HIO-201 Certified HIPAA Professional Questions and Answers

The Notice must be signed before a State authorized notary

Direct Treatment Providers must make a good faith effort to obtain patient's written acknowledgement of Notice of Privacy Practices.

Organizations may not have a "layered" Notice - a short, summary Notice preceding the more detailed Notice.

Authorization forms are mandatory for the Notice to be valid

An individual must sign an authorization before a state authorized notary.

Access Control

Security Incident Procedures

Information Access Management

Workforce Security

Security Management Process

Risk Analysis

Risk Management

Access Establishment and Modification

Isolating Health care Clearinghouse Function

Information System Activity Review

Transmission Security

Evaluation

Audit Controls

Integrity

Security Management Process

Security Management Process

Facility Access Control

Security Awareness and Training

Workforce Security

Security Management Process

Media Re-use

Termination Procedures

Risk Management

Maintenance Records

Disposal

Audit Control

Integrity

Access Control

Person or Entity Authentication

Transmission Security

The authorization has been revoked by the physician.

The patient remains a citizen of the United States.

The information is under the control of HHS.

The information is in the possession of a covered entity.

The information is not also available on paper forms.

$5,000 in fines.

55000 in fines and six months in prison.

An annual cap of $50,000 in fines.

A fine of up to $50,000 if they wrongfully disclose PHI.

Six months in prison.

$1,000,000 per person pet violation

$10 per person pet violation

$10,000 per person per violation

$100 per person per violation

$1000 per person per violation

270

276

278

271

834

Data group

Segment

Transaction set

Functional group

Interchange envelope

All Employers.

The Washington Publishing Company

Disclosure of non-identifiable demographics.

Oral disclosure of PHI.

The prevention of use of de-identified information.

Administrative Safeguards

Physical Safeguards

Technical Safeguards

Audit Controls

Information Access Management

Access Control

Security Management Process

Facility Access Controls

Workstation Use

Device and Media Controls

It cannot be used to transfer enrollment information from a plan sponsor to a hearth care insurance company or other benefit provider.

It can be used by a health insurance company to notify a plan sponsor that it has dropped one of its members.

It cannot be used to enroll, update, or dis-enroll employees and dependents in a health plan.

A sponsor can be an employer, insurance agency, association or government agency but unions are excluded from being plan sponsors.

It can be used in either update or full replacement mode.

October 16, 2003 - small health plans to begin testing without ASCA extension

October 16, 2004 - full compliance deadline for small health plans

April 16, 2004 - small health plans to begin testing with ASCA extension

April 16, 2003 - deadline to begin testing with ASCA extension

April 14, 2003; deadline to begin testing with the ASCA extension.

"Disclosure" refers lo employing IIHI within a covered entity.

"Disclosure" refers to utilizing, examining, or analyzing IIHI within a covered entity.

"Disclosure" refers to the release, transfer, or divulging of IIHI to another covered entity.

"Disclosure" refers to the movement of information within an organization.

"Disclosure" refers to the sharing of information within the covered entity.

Risk Analysis

Authorization and/or Supervision

Termination Procedures

Contingency Operations

Encryption and Decryption

The social security number has been selected as the National Health Identifier for individuals.

The COT code set is maintained by the American Medical Association.

Preferred Provider Organizations (PPO) are not covered by the definition of "health plan" for purposes of the National Health Plan Identifier

HIPAA requires health plans to accept every valid code contained in the approved code sets

An important objective of the Transaction Rule is to reduce the risk of security breaches through identifiers.

Patient's country of birth

Patient's pet name

Patient's weight

Patient's address

Patient's date of birth

Contingency Plan

Evaluation

Security Management Procedures

Facility Access Control

Security Incident Procedures

A covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form allowed by the regulations.

A face-to-face communication made by a covered entity to an individual is allowed by the regulations without an authorization

A promotional gift of nominal value provided by the covered entity is NOT allowed by the regulations without an authorization.

If the marketing is expected to result in direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is expected

Disclosure of PHI for marketing purposes is limited to disclosure to business associates (which could be a telemarketer) that undertakes marketing activities on behalf of the covered entity

Simple flat file structure for transactions.

