RHIA Chapter 11
Chapter 11 of the RHIA Book
Question | Answer |
---|---|
What is privacy? | The freedom from unauthorized intrusion. The right of a patient to control disclosure of protected health information. |
What is confidentiality? | Establishes the healthcare provider's responsibility for protecting health records and other personal and private information from unauthorized use or disclosure. Data or information is not made available or disclosed to unauthorized persons or processes |
What is security? | The means used to control access and protect information from accidental or intentional disclosure to unauthorized persons and from unauthorized alteration, destruction or loss. |
Why was HIPAA (Health Insurance Portability and Accountability Act) initially established? | To ensure health insurance continuity (portability), set standards for electronic claims and national identifiers, and protect against fraud and abuse. |
What was HIPAA (Health Insurance Portability and Accountability Act) expanded to include? | To establish national standards for the protection of privacy and the assurance of the security of health information. |
Where is the Privacy Rule, Security Rule, and Breach Notification Rule located in HIPAA (Health Insurance Portability and Accountability Act)? | Title II, known as the Administrative Simplification Provisions |
What is PHI (protected health information)? | Individually identifiable health information held or transmitted by a covered entity or business associate. |
What is individually identifiable health information? | Information that identifies the individual, or for which there is a reasonable belief that it can be used to identify the individual. |
What can individually identifiable health information relate to? | The individual's past, present, or future physical or mental condition; the provision of healthcare to the individual; or the past, present, or future payment for the provision of healthcare to the individual. |
What is a covered entity? | A health plan, healthcare clearinghouse, or healthcare provider that transmits information in electronic form in connection with a transaction. |
What is a business associate (BA)? | A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of or provides services to a covered entity. |
Where is the Privacy Rule located in HIPAA (Health Insurance Portability and Accountability Act)? | 45 CFR Part 160 and Subparts A and E of Part 164. |
What is the goal of the Privacy Rule? | To assure the protection of health information. Specifically, the goal is to address the use and disclosure of PHI, as well as standards for individuals' privacy rights to understand and control how their health information is used and shared. |
What are the three main purposes of the Privacy Rule? | To protect and enhance the rights of healthcare consumers by providing them access to their health information and ensure the appropriate use of that information, improve quality of healthcare in the US, to improve the efficiency and effectiveness |
How many primary sections can the Privacy Rule be broken into? | Eight |
What is the purpose of the Security Rule? | To operationalize the protections identified in the Privacy Rule by addressing the technical and nontechnical safeguards that covered entities must put in place to secure individuals' ePHI. |
Where in HIPAA (Health Insurance Portability and Accountability Act) does the Security Rule exist? | 45 CFR Part 160 and Subparts A and C of Part 164 |
What types of safeguards are included in the Security Rule? | Administrative Safeguards, Physical Safeguards, Technical Safeguards, and Organizational Safeguards |
What are examples of administrative safeguards? | Policies and procedures to manage administrative actions; policies and procedures to prevent, detect, contain, and correct security violations. |
What are examples of physical safeguards? | Surveillance cameras and identification badges; measures to protect information systems, buildings, and equipment from natural and environmental hazards. |
What are examples of technical safeguards? | Automatic logoff and unique user identification; measures to protect access to and control of ePHI. |
What are examples of organizational safeguards? | BAAs, requirement to have written policies and procedures to comply with the HIPAA Security Rule, make sure they are updated on a regular basis, and that they are provided to staff |
What are required standards in the Security Rule? | Standards that are mandated, and the organization must implement them as written by the HIPAA Security Rule. |
What are the addressable standards in the Security Rule? | Provide flexibility to the covered entity and business associates by allowing the organization to implement the standard based upon: the size and complexity, the organization's technical infrastructure, hardware, and software; costs, risks |
What act was the HITECH (Health Information Technology for Economic and Clinical Health) part of? | American Recovery and Reinvestment Act (ARRA) |
How did the HITECH (Health Information Technology for Economic and Clinical Health) Act strengthen the Privacy Rule and Security Rule? | Mandatory reporting requirements/penalties for breaches, new enforcement responsibilities, new privacy requirements, extended requirements to the business associates |
