HIO-201 Sample Questions Answers

In some circumstances a coveted entity is permitted, but not required, to rely on the judgment of the party requesting the disclosure as to the minimum amount of information necessary for the intended purpose. Some examples of these requesting parties are: another covered entity or a public official.

The privacy rule prohibits use, disclosure, or requests for an entire medical record.

Non-Covered entities need to redesign their facility to meet the requirement for minimum necessary uses.

The minimum necessary standard requires covered entities to prohibit maintenance of medical charts at bedside and to require that X-ray light boards be totally isolated.

If there is a request for more than the minimum necessary PHI, the privacy rule requires a covered entity to deny the disclosure of information after recording the event in the individual's case file.

Risk Management

Written Contract or Other Arrangement

Accountability

Authorization and/or Supervision

Integrity Controls

$1,000,000 per person per violation of a single standard for a calendar year.

$10 per person per violation of a single standard for a calendar year.

$25,000 per person per violation of a single standard for a calendar year.

$2,500 per person per violation of a single standard for a calendar year.

$1000 per person per violation of a single standard for a calendar year.

Data element

Data segment

Transaction set

Functional envelope

Interchange envelope

Administrative Safeguards

Physical Safeguards

Technical Safeguards

Audit Controls

Information Access Management

Business Associate Contract

Response and Reporting

Emergency Access Procedure

Sanction policy

Risk Management

"Use" refers to the release, transfer, or divulging of IIHI between various covered entities

"Use" refers to adding, modifying and deleting the PHI by other covered entities.

"Use" refers to utilizing, examining, or analyzing IIHI within the covered entity

"Use" refers to the movement of de-identified information within an organization.

"Use" refers to the movement of information outside the entity holding the information

Loop.

Enumerator.

Identifier

Data segment.

Code set.

Patient's country of birth

Patient's pet name

Patient's weight

Patient's address

Patient's date of birth

Security information such as a fingerprint.

Privacy information.

Information on all business associates.

Information on all health care clearinghouses.

Identifiers.

Title I.

Title II

Title III

Title IV.

Title V.

Risk Analysis

Risk Management

Access Establishment and Modification

Isolating Health care Clearinghouse Function

Information System Activity Review

Covered entities that violate the standards or implementation specifications will be subjected to civil penalties of up to $100 per violation except that the total amount imposed on any one person in each calendar year may not exceed $25,000 for violations of one requirement

Criminal penalties for non-compliance are fines up to $65,000 and one year in prison for each requirement or prohibition violated

Criminal penalties for willful violation are fines up to $50,000 and one year in prison for each requirement or prohibition violated.

Criminal penalties for violations committed under “false pretenses” are fines up to $100,000 and five years in prison for each requirement or prohibition violated

Criminal penalties for violations committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain or malicious harm are fines up to $250,000 and ten years in prison for each requirement or prohibition violated

National Provider Identifier (NPI)

Social Security Number (SSN)

National Health Plan Identifier (PlanID)

National Employer Identifier for Health Care (EIN)

National Health Identifier for Individuals (NHII)

Power Backup plan

Data Backup Plan

Security Testing

Risk Analysis

Authorization and/or Supervision

If the notice must state that the covered entity reserves the right to disclose PHI without obtaining the individuals authorization.

The notice must prominently include an expiration date.

The notice must describe every potential use of PHI

The notice must describe an individual's rights under the rule such as to inspect, copy and amend PHI and to obtain an accounting of disclosures of PHI

The notice must clearly identify that the covered entity is in compliance with HIPAA regulations as of April 16,2003

A covered entity must apply disciplinary sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity.

A covered entity need not train all members of its workforce whose functions are materially affected by a change in policy or procedure.

A covered entity must designate, and document, a contact person responsible for receiving acknowledgements of Notice of Privacy Practice.

A covered entity may require individuals to waive their rights.

A covered entity must provide maximum safeguards for PHI from any intentional or unintentional use or disclosure that is in violation of the regulations and to limit incidental uses and disclosures made pursuant to permitted or required use or disclosure.

Information Access Management

Security Management Process

Evaluation

Transmission Security

Device and Media Controls

All Employers.

The Washington Publishing Company

Disclosure of non-identifiable demographics.

Oral disclosure of PHI.

The prevention of use of de-identified information.

Security rule.

Privacy rule.

Covered entity rule.

Electronic Transactions and Code Sets rule.

Electronic Signature Rule.

Establish a business partner relationship with the other provider.

Obtain a signed authorization from the patient to cover the disclosure.

Make a copy of the signed Notice available to the other provider.

Obtain the patients signature on the second provider's Notice of Privacy Practices.

Do nothing more -the Notice of Privacy Practices covers treatment activities.