HIPAA

Self-Study Examination

Instructions: After studying the text, answer the following true/false or multiple choice questions. Remember, there's only one answer to each question.

1. The Privacy Rule establishes a ______ of Federal privacy protections and rights for individuals.

a) floor
b) ceiling

2. Select the correct statement from below:

a) HIPAA rules supersede state laws providing additional protections to consumers.
b) State laws providing additional protections to consumers are not affected by the new rules.

3. When are the doctors, hospitals and other direct-care providers required to notify their patients of the privacy protections afforded by HIPAA?

a) no later than April 14, 2003
b) on the patient’s first visit following April 14, 2003
c) when the patient requests
d) when a new patient is admitted

4. The new privacy regulations do not apply to government-run hospitals or institutions.

a) true
b) false

5. In which instances do HIPAA regulations permit disclosure of patient health information?

a) sharing information with other health-care providers
b) under emergency circumstances
c) identification of the body of a deceased person
d) public health needs
e) all of the above

6. Misuse of personal health information in violation of the new privacy regulations could result in

a) civil penalties.
b) criminal penalties.
c) both

7. Which of the following is not a covered health plan under the Privacy Rule?

a) HMO
b) Medicare
c) Medicaid
d) workers’ compensation insurance

8. Which of the following is not a covered entity under HIPAA Privacy Rule?

a) Medicaid
b) county public health departments
c) Social Security Administration

9. The HIPAA Privacy Rule applies equally to government-operated health plans (Medicare, Medicaid) and government health-care providers (e.g., VA hospitals).

a) true
b) false

10. Which of the following is covered under HIPAA Privacy Rule?

a) long/short-term disability
b) workers’ compensation
c) automobile liability that includes coverage for medical payments
d) cafeteria plan

11. Which of the following health plans is a covered entity?

a) workers’ compensation insurance
b) employer-administered group health plan with less than 50 participants
c) long-term care insurer
d) government-funded community health center

12. The Privacy Rule permits a covered entity to disclose protected health information to an insurance company for the purpose of underwriting and risk rating.

a) true
b) false

13. Covered entities must obtain written permission from individuals to use and disclose their protected health information for treatment, payment, and health care operations.

a) true
b) false

14. Can a hospitalized patient’s religious affiliation be revealed to a member of the clergy under the new rules?

a) yes
b) no

15. A hospital would be at liberty to disclose to a priest names of all patients in its facility who belong to the Roman Catholic Church.

a) true
b) false

16. A hospital would be at liberty to disclose to a priest names of all patients in its facility who belong to the Roman Catholic Church.

a) Generally, individuals have the right to review and obtain a copy of their protected health information.
b) Individuals have the right to have covered entities amend their protected health information.
c) Individuals have the right to an accounting of the disclosures of their protected health information.
d) If an individual requests, a covered entity must restrict use or disclosure of protected health information.

17. Protected health information can be used and disclosed without an individual’s authorization in all of the following instances except

a) victim of domestic violence
b) court subpoena
c) generalized research
d) pre-employment physical test

18. Which of the following disclosures by a covered entity of protected health information is not permitted without authorization?

a) reporting to the CDC by a hospital of a communicable disease among its patients
b) reporting to a drug manufacturer of unexpected side effects of a drug
c) providing a drug manufacturer with a list of persons who prefer a different flavored cough syrup over the flavor of one currently available
d) reporting to the FDA failure of a certain hip replacement device among the hospital’s orthopedic patients

19. Blue Cross sends out a promotional brochure to its over-65 members offering additional health coverage at an increased premium. Does this communication require prior written authorization from the members?

a) yes
b) no

20. Say, a visitor to a hospital overhears two physicians conferring about the tests to be performed on a patient. In and of itself, would this be a violation of the HIPAA Privacy Rule?

a) yes
b) no

21. Does the HIPAA Privacy Rule require hospitals and doctors’ offices to be retrofitted, to provide private rooms, and soundproof walls to avoid any possibility that a conversation is overheard?

