HCCA-CHPC: STUDY GUIDE ||2025-2026||300+ QUESTIONS AND CORRECT DETAILED ANSWERS/A+ GRADE, Exams of Management of Health Service


Typology: Exams

2024/2025

Available from 04/17/2025

calleb-kahuro

What is the purpose of HIPAA?
- CORRECT ANSWER - • Protect PHI from unauthorized disclosure/use;
Prevent fraud, waste and abuse (via Administrative Simplification);
Make health insurance portable under ERISA;
Move health care onto a nationally standardized electronic billing platform
HIPAA resides in which CFR section?
- CORRECT ANSWER - 45 CFR sections 164.102 through 164.534
What are the subparts of HIPAA part 164?
- CORRECT ANSWER - HIPAA - 45 CFR 164, subparts:
Subpart A - General rules
Subpart C - Security
Subpart D - Breach notification
Subpart E - Privacy
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
How do you determine if an organization is a "Covered Entity"?
- CORRECT ANSWER - 1. compare if the organization meets one of the 3 types of CE
(provider, health plan, clearinghouse)
and
2. determine if the organization electronically transmits one of the 9 defined transactions:
  • Health claims or equivalent encounter information
  • Health claims attachments
  • Enrollment and disenrollment in a health plan
  • Eligibility for a health plan
  • Health care payment and remittance advice
  • Health plan premium payments
  • First report of injury
  • Health claim status
  • Referral certification and authorization
In addition, business associates of covered entities must follow parts of the HIPAA regulations.
This Act established in 1974 was created for government agencies, placing restrictions on how the government can share the information maintained in Federal systems of records that might infringe on an individual's privacy rights with other individuals and agencies.
- CORRECT ANSWER - The Privacy Act of 1974
Which of the following is not considered a HIPAA Entity Designation:
1. Affiliated covered entity
2. Entity that performs healthcare and non-healthcare component activities including both covered and non-covered functions
3. A group health plan
4. Contract arrangement with FEDEX carrier
- CORRECT ANSWER - 4. Contract arrangement with FEDEX carrier

The research lab/med center functions (healthcare component) need to comply with HIPAA provisions to protect the use/disclosure of PHI involved.
The transmission of information between two parties to carry out financial or administrative activities related to health care is called:
- CORRECT ANSWER - Transaction (healthcare transaction). A few examples of healthcare transactions: healthcare claims; coordination of benefits; health plan premium payments; remittance advice (or EFT, electronic fund transfer); referral certification and authorization
What are examples of a BA?
- CORRECT ANSWER - BA (Business Associate) - performs functions or activities on behalf of a covered entity that involve access by the business associate to protected health information.
Examples: claims processing, data analysis, billing, benefit management, quality assurance, quality improvement, practice management, legal, actuarial, accounting

HIPAA preemption d. HIPAA state law

- CORRECT ANSWER - c. HIPAA preemption
What is the intent of HIPAA?
a. standardize healthcare billing and coding to comply with national accounting principles
b. increase payment from providers given the rising cost of healthcare and fraud violations
c. allow group health plans to collect premiums after an individual has left a job/employer
d. improve healthcare programs and data flow between providers to data mine for fraudulent behavior
- CORRECT ANSWER - d. improve healthcare programs and data flow between providers to data mine for fraudulent behavior
The intent of HIPAA is to improve healthcare programs and the delivery of services through the two largest health plans in the U.S. This is accomplished by improved data flows that lead to better outcomes, using national standard formats and specific transactions to increase accuracy and provide a rapid way to data mine and detect fraudulent behavior.
What is an OHCA?
- CORRECT ANSWER - OHCA (Organized Health Care Arrangement): a clinically integrated care setting where individuals receive healthcare from more than one provider. These are joint arrangements/activities and have an Integrated Delivery System for easy exchange of PHI data. See 45 CFR 160.103. OHCAs can also utilize a joint NPP. See 45 CFR § 164.520(d).

