Editor’s Note: Links updated, June 2019
Thanks to Chris Apgar, CISSP, President and CEO of Apgar & Associates, LLC for his help in crafting the questions.
1. What does the HIPAA acronym stand for?
- Health Identification Privacy and Affordability Act
- Health Information Portability and Affordability Act
- Health Information Privacy and Accountability Act
- Health Insurance Portability and Accountability Act
2. Can a provider use the database to access the medical record of a patient who was seen by another provider in the same organization?
- No, he/she must create a new record for the patient based on his/her personal interactions with the patient.
- No, he/she must obtain written consent from the patient.
- Yes, as long as he/she will be treating that patient or the provider is assisting another provider with the coordination of the patient’s care.
- Yes, he/she can access any information available in the database.
3. A covered entity must obtain an individual’s written authorization for use or disclosure of protected health information in which of the following scenarios?
- A coder must review a patient’s chart to code a recent hospital stay.
- A consulting physician needs to access a patient’s record to inform his/her opinion.
- A hospital administrator needs to access patient data to create a report about how many patients were treated for diabetes in the last six months.
- None of the above
4. True or false: Patients can request a copy of billing records associated with their care.
- True
- False
5. Which division of the Department of Health and Human Services (HHS) is responsible for administering and enforcing HIPAA privacy and security standards?
- Centers of Medicare and Medicaid Services (CMS)
- Office of Civil Rights (OCR)
- Office of Inspector General (OIG)
- Office of the National Coordinator for Health Information Technology (ONC)
6. True or false: In order for a provider to use a smartphone to contact an answering service, HIPAA requires the phone be encrypted.
- True
- False
7. Any healthcare provider, regardless of size, is considered a covered entity under the HIPAA Privacy Rule, so long as the provider:
- Demonstrates meaningful use of electronic health records (EHR).
- Electronically transmits health information in connection with certain transactions.
- Handles health information in any way.
- Receives reimbursement from a government health program.
8. All of the following pieces of information are considered individually identifiable health information, EXCEPT:
- Birth date.
- Diagnosis.
- Name.
- Social Security number.
9. True or false: Providers may leave a message on a patient’s answering machine reminding him or her of an upcoming surgery as long as it doesn’t specify the type of surgery or the specialty practice.
- True
- False
10. Which of the following scenarios is considered an incidental disclosure?
- A member of the housekeeping staff overhears two physicians discussing a case in the break room.
- A nurse practitioner leaves a laptop containing protected health information on the subway.
- A nurse tells a 10-year-old patient’s parents the details of their child’s case.
- A physician tells his or her spouse that he or she saw their neighbor in the hospital.