Health Information Compliance Alert

Make sure your staff know the essentials to avoid a violation.

Even though you may think that you’ve got HIPAA wrapped up, compliance is something that should be part of your daily operations; moreover, your should revisit protocols frequently to ensure the entire staff is up-to-date and onboard.>

Here’s why: A significant HIPAA slip-up can open your practice up to dozens of violations, wreaking both fiscal and personal havoc on your business. And beyond the damage to your finances and reputation, a breach can also put your patients in harm’s way, exposing their protected health information (PHI).>

Front-desk staffers and seasoned clinicians alike need comprehensive HIPAA training. Consider adding these 10 questions to your next compliance training sessions:>

1. When do the HIPAA Privacy and Security Rules apply to PHI?>

     a. Only at work or in the office
​     b. Sometimes during discussions of patients with my co-workers or other clinicians
​     c. When I transfer data electronically via text
​     d. Every time it is used, accessed, disclosed, transmitted, stored, or filed, both in person and electronically>

2. What constitutes PHI or ePHI?>

​     a. A patient’s name on a prescription label
​     b. A patient’s email address
​     c. A Social Security number
​     d. All of the above>

3. What is a way that you can legally dispose of ePHI under HIPAA?>

​     a. Delete a file from the computer
​     b. Physically destroy the storage device
​     c. Sell the hardware to another IT firm
​     d. None of the above>

4. What is not an example of a technical safeguard under the HIPAA Security Rule?

​     a. Log and monitor network activity
​     b. Use mobile devices to assist patients
​     c. Utilize multi-factor authentication for passwords
​     d. Back up and secure data at a remote location>

5. How many years does the HIPAA Privacy Rule protect a patient’s PHI after he passes away?>

​     a. 10 years
​     b. 25 years
​     c. 50 years
​     d. 100 years>

6. A nurse leaves a laptop open and unlocked with an unattended patient while running for a medicine sample. What should be done first?>

​     a. Nothing, the patient is trustworthy and a long-time customer
​     b. Immediately do a network security check and run an audit trail report to determine if any PHI was inappropriately accessed
​     c. Chastise the nurse about HIPAA security
​     b. Alert the HHS Office for Civil Rights of a breach>

7. What is considered inappropriate access of patient’s PHI?>

​     a. Use information in order to treat a patient
​     b. Utilize PHI to bill for services provided to a patient
​     c. Review a friend’s files after seeing her in the waiting area
​     d. Employ PHI to carry out job responsibilities>

8. If a state’s privacy law is more “stringent” than HIPAA, which mandate is followed?>

​     a. HIPAA because federal rules always come first
​     b. The state’s law would preempt the HIPAA Privacy Rule
​     c. Neither>

9. If a breach impacts less than 500 individuals, the covered entity _____________________.>

​     a. Doesn’t have to notify anyone
​     b. Must notify the media
​     c. Must notify the HHS Secretary within 60 days
​     d. Must pay a fine immediately to the HHS Office for Civil Rights>

10. According to the HIPAA Security Rule, risk analysis and management include:>

​     a. Regular evaluations concerning the risks to ePHI
​     b. Adoption and implementation of safeguards to circumvent risks to ePHI
​     c. Appropriate updates that ensure the security measures are being met
​     d. All of the above>

Answers: 1) D; 2) D; 3) B 4) B; 5) C; 6) B; 7) C; 8) B; 9) C; 10) D. >