HIO-201 Sample Questions Answers

The authorization has been revoked by the physician.

The patient remains a citizen of the United States.

The information is under the control of HHS.

The information is in the possession of a covered entity.

The information is not also available on paper forms.

Contingency Plan

Facility Security Plan

Emergency Mode Operation Plan

Accountability

Device and Media Controls

Report to the covered entity any security incident of which it becomes aware

Ensure the complete safety of all electronic protected health information

Compensate the covered entity for penalties incurred because of the business associate's security incidents.

Register as a business associate with HHS

Submit to periodic audits by HHS of critical systems containing electronic protected health information

Security Awareness and Training

Security Management Process

Access Control

Assigned Security Responsibility

Security Incident Procedures

Transmission Security

Evaluation

Audit Controls

Integrity

Security Management Process

Verbally request 3 consent and offer a copy of the Notice of Privacy Practices.

Verbally request specific authorization for the PHI.

Do nothing more.

Obtain the signature of the patient on their Notice of Privacy Practices.

Not respond to the request without an authorization from the primary physician.

270

276

834

835

837

Situations where the marketing is for a drug or treatment could improve the health of that individual.

Situations where the patient has already signed the covered entity's Notice of Privacy Practices.

A face-to-face encounter with the sales person of a company that provides drug samples

A communication involving a promotional gift of nominal value.

The situation where the patient has signed the Notice of Privacy Practices of the marketer.

Eligibility (270/271)

Premium Payment (820)

Unsolicited Claim Status (277)

Remittance Advice (835)

Functional Acknowledgment (997)

ICD-9-CM, Volumes 1 and 2

CPT-4

CDT

ICD-9-CM, Volume 3

NDC

Risk Analysis

Risk Management

Access Establishment and Modification

Isolating Health care Clearinghouse Function

Information System Activity Review

A covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form allowed by the regulations.

A face-to-face communication made by a covered entity to an individual is allowed by the regulations without an authorization

A promotional gift of nominal value provided by the covered entity is NOT allowed by the regulations without an authorization.

If the marketing is expected to result in direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is expected

Disclosure of PHI for marketing purposes is limited to disclosure to business associates (which could be a telemarketer) that undertakes marketing activities on behalf of the covered entity

270

835

278

820

834

Integrity Controls

Access Control and Validation Procedures

Emergency Mode Operation

Plan Response and Reporting

Risk Analysis

Title I.

Title II

Title III

Title IV.

Title V.

Their professional judgment and standards.

The policies set by the security rule for the protection of the information.

Specific guidelines set by WEDI.

Measures that are expedient and reduce costs.

The information for research and marketing purposes only.

Risk Management

Protection from Malicious Software

Facility Security Plan

Response and Reporting

Emergency Access Procedure

Technology specific

State of the art

Non-Comprehensive

Revolutionary

Scalable

The protected health information must be removed from the information. A substitute "key" may be supplied to allow re-identification, if needed.

Limit the information to coverage, dates of treatment, and payment amounts to avoid collecting any protected data.

Nothing. An oversight agency has the right to access this information without prior authorization.

Request that the insurance commissioner ask for an exception from HIPAA from the Department of Health and Human Services.

A written authorization is required from the patient.

Risk Analysis

Risk Management

Access Establishment and Modification

Isolating Health care Clearinghouse Function

Information System Activity Review

Security Management Process

Device and Media Controls

Information Access Management

Audit Controls

Transmission Security

Transmitted to a business associate for payment purposes only.

Stored on a smart card only by the patient.

Created or received by a credit company that provided a personal loan for surgical procedures.

Created or received by a health care clearinghouse for claim processing.

Requires the use of biometrics for access to records.

Eligibility (270/271)

Premium Payment (820)

Claim Status Notification (277)

Remittance Advice (835)

Functional Acknowledgment (997)

270

276

278

271

834

277.

278.

271.

82.

270.

In some circumstances a coveted entity is permitted, but not required, to rely on the judgment of the party requesting the disclosure as to the minimum amount of information necessary for the intended purpose. Some examples of these requesting parties are: another covered entity or a public official.

The privacy rule prohibits use, disclosure, or requests for an entire medical record.

Non-Covered entities need to redesign their facility to meet the requirement for minimum necessary uses.

The minimum necessary standard requires covered entities to prohibit maintenance of medical charts at bedside and to require that X-ray light boards be totally isolated.

