HCCA - CHPC OVERVIEW MOST TESTED EXAM QUESTIONS WITH CORRECT DETAILED ANSWERS A+ VERIFIED, Exams of Animal Anatomy and Physiology


Typology: Exams

2024/2025

Available from 07/03/2025

kelcy-karas

HIPAA became law - correct answers-1996

What is the purpose of HIPAA? - correct answers-
• To make health insurance portable under ERISA;
• To move health care onto a nationally standardized electronic billing platform; and
• To prevent fraud, waste and abuse

Intent - correct answers-purpose of this subtitle to improve the Medicare program under title XVIII of the Social Security Act, the Medicaid program under title XIX of such Act, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.

HIPAA resides in what CFR section - correct answers-45 CFR sections 164.102 through 164.534

Identify the four sections in the CFR by location and topic - correct answers-
Section One: 164.102 - 164.318 and 164.530 - 164.534 Organizational Requirements
Section Two: 164.500 - 164.514 Use and Disclosure of Information
Section Three: 164.520 - 164.528 Individual's Rights and Penalties
Section Four: Interaction with the HIPAA Security Rule

How do you determine if an organization is a CE - correct answers-
- compare the functions of the entity to the three principal types of "covered entities" (CE),
- determine if the entity electronically transmits one of the nine defined transactions

What are the different types of CEs - correct answers-
- Provider
- Health Plan
- Clearing House
- Other Types

How is a Provider defined - correct answers-
- a provider of services (as defined in section 1395x (u) of title XIX)
- a provider of medical or other health services (as defined in section 1395x (s) of title XIX)
- any other person furnishing health care services or supplies.

Does a provider need a standing facility to be considered a CE - correct answers-NO

What does "Health Plan" mean? - correct answers-An individual or group plan that provides, or pays the cost of, medical care
• A group health plan, but only if the plan:
  -- has 50 or more participants
  -- is administered by an entity other than the employer who established and maintains the plan.
• A health insurance issuer
• A health maintenance organization
• The Medicaid program under title XIX.
• A Medicare supplemental policy
• A long-term care policy, including a nursing home fixed indemnity policy
• An employee welfare benefit plan providing health benefits to the employees of 2 or more employers.
• The health care program for active military
• The veteran's health care program
• The Civilian Health and Medical Program

What are examples of a BA? - correct answers-
• claims processing
• data analysis
• billing
• benefit management
• quality assurance
• quality improvement
• practice management
• legal
• actuarial
• accounting
• accreditation
• other administrative services

What has been the main complaint with holding a BA accountable under the 2000 Privacy Rule? - correct answers-
- lack of penalties for non-compliance
- federal penalties could only be levied against the CE

Which new regulation corrected shortcomings of the HIPAA 2000 regulation concerning BAs? - correct answers-Health Information Technology for Economic and Clinical Health (HITECH)

Who is now responsible for privacy and security of BAs? - correct answers-The Business Associate, legal liability for violations, and possible penalties, flow directly to the entity that violates.

What nine transactions are used to determine if an organization is a CE? - correct answers-
• Health claims or equivalent encounter information
• Health claims attachments
• Enrollment and disenrollment in a health plan
• Eligibility for a health plan
• Health care payment and remittance advice
• Health plan premium payments
• First report of injury
• Health claim status
• Referral certification and authorization

What format must information be to determine if it is covered? - correct answers-any format - electronic or paper

What is Information? - correct answers-every piece of information your entity has in its possession or has access to.

What is Health Information? - correct answers-any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and relates to the past, present, or future physical or mental health or condition of an individual. This includes the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

What is Individually Identifiable Health Information (IIHI)? - correct answers-information that is a subset of health information, including demographic information collected from an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse, and relates to the past, present, or future physical or mental health condition of an individual, the provision of health care to an individual, or the past, present, or future payment

aggregated into a single category of age 90 or older
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images; and
• Any other unique identifying number, characteristic, or code, except as permitted; and
--The CE does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

What is Limited data set? - correct answers-CE may use or disclose a limited data set if the CE enters into a data use agreement with the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
• Names;
• Postal address information, other than town or city, state, and zip code;
• Telephone numbers;
• Fax numbers;
• Electronic mail addresses;
• Social security numbers;
• Medical record numbers;
• Health plan beneficiary numbers;
• Account numbers;
• Certificate/license numbers;
• Vehicle identifiers/serial numbers or license plate numbers;
• Device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• Internet Protocol (IP) address numbers;
• Biometric identifiers, including finger and voice prints; and
• Full face photographic images and any comparable images.

What is Re-identification? - correct answers-CE may assign a number for re-identification; however, the creation of the numbering system should not be based on the information and the CE is forbidden from disclosing the re-identification scheme.

What is Unsecured PHI? - correct answers-"PHI that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is permitted or required...
• Minimum necessary
• Uses and disclosures of PHI subject to an agreed upon restriction
• Uses and disclosures of de-identified protected health information
• Disclosures to BAs
• Deceased individuals
• Personal representatives
• Confidential communications
• Uses and disclosures consistent with notice
• Disclosures by whistleblowers and workforce member crime victims.

Minimum Necessary - correct answers-using or disclosing information to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

When does Minimum Necessary not apply? - correct answers-
- does not apply to treatment uses and disclosures
- disclosures to the individual
- disclosures per authorization,
- disclosures made to the Secretary, or disclosures required by law.

