AMA Practice Management Center, What you need to know about the new health privacy and security requirements


SPS407_Unit IIC_Quiz_110214rev2.docx

1. HIPAA Security Rule
Johns, Merida L., Information Security, in Johns, Merida L. (ed.), Health Information Management Technology: An Applied Approach, 2nd ed., AHIMA: Chicago, IL, 2007, chapter 19, pp. 847-874

1. The HIPAA Security Rule envisions that a covered entity's risk management activities and security measures will reduce the entity's data security risks and vulnerabilities to which of the following levels:
   a. reasonable and appropriate protection of electronic PHI
   b. reasonable and appropriate protection of electronic and non-electronic PHI
   c. absolute protection of electronic PHI from all threats and hazards, whether or not reasonably anticipated
   d. absolute protection of electronic PHI against any unauthorized use or disclosure, whether or not reasonably anticipated

2. Security policies must be in which of the following formats:
   a. Must be maintained in written format
   b. May be oral agreements between supervisors and employees
   c. May be written or oral
   d. May not be in an electronic form

3. The establishment by a covered entity of a defined security management process includes which of the following elements:
   a. Conducting a risk analysis
   b. Creating and maintaining security policies and practices
   c. Ongoing review of information system activity (e.g., audit logs, access reports, and tracking of security incidents)
   d. All of the above

4. According to HIPAA standards, the designated individual responsible for data security:
   a. Must be identified by every covered entity
   b. Is only required in large facilities
   c. Is only required in hospitals
   d. Is not required in small physician office practices

5. Workforce security awareness and training is required for which of the following:
   a. For all workforce members
   b. Only for workforce members who handle PHI
   c. Only for workforce members who handle electronic data
   d. Only for workforce members who handle electronic PHI

6. Which of the following ensures that procedures are in place to handle an emergency response in the event of an untoward event such as a power outage:
   a. An audit control
   b. A contingency plan
   c. Employee training
   d. Password protection

7. Written business associate agreements are required with which of the following:
   a. Any company where work is outsourced
   b. Any outside company that handles electronic data
   c. Any outside company that handles electronic PHI
   d. Every outside company

8. Which of the following ensures that a user has only the information needed to perform his or her job:
   a. Audit controls
   b. Access controls
   c. Person identification forms
   d. Workstation safeguards

9. A visitor sign-in sheet to a computer area is an example of which of the following controls:
   a. Administrative
   b. Audit
   c. Facility access
   d. Workstation

10. The process that encodes textual material, converting it to scrambled data that must be decoded, is which of the following:
   a. An audit trail
   b. Encryption
   c. A password
   d. A physical safeguard

AMA Practice Management Center, What you need to know about the new health privacy and security requirements

11. The HIPAA regulations implementing the HITECH Act, a part of the 2009 stimulus bill, introduced which of the following patient rights that affect the content of a patient's clinical health record that may be disclosed by a covered entity to third parties, when a patient has paid the covered entity in full for a health care item or service:
   a. the patient may restrict the disclosure of the PHI about the individual to a health plan for the purpose of carrying out payment or health care operations
   b. the patient may restrict the disclosure of the PHI about the individual to all other providers for any purpose, including for subsequent treatment of the same condition for which the patient had paid out of pocket
   c. the patient may restrict the disclosure of the PHI about the individual to law enforcement authorities for any purpose

12. The HIPAA regulations implementing the HITECH Act introduced which of the following compliance obligations upon a business associate (BA) of a covered entity:
   a. the BA's compliance obligations are exclusively contained within the Business Associate Agreement(s) to which the BA is a party
   b. the HIPAA requirements apply directly to BAs, regardless of the content of any Business Associate Agreement to which the BA is a party
   c. the HIPAA requirements apply directly to BAs, subject to being reduced by a Business Associate Agreement containing a less restrictive requirement

13. HHS has yet to adopt final regulations implementing which of the following patient rights envisioned by the HITECH Act:
   a. a patient may receive from a covered entity with an EHR system an accounting of disclosures made by that covered entity of that patient's PHI, including disclosures that had been made for treatment, payment and health care operations purposes
   b. a patient may receive from a covered entity an electronic copy of his/her medical record
   c. a patient may restrict certain disclosures of PHI relating to services for which the patient has paid out of pocket
   d. (all of the above patient rights have been incorporated into the final HIPAA regulations)

