CHC Study Q Healthcare Compliance Certification Questions

Question Answer
What is a Health Professional Shortage Area? Geographic areas that have been designated as primary medical care shortage areas where physicians who furnish medical care are entitled to a Medicare incentive payment
What is the Centers for Medicare and Medicaid Services (CMS)? HHS agency that establishes payment policies for providers, conducts research, and evaluates the quality of care provided to beneficiaries
What is a Carrier? An Ins. Co. that contracts with CMS to process Medicare Part B (Drs.) claims.
What is a Fiscal Intermediary (FI)? An Ins. Co. that contracts with CMS to process Medicare Part A (hospital, skilled nursing facility) claims
What is a CMS 1450 or a UB-04? Institutional providers (hospitals) use this paper form to bill Medicare, Medicaid, CHAMPUS and most private ins. cos.
What is a 1500 form? Non-institutional providers use this paper form to bill Medicare, Medicaid, CHAMPUS and most private ins. cos. for patient services.
What is Medicaid? State health ins. that helps people who cannot afford medical care and pays for some or all of their medical bills.
What is current procedural terminology or CPT? The American Medical Association (AMA) publishes and maintains this coding system
What is 837P? Electronic version of a claim for doctors/providers.
What is the International Classification of Disease, 10th Edition Clinical Modification (ICD-10-CM)? A statistical classification system that arranges diseases and injuries into groups according to established criteria, used to report healthcare diagnoses and procedures.
What is 837I? Electronic version of a claim for hospitals/facilities.
What is a modifier? A two-digit alphanumeric code used in conjunction with a CPT or HCPCS code that may increase or decrease reimbursement.
What is upcoding? Using a billing code that reflects a higher payment rate for a device or service than the actual cost; billing for a higher level of service.
What is the issue concerning services provided by Hosp. Outpatient Cardiac Rehab. locations? Regulation states physicians have to supervise patient treatment while treatment is being provided. "The physician has to be on site." Issue: Does the physician have to be physically present, or in the same location as the patient?
What is unbundling? When a claim is billed piecemeal (each item separately) to maximize reimbursement.
What is Advance Beneficiary Notice (ABN)? A written form provided to the patient (Medicare beneficiary) before services are provided informing them that there is no coverage for payment for services being provided.
What are duplicate claims? Billing the same claim twice to get more money.
What is the Medicare secondary payer questionnaire? It is used to identify the correct ins. co. that must pay the healthcare bill first when Medicare pays second. You ask the patient a list of questions to determine who is the primary and/or secondary payer.
What is Physicians at a Teaching Hospital (PATH)? Per regulations, physicians are required to be involved and oversee patient care along with residents at a teaching hospital.
What is the PPS transfer project? This is when a patient is transferred to another hospital and has not stayed a full average length of stay. The hospital that initially received the patient billed and got paid for services as a discharge to home instead of a discharge to another facility.
What is incident to billing? Services commonly furnished in a physician's office by a nurse practitioner under direct physician personal supervision, which are billed under the physician's provider number.
What are credit balances? A failure to refund; there are only 60 days to return the refund.
What is a 72 hour rule, three day window EXAMPLE? A patient went to the hospital; if within 3 days the patient returns to the hospital for the same care, all services provided at the initial visit roll into the inpatient charges at the hospital and are billed the same. If upon return to the hospital, the services given are
What is Focused Medical Review (FMR)? A term for the process Medicare contractors use to examine data and request supporting documentation for claims submitted to Medicare.
What is a Diagnosis-Related Group (DRG)? A statistical system classifying any inpatient stay into groups for the purposes of payment. It is how Medicare and health insurance companies categorize hospitalization cost and determine how much to pay for a hospital stay.
What does the Diagnosis-Related Group (DRG) system process? The DRG classification system divides possible diagnoses into more than 20 major body systems and subdivides them into about 500 groups. Medicare pays the hospital a fixed amount based on the DRG diagnosis.