ACE (Affiliated Covered Entity) does not have an Integrated Delivery System because these are legally separate covered entities that are associated in business, or affiliated as a result of some common control or ownership.
Both the OHCA and the ACE would allow sharing of PHI across participating entity lines for treatment, payment, operations purposes (TPO).
The specific data flows are outlined in the Transaction & Code Set Rules 45 CFR 162.100 -

True or False: A physician is required to have a business associate contract with a laboratory as a condition of disclosing protected health information for the treatment of an individual.
- CORRECT ANSWER - FALSE
Remember, use and disclosure of PHI for purposes of TPO requires no specific authorization
True or False: A hospital laboratory is not required to have a business associate contract to disclose protected health information to a reference laboratory for treatment of the individual.
- CORRECT ANSWER - TRUE
Remember, use and disclosure of PHI for purposes of TPO requires no specific authorization

Certificates of Confidentiality (CoC) is a formal confidentiality to protect the privacy of human research participants enrolled in biomedical, behavioral, clinical and other forms of sensitive research. CoC are issued by the NIH or the FDA, and are authorized by law by the P H S Act
- CORRECT ANSWER - Public Health Services Act.
An individual provider who works in a general medical facility could also be a Part 2 program IF the provider's primary function is to provide SUD services.
- CORRECT ANSWER - TRUE
Explanation: For example, a primary care physician who provides medication-assisted treatment would only meet the requirement if providing services to persons with SUD is their primary function. However, if a patient were to receive both primary care and SUD treatment, the SUD providers are still subject to Part 2 and could not share information with the patient's primary care provider without consent.
True or False: A program or facility that provides both SUD services and Mental Health Services, and a patient has been admitted to receiving both services, his/her records will be subject to the Part 2 regulations
- CORRECT ANSWER - FALSE
Explanation: Mental health information is not subject to the standards in 42 CFR Part 2 and can be shared without consent for treatment purposes, including care coordination, as allowed under HIPAA. Only records or information about patients receiving SUD services will be subject to Part 2 and its use/disclosure is more restrictive. However, to allow appropriate mental/behavioral health information sharing with SUD information, a Qualified Service Organization Agreement (QSOA) would be needed as defined in 42 CFR 2.11 "Qualified service organization" section.
What are the 4 federal regulations and/or government agencies that govern the privacy of individually identifiable info in research
- CORRECT ANSWER - 1. HHS-FDA (protections of human subject and IRBs)
2. HHS-NIH (certificate of confidentiality)
3. HHS-Office of Human Research Protections (Common Rule)
4. HHS-OCR - HIPAA Privacy Rule
Ref. HCCA Privacy Handbook 3rd Ed
The Privacy Act of 1974 was created in response to the government creating and using computer databases. The Act places restrictions on how government can share the information with other individuals and agencies, and ultimately protect the privacy of individuals that is maintained in Systems of Records by federal agencies. Before a federal agency begins to collect personal information for a system of records, an advanced public notice must be published in the Federal Register, which outlines the administrative, technical, and physical safeguards for protecting the personally identifiable information being collected. This "public notice" is called - S of R N (SORN)
- CORRECT ANSWER - system of records notice (SORN)
Ref. HCCA Privacy Handbook 3rd ed., "Privacy Act 1974" section
What is a research IRB?

