1. HIPAA TRIVIA Do you know HIPAA?

2. HIPAA was created by?  The Affordable Care Act  Health Insurance companies  United States Congress  United States Supreme Court Click the box beside the correct answer

3. United States Congress  HIPAA was passed by Congress and signed into law by the President in 1996.  The HIPAA Privacy rule was effective in 2003.  The HIPAA Security rule was effective in 2005.  Both the HIPAA Privacy and Security rules govern our activities at ARHS. NEXT QUESTION

4. INCORRECT – Try Again  Click here to return to the question

5. “HIPAA” stands for?  Health Insurance Portability and Accountability Act  Health Information Protection and Accessibility Act  Health Information Portability and Accountability Act  Health Insurance Protection and Accessibility Act Click the box beside the correct answer

6. H ealth I nsurance P ortability and A ccountability A ct  The first section of HIPAA regulates the transfer or “portability” of health insurance when individuals move from one employer or insurance company to another.  At ARHS we are governed by the additional sections of HIPAA which regulate privacy and security of our patients’ health information. NEXT QUESTION

7. INCORRECT – Try Again  Click here to return to the question

8. The bill that was passed to strengthen HIPAA is commonly known as?  HIPAA 2  HITECH  PHIA  SSA Click the box beside the correct answer

9. HITECH  H ealth I nformation T echnology for E conomic and C linical H ealth Act  Strengthens and provides additional regulatory and enforcement support to the privacy and security rules established by HIPAA NEXT QUESTION

10. INCORRECT – Try Again  Click here to return to the question

11. In HIPAA and HITECH “PHI” stands for?  Patient Health Insurance  Patient Health Information  Protected Health Information  Personal Health Information Click the box beside the correct answer

12. P rotected H ealth I nformation  Name  Address  Date of Birth  Social Security Number  Insurance Information  Employer  Family member names  Photos  Medical history  Medical record  Any information that may be used to identify the patient is considered PHI NEXT QUESTION

13. INCORRECT – Try Again  Click here to return to the question

14. What is ePHI?  Electronic Protected Health Information  Eliminated Protected Health Information  Enforced Protected Health Information  Enhanced Protected Health Information Click the box beside the correct answer

15. Electronic Protected Health Information  ePHI is any Protected Health Information (PHI) stored or transmitted in an electronic format  ePHI includes PHI stored on Electronic Medical Records, computers, laptops, USB keys, cell phones or any other electronic media  ePHI includes PHI that is included in an e-mail  E-mailed PHI must be encrypted unless the patient requests an unencrypted e-mail and is made aware of the risks of the PHI being sent unsecured  ePHI also includes PHI that has been faxed NEXT QUESTION

16. INCORRECT – Try Again  Click here to return to the question

17. Under HIPAA and HITECH ARHS and its facilities are a(n)?  Business Associate  Covered Entity  Clearinghouse  Insurance Provider Click the box beside the correct answer

18. Covered Entity  ARHS and all its facilities are Covered Entities under HIPAA and HITECH  Covered Entities are healthcare providers which treat patients and accumulate PHI for those patients including but not limited to hospitals, post- acute/long-term care facilities and physician practices. NEXT QUESTION

19. INCORRECT – Try Again  Click here to return to the question

20. Under HIPAA and HITECH a Business Associate of ARHS is?  Any organization that has access to PHI stored at ARHS  Any individual or organization that ARHS contracts with to access PHI when the PHI is to be used for the benefit of ARHS  Any individual who may have access to PHI  Any software company ARHS does business with Click the box beside the correct answer

21. Business Associate  Business Associates (BA) are entities or individuals to whom we release our patient’s PHI so they can use that PHI to perform a specific task for the benefit of ARHS such as attorneys, auditors, consultants and others.  ARHS is required to maintain a Business Associate Agreement (BAA) with all Business Associates. NEXT QUESTION

22. INCORRECT – Try Again  Click here to return to the question

23. HIPAA allows use and disclosure of PHI for?  Treatment  Payment  Operations  All of the above Click the box beside the correct answer

24. Treatment, Payment and Operations  HIPAA allows the use and disclosure of PHI only for the treatment of patients, the collection of payment and for operations of the organization.  Also referred to as “TPO” these are the only uses and disclosures allowed by HIPAA without the consent of the patient.  Additionally HIPAA’s “Minimum Necessary” rule restricts access, use or disclosure of PHI to only the minimum extent necessary for a provider or employee to perform his/her job responsibilities. NEXT QUESTION

