2.2 HIPAA: Privacy and Confidentiality: Professional and Legal Responsibilities Flashcards


Flashcards in 2.2 HIPAA: Privacy and Confidentiality: Professional and Legal Responsibilities Deck (82)
1
Q

Includes any information that identifies or could reasonably identify an individual, his or her health/condition, treatment, or provision/payment for healthcare…

A

PHI (personal health information)

2
Q

What is defined as all individually identifiable health information created, transmitted, received, or maintained by a covered health entity?

A

Protected health information (PHI)

3
Q

What is included in identifying information?

A

-name
-address
-city
-zip code
-names of relatives
-names of employer
-birth date
-telephone number
-fax and email address
-social security number
-medical record number
-health plan beneficiary number
-account number
-certificate/license number
-any vehicle or other device serial number
-Web URL, Internet protocol address
-finger or voice print
-photographic images, and any other unique identifying number, characteristic, or code

4
Q

What is PHI included on?

A
  • encounter forms
  • claims
  • appointment schedule
  • reports
  • dietary cards
  • requisitions
  • prior authorizations
  • test results
  • logs
  • pharmacy labels
  • electronic data

5
Q

Name examples of PHI in the workplace.

A
  • Communication: switchboard, hallway conversations, dictation, shift reports, telephone conversations, and meeting discussions
  • Materials: medical records, meeting minutes, white boards, clinical reports, wristbands, encounter forms, medication vials, downtime logs, printers, paper files, and notes.
  • Data: claims, computer screens, EKG strips, films, email, faxes, and electronic files

6
Q

When dealing with personal information, there does not have to be some middle ground between strict non-disclosure and full disclosure. True or False

A

False
When dealing with personal information, there has to be some middle ground between strict non-disclosure and full disclosure.

7
Q

Some public and private health information must be shared to properly treat populations and individuals. True or False

A

True

8
Q

With so much information now digitized, and therefore easily transmitted, must there be some protection of health information that must remain confidential to the individual?

A

Yes, some information must remain confidential to the individual.

9
Q

Health information has one level of confidentiality. True or False

A

False… Health information has different levels of confidentiality.

10
Q

Information on HIV status or psychiatric diagnosis may have a higher level of confidentiality than something less revealing, such as a zip code. What is this an example of?

A

This is an example of the different levels of health information confidentiality.

11
Q

Some local and state laws may have higher documentation and disclosure requirements for special health information. True or False

A

True

12
Q

What is the acronym for the Health Insurance Portability and Accountability Act?

A

HIPAA

13
Q

When was HIPAA drafted?

A

HIPAA was drafted in 1996.

14
Q

What was HIPAA originally drafted for?

A

HIPAA was originally drafted to protect health insurance coverage for workers and families when they changed or lost their jobs.

15
Q

PHI stands for Personal Health Information T/F

A

False. PHI stands for Protected Health Information.

16
Q

PHI is included on most healthcare forms, reports, and screens. T/F

A

True. PHI is included on encounter forms, claims, appointment schedules, reports, dietary cards, requisitions, prior authorizations, test results, logs, pharmacy labels, and electronic data.

17
Q

All health information has the same level of confidentiality. T/F

A

False. Health information has different levels of confidentiality. For example, information on HIV status or psychiatric diagnosis may have a higher level of confidentiality.

18
Q

The HIPAA Security Rule requires healthcare entities to protect against any reasonably anticipated threats or hazards to PHI. T/F

A

True. The Security Rule requires healthcare entities to ensure the confidentiality, integrity, and availability of all electronic protected health information.

19
Q

HIPAA defines which types of technologies must be used to safeguard PHI. T/F

A

False. One thing HIPAA does not specify is the type of technology used to secure patient data; this is left to the health entities to determine. It does specify that the technologies be appropriate to their operations and be supported by thorough security.

20
Q

The HIPAA Privacy Rule gives patients the right to request corrections to their medical records. T/F

A

True. It gives them the right to examine and obtain a copy of their own medical records and to request corrections.

