Download 2025 HCCA-CHPC EXAM STUDY GUIDE/300+ACTUAL QUESTIONS AND ANSWERS|GRADED A+ and more Exams Public Health in PDF only on Docsity!
2025 HCCA-CHPC EXAM STUDY GUIDE/300+ACTUAL
QUESTIONS AND ANSWERS|GRADED A+
What is the purpose of HIPAA? ANS:->> • Protect PHI from unauthorized disclosure/use;
- Prevent fraud, waste and abuse (via Administrative Simplification);
- Make health insurance portable under ERISA;
- Move health care onto a nationally standardized electronic billing platform HIPAA resides in which CFR section? ANS:->> 45 CFR sections 164.102 through 164. What are the subparts of HIPAA part 164? ANS:->> HIPAA - 45 CFR 164, subparts: Subpart A - General rulesSubpart C - Security Subpart D - Breach notificationSubpart E - Privacy https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part- 164
How do you determine if an organization is a "Covered Entity"? ANS:->> 1. compare if the organization meets one of the 3 types of CE (provider, health plan, clearinghouse) and
- determine if the organization electronically transmits one of the 9 defined transactions:
- Health claims or equivalent encounter information
- Health claims attachments
- Enrollment and disenrollment in a health plan
- Eligibility for a health plan
- Health care payment and remittance advice
- Health plan premium payments
- First report of injury
- Health claim status
- Referral certification and authorization In addition, business associates of covered entities must follow parts of the HIPAA regulations. This Act established in 1974 was created for government agencies placing restrictions on how the government can share the information maintained in Federal systems of records that might infringe on an individual's privacy rights with other individuals and agencies.
ACEs do not have an Integrated Delivery System, while OHCA do, and can share asingle NPP. See 45 CFR § 164.520(d) ACE example: a health system composed on several affiliated hospitals. Both the OHCA and the ACE would allow sharing of PHI across participating entity lines for treatment, payment, operations purposes (TPO). What's a Hybrid Entity? ANS:->> Entity that conducts both covered functions (or healthcare-functions) and non-covered functions (other biz/non-healthcare functions) to elect to be a "hybrid entity." For instance, a University System that has a research laboratory or academic medical center. The post-secondary functions (non-healthcare components) do NOT need to comply with HIPAA. The research lab/med center functions (healthcare component) needs to comply with HIPAA provisions to protect the use/disclosure of PHI involved. The transmission of information between two parties to carry out financial or administrative activities related to health care is called:
ANS:->> Transaction (healthcare transaction). Few examples of healthcare transactions: healthcare claims; coordination of benefits; health plan premium payments; remittance advice (or ETF, electronic fund transfer);referral certification and authorization What are examples of a BA? ANS:->> BA (Business Associate) - performs functions or activities on behalf of a covered entity that involve access by the business associate to protected health information. Examples: claims processing data analysis billing benefit management quality assurance quality improvement practice
ANS:->> Byunderstanding the applicability (healthcare component), entities that transmit health information and fall under the 3 types of CE (health plans, clearinghouses, and providers) HIPAA provide standards for the access, disclosure, transmission, and retention of PHI, and created a national baseline for health information Privacy and Security. At the state level, they can also develop health information statutes but only adding higher or more restrictive standards than the Federal HIPAA rules. This is referred as: a. HIPAA status b. HIPAA assurance c. HIPAA preemption d. HIPAA state law ANS:->> c. HIPAA preemption What is the intent of HIPAA? a. standardize healthcare billing and coding to comply with national accounting principles b. increase payment from providers given the rising cost of healthcare and fraud violations c. allow group health plans collect premiums after individual has left a
job/employer d. improve healthcare programs and data flow between providers to data mine for fraudulent behavior ANS:->> d. improve healthcare programs and data flow between providers to data mine for fraudulent behavior The intent of HIPAA is to improve healthcare programs and the delivery of services through the two largest health plans in the U.S., This is accomplished by improved dataflows that leads to better outcomes using national standards formats and specific transactions to increase accuracy and rapid way to data mine ad detect fraudulent behavior. What is an OHCA? ANS:->> OHCA (Organized Health Care Arrangement) it's a clinically integrated care setting where individuals receive health care from more than one provider. These are joint arrangements/activities and have an Integrated Delivery System for easy exchange of PHI data. See 45 CFR 160.103. OHCAs can also utilize a joint NPP.See 45 CFR § 164.520(d). ACE (Affiliated Covered Entity) do not have an Integrated Delivery System because these are legally separate covered entities that are associated in business,