1. Institutional Research Board
2. A group of executives that review all research activities conducted by the Board of Directors
3. A group of individuals that review proposed research to protect the privacy of subjects
4. Can make changes to the research or alter its content as they seemed appropriate
- CORRECT ANSWER - 3. A group of individuals that review proposed research to protect the privacy of subjects
An individual must authorize these marketing communications before they can occur, except:
a. when the communication is not for the purpose of providing treatment advice
b. communication from a health insurer to promote their products/services
c. communication in training material using their photo
d. hospital uses its patient list to announce the arrival of a new specialty group in general mailing
- CORRECT ANSWER - Except: d. hospital uses its patient list to announce the arrival of a new specialty group
This activity does not meet the "marketing" definition, for instance, the disclosure of PHI in this example is not for exchange of remuneration, or to encourage use of product, promote services.
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/marketing/index.html
True or False: It is important that when contracting with payers or health plans they follow not only the HIPAA security but also the privacy rule to protect beneficiaries' PHI, including use/disclosure during payer's marketing activities
- CORRECT ANSWER - TRUE
Which of the following requires a Business Associate contract/agreement:
a. independent medical transcriptionist
b. entities that participate in an OHCA (organized healthcare arrangement)
c. when a provider simply accepts a discounted rate to participate in the health plan's network
d. US Postal Services or private carriers
- CORRECT ANSWER - a. independent medical transcriptionist
Explanation: this is an outsourced service that handles PHI on behalf of the CE. The transcriptionist is performing an activity for the CE that contains PHI and a BAA is required to ensure proper use and disclosure.
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
Is a covered entity required to provide notice to individuals about its disclosures of PHI to a

VII. Consent to contract (required signatures)
VIII. Mistakes, undue influence (if things go wrong, list alternative options)
True or False: Regarding vendor relations, the privacy professional must ensure that the contract supports the privacy profile. This includes clearly outlining privacy impacts, clauses, mandates, remedies from the vendor's services to ensure expectations are met, even when things go wrong.
- CORRECT ANSWER - TRUE
HCCA Privacy Compliance Handbook - Vendor Relations and Privacy Section
A Covered Entity may deny an individual access to their PHI under specific circumstances set forth in 45 CFR 164.524 (a)(2); which of the following doesn't fall under those circumstances:
a. Request for psychotherapy notes
b. if it jeopardizes the health, safety, security, rehab of individual (e.g. inmate's request, suicidal patient)
c. during the course of research/clinical trial
d. to request restrictions of their PHI
- CORRECT ANSWER - a. Request for psychotherapy notes
Under the HIPAA Privacy Rule, individual has the right to request a copy, an amendment and restrictions to their PHI, request confidential communications involving your PHI, and list of disclosures. See 45 CFR § 164.524 (a)(2)
https://www.hhs.gov/hipaa/for-professionals/faq/2046/under-what-circumstances-may-a-covered-entity/index.html
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
38 U.S.C. 7332 deals with confidentiality of patient medical record information related to:
a. drug abuse, sexually transmitted diseases, and tuberculosis
b. HIV/AIDS status
c. drug abuse, alcoholism, infection with the HIV virus, and sickle cell anemia
d. mental illness, HIV status, drug and alcohol abuse
- CORRECT ANSWER - c. drug abuse, alcoholism, infection with the HIV virus, and sickle cell anemia
True or False: The Minimum Necessary is a key concept under the HIPAA security rule
- CORRECT ANSWER - FALSE

It is a key concept under the PRIVACY Rule.
Re: HIPAA Authorization
Is there any information we can release to a person who is calling on behalf of a patient who is not authorized in a release form?
- CORRECT ANSWER - Patient must be given an "opportunity to agree or object" keeping in mind:
1. you can obtain patient's agreement verbally, over the phone, BUT make notes in file
2. only disclose the Minimum Necessary
https://thehipaaetool.com/hipaa-authorization-required/
Re: HIPAA Authorization
When my patients are being treated for car accident injuries, we often receive requests for PHI from lawyers. I am not sure if we should provide the information and don't know how to decide whether the request is legitimate. How do we validate the request is legitimate?
- CORRECT ANSWER - Ensure it is a valid HIPAA authorization: MUST have the authorization 6 core elements and 3 key statements as per 45 CFR §164. (c)(1) and (2)
https://www.law.cornell.edu/cfr/text/45/164.
Re: HIPAA Authorization
One of my long term (dental) patients was recently diagnosed with cancer. His new oncologist's assistant called to request his PHI from our files. I don't know if the patient knows or has authorized this. Can the request be fulfilled?
- CORRECT ANSWER - YES, no authorization is required for purposes of TPO. But, ensure the request is in writing including: Covered Entity's name; Patient's name; Date of the event/time of treatment; and Reason for the request.
https://thehipaaetool.com/hipaa-authorization-required/
Re: HIPAA Authorization (suspected domestic violence)
I strongly suspect that a patient is a victim of domestic violence, although the patient has not confided in me. The abuse seems to be escalating, judging by the injuries I've seen. May I do anything?
- CORRECT ANSWER - You may, this may be an exception to the HIPAA Privacy Rule.

