Chapter 9: Data Privacy and Confidentiality

149 Terms

1

__________ is a social value and the right "to be let alone"

privacy

2

_______________ is a law that protects patients' rights to privacy and protection of health information

HIPAA

3

__________________ is similar to privacy, but stems from the sharing of private thoughts in confidence with someone else

confidentiality

4

____________ is how an organization avails itself of health information internally

use

5

____________ is how health information is disseminated outside an organization

disclosure

6

_________________, which is both a process and a period of time, is a pretrial stage where parties to a lawsuit use numerous strategies to discover or obtain information that other parties hold

discovery

7

The purpose of _______ is to learn of each party's relative weaknesses and strengths in a case to avoid a surprise at trial and perhaps encourage pretrial settlement

discovery

8

A ___________ is a discovery method in which there is a formal proceeding where the oral testimonies of parties to a lawsuit (plaintiff and defendant) and other relevant witnesses are obtained

deposition

9

Attendance to a deposition is compelled via a ________, a legal document that instructs a person or entity to do something

subpoena

10

______________ are a discovery method used to obtain information from other parties in a lawsuit

interrogatories

11

Through _________, parties are given questions to respond to in writing

interrogatories

12

A subpoena that seeks testimony is a __________

subpoena ad testificandum

13

More frequently, records custodians are served a _______, which requires the individual to bring documents and other records with oneself

subpoena duces tecum

14

__________ is the process of giving someone permission to do or have something

authorization

15

A ________ is a document issued by a judge

court order

16

A subpoena often requires an individual's __________ if health information is being sought

authorization

17

A specialized type of court order, a _____ is a judge's order that authorizes law enforcement to seize evidence and, often, to conduct a search as well

warrant

18

Criminal cases in which health records are most likely to be obtained via ______ involve healthcare fraud and abuse investigations

warrant

19

_______________ is the same pretrial process as discovery, but parties now obtain and review electronically stored data

e-discovery

20

The ______________ incorporated electronic information through the creation of e-discovery rules

Federal Rules of Civil Procedure (FRCP)

21

The ______ applies only to cases in federal district courts

FRCP

22

____________ data includes not only the EHR, but also emails, texts, voicemails, drafts of documents, electronic schedulers, websites, and information housed on mobile devices such as smartphones or flash drives

discoverable data

23

Discoverable data also include _____, which are data about data

metadata

24

________ provides information such as who accessed or attempted to access a system and when, which parts of the system were affected, and what operations took place

metadata

25

___________ is generally a court order to preserve a health record if there is concern about destruction

legal hold

26

A legal hold also prevents __________, the act of destroying, changing, or hiding evidence intentionally

spoliation

27

______ describes whether evidence is allowed to be admitted in a court of law

admissibility

28

The __________ governs admissibility in a federal court system

Federal Rules of Evidence

29

Generally only _________ evidence, that which makes a purported fact either more or less probable, may be admitted at trial

relevant

30

_____ is an out-of-court statement used to prove the truth of a matter, and it is inherently deemed untrustworthy because the maker of the statement was not cross-examined at the time the statement was made

hearsay

31

The most common exception for hearsay to be admitted into evidence is the ___________

business records exception

32

The _______ exists because business records are deemed inherently trustworthy and are admissible as long as they are made at or near the time of the event being recorded, are kept in the regular course of business, and the record was created through the regular practice of business

business records exception

33

Testimony by HIM professionals is often focused on the __________ of the health record and refers to the document's baseline trustworthiness

authenticity

34

Regardless of state laws, every person or organization that is subject to _______, which is federal law, must comply with it

HIPAA

35

The right to privacy:

a. has been granted by the US constitution

b. has been granted via court decisions

c. does not apply to health info

d. does not exist

b. has been granted via court decisions

36

Which of the following describes discovery?

a. it is designed to limit access to information that other parties hold

b. it is a type of deposition

c. it is a pretrial process

d. it is intended to result in surprises at trial

c. it is a pretrial process

37

Which of the following is a discovery method?

a. subpoena

b. deposition

c. hearsay

d. legal hold

a. subpoena

38

Which of the following compels a person to bring records to a deposition or trial?

a. subpoena ad testificandum

b. subpoena duces tecum

c. interrogatories

d. e-discovery

b. subpoena duces tecum

39

Which of the following is an example of metadata?

a. text message

b. information that shows who accessed a record

c. voicemail message

d. printout of a patient's operative report

b. information that shows who accessed a record

40

A subpoena requesting patient records:

a. is initiated by a judge

b. is also referred to as a court order

c. must usually be accompanied by patient authorization

d. can be ignored

c. must usually be accompanied by patient authorization

41

Which of the following is an element of a deposition?

