HCCA - CHPC Overview | HCCA - CHPC Study Questions (MASTER STUDY GUIDE) Questions With Verified Answers | LATEST UPDATED 2025/2026

HIPAA became law - Correct Answer 1996

What is the purpose of HIPAA? - Correct Answer
- To make health insurance portable under ERISA;
- To move health care onto a nationally standardized electronic billing platform; and
- To prevent fraud, waste and abuse

Intent - Correct Answer The purpose of this subtitle is to improve the Medicare program under title XVIII of the Social Security Act, the Medicaid program under title XIX of such Act, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.

HIPAA resides in what CFR section? - Correct Answer 45 CFR sections 164.102 through 164.534

Identify the four sections in the CFR by location and topic - Correct Answer
- Section One: 164.102 - 164.318 and 164.530 - 164.534, Organizational Requirements
- Section Two: 164.500 - 164.514, Use and Disclosure of Information
- Section Three: 164.520 - 164.528, Individual's Rights and Penalties
- Section Four: Interaction with the HIPAA Security Rule

How do you determine if an organization is a CE? - Correct Answer
- Compare the functions of the entity to the three principal types of "covered entities" (CE);
- Determine if the entity electronically transmits one of the nine defined transactions.

What are the different types of CEs? - Correct Answer
- Provider
- Health Plan
- Clearing House
- Other Types

How is a Provider defined? - Correct Answer
- "a provider of services" (as defined in section 1395x(u) of title XIX);
- "a provider of medical or other health services" (as defined in section 1395x(s) of title XIX);
- any other person furnishing health care services or supplies.

Does a provider need a standing facility to be considered a CE? - Correct Answer NO

What does "Health Plan" mean? - Correct Answer An individual or group plan that provides, or pays the cost of, medical care
- A group health plan, but only if the plan:
-- has 50 or more participants
CE definitions and is typical of large entities

What is an Organized Health Care Arrangement (OHCA)? - Correct Answer A clinically integrated care setting where individuals receive health care from more than one health care provider.

What is an Affiliated Covered Entity? - Correct Answer Legally distinct entities that share common control or common ownership and choose to designate themselves as one affiliated CE for the purposes of complying with the HIPAA Privacy standard.

What must an Affiliated Entity agree to? - Correct Answer Be treated as a single CE. Must agree to follow a standard policy and procedure.

What is a Business Associate? - Correct Answer
- The CE must either get "assurances" for privacy and security standards from their business partners or include a BA amendment to a contract.
- Where a separate legal entity uses or discloses Individually Identifiable Information on behalf of the CE.

What are examples of a BA? - Correct Answer claims processing, data analysis, billing, benefit management, quality assurance, quality improvement, practice management, legal, actuarial, accounting, accreditation, other administrative services

What has been the main complaint with holding a BA accountable under the 2000 Privacy Rule? - Correct Answer
- Lack of penalties for non-compliance
- Federal penalties could only be levied against the CE

Which new regulation corrected shortcomings of the HIPAA 2000 regulation concerning BAs? - Correct Answer Health Information Technology for Economic and Clinical Health (HITECH)

Who is now responsible for privacy and security of BAs? - Correct Answer The Business Associate; legal liability for violations, and possible penalties, flow directly to the entity that violates.

What nine transactions are used to determine if an organization is a CE? - Correct Answer
- Health claims or equivalent encounter information
- Health claims attachments
- Enrollment and disenrollment in a health plan
- Eligibility for a health plan
- Health care payment and remittance advice
- Health plan premium payments
- First report of injury
- Health claim status
- Referral certification and authorization

What is Protected Health Information (PHI)? - Correct Answer Information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes IIHI in education records covered by the Family Educational Rights and Privacy Act (FERPA).

What is Electronic Protected Health Information (EPHI)? - Correct Answer When IIHI is transmitted by electronic media or maintained in electronic media.

What is De-identified Information? - Correct Answer To be de-identified the data set must exclude:
- Names
- Geographic subdivisions smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
-- The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
-- The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code, except as permitted; and
-- The CE does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

What is a Limited data set? - Correct Answer A CE may use or disclose a limited data set if the CE enters into a data use agreement with the following direct identifiers

What is Unsecured PHI? - Correct Answer "PHI that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute"

Use & Disclosure (U&D), and Authorization - Correct Answer ...

Mandated Disclosures - Correct Answer
- To the individual who is the subject of the information (or their legal representative), and
- To the Secretary of Health and Human Services.

What is the one exception to releasing information? - Correct Answer The provider has determined that the information might cause harm to the individual who is the subject of the information (164.524(a)).

Use - Correct Answer Employment of information internally in an organization. This is interpreted to mean either inside the legal boundary of an entity or inside the HIPAA CE functions of a hybrid entity.

Disclosure - Correct Answer When information leaves the boundary of the legal entity or when it leaves the HIPAA CE functions in a hybrid entity.

What Rule changed the requirement that you track a disclosure as part of the TPO relationship? - Correct Answer HITECH

Do USE and DISCLOSURE mean the same thing? - Correct Answer No

Valid Authorization - Correct Answer Unless the HIPAA Privacy Rule has an exception, a client must provide a valid authorization for the use or disclosure of information.

Why is it more difficult to get Authorization today? - Correct Answer
- The Rule mandates that the form state a purpose that is meaningful and specific.
- This, combined with the requirement of including a sunset date or event, may mean that if you have a limited purpose you will have to renew the authorization on its expiration.