What is the Healthcare Common Procedure Coding System (HCPCS)? An expanded version for coding. CMS contracts with the American Medical Association (AMA) to use Current Procedural Terminology (CPT) coding for the Medicare program using this expanded version.
What is the 72 hr. 3 day rule? It requires all diagnostic or outpatient services given during the DRG payment window (the day of, and 3 days prior to, inpatient admission) to be bundled with the inpatient services for Medicare billing.
What is DRG Creep? The practice of healthcare providers intentionally regrouping patients into more resource-intensive DRG classifications in order to increase hospital income. EXAMPLES: upgrading or upcoding.
What are the 3 key components of Evaluation & Management (E&M) Services? 1-History. 2- Examination. 3-Medical Decision Making.
What are the complexities of Medical Decision Making? Straightforward, low complexity, moderate complexity and high complexity. Based on the amount of testing the Dr. needs to provide for the patient; the higher the complexity, the higher the payment.
What is Medicare Part A? The part of Medicare that reimburses primarily for inpatient services provided by institutions such as hospitals and skilled nursing facilities.
What is an initial patient visit? All 3 key elements of Evaluation & Management Services (1-History. 2- Examination. 3-Medical Decision Making) must be met or exceeded to bill for same.
What is Medicare Part B? The part of the Medicare program that reimburses covered physician and supplier services
What are the types of History or Examination? Problem focused, expanded problem focused, detailed, and comprehensive.
What is Medicare Part C or Medicare Advantage? Formerly known as Medicare + Choice, Medicare Advantage, Managed Care. You must be eligible for Part A (hosp.) & have Part B (drs.).
What is an established patient visit? 2 of 3 key elements of Evaluation & Management Services (1-History. 2- Examination. 3-Medical Decision Making) must be met or exceeded in order to bill for same.
What is Medicare Part D? The part of Medicare that reimburses for outpatient prescription drugs.
What is the Code of Conduct? The commitment of a compliance program from not only management but employees & contractors. Reflects the ethical functionality of the organization and how it operates.
What does DRA stand for? Deficit Reduction Act
What does the Deficit Reduction Act oversee? Medicaid
What is HIPAA Need to Know? It is generally an educational process, based on staff's role in the company, that determines who is allowed to access PHI.
What are the Centers for Medicare and Medicaid Services? HHS agency that establishes payment for providers, conducts research and evaluates the quality of care provided to beneficiaries.
What is a business associate? An external company that provides individual services with access to PHI as part of the health care operations of a covered entity.
What are the requirements within a business associate agreement (BAA)? It must provide assurances that no disclosure of PHI will be done & privacy rules must be followed.
What must a business associate agreement (BAA) include? Agreements must define the function of the business associate, limitations of the use & disclosure of the PHI and what will happen to the PHI held by BA upon termination of agreement.
What does HITECH require business associates (BA)/subcontractors to do? To comply with the technical, administrative and physical safeguards required per the security rule, and be held accountable to HHS for criminal/civil penalties for violations of the privacy rule.
What is auditing? It is a formalized approach, the person doing the audit cannot have a vested interest in the outcome. An established approach for sampling.
What are components of Internal Controls? Controlled environment (tone at the top), risk assessment, control activities, information & communication, monitoring.
What is HIPAA preemption? It is a national regulation. If federal statutes override state law concerning an issue, the federal law must be followed.
What is the Health Insurance Portability and Accountability Act of 1996 (HIPAA)? The Final Rule became effective in 2013. It has two approaches: assign rights to individuals to provide control over their health information, and provide standards for all others to access, use and disclose health information.
What is monitoring? It is the day-to-day review: self reviews, internal, detective and ongoing.
What are four critical elements of learning? 1-Motivation. 2- Reinforcement. 3- Retention. 4-Transference.
What are types of Internal Controls? Preventive: stop risk from occurring (password). Detective: determine if you have an issue (investigations). Directive: put in place to avoid having it happen again (education, training, policies & procedures).
