CHPC EXAM ACTUAL EXAM QUESTIONS AND CORRECT ANSWERS | ALREADY GRADED A+ | VERIFIED ANSWERS | LATEST VERSION 2024

Appropriate progressive discipline policies associated with a compliance program should be:
a. Defined by role
b. Enforced consistently
c. Applied to physicians
d. Reported to the government
CORRECT ANSWER: b. Enforced consistently

According to the Federal Sentencing Guidelines, which of the following factors could increase the punishment of an organization?
a. Obstruction of justice
b. Violation of a direct court order
c. Prior history of violations
d. All of the above
CORRECT ANSWER: d. All of the above

After an investigation, it was discovered that the organization's reputation is at stake. What should a compliance professional do next?
a. Report the findings to the board.
b. Contact legal counsel.
c. Advise the CEO and recommend next steps.
d. Self-disclose to the OIG.
CORRECT ANSWER: b. Contact legal counsel.

An organization identifies a potential issue when reviewing personal services and management contracts. Which of the following should the compliance professional consider in analyzing the issue?
a. Deficit Reduction Act (DRA)
b. Conditions of Participation (CoP)
c. IRS tax-exempt guidelines
d. Anti-Kickback Statute (AKS) safe harbors
CORRECT ANSWER: d. Anti-Kickback Statute (AKS) safe harbors

Before a government investigation occurs, what should be reviewed carefully?
a. Government investigator credentials.
b. The search warrant, to ensure only the identified documents are searched.
c. All of the above.
d. None of the above.
CORRECT ANSWER: b. The search warrant, to ensure only the identified documents are searched.
True or False: Obligations to the employing organization: during an investigation, it is important to keep all identities as discreet as possible, both to protect the person being investigated and to protect the reputation of the entity.
CORRECT ANSWER: True (to prevent any damage).

Organizations have the opportunity to reduce their culpability in accordance with the Federal Sentencing Guidelines by:
a. Establishing mandatory audits.
b. Effectively dealing with any offense after it has occurred.
c. Developing a code of conduct and educating senior management.
d. Voluntarily disclosing overpayments.
CORRECT ANSWER: b. Effectively dealing with any offense after it has occurred.

Attorney-Client Privilege (definition): Confidential communication between a client and his or her lawyer for the purpose of obtaining legal advice or securing legal services. The privilege protects the communication made by the client, not the underlying facts of the communication. For instance, a client provides an attorney with a host of facts when communicating, but the privilege does not protect those facts from disclosure; only the communications themselves are protected.

During attorney-client privilege considerations in a corporate compliance investigation, which of the following is a false statement?
a. The compliance officer should determine who should conduct the investigation.
b. When initially contacting counsel, clarify that the purpose is to seek counsel, and define the investigative strategy as appropriate (to whom the investigation results will be reported, internal reviews to be conducted, individuals to be interviewed, documents that should be subject to privilege, etc.).
c. Conduct the internal investigation with in-house counsel and avoid engaging outside counsel and other consultants, to ensure confidentiality.
CORRECT ANSWER: c. Conduct the internal investigation with in-house counsel and avoid engaging outside counsel and other consultants, to ensure confidentiality.
Note: The best way to ensure that communications exchanged during an internal investigation are protected by the attorney-client privilege is to use outside counsel as necessary, or other consultants who specialize in these matters.

A provider is in the middle of a dispute. Legal counsel writes two letters to this provider analyzing certain aspects of the dispute. The information contained in the letters is considered privileged. The provider accidentally hands these letters over to a third party not associated with the practice. As a result of handing the letters to the third party, the provider may have caused the attorney-client privilege to be what?
a. Directly waived
b. Inadvertently waived
c. Subject to the crime-fraud exception
d. Regulatorily waived
CORRECT ANSWER: b. Inadvertently waived
Explanation: Inadvertent waiver of the privilege may occur if appropriate steps are not taken to maintain the confidentiality of the information gathered during the investigation. Courts use three separate approaches to determine whether a disclosure results in an inadvertent waiver.

Res Ipsa Loquitur: the principle of law that allows the use of circumstantial evidence as proof. The Latin phrase means:
CORRECT ANSWER: "The thing speaks for itself."

A compliance professional discovers non-compliance with a regulation. Which of the following should the compliance professional do FIRST?
a. Implement disciplinary actions.
b. Conduct a baseline audit.
c. Include it in the annual work plan.
d. Develop risk-specific education.
CORRECT ANSWER: b. Conduct a baseline audit.

What is the period to report misconduct to the OIG?
CORRECT ANSWER: No more than 60 days after there is credible evidence of a violation related to payment. Under the False Claims Act, furnishing all known information within 30 days of first obtaining it (with full cooperation) can reduce the damages assessed.

True or False: If a serious allegation, one of a sensitive nature, arises, contact legal counsel to see if attorney-client privilege needs to be attached.
CORRECT ANSWER: True.

If there is a detection of wrongdoing, what is the second step for the compliance professional?
a. Contact legal counsel
b. Begin a thorough investigation
c. Contact the CEO
d. None of the above
CORRECT ANSWER: b. Begin a thorough investigation.

A compliance professional is trying to determine if attorney-client privilege should be requested. The compliance professional's policy should require attorney-client privilege to be established in which of the following situations?
a. A violation by an employee that occurred outside of the organization, and not within the roles and responsibilities this employee has to the organization.
b. Illegal or unethical business practices by the Chief Executive Officer or other executive management.
c. An overpayment from Medicare of $300,000 that was the result of a billing error.
CORRECT ANSWER: b. Illegal or unethical business practices by the Chief Executive Officer or other executive management.

Which of these steps should NOT be taken when assisting in a code of conduct violation investigation?
a. Follow the company policy to fairly discipline the involved parties.
b. Document and report your findings.
c. Treat every person involved with dignity and respect.
d. Limit your interviews to as few people as possible.
CORRECT ANSWER: d. Limit your interviews to as few people as possible.

If, during the course of an internal investigation, the compliance officer believes the integrity of the investigation might be compromised by the continued presence of workforce members who are the subject of the investigation, which action would you take in the best interest of the attorney-client privilege?
a. Conduct employee background checks.
b.
Ignore the OHRP letter since the bank was not created for research.
c. Inform OHRP that the bank follows the FDA requirements.
d. Provide OHRP with a summary of the findings and a Corrective Action Plan.
CORRECT ANSWER: d. Provide OHRP with a summary of the findings and a Corrective Action Plan.
Note: The HHS Office for Human Research Protections (OHRP) provides leadership in the protection of the rights, welfare, and wellbeing of human subjects involved in research conducted or supported by HHS.
Reference: https://www.hhs.gov/ohrp/index.html

Which of the following statements is true regarding attorney-client privilege?
a. It can be applied to employees, former employees, consultants, and public healthcare providers.
b. It applies to documents that were created prior to an investigation with an attorney.
c. It protects disclosures by a client to an attorney as well as the attorney's advice to the client.
d. It applies to the underlying facts of the communications.
CORRECT ANSWER: c. It protects disclosures by a client to an attorney as well as the attorney's advice to the client.
Explanation: Privilege is a two-way street. Both attorney and client communications are protected.

Privacy Rule (2000)
CORRECT ANSWER: The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.

Security Rule (2003)
CORRECT ANSWER: The HIPAA Security Rule establishes national standards to protect individuals' electronic protected health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. CIA: Confidentiality, Integrity, Availability.

Four factors of the breach risk assessment (used to determine whether PHI has been compromised)
CORRECT ANSWER:
1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
2. The unauthorized person who used the PHI or to whom the disclosure was made.
3. Whether the PHI was actually acquired or viewed.
4. The extent to which the risk to the PHI has been mitigated.

What does HIPAA apply to?
CORRECT ANSWER: Data at rest, in use, and in motion at specific types of organizations (covered entities) and, in part, at their business associates.

Safeguards to protect PHI
CORRECT ANSWER: Since no single safeguard is adequate, HIPAA defines three layered, overlapping types of safeguards to protect PHI:
- Administrative safeguards
- Physical safeguards
- Technical safeguards

Administrative Simplification Rule
CORRECT ANSWER:
- Electronic transaction standards: rules for electronic exchange (e.g., claims, eligibility, payments)
- Standard code sets (e.g., ICD-10, CPT)
- Unique identifiers: health plan (HPID), national provider (NPI), employer (EIN)

What is the purpose of HIPAA?
CORRECT ANSWER:
- Protect PHI from unauthorized use or disclosure
- Prevent fraud, waste, and abuse (via Administrative Simplification)
- Make health insurance portable (Title I, amending ERISA)
- Move health care onto a nationally standardized electronic billing platform
Reference: https://www.hhs.gov/hipaa/index.html

True or False: Regarding the Response and Prevention element, the following statement is appropriate. Response: requires resolution of issues through policies and procedures (P&Ps). Prevention: requires training people on how to conduct investigations.
CORRECT ANSWER: True. Remember, training/education is the most important line of defense for a compliance program, and the best strategy for prevention.

When considering self-disclosure, you should take the following steps:
a. Clarify the issue, ask legal counsel for guidance, and contact outside counsel.
b. Clarify and confirm that it is a potential fraud issue, consult with an attorney who has experience in these matters, and decide where to disclose as appropriate (CMS, OIG, U.S. Attorney, etc.).
c. Clarify the issue, contact the OIG, and consult outside legal counsel as appropriate.
CORRECT ANSWER: b. Clarify and confirm that it is a potential fraud issue, consult with an attorney who has experience in these matters, and decide where to disclose as appropriate (CMS, OIG, U.S. Attorney, etc.).

What are two incentives for self-disclosing misconduct to the OIG?
CORRECT ANSWER: 1. A lower settlement; and 2. No corporate integrity agreement (CIA), as long as the provider fully cooperates with the disclosure process.

What must a search warrant contain (as distinct from a subpoena)?
CORRECT ANSWER: SSS (signed, seized, searched): signed by a judge, the items to be seized, and the areas to be searched.

What are the watchwords for enforcing standards of conduct and P&Ps?
CORRECT ANSWER: Fair, equitable, consistent.

Who can bring suit under the False Claims Act?
CORRECT ANSWER: A qui tam plaintiff (the whistleblower, also called the relator) and the Attorney General (DOJ).

Whistleblowers can be eligible to receive __ to __% of the government's total award if the DOJ decides to intervene in the case.
CORRECT ANSWER: 15-25% (DOJ intervenes).

Whistleblowers can be eligible to receive __ to __% of the government's total award if the DOJ declines the case.
CORRECT ANSWER: 25-30% (DOJ declines).

Why is the Caremark International derivative litigation important in corporate compliance?
CORRECT ANSWER: The 1996 Delaware Court of Chancery decision approving the settlement in In re Caremark International Inc. Derivative Litigation established that corporate directors can breach their duty of oversight by failing to adequately supervise employees when they knew or should have known a violation of law was occurring. The organization entered into a five-year imposed CIA. The decision increased the significance of compliance programs and of the board's and directors' duty of oversight.

A private physician signed a clinical trial agreement with a drug company to receive funds from trial sponsors for research services that must be conducted at a hospital. The physician contacted the hospital and requested $25 per subject referred to the hospital. On which of the following should the physician be educated?
a. HIPAA
b. Stark Law
c. Sarbanes-Oxley Act
d. Medicare Modernization Act
CORRECT ANSWER: b. Stark Law

True or False: The Stark Law provides that no Medicare payment may be made for DHS referred by the physician, and the entity must refund all money collected for DHS referred by the physician.
CORRECT ANSWER: True. In other words, the Stark Law bans physicians from referring Medicare/Medicaid patients for designated health services (DHS) to an entity with which the physician (or an immediate family member) has a financial relationship, unless the referral is protected by an exception.

The U.S. courts have determined that the government has an obligation to monitor the public's money. The courts' view of the process with respect to statistical sampling when estimating an overpayment in a population of claims does NOT include:
a. The sample must be representative.
b. Contemporaneous and retrospective reviews are both required.
c. The government should provide documents on the sampling process.
d. The provider should be able to challenge the results.
CORRECT ANSWER: b. Contemporaneous and retrospective reviews are both required.
Explanation: The specific type of review is not listed as a requirement.
Enforcement and Discipline compliance program element: explain the difference between "enforcement" and "discipline."
CORRECT ANSWER: Enforcement: through standards of conduct (written P&Ps, including consequences for non-compliance). Discipline: use the chain of command (involve the manager/supervisor to discuss the problem with the employee and provide education or additional training), escalating to HR or a higher level (written warning, suspension, termination).

Regarding enforcement and discipline, the OIG suggests that a compliance program include a written policy statement setting forth __________ of disciplinary actions for failing to comply with standards, policies, and applicable laws and regulations. These could range from an oral warning to suspension, privilege revocation, termination, or financial penalties.
CORRECT ANSWER: degrees

When should legal counsel be involved during an internal investigation?
a. If the corporation may have to disclose inappropriate conduct and take remedial action.
b. If there is an inadvertent billing error.
c. If there is a question about the training program.

What is the difference between erroneous and fraudulent claims to federal healthcare programs?
CORRECT ANSWER: Fraudulent claims are intentionally or recklessly submitted to federal healthcare programs. Erroneous claims are innocent errors submitted unintentionally.

What responsibility do healthcare providers have to federal healthcare programs?
CORRECT ANSWER: Healthcare providers have a duty to reasonably ensure that the claims submitted to Medicare and other federal healthcare programs are true and accurate.

What are the steps for auditing and monitoring evaluations?
CORRECT ANSWER: Ensure that the standards and procedures are in fact current and accurate, and also whether the compliance program is working. The steps are a standards and procedures review and a claim submission audit.

What do you validate when reviewing policies and procedures?
CORRECT ANSWER: Validate that they are current and accurate. If standards and procedures are found to be ineffective or outdated, they should be updated to reflect changes in government regulations or in the compendiums generally relied upon by physicians and insurers, for example CPT and ICD-10 codes.

Who should be involved in a claim submission audit?
CORRECT ANSWER: The person in charge of billing and a medically trained person to audit the records.

What should a physician practice do if it is using another entity's compliance materials?
CORRECT ANSWER: Tailor the materials to the physician practice, starting with the following:
1. Develop written standards and procedures.
2. Update clinical forms.
3. Make sure they encourage clear and complete documentation of patient care.

What are the four basic risk areas developed by the OIG?
CORRECT ANSWER: 1. Coding and billing. 2. Reasonable and necessary services. 3. Documentation. 4. Improper inducements.

What are the biggest risks with coding and billing?
CORRECT ANSWER:
- Billing for services not rendered or not provided as claimed
- Submitting claims for equipment, medical supplies, and services that are not reasonable and necessary
- Double billing resulting in duplicate payments
- Billing for non-covered services as if covered
- Knowing misuse of provider identification numbers, which results in improper billing
- Unbundling (billing for each component of a service instead of billing the all-inclusive code)
- Failure to properly use coding modifiers
- Miscoding the level of service provided

What are some risks associated with physician documentation?
CORRECT ANSWER: 1. Documentation is not performed timely and accurately. 2. Documentation is not complete. 3. Documentation does not appropriately reflect the diagnosis and treatment plan.

Which federal entity is responsible for the administration and enforcement of compliance with the HIPAA Administrative Simplification Rule?
a. OIG
b. CMS
c. OCR
d. FTC
CORRECT ANSWER: b. CMS (Centers for Medicare & Medicaid Services)
Explanation: The Administrative Simplification provisions of HIPAA (1996) took health care from paper to electronic: electronic transactions, code sets, unique identifiers, and operating rules.

What does NIST stand for?
a. National Institute of Standards & Technology
b. National Incentives for Standards & Technology
c. National Institute of Security & Technology
d. National Institute of Security & Transactions
CORRECT ANSWER: a. National Institute of Standards & Technology. NIST addresses data at rest, data in motion, and data in use.

HITECH (Health Information Technology for Economic and Clinical Health) promoted and adopted what?
a. Meaningful Use program
b. Breach Notification Rule
c. a & b
d. None of these
CORRECT ANSWER: c. a & b. The HITECH Act, enacted in 2009 as part of the American Recovery and Reinvestment Act, promoted adoption of six components: 1. Meaningful Use program 2. Business associate HIPAA compliance 3. Breach Notification Rule 4. Willful neglect and auditing 5. HIPAA compliance updates 6. Access to electronic health records

CIAs are negotiated between the involved entity and which of the following agencies/departments?
a. CMS
b. DOJ
c. OCR
d. OIG
CORRECT ANSWER: d. OIG

If a covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity MAY provide what?
CORRECT ANSWER: A substitute notice by an alternative form of written notice, by telephone, or by other means.
If a covered entity (CE) has insufficient or out-of-date contact information for 10 or more individuals, the CE MUST provide substitute individual notice by:
a. Conspicuously posting the notice on the home page of the CE's website for at least 90 days.
b. Providing conspicuous notice in major print or broadcast media where the affected individuals likely reside.
c. Calling the local authorities or public health to put out a notice for 90 days.
d. a or b
CORRECT ANSWER: d. a or b. The notice must include a toll-free number that remains active for at least 90 days where individuals can learn whether their information was involved in the breach.

Individual notifications must be provided within what time frame?
a. Without unreasonable delay and no later than 60 days after discovery of the breach.
b. Without unreasonable delay and no later than 90 days after discovery of the breach.
c. Individual notifications are never required.
d. Within 60 days after the end of the calendar year in which the breach was discovered.
CORRECT ANSWER: a. Without unreasonable delay and no later than 60 days after discovery of the breach.

How many exceptions are there to the breach definition?
CORRECT ANSWER: 3. The three breach exceptions are:
1. Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA, if made in good faith and within the scope of authority, and the PHI is not further used or disclosed impermissibly.
2. Inadvertent disclosure of PHI by a person authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or within an OHCA in which the CE participates, and the PHI is not further used or disclosed impermissibly.
3. The CE or BA has a good-faith belief that the unauthorized person to whom the impermissible disclosure was made would not reasonably have been able to retain the information.

What 3 elements must exist to call something PHI?
CORRECT ANSWER:
1. Health information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to the individual, or payment for such care.
2. The information identifies the individual or could reasonably be used to identify the individual.
3. The information is maintained or transmitted in electronic or any other form or medium.
What 3 situations are Covered Entities able to provide an individual the opportunity to object prior to use/disclosure occurring? ------CORRECT ANSWER---------------1. Facility directory. 2. Family/friends involved in care. 3. Disaster Relief. What the 7 rights of patients under HIPAA? ------CORRECT ANSWER------- --------1. Access 2. Amend 3. Accounting of Disclosure 4. Notice of Privacy Practice 5. Communication choice 6. Compliant 7. Restrict Under what circumstances are minimum standards NOT required? ------ CORRECT ANSWER---------------1. With an authorization. 2. To a provider for treatment. 3. To the subject of the information. 4. To the secretary of DHHS. 5. As required by law. 6. As requires to comply with regulations. When can PHI be disclosed without an authorization? ------CORRECT ANSWER---------------1. For treatment, payment, operations (TPO) 2. When disclosure is required by law 3. When it is in the patient's or public's best interest 4. To another healthcare entity when a relationship exists between the other Covered Entity and the patient. PHI excludes what types of information? ------CORRECT ANSWER----------- ----1. Education records covered by FERPA. 2. Employment records. 3. Deceased individual over 50 years old. Covered entities and Business Associates are required to provide an accounting of disclosures up to _______ time frame? a. 7 years Privacy Rule has to do with what form of PHI? a. Electronic b. Paper c. Verbal d. All of the above. ------CORRECT ANSWER---------------d. All of the above What is the OIG's Fraud and Abuse hotline number? ------CORRECT ANSWER---------------1-800-HHS-TIPS The Code of Conduct must be provided to a new hire upon how many days of hire? a. 30 b. 60 c. 90 d. There is no guidance. ------CORRECT ANSWER---------------c. 90 days The 72 hour rule relates to that: a. Discharge planning b. Billing of diagnostic tests c. Patient's right to access d. None of the above ------CORRECT ANSWER---------------b. 
Diagnostic tests 72 hour rule stipulates that diagnostic test provided on an outpatient basis within 72 hours of an admission must be billing as part of the admission DRG Name two incentives for self-disclosing misconduct to OIG. ------CORRECT ANSWER---------------Lower settlement and no CIA as long as the provider fully cooperates with the disclosure process. What are the 3 steps to take when you discover a violation of the federal fraud and abuse laws: ------CORRECT ANSWER---------------1. Clarify and confirm potential fraud. 2. Consult with healthcare attorney. 3. Decide where to disclose the conduct. **This is the same for self-disclosures. What are 3 important reasons for proper documentation? ------CORRECT ANSWER---------------1. Protect program. 2. Protect patients. 3. Protect provider. Which Act relates to Information Blocking? a. False Claims Act b. Affordable Care Act c. 21st Century CURES Act d. None of the above ------CORRECT ANSWER---------------c. 21st Century CURES Act The Common Law relates to: a. Marketing b. Research c. Fundraising d. Security ------CORRECT ANSWER---------------b. Research The Common Law is a federal policy for the protection of human subjects in research. HITECH was adopted to have originations show evidence of ______ ______ standards. HITECH also established a federal ______ ______ ______. ------CORRECT ANSWER---------------Meaningful use; Breach Notification Rule Auditing and monitoring contribute to the effectiveness of a compliance program because of their ability to what? ------CORRECT ANSWER---------- -----Detect List according to sample size, from least to most, the 3 forms of audit. ------ CORRECT ANSWER---------------1. Probe 2. Discovery 3. Full statistical True or False: The safeguards in the Security Rule are grouped into 3 categories: Administrative, Physical, and Technical. Each standard includes implementation specifications. ------CORRECT ANSWER---------------False. 
There are several standards that do not include implementation specifications. True or False: Under the Security Regulations, standards that are addressable must be implemented as outlined in regulation. ------CORRECT ANSWER-------------- -False. Required standards must be implemented as outlined. Addressable standards allows a CE several options for implementation. What are the recommended record retention guidelines? ------CORRECT ANSWER---------------The length of time that a practice records are to be retained specified in the standards and procedures based on federal and state statute should be consulted, medical records if in the possession of practice need to be secured against loss destruction, unauthorized access, reproduction corruption or damage, standards and procedures can stipulate the disposition of the medical records in the event the practice is sold or closed. What is the importance of compliance training? ------CORRECT ANSWER-- -------------1) all employees will receive training on how to perform their jobs in compliance with standards and practices in any applicable regulations, 2) each employee will understand the compliance is a condition of continued employment 3) compliance training focuses on explaining why the practice is developing a compliance program What is the purpose of HIPAA? ------CORRECT ANSWER---------------- Protect PHI from unauthorized disclosure/use - Prevent fraud, waste, and abuse (via Administrative Simplification) - Make health insurance portable under ERISA - Move healthcare onto a nationally standardized electronic billing platform HIPAA resides in which CFR section? ------CORRECT ANSWER-------------- -45 CFR sections 164.102 through 164.534 Reference: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter- C/part-164 What are the subparts of HIPAA part 164? ------CORRECT ANSWER-------- -------HIPAA - 45 CFR 164, subparts: A. General Rules C. Security D. Breach notification E. 
Privacy How do you determine if an organization is a "Covered Entity"? ------ CORRECT ANSWER---------------1. Compare if the organization meets one of the 3 types of CE (provider, health plan, clearinghouse); and 2. Determine if the organization electronically transmits one of the 9 defined transactions: - Health claims or equivalent encounter information - Health claims attachments - Enrollment and disenrollment in a health plan - Eligibility for a health plan - Health care payment and remittance advice - Health plan premium payments - First report of injury - Health claim status - Referral certification and authorization In addition, business associates of covered entities must follow parts of the HIPAA regulations. Reference: https://www.hhs.gov/hipaa/for-individuals/guidance-materials- for-consumers/index.html This Act established in 1974 was created for government agencies placing restrictions on how the government can share the information maintained in Federal systems of records that might infringe on an individual's privacy rights with other individuals and agencies. ------CORRECT ANSWER--------- ------The Privacy Act of 1974 Which of the following is not considered a HIPAA Entity Designation: a. Affiliated covered entity b. Entity that performs healthcare and non-healthcare component activities including both covered and non-covered functions. c. A group health plan. d. Contract arrangement with FedEx carrier. ------CORRECT ANSWER------ ---------d. Contract arrangement with FedEx carrier. What is the Gramm-Leach-Bliley Act (GLBA)? ------CORRECT ANSWER--- ------------Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, include the Financial Privacy Rule and the Safeguards Rule, which requires all financial institutions to protect customer's personal financial information. What is an OCHA? 
------CORRECT ANSWER---------------OCHA (Organized Health Care Arrangement) is a clinically integrated care setting where individuals receive health care from more than one provider. These are joint arrangements/activities and have an Integrated Delivery System for easy exchange of PHI data. See 45 CFR 160.103. OHCAs can also utilize a joint NPP. See 45 CFR § 164.520(d). ACE (Affiliated Covered Entity) do not have an Integrated Delivery System because these are legally separate covered entities that are associated in business, or affiliated as a result of some common control or ownership. Both the OHCA and the ACE would allow sharing of PHI across participating entity lines for treatment, payment, operations purposes (TPO). What's an ACE? ------CORRECT ANSWER---------------Affiliated Covered Entity (ACE). Legally separate covered entities that share common control/ownership and designate themselves as a single CE for the purpose of complying with the HIPAA Privacy standards. ACEs do not have b. HIPAA assurance b. HIPAA preemption d. HIPAA state law ------CORRECT ANSWER---------------c. HIPAA preemption What is the intent of HIPAA? a. Standardize healthcare billing and coding to comply with national accounting principles. b. Increase payment from providers given the rising cost of healthcare and fraud violations. c. Allow group health plans to collect premiums after an individual has left a job/employer. d. Improve healthcare programs and data flow between providers to data mine for fraudulent behavior. ------CORRECT ANSWER---------------d. Improve healthcare programs and data flow between providers to data mine for fraudulent behavior. The intent of HIPAA is to improve healthcare programs and the delivery of services through the two largest health plans in the U.S. 
This is accomplished through improved data flows that lead to better outcomes, using national standard formats and specific transactions that increase accuracy and provide a rapid way to data mine and detect fraudulent behavior. Reference: the specific data flows are outlined in the Transaction and Code Set Rules, 45 CFR 162.100 - 162.1902, https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-162

True or False: A physician is required to have a business associate contract with a laboratory as a condition of disclosing protected health information for the treatment of an individual. ------CORRECT ANSWER---------------False. A disclosure from one health care provider to another for treatment is not a business associate relationship, and use and disclosure of PHI for TPO requires no authorization.

True or False: A hospital laboratory is not required to have a business associate contract to disclose protected health information to a reference laboratory for treatment of the individual. ------CORRECT ANSWER---------------True. Same reasoning: a disclosure to another health care provider for treatment needs neither a business associate agreement nor an authorization.

True or False: An authorization for research use/disclosure may state that it does not expire, or that it expires at the end of the research study. ------CORRECT ANSWER---------------True. An expiration date or event is a core element of an authorization, and for research "end of the research study" or "none" is an acceptable expiration. Resource: https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html

True or False: An authorization for research use/disclosure may be combined with an authorization for a different research activity, even where research-related treatment is conditioned on one of the authorizations. ------CORRECT ANSWER---------------True, provided that when treatment is conditioned on one authorization and not the other, the compound authorization clearly differentiates the conditioned from the unconditioned component and gives the individual the option to opt in to the unconditioned research. Reference: https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html

True or False: An authorization for research use/disclosure may be combined with another legal permission or consent to participate in the research, such as an informed consent document. ------CORRECT ANSWER---------------True.
Reference: https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html

True or False: It is possible for a facility with multiple provider functions to have certain isolated providers or groups that are subject to 42 CFR Part 2, while the facility as a whole is not subject to Part 2. For example, a large facility may have primary care providers and a separate unit that provides SUD services. ------CORRECT ANSWER---------------True. Explanation: The SUD unit is subject to Part 2, but the rest of the facility is not.

True or False: An individual provider who works in a general medical facility could also be a Part 2 program IF the provider's primary function is to provide SUD services. ------CORRECT ANSWER---------------True. Explanation: A primary care physician who provides medication-assisted treatment meets the definition only if providing services to persons with SUD is their primary function. However, if a patient receives both primary care and SUD treatment, the SUD providers are still subject to Part 2 and could not share Part 2 records with the patient's primary care provider without consent.

True or False: When a program or facility provides both SUD and mental health services, and a patient has been admitted for both, all of the patient's records are subject to the Part 2 regulations. ------CORRECT ANSWER---------------False. Explanation: Mental health information is not subject to the standards in 42 CFR Part 2 and can be shared without consent for treatment purposes, including care coordination, as allowed under HIPAA. Only records or information about patients receiving SUD services are subject to Part 2, whose rules on use and disclosure are more restrictive. However, to allow appropriate mental/behavioral health information sharing with SUD

c. When a provider simply accepts a discounted rate to participate in the health plan's network. d. US Postal Service or private carriers. ------CORRECT ANSWER---------------a.
Independent medical transcriptionists. Explanation: This is an outsourced service that handles PHI on behalf of the covered entity. The transcriptionist performs an activity for the covered entity that involves PHI, so it is a business associate and a BAA is required to ensure proper use and disclosure. Reference: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html

Is a covered entity required to provide notice to individuals about its disclosures of PHI to a public health authority (PHA) for public health purposes? ------CORRECT ANSWER---------------Yes, through the covered entity's Notice of Privacy Practices (NPP). The Privacy Rule requires a covered entity to describe in its NPP the purposes, including public health purposes, for which it may use or disclose PHI without an individual's authorization. The Privacy Rule does not, however, require a business associate (such as an HIE that is a business associate) to provide individuals with an NPP.

True or False: OHCAs and ACEs are both able to produce a joint Notice of Privacy Practices (NPP). ------CORRECT ANSWER---------------False. Explanation: The joint-notice provision in 45 CFR 164.520(d) applies to OHCAs: covered entities that participate in an OHCA may issue a single joint notice, and each agrees to abide by its terms with respect to PHI created or received as part of its participation in the OHCA. An ACE is instead treated as a single covered entity under 45 CFR 164.105(b) and issues that single entity's own notice; it does not use the OHCA joint-notice mechanism, and its members may still operate separate EHRs and separate HIM/release-of-information functions, so PHI is not created or received in the same manner. Reference: 45 CFR 164.520(d); https://www.law.cornell.edu/cfr/text/45/164.520

True or False: It is your last day at your pediatric clinical site and you are saying goodbye to all of your favorite patients. You take a picture on your phone of a few of the patients posing together and later post it to your private blog as an illustration of your last day.
Since your blog is private and can only be accessed by those who know the URL, you are not in violation of HIPAA regulations. ------CORRECT ANSWER---------------False. A photograph of identifiable patients is PHI, and posting it outside the covered entity without authorization is an impermissible disclosure regardless of how restricted the blog's audience is.

In the mid-1990s, OIG began to require providers settling civil health care fraud cases to enter into a specific type of agreement as a condition for OIG not pursuing exclusion. These agreements are referred to as what? ------CORRECT ANSWER---------------Corporate Integrity Agreements (CIA)

A privacy professional is reviewing a program for an academic medical center that includes a faculty group practice, hospital, student health center, and self-funded group health plan. The privacy professional should evaluate if the program has notices for: a. GINA b. FMLA c. HIPAA d. FISMA ------CORRECT ANSWER---------------c. HIPAA

A health system implemented an EHR in 55 clinics. The privacy professional is told employees are inconsistently interpreting the policy addressing employee access to the EHR. Which of the following is the privacy professional's BEST strategy? a. Collaborate with HR to ensure appropriate discipline. b. Perform an audit under attorney-client privilege. c. Conduct surveys of clinic employees for concerns. d. Audit a random sampling of clinics across the organization. ------CORRECT ANSWER---------------d. Audit a random sampling of clinics across the organization.

A privacy professional is assisting IT with the development of proper controls to protect the privacy of the organization's data. Which of the following is an employee-related control? a. Breach response procedures. b. Annual evaluations. c. Contractual requirements. d. User passwords. ------CORRECT ANSWER---------------d. User passwords.

The HIPAA Privacy Rule requires retraining of the workforce: a. After a material change in policy. b. Six months after initial training. c. Every other year. d. After a violation. ------CORRECT ANSWER---------------a. After a material change in policy.
The PRIMARY purpose of a privacy exit interview is to: a. Meet HITECH requirements. b. Prevent whistleblower lawsuits. c. Evaluate for rehire. d. Determine the appropriate discipline. ------CORRECT ANSWER---------------b. Prevent whistleblower lawsuits.

An employee responsible for quality assurance reviews was terminated for inappropriately accessing sensitive information of a health plan beneficiary. Several medical records cannot be located. The privacy professional hears that physicians are taking original patient records home to dictate. No tracking process exists for medical records. Which of the following is the privacy professional's MOST appropriate action? a. Create shadow records. b. Develop an audit process. c. Design a monitoring tool. d. Recommend discipline. ------CORRECT ANSWER---------------b. Develop an audit process.

The health information management director for a hospital asks a privacy professional whether the information of a deceased patient can be released to the patient's spouse. In which circumstance would the release to the spouse be permitted? a. The spouse was involved in the patient's care before death. b. Permission was granted in the patient's will. c. The spouse has healthcare power of attorney. d. The spouse has a waiver of authorization. ------CORRECT ANSWER---------------a. The spouse was involved in the patient's care before death.

An employee contacts a privacy professional about the employee's involvement in possible illegal activity involving the misuse of individually identifiable information. Which of the following should the privacy professional do FIRST? a. Ask the CFO for assistance. b. Contact legal counsel. c. Notify local law enforcement. d. Refer the employee to human resources. ------CORRECT ANSWER---------------b. Contact legal counsel.

When asked to give a presentation to the board on the implementation of a privacy program, a privacy professional should consider which of the following elements FIRST? a.
Program budget. b. Audit plan. c. Training plan. d. Program scope. ------CORRECT ANSWER---------------d. Program scope.

Which of the following topics should be included in a training presentation on privacy safeguards? a. Recycling paper documents. b. Maintaining medical records for a specific number of years. c. Requiring BAAs of vendors. d. Shredding paper documents. ------CORRECT ANSWER---------------d. Shredding paper documents.

A privacy professional has been notified that there has been a data breach of a clinical system containing protected health information. Which of the following is the source of the notification requirements? a. FERPA provisions. b. HIPAA Security Rule. c. HITECH Act. d. Privacy Act ------CORRECT ANSWER---------------c. HITECH Act (the Breach Notification Rule, 45 CFR 164.400-414, implements HITECH section 13402)

A photo of a nurse performing a procedure on a patient in the hospital has been posted on a social networking site. HR has identified both the nurse in the photo and the patient. HR asks the privacy professional for a recommendation for disciplinary action. Before providing a recommendation, the privacy professional should determine if the: a. 60-day timeline for reporting the breach to DHHS has lapsed. b. Photo was posted during work hours or an unpaid break. c. Nurse was aware that she was being photographed. d. Patient says they gave permission for the photo. ------CORRECT ANSWER---------------c. Nurse was aware that she was being photographed.

A privacy professional verified that a Business Associate (BA) is selling an individual's PHI. The BA can claim it was compliant with regulatory requirements if it obtained: a. Authorization from the individual. b. Consent from the individual. c. Authorization from the healthcare entity. d. Consent from the healthcare entity. ------CORRECT ANSWER---------------a. Authorization from the individual.

A clinic has patient data that an independent researcher would like to access.
The researcher only needs de-identified information, but the clinic does not have the resources to strip the patient identifiers from the data being requested. The researcher does have the resources and offers to remove the identifiers before beginning the research. A privacy professional should inform the clinic that it can provide the PHI to the researcher if the clinic: a. Notifies each patient whose information is disclosed. b. Modifies the hospital's Notice of Privacy Practices. c. Requires the researcher to obtain a waiver of authorization. d. Has the researcher show proof of privacy training. ------CORRECT ANSWER---------------c. Requires the researcher to obtain a waiver of authorization.

There is a message on a hotline from a patient indicating that her PHI has been used to contact her about participating in a research study. As the NEXT step in the investigation, the privacy professional should contact the: a. Patient for additional information. b. Patient's primary care physician to confirm the information. c. Principal investigator about how she got the patient's name.

d. Mental illness, HIV status, drug and alcohol abuse. ------CORRECT ANSWER---------------c. Drug abuse, alcoholism, infection with the HIV virus, and sickle cell anemia.

True or False: The Minimum Necessary standard is a key concept under the HIPAA Security Rule. ------CORRECT ANSWER---------------False. It is a key concept under the HIPAA Privacy Rule (45 CFR 164.502(b)).

Regarding HIPAA authorization: Is there any information we can release to a person who is calling on behalf of a patient but who is not named on a release form? ------CORRECT ANSWER---------------Yes. For a family member, relative, close friend, or other person involved in the patient's care, the patient must be given an "opportunity to agree or object" (45 CFR 164.510(b)), keeping in mind: 1. You can obtain the patient's agreement verbally, including over the phone, BUT document it in the medical record. 2. Disclose only the minimum necessary, i.e., the PHI directly relevant to that person's involvement in the patient's care.
Regarding HIPAA authorization: When my patients are being treated for car accident injuries, we often receive requests for PHI from lawyers. I am not sure if we should provide the information and don't know how to decide whether the request is legitimate. How do we validate whether the request is legitimate? ------CORRECT ANSWER---------------Ensure it is a valid HIPAA authorization: it MUST contain the six core elements and three required statements specified in 45 CFR 164.508(c)(1) and (2), be signed and dated by the patient or the patient's personal representative, and not be expired or revoked.

Regarding HIPAA authorization: One of my long-term (dental) patients was recently diagnosed with cancer. His new oncologist's assistant called to request his PHI from our files. I don't know if the patient knows or has authorized this. Can the request be fulfilled? ------CORRECT ANSWER---------------Yes. No authorization is required for disclosures for treatment (TPO). But verify the identity and authority of the requester, as 45 CFR 164.514(h) requires, for example by asking for a written request that states the requesting covered entity's name, the patient's name, the date of the event or treatment, and the reason for the request.

Regarding HIPAA authorization: I strongly suspect that a patient is a victim of domestic violence, although the patient has not confided in me. The abuse seems to be escalating, judging by the injuries I've seen. May I do anything? ------CORRECT ANSWER---------------You may. This is an exception to the Privacy Rule's authorization requirement (45 CFR 164.512(c)): if you reasonably believe the patient to be a victim of abuse, neglect, or domestic violence, you may report to the government authority authorized by law to receive such reports, to the extent the disclosure is required by law, the patient agrees, or the disclosure is expressly authorized by statute or regulation and you believe it is necessary to prevent serious harm. The patient's agreement is one basis for the disclosure but is not always required, and you must generally inform the patient promptly that a report has been or will be made.

American Recovery and Reinvestment Act (ARRA), passed in 2009. What is it? ------CORRECT ANSWER---------------ARRA, also known as the "Obama stimulus," was enacted in response to the 2008 recession. ARRA mandated government spending, tax cuts, and loan guarantees for financial relief to families. Its HITECH Act title funded incentives for hospitals and providers to adopt electronic health records and modernize health IT systems; the breach notification provisions were implemented under HITECH.
IIHI ------CORRECT ANSWER---------------Individually Identifiable Health Information: any health information, including demographic information (e.g., address, date of birth), collected from an individual that identifies the individual or could reasonably be used to identify the individual.

PHI ------CORRECT ANSWER---------------Protected Health Information: IIHI that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. (PHI excludes IIHI in education records covered by FERPA, in employment records held by a covered entity in its role as employer, and about a person who has been deceased for more than 50 years.)

What is de-identified information? ------CORRECT ANSWER---------------Health information from which the HIPAA identifiers have been removed so that it no longer identifies an individual. This is accomplished by one of two methods (45 CFR 164.514(b)): 1. Expert Determination: a qualified expert, applying statistical or scientific principles, determines and documents that the risk of re-identification is very small. 2. Safe Harbor: removing the 18 listed identifiers of the individual and of relatives, employers, and household members, with no actual knowledge that the remaining information could identify the individual. Reference: https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html

What is re-identification? ------CORRECT ANSWER---------------A covered entity may assign a code or other means of record identification so that de-identified information can later be re-identified; however, the code must not be derived from or related to information about the individual, and the covered entity must not disclose the re-identification mechanism (45 CFR 164.514(c)). Reference: https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html

What's the Minimum Necessary? ------CORRECT ANSWER---------------Use, disclose, or request only the PHI needed to accomplish the intended purpose of the use, disclosure, or request. Reference: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

The Minimum Necessary DOES NOT apply to? ------CORRECT ANSWER---------------Disclosures to, or requests by, a health care provider for treatment (it still applies to payment and health care operations); uses or disclosures made to the individual; uses or disclosures made pursuant to an authorization; disclosures to the HHS Secretary for compliance purposes; and uses or disclosures required by law. Ref: 45 CFR 164.502(b)(2).

Request for Confidential Communication ------CORRECT ANSWER---------------The patient may request to receive communications of PHI by alternative means or at alternative locations not typical for the entity, such as by email or at an off-site location; a provider must accommodate reasonable requests (45 CFR 164.522(b)).
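The Safe Harbor method above is a concrete transformation, so here it is applied to one record as an added example (this is not code from the page or from HHS). The record keys, the restricted three-digit ZIP set, and the sample record are all assumptions constructed for illustration; the ZIP set in particular must come from current census data in real use. Beyond the bare list of 18 identifiers, the example shows the three edge cases practitioners get wrong: ages over 89 collapse to "90+" and lose their birth year, low-population ZIP3 prefixes become 000, and identifiers hiding in free-text fields must be scrubbed and then re-checked.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) applied to one record.

Added example, not code from the page. Field names, the restricted ZIP3 set
and the sample record are assumptions constructed for illustration.
"""
import re
from datetime import date

# Hypothetical record keys holding direct identifiers; Safe Harbor drops them outright.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
})
# Hypothetical date-typed keys; Safe Harbor keeps only the year.
DATE_FIELDS = frozenset({"admit_date", "discharge_date", "death_date"})

# ZIP3 prefixes whose combined population is 20,000 or fewer must become "000".
# Illustrative set (assumption): derive the real list from current census data.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

# Patterns for identifiers that commonly leak through free-text fields.
PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def zip3(zip_code):
    """Return the 3-digit ZIP prefix, or '000' for restricted or malformed codes."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5 or digits[:3] in RESTRICTED_ZIP3:
        return "000"
    return digits[:3]


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    age = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        age -= 1
    return age


def scrub_text(text):
    """Redact phone numbers, SSNs and full dates in free text."""
    for pattern in PATTERNS.values():
        text = pattern.sub("[REDACTED]", text)
    return text


def deidentify(record, as_of):
    """Return a new dict with Safe Harbor transformations applied."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # identifier removed outright
        if key == "zip":
            out["zip3"] = zip3(value)     # geography coarser than street/city
        elif key == "dob":
            age = age_on(value, as_of)
            if age >= 90:                 # ages over 89 aggregate to "90+"
                out["age"] = "90+"        # and the birth year is dropped too
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value.year
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # free text can carry identifiers
        else:
            out[key] = value
    return out


def residual_identifiers(record):
    """Post-check: list (field, kind) pairs that still look like identifiers."""
    findings = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            findings.append((key, "direct identifier"))
        elif isinstance(value, str):
            for kind, pattern in PATTERNS.items():
                if pattern.search(value):
                    findings.append((key, kind))
    return findings


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "zip": "02139",
    "dob": date(1931, 7, 4),
    "admit_date": date(2023, 3, 15),
    "diagnosis": "I10",
    "notes": "Seen in clinic on 03/15/2023 for follow-up; callback 617-555-0199.",
}


def deidentify_sample(as_of=date(2024, 1, 1)):
    """Run the sample record through Safe Harbor as of a fixed reference date."""
    return deidentify(SAMPLE_RECORD, as_of)


if __name__ == "__main__":
    cleaned = deidentify_sample()
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

The post-check matters because Safe Harbor also requires that the covered entity have no actual knowledge that the remaining data could identify the individual; a regex sweep over free text is a floor, not a ceiling, and narrative fields with rich detail are usually better handled under Expert Determination than by pattern scrubbing alone.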
What is the difference between HIPAA security and privacy? ------CORRECT ANSWER---------------Security Rule: covers ePHI (electronic PHI) only. Privacy Rule: covers PHI in all forms (electronic, oral, written).

45 CFR 164, Subpart C, outlines the administrative, physical, and technical safeguards that both covered entities and business associates must implement to ensure the _____, _____, and _____ of ePHI, protect against reasonably anticipated threats, and protect against reasonably anticipated uses or disclosures that are not permitted. ------CORRECT ANSWER---------------Confidentiality, Integrity, Availability

Note: Accidental disclosures must be reported. An accidental HIPAA violation is an unauthorized disclosure of PHI made without intent. Even with safeguards and protective measures in place, there is still a possibility of violating HIPAA. Examples include an employee opening a different patient's medical record by mistake, an email sent to the wrong person, or the loss or theft of a personal device that contains PHI. Such incidents must be reported internally and assessed under the four-factor breach risk assessment (LoProCo); they are presumed to be breaches unless that assessment shows a low probability that the PHI was compromised. Distinguish these from incidental uses and disclosures that are a by-product of a permitted use and occur despite reasonable safeguards and minimum necessary practices, which the Privacy Rule permits.

What criteria are there for a research HIPAA waiver? ------CORRECT ANSWER---------------For an IRB or Privacy Board to waive or alter the authorization requirement, all of the following criteria must be met (45 CFR 164.512(i)(2)): 1. The use or disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on a plan to protect identifiers from improper use and disclosure, a plan to destroy identifiers at the earliest opportunity (unless there is a health or research justification for retaining them or retention is required by law), and adequate written assurances that the PHI will not be reused or disclosed to others except as required by law, for oversight of the research, or for other research permitted by the Privacy Rule. 2. The research could not practicably be conducted without the waiver or alteration. 3. The research could not practicably be conducted without access to and use of the PHI. Reference: 45 CFR 164.512(i)(2)

What is malicious software? ------CORRECT ANSWER---------------Malware. The Security Rule defines it as software, for example a virus, designed to damage or disrupt a system; in practice this includes software used to control or take over applications, workstations, or servers. Reference: Security Rule definitions, 45 CFR 164.304, https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.304

What does TPO stand for?
------CORRECT ANSWER---------------Treatment, payment, and health care operations

True or False: A payer/health plan is allowed to use/disclose a beneficiary's PHI in activities such as legal services, medical review, and fraud and abuse detection. ------CORRECT ANSWER---------------True. These activities fall within health care operations.

A provider receives a request from the Social Security Administration for PHI relating to a person's application for benefits. Which of the following is the correct method of release? a. Since it is to a federal agency, an authorization from the patient is not needed, so PHI can be released. b. The provider should review the PHI, make a decision on the minimum necessary, and release. c. The provider should notify the patient and obtain a signed authorization prior to release. d. Release the information because the patient signed a consent for treatment. ------CORRECT ANSWER---------------c. The provider should notify the patient and obtain a signed authorization prior to release.

Also known as the "Stimulus Act" or the "Recovery Act," enacted in 2009. Its main purpose was to create jobs and stimulate economic growth; it also included provisions to promote health information technology. ------CORRECT ANSWER---------------American Recovery and Reinvestment Act (ARRA)

In terms of HIPAA, what does CIA stand for? ------CORRECT ANSWER---------------Confidentiality: not made available or disclosed to unauthorized persons or processes. Integrity: not altered or destroyed in an unauthorized manner. Availability: accessible and usable upon demand by an authorized person. Reference: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

Comprehensive legislation that ensures access to health coverage for those who change jobs or are temporarily out of work. It also provides the mechanism for funding the Department of Justice and the FBI for health care fraud investigations (the HCFAC program).
------CORRECT ANSWER---------------Health Insurance Portability and Accountability Act (HIPAA) of 1996. Reference: https://oig.hhs.gov/reports-and-publications/hcfac/index.asp

True or False: The HIPAA Privacy and Security Rules were promulgated to make health care interstate commerce uniform, creating a national health care privacy and security baseline or floor (more stringent state laws are not preempted). ------CORRECT ANSWER---------------True.

What is a designated record set (DRS)? ------CORRECT ANSWER---------------A group of records maintained by or for a covered entity that comprises: 1. Medical and billing records about individuals maintained by or for a covered health care provider. 2. Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan. 3. Other records used, in whole or in part, by or for the covered entity to make decisions about individuals. (45 CFR 164.501)

What is excluded from a designated record set? ------CORRECT ANSWER---------------Administrative data not used to make decisions about individuals (audit trails, appointment schedules, and similar data that do not embed PHI), incident reports, quality assurance data, and statistical reports.

How are DVD medical records destroyed? ------CORRECT ANSWER---------------By shredding or cutting the disc.

What are a few examples of use or disclosure of PHI other than for TPO? ------CORRECT ANSWER---------------Public health activities, research, averting a serious threat to health or safety, organ/tissue donation, decedent information (e.g., to coroners and funeral directors), and workers' compensation insurers (45 CFR 164.512).

What are examples of administrative safeguards? ------CORRECT ANSWER---------------
- Policies and procedures
- Training and education
- Designation of responsible individuals, e.g., a Security Officer
- Contingency planning

What are examples of physical safeguards? ------CORRECT ANSWER---------------
- Facility security or access plan
- Disposal processes and media reuse
- Data backup and storage

What are examples of technical safeguards? ------CORRECT ANSWER---------------
- Passwords
- Encryption
- Automatic log-off
- Unique user identification

HIPAA "consent" and "authorization" have key differences. What are they?
------CORRECT ANSWER---------------Consent is optional: a covered entity may choose to obtain consent for uses and disclosures for TPO, which the Privacy Rule already permits without it. Authorization is required by the Privacy Rule for uses and disclosures of PHI that the Rule does not otherwise permit (e.g., most marketing, sale of PHI, and most uses of psychotherapy notes). Reference: https://www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html

Regarding disclosure, what is the primary difference between HIPAA authorization and Right of Access? ------CORRECT ANSWER---------------A disclosure under a HIPAA authorization is a PERMITTED disclosure (the covered entity may make it but is not obliged to). A disclosure under the Right of Access is a REQUIRED disclosure (the covered entity must provide it within the timeframe set by 45 CFR 164.524).

What is excluded from the Right of Access? ------CORRECT ANSWER---------------1. Any information that is not part of the designated record set. 2. Psychotherapy notes (see 45 CFR 164.524(a)(1)(i) and 164.501). 3. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding (45 CFR 164.524(a)(1)(ii)). Reference: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

HIPAA of 1996: Examples of criminal offenses. ------CORRECT ANSWER---------------HIPAA created federal health care fraud offenses, making it a criminal offense to knowingly submit claims based on incorrect codes or for medically unnecessary services, and the government has the power to exclude the organization from Medicare, Medicaid, and a long list of other government programs.

Security Rule documentation requirements: How long must a covered entity retain written records? ------CORRECT ANSWER---------------At least 6 years from the date of creation or the date when the document was last in effect, whichever is later (45 CFR 164.316(b)(2)).

Risk assessment to determine LoProCo (low probability of compromise): ------CORRECT ANSWER---------------1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. 2. The unauthorized person who used the PHI or to whom the disclosure was made. 3. Whether the PHI was actually acquired or viewed. 4. The extent to which the risk to the PHI has been mitigated. (45 CFR 164.402)

HITECH is part of what? ------CORRECT ANSWER---------------American Recovery and Reinvestment Act (ARRA)

How long is PHI protected after the person's death?
------CORRECT ANSWER---------------50 years.

How many identifiers are listed in the HIPAA Privacy Rule's Safe Harbor de-identification standard? ------CORRECT ANSWER---------------18