Use and Disclosure general rules that should be in a policy - Correct Answer
- CE may not use or disclose PHI, except as permitted or required...
- Minimum necessary
- Uses and disclosures of PHI subject to an agreed upon restriction
- Uses and disclosures of de-identified protected health information
- Disclosures to BAs
- Deceased individuals
- Personal representatives
- Confidential communications
- Uses and disclosures consistent with notice
- Disclosures by whistleblowers and workforce member crime victims.

Minimum Necessary - Correct Answer Using or disclosing information to limit protected health information to the minimum necessary
- Payment
- Business operations
- Research (under certain circumstances)
- As required by law
- To avert a serious threat to health or safety
- Workers compensation
- Public health activities
- Reporting abuse, neglect or domestic violence
- Health oversight activities
- Organ and tissue donation
- Lawsuits and disputes
- Law enforcement
- Specialized government functions.

To whom can deceased individuals' information be released at any time? - Correct Answer Decedent information can be released to coroners or medical examiners.

When can a decedent's information be released for research? - Correct Answer If the CE first obtains, from the researcher, a representation that the use or disclosure sought is solely for research on the protected health information of decedents.

What are two specific instances where a CE must seek permission from the individual if they want to use or disclose PHI? - Correct Answer
- "Facility directories,"
- Second is "uses and disclosures for involvement in the individual's care and notification purposes."

Is a valid authorization required for Psychotherapy Notes/Records? - Correct Answer Yes, except for TPO (including the entity's internal training program) and Marketing.

What are the seven elements of a valid Authorization? - Correct Answer
- A specific and meaningful description of the information to be disclosed, including specific records and service dates;
- A specific division is identified as the one authorized to disclose the medical record;
- The name or other specific identification of the person(s) or entity(ies) to whom disclosure can be made;
- A statement of the purpose of the requested disclosure (which may be "at the request of the client"), including any limitations on the use of the information;
- An expiration date or a valid expiration event AND check that the date has not passed nor has the expiration event occurred;
- A signature dated by the client or the client's authorized personal representative. If signed by the authorized personal representative, a description of such representative's authority to act for the client is provided;

What are the four statements to be included in a valid Authorization? - Correct Answer
- A statement of the client's right to revoke the authorization, exceptions to this right, and a

Request for Confidential Communication - Correct Answer The patient may request other communication channels not typical for the entity, such as email, or meeting in off-site locations.

What can an entity consider when they get a Request for Confidential Communication? - Correct Answer
- The entity must first determine if it is reasonable
- May refuse if they have to go to extraordinary lengths

Access and Copy Information - Correct Answer Patients are entitled to a copy of, or access to, the information in the designated record set.

How did HITECH change Access and Copy Information? - Correct Answer HITECH extended the requirements via electronic health records (EHRs). CEs must provide the patient (or individuals or entities authorized by the patient, such as doctors and personal health record services) with an electronic copy of their file.

Request to Amend - Correct Answer The client has the right to request an amendment to their designated record set if they determine it may be inaccurate.

Does a provider have to amend the record if a patient asks? - Correct Answer It is only a request. If the provider determines the record to be accurate, they can deny the request.

What can a patient do if the provider refuses to amend the record? - Correct Answer The client has the right to ask that their statement of inaccuracy be placed in the file.

Right to an Accounting of Disclosures - Correct Answer Patients are entitled to know the identity of those to whom information is disclosed, and the purpose of the disclosure.

Notice of Privacy Practice - Correct Answer
- CE must provide a Notice of Privacy Practice (NPP).
- This statement provides the rules of the road on how an entity will use and disclose information.
- These are the policies and procedures (P&P) that support the privacy and security of the information and the entity's commitment to the individual.

Violations where the offender didn't realize he or she violated the Act and would have handled the matter differently if known - Correct Answer
-- $100 fine for each violation,
-- Total not to exceed $25,000 for the calendar year.

Violations due to reasonable cause, but not "willful neglect" - Correct Answer
-- $1,000 fine for each violation,
-- Total not to exceed $100,000 for the calendar year.

Violations due to willful neglect that the organization ultimately corrected - Correct Answer
-- $10,000 fine for each violation,
-- Total not to exceed $250,000 for the calendar year.

Violations of willful neglect that the organization did not correct - Correct Answer
-- $50,000 fine for each violation,
-- Not to exceed $1,500,000 for the calendar year.

Under HITECH what can state AGs do? - Correct Answer Levy fines

Security Rule says an entity must: - Correct Answer
- Ensure the confidentiality, integrity, and availability (CIA) of all electronic protected health information (EPHI) the CE creates, receives, maintains, or transmits
- Support CIA through Administrative, Technical and Physical safeguards
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required
- Ensure compliance by the workforce.

Technically, the Security Rule is what? - Correct Answer Neutral; it outlines principles rather than single solutions.

What does the Privacy professional do related to a vulnerability? - Correct Answer Identify it as a vulnerability in their portion of the Security Risk Analysis (RA) and implement a mitigation scheme.

HIPAA grants the CE related to security - Correct Answer
- Covered entities may use any security measures that allow the CE to reasonably and appropriately implement the standards and implementation specifications.
- In deciding which security measures to use, a CE must take into account the following factors:
-- The size, complexity, and capabilities of the CE
-- The CE's technical infrastructure, hardware, and software security capabilities
-- The costs of security measures
-- The probability and criticality of potential risks to electronic protected health information.

How does privacy bridge the gap of security? - Correct Answer
- The privacy professional coordinates the administrative safeguards
- Generally limited to policies and procedures

Can "Addressable" Security requirements be ignored? - Correct Answer No