AHIMA ROI Microcredential
Security Rule correct answersestablishes national standards to protect individuals' electronic personal
health information that is created, received, used, or maintained by a covered entity
What is another name for the Security Rule? correct answersThe Security Standards for the Protection of
Electronic Protected Health Information
Who enforces the Security Rule? correct answersthe Office for Civil Rights (OCR)
Who does the Security Rule apply to? correct answershealth plans, health care clearinghouses, and to
any health care provider who transmits HI in electronic form in connection with a transaction for which
the Secretary of HHS has adopted standards under HIPAA (the CEs) and to their BAs
Administrative Safeguards provision in the Security Rule correct answersrequires covered entities to
perform risk analysis as part of their security management processes
Administrative safeguard examples correct answerssecurity management process, security personnel,
information access management, workforce training and management, and evaluation
Physical safeguard examples correct answersfacility access and control, and workstation and device
security
Technical safeguard examples correct answersaccess control, audit controls, integrity controls, and
transmission security
Minimum Necessary standard correct answerspractice that protected health information should not be
used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function
,Can an entire medical record be disclosed? correct answersA CE may not use, disclose, or request the
entire medical record for a particular purpose, unless it can specifically justify the whole record as the
amount reasonably needed for the purpose
Final Omnibus Rule correct answersimplements a number of provisions of the HITECH Act, enacted as
part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security
protections for health information established under HIPAA
The four final rules of the Omnibus Rule correct answersmodifications to the HIPAA Privacy, Security, and
Enforcement Rules mandated by the HITECH Act, and certain other modifications to improve the Rules
adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil penalty
structure provided by the HITECH Act
Breach Notification for Unsecured PHI under the HITECH Act, which replaces the breach notification
rule's ''harm'' threshold with a more objective standard
modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA)
to prohibit most health plans from using or disclosing genetic information for underwriting purposes
What must happen before a provider can respond to a subpoena? correct answersthe provider must
receive satisfactory assurance from the requesting party that reasonable efforts have been made by the
requesting party to ensure that the patient who is the subject of the PHI has been given notice of the
request
When can a disclosure of pHI in response to a subpoena occur? correct answersThe information may be
disclosed if the subpoena is accompanied by a proper written authorization. The authorization form
must include all of the elements described in HIPAA's authorization rule and must be signed by the
appropriate person (the patient himself, or the patient's personal representative)
The information may be disclosed without the individual's authorization if it is accompanied by a court
order for the information
, The information may be disclosed without the individual's authorization or a court order if written notice
that the information has been subpoenaed is given to the individual who is the subject of the PHI, or if a
qualified protective order is obtained from a court
What are the three responses a health department can give to a subpoena? correct answersAsk the
department's attorney to formally challenge the subpoena. The attorney may file a motion to quash the
subpoena, or to modify the subpoena
Ask the department's attorney to informally request that the party who issued the subpoena excuse the
department from the subpoena's requirements
Comply with the subpoena by appearing at the place and time designated in the subpoena along with
any records requested by the subpoena. The person who appears should not testify about confidential
health information or release confidential records until the provisions of both HIPAA and state law have
been satisfied (judge order or written, compliant authorization)
Quash period correct answerstime frame between the issue date of the subpoena and when the records
are due to be produced, allows the opposing counsel to object to the records being fulfilled
Risk management correct answersincludes the implementation of security measures to reduce risk to
reasonable and appropriate levels to, among other things, ensure the confidentiality, availability and
integrity of ePHI, protect against any reasonably anticipated threats or hazards to the security or
integrity of ePHI, and protect against any reasonably anticipated uses or disclosures of ePHI that are not
permitted or required under the HIPAA Privacy Rule
State versus Federal regulations correct answersAlways choose the most stringent of the two between
state and federal regulations regarding to releasing medical records
21st Century Cures Act (21CCA) correct answersade sharing electronic health information the expected
norm in health care by authorizing the Secretary of HHS to identify reasonable and necessary activities
that do not constitute information blocking
ONC Cures Act Proposed Rule correct answersa request for information regarding potential disincentives
for health care providers that have committed information blocking and asked whether modifying