https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
The Minimum Necessary DOES NOT apply to?
- CORRECT ANSWER - does not apply to:
  • TPO
  • To the individual directly
  • To the HHS Secretary or required by law
  • When authorization is granted
Where does Minimum Necessary link to in the Security rule?
- CORRECT ANSWER - Role Based Access - can content filters be used to support the privacy concept
Who can Deceased Individuals information be released to at anytime?
- CORRECT ANSWER - coroners or medical examiners (and Funeral Directors as necessary to carry out their duties with respect to the decedent)
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-

Preemption under HIPAA means
- CORRECT ANSWER - If federal law states that it preempts or overrides (supersedes) state law on a particular issue, then federal law is the law that must be followed.
In general, HIPAA preempts state law that is "contrary" to the federal rule.
In many cases, complying with the stronger standard (more stringent) will allow you to comply with both state law and HIPAA.
Example 1: if state law gives a provider 10 days to respond to a patient's request for a copy of his medical records, and HIPAA allows 30 days, you can comply with both state and federal law by responding within 10 days.
Example 2: if state law requires a longer period for record keeping than the federal law, then go with the longer period.
https://library.ahima.org/doc?oid=59816#.YlTLkOjMI2w
Valid Authorization core elements (see 45 CFR § 164.508(c)(1)):
- CORRECT ANSWER - 1. meaningful description of the information to be disclosed
2. name of the individual/person authorized to make the requested disclosure
3. name or other identification of the recipient of the information
4. description of each purpose of the disclosure
5. expiration date for the authorization
6. signature and date of the individual or their personal representative (someone authorized to make health care decisions on behalf of the individual)
https://www.law.cornell.edu/cfr/text/45/164.508 and https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/authorization/index.html

Valid Authorization 3 key statements (see 45 CFR § 164.508(c)(2)):
- CORRECT ANSWER - The statements are to be included in a valid Authorization:
  • A statement of the person's right to revoke the authorization, exceptions to this right, and a description of how to revoke;
  • A statement that treatment, payment, enrollment or eligibility for benefits may NOT be conditioned upon signing the authorization;
  • A statement regarding the potential that the information disclosed pursuant to the authorization may be re-disclosed by the recipient and, if so, it may no longer be protected by a federal confidentiality law;
Note: the person signing the authorization has the right to (or will receive) a copy of the authorization.
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-

Fill in the blanks: The three types of AUTHORIZATION:
VALID - must have all the 6 required core elements and 3 statements/notices
D - lacks any of the required elements/statements, or expiration date has passed, or revoked, etc.
C - typically allowed in research studies, this authorization may be combined with another written permission IF it's for the same research related studies
- CORRECT ANSWER - Defective; Compound
Request for Restrictions
- CORRECT ANSWER - patient has the right to request restrictions on the U&D of information, even for the TPO exception. Provider must determine if it is reasonable, accommodate request, and abide by the agreement. Ref § 164.520 - Notice of privacy practices for protected health information.
Request for Confidential Communication
- CORRECT ANSWER - Patient may request other communication channels not typical for the entity, such as email, or meeting in off-site locations.
What is the difference between HIPAA security and privacy?
- CORRECT ANSWER - Security - covers ePHI
Privacy - covers all forms (electronic, oral, written)
45 CFR 164 - Subpart C outlines the three safeguards to ensure the ___, ___, ___ of ePHI that both CE and BA must implement to ensure compliance and protect against anticipated threats, and/or reasonably anticipated uses/disclosures (incidental/inadvertent/unintentional)
- CORRECT ANSWER - Confidentiality, integrity, availability

