CIPP- US- Chapter 4 Exam Questions with Complete Solutions (Graded A+)

CIPP- US- Chapter 4 Exam Questions with Complete Solutions (Graded A+) Health Information Technology for Economic and Clinical Health Act of 2009 - Answers What does HITECH stand for? Health Insurance Portability and Accountability Act of 1996 - Answers What does HIPAA stand for? No - Answers Does HIPAA preempt stricter state healthcare privacy laws? Improving efficiency of healthcare delivery - Answers What was the initial reason for the creation of HIPAA? Protected Health Information (PHI) - Answers "Any individually identifiable health information 1)transmitted or maintained in any form or medium that is held by a covered entity or its business associate; 2) identifies the individual or offers a reasonable basis for identification; 3) is created or received by a covered entity or an employer, and relates to a past, present or future physical or mental condition, provision of healthcare or payment for healthcare to that individual." ePHI - Answers Any PHI that is transmitted or maintained in electronic media (such as computer hard drives, magnetic tapes or disks, or digital memory cards, all of which are considered electronic storage media. HITECH - Answers Under what update are business associates now held under the HIPAA Privacuy and Security protections under written contracts they sign with the business associates? Business Associate - Answers Any person or organization, other than a member of a covered entity's workforce, that performs services and activities for, or on behalf of, a covered entity, if such services or activities involve the use or disclosure of PHI. Transaction Rules - Answers In 2000, HHS promulgated these regulatins on standard electronic formats for healthcare transactions. Fair Information Privacy Practices - Answers Compared with other US laws, HIPAA provides perhaps the most detailed implementation of what Privacy Practices, including the requirements concerning privacy notices, authorizations for use and dislcosure of PHI, limits on use and disclosure to the minimum necessary, individual access and accounting right, security safeguardsm and accountability through administrative requirements and enforcement. Indirect Treatment Relationship - Answers What exception is noted for not having to provide notice at the date of first service delivery? TPO (treatment, payment, operations) - Answers In what instances does HIPAA authorize the use and disclosure of PHI for essential healthcare purposes? Opt-In Authorization - Answers For uses and disclosures outside of TPO, what type of authorization is required from individual for uses and disclosures? Minimum Necessary - Answers Other than for treatment, organizations must make reasonable efforts to limite th use and disclosure of PHI in order to accomplish the intended purposes. Access and Accounting of Disclosures - Answers A key privacy protection that applies to access of PHI kept in a "designated record set" which is a fairly broad defibition including a patients medical records and billing records, or other records used by the covered entity to make decisions about individuals. Accountability - Answers "A Key privacy protection created to foster compliance via a set of administrative requirements. For ex: Covered Entities must designate a privacy official who is responsible for the development and implementation of privacy protections. This privacy protection is furthered by a range of enforcement agencies suhc as the OCR." Office of Civil Rights (OCR) - Answers The primary enforcer for the Privacy Rule in HHS which processes individual complaints and can assesscivil monetary penalties of up to $1.5 miliion per year per type of violation. US Department of Justice - Answers This US Dept. has criminal enforcement authority with prison sentences of up to 10 years. FTC - Answers For many companies within its jurisdiction this Commission can bring enforcement actions related to unfair and decptive practices, even for entities covered by HIPAA. State attorney general - Answers Can bring enforcement for unfair and decptive practices pursuant to any applicable state medical privacy laws. De-identification - Answers The privacy rule does not apply to this type of information. It is information that does not actually identify an indiviudal where there is no reasonable basis to believe that the info can be use dto identify an indiviudal. The two methods of de-identification - Answers 1) remove all of at least 17 data elements listed in the rule, such as name, phone number and address; or 2) have an expert certify that the risk of re-identifying the individuals is very smal.. Research - Answers As it relates to health information, this action can occur with the consent of the individual, or without consent if an authorized entity such as an institutional review board approves the action as consistent with the Privacy Rule and general rules covering the action on human subjects. This action is permitted on de-identified information. Security Rule - Answers HIPAA rules that was designed to require covered entities to implement "reasonable" security measures in technology-neutral manner. Security Rule - Answers HIPAA rules comprised of "standards" and "implementation