specific authorization True or False: Research use/disclosure with individual authorization does not expire or continue until the end of the research study ANS:->> TRUE https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html True or False: Research use/disclosure with individual authorization may be combined with an authorization for a different research activity if research related treatment is conditioned on the provision of one of the authorizations ANS:->> TRUE https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html True or False: Research use/disclosure with individual authorization may be combined with other legal permission or consent to participate in the research ANS:->> TRUE https://www.hhs.gov/hipaa/for-professionals/special- topics/research/index.html True of False:
Is it possible for a facility with multiple provider functions to have certain isolated providers or groups who are subject to Part 2, while the facility as a whole is not subject to Part 2. For example, a large facility may have primary care providers and a separate unit that provides SUD services. ANS:->> TRUE Explanation: The SUD unit is subject to Part 2, but the rest of the facility is not. True or False: An individual provider who works in a general medical facility could also be a Part 2 program IF the provider's primary function is to provide SUD services. ANS:->> TRUE Explanation: For example, a primary care physician who provides medication-assisted treatment would only meet the requirement if providing services to persons with SUD is their primary function. However, If a patient were to receive both primary care and SUD treatment, the SUD providers are still subject to Part 2 and could not share information with the patient's primary care provider without consent. True or False: A program or facility that provides both, SUD services and Mental Health Services, and a patient has been admitted to receiving both services, his/her records will be subject tothe Part 2 regulations ANS:->> FALSE Explanation: Mental health information is not subject to the standards in 42 CFR Part 2 and can be shared without consent for treatment purposes, including care coordination,
protect the privacy of subjects An individual must authorize these marketing communications before they can occur, except: a. when the communication is not for the purpose of providing treatment advice b. communication from a health insurer to promote their products/services c. communication in training material using their photo d. hospital uses its patient list to announce the arrival of a new specialty group in general mailing ANS:->> Except: d. hospital uses its patient list to announce the arrival of a new specialty group This activity does not meet the "marketing" definition, for instance, the disclosure of PHI in this example is not for exchange of remuneration, or to encourage use of product, promote services. https://www.hhs.gov/hipaa/for- professionals/privacy/guidance/marketing/index.html True or False: It is important that when contracting with payers or health plans they follow not only the HIPAA security but also the privacy rule to protect beneficiaries PHI including use/disclosure during payer's marketing activities ANS:->> TRUE Which of the following requires a Business Associate contract/agreement: a. independent medical transcriptionist b. entities that participate in an OHCA (organized healthcare arrangement) c. when a provider simply accepts a discounted rate to participate in the health plan's network d. US Postal Services or private carriers ANS:->> a. independent medical transcriptionist explanation: this is an outsourced service that handles PHI on behalf of the CE. The transcriptionist is performing an activity for the CE that contains PHI and a BAA is required to ensure proper use and disclosure. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business- associates/index.html Is a covered entity required to provide notice to individuals about its disclosures of PHI to a PHA for public health purposes? ANS:->> Yes. This is in the covered entity's Notice of Privacy Practices (NPP). The Privacy Rule requires a covered entity to include in its NPP a description of the purposes, which would include public health purposes, for which the covered entity may use or disclose PHI without an individual's authorization.