Also known as the "Stimulus Act" or the "Recovery Act", enacted in 2009; its main purpose was to create jobs and stimulate economic growth; it also included provisions to promote health information technology
- CORRECT ANSWER - American Recovery and Reinvestment Act (ARRA)
C.I.A. (HIPAA) stands for?
- CORRECT ANSWER - Confidentiality (not available or disclosed to unauthorized person)
Integrity (not altered or destroyed in unauthorized manner)
Availability (accessible and usable by authorized person)
https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
Comprehensive legislation that ensures access to health coverage for those who change jobs or are temporarily out of work. It also provides the mechanism for funding the Department of Justice and the FBI for health care fraud investigations
- CORRECT ANSWER - Health Insurance Portability and Accountability (HIPAA)
Ref. https://oig.hhs.gov/reports-and-publications/hcfac/index.asp
True or False: The HIPAA Privacy and Security rules were promulgated to make health care interstate commerce equal, thus creating a national health care privacy and security baseline or floor
- CORRECT ANSWER - TRUE
One of the barriers before HIPAA was signed into law was the lack of access and national standards. The Privacy and Security provisions were integral elements as many States did not have privacy rights or individual right of access to healthcare records.
Re: HCCA Privacy Compliance Handbook
True or False: If disclosing PHI to legal authorities/government/public official, CE must verify identity, for instance asking for a gov badge/ID, credential, or some proof of gov status, such as gov written letterhead, warrant, memorandum, etc.
- CORRECT ANSWER - TRUE
Computerized data medical records are destroyed by
- CORRECT ANSWER - Magnetic degaussing
Covered entities participating in an Organized Health Care Arrangement are permitted to
A. act as a single covered entity
B. utilize a single notice of privacy practices
C. share psychotherapy notes
D. operate as a hybrid entity
- CORRECT ANSWER - B. utilize a single notice of privacy practices

True or False: In cases where CE is making Fundraising communications to individuals, the individual must be provided with an Opportunity to Object/Elect to receive such communications (and to opt back if individual changes her/his opinion)
- CORRECT ANSWER - TRUE
Covered Entity can use or disclose PHI by these 4 areas:
- CORRECT ANSWER - 1. for treatment, payment, healthcare operations (TPO)
2. for public interest in disaster relief or public emergency
3. with an opportunity to object (i.e. spouse picking up Rx)
4. with authorization granted
Covered entity includes:
- CORRECT ANSWER - • Health plan (payers)
  • Health care clearinghouse (process health information into standard data elements on behalf of the CE)
  • Health care provider who transmits any health info in electronic form AND
  • CE's business associate (when applicable)
What is a Controlling Health Plan (CHP)?
- CORRECT ANSWER - Health plan that controls its own business, actions, activities, and policies; controls the subhealth plan (SHP). This applies to state Medicaid plans. For instance, the CHP is the state Medicaid, and the SHP would be the local administrator.
Re: HCCA Privacy Compliance Handbook
Describe what to do with a "required" implementation specification
- CORRECT ANSWER - Implement the specification as presented
Describe what to do with an "addressable" implementation specification
- CORRECT ANSWER - Implement as presented, or if not reasonable and appropriate implement an equivalent alternative measure.
Designated Record Set (DRS) - includes:
- CORRECT ANSWER - Group of records maintained by or for a Covered Entity that comprises the following:
1. medical/billings records
2. enrollment/payment/claims adjudication/case management by health plan
3. other records used by or for covered entity to make decisions about individuals
Designated Record Set (DRS) - records excluded from DRS:
- CORRECT ANSWER - Administrative data (audit trails, appointment schedules, that don't embed PHI). Incident reports. Quality Assurance Data. Statistical reports.
DVD medical records are destroyed by
- CORRECT ANSWER - Shredding and cutting