International Center for Chiropractic Office Management

"ICCOM, A Leader in Chiropractic Office Management and Compliance Training"

www.ICCOM.org 



HIPAA Questions

Test Yourself! As a DC, Office Manager or CA, you need to know the answers to these questions.  If you do not know an answer, cut and paste the question into "Ask Edie" under "This is Where You Can Ask a HIPAA Question."  The answer will be posted ASAP.

HIPAA Privacy


Categories

Notice of Privacy Practices

Patient Communication

Amending Health Records

Disclosing PHI

Patient Access to their Records

Patient Complaints

Privacy Official

Minimum Necessary

Business Associate Agreements

PHI Return or Destruction

Staff Training

State Versus Federal Law


What is HIPAA?


What should a practice do to implement HIPAA provisions?

 

Notice of Privacy Practices

 

What is a Privacy Notice?

 

What has to be in a Notice of Privacy Practices (NPP)?


Once I get this Privacy Notice written, what do I do with it?


What if I forget to give the Privacy Notice to a patient when he/she comes in?

 

Patient Communication

 

Can a patient ask to have their health related communications handled in a confidential manner?

 

Authorization (any authorization from a patient to use or disclose their PHI; note that an authorization is not required for uses or disclosures related to treatment, payment or health care operations)

 

What is the requirement for an authorization?

 

Are there specific elements that must be in an authorization to make it valid?

 

Is there a requirement about language?

 

Can an authorization be verbal?

 

Can we accept a copy of an authorization instead of the original?

 

Is there a requirement to verify the identity of the individual signing the authorization?

 

Are there any special requirements to revoke an authorization?

 

Are there special requirements for authorization for research purposes?

 

Is there any easier way to obtain authorization for research purposes?

 

Are there any exceptions to the requirement for an authorization for disclosure for marketing purposes?

 

Amending Health Records

 

Under HIPAA, can patients change their medical records?

 

Can the practice deny the request to amend the record?

 

Is there any time limitation for response to a request to amend a record?

 

Are there requirements if a request to amend a record is approved?


Disclosing PHI


Under what circumstances can I use and disclose protected health information (PHI) without authorization?


Do I have to tell a patient that I have disclosed his/her protected health information (PHI) without authorization?

 

What if a patient asks for frequent accounts of disclosure?

 

Can a patient restrict the use or disclosure of his/her protected health information (PHI)?

 

Patient Access to their Records

 

Do the doctors have to allow patients to read their own charts?

 

Are there any exceptions to the provisions allowing patients to read their own charts?


Can the doctors deny patients access to their charts?


Does the patient have the right to appeal a denial?


Are there exceptions to the right to appeal a denial?

 

If access is denied, are there any other requirements to be met by the practice?

 

Can a summary of the information instead of the complete record be provided and meet the access requirement?

 

Can I charge patients for copies of their health care record?

 

Can I provide access to information from another health care provider that is part of my health care record?

 

Patient Complaints

 

Are we required to have a formal complaint process for privacy issues?

 

Are there specific requirements about notification?

 

Do I have to keep a record of complaints?

 

Can the individual elect to complain to the Regional Office for Civil Rights, US Department of Health and Human Services (HHS), without first complaining to me, as the practice?

 

What could happen if the Regional Office for Civil Rights, US Department of Health and Human Services (HHS), found that the complaint substantiated a violation?

 

Privacy Official

 

What is the intent or purpose of the privacy official?

 

What steps or activities should the privacy official take to assure compliance?

 

What if information is misused or improperly released?

 

What qualifications and responsibilities should a privacy official’s job description contain?

 

Minimum Necessary

 

What is the intent of the minimum necessary requirement?

 

Are there exceptions to the minimum necessary requirement?

 

What is the significance (within the minimum necessary standard) of an individual authorizing release of protected health information (PHI)?

 

Can information be released for continuity of care concerns to another provider without an individual authorizing release of protected health information (PHI)?