However, the Privacy Rule does not require a business associate (such as an HIE that is a business associate) to provide individuals with a NPP. True of False: OHCAs and ACEs are able to produce a joint Notice of Privacy Practice (NPP) ANS:->> FALSE Explanation: OHCAs are joint arrangements, have an Integrated Delivery System, and therefore agree to abide by the terms of the notice with respect to PHI created or received by the covered entity as part of its participation in the OHCA. ACEs are legally separate covered entities working together and unable to use a joint NPP and they might still have separate EHRs, separate HIM/ROI functions, etc. and therefore, the PHI data is not create or receive in the same manner. See 45 CFR 164.520(d) https://www.law.cornell.edu/cfr/text/45/164. True or False: It is your last day at your pediatric clinical site and you are saying goodbye to all of your favorite patients. You take a picture on your phone of a few of the patients posing together and later post it to your private blog as an illustration of your last day. Since your blog is private and can only be accessed by those who know the URL, you are not in violation of HIPAA regulations. ANS:->> FALSE Fill in the blank: In the mid-1990s, OIG began to require providers settling civil health care fraud cases toenter into specific type of agreements as a condition for OIG not pursuing exclusion. These agreements are referred as: ANS:->> Corporate integrity Agreements (CIA) The foundation for establishing a good relationship with a vendor is the Contract. A contract is an exchange of promise, services for money, with a specific remedy for breach of contract. What are some of the key basic elements to contracts. ANS:->> Basic key elements to contacts include: I. Agreement (Offer and Acceptance) II. Capacity to contract (ability to perform, ask for proof, bios of staff that will perform the critical services) III. Consideration (remuneration must be defined) IV. Legal purpose (legal requirements, defined measures including subcontractors responsibilities) V. Legality of form (use key legal language or clauses, assurances)
It is a key concept under the PRIVACY Rule. Re: HIPAA Authorization Is there any information we can release to a person who is calling on behalf of a patient who is not authorized in a release form? ANS:->> Patient must be given an "opportunity to agree or object" keeping in mind:
- you can obtain patient's agreement verbally, over the phone, BUT makes notes in file 2. only disclose the Minimum Necessary https://thehipaaetool.com/hipaa-authorization-required/ Re: HIPAA Authorization When my patients are being treated for car accident injuries, we often receive requests for PHI from lawyers. I am not sure if we should provide the information and don't know how to decide whether the request is legitimate. How do we validate the request is legitimate? ANS:->> Ensure is a valid HIPAA authorization: MUST have the authorization 6 core elements and 3 key statements as per 45 CFR § 164.508 (c)(1) and (2) https://www.law.cornell.edu/cfr/text/45/164. Re: HIPAA Authorization One of my long term (dental) patients was recently diagnosed with cancer. His new oncologist's assistant called to request his PHI from our files. I don't know if the patient knows or has authorized this. Can the request be fulfilled? ANS:->> YES, no authorization is required for purposes of TPO. But, ensure the request is in writing including: Covered Entity's name; Patient's name; Date of the event/time of treatment; and Reason for the request. https://thehipaaetool.com/hipaa-authorization-required/ Re: HIPAA Authorization (suspected domestic violence) I strongly suspect that a patient is a victim of domestic violence, although the patient has not confided in me. The abuse seems to be escalating, judging by the
injuries I've seen. May I do anything? ANS:->> You may, this may be an exception to the HIPAA Privacy Rule. IF you reasonably believe the patient to be a victim of adult abuse, neglect or violence, you may report to the appropriate government agency. You may also obtain patient's agreement, but not required. ARRA passed in 2009, key items to know: ANS:->> ARRA - also known as "Obama Stimulus" in response to the 2008 recession ARRA mandated government spending, tax cuts, and loan guarantees for financial relief to families. ARRA required hospitals to computerize medical records and modernize HIT systems (HITECH). And breach notification provision implemented under HITECH https://en.wikipedia.org/wiki/American_Recovery_and_Reinvestment_Act_o f_2009 https://www.hhs.gov/hipaa/for-professionals/breach- notification/laws-regulations/final- rule-update/hitech/index.html IIHI ANS:->> Individually Identifiable Health Information It's any part of an individual's health information, including