What is the physician sunshine act? Physicians have to disclose their relationships with pharmacies, labs, etc.
What is risk assessment? It is a thorough look at an organization to identify those things, situations and processes that may cause harm to the organization, resulting in noncompliance with regulatory requirements
What is common working file? Identifies population of CMS coverage
What are steps to a risk mitigation plan? Identify high risk areas, develop a mitigation plan, review the draft plan with management and issue the final mitigation plan
What are local coverage (for the region) & national (for the country) coverage determinations? The criteria used to pay claims, per Medicare and their administrative contractors, that provide coverage information to determine whether certain services offered by participating providers are reasonable and necessary.
What is RAT-Stats? The primary statistical audit tool used by HHS OIG Audit Services; it selects randomized samples and evaluates them
Management's responsibility as it pertains to risk can be handled by implementing controls/techniques, name four? 1-Avoid risk. 2- Transfer risk. 3- Accept risk. 4- Reduce or mitigate risk.
Under HIPAA what is a breach? An impermissible use or disclosure under the privacy rule that compromises the security/privacy of the PHI; the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected person.
What are some exceptions to a HIPAA breach? 1-De-identified information in which all HIPAA identifiers have been removed. 2- Disclosures where there is a good faith belief that the recipient of the information would not reasonably have been able to retain the information. 3-Unintentional acquisitions by staff. 4-Inadvertent disclosure.
To become a Medicaid Medicare biller, what must you do? Set-up conditions of participation
What is the compliance program designed to do? Mitigate risks
What impacts the compliance program infrastructure? Size, financial resources, scope of the compliance program
What is a controlled self assessment? It is an assessment that involves staff in the process, uses line staff, places soft controls, takes a team approach, has manager involvement, and has employee buy-in.
What are the benefits of a controlled self assessment? It increases the scope, there is targeted audit work, it frees internal audit resources, it increases awareness and motivates staff.
How do you prepare for a Risk Assessment audit plan? Identify the audit areas, classify audits into: 1-Operational. 2- Financial. 3- Compliance. 4-Performance; and identify the audit type.
When conducting a Risk Assessment (RA) Audit and team selection, items to consider are? 1-What are the team members' skills/experience. 2-Their knowledge of the risk areas. 3-Why are they being selected. 4-What is the RA process. 5-What RA tool will be used. 6-Rules and expectations.
What is a Medicare Administrative Contractor (MAC)? Contractor for Part A (hosp.) and Part B (drs)
What is the first thing one should consider when doing an effective compliance program? Identify and focus compliance efforts on those areas of potential risk and concern relevant to one's company.
The formal commitment to a compliance program by the company's governing body and senior management is called what? An effective compliance program
Name a few of what a successful compliance program entails? A well-defined mission and code of conduct, a well-organized department, and enough resources, both staff and budget, to support a compliance program.
What is the identification, measurement and prioritization of relevant events that may have a material consequence on the organization to achieve its objectives? A risk assessment, it is having the right control in place to provide quality care.
A process effected by an entity's BOD, management & other personnel designed to provide reasonable assurance regarding the achievement of objectives is called? Internal controls
What are objectives of internal controls? 1-Reliability and integrity of information. 2-Compliance with policies, plans, procedures, laws, regulations, contracts. 3-Safeguard assets. 4-Economical and efficient use of resources. 5-Accomplishment of objectives and goals.
What are types of internal controls? 1-Preventive
What is the benefit of a risk assessment per U.S. Sentencing Guidelines? Companies periodically assess the risk of criminal conduct to determine the nature, likelihood of re-occurrence and history.
What is the benefit of a risk assessment per OIG? It is incumbent on corporate officers and managers to ensure systems are in place to facilitate ethical and legal conduct.
Within compliance RA, what is management's responsibility? To identify risks and implement controls: avoid risk, transfer risk, accept risk and reduce or mitigate risk.
