HIO-201 Certified HIPAA Professional Questions and Answers

Administrative Safeguards

Physical Safeguards

Technical Safeguards

Audit Controls

Information Access Management

Establishing an orderly hierarchy where HIPAA applies, then other Federal law, then State law.

Defining privacy to be a national interest that is best protected by Federal law

Allowing State privacy laws to provide a cumulative effect lower than HIPAA.

Mandating that Federal laws preempt State laws regarding privacy.

Establishing a "floor" for privacy protection.

In some circumstances a coveted entity is permitted, but not required, to rely on the judgment of the party requesting the disclosure as to the minimum amount of information necessary for the intended purpose. Some examples of these requesting parties are: another covered entity or a public official.

The privacy rule prohibits use, disclosure, or requests for an entire medical record.

Non-Covered entities need to redesign their facility to meet the requirement for minimum necessary uses.

The minimum necessary standard requires covered entities to prohibit maintenance of medical charts at bedside and to require that X-ray light boards be totally isolated.

If there is a request for more than the minimum necessary PHI, the privacy rule requires a covered entity to deny the disclosure of information after recording the event in the individual's case file.

Risk Analysis

Authorization and/or Supervision

Termination Procedures

Contingency Operations

Encryption and Decryption

Encrypted communication between patient and provider.

All patient events.

Security.

Benefits inquiry.

Emergency treatment.

Report to the covered entity any security incident of which it becomes aware

Ensure the complete safety of all electronic protected health information

Compensate the covered entity for penalties incurred because of the business associate's security incidents.

Register as a business associate with HHS

Submit to periodic audits by HHS of critical systems containing electronic protected health information

Eligibility (270/271).

Premium Payment (820).

Unsolicited Claim Status (277).

Remittance Advice (835).

Functional Acknowledgment (997).

Security Management Process

Facility Access Control

Security Awareness and Training

Workforce Security

Security Management Process

Sanction Policy

access Authorization

Facility Security Plan

Termination Procedures

Unique User Identification

Data element

Data segment

Transaction set

Functional envelope

Interchange envelope

Security rule.

Privacy rule.

Covered entity rule.

Electronic Transactions and Code Sets rule.

Electronic Signature Rule.

Business Associate Contract

Data Backup Plan

Media Re-use

Disposal

Accountability

The authorization has been revoked by the physician.

The patient remains a citizen of the United States.

The information is under the control of HHS.

The information is in the possession of a covered entity.

The information is not also available on paper forms.

NCPDP-based pharmacy standards

The standard for pharmacy-health plan communication.

Administering Medicare and Medicaid programs.

Claims attachments.

Publishing HIPAA Transactions-related Implementation Guides.

$5,000 in fines.

55000 in fines and six months in prison.

An annual cap of $50,000 in fines.

A fine of up to $50,000 if they wrongfully disclose PHI.

Six months in prison.

The date on which any automatic extension occurs.

Covered entity's signature.

A statement that federal privacy laws still protect the information after it is disclosed.

A statement that the individual has no right to revoke the authorization.

The date signed.

Termination Procedures

Automatic Logoff

Emergency Access Procedure

Contingency Operations

Response and Reporting

PKI requirements for hospitals and health care providers.

Encryption algorithms that must be supported by hospitals and health care providers.

Fraud and abuse in the health care system and ways to eliminate the same.

Guaranteed health insurance coverage to workers and their families when they change employers.

The use of strong authentication technology that must be supported by hospitals and health care providers.

Security Awareness and Training

Security Management Process

Access Control

Assigned Security Responsibility

Security Incident Procedures

Detail specifically all activities that are considered a use or disclosure.

Describe in plain language what is meant by treatment, payment, and health care operations (TPO)

Inform the individual that protected health information (PHI) may only be used for valid medical research.

Inform the individual that this version of the Notice will always cover them, regardless of subsequent changes.

State the expiration date of the Notice.

Contingency Plan

Evaluation

Security Management Procedures

Facility Access Control

Security Incident Procedures