21
Q

An insurer, responsible for payment, is entitled to see all data in a patient’s health record. T/F

A

False. HIPAA generally limits release of information to the minimum needed for treatment, payment, and operations.

22
Q

What data a person can see in an EHR is dependent on his or her role. T/F

A

True. The role you have will dictate what you have the right to access.

23
Q

An employee responsible for scheduling will have access to the same EHR functions as a nurse. T/F

A

False. The role you have dictates the amount of patient information you have the right to access and disclose, so a scheduler only needs access to demographics and insurance information.

24
Q

If you accidentally view information you should not have access to, report the event to your supervisor. T/F

A

True

25
Q

As an employee in a healthcare organization, you have the right to access the maximum information needed to care for the patient. T/F

A

False

26
Q

If an individual accesses a record inappropriately, he/she is protected from being fired as long as he/she has completed HIPAA training. T/F

A

False. It is becoming common for immediate employment termination to be the consequence of reviewing information that you do not have the right and need to know.

27
Q

HIPAA’s Privacy and Security policies became law in

A

1996

28
Q

The HIPAA Security Rule requires healthcare entities to ensure

A

the confidentiality, integrity, and availability of PHI

29
Q

HIPAA of 1996 continues to be amended by

A

HITECH

30
Q

What is Title I under HIPAA?

A

Protects health insurance coverage for those who lose or change jobs

31
Q

What is Title II under HIPAA?

A

Standardizes electronic data exchange and protects the confidentiality and security of health data

32
Q

What are the four parts of Title II of HIPAA?

A
  • Standards for electronic transactions
  • Unique identifiers for providers, employers, and health plans
  • The security rule
  • The privacy rule

33
Q

The HIPAA Security Rule states

A
  • Security, integrity, and availability of PHI (disclosures of PHI that are not permitted)
  • Safeguard physical access to PHI (protected networks and computers)

34
Q

What is Protected Health Information? List four examples.

A
  • All individually identifiable health information created, transmitted, received or maintained by a healthcare institution
    • Identification of an individual
    • Health condition
    • Treatment
    • Provision/payment for healthcare

35
Q

List some examples of identifying information

A
  • Name, address, city, county, names of relatives, names of employers, photographic images, DOB, telephone number, fax number, email address, social security number, medical record number, certificate/license number

36
Q

Name the safeguards in HIPAA’s Security Rule

A

Administrative, Physical, Technical

37
Q

Name some examples of Administrative Safeguards

A
  1. Clear roles and responsibility for who can see what information
  2. Documented policies including password policies
  3. Security awareness training
  4. Security risk assessment
  5. Privacy and Security Officer

38
Q

Name some examples of Technical Control Safeguards

A
  1. Firewalls
  2. Encryption - Transmission Security
  3. Audit trails
  4. Antivirus programs
  5. Use of passwords or other authentication methods
     - e.g., encryption and decryption

39
Q

A technical control audit trail consists of

A
  • A log of each user and what is viewed and accessed in any given amount of time
  • Evaluated for inappropriate access to functions or information

40
Q

Technical Controls consist of Data Integrity, which is

A

Required to maintain data integrity, so organizations should have:

  • a disaster recovery plan to protect against the loss of data
  • ensuring data validity, which means having good clean data and:
    - editing against a list of values
    - required fields (cannot go any further without being filled in)
    - required values
    - compliance with data standards

41
Q

Technical Control Authentication consists of

A

The way a system knows who you are and what access and control to give you

42
Q

Authentication is based on

A
  1. What you have (A special card or token)
  2. What you know (Password or personal identification number PIN)
  3. Who you are (fingerprint or other biometric scan)

43
Q

Name the Do’s and Don’ts of passwords

A
  1. Do Not Share passwords or cards
  2. Do not log on for someone else
  3. Do not keep passwords in an obvious place
  4. Make sure system has a time-out and auto log off
  5. Use a strong password

44
Q

What are the characteristics of a strong password?