How do you manage compliance risk? By identification, assessment and prioritization of issues to reduce possible re-occurrence
What are the steps for conducting a Risk Assessment? 1-Risk Identification. 2- Risk ranking. 3- Risk Prioritization. 4- Control evaluation. 5- Work mitigation and plans
How do you identify risk within the company? Staff interviews; document reviews (OIG work plan, fraud alerts, previous audits); employee surveys
What must you do when there is a billing overpayment? The company has 60 days to return any monies for a billing overpayment.
What is the process once a billing overpayment is identified? Provide notice of the overpayment to the State, letting them know a billing overpayment was identified and that you are quantifying the amount of the overpayment.
What are the steps for a risk mitigation plan? Identify the top high risk areas, develop a risk plan, discuss the draft plan with management and issue the final plan for implementation.
What does effective auditing and monitoring consist of? It has to be applicable to business risks/strategic risk areas, needs to be understood by subject matter experts, focuses on the risk areas, and requires clear ownership of corrective action and monitoring following audits.
What are steps in an auditing and monitoring plan? Conduct a risk assessment, prioritize the risks, identify resources, obtain buy-in, document a process for developing the plan, evaluate against assessed goals, finalize the auditing and monitoring plan
What are the two types of audit sampling categories? Statistical and Non-Statistical
What is statistical audit sampling? Used for precision; the issue could be a computer system issue, overpayment for large populations, etc.
What is non-statistical audit sampling? Used when the potential issue is isolated to one department, person, etc.
What is a prospective audit? Audits conducted prior to claim submission
What is a concurrent audit? Audits conducted any time up to the final submission, in real time (at the same time as claim submission)
What is a retrospective audit? An audit conducted for a milestone period, going back to the system (after claim submission); you know the sample unit from your system.
What are steps to an audit process? Planning, scope of audit, notification, introduction meeting, internal controls/testing, fieldwork, findings/recommendations, management responses, follow up on corrective action plan, lessons learned.
What is the process usually done by management to ensure processes are working as intended? Monitoring
How often should the BOD review reports on the status of the compliance program? At least annually
What is the term for a company's commitment to compliance by all staff and contractors that summarizes the ethical behavior and legal principles under which the company operates? Code of Conduct
True or False, the OIG voluntary guidance helps to enhance the internal controls of the co.? True
When there is poor distribution beyond the compliance officer, what happens to the company? Compliance program implementation lags, which means you do not have an effective compliance program
How does a co. mitigate risk? Internal Controls
What is the first thing one should do when considering an effective compliance program? Risk Assessment, focused on the company's risks.
Name some examples of uses & disclosure of PHI for other purposes aside from treatment, payments and operations (TPO)? Public health issues, health oversight, law enforcement, averting a serious threat, research, worker's compensation, organ/tissue donation and decedent's information
What is De-identification as it pertains to PHI? Removal of any identifiers for the individual, relatives, employers or household members.
What are some identified high risk fraud issues? 1-Sudden changes in billing. 2-Spike billing. 3-Billing by inappropriate specialties or diagnosis. 4-Geographic changes in billing. 5-Increased patient complaints. 6-Billing for deceased patients. 7-Billing for Part B (drs.) instead of Part A (hosp.) 8-High comp
What is a limited data set (LDS)? Smaller, pared down information necessary to do a function (minimum necessary). Applies to areas such as Public Health, Research, Healthcare Operations.
A Co. may disclose PHI with applicable laws & standards if…? There is a good faith belief the disclosure is to avert a serious & imminent threat to public and/or individual.
What are two examples of all use and disclosure of PHI that are not explicitly required or allowed under the regulation but may ONLY be done w/an authorization? Marketing & fundraising
Under HIPAA what are uses and disclosures that provide an opportunity to object? Facility directory; family, friends, others involved in the patient's care or payment; notifications (ex. natural disasters)
What information can a patient not get access to in a designated record set (DRS)? Mental health, psychotherapy, litigation and CLIA (lab)
What is willful neglect? Conscious, intentional failure or reckless indifference to the obligation to comply with a law.
