HIPAA Training

HIPAA Certification Quiz

HIPAA Certification Quiz

1. The Health Insurance Portability and Accountability Act (HIPAA):
2. a.protects health insurance coverage for workers and their families when they change or lose their job
3. b.requires national standards for electronic health care transactions
4. c.addresses security and privacy of health data
5. d.all of the above

2. The Privacy Act limits the collection of information about individuals to that which is legally relevant and necessary.
3. True
4. False

3. Patients, for the most part, may gain access to any information pertaining to them that is contained in any system of records.
4. True
5. False

4. Accordingto the video, Which refers to information that can provide significant harm?
5. PHI/PII
6. b.ePHI
7. c.sPII/sPHI
8. d.iPHI
9. None of the above

5. If the patient wants access to their record, they must provide in writing a valid reason for wanting to see their record.
6. True
7. False

6. A patient is being transferred to contract nursing home for further care. The nursing home may be provided with individually identifiable healthcare information for the purposes of providing medical care to the patient that will be housed in its facility.
7. True
8. False

7. A patient must provide a signed authorization for release of information to third parties that are not part of the continuity of care.
8. True
9. False

8. Disclosure of individually identifiable health information to an outside healthcare provider (physician, hospital, nursing home) even for treatment purposes requires a written authorization by the patient.
9. True
10. False

9. Information Blocking Rule is part of the CURES Act.
10. True
11. False

10. Information Blocking REQUIRES a Medical Provider to share with other providers and push all available info to portal for access as not to interfere with, prevent or discourage access, exchange or use of Electronic Health Information.
11. True
12. False

11. The “No Surprises Act” is the portion of the ACA that maintains that providers must provide good faith estimates at or before the time of service to all uninsured and self-pay patients.
12. True
13. False

12. There is no set Max flat fee charge for medical records for personal use.
13. True
14. False

13. Medical Practices may choose a flat fee charge, an average cost charge, or a charge based on the actual cost to produce medical records to patients for personal use. These charges can be different for 3^rdParty vendors.
14. True
15. False

14. When a patient requests that records be sent to them via unencrypted email, we:
15. Must provide explanation of security risks of transit from sender to receiver
16. Only can provide at the patient’s direct request
17. Can send directly to the patient at the email provided
18. Must verify the identity of the patient
19. All of the above
20. None of the above

15. Accordingto the rules to verify identity of the patient, the patient must provide a signature in person at the office.
16. True
17. False

16. How many days does a Practice have to produce Medical Records requests to the requesting patient?
17. 3
18. 14
19. 21
20. 30
21. 60

17. Underthe Information Blocking rule, the only exception to providing immediate access to medical records is:
18. Preventing Harm to patient or another person
19. Protect an individual’s privacy
20. Protect the security of information
21. Limit content to scope of Practice
22. Protect value of innovations and royalties
23. All the above
24. A & B only

18. Patient has the right to request to amend their chart.
19. True
20. False

19. Patient conditions can be declared to insurance carriers for to obtain payment for services even if a financial waiver (assignment of benefits) is not in the patient chart.
20. True
21. False

20. A violation of the HIPAA laws can include fines and jail time for employees responsible for breaches.
21. True
22. False

21. When a patient requests access to his/her medical records:
22. I always have to provide the complete record, with few exceptions
23. I can provide a summary with redactions if it is too difficult for the patient to interpret
24. Provide only encounter notes from only our doctors, not including outside labs or imaging.
25. B and C only
26. None of the above

22. An authorization can be revoked by the patient:
23. Only within 30 days of the original authorization
24. b.By telephone request
25. Under no circumstances-once authorization is given, it cannot be revoked
26. If the requested action has NOT already taken place

23. Patient complaints must first be filed with the physician’s office.
24. True
25. False

24. If the Secretary of Health and Human Services (HSS) validates a complaint my practice:
25. Only receives recommendations to the provider from The Secretary of HSS
26. Nothing will happen unless harm to patient is proven
27. May have a compliance review and individual fines per incident of exposure/violation

25. My practice can respond to a request to amend a record:
26. a.As soon as we can get to it
27. b.Within 90 days
28. Only if deemed to affect a patient’s care
29. d.Within 60 days

26. A practice can refuse to amend the record:
27. a.Under NO circumstances
28. If you do not find it necessary for patient care
29. Only if it doesn’t affect insurance coverage
30. Under specific circumstances after providing a refusal form to the patient indicating the reason for rejection of the amendment request.