a) yes
b) no

22. Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record?

a) yes
b) no

23. Does the HIPAA Privacy Rule’s minimum necessary requirements prohibit medical residents, medical students, nursing students, and other medical trainees from accessing patient medical information in the course of their training?

a) yes
b) no

24. One covered entity makes a request of another covered entity that certain minimum protected information is needed. Would the requested entity be justified in relying upon this statement in making the disclosure?

a) yes
b) no

25. Does the HIPAA Privacy Rule require a business associate to provide individuals with access to their protected health information or an accounting of disclosures, or an opportunity to amend protected health information?

a) yes
b) no

26. Janitorial services that clean the offices of a covered entity and may come across protected health information in the course of their work are required to have business associate contracts.

a) true
b) false

27. Which of the following situations requires a business associate contract?

a) between a physician and a health plan network
b) between two health care providers treating the same patient
c) between a hospital and a teaching physician
d) between a hospital and a software vendor selling standard programs

28. Which of the following entities providing services to a covered entity is considered a “business associate” under the HIPAA Privacy Rule?

a) U.S. Postal Service
b) group health plan and an HMO
c) photocopy machine repairmen
d) medical transcription service

29. Is a covered entity liable for, or required to monitor, the actions of its business associates?

a) yes
b) no

30. Can the Secretary impose civil monetary penalties on a business associate for breach of its business associate contract with a covered entity?

a) yes
b) no

31. Is a business associate contract required for a covered entity to disclose protected health information to a researcher?

a) yes
b) no

32. Is JCAHO a business associate of the hospitals it accredits?

a) yes
b) no

33. Under the HIPAA Privacy Rule, who is responsible for providing individuals with access to their protected health information?

a) covered entities
b) business associates
c) both

34. Which of the following is not a business associate of a covered entity under the Privacy Rule?

a) CPA with access to patients’ treatment and billing information
b) independent medical transcriptionist that provides services to a physician
c) consultant that performs utilization reviews for a hospital
d) employee of the covered entity

35. A CPA who only provides accounting and tax information to a physician’s office is a business associate of the physician.

a) true
b) false

36. A business consultant that analyses a dentist’s operations and advises on maximizing the fees for certain procedures is a business associate of the dentist.

a) true
b) false

37. In which of the following situations is a business associate contract required?

a) credit card processor
b) entity that transmits protected health information electronically for the covered entity
c) health care clearinghouse
d) researcher

38. In which of the following instances does the Privacy Rule permit the use and disclosure of protected health information?

a) health plan using protected health information to provide customer service to its enrollees
b) primary treating physician sending patient’s medical record to a specialist
c) hospital sending patient’s discharge instructions to a nursing home
d) hospital sharing patient’s payment information with the ambulance service for billing
e) all of the above

39. Which of the following examples constitutes marketing under the Privacy Rule?

a) hospital using its patient list to announce the acquisition of new MRI equipment
b) hospital informing its patients about a cardiac facility that is not part of the hospital
c) health plan sending a mailing to its subscribers offering a Medicare supplemental plan for an additional premium
d) all of the above

40. Which of the following communications is considered marketing under the Privacy Rule?

a) pharmacy mailing prescription refill reminders to its customers
b) optometrist sending letters to his or her patients reminding them to make appointments for an annual eye exam
c) hospital social worker sharing patient information with various nursing homes in preparation of a transfer to a nursing home
d) none of the above

41. Which of the following is an example of marketing under the Privacy Rule?

a) health insurer promoting a home and casualty insurance product by the same company to its enrollees
b) health insurer offering lower premiums through higher deductibles to its plan members
c) both of the above
d) none of the above

42. In which of the following instances must prior authorization be obtained from an individual before marketing a product or service?