What is reasonable diligence? The business care a reasonable person would exercise when seeking to satisfy a legal requirement under the law.
What are some key staff buy-in techniques? Motivation, participation, cooperation and education
In order to build trust, what should a compliance professional do? Communicate good and bad news, honor confidentiality, allow frustrations and keep your commitments
What are some challenges in training physicians? Peer to peer instruction, time commitments, hesitance to open dialogue, what are the issues that differ from employees/staff
Why should compliance training be evaluated? To make sure it is correct & current. To make sure it is effective to identify areas of improvement. To determine if the training is repeatable
What are some of the levels for training evaluations? Action, learning, behavior and results.
If there is a problem with an employee and his manager and compliance was contacted, what is your next step? Direct them to HR & ask for a follow up report.
If there is a detection of wrong doing, what is the first step for the compliance professional? Contact legal counsel who can make the initial assessment of the risks involved.
What is the purpose of a baseline audit? It outlines the current operational state, identifies real and potential weaknesses and offers recommendations regarding necessary remedial actions
What is the next step once resources have been identified when implementing an auditing and monitoring plan? Obtain buy-in
When reviewing compliance efforts, what is the first thing to be done? Review the OIG guidance, see if the risk areas are listed in it, and make sure these risks are addressed in the company.
Once a compliance program is established, what is the first thing that a co. should do? Conduct a Risk Assessment (RA)
When physicians are billing for services that are performed by residents, what is this called? Physicians at a teaching hospital (PATH)
One of the processes for risk identification is document review, name some of the documents that should be considered for review? OIG workplan, fraud alerts, management input, prior audits
What is the identification, measurement and prioritization of relevant events that may have a material consequence on the organization's ability to achieve its objectives? Risk assessment; it is having the right controls in place to provide quality care.
What provided the groundwork for compliance development? Federal Sentencing Guidelines.
Who can bring suit under the False Claims Act? The attorney general, a whistleblower (Qui Tam) or a Relator (an individual who files alone)
What is the physician payment sunshine act? Drug and device manufacturers must disclose to the government on a quarterly basis anything of value provided to physicians. Applies to companies with annual gross revenue of greater than 100 million.
What is the difference between HIPAA privacy & security? Privacy covers all forms of PHI whereas security only covers ePHI.
How is breach notification under the American Recovery and Reinvestment Act (ARRA) described? When and how you notify OCR when a PHI breach has occurred.
What are the 7 elements of a compliance program? 1-Written policies and procedures/standards of conduct. 2- Compliance officer & compliance committee. 3- Education and training. 4-Auditing and monitoring. 5- Reporting processes for issues. 6- Enforcement & disciplinary processes. 7- Investigation and reme
What is anti-trust? Price fixing
What is EMTALA? Emergency Medical Treatment and Active Labor Act
What is a key factor in planning for auditing and monitoring? Scalability: you cannot complete a work plan if you do not have enough resources to implement the plan by the end of the year.
What are two objectives of the BOD? To follow a decision-making function and apply duty of care. This applies to the level of care that a prudent person would exercise, like asking questions and understanding what is going on.
What are the primary focus areas of the BOD as it pertains to compliance? Structural: understanding the scope of the compliance program. Operational: understanding the operations of the compliance program.
What is administrative simplification? Standardizes electronic exchanges of clinical and administrative data. Used to improve security, safeguards confidentiality of private information & protects integrity of healthcare data.
PHI collected by an individual or received by a covered entity can be used & disclosed by these four areas? For TPO, public interest, when an individual is given the opportunity to object, with an authorization.
What are the ONLY two instances where a use/disclosure does not require an authorization? 1- To the patient. 2- To HHS for investigations
What is FERPA & is this allowed under HIPAA PHI use/disclosure? The Family Educational Rights and Privacy Act, which safeguards student educational records from uses and disclosure. PHI excludes individually identifiable health information covered by FERPA.