May CE use, disclose or request a whole medical record? - correct answers-amount disclosed must be reasonably necessary to accomplish the purpose of the use, disclosure, or request

Where does Minimum Necessary link to in the Security rule? - correct answers-Role Based Access - can content filters be used to support the privacy concept

What secondary purpose does Minimum Necessary support? - correct answers-a measurement to support any disciplinary process for unauthorized access

The privacy professional's main task is to reduce risk by ensuring that privacy rights are not violated. How does Minimum Necessary accomplish this? - correct answers-
- justify why they want information sent
- why access is allowed, based on the use or disclosure but limited to the minimum necessary

You MAY use or disclose without authorization for which 14 circumstances? - correct answers-
• Treatment
• Payment
• Business operations
• Research (under certain circumstances)
• As required by law
• To avert a serious threat to health or safety
• Workers compensation
• Public health activities
• Reporting abuse, neglect or domestic violence
• Health oversight activities
• Organ and tissue donation
• Lawsuits and disputes
• Law enforcement
• Specialized government functions.

To whom can deceased individuals' information be released at any time? - correct answers-decedent information can be released to coroners or medical examiners personal representative. If signed by the authorized personal representative, a description of such representative's authority to act for the client is provided; records and service dates;

What four statements are to be included in a valid Authorization? - correct answers-
• A statement of client's right to revoke the authorization, exceptions to this right, and a description of how to revoke;
• A statement that treatment, payment, enrollment or eligibility for benefits may NOT be conditioned upon signing the authorization;
• A statement regarding the potential that the information disclosed pursuant to the authorization may be re-disclosed by the recipient and, if so, it may no longer be protected by a federal confidentiality law;
• A statement that the person signing the authorization has the right to (or will receive) a copy of the authorization.

What are the drawbacks in over-collecting authorizations? - correct answers-
- the entity must track the expiration date for renewals.
- there is a debate about using the information for any other purpose than what is stated on the authorization

Request for Restrictions - correct answers-patient has the right to request restrictions on the U&D of information, even for the TPO exception

The entity must do what when it receives a "Request for Restriction"? - correct answers-
- determine if the request is reasonable
- if they can accommodate the request
- must abide by any agreed upon restrictions

Request for Confidential Communication - correct answers-patient may request other communication channels not typical for the entity, such as email, or meeting in off-site locations.

What can an entity consider when they get a Request for Confidential Communication? - correct answers-
- Entity must first determine if it is reasonable
- may refuse if they have to go to extraordinary lengths

Access and Copy Information - correct answers-Patients are entitled to a copy of, or access to, the information in the designated record set

How did Access and Copy Information change under HITECH? - correct answers-HITECH extended the requirements via electronic health records (EHRs). CEs must provide the patient (or individuals or entities authorized by the patient, such as doctors and personal health record services) with an electronic copy of their file.

Request to Amend - correct answers-client has the right to request an amendment to their designated record set if they determine it may be inaccurate

Does a provider have to amend the record if a patient asks? - correct answers-it is only a request. If the provider determines the record to be accurate, they can deny the request.

What can a patient do if the provider refuses to amend the record? - correct answers-client has the right to ask that their statement of inaccuracy be placed in the file

Right to an Accounting of Disclosures - correct answers-Patients are entitled to know the identity of to whom information is disclosed, and the purpose of the disclosure

Who must a CE notify in a Breach? - correct answers-
- individuals affected
- HHS Secretary
- media

What triggers a notification to the impacted individual, HHS Secretary and media? - correct answers-Affects more than 500 people

If a breach occurs of less than 500 people who must be notified and when? - correct answers-The HHS Secretary at least annually

When does a CE not have to report? - correct answers-considered a breach only if the use or disclosure poses some harm to the individual

Who do BAs have to notify of a breach? - correct answers-The CE

If information is encrypted is it considered a breach? - correct answers-No

What in addition is required of a CE beyond Policy and Procedures? - correct answers-Education of the Workforce

What is the difference between security and privacy? - correct answers-Security is how things are protected, while privacy tells us what to protect.

Security Rule says an entity must: - correct answers-
• Ensure the confidentiality, integrity, and availability (CIA) of all electronic protected health information (EPHI) the CE creates, receives, maintains, or transmits
• Support CIA through Administrative, Technical and Physical safeguards
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required
• Ensure compliance by the workforce.

Technically the Security Rule is what - correct answers-neutral, it outlines principles rather than single solutions.

What does the Privacy professional do related to a vulnerability - correct answers-identify this as a vulnerability in their portion of the Security Risk Analysis (RA) and implement a mitigation scheme

HIPAA grants the CE related to security - correct answers-
• Covered entities may use any security measures that allow the CE to reasonably and appropriately implement the standards and implementation specifications.
• In deciding which security measures to use, a CE must take into account the following factors:
  --The size, complexity, and capabilities of the CE
  --The CE's technical infrastructure, hardware, and software security capabilities
  --The costs of security measures
  --The probability and criticality of potential risks to electronic protected health information.

How does privacy bridge the gap of security? - correct answers-
- privacy professional coordinates the administrative safeguards
- generally limited to policies and procedures

Can "Addressable" Security requirements be ignored? - correct answers-No