What is the HITECH-HIPAA Omnibus Privacy Act also called? | Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rule Under the Health Information Technology for Economic and Clinical Health Act, and the Genetic Information Nondiscrimination Act |
What does the HITECH-HIPAA Omnibus Act do? | Strengthens the privacy and security of PHI, modifies the Breach Notification Rule, strengthens privacy protections for genetic information by prohibiting health plans from using or disclosing such information for underwriting, and increases the liability of BAs. |
What is the Breach Notification Rule? | Created under the HITECH Act. Entails notifying patients if their PHI has been breached. Unauthorized uses and disclosures of any PHI at any time may be considered a data breach under the updated regulations. New process. Short timeline. |
How does the HITECH-HIPAA Omnibus Act define a breach? | An acquisition, access, use or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the CE or BA, as applicable, demonstrates there is a low probability the PHI was compromised |
What should a breach risk assessment include? | The nature and extent of the PHI involved in the data breach, the unauthorized person (people) who used the PHI and to whom it was disclosed, Whether the PHI was viewed, acquired, or redisclosed, The extent to which the risk to the PHI has been mitigated |
How long under the Breach Notification Rule does a covered entity have to notify affected individuals? | 60 days |
What else must be done under the Breach Notification Rule if 500 or more individuals were affected? | The secretary of the HHS must be notified within 60 days of the date of discovery of the breach and the local media must be contacted. |
What else must be done under the Breach Notification Rule if less than 500 individuals were affected? | The HHS secretary must be notified annually but no later than 60 days after the calendar year in which the data breach occurred. |
What are three exceptions to the Breach Notification Rule requirement? | The PHI disclosure was not intentional and the individual that received the information is required to keep it confidential; the disclosure was unintentional by a workforce member with the same additional information; the PHI could not have been retained by the receiver. |
What is HIPAA Enforcement under the Omnibus Rule (Enforcement Rule)? | Contains provisions relating to compliance, investigations, penalties for violations, and procedures for hearings. |
What are possible penalties for a breach? | A corrective action plan (CAR) or civil monetary penalty (CMP) |
What are the four tiers of fines for a breach? | Tier 1 - Did not know, Tier 2 - Reasonable Cause, Tier 3 - Willful Neglect-corrected (within 30 days), Tier 4 Willful Neglect-not corrected (within 30 days) |
What is reasonable cause as it applies to Tier 2 of breach fines? | An act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but without willful neglect. |
What is Willful Neglect as it applies to Tier 3 or 4 of breach fines? | Conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated |
What is a CMP (civil monetary penalty) based on? | Nature and extent of violation, nature and extent of harm resulting from the violation, covered entity or business associates' prior compliance with HIPAA regulations, financial condition of the covered entity or business associate |
What is Use of PHI? | Use is defined as the sharing, employment, application, utilization, examination, or analysis within a covered entity that creates and maintains the PHI. |
What is Disclosure in PHI? | Disclosure is the release, transfer, provision or access to, or divulging in any manner of information outside the entity holding the information. |
What is an authorization? | A document that gives covered entities permission to use PHI for specified purposes or to disclose PHI to a third party specified by the individual. |
How does the HIPAA Privacy Rule define a designated record set? | A group of records maintained by or for a covered entity that may include patient medical and billing records; the enrollment, payment, claims, adjudication, and case or medical management record systems maintained by or for a health plan; and records used to make care-related decisions. |
What is the designated record set used for? | Support a variety of patients' rights under the HIPAA Privacy Rule, such as patients' access to PHI, electronic copy of PHI, and amendment of a record. |
For what does the HIPAA Privacy Rule require a valid authorization to disclose information for? | Disclosure of PHI not permitted to be released without an authorization, Psychotherapy notes, Marketing, Sale of protected information |
How long does a covered entity have to respond to a request for disclosure of PHI? | 30 days |
What makes an authorization defective under the HIPAA Privacy Rule? | The expiration date has passed or the expiration event has occurred; the authorization is not completely filled out; the authorization has been revoked; required elements are missing; a compound authorization is used; information is known to be false. |
What type of combination authorization can be used under the Omnibus Rule? | Conditioned and unconditioned research on one form |
What is a conditioned authorization? | Used for an individual to consent into the main research study |
