For a data breach of fewer than 500, the covered entity must inform the DHHS
within 60 days after the end of the calendar year in which the breach occurred
When someone requests a copy of their PHI, they must hear back within
30 days; otherwise this is a HIPAA violation
The same goes for when someone is requesting that a physician review a copy of their PHI
When sending someone else to collect your copy of records,
the person who the records belong to must provide written authorization
open communication =
between a provider and a patient (where the patient has gone to see the provider)
closed communication =
structured way of exchanging information that confirms a message was both received and understood correctly
private communication
ensures patient confidentiality and regulatory compliance through secure, encrypted channels
Community Hospital wants to provide transcription services for transcription of office notes of the private patients of physicians. All of these physicians have medical staff privileges at the hospital. This will provide an essential service to the physicians as well as provide additional revenue for the hospital. In preparing to launch this service, the HIM director is asked whether a business associate agreement is necessary. Which of the following should the hospital HIM director advise to comply with HIPAA regulations?
Each physician practice should obtain a business associate agreement with the hospital.
If a patient requests their records in electronic format and some documents are on paper,
the hospital should provide the patient with both the paper and electronic copies of the record
If a healthcare provider is accused of breaching the privacy and confidentiality of a patient, what resource may a patient rely on to substantiate the provider’s responsibility for keeping health information private?
professional code of ethics
Federal code of fair practice =
prohibits debt collectors from using abusive, unfair, or deceptive practices (not so much to do with healthcare)
State code of fair practice =
prohibits discrimination, unfair business practices, or unethical conduct within the state
Emma is getting ready to begin kindergarten. Her school is requesting her immunization records as required by state law. Per HIPAA, Emma’s pediatrician may:
Disclose this PHI with verbal permission from Emma’s parent
The Medical Record Committee is reviewing the privacy policies for a large outpatient clinic. One of the members of the committee remarks that he feels that the clinic’s practice of calling out a patient’s full name in the waiting room is not in compliance with HIPAA regulations and that only the patient’s first name should be used. Other committee members disagree with this assessment. What should the HIM director advise the committee?
There is no violation of HIPAA in announcing a patient’s name, but the committee may want to consider implementing practices that might reduce this practice.
A hospital currently includes the patient’s social security number in the electronic version of the health record. The hospital risk manager has identified this as a potential identity breach risk and wants the information removed. The physicians and others in the hospital are not cooperating, saying they need the information for identification and other purposes. Given this situation, what should the HIM director suggest?
Avoid displaying the number on any document, screen, or data collection field
firewall =
controls external access to a network
If a patient has health insurance but pays in full for a healthcare service and asks that the information be kept private, under HIPAA the covered entity must:
Comply with the patient’s request and keep the information private
A visitor sign-in sheet to a computer area is an example of what type of control?
facility access
An administrative safeguard =
documentation retention guidelines
Susan is completing her required high school community service hours by serving as a volunteer at a local hospital. She is a
workforce member
anyone who is or isn’t being paid for their work (employees + volunteers)
business associate =
person or entity that performs certain functions or activities that involve the use or disclosure of PHI
covered entity =
healthcare providers, health plans and healthcare clearinghouses involved in the transmission of PHI
Transmission = payment, treatment, operations, billing or insurance coverage
Per HITECH, an accounting of disclosures must include disclosures made during the previous
3 years
The baby of a mother who is 15 years old was recently discharged from the hospital. The mother is seeking access to the baby’s health record. Who must sign the authorization for release of the baby’s health record?
mother of the baby
The outpatient clinic of a large hospital is reviewing its patient sign-in procedures. The registration clerks say it is essential that they know if the patient has health insurance and the reason for the patient’s visit. The clerks maintain that having this information on a sign-in sheet will make their jobs more efficient and reduce patient waiting time in the waiting room. What should the HIM director advise in this case?
To be HIPAA compliant, sign-in sheets should contain the minimal information necessary such as patient name.
The Latin phrase meaning “let the master answer” that puts responsibility for negligent actions of employees on the employer is called
Respondeat superior
Res ipsa loquitur =
principle that the occurrence of an accident implies negligence
Employees in the hospital business office may have legitimate access to patient health information without patient authorization based on what HIPAA standard or principle?
minimum necessary
Compound authorization =
asking someone to approve multiple uses or disclosures of PHI in one authorization document
Accounting of disclosures =
mandated record of when a patient’s PHI is shared outside of an organization for non-routine purposes (research, legal proceedings, or public health reporting) + patient can request this list for the past 6 years
The hospital’s public relations department in conjunction with the local high school is holding a job shadowing day. The purpose of this event is to allow high school seniors an opportunity to observe the various jobs in the hospital and to help the students with career planning. The public relations department asks for input on this event from the standpoint of HIPAA compliance. In this case, what should the HIM department advise?
Job shadowing should be limited to areas in which the likelihood of exposure to PHI is very limited, such as administrative areas.
Generally, policies addressing the confidentiality of quality improvement (QI) committee data (minutes, actions, and so forth) state that this kind of data is
Protected from disclosure
Central City Clinic has requested that Ghent Hospital send its hospital records from Susan Hall’s most recent admission to the clinic for her follow-up appointment. Which of the following statements is true?
The Privacy Rule’s minimum necessary requirement does not apply.
Doesn’t apply to healthcare providers for treatment; to the individual or his or her personal representative; pursuant to the individual’s authorization; to the Secretary of the HHS for investigations, compliance review, or enforcement; as required by law; or to meet other Privacy Rule compliance requirements
An original goal of HIPAA Administrative Simplification was to standardize
The electronic transmission of health data
Which of the following is considered a two-factor authentication system?
Password and swipe card