25. INCORRECT – Try Again  Click here to return to the question

26. The office that enforces HIPAA and HITECH is?  United States Department of Justice  United States Centers for Medicare and Medicaid  North Carolina Department of Health and Human Services  Office for Civil Rights Click the box beside the correct answer

27. Office for Civil Rights  The United States Department of Health and Human Services (HHS) assigned enforcement of HIPAA to the Office for Civil Rights (OCR)  The OCR has completed Phase I of a program to audit Covered Entity’s and Business Associate’s compliance with HIPAA and HITECH.  The second phase of audits will begin in 2016 and ARHS could be chosen to be audited. NEXT QUESTION

28. INCORRECT – Try Again  Click here to return to the question

29. HIPAA gives patients the right to?  Request a copy of their medical record  Request a list of providers and others the Covered Entity has disclosed their PHI to.  Request limited access to their PHI.  All of the above. Click the box beside the correct answer

30. All of these and many others  HIPAA grants patients all the rights listed as well as many additional rights.  Every patient has the right to a copy of his/her medical record which ARHS must provide upon request.  ARHS is required to maintain a list of disclosures of patient PHI and provide that list upon request by the patient.  Our patients have the right to request limited access to their PHI, however ARHS may determine it is unreasonable or we are unable to honor their request.  All patient rights are listed in the Notice of Patient Rights given to patients upon registration. NEXT QUESTION

31. INCORRECT – Try Again  Click here to return to the question

32. What disclosure(s) may be determined a breach of PHI?  A fax sent to the wrong phone number  Posting a picture or information about a patient on social media  Notifying a family member that a patient is in an ARHS facility when the patient has not authorized you to do so  Discussing patient information in the hospital cafeteria  All of the above Click the box beside the correct answer

33. All of these and more!!  Any incident or communication where it can be determined that there is more than a low probability that the PHI could be used for purposes other than those allowed by HIPAA is a breach  A breach may involve PHI of one patient or PHI of thousands of patients  Breaches of PHI by staff of ARHS could result in disciplinary action up to and including termination. NEXT QUESTION

34. INCORRECT – Try Again  Click here to return to the question

35. Who are HIPAA breaches reported to?  The patient whose PHI was breached  The Office for Civil Rights  The patient and the Office for Civil Rights  HIPAA breaches are not reported Click the box beside the correct answer

36. The patient and the Office for Civil Rights  All breaches must be reported to the patient whose PHI was breached regardless of when or how the breach occurred.  Breaches involving 500 or more individuals’ PHI must be reported to the Office for Civil Rights and local media in addition to notifying the patient.  Breaches involving 1 – 499 individuals’ PHI must be reported to the Office for Civil Rights in addition to notifying the patient. NEXT QUESTION

37. INCORRECT – Try Again  Click here to return to the question

38. Who is the Privacy Officer at ARHS?  Randy Dow  Nathan White  Kevin May  Amy Crabbe Click the box beside the correct answer

39. Randy Dow  Randy Dow is the Compliance and Privacy Officer at ARHS.  Compliance is responsible for monitoring and auditing HIPAA at ARHS and its facilities.  Compliance is also responsible for HIPAA breach determination and notification at ARHS and its facilities.  Randy Dow is assisted in Compliance by Sherrie King, ARHS Compliance Auditor NEXT QUESTION

40. INCORRECT – Try Again  Click here to return to the question

41. How do you notify Compliance of any HIPAA concerns you may have?  Contact Randy Dow at 268-8915 or rcdow@apprhs.org rcdow@apprhs.org  Contact Sherrie King at 263-1207 or saking@apprhs.org saking@apprhs.org  Call the Hotline at 1-800-656-7743  All of the above Click the box beside the correct answer

42. You may report HIPAA concerns or violations to:  Randy Dow at 268-8915 or rcdow@apprhs.orgrcdow@apprhs.org  Sherrie King at 263-1207 or saking@apprhs.orgsaking@apprhs.org  Compliance Concepts Hotline 1-800-656-7743  Hotline calls are answered by a company outside ARHS and you do not have to give your name when calling the hotline  You cannot be punished by your supervisor or ARHS for reporting HIPAA violations.

43. INCORRECT – Try Again  Click here to return to the question