Which of the following is a goal of the minimum necessary requirement under the HIPAA Privacy Rule? - Ensure that all workforce members have the same access to PHI within an organization.
A patient is checking in at the registration desk and overhears a conversation between another patient and the billing specialist regarding a specific diagnosis that is not being covered under the patient's insurance. This is an example of what type of disclosure? - Incidental
Which of the following is the only scenario where breach notification can be delayed past the 60-day notification requirement? - When law enforcement requests a delay due to open criminal investigation.
During a recent change in a computer system's access, an organization determined that they were going to create role-based access defined on the need for each job type within the organization. This is an example of application of which of the following: - Minimum necessary
An organization just finished updating the minimum necessary policy and procedure. The new policy took effect on February 12, 2016. How long do they have to maintain the previous version of the policy? - February 12, 2020
Which of the following is considered a patient's right under the HIPAA Privacy Rule? - Accounting of disclosure (AOD)
How long does a covered entity have to respond to an accounting of disclosure request? - 30 days with one 30 day extension.
A patient has requested three accounting-of-disclosures reports in the past month. Which of the following statements is true regarding the accounting of disclosure? - The CE is allowed to charge a reasonable, cost-based fee for the second and third request for accounting disclosures and must inform the patient prior.
In the final HIPAA Omnibus Rule of 2013, which of the following was added to the regulations regarding patient access? - A patient has a right to receive his or her designated record set electronically, if maintained electronically.
If a state requires that all medical records be disclosed within 15 days from the request, and HIPAA requires disclosures to be completed within 30 days from the request, which timeline should be followed? - State law because it is more stringent than HIPAA.
Which of the following is allowed under the applicable fees and charges when charging for a copy of medical records? - Labor cost
If a patient put in a request for an amendment to his or her medical record on July 20, 2020, when would be the last possible day that the CE would need to provide outcome information on the amendment or notification of a 30-day extension? - September 20, 2020
If a patient chooses to make a complaint against a CE to the Secretary of Health and Human Services, the complaint must be made in _____ days from the date the complaint was known or should have been known. - 180
A patient made a request for an accounting of disclosure on March 31, 2020. What is the date range that must be provided on the accounting-of-disclosure document? - March 31, 2015 - March 31, 2020. 6 years prior.
What was the compliance date for all covered entities and business associates to bring all of the grandfathered business associate agreements into compliance with the final Omnibus Rule of 2013? - September 23, 2014
The HIPAA Security Rule allows flexibility with implementation based on the reasonableness and appropriateness of safeguards. This means that covered entities can - implement based on organizational assessment
What group was granted authority to bring civil actions against healthcare organizations and business associates based on alleged HIPAA violations? - State attorney general
To place a patient in a facility directory, a covered entity - must obtain the patient's verbal agreement.
The Privacy Rule permits charging patients for labor and supply costs associated with copying health records. A hospital is located in a state where state law allows charging patients a $100 search fee associated with locating records that have been requested. - The Privacy Rule will preempt state law in this situation.
What does it mean to state the regulation in the HIPAA Security Rule is addressable? - The organization can implement an alternate safeguard of equivalent protections.
A healthcare provider that provided a copy of an individual's medical record to a nursing home that the patient will be transferred to is an example of using protected health information for what purpose? - Treatment
A payment from a drug company to a covered entity to promote a new medication for treatment of acne is referred to as - direct.
Which of the following is considered to be part of healthcare operations and uses deidentified health information or a limited data set and benefits the covered entity? - Fundraising
Providing a copy of an emergency room visit report to a primary care provider is an example of which of the following under HIPAA? - Disclosure of protected health information
Authorizations are required for all disclosures except - Treatment, payment, and healthcare operations
Which of the following terms refers to the direct or indirect payment from a third party whose product or service is being described by the covered entity? - Financial remuneration
A health plan uses a month's worth of diagnosis codes from member's bills submitted to evaluate new services that can be created to support health-plan member education. This is an example of using protected health information for what purpose? - Healthcare operations
How many years after an individual passes away is medical information no longer considered protected health information and is no longer protected by HIPAA regulations? - 50
A health plan must provide a copy of NOPP to individuals covered - once every three years.
If a covered entity maintains a website for their organization, which of the following are true? - The covered entity needs to prominently post the notice of privacy practices on the website.
If a request to a health plan is made for alternative locations of confidential communication with an insured individual due to concerns with endangerment to the individual, the health plan must - permit and accommodate reasonable requests for confidential communication.
A covered entity provided training to their workforce in an all-staff meeting on October 11, 2020. The privacy officer has a copy of the presentation along with all the individuals present. What is the earliest date the privacy officer can destroy the training documentation? - After 6 years.
Which of the following does a covered entity need to include in HIPAA education as they are considered part of the workforce? - Health information student intern