Security Rule correct answersestablishes national standards to protect individuals' electronic personal
health information that is created, received, used, or maintained by a covered entity
What is another name for the Security Rule? correct answersThe Security Standards for the Protection of
Electronic Protected Health Information
Who enforces the Security Rule? correct answersthe Office for Civil Rights (OCR)
Who does the Security Rule apply to? correct answershealth plans, health care clearinghouses, and to
any health care provider who transmits HI in electronic form in connection with a transaction for which
the Secretary of HHS has adopted standards under HIPAA (the CEs) and to their BAs
Administrative Safeguards provision in the Security Rule correct answersrequires covered entities to
perform risk analysis as part of their security management processes
Administrative safeguard examples correct answerssecurity management process, security personnel,
information access management, workforce training and management, and evaluation
Physical safeguard examples correct answersfacility access and control, and workstation and device
security
Technical safeguard examples correct answersaccess control, audit controls, integrity controls, and
transmission security
Minimum Necessary standard correct answerspractice that protected health information should not be
used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function
,Can an entire medical record be disclosed? correct answersA CE may not use, disclose, or request the
entire medical record for a particular purpose, unless it can specifically justify the whole record as the
amount reasonably needed for the purpose
Final Omnibus Rule correct answersimplements a number of provisions of the HITECH Act, enacted as
part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security
protections for health information established under HIPAA
The four final rules of the Omnibus Rule correct answersmodifications to the HIPAA Privacy, Security, and
Enforcement Rules mandated by the HITECH Act, and certain other modifications to improve the Rules
adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil penalty
structure provided by the HITECH Act
Breach Notification for Unsecured PHI under the HITECH Act, which replaces the breach notification
rule's ''harm'' threshold with a more objective standard
modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA)
to prohibit most health plans from using or disclosing genetic information for underwriting purposes
What must happen before a provider can respond to a subpoena? correct answersthe provider must
receive satisfactory assurance from the requesting party that reasonable efforts have been made by the
requesting party to ensure that the patient who is the subject of the PHI has been given notice of the
request
When can a disclosure of pHI in response to a subpoena occur? correct answersThe information may be
disclosed if the subpoena is accompanied by a proper written authorization. The authorization form
must include all of the elements described in HIPAA's authorization rule and must be signed by the
appropriate person (the patient himself, or the patient's personal representative)
The information may be disclosed without the individual's authorization if it is accompanied by a court
order for the information
, The information may be disclosed without the individual's authorization or a court order if written notice
that the information has been subpoenaed is given to the individual who is the subject of the PHI, or if a
qualified protective order is obtained from a court
What are the three responses a health department can give to a subpoena? correct answersAsk the
department's attorney to formally challenge the subpoena. The attorney may file a motion to quash the
subpoena, or to modify the subpoena
Ask the department's attorney to informally request that the party who issued the subpoena excuse the
department from the subpoena's requirements
Comply with the subpoena by appearing at the place and time designated in the subpoena along with
any records requested by the subpoena. The person who appears should not testify about confidential
health information or release confidential records until the provisions of both HIPAA and state law have
been satisfied (judge order or written, compliant authorization)
Quash period correct answerstime frame between the issue date of the subpoena and when the records
are due to be produced, allows the opposing counsel to object to the records being fulfilled
Risk management correct answersincludes the implementation of security measures to reduce risk to
reasonable and appropriate levels to, among other things, ensure the confidentiality, availability and
integrity of ePHI, protect against any reasonably anticipated threats or hazards to the security or
integrity of ePHI, and protect against any reasonably anticipated uses or disclosures of ePHI that are not
permitted or required under the HIPAA Privacy Rule
State versus Federal regulations correct answersAlways choose the most stringent of the two between
state and federal regulations regarding to releasing medical records
21st Century Cures Act (21CCA) correct answersade sharing electronic health information the expected
norm in health care by authorizing the Secretary of HHS to identify reasonable and necessary activities
that do not constitute information blocking
ONC Cures Act Proposed Rule correct answersa request for information regarding potential disincentives
for health care providers that have committed information blocking and asked whether modifying
