the Financial Services Modernization Act of 1999, includes
The Financial Privacy Rule and The Safeguards Rule requires all financial institutions to
protect customer's personal financial information.
What is an OHCA? - CORRECT ANSWER-OHCA (Organized Health Care
Arrangement) it's a clinically integrated care setting where individuals receive health
care from more than one provider.
These are joint arrangements/activities and have an Integrated Delivery System for
easy exchange of PHI data. See 45 CFR 160.103. OHCAs can also utilize a joint NPP.
See 45 CFR § 164.520(d).
ACE (Affiliated Covered Entity) do not have an Integrated Delivery System because
these are legally separate covered entities that are associated in business, or affiliated
as a result of some common control or ownership.
Both the OHCA and the ACE would allow sharing of PHI across participating entity lines
for treatment, payment, operations purposes (TPO).
What's an ACE? - CORRECT ANSWER-ACE (Affiliated Covered Entity)
Legally separate covered entities that share common control/ownership and designate
themselves as a single CE for the purpose of complying with the HIPAA Privacy
standards.
,ACEs do not have an Integrated Delivery System, while OHCA do, and can share a
single NPP. See 45 CFR § 164.520(d)
ACE example: a health system composed on several affiliated hospitals.
Both the OHCA and the ACE would allow sharing of PHI across participating entity lines
for treatment, payment, operations purposes (TPO).
What's a Hybrid Entity? - CORRECT ANSWER-Entity that conducts both covered
functions (or healthcare-functions) and non-covered functions (other biz/non-healthcare
functions) to elect to be a "hybrid entity."
For instance, a University System that has a research laboratory or academic medical
center.
The post-secondary functions (non-healthcare components) do NOT need to comply
with HIPAA.
The research lab/med center functions (healthcare component) needs to comply with
HIPAA provisions to protect the use/disclosure of PHI involved.
https://www.hhs.gov/hipaa/for-professionals/faq/315/when-does-a-covered-entity-have-
discretion-to-determine-covered-
functions/index.html#:~:text=For%20example%2C%20a%20hybrid%20entity,hybrid%20
entity's%20health%20care%20component.
https://privacyruleandresearch.nih.gov/pr_06.asp
The transmission of information between two parties to carry out financial or
administrative activities related to health care is called: - CORRECT ANSWER-
Transaction (healthcare transaction).
Few examples of healthcare transactions:
healthcare claims;
coordination of benefits;
health plan premium payments;
remittance advice (or ETF, electronic fund transfer);
referral certification and authorization
What are examples of a BA? - CORRECT ANSWER-BA (Business Associate) -
performs functions or activities on behalf of a covered entity that involve access by the
business associate to protected health information.
Examples:
claims processing
data analysis
billing
benefit management
quality assurance
, quality qimprovement
practice qmanagement
legal
actuarial
accounting
accreditation
other qadministrative qservices
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-
associates/index.html
True qor qFalse:
A qhospital qis qnot qrequired qto qhave qa qbusiness qassociate qcontract qwith qthe qspecialist qto
qwhom qit qrefers qa qpatient qand qtransmits qthe qpatient's qmedical qchart qfor qtreatment
qpurposes. q- qCORRECT qANSWER-TRUE
Remember, quse qand qdisclosure qof qPHI qfor qpurposes qof qTPO qrequires qno qspecific
qauthorization
True qor qFalse:
Business qAssociates qAfter qHITECH:
HITECH qmade qbusiness qassociates qdirectly qresponsible qfor qHIPAA qcompliance qwithin
qtheir qindividual qbusinesses qthat qwould qnot qotherwise qbe qsubject qto qHIPAA qregulations
qand qpenalties q- qCORRECT qANSWER-TRUE
Even qif qno qwritten qcontract qexists qbetween qthe qcovered qentity qand qa qcontracted
qcompany qperforming qservices qrelated qto qhandling qPHI qin qsome qform, qthe qcompany qis
qdeemed qa qbusiness qassociate qby qlaw. qThis qdeemed qstatus qessentially qclassifies
qcontracted qvendors qor qindividuals qas qbusiness qassociates qsolely qby qthe qnature qof qthe
qservices qthey qprovide qto qa qcovered qentity, qregardless qof qwhether qthey qintended qto qbe
qclassified qas qbusiness qassociates qor qwere qaware qof qtheir qstatus qas qsuch. qHIPAA qand
qHITECH qmay qhold qthese qvendors qto qbusiness qassociate qobligations qas qlong qas qthey
qact qas qbusiness qassociates.