27. The Notice of Privacy Practices (NPP) must be:
28. Given to each patient at the first visit & at least every 3 years after
29. Posted on the Practice’s website
30. Posted in the office
31. All of the above

28. If I forget to give a Notice of Privacy Practices (NPP) to a patient:
29. It’s no big deal
30. I can give it to him at the next visit
31. I can give it to a friend to take to him
32. I have to mail it immediately and document my actions

29. Once the Notice of Privacy Practices (NPP) is written:
30. It can’t be changed
31. It can be changed but entity has to notifypatients promplty and redistribute when any material changes made
32. It has to be updated at least every year
33. I don’t have to worry about it any more

30. If a non-authorized disclosure of protected health information (PHI) is made:
31. I must keep a record of this for six years
32. I must give the patient a full accounting upon proper request
33. There is no such thing as a non-authorized request
34. A and B

31. If a patient wants to request a restriction on the disclosure of his/her protected health information (PHI):
32. It must be in writing stating what PHI is being restricted
33. Can be retroactive to cover information already released
34. The patient cannot restrict disclosure of PHI

32. Staff must be trained:
33. Annually
34. Initially at hire
35. Once every 3 years after hire
36. A and B only

33. Other than office staff:
34. No one else needs to be trained about HIPAA
35. Casual employees do not need to be trained about HIPAA
36. Contract staff, such as cleaning crews,do not need to be trained about HIPAA
37. Everyone who works in my office, including unpaid volunteers, contract employees, and casual laborers, must be trained or show documentation of training about HIPAA

34. A privacy officer should conduct the following steps:
35. Identify the internal and external risks of disclosure of protected health information (PHI)
36. Create, implement, & maintain a security plan to reduce risks
37. Train all personnel on the practice’s privacy and security of PHI
38. Monitor & enforce security policies in place
39. All of the above
40. A, B, and D only

35. If an individual authorizes release of protected health information (PHI) that includes psychotherapy notes:
36. I can release this PHI
37. I don’t have to consult with the patient about what information to release
38. I can condition coverage or treatment on an authorization to use or disclose psychotherapy notes
39. I am required to respond to an authorization for psychotherapy notes but I may use some discretion
40. None of the above
41. A, B, and D only

36. The Minimum Necessary Standard restricts covered entities and their business associates to restrict the use and disclosure of PHI as permitted by the HIPAA privacy rules to only information that is needed for patient care in the scope of the Provider receiving the shared information.
37. True
38. False

37. I don’t need a business associate agreement for:
38. My employees
39. My cleaning service
40. My corporate attorney
41. Contracted employees such as a physical therapist who perform a substantial portion of their work at my practice
42. None of the above
43. A, B, and D only

38. The Privacy Rule requires the return or destruction of all protected health information (PHI) at the termination of a business associate agreement contract only where feasible or permitted by law:
39. True
40. False

39. HIPAA security Rule – Cyber Security – only applies to IT personnel and automated security software scanning at the Practice.
40. True
41. False

40. HIPAA Security Rule Addresses malicious use for:
41. Ransomware
42. Medicare Fraud
43. Banking Viruses
44. Exfiltrationof pt Records
45. Identity Theft
46. Cryptomining
47. All of the Above

41. Individual employees can be held liable for exposing the network to Security breaches.
42. True
43. False

42. NPPES is the agency that receives reports regarding reports of ePHInetwork intrusions within Medical facilities and practices.
43. True
44. False