If there is a request for more than the minimum necessary PHI, the privacy rule requires a covered entity to deny the disclosure of information after recording the event in the individual's case file.

Loop.

Enumerator.

Identifier

Data segment.

Code set.

Security Management Process

Facility Access Control

Security Awareness and Training

Workforce Security

Security Management Process

H must be written in plain, simple language

It must explicitly describe all uses of PHI

A description about the usage of hidden security cameras for tracking patient movements for implementing privacy.

A description of the duties of the individual

A statement that the individual must abide by the terms of the Notice.

The social security number has been selected as the National Health Identifier for individuals.

The COT code set is maintained by the American Medical Association.

Preferred Provider Organizations (PPO) are not covered by the definition of "health plan" for purposes of the National Health Plan Identifier

HIPAA requires health plans to accept every valid code contained in the approved code sets

An important objective of the Transaction Rule is to reduce the risk of security breaches through identifiers.

Security Awareness Training

Workforce Security

Facility Access Controls

Workstation Use

Workstation Security

Testing and Revision Procedures

Information System Activity Review

Response and Reporting

Data Backup Plan

Emergency Access Procedure

Access to the psychotherapy notes.

Request an amendment to their medical record.

Receive a digital certificate.

See an accounting of disclosures for which authorization was given.

The use of a smart card for accessing their records.

270/271

276/277

278/278

834/834

837/835

Access Establishment and Modification

Isolating Health care Clearinghouse Functions

Information System Activity Review

Risk Management

Risk Analysis

Covered entities that violate the standards or implementation specifications will be subjected to civil penalties of up to $100 per violation except that the total amount imposed on any one person in each calendar year may not exceed $25,000 for violations of one requirement

Criminal penalties for non-compliance are fines up to $65,000 and one year in prison for each requirement or prohibition violated

Criminal penalties for willful violation are fines up to $50,000 and one year in prison for each requirement or prohibition violated.

Criminal penalties for violations committed under “false pretenses” are fines up to $100,000 and five years in prison for each requirement or prohibition violated

Criminal penalties for violations committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain or malicious harm are fines up to $250,000 and ten years in prison for each requirement or prohibition violated

A list of authorized entities, together with their access rights.

Corroborating your identity.

The prevention of an unauthorized use of a resource.

Proving that nothing regarding your identity has been altered

Being unable to deny you took pan in a transaction.

Limited 1o the minimum necessary to accomplish the intended purpose.

Left to the professional judgment and discretion of the requestor.

Controlled totally by the requestor's pre-existing authorization document.

Governed by industry "best practices" regarding use

Left in force for eighteen (18) years.

Risk Analysis

Authorization and/or Supervision

Termination Procedures

Contingency Operations

Encryption and Decryption

A covered entity must use the applicable code set that is valid at the time the transaction is initiated.

April 14, 2003 is the compliance date for implementation of the National Provider Identifier.

CMS is responsible for updating the CPT-4 code set.

An organization that assigns NPIs is referred to as National Provider for Identifiers.

HHS assigns the Employer Identification Number (EIN), which has been selected as the National Provider Identifier for Health Care.

"Use" refers to the release, transfer, or divulging of IIHI between various covered entities

"Use" refers to adding, modifying and deleting the PHI by other covered entities.

"Use" refers to utilizing, examining, or analyzing IIHI within the covered entity

"Use" refers to the movement of de-identified information within an organization.

"Use" refers to the movement of information outside the entity holding the information

Is required for all Chain of Trust Agreements.

Must allow for the patient's written acknowledgement of receipt.

Must always be signed by the patient.

Must be signed in order for the patient's name to be sold to a mailing list organization

Is not required if an authorization is being developed

The Secretary is required by statue to Impose penalties of at least $100 per violation on any person or entity that fails to comply with a standard except that the total amount imposed on any one person in each calendar year may not exceed $1,000.000 for violations of one requirement

Health plans are required to accept all standard transactions.

Health plans may not require providers to make changes or additions to standard transactions

Health plans may not refuse or delay payment of standard transactions.

If additional information is added to a standard transaction it must not modify the definition, condition, intent, or use of a data element

Information Access Management

Security Management Process

Evaluation

Transmission Security

Device and Media Controls

Establish a business partner relationship with the other provider.

Obtain a signed authorization from the patient to cover the disclosure.

Make a copy of the signed Notice available to the other provider.

Obtain the patients signature on the second provider's Notice of Privacy Practices.

Do nothing more -the Notice of Privacy Practices covers treatment activities.