Likewise, qa qsubcontractor qthat qcreates, qreceives, qmaintains, qor qtransmits qPHI qon qbehalf
qof qa qbusiness qassociate qis qa qbusiness qassociate. qA qsubcontractor qof qa qsubcontractor qis
qa qbusiness qassociate qas qwell, qand qso qon qdown qthe qline.
Ref. q2023 qHCCA qComplete qHealthcare qCompliance qManual
Ref. qHITECH qAct qand qOCR's q2013 qfinal qrule
True qor qFalse:
Under qHIPAA qand qHITECH, qindividuals qor qentities qwho qhave qbeen qidentified qas
qbusiness qassociates qare qobligated qto qenter qinto qa qbusiness qassociate qagreement qwith
qtheir qcontracted qcovered qentities. q- qCORRECT qANSWER-TRUE
(MASTER FLASHCARDS) CORRECT
ANSWERS
What is the purpose of HIPAA? - CORRECT ANSWER-• Protect PHI from unauthorized
disclosure/use;
• Prevent fraud, waste and abuse (via Administrative Simplification);
• Make health insurance portable under ERISA;
• Move health care onto a nationally standardized electronic billing platform
Ref. https://quizlet.com/6202453/hcca-chpc-overview-flash-cards/
More on HIPAA: https://www.hhs.gov/hipaa/index.html
HIPAA resides in which CFR section? - CORRECT ANSWER-45 CFR sections 164.102
through 164.534
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
What are the subparts of HIPAA part 164? - CORRECT ANSWER-HIPAA - 45 CFR
164, subparts:
Subpart A - General rules
Subpart C - Security
Subpart D - Breach notification
Subpart E - Privacy
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
How do you determine if an organization is a "Covered Entity"? - CORRECT ANSWER-
1. compare if the organization meets one of the 3 types of CE (provider, health plan,
clearinghouse)
and
2. determine if the organization electronically transmits one of the 9 defined
transactions:
• Health claims or equivalent encounter information
• Health claims attachments
• Enrollment and disenrollment in a health plan
• Eligibility for a health plan
,• Health care payment and remittance advice
• Health plan premium payments
• First report of injury
• Health claim status
• Referral certification and authorization
In addition, business associates of covered entities must follow parts of the HIPAA
regulations.
https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
This Act established in 1974 was created for government agencies placing restrictions
on how the government can share the information maintained in Federal systems of
records that might infringe on an individual's privacy rights with other individuals and
agencies. - CORRECT ANSWER-The Privacy Act of 1974
Which of the following is not considered a HIPAA Entity Designation:
1. Affiliated covered entity
2. Entity that performs healthcare and non-healthcare component activities including
both covered and non-covered functions
3. A group health plan
4. Contract arrangement with FEDEX carrier - CORRECT ANSWER-4. Contract
arrangement with FEDEX carrier
What is Gramm-Leach-Bliley Act (GLBA)? - CORRECT ANSWER-Gramm-Leach-Bliley
Act (GLBA), also known as the Financial Services Modernization Act of 1999, includes
The Financial Privacy Rule and The Safeguards Rule requires all financial institutions to
protect customer's personal financial information.
What is an OHCA? - CORRECT ANSWER-OHCA (Organized Health Care
Arrangement) it's a clinically integrated care setting where individuals receive health
care from more than one provider.
These are joint arrangements/activities and have an Integrated Delivery System for
easy exchange of PHI data. See 45 CFR 160.103. OHCAs can also utilize a joint NPP.
See 45 CFR § 164.520(d).
ACE (Affiliated Covered Entity) do not have an Integrated Delivery System because
these are legally separate covered entities that are associated in business, or affiliated
as a result of some common control or ownership.
Both the OHCA and the ACE would allow sharing of PHI across participating entity lines
for treatment, payment, operations purposes (TPO).
What's an ACE? - CORRECT ANSWER-ACE (Affiliated Covered Entity)
Legally separate covered entities that share common control/ownership and designate
themselves as a single CE for the purpose of complying with the HIPAA Privacy
standards.
