CHC - Certified in Healthcare Compliance HIPAA Privacy and Security Questions and Answers

Question 1

A covered entity discovers that a business associate has experienced a breach of unsecured protected health information (PHI) affecting 450 individuals. The business associate notified the covered entity 50 days after discovering the breach. According to the HIPAA Breach Notification Rule, what is the covered entity's primary notification responsibility?

Accepted Answer

Notify the affected individuals and the Secretary of HHS annually, as the breach affects fewer than 500 individuals.

Answer

For breaches affecting fewer than 500 individuals, covered entities are required to notify the Secretary of HHS by submitting an annual report of all such breaches within 60 days after the end of the calendar year in which the breaches were discovered. They must still notify the affected individuals without unreasonable delay and within 60 days of discovery.

Question 2

Which of the following is a key distinction between the HIPAA Privacy Rule and the HIPAA Security Rule?

Accepted Answer

The Privacy Rule establishes standards for how PHI can be used and disclosed, while the Security Rule sets standards for safeguarding electronic PHI.

Answer

The HIPAA Privacy Rule governs the use and disclosure of all protected health information (PHI), regardless of its format (paper, oral, electronic). The HIPAA Security Rule specifically addresses the protection of PHI that is in electronic form (ePHI) by requiring administrative, physical, and technical safeguards.

Question 3

A hospital's fundraising foundation wants to send a mailing to former patients. Under HIPAA, which of the following pieces of information may the hospital disclose to its foundation for fundraising purposes without obtaining prior patient authorization?

Accepted Answer

Dates of service, demographic information, and health insurance status.

Answer

HIPAA permits a covered entity to use or disclose limited PHI for its own fundraising purposes without an individual's authorization. This is limited to demographic information (like name and address), dates of healthcare provided, department of service information, treating physician, outcome information, and health insurance status. The notice of privacy practices must inform patients about fundraising communications and their right to opt out.

Question 4

A patient reviews their medical record and finds an error in their diagnosis history. Under the HIPAA Privacy Rule, the patient has the right to request an amendment to their PHI. What is the covered entity's obligation after receiving this request?

Accepted Answer

Act on the request within a reasonable time, typically within 60 days, by either making the amendment or providing a written denial.

Answer

The HIPAA Privacy Rule gives individuals the right to request an amendment to their PHI in a designated record set. The covered entity must act on the request, typically within 60 days (with a possible 30-day extension). It can either accept the amendment and notify the patient and relevant parties, or provide the individual with a timely, written denial explaining the basis for the decision and their right to submit a disagreement.

Question 5

A research institution wants to use a hospital's patient database for a study. To comply with HIPAA, they plan to de-identify the data. They choose the 'Safe Harbor' method. Which of the following is one of the 18 identifiers that MUST be removed under this method?

Accepted Answer

All geographic subdivisions smaller than a state, including ZIP codes.

Answer

The HIPAA Safe Harbor method requires the removal of 18 specific identifiers to de-identify data. One of these identifiers is 'All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes.' An exception exists for the initial three digits of a ZIP code under certain population criteria.

CHC - Certified in Healthcare Compliance Practice Test

CHC - Certified in Healthcare Compliance Practice Test

CHC - Certified in Healthcare Compliance HIPAA Privacy and Security Questions and Answers