HIPAA consent & authorization have key differences, what are they? The privacy rule permits but does not require the covered entity voluntarily to obtain patient consent for uses & disclosures of PHI information for TPO. An Authorization is required for use & disclosure of PHI not otherwise allowed by the rule.
In billing, what are outliers? Payments used to pay for patients who are at the hospital for long periods of time.
In billing what is CMS allowable? The amount allowed for billing reimbursement
What is 3rd party carrier? Whoever the government contracts to process claims on behalf of the beneficiary.
In billing, what is electronic data interchange? Standards to follow to process the claim electronically
In billing, what is common working file? The patient's file with all the information
In billing, what is return to provider (RTP) report? For hospitals only, telling the hospital something is wrong with the claim and it needs to be fixed
In billing, what is a participating provider or supplier? One who accepts payment in full.
In billing what is assignment? Once the payment is accepted in full, you accept the assignment.
In billing, what is reassignment of a provider #? When a provider has changed a position.
What is certificate of medical necessity? Certifying medical services are medically necessary.
What is coordination of benefits? The order in which benefits will be paid.
What is a medical code editor? A software system that tells you something is wrong with the claim.
In billing, what is grouper? Takes information about the claim and tells you what Diagnosis Related Group you can bill under.
In billing, what is pricer? Tells you how much you will get paid.
In billing, what is remittance advice? When you get paid, it tells you everything about the payment.
In billing, what is focused medical review? It is when it is determined whether the medical documents support the claim.
What are conditions of participation (CoPs)? CMS standards
What is a claims investigation notice? A 23 notice regarding a billing claim that is being investigated. You will still get paid until the CoP is determined.
Why was Health Information Technology for Economic & Clinical Health (HITECH) Act established? In order to promote standardization of electronic health records
What does HIPAA govern? The use & disclosure of PHI by covered entities directly & their business associates indirectly. If the co. does not fit the definition of the covered entity, the regulation does not apply.
What kind of PHI can a patient obtain? Records included and part of a designated record set (records used to make decisions about the patient) with exclusions per applicable regulation.
What is a designated record set? It includes medical billing records, payments, claims adjudication and medical management record system, with exclusions as per applicable regulation.
Can an individual be denied access to PHI? The provider can deny access to PHI in situations such as when access could cause harm to the individual or others.
What is the HIPAA general rule? A covered entity may not use or disclose protected health information except as permitted or required.
What are covered entities? Health Plan, Providers or Clearing Houses (process claims for providers)
Under HIPAA what is USE? Internal (within the entity): with respect to individually identifiable PHI, use within the entity that maintains the information.
Under HIPAA what is disclosure? External (outside of the entity): release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the PHI.
What is Protected Health Information (PHI)? Health information collected from an individual, created or received by a covered entity, that relates to past, present or future health conditions, services provided & payments, which can identify or be used to identify the individual, and is maintained in any form.
Under HIPAA, what is de-identification of PHI? When all identifiers (there are 18) listed within the regulation are removed.
Under HIPAA, is de-identified information PHI and protected per the regulation? No
Under HIPAA, what is a limited data set? It is health information that excludes certain direct identifiers (there are 16) that are removed from the PHI. This information can be shared under a data use agreement.
What kind of PHI is excluded from a designated record set? Psychotherapy medical records, information compiled for legal proceedings, lab results subject to CLIA, i.e. information held by certain research labs.
Why was HIPAA passed in 1996? To reduce costs of healthcare.
Why was the Health Information Technology for Economic and Clinical Health (HITECH) Act passed in 2009? Because of the implementation of the electronic medical record.
Under HIPAA covered entities are? 1- health plans 2-health care clearinghouses 3- health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
Under HIPAA, what are a person's Rights Under The Privacy Rule? Right to access, get a copy, amend, get an accounting of disclosures, get a Notice of Privacy Practices, have communications done in a confidential manner, request restrictions on uses/disclosures, and file a complaint
What is a Notice of Privacy Practices? Describes how a co. will use and disclose PHI. Explains what the company’s obligations are under HIPAA, patient’s rights and whom to contact concerning a complaint or questions.
