HIO-201 Certified HIPAA Professional Questions and Answers

Indefinitely, because the life of a signed authorization isindefinite.

Six (6) years from the time it expires.

For as long as the patient's records are kept.

Until it is specifically revoked by the individual.

Ten (10) years from the date it was signed.

270

835

837 - Professional

CPT-4

UB-92

270

835

278

820

834

Security Awareness and Training

Security Management Process

Access Control

Assigned Security Responsibility

Security Incident Procedures

ICD-9-CM. Volumes 1 and 2.

CPT-4.

CDT.

ICD-9-CM. Volume 3.

NDC.

A covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form allowed by the regulations.

A face-to-face communication made by a covered entity to an individual is allowed by the regulations without an authorization

A promotional gift of nominal value provided by the covered entity is NOT allowed by the regulations without an authorization.

If the marketing is expected to result in direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is expected

Disclosure of PHI for marketing purposes is limited to disclosure to business associates (which could be a telemarketer) that undertakes marketing activities on behalf of the covered entity

ICD-9-CM, Volumes 1 and 2.

CPT-4.

CDT.

ICD-9-CM, Volume 3.

HCPCS.

Security Incident Procedures

Assigned Security Responsibly

Security Management Process

Access Control

Facility Access Control

Is required for all Business Associate Contracts.

Must always be associated with a valid authorization.

Must be signed before providing treatment to a patient.

Must be associated with a valid Business Associate Contract.

Must describe the individual's rights under the Privacy Rule.

Eligibility (270/271)

Premium Payment (820)

Claim Status Notification (277)

Remittance Advice (835)

Functional Acknowledgment (997)

No - This would be considered an allowed "routine disclosure" between the doctor and his business partner

Yes - There is no exception to the requirement for an authorization prior to disclosure, no matter how well intentioned or documented.

Yes - a delivery service is not considered a covered entity

Yes - to be a “routine disclosure” all the parties must have their own Privacy Officer as mandated by HIPAA

Yes - this is not considered a part of "treatment", which is one of the valid exceptions to the Privacy Rule

Data group

Segment

Transaction set

Functional group

Interchange envelope

Disaster Recovery Plan

Data Backup Plan

Facility Access Controls

Security Incident Procedures

Emergency Mode Operations Plan

Workstation Use

Workstation Security

Sanction Policy

Termination Procedures

Facility Security Plan

Establish a business partner relationship with the other provider.

Obtain a signed authorization from the patient to cover the disclosure.

Make a copy of the signed Notice available to the other provider.

Obtain the patients signature on the second provider's Notice of Privacy Practices.

Do nothing more -the Notice of Privacy Practices covers treatment activities.

If the notice must state that the covered entity reserves the right to disclose PHI without obtaining the individuals authorization.

The notice must prominently include an expiration date.

The notice must describe every potential use of PHI

The notice must describe an individual's rights under the rule such as to inspect, copy and amend PHI and to obtain an accounting of disclosures of PHI

The notice must clearly identify that the covered entity is in compliance with HIPAA regulations as of April 16,2003

$1,000,000 per person pet violation

$10 per person pet violation

$10,000 per person per violation

$100 per person per violation

$1000 per person per violation

Risk analysis

Applications and Data Criticality Analysis

Risk Management

Integrity Controls

Encryption

Requires PKI for the provider and the patient.

Is exempt from HIPAA regulations.

Is a not-for-profit operation.

Identifies all hospitals and health care organizations.

Performs the functions of format translation and data conversion.

ICD-9-CM, Volumes 1 and 2

CPT-4

CDT

ICD-9-CM, Volume 3

HCPCS

270

276

834

835

837