a) physician giving out samples of prescribed medicine to a patient
b) hospital giving out discount coupons for diapers to new mothers
c) insurance agent selling a health insurance policy to a customer in his home and then proceeding to sell a life insurance policy as well
d) none of the above

43. Which of the following activities is not permitted under the Privacy Rule without a prior authorization from the patient?

a) ophthalmologist sending to his patients discount coupons for an eye exam
b) hospital recruiting customers for its weight-loss clinic from its patient base
c) pharmacist selling a list of patients to a pharmaceutical company, for the pharmaceutical company to market its own products
d) physician giving out free drug samples to his patients

44. A physician wants to send out to his patients information about a new drug to treat hypertension. Under which circumstances would this activity be classified as marketing under the Privacy Rule?

a) sending information to all the patients whether they sought treatment for hypertension or not
b) sending information only to those patients who sought treatment for hypertension
c) the activity is not marketing under either of these circumstances

45. Which of the following instances would require prior authorization before a covered entity may disclose protected health information?

a) reporting the HIV status of a patient to the state health agency
b) reporting births to the county recorder’s office
c) reporting salmonella poisoning cases to the CDC
d) none of the above

46. A covered health care provider provides health care services to the workforce of an employer. In which of the following instances may the health care provider disclose an individual’s protected health information to the employer without the individual’s authorization?

a) work-related injury
b) HIV status of the worker
c) signs of domestic abuse
d) all of the above

47. Can a health care provider report suspected child abuse or neglect to public health authorities without running afoul of the HIPAA Privacy Rule?

a) yes
b) no

48. Hospitals can disclose a patient’s religious affiliation (as long as the patient has not objected) to

a) members of the clergy.
b) anyone who asks for the patient by name.
c) both of the above

49. Under the Privacy Rule, which information about a patient is a hospital permitted to include in its directory?

a) patient’s name
b) location in the facility
c) health condition in general terms
d) religious affiliation
e) all of the above

50. Can the phone number of a patient’s room be released as part of the facility directory?

a) yes
b) no

51. Which of the following disclosures are permissible under the HIPAA Privacy Rule?

a) doctor’s office sending reminders to patients’ homes about appointments
b) pharmacy calling the patient’s family to say that the prescription is ready
c) doctor contacting a pregnant patient’s husband to tell him that his wife is in labor
d) hospital informing callers about a patient’s location in the facility and patient’s general condition
e) all of the above

52. Covered entities may disclose protected health information to law enforcement if the information would identify or apprehend an escapee or violent criminal.

a) true
b) false

53. Under the HIPAA Privacy Rule, which of the following information may a covered entity disclose to law enforcement without a warrant or without the individual’s authorization?

a) DNA to identify a suspect
b) domestic violence or abuse
c) bioterrorism threat
d) all of the above

54. Under what circumstances may the HHS Office for Civil Rights obtain protected health information of an individual?

a) to investigate complaints that the Rule has been violated
b) the individual is the target of a fraud investigation
c) to gather statistical data
d) all of the above

55. Which of the following entities can receive disclosures of protected health information under the Privacy Rule?

a) workers’ compensation insurers
b) Social Security Administration
c) medical bill collection agencies
d) all of the above

56. Uses or disclosures of protected health information for marketing communications require

a) patient consent.
b) patient authorization.

57. The HIPAA Privacy Rule does not affect the laws concerning informed consent for treatment.

a) true
b) false

58. Consider this situation: A public health authority is hired as a business associate by a covered entity to create a limited data set, and then the public health authority is also the intended recipient of the limited data set. Do these disclosures require an accounting?

a) yes
b) no

59. Which of the following entities are required to develop and distribute a privacy notice under the HIPAA Privacy Rule?

a) health care clearinghouses
b) correctional institutions
c) community hospitals
d) all of the above
e) none of the above

60. The Privacy Rule permits e-mailing of the privacy practices notice to individuals if individuals agree to receive an electronic notice.

a) true
b) false

61. A health plan must distribute its privacy practices notice to its current enrollees

a) in every written communication.
b) at least once every year.
c) at least once every three years.
d) whenever requested by an enrollee.
e) through its web site.