,ACEs do not have an Integrated Delivery System, while OHCA do, and can share a
single NPP. See 45 CFR § 164.520(d)
ACE example: a health system composed on several affiliated hospitals.
Both the OHCA and the ACE would allow sharing of PHI across participating entity lines
for treatment, payment, operations purposes (TPO).
What's a Hybrid Entity? - CORRECT ANSWER-Entity that conducts both covered
functions (or healthcare-functions) and non-covered functions (other biz/non-healthcare
functions) to elect to be a "hybrid entity."
For instance, a University System that has a research laboratory or academic medical
center.
The post-secondary functions (non-healthcare components) do NOT need to comply
with HIPAA.
The research lab/med center functions (healthcare component) needs to comply with
HIPAA provisions to protect the use/disclosure of PHI involved.
https://www.hhs.gov/hipaa/for-professionals/faq/315/when-does-a-covered-entity-have-
discretion-to-determine-covered-
functions/index.html#:~:text=For%20example%2C%20a%20hybrid%20entity,hybrid%20
entity's%20health%20care%20component.
https://privacyruleandresearch.nih.gov/pr_06.asp
The transmission of information between two parties to carry out financial or
administrative activities related to health care is called: - CORRECT ANSWER-
Transaction (healthcare transaction).
Few examples of healthcare transactions:
healthcare claims;
coordination of benefits;
health plan premium payments;
remittance advice (or ETF, electronic fund transfer);
referral certification and authorization
What are examples of a BA? - CORRECT ANSWER-BA (Business Associate) -
performs functions or activities on behalf of a covered entity that involve access by the
business associate to protected health information.
Examples:
claims processing
data analysis
billing
benefit management
quality assurance
, quality qimprovement
practice qmanagement
legal
actuarial
accounting
accreditation
other qadministrative qservices
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-
associates/index.html
True qor qFalse:
A qhospital qis qnot qrequired qto qhave qa qbusiness qassociate qcontract qwith qthe qspecialist qto
qwhom qit qrefers qa qpatient qand qtransmits qthe qpatient's qmedical qchart qfor qtreatment
qpurposes. q- qCORRECT qANSWER-TRUE
Remember, quse qand qdisclosure qof qPHI qfor qpurposes qof qTPO qrequires qno qspecific
qauthorization
True qor qFalse:
Business qAssociates qAfter qHITECH:
HITECH qmade qbusiness qassociates qdirectly qresponsible qfor qHIPAA qcompliance qwithin
qtheir qindividual qbusinesses qthat qwould qnot qotherwise qbe qsubject qto qHIPAA qregulations
qand qpenalties q- qCORRECT qANSWER-TRUE
Even qif qno qwritten qcontract qexists qbetween qthe qcovered qentity qand qa qcontracted
qcompany qperforming qservices qrelated qto qhandling qPHI qin qsome qform, qthe qcompany qis
qdeemed qa qbusiness qassociate qby qlaw. qThis qdeemed qstatus qessentially qclassifies
qcontracted qvendors qor qindividuals qas qbusiness qassociates qsolely qby qthe qnature qof qthe
qservices qthey qprovide qto qa qcovered qentity, qregardless qof qwhether qthey qintended qto qbe
qclassified qas qbusiness qassociates qor qwere qaware qof qtheir qstatus qas qsuch. qHIPAA qand
qHITECH qmay qhold qthese qvendors qto qbusiness qassociate qobligations qas qlong qas qthey
qact qas qbusiness qassociates.
Likewise, qa qsubcontractor qthat qcreates, qreceives, qmaintains, qor qtransmits qPHI qon qbehalf
qof qa qbusiness qassociate qis qa qbusiness qassociate. qA qsubcontractor qof qa qsubcontractor qis
qa qbusiness qassociate qas qwell, qand qso qon qdown qthe qline.
Ref. q2023 qHCCA qComplete qHealthcare qCompliance qManual
Ref. qHITECH qAct qand qOCR's q2013 qfinal qrule
True qor qFalse:
Under qHIPAA qand qHITECH, qindividuals qor qentities qwho qhave qbeen qidentified qas
qbusiness qassociates qare qobligated qto qenter qinto qa qbusiness qassociate qagreement qwith
qtheir qcontracted qcovered qentities. q- qCORRECT qANSWER-TRUE