a. testimony is not transcribed because it cannot be used at trial

b. an individual appears at an appointed time and place to testify under oath

c. only the testimony of the plaintiff and defendant can be obtained

d. attorneys for the plaintiff and defendant are prohibited from attending

a. an individual appears at an appointed time and place to testify under oath

42

A legal hold serves to:

a. confine a person in jail

b. subject records to a search warrant

c. preserve information

d. create information

c. preserve information

43

Spoliation can be defined as which of the following?

a. it is required after a legal hold is imposed

b. it is the negligent destruction or changing of information

c. it is destroying, changing, or hiding evidence intentionally

d. it can only be performed on records that are involved in a court proceeding

c. it is destroying, changing or hiding evidence intentionally

44

State laws that protect the privacy of health information:

a. will not be preempted by HIPAA

b. are standard across all fifty states

c. may be preempted by HIPAA

d. prohibit disclosure of information without patient authorization

a. will not be preempted by HIPAA

45

The HIPAA _____ is one of the key federal laws that govern the protection of PHI

privacy rule

46

The legal doctrine of ______ means that federal law may supersede state law

preemption

47

__________ means that a state or federal statute provides an individual with greater privacy protections or gives individuals greater rights with respect to their PHI

stricter

48

The __________ provides significant funding for health information technology and other stimulus funding, and also made important changes to the HIPAA Privacy and Security Rules

ARRA

49

The changes to the HIPAA privacy and security rules made by ARRA are located in the _________

HITECH

50

The ________ is the primary federal entity responsible for coordinating national efforts to implement and use health info technology, and to promote the exchange of electronic health information

ONC

51

A ________ is a person or organization that must comply with the HIPAA privacy rule

covered entity

52

A __________ is a person or organization other than a member of a covered entity's workforce that performs functions or activities on behalf of or for a covered entity that involve the use or disclosure of PHI

business associate (BA)

53

Common _______ include consultants, billing companies, transcription companies, accounting firms and law firms

BAs

54

A BA's ________ are also BAs if they require access to an individual's PHI, regardless of whether an agreement has actually been signed

subcontractors

55

The Privacy Rule does not allow covered entities to disclose PHI to BAs unless the two enter into a written contract, or _________ that meets HIPAA and ARRA requirements

business associate agreement

56

The BA may use or disclose _______ once it agrees to the covered entity's requirements to protect the information's security and confidentiality

PHI

57

Both covered entities and BAs are responsible under the Privacy Rule for their _______ members

workforce

58

A _________ consists of not only employees, but also volunteers, student interns, trainees, and even employees of outsourced vendors who routinely work on-site in the covered entity's facility

workforce

59

The Privacy Rule safeguards a category of information called ____________

protected health information

60

_________ either identifies an individual or provides a reasonable basis to believe the person could be identified from the information given

protected health information

61

___________ is information that must either identify the person or provide a reasonable basis to believe the person could be identified from the information

individually identifiable health information

62

PHI of deceased persons loses PHI status and is no longer protected by HIPAA after the individual has been deceased more than _________ years

50

63

_________ does not identify an individual because personal characteristics have been stripped from it in such a way that it cannot be later constituted or combined to reidentify an individual

deidentified information

64

The privacy rule does not protect ____________

deidentified information

65

The Privacy Rule defines an ______ as the person who is the subject of the PHI

individual

66

A _________ is a person who has legal authority to act on another's behalf

personal representative

67

A _________ includes the health records, billing records, and various claims records that are used to make decisions about an individual

designated record set

68

The _______ requires that uses, disclosures, and requests be limited to only the amount needed to accomplish an intended purpose

minimum necessary standard

69

________________ is an important concept because the Privacy Rule provides a number of exceptions for PHI that is being used or disclosed for TPO purposes

Treatment, payment, and operations (TPO)

70

__________ means providing, coordinating, or managing healthcare or healthcare-related services by one or more healthcare providers

treatment

71

___________ includes activities by a health plan to obtain premiums, billing by healthcare providers or health plans to obtain reimbursement, claims management, claims collection, review of the medical necessity of care, and utilization review

payment

72

_______ may include quality assessment and improvement, case management, review of health professionals' qualifications, insurance contracting, etc.