 

Psychotherapy Notes (not relevant most of the time, but in case you have these records in your possession for some reason, you need this information)

 

What about an individual authorizing release of protected health information (PHI) that includes psychotherapy notes?

 

What about releasing protected health information (PHI) not made in a routine and recurring manner?

 

Business Associate Agreements

 

What is the intent of business associate agreements?

 

Who qualifies as a business associate?

 

What types of functions do business associates typically perform?

 

Who doesn’t qualify as a business associate?

 

What about when information is shared for treatment purposes?

 

Do I need a business associate agreement for my cleaning service?

 

Since I already have an attorney-client relationship with counsel, do I need a business associate agreement?

 

What about organizations that act merely as a conduit of protected health information (PHI)?

 

PHI Return or Destruction

 

What is the requirement for the return or destruction of protected health information (PHI)?

 

Staff Training

 

What are the requirements for training my staff and who needs to be trained?

 

What does my staff need to know about HIPAA?

 

How do I prove training took place?


What about state versus federal law requirements?

 


HIPAA Security

Categories
Three categories of the security standards
Required and Addressable
Security Official
Workforce Security
Security Reminders
Security Incident Procedures
Contingency Plan
Physical Safeguards
Technical Safeguards
Miscellaneous

What is HIPAA Security? 

 

What is the HIPAA Security compliance date?

 

Who must comply?

 

Why HIPAA Security?

 

What is the difference between the HIPAA Privacy and the HIPAA Security Rules?

 

What is a covered entity?

 

What is the difference between “required” and “addressable”?

 

How is it determined that the specification is reasonable and appropriate?

 

What does “Implementation Specifications” mean? (Sometimes referred to in this manual as “specifications.”)

 

What is the minimum process that is required of covered entities?

 

What does “flexible and scalable standards” mean?

 

What does “technology neutral standards” mean?


What are the three categories that the security standards are divided into?

 

What are the implementation specifications in the Security Management Process?

 

What is the importance of Risk Analysis and Risk Management?

 

What is system vulnerability?

 

What is the importance of an information system activity review?

 

What is the purpose of assigning security responsibility and the Security Official?

 

What does workforce security cover?


What is the importance of a Sanction Policy?

 

How do I determine what level of access is required for each person in the clinic? 

 

Are workforce clearance procedures required?

 

What should I look for in putting together termination procedures?

 

How do I ensure access is restricted within my clinic?

 

What must be included in security awareness and training?

 

What is meant by “security reminders”?

 

What are my responsibilities in protecting health information from malicious software?

 

What is the purpose of the Log-In Monitoring specification?

 

Do I need a procedure for changing passwords on my computer?

 

What are security incident procedures?

 

What are the contingency plan standards?


What is the purpose of a Contingency Plan standard?

 

What is required for a data backup plan?

 

What is required for a disaster recovery plan?

 

What is required of an emergency mode operation plan?

 

What is required of testing and revision procedures?

 

What is required of an application and data criticality analysis?

 

What is meant by physical safeguards?

 

What does it mean that facility access controls are addressable?

 

What are the implementation specifications of Facility Access Controls?

 

What does “contingency operations” mean?

 

What does “facility security plan” mean?

 

What does “workstation use” mean?

 

Does “workstation” apply to the workstation I use at home?

 

What are the implementation specifications for Device and Media Controls?

 

What is my main concern with disposing of electronic media?

 

What does “media re-use” mean?

 

What is required for data backup and storage?

 

What are considered technical safeguards?

 

What implementation specifications are associated with the Access Control standard?

 

Am I required to have a unique user identification specified for each user of my computer system?

 

Am I required to establish emergency access procedures?

 

Am I required to have automatic log off that terminates a session after a predetermined time of inactivity?

 

Is encryption required for electronic protected health information?

 

What does it mean to protect the integrity of protected health information?

 

What is the penalty for not complying with the HIPAA Security Rule?

 

What is the most important thing I should do to start protecting electronic protected health information?


