Certified HIPAA Professional (CHP) Study Guide – Partial – Flashcards
question
HIPAA
answer
Health Insurance Portability and Accountability Act
question
Date HIPAA legislation Passed
answer
August 21, 1996
question
What is HIPAA also known as?
answer
The Kennedy-Kassebaum Bill (after its Senate sponsors, Edward Kennedy and Nancy Kassebaum)
question
What are the 5 key items that HIPAA addresses
answer
1) Improve insurance portability and continuity, 2) Combat health care waste, fraud, and abuse, 3) Promote medical savings accounts, 4) Improve access to long-term care, 5) Simplify the administration of health insurance
question
What are the four main items Title 2 addresses?
answer
1)Transactions and Code Sets, 2) Identifiers, 3) Privacy, 4) Security
question
EDI
answer
Electronic Data Interchange
question
ARRA
answer
American Recovery and Reinvestment Act of 2009
question
What major act is included in the ARRA legislation?
answer
HITECH
question
HITECH
answer
Health Information Technology for Economic and Clinical Health Act
question
When did the Final Rule become effective? When did organizations have to be compliant?
answer
Final Rule (Omnibus Rule) effective March 26, 2013; covered entities and business associates had 180 days to comply, i.e., by September 23, 2013
question
GINA
answer
Genetic Information Nondiscrimination Act of 2008 (GINA)
question
PSO
answer
Patient Safety Organizations (Treated as Business Associates)
question
HIO
answer
Health Information Organizations (treated as Business Associates under the Final Rule), e.g., e-prescribing gateways
question
HIE
answer
Health Information Exchanges
question
RHIO
answer
Regional Health Information Organizations
question
What 4 categories does HIPAA apply to?
answer
Payers, Providers, Clearinghouses, Business Associates & their Subcontractors (final rule)
question
Business Associate
answer
A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity itself.
question
CMS
answer
Centers for Medicare and Medicaid Services (CMS)
question
What is CMS responsible for?
answer
(Formerly known as HCFA, the Health Care Financing Administration) The division of the Department of Health and Human Services responsible for administering Medicare and, together with the states, Medicaid. CMS maintains the specifications for the certifications and authorizations used by the Medicare and Medicaid programs, and maintains several HIPAA code sets (e.g., HCPCS Level II).
question
Consolidated Omnibus Budget Reconciliation Act (COBRA)
answer
A 1985 federal law, amended by Title I of HIPAA, that gives employees who leave a job the right to continue their group health coverage at their own expense for a limited period of time.
question
Covered Entity (CE)
answer
A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA standard transaction.
question
Three questions used to validate whether a company is a Business Associate (BA)
answer
Are they performing a function for a CE (Covered Entity) or on its behalf? (Yes) Are they a member of our workforce? (No) Do they have access to PHI? (Yes) Yes / No / Yes = BA
question
What types of organizations were added to the list of BA's in the Final Rule
answer
Health Information Organizations and Exchanges (HIO/HIE), Regional Health Information Organizations (RHIO), e-prescribing gateways, Patient Safety Organizations (PSO), and all of their subcontractors that handle PHI
question
Name the 5 Vital Business Contract Inclusions for BA's
answer
1) Use PHI only for the purpose for which it was shared, 2) Assume responsibility to safeguard PHI from misuse, 3) Provide individuals with access to their health information, 4) Notify the CE of any breach, 5) Assess each risk and mitigate it
question
What is Electronic Data Interchange (EDI)
answer
The electronic exchange of information between computers, especially the exchange of health information among physicians and insurance companies.
question
Title I
answer
The portion of the HIPAA law concerned with health insurance reform & portability. The main purpose of Title I is to ensure continuation of health coverage when employees change jobs. It also entitles people who leave a job to continue their health insurance coverage as a private payer for a limited period of time under COBRA.
question
Title II
answer
The portion of the HIPAA law known as Administrative Simplification. It addresses prevention of health care fraud and abuse, administrative simplification (standard transactions, code sets, and identifiers), and medical liability reform, and it contains strict requirements for patient confidentiality (the Privacy and Security Rules).
question
Designated Record Set (DRS)
answer
A group of medical records. For providers, it includes medical and billing records but not other items, such as lab tests. For a health plan, the designated record set includes enrollment, payment, claim decisions, and medical management systems of the plan.
question
Electronic Medical Records (EMR)
answer
Or Electronic Health Record (EHR): a collection of health information that is immediately accessible electronically to authorized users.
question
Notice of Privacy Practices (NPP)
answer
A document stating the privacy policies and procedures of a covered entity. (CE)
question
ePHI
answer
PHI that is stored or transmitted in electronic form.
question
HCPCS
answer
Healthcare Common Procedure Coding System - A classification system for medical procedures, services, and supplies. It gives providers a coding system for specific products, supplies, and services patients receive that are not in CPT (HCPCS Level II; CPT itself is HCPCS Level I).
question
TCS
answer
Transactions and Code Sets - HIPAA standards governing the electronic exchange of health information using standard formats and standard code sets
question
NPI
answer
National Provider Identifier - Under HIPAA, a system for uniquely identifying all providers of health care services, supplies, and equipment.
question
POS
answer
Place of Service - Under HIPAA administrative code that indicates where medical services were provided.
question
OIG
answer
Office of the Inspector General - HHS office that investigates fraud against government health care programs such as Medicare and Medicaid, imposes program exclusions and civil monetary penalties, and refers cases to the Department of Justice for criminal prosecution.
question
HHS
answer
Department of Health and Human Services - The federal department that administers federal programs covering public health and welfare.
question
GHP
answer
Group Health Plan - Medical insurance offered to employees and paid for in part or in full by an employer.
question
OCR
answer
Office for Civil Rights - The division of Health and Human Services responsible for enforcing the HIPAA Privacy Rule and, since 2009, the Security Rule and Breach Notification Rule as well. Privacy is considered a civil right.
question
PHI
answer
Protected Health Information - The HIPAA terminology for individually identifiable health information in any medium
question
TPO
answer
Treatment, Payment, and health care Operations - Under HIPAA, the rule that a patient's protected health information may be used and disclosed without authorization for the purposes of treatment, payment, and health care operations.
question
CDT
answer
Current Dental Terminology - HIPAA-mandated code set for procedures performed in a dental office. (Hint Dentist)
question
CPT
answer
Current Procedural Terminology - HIPAA-mandated procedural code set developed, owned, and maintained by the American Medical Association. (Hint Physician)
question
Who is covered by the privacy rule?
answer
Applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form.
question
What is protected health information?
answer
"Individually identifiable health information" held or transmitted by a covered entity or business associate in any form or medium, whether electronic, paper, or oral.
question
What is the basic principle of the privacy rule?
answer
Define and limit the circumstances in which an individual's PHI may be used or disclosed by covered entities.
question
Under the privacy rule, must every risk of an incidental use or disclosure of PHI be eliminated?
answer
No. The Privacy Rule requires reasonable safeguards and application of the minimum-necessary standard; an incidental disclosure that occurs despite those safeguards is permitted.
question
May covered entities use and disclose PHI without individual authorization as required by law?
answer
Yes, when a statute, regulation, or court order requires the disclosure; the disclosure must be limited to what the law requires.
question
What is a limited data set?
answer
PHI from which 16 specified direct identifiers of the individual and of the individual's relatives, employers, and household members have been removed (dates, city/state, and ZIP code may remain). It may be used or disclosed, under a data use agreement, only for research, health care operations, and public health purposes.
question
Which title deals with Administrative Simplification
answer
Title 2
question
Under HIPAA what are Patient Rights
answer
Access to Information, How Information is shared, Protecting Privacy
question
What HIPAA Title addresses Healthcare fraud prevention & abuse
answer
Title 2
question
Which title protects patients from losing insurance due to preexisting medical conditions
answer
Title 1
question
CPOE
answer
Computerized Physician (or Provider) Order Entry; electronic prescribing is one CPOE function
question
Date HITECH went into effect
answer
2/23/2010
question
PII
answer
Patient Identifiable Information (the expansion used in this guide; outside HIPAA the acronym usually means Personally Identifiable Information)
question
How many days does a CE/BA have to notify of a breach
answer
Without unreasonable delay and no later than 60 calendar days after discovery (45 CFR 164.404). The 60-day limit applies to notices to affected individuals, to HHS for breaches affecting 500 or more people, and to prominent media when more than 500 residents of a state or jurisdiction are affected. The federal deadline is still 60 days; the "30 days" heard in practice comes from state breach laws and business associate agreements, which often set shorter deadlines.
question
HITECH (Civil Penalties) Tier 1 - Did Not Know (and could not reasonably have known)
answer
$100 for each violation (statutory minimum); the statute caps identical violations at $25,000 per calendar year, while the HHS 2009 enforcement rule allows up to $1.5 million per year for any tier
question
HITECH (Civil Penalties) Tier 2 - Reasonable Cause (Not Willful Neglect)
answer
$1,000 for each violation; statutory cap $100,000 per calendar year for identical violations
question
HITECH (Civil Penalties) Tier 3 - Willful Neglect, Corrected Within 30 Days
answer
$10,000 for each violation; statutory cap $250,000 per calendar year for identical violations
question
HITECH (Civil Penalties) Tier 4 - Willful Neglect, Not Corrected
answer
$50,000 for each violation; capped at $1.5 million per calendar year for identical violations
question
HITECH - Criminal Penalties - Wrongful disclosure of PHI with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm
answer
Up to $250,000 fine & Up to 10 years in jail
question
HITECH - Criminal Penalties - Wrongful disclosure of PHI under false pretenses
answer
Up to $100,000 & Up to 5 years in jail
question
HITECH - Criminal Penalties - Wrongful disclosure of PHI
answer
Up to $50,000 & up to 1 year in jail
question
Privacy Rule
answer
Confidentiality of PHI in all formats (Paper, oral, or electronic) "All Formats"
question
Security Rule
answer
PHI electronically captured, stored, used or transmitted. "Electronic PHI Only"
question
Define a Breach
answer
Acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. Under the 2013 Final Rule such an event is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised.
question
Name three exceptions to Breaches
answer
1) Unintentional acquisition, access, or use of PHI by a workforce member acting in good faith and within the scope of authority (for example, an office worker at the printer sees a lab result printing for a nurse), 2) Inadvertent disclosure by a person authorized to access PHI to another authorized person at the same CE or BA, 3) Situations in which the unauthorized recipient could not reasonably have retained the information. In each case the PHI must not be further used or disclosed impermissibly.
question
When is a CE not required to notify HHS within 60 days of a breach
answer
When the breach affects fewer than 500 individuals: the affected individuals are still notified within 60 days, but HHS is notified through an annual log submitted within 60 days after the end of the calendar year in which the breach was discovered. (The separate "more than 500 residents of a state" threshold triggers the media-notification duty.)
question
IIHI
answer
Individually Identifiable Health Information
question
Define Small Health Plans
answer
Annual receipts of $5 million or less. Small health plans were given an extra year to comply (Privacy Rule: April 14, 2004 instead of 2003; Security Rule: April 20, 2006 instead of 2005). Separately, a group health plan with fewer than 50 participants that is administered solely by the employer is not a HIPAA health plan at all.
question
NEI
answer
National Employer Identifier
question
Code 270
answer
Eligibility, coverage, or benefit inquiry; a provider uses it to check a patient's eligibility for coverage
question
Code 271
answer
Eligibility, coverage, or benefit response; the health plan's answer to a 270
question
Code 276
answer
Health care claim status request; a provider uses it to find out about an existing claim (the plan answers with a 277)
question
Codes in the 270s
answer
Patient coverage and eligibility (270/271), status of claims (276/277), and referral/authorization review (278)
question
Codes in the 800s
answer
Enrollment and payments: 834 benefit enrollment and maintenance, 820 premium payment, 835 claim payment/remittance advice (the 837 is the claim itself)
question
Defining Security
answer
Security is generally defined as having controls, countermeasures, and procedures in place to ensure "appropriate" protection of information assets and to control access to valued resources
question
Year for "Common Criteria for Security"
answer
1990's collaboration between 7 countries
question
NIST definition
answer
National Institute of Standards & Technology
question
What is Security addressing
answer
Minimizing the vulnerability of assets and resources. 1) An asset is anything of value, e.g., ePHI; 2) a vulnerability is a "weakness that could be exploited"; 3) a threat is a "potential violation of security"
question
CIA
answer
Confidentiality, Integrity, and Availability of ePHI
question
How do you ensure confidentiality
answer
1) Limit access on a "need to know" basis; 2) grant disclosure privileges only to users who are trained and have the authority to make those decisions; 3) deploy reliable authentication methods and control employee access to medical data
question
Documentation in regards of Security
answer
"Documentation = Administration"
question
Parts of Security Rule
answer
Administrative, Physical, Technical
question
Security Rule (ensuring integrity)
answer
Data integrity and source integrity: assurance that ePHI has not been altered or destroyed in an unauthorized manner, supported by security backups and disaster recovery
question
Privacy Rule Summary
answer
Patients' rights over the use and disclosure of their PHI: when, how, and to what extent PHI is shared; access to their own PHI. All forms of PHI are protected: electronic, written, and oral.
question
Privacy Rule only focuses on
answer
Confidentiality
question
Security Rule on deals with what form of data
answer
Electronic data (not oral, or paper)
question
3 types of Security Rule Safeguards
answer
Administrative, Physical, and Technical ( layers)
question
Security Rule Implementation Specs
answer
"Required" = must be implemented. "Addressable" gives two options. Option 1: the specification is reasonable and appropriate and contributes to protecting ePHI, so implement it. Option 2: it does not make sense for the organization (too small, too costly, exposure risk minimal), so document why, and implement an equivalent alternative measure where one is reasonable (or document why none is needed). Addressable never means optional.
question
Administrative Safeguards
answer
Training, documentation, policies, etc.
question
Physical Safeguards
answer
Facility access, systems, monitoring, environmental controls
question
Technical Safeguards
answer
Access control, passwords, identification and authentication, network configuration; logical (as opposed to physical) controls
question
Transaction code sets ( even / odd )
answer
Even = request, Odd = response (270 eligibility request / 271 response; 276 claim status request / 277 response)
question
APT acronym for the 3 security safeguards
answer
Admin, physical, technical
question
Entity Sanction Policy
answer
Addresses disciplinary actions; the employee needs to know the potential legal action and organizational repercussions for violating security policies
question
4 areas of Physical Safeguard "Standards"
answer
1) Facility access controls, 2) Workstation use, 3) Workstation security, 4) Device and media controls
question
9 Administrative Safeguards "Standards"
answer
1) Security management process, 2) Assigned security responsibility, 3) Workforce security, 4) Information access management, 5) Security awareness and training, 6) Security incident procedures, 7) Contingency plan, 8) Evaluation, 9) Business associate contracts and other arrangements
question
5 Technical Safeguard "Standards"
answer
1) Access control, 2) Audit controls, 3) Integrity, 4) Person or entity authentication, 5) Transmission security
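Added example, not from the CHP guide: a small Python model of how three of the technical safeguard standards above fit together for ePHI. Access is granted per role and purpose on a minimum-necessary basis (access control), every attempt is written to an audit trail whether or not anything was released (audit controls), and each audit entry carries the SHA-256 hash of its predecessor so an edited or deleted entry fails verification (integrity). The roles, the purposes, the patient record and the user names are assumptions constructed for the example.

```python
"""Minimal model of three Security Rule technical safeguards (added example; not
from the CHP guide): role-based access control on a minimum-necessary basis,
audit controls that record every access attempt, and an integrity check on
the audit trail. Roles, users and the patient record are constructed."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List

# Minimum-necessary policy (assumed for the example): role -> purpose -> PHI categories.
POLICY = {
    "physician": {"treatment": {"demographics", "clinical", "medications"}},
    "billing":   {"payment":   {"demographics", "billing"}},
    "lab_tech":  {"treatment": {"clinical"}},
}

# Constructed patient record, grouped by PHI category; all values are fictitious.
RECORDS = {
    "P001": {
        "demographics": {"name": "Jane Doe", "dob": "1980-01-01"},
        "clinical":     {"diagnosis": "E11.9"},
        "medications":  {"rx": ["metformin"]},
        "billing":      {"plan_id": "MEMBER001", "balance": 120.0},
    }
}

GENESIS = "0" * 64


def _digest(body: dict) -> str:
    """Canonical SHA-256 of an entry body (sorted keys so the hash is reproducible)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only audit trail. Each entry stores the hash of its predecessor, so
    editing, inserting or deleting an entry makes verify() return False."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, **event) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": datetime.now(timezone.utc).isoformat(), "prev": prev, **event}
        entry = {**body, "hash": _digest(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev") != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def access_phi(user: str, role: str, patient_id: str, purpose: str,
               requested: List[str], log: AuditLog) -> Dict[str, dict]:
    """Release only the categories this role may see for this purpose, and log the
    attempt (who, role, patient, why, granted, denied) even when nothing is released."""
    allowed = POLICY.get(role, {}).get(purpose, set())
    granted = sorted(set(requested) & allowed)
    denied = sorted(set(requested) - allowed)
    log.append(user=user, role=role, patient=patient_id, purpose=purpose,
               granted=granted, denied=denied)
    record = RECORDS.get(patient_id, {})
    return {category: record[category] for category in granted if category in record}


if __name__ == "__main__":
    log = AuditLog()
    # Physician asks for more than treatment needs: billing is withheld and logged as denied.
    print(access_phi("dr_a", "physician", "P001", "treatment",
                     ["demographics", "clinical", "billing"], log))
    # Billing clerk asking for clinical data under "payment" gets nothing.
    print(access_phi("clerk_b", "billing", "P001", "payment", ["clinical"], log))
    print("audit chain intact:", log.verify())
    log.entries[0]["denied"] = []   # after-the-fact edit to hide the denied request
    print("audit chain intact after tampering:", log.verify())
```

The hash chain only makes tampering detectable by someone holding a trustworthy copy of the latest hash; a log writer who can rewrite every entry can recompute the chain. In production, anchor the head hash outside the writer's reach (WORM storage, a signed periodic checkpoint, or a separate log collector) and authenticate the user before `access_phi` is ever reached, which is the person-or-entity-authentication standard this example leaves to the identity provider.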
question
NDC
answer
National Drug Code
question
NHI
answer
National Health Identifier for Individuals ( not established / might never be implemented)
question
NPPES
answer
National Plan and Provider Enumeration System
question
ANSI
answer
American National Standards Institute
question
ANSI ASC X12N - envelope structure
answer
Header (ISA interchange header, GS functional group header, ST transaction set header), data content (the segments of the transaction), trailer (SE, GE, IEA). Each trailer repeats the control number of its header and carries a count (SE01 segments, GE01 transaction sets, IEA01 functional groups) that the receiver checks.
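Added example, not from the CHP guide or from any X12 library: a Python checker for the envelope structure above, exercised on a constructed 270 eligibility inquiry (sender, receiver, member and NPI values are made up). It reads the element separator and segment terminator from the fixed-length ISA header, confirms that ISA/IEA, GS/GE and ST/SE control numbers pair up and that the trailer counts are right, and then labels each transaction set with the even/odd request/response rule from the TCS cards above. Segment names such as BHT, HL and NM1 are standard X12; the assertion that a 270 carries exactly these segments is only what this sample happens to contain.

```python
"""Minimal ANSI ASC X12 envelope checker (added example; not from the CHP guide).
Checks ISA/IEA, GS/GE and ST/SE pairing and counts, then classifies each
transaction set as request or response using the even/odd rule."""
from dataclasses import dataclass
from typing import List

# Constructed 270 eligibility inquiry; sender, receiver, member and NPI values are made up.
# The ISA segment is fixed-length: 106 characters including its terminator.
SAMPLE_270 = (
    "ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     "
    "*240101*1200*^*00501*000000905*0*T*:~"
    "GS*HS*SENDERID*RECEIVERID*20240101*1200*905*X*005010X279A1~"
    "ST*270*0001*005010X279A1~"
    "BHT*0022*13*ABC123*20240101*1200~"
    "HL*1**20*1~"
    "NM1*PR*2*ACME HEALTH PLAN*****PI*12345~"
    "HL*2*1*21*1~"
    "NM1*1P*2*EXAMPLE CLINIC*****XX*1234567890~"
    "HL*3*2*22*0~"
    "TRN*1*98175-012547*9877281234~"
    "NM1*IL*1*DOE*JANE****MI*MEMBER001~"
    "DMG*D8*19800101*F~"
    "DTP*291*D8*20240101~"
    "EQ*30~"
    "SE*13*0001~"
    "GE*1*905~"
    "IEA*1*000000905~"
)


@dataclass
class TransactionSet:
    set_id: str          # ST01, e.g. "270"
    control_number: str  # ST02, must equal SE02
    segment_count: int   # SE01, counts ST through SE inclusive
    role: str            # "request", "response" or "n/a"


def transaction_role(set_id: str) -> str:
    """Even-numbered 27x sets are requests, odd-numbered are responses (270/271, 276/277)."""
    if set_id.startswith("27") and set_id.isdigit():
        return "request" if int(set_id) % 2 == 0 else "response"
    return "n/a"


def parse_segments(raw: str) -> List[List[str]]:
    """Split an interchange into segments/elements using the delimiters the ISA declares:
    the element separator is character 4 and the segment terminator is character 106."""
    if not raw.startswith("ISA") or len(raw) < 106:
        raise ValueError("interchange must begin with a 106-character ISA segment")
    element_sep, segment_term = raw[3], raw[105]
    segments = [s.strip() for s in raw.split(segment_term)]
    return [s.split(element_sep) for s in segments if s]


def check_envelope(raw: str) -> List[TransactionSet]:
    """Validate ISA/IEA, GS/GE and ST/SE pairing and counts; return the transaction sets."""
    segs = parse_segments(raw)
    isa, iea = segs[0], segs[-1]
    if isa[0] != "ISA" or iea[0] != "IEA":
        raise ValueError("interchange must be wrapped in ISA ... IEA")
    if isa[13] != iea[2]:
        raise ValueError(f"ISA13 {isa[13]} != IEA02 {iea[2]}")
    found: List[TransactionSet] = []
    groups, sets_in_group, st_index = 0, 0, 0
    gs = st = None                     # the currently open GS and ST headers
    for i, seg in enumerate(segs[1:-1], start=1):
        tag = seg[0]
        if tag == "GS":
            gs, sets_in_group = seg, 0
        elif tag == "GE":
            if gs is None or gs[6] != seg[2]:
                raise ValueError("GE02 does not match the open GS06")
            if int(seg[1]) != sets_in_group:
                raise ValueError(f"GE01 says {seg[1]} transaction sets, found {sets_in_group}")
            gs, groups = None, groups + 1
        elif tag == "ST":
            st, st_index = seg, i
        elif tag == "SE":
            if st is None or st[2] != seg[2]:
                raise ValueError("SE02 does not match the open ST02")
            actual = i - st_index + 1  # ST and SE both count
            if int(seg[1]) != actual:
                raise ValueError(f"SE01 says {seg[1]} segments, counted {actual}")
            found.append(TransactionSet(st[1], st[2], actual, transaction_role(st[1])))
            st, sets_in_group = None, sets_in_group + 1
    if gs is not None or st is not None:
        raise ValueError("unterminated GS or ST")
    if int(iea[1]) != groups:
        raise ValueError(f"IEA01 says {iea[1]} functional groups, found {groups}")
    return found


def is_valid_interchange(raw: str) -> bool:
    """True when every envelope level pairs up and its counts are right."""
    try:
        check_envelope(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for ts in check_envelope(SAMPLE_270):
        print(ts)
    truncated = SAMPLE_270.replace("SE*13*0001", "SE*12*0001")
    print("accepted with wrong SE01:", is_valid_interchange(truncated))
```

Control numbers and counts catch truncation, mis-assembled batches and envelopes that were spliced together, which is what they are for; they do not protect against a sender or intermediary who rewrites the trailer to match. Authenticity and integrity of the interchange in transit belong to the transmission-security safeguard (TLS, or AS2 with signed payloads), and content validation against the 005010X279A1 implementation guide is a separate step.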
question
4 parts of the HIPAA puzzle are:
answer
TCS (transactions and code sets), Identifiers, Privacy Rule, Security Rule
question
X12N & HIPAA transaction sets implementation guides published by
answer
Washington Publishing Company (WPC)
question
How many identifiable items must be removed for PII to be de-identified and considered non-PHI according to Safe Harbor Method.
answer
The 18 identifiers listed in 45 CFR 164.514(b)(2) must be removed (names; geographic units smaller than a state, except the first three ZIP digits when that area holds more than 20,000 people; all date elements except year, with ages over 89 aggregated to "90 or older"; phone, fax, email; SSN; medical record, health plan, account, certificate/license numbers; vehicle and device identifiers; URLs; IP addresses; biometrics; full-face photos; any other unique identifying number, characteristic, or code), and the covered entity must have no actual knowledge that the remaining information could identify the individual.
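Added example, not from the CHP guide: a Python de-identifier that applies the Safe Harbor rules listed above to one record, with a second mode that produces the limited data set described earlier on this page (direct identifiers removed, dates and city/state/ZIP kept). The sample record, the field names, and the table of sparsely populated 3-digit ZIP areas are constructed for the example; a real implementation would use the current Census population table. It goes beyond the flashcard by handling the two edge cases practitioners most often get wrong, the "000" ZIP rule and the over-89 age rule, and by scrubbing identifiers embedded in free text.

```python
"""Safe Harbor de-identification of one record (added example; not from the CHP
guide), with a limited-data-set mode for comparison. The record and the table
of sparsely populated 3-digit ZIP areas are constructed stand-ins."""
import re
from copy import deepcopy
from datetime import date
from typing import Dict

# Direct identifiers that both Safe Harbor and a limited data set remove outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "photo",
}
# Safe Harbor additionally drops every geographic unit smaller than a state.
SAFE_HARBOR_ONLY = {"city", "county"}
DATE_FIELDS = ("dob", "admit_date", "discharge_date", "death_date")

# Stand-in for the Census list of 3-digit ZIP areas with 20,000 or fewer people
# (illustrative subset, not the authoritative table).
SPARSE_ZIP3 = {"036", "059", "102", "203", "205", "369", "556", "692",
               "821", "823", "878", "879", "884", "893"}

SCRUB_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"https?://\S+"), "[URL]"),
]
DATE_IN_TEXT = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless that area is sparsely populated."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3


def age_on(dob: date, as_of: date) -> int:
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def scrub_text(text: str, keep_dates: bool) -> str:
    """Remove identifiers embedded in free text. Names in prose are not caught by
    these regexes; Safe Harbor still requires them gone, so notes need manual review."""
    if not keep_dates:
        text = DATE_IN_TEXT.sub(lambda m: m.group(3), text)   # keep only the year
    for pattern, label in SCRUB_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: Dict, as_of: date, mode: str = "safe_harbor") -> Dict:
    """Return a de-identified copy; `as_of` is the date the age is evaluated on."""
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError(mode)
    safe_harbor = mode == "safe_harbor"
    out = deepcopy(record)
    for field in DIRECT_IDENTIFIERS | (SAFE_HARBOR_ONLY if safe_harbor else set()):
        out.pop(field, None)
    if "notes" in out:
        out["notes"] = scrub_text(out["notes"], keep_dates=not safe_harbor)
    if not safe_harbor:
        return out                      # a limited data set keeps dates and the full ZIP
    if "zip" in out:
        out["zip"] = generalize_zip(out["zip"])
    for field in DATE_FIELDS:           # dates are reduced to the year
        if isinstance(out.get(field), date):
            out[field] = str(out[field].year)
    if "dob" in record:
        age = age_on(record["dob"], as_of)
        if age > 89:                    # even a birth year would reveal an age over 89
            out.pop("dob", None)
            out["age"] = "90 or older"
        else:
            out["age"] = age
    return out


# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Jane Doe", "mrn": "MRN-00042", "ssn": "123-45-6789",
    "email": "jane.doe@example.org", "street": "12 Elm St", "city": "Springfield",
    "state": "IL", "zip": "62704",
    "dob": date(1930, 1, 2), "admit_date": date(2024, 3, 14), "discharge_date": date(2024, 3, 18),
    "diagnosis": "E11.9",
    "notes": "Seen 03/14/2024; callback 555-123-4567; home IP 203.0.113.7.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, as_of=date(2024, 3, 14)))
    print(deidentify(SAMPLE, as_of=date(2024, 3, 14), mode="limited_data_set"))
```

Two caveats the flashcard cannot carry: the output of the limited-data-set mode is still PHI and may only leave the organization under a data use agreement, and the "no actual knowledge" condition of Safe Harbor is a judgment about the remaining fields (a rare diagnosis plus a 3-digit ZIP can still single someone out), which no field-stripping function can make for you.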
question
ICD9 vs ICD10
answer
International Classification of Diseases - code sets for diagnoses (ICD-9-CM, ICD-10-CM) and inpatient procedures (ICD-9-CM Vol. 3, ICD-10-PCS). ICD-10 is far more detailed and replaced ICD-9 in HIPAA transactions on October 1, 2015.
question
NCPDP
answer
National Council for Prescription Drug Programs - maintains the HIPAA standard for retail pharmacy transactions