Envelope structure for transactions.

Employer identifier.

Health plan identifier

Provider identifier.

Eligibility (270/271)

Premium Payment (820)

Claim Status Notification (277)

Remittance Advice (835)

Functional Acknowledgment (997)

837 - Professional

834

CPT-4

837 - Institutional

CDT

Accountants

Hospital employees

A covered entity's internal IT department

CEO of the covered entity

The covered entity's billing service department

Risk analysis

Applications and Data Criticality Analysis

Risk Management

Integrity Controls

Encryption

The types of financial information to be disclosed.

The specific individuals or entities to which disclosure would be made.

The types of persons who would receive PHI.

The conditions that would not apply to disclosure of PHI

The criteria for reviewing requests for routine disclosure of PHI.

Risk Analysis

Access Control and Validation Procedures

Integrity Controls

Access Authorization

Termination Procedures

Annual Audits

Claims Management

Salary disbursement to the workforce having direct treatment relationships.

Life Insurance underwriting

Cash given to the pharmacist for the purchase of an over-the-counter drug medicine

A person who acts on behalf of a non-covered entity.

A person who's function may involve claims processing, administration, data analysis or practice management with access to PHI.

A person who is a member of the covered entity's workforce.

A clearinghouse.

A person that performs or assists in the performance of a function or activity that involves the use or disclosure of de-identified health information.

PHI includes all individually identifiable health information (IIHI).

PHI does not include physician's hand written notes about the patient's treatment.

PHI does not include PHI stored on paper.

PHI does not include PHI in transit.

PHI includes de-identified health information

Security Awareness and Training

Security Incident Procedure

Information Access Management

Security Management Process

Contingency Plan

Security rule.

Privacy rule.

Covered entity rule.

Electronic Transactions and Code Sets rule.

Electronic Signature Rule.

Creation and modification of health information during and after an emergency.

Integrity of health information during and after an emergency.

Accountability of health information during and after an emergency.

Vulnerability of health information during and after an emergency.

Non-repudiation of the entity.

A covered entity must apply disciplinary sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity.

A covered entity need not train all members of its workforce whose functions are materially affected by a change in policy or procedure.

A covered entity must designate, and document, a contact person responsible for receiving acknowledgements of Notice of Privacy Practice.

A covered entity may require individuals to waive their rights.

A covered entity must provide maximum safeguards for PHI from any intentional or unintentional use or disclosure that is in violation of the regulations and to limit incidental uses and disclosures made pursuant to permitted or required use or disclosure.

Security Incident Procedures

Assigned Security Responsibility

Access Control

Facility Access Controls

Security Management Process

National Provider Identifier (NPI)

Social Security Number (SSN)

National Health Plan Identifier (PlanID)

National Employer Identifier for Health Care (EIN)

National Health Identifier for Individuals (NHII)

Eligibility (270/271).

Premium Payment (820).

Unsolicited Claim Status (277).

Remittance Advice (835).

Functional Acknowledgment (997).

A covered entity must use the applicable code set that is valid at the time the transaction is initiated.

April 14, 2003 is the compliance date for implementation of the National Provider Identifier.

CMS is responsible for updating the CPT-4 code set.

An organization that assigns NPIs is referred to as National Provider for Identifiers.

HHS assigns the Employer Identification Number (EIN), which has been selected as the National Provider Identifier for Health Care.

ICD-9-CM, Volumes 1 and 2.

CPT-4.

CDT.

ICD-9-CM, Volume 3.

HCPCS.

The Washington Publishing Company has the exclusive rights to publish the X12N Implementation Guides.

HHS has adopted the Implementation Guides as standards for HIPAA transactions.

The guides are intended to be instructive and need not be followed strictly.

The guides may be downloaded free from WPC's Website.

The guides explain the usage of the transaction set segments and data elements.

270

276

278

280

834

Access Authentication

Integrity Controls

Authorization and/or Supervision

Data Authentication

Unique User Identification