demographic information (e.g. address, date of birth) collected from the individual PHI ANS:->> Protected Health Information Info transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. (PHI excludes IIHI education records covered by FERPA) What is de-identified information? ANS:->> Removing the HIPAA individual identifiable information. This is accomplish by two methods: Expert Determination: de-identification of PHI by an expert (statistical or scientific principles) Safe Harbor: removing the 18 identifiers https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de- identification/index.html What is re-identification? ANS:->> CE may assign a number for re- identification; however, the creation of the numbering system should not be based on the information and the CE is forbidden from disclosing the e-
- name of the individual/person authorized to make the requested disclosure 3. name or other identification of the recipient of the information
- description of each purpose of the disclosure 5. expiration date for the authorization
- signature and date of the individual or their personal representative (someone authorized to make health care decisions on behalf of the individual) https://www.law.cornell.edu/cfr/text/45/ 64.508 and https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency- preparedness/authorization/index.html Valid Authorization 3 key statements (see 45 CFR § 164.508(c)(2)): ANS:-
The statements are to be included in a valid Authorization:
- A statement of the person's right to revoke the authorization, exceptions to this right, and a description of how to revoke:
- A statement that treatment, payment, enrollment or eligibility for benefits may NOT be conditioned upon signing the authorization;
- A statement regarding the potential that the information disclosed pursuant to the authorization may be re-disclosed by the recipient and, if so, it may no longer be protected by a federal confidentiality law; Note: the person signing the authorization has the right to (or will receive) a copy of the authorization. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part- 164/subpart-E/section- 164. Fill in the blanks: The three types of AUTHORIZATION: VALID - must have all the 6 required core elements and 3 statements/notices D - lacks any of the required elements/statements, or expiration date has passed, or revoked, etc. C - typically allowed in research studies, this authorization may be combined with another written permission IF it's for the same research related studies ANS:->> Defective; Compound Request for Restrictions ANS:->> patient has the right to request restrictions on the U&D of information, even for the TPO exception. Provider must determine if it is reasonable, accommodate request, and abide toagreement.
Ref § 164.520 - Notice of privacy practices for protected health information. Request for Confidential Communication ANS:->> Patient may request other communication channels not typical for the entity, such as email, or meeting in off- site locations. What is the difference between HIPAA security and privacy? ANS:->> Security
- covers ePHI Privacy - covers all forms (electronic, oral, written) 45 CFR 164 - Subpart C outlines the three safeguards to ensure the , , of ePHI that both, CE and BA must implement to ensure compliance and protect against anticipated threats, and/or reasonably anticipated uses/disclosures (incidental/inadvertent/unintentional) ANS:->> Confidentiality, integrity, availability Note: Accidental - must be reported. An accidental HIPAA violation refers to the unauthorized disclosure of PHI (protected health information) without intent. Despite having safeguards and protective measures in place, there is still a possibility of breaching HIPAA regulations. These types of violations could include an employee accidentally seeing a different patient's medical records, an email being sent to the wrong person or the loss or theft of a personal device that contains PHI. https://www.hipaajournal.com/accidental-hipaa-violation/ Research HIPAA Waiver criteria: ANS:->> Research Waiver In order for research to be conducted, it must meet a minimum set of waiver criteriaelements. Elements that must be met to meet wavier criteria are:
- the use or disclosure for the research involved minimum risk to the patient;
- the research could not be conducted without proper access to the waiver being approved; and
- the research could not be conducted without proper access to the use of the PHI. 45 CFR 164.512 (i)(2) What's malicious software? ANS:->> malware, is software that is used to control or take over applications, workstations, or servers, damage/disrupt a system. See Security Rule, definitions - 45 CFR 164. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part- 164/subpart-C/section- 164.