14. In the HIPAA regulations the concept of limiting the scope and quantity of PHI to the minimum necessary to accomplish the intended purpose applies to:
   a. requests by a covered entity for the receipt of PHI
   b. disclosures by a covered entity of PHI in response to a request for PHI
   c. both of the above

15. In the HITECH Act the exercise of discretion by a covered entity to determine the minimum necessary information to be released pursuant to a request was limited (other than for purposes of treatment, among other exceptions). A default presumption was established, unless the releasing entity determines otherwise, that the minimum necessary consists of which of the following:
   a. the legal record / a designated record set
   b. a de-identified data set
   c. a limited data set

16. The HIPAA regulations implementing the HITECH Act introduced which of the following patient rights with regard to marketing materials sent to the patient by a covered entity:
   a. covered entities must provide patients an opportunity to opt out of receiving fundraising communications
   b. covered entities must obtain prior written authorization from a patient to send a communication from a third party for which the covered entity receives direct or indirect payment
   c. both of the above

Mosquera, Mary, 8 tactics for mobile data privacy and security, Government Health IT, July 20, 2011

17. The exponential growth in the use by healthcare professionals of mobile devices (e.g., smartphones, tablets, laptops) that provide access to a provider's electronic health record (EHR) system poses which of the following data security threats:
   a. Loss of a device without password protection enabled could provide a third party the means of unauthorized access to the EHR system and its PHI
   b. Loss of a device without encryption of the data stored on the device could provide a third party unauthorized access to the PHI at rest on the mobile device
   c. Use of the mobile device to access and transmit PHI to or from the EHR system over an unsecured Wi-Fi network could enable a third party's unauthorized access to the PHI in motion to or from the mobile device
   d. All of the above

5. Breach Notification
AMA, HIPAA Violations and Enforcement

18. HIPAA provides for all of the following enforcement options in the event of a violation of the HIPAA regulations, except:
   a. a civil monetary penalty ranging from $100 to $50,000 per violation, determined by the HHS Secretary
   b. a criminal fine of up to $250,000 and imprisonment for up to ten years, determined by a court of law as a result of a prosecution initiated by the US Department of Justice
   c. damages awarded by a court of law as a result of a lawsuit (private cause of action) initiated by a private sector entity seeking to sanction a violation of HIPAA
   d. (all of the above are provided for in HIPAA)

19. The HIPAA regulations implementing the HITECH Act established several levels of increasing civil and criminal penalties for violations of HIPAA based upon:
   a. the number of consumers directly affected by the violation
   b. the size of the violator covered entity
   c. increasing levels of culpability of the violator

20. The HIPAA regulations implementing the HITECH Act provide for the greatest potential civil monetary penalty for which of the following categories of culpability:
   a. unintentional violation caused by factors beyond the violator's knowledge or control
   b. gross negligence
   c. willful neglect followed by correction of the violation within 30 days of discovery
   d. willful neglect without correction of the violation

21. The HIPAA regulations implementing the HITECH Act provide for a maximum potential civil monetary penalty (CMP) for identical violations during a calendar year, in the amount of which of the following:
   a. $50,000
   b. $10,000
   c. $1.5 million

6. FTC Data Breach Enforcement
FTC, Complying with the FTC's Health Breach Notification Rule, April 2010

22. The FTC's Health Breach Notification Rule applies to which of the following entities:
   a. HIPAA covered entities
   b. vendors of personal health records
   c. Business Associates of HIPAA covered entities

23. The timing of the reports to be submitted to the FTC following a breach covered by the FTC's Health Breach Notification Rule varies depending on which of the following:
   a. the number of consumers directly affected by the breach
   b. the size of the violator
   c. increasing levels of culpability of the violator

24. The Federal Trade Commission (FTC) can penalize an entity that has violated the FTC's Health Breach Notification Rule by reason of which of the following authorities of the FTC:
   a. power to enforce compliance with HIPAA
   b. power to prosecute violations of the Fourth Amendment to the US Constitution
   c. power to prosecute unfair or deceptive acts or practices in interstate commerce