A) 1958.
B) 1989.
C) 2000.
D) 2012.
The HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule sets national standards for the protection of individually identifiable health information by three types of covered entities: health plans, healthcare clearinghouses, and healthcare providers who conduct standard healthcare transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (or April 14, 2004, for small health plans) [1].
A) April 20, 1995 (or April 20, 1996, for small health plans).
B) April 20, 2005 (or April 20, 2006, for small health plans).
C) December 31, 2000 (or December 31, 2001, for small health plans).
D) December 31, 2020 (or December 31, 2021, for small health plans).
The HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule sets national standards for the protection of individually identifiable health information by three types of covered entities: health plans, healthcare clearinghouses, and healthcare providers who conduct standard healthcare transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (or April 14, 2004, for small health plans) [1].
A) health plan.
B) healthcare clearinghouse.
C) healthcare provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA.
D) All of the above
As noted, the Privacy Rule, as well as all the Administrative Simplification Rules, apply to health plans, healthcare clearinghouses, and to any healthcare provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA [3]. These groups are referred to collectively as covered entities.
A) HMOs
B) Entities providing only workers' compensation
C) Entities providing only automobile insurance
D) Entities providing only property and casualty insurance
Individual and group plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. There are exceptions—a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity. Two types of government-funded programs are not health plans: those whose principal purpose is not providing or paying the cost of health care (e.g., the food stamps program), and those programs whose principal activity is directly providing health care (e.g., a community health center) or the making of grants to fund the direct provision of health care. Certain types of insurance entities are also not health plans, including entities providing only workers' compensation, automobile insurance, or property and casualty insurance. If an insurance entity has separable lines of business, one of which is a health plan, the HIPAA regulations apply to the entity with respect to the health plan line of business [3].
A) Sex
B) Name
C) Address
D) Birthdate
Individually identifiable health information is defined as information, including demographic data, that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual and relates to the [3]:
Individual's past, present, or future physical or mental health or condition
Provision of health care to the individual
Past, present, or future payment for the provision of health care to the individual
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
A) disclosures to or requests by a healthcare provider for treatment purposes.
B) disclosures to the individual who is the subject of the information.
C) uses or disclosures made pursuant to an individual's authorization.
D) All of the above
The Privacy Rule generally requires covered entities to take reasonable steps to limit the use of, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to [11]:
Disclosures to or requests by a healthcare provider for treatment purposes
Disclosures to the individual who is the subject of the information
Uses or disclosures made pursuant to an individual's authorization
Uses or disclosures required for compliance with the HIPAA Administrative Simplification Rules
Disclosures to the HHS when disclosure of information is required under the Privacy Rule for enforcement purposes
Uses or disclosures that are required by other law
A) A covered entity may disclose PHI to the individual who is the subject of the information.
B) A covered entity may NOT disclose PHI for the payment activities of another covered entity.
C) The Privacy Rule requires that every risk of an incidental use or disclosure of PHI be eliminated.
D) Most uses and disclosures of psychotherapy notes for treatment, payment, and healthcare operations purposes do not require an authorization.
A covered entity may use and disclose PHI for its own treatment, payment, and healthcare operations activities. A covered entity also may disclose PHI for the treatment activities of any healthcare provider, the payment activities of another covered entity and of any healthcare provider, or the healthcare operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the PHI pertains to the relationship [3].
For the purposes of the Privacy Rule, treatment is defined as the provision, coordination, or management of health care and related services for an individual by one or more healthcare providers, including consultation between providers regarding a patient and referral of a patient by one provider to another. Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a healthcare provider to obtain payment or be reimbursed for the provision of health care to an individual [3].
Healthcare operations are any of the following activities [3]:
Quality assessment and improvement activities, including case management and care coordination
Competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation
Conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs
Specified insurance functions, such as underwriting, risk rating, and reinsuring risk
Business planning, development, management, and administration
Business management and general administrative activities of the entity, including but not limited to:
De-identifying PHI
Creating a limited data set
Certain fundraising for the benefit of the covered entity
Most uses and disclosures of psychotherapy notes for treatment, payment, and healthcare operations purposes require an authorization. Obtaining consent (written permission from individuals to use and disclose their PHI for treatment, payment, and healthcare operations) is optional under the Privacy Rule for all covered entities. The content of a consent form, and the process for obtaining consent, are at the discretion of the covered entity electing to seek consent [3].
A) When a covered entity wishes to seek retaliation for a perceived injustice
B) To identify or locate a suspect, fugitive, material witness, or missing person
C) To alert law enforcement of a person's death, if the covered entity suspects that criminal activity caused the death
D) As required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests
Covered entities may disclose PHI to law enforcement officials for law enforcement purposes under the following circumstances, and subject to specified conditions [3]:
As required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests
To identify or locate a suspect, fugitive, material witness, or missing person
In response to a law enforcement official's request for information about a victim or suspected victim of a crime
To alert law enforcement of a person's death, if the covered entity suspects that criminal activity caused the death
When a covered entity believes that PHI is evidence of a crime that occurred on its premises
By a covered healthcare provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime
A) Individual review of each disclosure is not required.
B) In almost all cases, a covered entity may condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization.
C) A covered entity must obtain the individual's written authorization for any use or disclosure of PHI that is not for treatment, payment, or healthcare operations or otherwise permitted or required by the Privacy Rule.
D) Covered entities must establish and implement policies and procedures for routine, recurring disclosures or requests for disclosures that limit the PHI disclosed to that which is the minimum amount reasonably necessary to achieve the purpose of the disclosure.