When must a Notice of Privacy Practices be given to the patient? The notice must be provided to the patient at the first episode of care.
If the patient's first episode of care is given over the telephone, when must the Notice of Privacy Practices be given? The notice of privacy practices must be mailed to the patient within 24 hours.
What are examples of restricted PHI? Psychotherapy notes; information for litigation; information prohibited by CLIA (1988); correctional institution records if access will put the patient at risk; research study records if previously agreed to; records from a source other than a health care provider, if access would put the patient at risk
If access to PHI is denied, what process must be followed? An appeal process must be provided and a third party individual (licensed health care professional) not involved must review the decision.
If PHI is maintained electronically, how must it be produced? Per HITECH regulations, it must be produced electronically unless requested in another format.
What is the regulation when an amendment to PHI is requested? The company can amend the records per their policies & procedures, but the company does have the right to reject the request for amendment. If the company amends the patient's records, the amendment cannot completely eliminate the information from the record.
What are some reasons a company can reject a request for amendment to PHI? The information in the records was not generated by the company. The request for amendment is for information not part of the designated record set and/or the patient does not have access to same
A patient can request a restriction on use and disclosure of PHI when used for? Treatment, payment, healthcare operations; disclosure to a family member, friend, or other person involved in the patient's care
Does a company have to comply with the patient's request to restrict use and disclosure of PHI? No, with one exception per HITECH, which requires health care providers not to disclose health information to health plans in cases where the patient and/or another individual pays for all health services in full.
What is the time period for a patient's Right to Request an Accounting of Disclosures? The covered entity is required to provide this information for a period of up to six years, but not for disclosures done for TPO, in a limited data set, made with the patient's authorization, per national security, for records prior to 4/03, or if the patient objected.
What must an accounting of disclosure include? Who received the information
The date the disclosure was made
A brief description of the information
A brief statement of purpose
What is the primary use of PHI? For treatment, payment of health care, and health care operations
Per the Privacy regulations, does the covered entity have to disclose PHI without an authorization for the public interest? No, but it is permitted without an authorization.
What are examples of disclosure of PHI without an authorization for the public interest? Public health activities; reporting victims of abuse, neglect or domestic violence; reporting for health oversight activities; judicial proceedings; law enforcement; informing medical examiners and funeral directors; organ donation; research purposes; averting a serious threat to health or
When can PHI be used or disclosed without the patient's permission and with no objection? There are 3 opportunities once the patient has been given the chance to OBJECT: 1-Facility directory. 2-A disclosure to family or friends involved in the patient's care or payment for care. 3-A disclosure made for purposes of disaster relief.
Does HIPAA permit use and disclosure of limited PHI without authorization for fundraising? Yes, but only demographic information as follows: name, address, contact information, insurance status and date of care. For additional PHI an authorization is required.
Does a patient have a right to opt out of all fundraising communications? Yes. HITECH implemented a patient's right to an easy and inexpensive (no more than a stamp) way to opt out of all fundraising communications, and the patient's response is not conditioned on treatment or payment for health services.
Does HIPAA require an authorization for use and disclosure of PHI for marketing? Yes, and the company has to tell the patient if it is being paid for said information.
Under HIPAA, what information is not considered marketing? Information given to an individual about a particular benefit or service that is part of the patient's health plan; information related to treatment; information about alternative treatments, therapies, health care providers, or settings of care.
Under HIPAA, what is minimum necessary PHI? It identifies the amount of PHI that can be used or disclosed in a particular circumstance. Any time a covered entity makes a use or disclosure of PHI, an evaluation for minimum necessary is required.
Under HIPAA, what is role-based access? It means only allowing employees and others access to the information that is needed to perform their role in the organization.