operations

73

The Privacy Rule's ______ allows an individual to inspect and obtain a copy of his or her own PHI contained within a designated record set, such as a health record

right of access

74

Per the Privacy Rule, there are times when a covered entity can deny an individual _________ to PHI

access

75

________ refers to the act of denying an individual access to PHI without providing him or her an opportunity to review or appeal the denial

no opportunity to review

76

In _______, the privacy rule requires the covered entity to give an individual the right to review a denial of access

opportunity to review

77

With the right of _________, one may request that a covered entity amend PHI or a record about the individual in a designated record set

right to request amendment

78

Per the ______________ an individual has the right to receive an accounting of certain disclosures made by a covered entity

right to request accounting of disclosures

79

An ______ is a report that allows an individual to see a record of every person who viewed the individual's DRS during the previous three years

access report

80

The __________ describes an individual's ability to request that a covered entity restrict the uses and disclosures of PHI to carry out treatment, payment or healthcare operations

right to request restrictions of PHI

81

In almost all cases, a covered entity can decline a _____________ request

restriction

82

An agreed-upon restriction can be ________ by either the individual or the covered entity

terminated

83

Healthcare providers and health plans must give individuals the opportunity to request that communications of PHI be routed to an alternative location or by an alternative method, as per the _______________

right to request confidential communications

84

A covered entity must provide a process for an individual to file a _________ or allegation about the entity's policies and procedures, its noncompliance with them, or its noncompliance with the privacy rule

complaint

85

The privacy rule establishes that a patient has the right of access to inspect and obtain a copy of his or her PHI

a. for as long as it is maintained

b. for six years

c. forever

d. for 12 months

a. for as long as it is maintained

86

HIPAA regulations:

a. never preempt state statutes

b. always preempt state statutes

c. preempt less strict state statutes where they exist

d. preempt stricter state statutes where they exist

c. preempt less strict state statutes where they exist

87

The privacy rule applies to:

a. healthcare providers only

b. only healthcare providers that receive medicare reimbursement

c. only entities funded by the federal government

d. covered entities and their business associates

d. covered entities and their business associates

88

The privacy rule extends to protected health information:

a. in any form or medium, except paper and oral forms

b. in any form or medium, including paper and oral forms

c. that pertains to mental health treatment only

d. that exists in electronic form only

b. in any form or medium, including paper and oral forms

89

Per the right to request confidential communications, if the individual does not provide information as to how payment will be handled:

a. health plans must still honor the request

b. only healthcare providers may deny the request

c. healthcare providers must still honor the request

d. both health plans and healthcare providers may deny the request

d. both health plans and healthcare providers may deny the request

90

When an individual requests a copy of PHI or agrees to accept summary or explanatory information, the covered entity may:

a. impose a reasonable cost-based fee

b. not charge the individual

c. impose any fee authorized by state statute

d. charge only for the cost of the paper on which the info is printed

a. impose a reasonable cost-based fee

91

Business associate agreements are developed to cover the use of PHI by:

a. the covered entity's employees

b. organizations outside the covered entity's workforce that use PHI to perform functions on behalf of the covered entity

c. the covered entity's workforce

d. the covered entity's janitorial staff

b. organizations outside the covered entity's workforce that use PHI to perform functions on behalf of the covered entity

92

The term minimum necessary means that healthcare providers and other covered entities must limit use, access and disclosure to the minimum necessary to:

a. retain records needed for patient care

b. accomplish the intended purpose

c. treat an individual

d. perform research

b. accomplish the intended purpose

93

Which of the following is part of Hillside Hospital's workforce?

a. information system firm staff

b. volunteers

c. employees who work on-site for a contractor of the hospital

d. a business office employee at a competing hospital

b. volunteers

94

Deidentified information:

a. does not identify an individual

b. is information from which only a person's name has been stripped

c. can be constituted later or combined to reidentify an individual

d. is subject to the HIPAA privacy rule

a. does not identify an individual

95

The _________ allows an individual the right to a notice explaining how his or her PHI will be used and disclosed

notice of privacy practices

96

Under the Privacy Rule, healthcare providers are not required to obtain patient __________, which is the patient's agreement to use or disclose personally identifiable info for treatment, payment and healthcare operations

consent

97

As a general requirement, the Privacy Rule states that an ___________ for uses and disclosures must be obtained from an individual

authorization

98

The privacy rule __________ disclosure without authorization when the individual or individual's rep requests access to or an accounting of disclosures of the PHI and when HHS is conducting an investigation, review or enforcement action

requires

99

One exception to the authorization rule is when the healthcare facility maintains a _________ of patients who ask for individuals by name and for clergy

facility directory

100

There are ______ circumstances where PHI can be used or disclosed without the individual's authorization, nor does the individual have the opportunity to review or object

16