A

Upper case, number and symbol

45
Q

Explain Role-Based security

A
  • The job you have will dictate what you have the right to access and to disclose
  • ONLY access information that you absolutely need to know and have the right to know
  • Authentication may include an electronic signature required for a document (example: the Practice Fusion Encounter Note)

46
Q

What is the minimum necessary concept (rule)?

A

In all uses/disclosures of PHI under the Privacy Rule, healthcare entities must use/disclose the minimum amount of PHI NECESSARY TO ACHIEVE THE PURPOSE OF THE USE/DISCLOSURE.

47
Q

What is a Limited data set?

A

A “limited data set” means PHI with its patient identifiers removed. The Privacy Rule allows covered entities to use/disclose limited data sets for certain purposes, if safeguards are put in place to protect the PHI remaining in the data.

48
Q

Name the allowed purposes for “limited data sets”

A

research, healthcare operations, and public health activities

49
Q

Give some examples of Physical Controls

A

-Locking down the computer
-Placement of the computer relative to viewing by others
-Computer does not allow the use of jump drives
-Physically securing the data center where servers are located

50
Q

Explain the HIPAA Privacy Rule

A
  • Patients given more control/rights over their personal health information
  • Safeguards to protect the privacy of health information
  • Boundaries on use and release of health records
  • Balances public responsibility that may require disclosure of some data to protect public health
  • Patients have the right to ask to amend PHI if inaccurate or incomplete
  • Patients have the right to request restrictions on PHI disclosure, BUT covered entities do not have to agree to these requests

51
Q

The HIPAA Privacy Rule allows use/disclosure of PHI by a covered entity for its own:

A

T- treatment activities
P- payment activities
O- operations of the facility supporting healthcare activities

52
Q

CMS

A

Centers for Medicare and Medicaid Services

53
Q

EDI

A

Electronic data interchange

54
Q

EIN

A

Employer identification number

55
Q

PHI

A

Protected health information

56
Q

TPO

A

Treatment, payment or healthcare operations (to carry out)

57
Q

BAA

A

Business Associate Agreement

58
Q

Legislation focused on Privacy and Security

A

ARRA

59
Q

Uses a variety of characters

A

STRONG PASSWORD

60
Q

authorized uses for disclosure of PHI

A

TPO

61
Q

requires a key

A

ENCRYPTION

62
Q

protects against viruses

A

FIREWALL

63
Q

Used to ensure data integrity

A

REQUIRED FIELD

64
Q

type of safeguard

A

PHYSICAL

65
Q

removes patient identifiers

A

LIMITED DATA SET

66
Q

Requires additional disclosure

A

PSYCHIATRIC NOTE

67
Q

used to identify inappropriate access to PHI

A

AUDIT TRAIL

68
Q

use for authentication method

A

TOKEN

69
Q

Required before using an external transcription company

A

BAA

70
Q

identifies an individual

A

PHI

71
Q

legislation that included HITECH

A

HIPAA

72
Q

For providers and insurers, release of information is limited to the minimum needed for

A

TPO–treatment, payment, operations

73
Q

What is monitored to assess inappropriate access to a patient’s record?

A

audit trail

74
Q

What should the individual responsible for the security of health care data do first?

A

perform a risk assessment

75
Q

Tokens and biometric devices are examples of

A

authentication methods

76
Q

For providers and insurers, release of information is limited to the minimum needed for

A

TPO - treatment, payment, and operations

77
Q

Your screen saver should activate in how many minutes?

A

5 minutes

78
Q

A clearinghouse that processes claims data must sign what kind of agreement?

A

BAA - Business Associate Agreement

79
Q

In the Practice Fusion assignment where each physician sent a SOAP Note to the instructor, what was the security risk?

A

Lack of encryption; ability of the instructor to download the SOAP note to a personal hard drive

80
Q

Encryption requires use of

A

a key

81
Q

The last steps in your workday should be to

A

ensure the computer is physically secure and complete a full logoff from the system

82
Q

What does PHI stand for?

A

Protected health information (PHI)