What is an unconditioned authorization? | Used for the individual to consent into additional research studies if the patient elects to be involved. |
What are some uses of PHI where an authorization is not needed? | To business associates, required by law, for public health reporting, other public health activities, victims of abuse, neglect or domestic violence, health oversight activities, judicial and administrative proceedings, law enforcement, organ donation |
What is not included in the accounting of disclosures? | Carrying out treatment, payment, and healthcare operations, receiving own information, facility directory, national security or intelligence purposes, correctional institutions or law enforcement, limited data set, prior to compliance date for the CE |
How long does a facility have to provide an accounting of disclosures? | 60 days |
What must an accounting of disclosures include? | Date of disclosures, Name or entity that received the PHI, a brief description of the PHI, a brief statement of the purpose of the disclosure |
What is deidentification? | Health information that has had identifiers removed so there is not the capability to reasonably identify the individual to which the information belongs. |
What methods of deidentification are allowed under HIPAA (Health Insurance Portability and Accountability Act)? | Expert determination method and safe harbor method |
What is the expert determination method for deidentification? | Data elements that could identify an individual are removed from the data, and then an expert the organization hires, such as a statistician, applies scientific methodology to determine the likelihood of identification of the individual and provides a probability. |
What is the safe harbor method of deidentification? | Requires the covered entity or business associate to remove 18 elements from the health information. |
What is reidentification? | An organization can apply a specific code, or other means, to the data for future reidentification purposes; however, the specific code cannot be derived from any data elements that come from the patient's PHI. The code must be kept separate from the data. |
How is disclosure of PHI within the facility directory accepted or denied? | Orally |
What PHI can be added to the facility directory if allowed? | Patient Name, Individual's location in the facility, individual's condition, religious affiliation |
How does the Joint Commission recommend that a patient's identity is verified? | Minimum of two different data elements. |
Where is the confidentiality of alcohol and drug abuse in patient records addressed in the HIPAA Privacy Rule? | 42 CFR Part 2 Subpart B. Called the Confidentiality of Substance Use Disorder Patient Records |
What exceptions are included in the Confidentiality of Substance Use Disorder Patient Records requirements? | Medical Emergencies and Food and Drug Administration. Specific statements need to be included. |
What additional notice is required for alcohol and drug abuse patients? | A Notice of Confidentiality of Alcohol and Drug Abuse Records |
What is the Guide to Privacy and Security of Health Information used for? | To guide healthcare organizations through the establishment and creation of a privacy and security compliance program within their organization. It offers a 7-step approach. |
What is a risk analysis? | A systematic process for reviewing all systems, applications, and processes to identify potential threats and vulnerabilities, document current controls, and understand the likelihood of the impact |
What are tasks of a HIPAA Security Officer regarding Risk? | Lead the HIPAA Risk Analysis Process, Establish a Plan for the Risk Management component of the HIPAA requirements |
What is a common risk analysis methodology? | The NIST (National Institute of Standards and Technology) methodology |
What are three basic methods for addressing risk? | Mitigate the risk, Transfer the Risk, Accept the Risk |
What is residual risk? | Risks that remain even after the current safeguards and controls are applied; they will continue to exist because no additional controls would be implemented. |
What related to risk must be attested to as part of Meaningful Use in the Promoting Interoperability (PI) Program? | Eligible hospitals and critical access hospitals must attest that they have conducted a security risk analysis during the calendar year in which the EHR reporting period occurs, referred to as the performance period. |
What are five security components of risk management? | Administrative safeguards, physical safeguards, technical safeguards, organizational safeguards, policies and procedures |
What is an audit? | A function that allows retrospective reconstruction of events, including who executed the events in question, why, and what changes were made as a result. |
What is an audit log? | A chronological record of electronic system activity, capturing individual user activity over a period of time as well as the different actions a user takes within the system. |
What is a contingency plan? | Also known as a disaster plan. Prepares organizations for a potential event that could impact the ability to access patient information, the integrity of the information, or the confidentiality of the information. Disrupts normal day-to-day operations. |
