A Process for Gathering Information Pertaining to a Hipaa Compliance Audit Assessment Questions

Define a Process for Gathering Information Pertaining to a HIPAA Compliance Audit
Assessment Questions

1. What are four parts of the administrative simplification requirements of HIPAA?

1. Electronic transaction and code sets standards requirements
2. Privacy requirements
3. Security requirements
4. National identifier requirements

1. Name 3 factors used to determine whether you need to comply with HIPAA.

1. Whether the health plan is self-insured or fully insured
2. Whether the plan sponsor receives PHI or SHI
3. How the plan sponsor utilizes SHI.

1. What are the three categories of entities affected by HIPAA Medical Privacy Regulations?

1. Health Care Providers: Any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which standard requirements have been adopted.
2. Health Plans: Any individual or group plan that provides or pays the cost of health care.
3. Health Care Clearinghouses: A public or private entity that transforms health care transactions from one format to another.

1. What would Business Associates of covered entities consist of as it pertains to HIPAA’s regulation?

1. HIPAA defines a business associate as an individual or corporate "person" that: performs on behalf of the covered entity any function or activity involving the use or disclosure of protected health information (PHI); and is not a member of the covered entity's workforce.

1. Who is covered by the Privacy Rule in HPAA? Give some examples.

1. Health care providers who transmit any health information electronically in connection with certain transactions.
2. Health plans
3. Healthcare Clearinghouse - Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

1. What information is protected in HIPAA?

1. Healthcare claims or equivalent encounter information
2. Healthcare payment and remittance advice
3. Coordination or benefits
4. Healthcare claim status
5. Enrollment or disenrollment in a health plan
6. Eligibility for a health plan
7. Health plan premium payments
8. Referral certification and authorization

1. Describe the Basic Principle and Required Disclosures of HIPAA.

1. The basic principle of the HIPAA Privacy Rule is that a covered entity may not use or disclose protected health information, except when the Privacy Rule explicitly permits it or the individual subject of the information authorizes it.
2. The HIPAA Privacy Rule does not require the disclosure of health information, except in two instances:

1. To the individual subject to the information.
2. To HHS when conducting a compliance investigation.

1. Is a health information organization (HIO) covered by the HIPAA Privacy Rule?

1. Generally, no. The HIPAA Privacy Rule applies to health plans, health care clearinghouses, and health care providers that conduct covered transactions. The functions a HIO typically performs do not make it a health plan, health care clearinghouse, or covered health care provider. Thus, a HIO is generally not a HIPAA covered entity. However, a HIO that performs certain functions or activities on behalf of, or provides certain services to, a covered entity which require access to PHI would be a business associate under the Privacy Rule. See 45 C.F.R. § 160.103 (definition of “business associate”). HIPAA covered entities must enter into contracts or other agreements with their business associates that require the business associates to safeguard and appropriately protect the privacy of protected health information. See 45 C.F.R. §§ 164.502(e), 164.504(e). (See also the relevant business associate requirements in the HIPAA Security Rule at 45 C.F.R. §§ 164.308(b), 164.314(a).) For instance, a HIO that manages the exchange of PHI through a network on behalf of multiple covered health care providers is a business associate of the covered providers, and thus, one or more business associate agreements would need to be in place between the covered providers and the HIO.

1. Does the HIPAA Privacy Rule inhibit electronic health information exchange across different states or jurisdictions?

1. No. The Privacy Rule establishes a federal baseline of privacy protections and rights, which applies to covered entities consistently across state borders. The Privacy Rule, however, as required by HIPAA, does not preempt State laws that provide greater privacy protections and rights. Thus, as with covered entities that conduct business today on paper in a multi-jurisdictional environment, covered entities participating in electronic health information exchange need to be cognizant of States with more stringent privacy laws that will affect the exchange of electronic health information across State lines. In addition, other Federal laws also may apply more stringent or different requirements to such exchanges depending on the circumstances. Covered entities and health information organizations (acting as their business associates) which participate in multi-jurisdictional electronic health information exchange should establish privacy policies for the network that accommodate these variances.

1. How should a covered entity respond to any HIPAA Privacy Rule violation of a health information organization (HIO) acting as its business associate?

1. The Privacy Rule establishes a series of steps a covered entity should take in response to any complaints or other evidence it receives that a HIO has violated its business associate agreement, which include the following:

1. Investigation of any complaint received, as well as of other information containing credible evidence of a violation;
2. Reasonable steps to cure/end any material breaches or violations it becomes aware of;
3. Termination of the agreement where attempts to cure a material breach are unsuccessful;
4. In the event termination of the agreement is not feasible, the report of violation(s) to the Secretary of HHS, through OCR. See 45 C.F.R. § 164.504(e).

1. True or False. As a patient, your doctor must have you sign a HIPAA Consent and Release Form to share your ePHI or PHI with insurance providers who pay for your medical bills. This is part of the HIPAA Privacy Rule.

1. True

1. After consent and permission is provided by the patient to the medical practice or covered entity, what agreement is needed between the medical practice and its downstream medical insurance claims processor or downstream medical specialist that requires the patient’s ePHI?

1. Not use or further disclose the information other than as permitted or required by the contract or as required by law;
2. Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
3. Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;
4. Ensure that any agents, including a subcontractor, to whom it provides, protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information.

1. Why is security awareness training for all employees within a healthcare organization a major component of HIPAA compliance?

1. The HIPAA privacy and security rules require formal education and training of the workforce to ensure ongoing accountability for privacy and security of protected health information (PHI). HIPAA's privacy and security rules independently address training requirements. Like most standards, the training requirements are non-prescriptive, giving organizations flexibility in implementation.

1. Under the HIPAA Security Rule, it is a requirement for a healthcare organization to have a security incident response plan and team to handle potential security incidents and breaches. Why is this a requirement?

1. The main goal of the HIPAA Security Rule is to protect the confidentiality, integrity and availability of electronic protected health information (EPHI).

1. Confidentiality is the “property that data or information is not made available or disclosed to unauthorized persons or processes.”
2. Integrity is the “property that data or information has not been altered or destroyed in an unauthorized manner.”
3. Availability is “the property that data or information is accessible and usable upon demand by an authorized person.”

1. True or False. It is a requirement for a healthcare organization to secure the transmission of ePHI through the public Internet.

1. False

...