Hint: An EHR contingency plan is a safer bet than a generator in a natural disaster. HIPAA compliance is something that should be part of your daily operations and is now essential to the success of your practice. Ignoring both the privacy and security requirements could open you up to dozens of violations. Test your knowledge of HIPAA and compliance with the following ten questions based on information from past issues of Health Information Compliance Alert. 1. You head a very busy pediatric office, and your staff regularly use sign-in sheets to ensure they don’t forget a patient in the queue. To avoid a violation, they can: A. Limit information to name only on the sign-in sheet 2. Your practice decides to get rid of your outdated office hardware for new laptops. What do you do with the old computers? A. Throw them out back in the dumpster. 3. Mobile devices and laptops, particularly ones that physicians and staff use in the office and remotely to access ePHI, should always include: A. Encryption and multi-factor authentication that is updated frequently and outlined in an office HIPAAplan. 4. Business is booming, so you’ve decided to outsource your billing to ABC Billing, Inc.. Before you send them your claims, you should: A. Check the vendor’s background and how they’ve complied with HIPAA in the past. 5. Your new receptionist answers a call from an angry radiologist, insisting that she fax the files of five of your patients to his office immediately. When she asks the physician for his credentials, he screams at her outraged and hangs up. There is no follow-up call nor email from a radiology firm, which makes the call suspect and suggests: A. The radiologist will file a complaint against the receptionist. 6. A power outage due to a vicious thunderstorm knocks out the electricity and your CEHRT. Luckily, you are prepared with a HIPAA-secure contingency plan. Your protocol includes: A. Shelter for your patients. 7. Your IT monitoring systems annoy everyone in the office — so, you turn them off. When your IT director gets back from maternity leave, she reads through the reports and uncovers a breach. How could the violation have been prevented? A. Staff education on the HIPAA Privacy Rule. 8. Your practice manager opens an email from an affiliated hospital on Monday. On Tuesday, he comes in and is locked out of the system. What should he do? A. Log-in with another co-worker’s password and see if that works. 9. Your IT security uncovers that a former employee has been accessing and stealing patients’ data remotely. How did this likely happen? A. The networks weren’t configured right. 10. One of your nurses and the office’s physician assistant joked about a funny interaction with a patient on social media over the weekend. On Monday, you come into work, and there’s an angry message and email from the patient, who saw the post. There were no photos and the patient was not mentioned directly by name. What happens next? A. The nurse and physician assistant should be fired. Answer Key: 1. D 2. C 3. A 4. D 5. B 6. C 7. C 8. B 9. B 10. D.
B. Call out the patient by the name listed on the sign-in sheet only
C. Refrain from any mention of the reason for the visit
D. All of the above
B. Store them in the office storage room for back-up.
C. Extract the hard drives, strip and destroy the data, and dispose of the computers.
D. Give them to the IT officer for his home office.
B. A case to protect the device from breakage.
C. Quick-and-easy passwords the whole office knows to increase workflow.
D. Software that makes it easier to get to EHRs.
B. Ask for recommendations from other medical practices and follow up.
C. Institute a business associate agreement drawn up and organized by a lawyer who specializes in healthcare law.
D. All of the above.
B. The caller was a social engineer scamming the practice for PHI.
C. It was a wrong number.
D. None of the above.
B. A generator to bring the power back up.
C. An operations plan that allows your practice to run smoothly in the face of an EHR shut-down.
D. Food and water.
B. A business associate’s agreement.
C. Logging and monitoring the integrity of the systems and networks daily for unusual activity.
D. A risk assessment.
B. Alert the IT officer immediately that there’s a problem in case of a cyber attack.
C. Use another computer until the glitch goes away.
D. Shut down the computer and go to lunch early.
B. The compliance plan lacked a protocol for password changes after an employee leaves.
C. The system wasn’t backed up.
D. The staff didn’t understand how ePHI is lost.
B. The post should be removed, and an apology should be issued to the patient.
C. Your compliance team should investigate if a HIPAA violation occurred.
D. All of the above.