What part of HIPAA requires a contingency plan? | The HIPAA Security Rule. |
What are the requirements under a contingency plan? | data backups, disaster recovery plan, emergency mode operation plan, emergency access |
What is a data backup plan? | Defines how the system is being backed up, the method of backing up the data, location of the backup, frequency of the backup, and testing of the backup. All data must be backed up. |
What does a functional backup plan include? | Processing for backing up all data on all systems, Description and location of the electronic, hybrid or patient records, processes for recreating data tables, contracts, licenses, assignment of responsibility for each component, an estimate of function |
What is a disaster recovery plan? | Defines the processes for recovery of data in the event of a disaster. Procedures for recovering lost data. Downtime data. |
What is an emergency mode operation plan? | Creates processes and procedures to support the continuation of critical business and patient care operations while protecting the security of ePHI in the event of disaster. |
What should an emergency mode plan include? | Detailed communication plan, Documentation requirements, Emergency registration sets, Emergency paper chart, downtime procedures for paper documentation, stickers for alerts/allergies, filing procedures that will allow for info to be accessed later |
What is a software criticality analysis? | Required under the HIPAA Security Rule. Consists of evaluating each of the different systems of the organization to determine how crucial the information in the system is to day-to-day healthcare operations and patient care. |
What are common types of data security methods? | Authentication, malicious software protection, evaluation, data encryption |
What is user authentication? | The process where an end user logs into an electronic system using specific credentials defined by the organization. |
What is two-factor authentication? | Provides additional security to the authentication process as it requires one additional step to verify the user's identification. |
What is biometric authentication? | Allows a user to be uniquely identified and access the system based on one or more biometric traits, such as fingerprints, hand geometry, retinal pattern or voice waves. |
What is the most reliable biometric technology? | Retina Scan Technology |
What are two different encryption requirements under HIPAA? | encryption of data at rest and encryption of data in motion |
What is data at rest? | Data in storage within a database or on a server that is no longer being used or accessed. |
What is data in motion? | Data in the process of being transmitted from one location to another location, such as email. |
What is encryption? | A mathematical method for the transformation of data from plaintext into cipher text, allowing no individual or machine to gain access to and decipher the original information. |
What is plaintext? | The original text that has not been altered. |
What is cipher text? | Unreadable or indecipherable due to encryption. |
What is decryption? | The process of transforming the information from cipher text to plaintext. |
What is a cryptographic key? | The tool applied to the data in order to turn the information into cipher text as well as convert the data from cipher text back into plaintext. |
What is secure information? | It is unreadable, unusable, and indecipherable. Under the HIPAA Omnibus Rule, information is considered secure if it is encrypted. |
What is Malware? | Any program that causes harm to systems by unauthorized access, unauthorized disclosure, destruction, or loss of integrity of any information. |
What are common types of malware? | Viruses, Worms, Trojan Horses, Logic Bombs, Rootkit |
What are viruses? | Programs that search out other programs and infect them by embedding a copy of themselves. This type of malware has the capability to spread to other computers by attaching itself to programs shared through a network. |
What are worms? | Programs that reproduce on their own that have no need for a host application; they are self-contained programs. |
What are Trojan horses? | Programs that are disguised as a normal program to trick users into downloading the file. |
What are logic bombs? | Malware that will execute a program or string of code when a certain event happens. |
What are rootkits? | A type of malicious software that will remotely access or control a computer without being detected by users or security programs. |
What challenges do organizations face regarding malware? | Data breaches, unauthorized access or disclosure of ePHI, increased central processing unit use, slowed computer response time, modified or deleted files, additions or changes to ePHI being stored |
What is ransomware? | Malware that prevents or limits the users from gaining access to their system. The hacker blocks by encrypting the server. |
What is bring your own device (BYOD)? | Personal devices that are allowed to be used within a healthcare organization and interact with ePHI |
What is considered the workforce per the Omnibus Rule? | Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid |
What are the required training components under HIPAA? | Training soon after joining workforce, ongoing training and awareness building, addresses changes |