AHIMA ROI Microcredential Study Guide
Latest Updated
Security Rule - ANS-establishes national standards to protect individuals' electronic
personal health information that is created, received, used, or maintained by a covered
entity
What is another name for the Security Rule? - ANS-The Security Standards for the
Protection of Electronic Protected Health Information
Who enforces the Security Rule? - ANS-the Office for Civil Rights (OCR)
Who does the Security Rule apply to? - ANS-health plans, health care clearinghouses,
and to any health care provider who transmits HI in electronic form in connection with a
transaction for which the Secretary of HHS has adopted standards under HIPAA (the
CEs) and to their BAs
Administrative Safeguards provision in the Security Rule - ANS-requires covered
entities to perform risk analysis as part of their security management processes
Administrative safeguard examples - ANS-security management process, security
personnel, information access management, workforce training and management, and
evaluation
Physical safeguard examples - ANS-facility access and control, and workstation and
device security
Technical safeguard examples - ANS-access control, audit controls, integrity controls,
and transmission security
Minimum Necessary standard - ANS-practice that protected health information should
not be used or disclosed when it is not necessary to satisfy a particular purpose or carry
out a function
Can an entire medical record be disclosed? - ANS-A CE may not use, disclose, or
request the entire medical record for a particular purpose, unless it can specifically
justify the whole record as the amount reasonably needed for the purpose
Final Omnibus Rule - ANS-implements a number of provisions of the HITECH Act,
enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen
the privacy and security protections for health information established under HIPAA
The four final rules of the Omnibus Rule - ANS-modifications to the HIPAA Privacy,
Security, and Enforcement Rules mandated by the HITECH Act, and certain other
modifications to improve the Rules
adopting changes to the HIPAA Enforcement Rule to incorporate the increased and
tiered civil penalty structure provided by the HITECH Act
Breach Notification for Unsecured PHI under the HITECH Act, which replaces the
breach notification rule's "harm" threshold with a more objective standard
modifying the HIPAA Privacy Rule as required by the Genetic Information
Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing
genetic information for underwriting purposes
What must happen before a provider can respond to a subpoena? - ANS-the provider
must receive satisfactory assurance from the requesting party that reasonable efforts
have been made by the requesting party to ensure that the patient who is the subject of
the PHI has been given notice of the request
When can a disclosure of PHI in response to a subpoena occur? - ANS-The information
may be disclosed if the subpoena is accompanied by a proper written authorization. The
authorization form must include all of the elements described in HIPAA's authorization
rule and must be signed by the appropriate person (the patient himself, or the patient's
personal representative)
The information may be disclosed without the individual's authorization if it is
accompanied by a court order for the information
The information may be disclosed without the individual's authorization or a court order
if written notice that the information has been subpoenaed is given to the individual who
is the subject of the PHI, or if a qualified protective order is obtained from a court
What are the three responses a health department can give to a subpoena? - ANS-Ask
the department's attorney to formally challenge the subpoena. The attorney may file a
motion to quash the subpoena, or to modify the subpoena
Ask the department's attorney to informally request that the party who issued the
subpoena excuse the department from the subpoena's requirements
Comply with the subpoena by appearing at the place and time designated in the
subpoena along with any records requested by the subpoena. The person who appears
should not testify about confidential health information or release confidential records
until the provisions of both HIPAA and state law have been satisfied (judge order or
written, compliant authorization)