A covered entity must obtain the individual's written authorization for any use or disclosure of PHI that is not for treatment, payment, or healthcare operations or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances [3]. Covered entities must establish and implement policies and procedures (which may be standard protocols) for routine, recurring disclosures or requests for disclosures that limit the PHI disclosed to that which is the minimum amount reasonably necessary to achieve the purpose of the disclosure. Individual review of each disclosure is not required. For non-routine, non-recurring disclosures or requests for disclosures that it makes, a covered entity must develop criteria designed to limit disclosures to the information reasonably necessary to accomplish the purpose of the disclosure and must review each of these requests individually in accordance with the established criteria.
An authorization must be written in specific terms. It may allow use and disclosure of PHI by the covered entity seeking the authorization or by a third party. Examples of disclosures that would require an individual's authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for their own marketing purposes [3].
All authorizations must be in plain language and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data [3].
A) by prompt mailing for electronic service delivery.
B) not later than the third service encounter by personal delivery for patient visits.
C) by posting the notice at each service delivery site in a clear and prominent place.
D) by automatic and contemporaneous electronic response for telephonic service delivery.
A covered healthcare provider with a direct treatment relationship with individuals must have delivered a privacy practices notice to patients [3]:
Not later than the first service encounter by personal delivery (for patient visits), by automatic and contemporaneous electronic response (for electronic service delivery), and by prompt mailing (for telephonic service delivery)
By posting the notice at each service delivery site in a clear and prominent place where people seeking service may reasonably be expected to be able to read the notice
In emergency treatment situations, as soon as practicable after the emergency abates
A) Treatment plans
B) Psychotherapy notes
C) Diagnostic imaging results
D) Documented patient histories
Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI in a covered entity's designated record set. The designated record set is that group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about individuals, or that is a provider's medical and billing records about individuals or a health plan's enrollment, payment, claims adjudication, and case or medical management record systems. The Rule excepts from the right of access the following PHI:
Psychotherapy notes
Information compiled for legal proceedings
Laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access
Information held by certain research laboratories
A) six months immediately preceding the accounting request.
B) two years immediately preceding the accounting request.
C) six years immediately preceding the accounting request.
D) nine years immediately preceding the accounting request.
Individuals have a right to an accounting of the disclosures of their PHI by a covered entity or the covered entity's business associates. The maximum disclosure accounting period is the six years immediately preceding the accounting request, except that a covered entity is not obligated to account for any disclosure made before its Privacy Rule compliance date.
A) Trainee
B) Employee
C) Volunteer
D) All of the above
A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. Workforce members include employees, volunteers, trainees, and other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule [3].
A) outsource compliance activities to an approved officer.
B) protect against unanticipated, permissible uses or disclosures.
C) ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit.
D) identify and protect against obscure and unanticipated threats to the security or integrity of the information.
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must [5]:
Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit
Identify and protect against reasonably anticipated threats to the security or integrity of the information
Protect against reasonably anticipated, impermissible uses or disclosures
Ensure compliance by their workforce
A) The costs of security measures
B) Its size, complexity, and capabilities
C) The ease by which it can provide trainings
D) Its technical, hardware, and software infrastructure
When a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider [5]:
Its size, complexity, and capabilities
Its technical, hardware, and software infrastructure
The costs of security measures
The likelihood and possible impact of potential risks to e-PHI
A) is an optional process.
B) should be an ongoing process.
C) occur no more often than annually.
D) should not affect the safeguards implemented.
The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule [5].
A risk analysis process includes, but is not limited to, the following [5]:
Evaluating the likelihood and impact of potential risks to e-PHI
Implementing appropriate security measures to address the risks identified in the risk analysis
Documenting the chosen security measures and, where required, the rationale for adopting those measures
Maintaining continuous, reasonable, and appropriate security protections
Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly re-evaluates potential risks to e-PHI [5].
A) affected individuals.
B) the company executive.
C) other companies in the same field.
D) the Secretary of Homeland Security.
Following a breach of unsecured PHI, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.
A) Office for Civil Rights
B) Department of Justice
C) Centers for Disease Control and Prevention
D) Occupational Safety and Health Administration
The OCR is responsible for enforcing the Privacy and Security Rules. It does so through an established complaint resolution process. The OCR enforces the Privacy and Security Rules by [8]:
Investigating filed complaints
Conducting compliance reviews to determine if covered entities are in compliance
Performing education and outreach to foster compliance with the Rules' requirements
A) 7 days of receipt of the notice.
B) 30 days of receipt of the notice.
C) 60 days of receipt of the notice.
D) 120 days of receipt of the notice.
Before the OCR imposes a penalty, it will notify the covered entity and provide the covered entity with an opportunity to provide written evidence of those circumstances that would reduce or bar a penalty. This evidence must be submitted to the OCR within 30 days of receipt of the notice. In addition, if the OCR states that it intends to impose a penalty, a covered entity has the right to request an administrative hearing to appeal the proposed penalty [3].
A) seek payment for services.
B) protect businesses from litigation.
C) state reporting on health care delivery or costs.
D) provide administrative support to state educational institutions.
In addition, preemption of a contrary state law will not occur if the HHS determines, in response to a request from a state or other entity or person, that the state law [3]:
Is necessary to prevent fraud and abuse related to the provision of or payment for health care
Is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation
Is necessary for state reporting on health care delivery or costs
Is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy or Security Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served
Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances, or that is deemed a controlled substance by state law