Editor’s Note: Links updated, June 2019
Thanks to Chris Apgar, CISSP, President and CEO of Apgar & Associates, LLC, for his help in crafting the questions.
1. What does the HIPAA acronym stand for?
- Health Identification Privacy and Affordability Act
- Health Information Portability and Affordability Act
- Health Information Privacy and Accountability Act
- Health Insurance Portability and Accountability Act
2. Can a provider use the database to access the medical record of a patient who was seen by another provider in the same organization?
- No, he/she must create a new record for the patient based on his/her personal interactions with the patient.
- No, he/she must obtain written consent from the patient.
- Yes, as long as he/she will be treating that patient or the provider is assisting another provider with the coordination of the patient’s care.
- Yes, he/she can access any information available in the database.
3. A covered entity must obtain an individual’s written authorization for use or disclosure of protected health information in which of the following scenarios?
- A coder must review a patient’s chart to code a recent hospital stay.
- A consulting physician needs to access a patient’s record to inform his/her opinion.
- A hospital administrator needs to access patient data to create a report about how many patients were treated for diabetes in the last six months.
- None of the above
4. True or false: Patients can request a copy of billing records associated with their care.
5. Which division of the Department of Health and Human Services (HHS) is responsible for administering and enforcing HIPAA privacy and security standards?
- Centers of Medicare and Medicaid Services (CMS)
- Office of Civil Rights (OCR)
- Office of Inspector General (OIG)
- Office of the National Coordinator for Health Information Technology (ONC)
6. True or false: In order for a provider to use a smartphone to contact an answering service, HIPAA requires the phone be encrypted.
7. Any healthcare provider, regardless of size, is considered a covered entity under the HIPAA Privacy Rule, so long as the provider:
- Demonstrates meaningful use of electronic health records (EHR).
- Electronically transmits health information in connection with certain transactions.
- Handles health information in any way.
- Receives reimbursement from a government health program.
8. All of the following pieces of information are considered individually identifiable health information, EXCEPT:
- Birth date.
- Social Security number.
9. True or false: Providers may leave a message on a patient’s answering machine reminding him or her of an upcoming surgery as long as it doesn’t specify the type of surgery or the specialty practice.
10. Which of the following scenarios is considered an incidental disclosure?
- A member of the housekeeping staff overhears two physicians discussing a case in the break room.
- A nurse practitioner leaves a laptop containing protected health information on the subway.
- A nurse tells a 10-year-old patient’s parents the details of their child’s case.
- A physician tells his or her spouse that he or she saw their neighbor in the hospital.