HIPS Series > Federal and State Privacy Requirements > Quiz + Answers

The questions, answers and explanations are provided below. If you disagree with our answer, or have additional questions, please send email to pdpp@miami.edu. Include the text of the quiz question(s) with which you disagree in your correspondence.
You have been appointed the new Chief Privacy Officer for the Big State University - Better Samaritan Hospital (BSU-BSH) medical campus. Congratulations! The campus CEO calls you in on your first day and starts asking you about privacy laws.

1. The CEO's first question is: "Why do we need this federal HIPAA law anyway?" What can you say?
A. "Increasing use of electronic records has raised privacy concerns, and the federal law is designed to help."
B. "The state health privacy laws that exist are not always good, and the good ones are not always enforced."
C. "Respecting privacy is just good business. It makes customers (patients) more confident about getting care from BSU-BSH."
D. All of these.
D is correct. All of these are excellent responses, so why not use all of them?
2. The CEO wants to know who is covered by HIPAA. You reply that it includes:
A. Health care providers, health plans, and health information clearinghouses.
B. Health care providers, health plans, and health information clearinghouses, and any business associates of them that handle information.
C. Health care providers, health plans, and health information clearinghouses, their business associates, and the workers for those organizations.
D. Pretty much anything or anybody that handles health information of any kind.
C, the longest answer, is the most technically correct. Note that the law reaches to workers only indirectly, but it reaches to them nonetheless. You aren't far off the mark with D, however.
3. The CEO has heard that the definition of "protected" health information under the HIPAA law is "anything related to the past, present or future physical or mental health condition of a person." But what does "anything" include?
A. Health information in electronic information systems.
B. Health information in electronic systems and in paper medical records systems.
C. Health information in electronic systems, paper medical records systems, and in electronic mail or faxes associated with those systems.
D. Health information in any form or medium, as long as it is identified (or identifiable) as a particular person's information.
D is correct. Identified (or identifiable) health information in any form or medium is covered by the HIPAA Privacy Rule. It's the Security Rule that applies only to electronic information.
4. The CEO wants to know about the "Notice of Privacy Practices" that he sees all the patients carrying around. Which of the following things that the CEO tells you about the Notice is wrong?
A. It's designed to inform patients about their federal and state privacy rights.
B. Patients are supposed to have an opportunity to discuss any privacy issues, particularly right after they receive their Notice.
C. Patients are asked to sign an acknowledgement that they received the Notice.
D. Giving the Notice to patients is optional.
D is correct. Giving each patient a Notice is required -- on the first visit and any time afterward when it has materially changed.
5. What are organizations covered by the federal HIPAA privacy law expected to do?
A. Protect the health information under their control.
B. Train their workers in how to protect information.
C. Help patients exercise their rights under the law -- such as getting a copy of their records, correcting errors, and learning who has seen their records.
D. All of these.
D is correct. All of these are required.
6. The CEO has heard that the HIPAA protections include something called the "minimum necessary" standard. He wants to know what that requires.
A. Workers have to use reasonable caution every time they use or disclose health information.
B. Workers can only use or disclose the minimum necessary amount of health information to accomplish a task.
C. Health information can only be used or disclosed by workers for legitimate work-related purposes.
D. All of the above.
B or D is acceptable. B is the strict definition of minimum necessary. However, A, B, and C are all required by HIPAA.
7. BSU-BSH has a top-ranked cosmetic surgery program, which attracts patients from around the world. Some of the staff use the online medical records system to check up on the big names who've checked in -- to see what parts of the rich and famous are getting improved. This is:
A. Not illegal, as long as no one tries to sell the information to the media, or tells someone outside BSU-BSH.
B. Not illegal, because famous people do not have the same health privacy rights under federal and state laws.
C. Not illegal, because this can be considered an "incidental use or disclosure."
D. Illegal, because there is no legitimate work-related purpose for such access.
D is correct. It's still a violation, even if the information is only disclosed for intra-campus gossip. The famous get the same health privacy rights as the rest of us. The incidental uses and disclosures exception applies only to accidental releases.
8. The CEO likes that "incidental uses and disclosures" exception, though he is disappointed to hear that it won't cover the information leaks from the cosmetic surgery program. He wonders what it will cover?
A. It will cover true accidents, where reasonable caution was otherwise used and there was no negligence.
B. It will cover negligence, as long as it wasn't gross negligence.
C. It will cover negligence, but only by physicians.
D. It will cover anything that can be labelled as an "accident."
The long answer, A, is the correct one. Labelling something as an accidental disclosure doesn't make it so. Perfection isn't expected. Reasonable caution is, at all times. Negligence is not excused.
9. The CEO doesn't like trouble-makers, and wants to know if persons can be, um, er, "disciplined" for reporting a privacy problem or filing a complaint. You reply:
A. "Sure, why not?"
B. "Federal law prohibits intimidation or retaliation against patients who report problems or file complaints, but workers can still be disciplined."
C. "Federal law prohibits intimidation or retaliation for reporting a problem or filing a complaint -- and that applies to our workers as well as our patients."
D. "Are you nuts?"
C is correct. HIPAA prohibits retaliation against both patients and workers. D is only correct if you want some time off from work.
10. Speaking of trouble, which of these provide severe penalties for deliberate misuse of health information, particularly where there is an intent to harm others or achieve personal financial gain?
A. Federal law (notably, HIPAA).
B. State laws.
C. Your organization's institutional policies.
D. All of these.
D is correct. Federal and state laws provide such penalties, and organizations are required to have a "sanctions policy" as well.