62. With respect to the notice of privacy practices, are health care providers required by the HIPAA Privacy Rule to post their

a) entire notice at their facility? or,
b) may they post just a brief description of the notice?

63. With respect to the notice of privacy practices required by the HIPAA Privacy Rule, select the correct statement from below:

a) Health care provider must give the notice to every patient no later than the date of first service delivery to the patient.
b) The privacy notice need not be given to individual patients as long as the notice is posted in the health care provider’s facility in a clear and prominent location where patients are likely to see it.
c) Business associates of covered entities must develop and distribute a separate notice of privacy practices.
d) All covered entities–health care providers with a direct treatment relationship with patients and health plans, such as Blue Cross–are required to make a good faith effort to obtain a written acknowledgment of receipt of the notice.
e) all of the above

64. Which of the following practices would be barred under the HIPAA Privacy Rule?

a) patients’ names displayed outside their hospital rooms
b) leaving patient medical charts outside of exam rooms
c) announcing patients’ names and other information over a facility’s PA system
d) leaving messages for patients at their homes, either on an answering machine or with a family member
e) none of the above

65. In which of the following instances must the covered entity treat the personal representative as the individual for all purposes under the Rule?

a) parent of a minor child
b) person with authority to act on behalf of a deceased individual, such as an executor of the estate
c) spouse of the individual
d) person with an individual’s limited health care power of attorney regarding only a specific treatment, such as the use of artificial life support
e) a and b

66. Say, the state law permits a teenager to obtain an abortion without the consent of her parents. Do the parents have a right of access to their daughter’s protected health information?

a) yes
b) no

67. Which of the following persons cannot have access to protected health information of another individual?

a) parents of a minor child
b) person with a general power of attorney
c) personal representative of an adult or emancipated minor
d) family members of a deceased individual to determine if they have a proclivity for a genetic disease

68. Can the family members of a deceased individual obtain the deceased individual’s protected health information that may help them in their own health care?

a) true
b) false

69. Does an individual have a right under the HIPAA Privacy Rule to restrict the protected health information his or her health care provider discloses for workers’ compensation purposes?

a) yes
b) no

70. If an individual believes that his privacy rights have been violated, who should he complain to?

a) covered entity
b) Office for Civil Rights (OCR)
c) both

71. What is the time limit within which a complaint about privacy violation against a covered entity should be filed with the Office for Civil Rights?

a) 30 days
b) 90 days
c) 180 days
d) one year

72. What is the primary purpose behind the Administrative Simplification?

a) protecting individuals’ health information
b) requiring electronic transmission of any health information
c) requiring that certain standards be followed anytime the transactions are conducted electronically

73. HIPAA requires the use of a “unique identifier” for all of the following except:

a) patients
b) health care providers
c) health plans
d) employers

74. A health care provider does not itself electronically transmit health information in connection with certain transactions, but uses a third-party billing service to do so on its behalf. Is this provider a covered entity under the HIPAA Privacy Rule?

a) yes
b) no

75. Who is required to file Medicare claims electronically?

a) all covered entities
b) all covered entities with 10 or more full-time employees (including physicians)

76. The Privacy Rule protects individually identifiable health information only if the covered entity transmits it electronically.

a) true
b) false

77. A provider conducts no transactions electronically for which the Secretary of Health and Human Services has adopted a standard. Instead, the provider sends paper claims directly to a health plan, and the health plan transforms the paper claims into electronic format in order to process and pay the claim. In this situation, is the provider a covered entity under HIPAA?

a) yes
b) no

78. The provisions of HIPAA apply to a health care provider that conducts certain transactions in electronic form. Which of the following is not an electronic transaction?

a) using a computer hard drive
b) Internet
c) private networks
d) telephone