Under HIPAA, what is need-to-know? This is an educational process. The ability to access PHI does not mean there is a need to know. For example: a doctor may have full access to the medical record system but should only access the medical records of his own patients.
When is PHI considered unusable/unreadable? When it is encrypted per NIST standards, when the PHI is de-identified, or when paper is shredded so that it cannot be reconstructed.
To have a reportable breach, what must there be? A privacy breach (unauthorized acquisition, access, use or disclosure of PHI) and unsecured PHI (PHI not secured via technology, etc.).
What is the presumption of a reportable breach? Unless there is a low probability of compromise of the privacy and security of the PHI, a risk assessment is required to make a determination.
What factors must be considered and assessed in the risk assessment for a presumed reportable breach? Content: what PHI was included. Person: to whom was the PHI disclosed? Access: was the PHI actually accessed? Mitigation: to what extent has the risk of harm been lessened?
When is a covered entity or business associate on notice of a breach? On the first day the breach is known, or when, with the exercise of reasonable diligence, it SHOULD HAVE KNOWN of the breach.
When does the covered entity or business associate have to provide notice of a breach? ASAP without unreasonable delay, and no later than 60 days after the breach was discovered.
Who must the covered entity or business associate notify and provide the notice of a breach to? The individual whose PHI was breached, or their next of kin or personal representative.
Do all breaches require written notification to the individuals? Yes, by first-class mail to the last known address.
What must a breach notification include? A description of the event; the date of the breach and the date of discovery; a description of the PHI involved; steps the individual can take; a description of what the company is doing to investigate the breach, mitigate harm and protect against further breaches; contact information for asking questions, including a toll-free number, email address, and website or postal address.
If there is a breach of 500 or MORE, what is required? Report immediately to HHS online via the OCR website. The patients must be notified immediately, or no later than 60 days after the breach occurred. Media outlets (radio, television) must also be notified, with the same information provided to the patients.
If there is a breach of 500 or LESS, what is required? Report annually to HHS online via the OCR website within 60 days of the end of the year. If insufficient addresses are available or notices are returned, substitute notice must be provided immediately by phone, by email, by posting for 90 days on the home page of the company website, or via major print or broadcast media in the geographic area where the individual lives.
When a patient requests a copy of their PHI, how long does the company have to comply? The records must be produced within 30 days of the request or sooner.
What is the HIPAA civil monetary penalty cap for a calendar year, per violation (event, instance, patient)? $1,500,000.
What are some factors to consider regarding the calculation of HIPAA violations and civil monetary penalties? How well you can negotiate, what the circumstances of the violation were, whether you cooperated with OCR, how fast you fixed the problem and what was done.
What is the HIPAA civil monetary penalty PER violation involving reasonable cause but no willful neglect? $1,000 – $50,000.
What is the HIPAA civil monetary penalty PER violation involving willful neglect where the problem was fixed within 30 days of discovery? $10,000 – $50,000.
What is the HIPAA civil monetary penalty PER violation involving willful neglect where the problem was NOT fixed within 30 days of discovery? $50,000 – $50,000.
What is the HIPAA civil monetary penalty PER violation not known by the entity? $100 – $50,000.
What is the Security Rule (HITECH)? It defines how to protect PHI in electronic form.
How many safeguards does the Security Rule have? Three: Administrative, Physical and Technical (broken down into 18 standards)
Within the three Security Rule safeguards, how many standards does the Security Rule have? 18 (broken down into 42 implementation specifications)
What are examples of the security Administrative standards? They provide oversight, risk assessment, and password management.
What are examples of the security Physical standards? The physical surroundings of the data.
What are examples of the security Technical standards? How you limit access to and protect the data.
How many security implementation specifications does the Security Rule have? 42 (20 are required and 22 are addressable)
How are the security implementation specifications divided? 20 are required and 22 are addressable.
If a security implementation specification is required, what must you do? You do not have a choice; you must implement the security specification.
If a security implementation specification is addressable, what are your options? You do not have to implement the specification, but you must document and outline the rationale as to why.
