HCCA - CHPC STUDY QUESTIONS (MASTER FLASHCARDS) WITH FULL RATIONALES
• Protect PHI from unauthorized disclosure/use;
• Prevent fraud, waste and abuse (via Administrative Simplification);
• Make health insurance portable under ERISA;
• Move health care onto a nationally standardized electronic billing platform
Ref. https://quizlet.com/6202453/hcca-chpc-overview-flash-cards/
More on HIPAA: https://www.hhs.gov/hipaa/index.html - correct answers ✔✔What is the
purpose of HIPAA?
45 CFR sections 164.102 through 164.534
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164 - correct answers
✔✔HIPAA resides in which CFR section?
HIPAA - 45 CFR 164, subparts:
Subpart A - General rules
Subpart C - Security
Subpart D - Breach notification
Subpart E - Privacy
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164 - correct answers
✔✔What are the subparts of HIPAA part 164?
1. determine whether the organization is one of the 3 types of CE (provider, health plan,
clearinghouse)
and
2. determine if the organization electronically transmits one of the 9 defined
transactions:
• Health claims or equivalent encounter information
• Health claims attachments
• Enrollment and disenrollment in a health plan
• Eligibility for a health plan
• Health care payment and remittance advice
• Health plan premium payments
• First report of injury
• Health claim status
• Referral certification and authorization
In addition, business associates of covered entities must follow parts of the HIPAA
regulations.
https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
- correct answers ✔✔How do you determine if an organization is a "Covered Entity"?
The Privacy Act of 1974 - correct answers ✔✔This Act, established in 1974, was created
for government agencies, placing restrictions on how the government can share the
information maintained in Federal systems of records that might infringe on an
individual's privacy rights with other individuals and agencies.
4. Contract arrangement with FEDEX carrier - correct answers ✔✔Which of the
following is not considered a HIPAA Entity Designation:
1. Affiliated covered entity
2. Entity that performs healthcare and non-healthcare component activities including
both covered and non-covered functions
3. A group health plan
4. Contract arrangement with FEDEX carrier
Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization
Act of 1999, includes the Financial Privacy Rule and the Safeguards Rule, and requires all
financial institutions to protect customers' personal financial information. - correct
answers ✔✔What is Gramm-Leach-Bliley Act (GLBA)?
OHCA (Organized Health Care Arrangement) is a clinically integrated care setting
where individuals receive health care from more than one provider.
These are joint arrangements/activities and have an Integrated Delivery System for
easy exchange of PHI data. See 45 CFR 160.103. OHCAs can also utilize a joint NPP.
See 45 CFR § 164.520(d).
ACEs (Affiliated Covered Entities) do not have an Integrated Delivery System because
these are legally separate covered entities that are associated in business, or affiliated
as a result of some common control or ownership.
Both the OHCA and the ACE would allow sharing of PHI across participating entity lines
for treatment, payment, operations purposes (TPO). - correct answers ✔✔What is an
OHCA?
ACE (Affiliated Covered Entity)
Legally separate covered entities that share common control/ownership and designate
themselves as a single CE for the purpose of complying with the HIPAA Privacy
standards.
ACEs do not have an Integrated Delivery System, while OHCAs do, and can share a
single NPP. See 45 CFR § 164.520(d).
ACE example: a health system composed of several affiliated hospitals.
Both the OHCA and the ACE would allow sharing of PHI across participating entity lines
for treatment, payment, operations purposes (TPO). - correct answers ✔✔What's an
ACE?
An entity that conducts both covered functions (or healthcare functions) and non-covered
functions (other biz/non-healthcare functions) can elect to be a "hybrid entity."
For instance, a University System that has a research laboratory or academic medical
center.
The post-secondary functions (non-healthcare components) do NOT need to comply
with HIPAA.
The research lab/med center functions (healthcare component) need to comply with
HIPAA provisions to protect the use/disclosure of PHI involved.
https://www.hhs.gov/hipaa/for-professionals/faq/315/when-does-a-covered-entity-have-discretion-to-determine-covered-functions/index.html#:~:text=For%20example%2C%20a%20hybrid%20entity,hybrid%20entity's%20health%20care%20component.
https://privacyruleandresearch.nih.gov/pr_06.asp - correct answers ✔✔What's a Hybrid
Entity?
Transaction (healthcare transaction).
A few examples of healthcare transactions:
healthcare claims;
coordination of benefits;
health plan premium payments;
remittance advice (or EFT, electronic fund transfer);
referral certification and authorization - correct answers ✔✔The transmission of
information between two parties to carry out financial or administrative activities related
to health care is called:
BA (Business Associate) - performs functions or activities on behalf of a covered entity
that involve access by the business associate to protected health information.
Examples:
claims processing
data analysis
billing
benefit management
quality assurance
quality improvement
practice management
legal
actuarial
accounting
accreditation
other administrative services
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
- correct answers ✔✔What are examples of a BA?
TRUE
Remember, use and disclosure of PHI for purposes of TPO requires no specific
authorization - correct answers ✔✔True or False:
A hospital is not required to have a business associate contract with the specialist to
whom it refers a patient and transmits the patient's medical chart for treatment
purposes.
TRUE
Even if no written contract exists between the covered entity and a contracted company
performing services related to handling PHI in some form, the company is deemed a
business associate by law. This deemed status essentially classifies contracted vendors
or individuals as business associates solely by the nature of the services they provide to