Privacy Act and HIPAA Challenge Answers

Select the best answer. The HIPAA Privacy Rule applies to which of the following?

A: PHI transmitted orally
B: PHI in paper form
C: PHI transmitted electronically
D: All of the above

Show or Reveal the Answer

All of the above

EXPLANATION: The correct answer is D. The HIPAA Privacy Rule applies to PHI that is transmitted or maintained by a covered entity or a business associate in any form or medium.

Under HIPAA, a covered entity (CE) is defined as:

A: A health plan.
B: A health care clearinghouse.
C: A health care provider engaged in standard electronic transactions covered by HIPAA
D: All of the above

Show or Reveal the Answer

All of the above

EXPLANATION: The correct answer is D. Under HIPAA, a CE is a health plan, a health care clearinghouse, or a health care provider engaged in standard electronic transactions covered by HIPAA.

An incidental use or disclosure is not a violation of the HIPAA Privacy Rule if the covered entity (CE) has:

A: Implemented the minimum necessary standard
B: Established appropriate administrative safeguards
C: Established appropriate physical and technical safeguards
D: All of the above

Show or Reveal the Answer

All of the above

EXPLANATION: The correct answer is D. An incidental use or disclosure is an unintended use or disclosure that occurs as a by-product of another use or disclosure that the HIPAA Privacy Rule permits or requires (for example, a visitor overhearing part of a conversation at a nurses' station). Such incidental uses or disclosures are not a violation of the Privacy Rule, provided that the CE has implemented the minimum necessary standard and has established appropriate administrative, physical, and technical safeguards.

Which of the following would be considered PHI?

A: An individual's first and last name and the medical diagnosis in a physician's progress report
B: Individually identifiable health information (IIHI) in employment records held by a covered entity (CE) in its role as an employer
C: Results of an eye exam taken at the DMV as part of a driving test
D: IIHI of persons deceased more than 50 years

Show or Reveal the Answer

An individual's first and last name and the medical diagnosis in a physician's progress report

Select the best answer. Which of the following are true statements about limited data sets?

A: A limited data set is PHI that excludes 16 specific direct identifiers of the individual or of relatives, employers or household members of the individual, as set forth in the HIPAA Privacy Rule and DoD's implementing issuance
B: A limited data set can be used or disclosed only for the purposes of research, public health or health care operations
C: When disclosing a limited data set, covered entities (CEs)/MTFs are required to obtain satisfactory assurances, in the form of a Data Use Agreement (DUA), signed by the recipient
D: All of the above

Show or Reveal the Answer

All of the above

EXPLANATION: The correct answer is D. A limited data set is PHI that excludes specific direct identifiers of the individual or relatives, employers or household members of the individual. It can be used or disclosed only for the purposes of research, public health or health care operations. When disclosing a limited data set, CEs/MTFs are required to obtain satisfactory assurances, in the form of a DUA, signed by the recipient.

Was this a violation of HIPAA security safeguards?

A: Yes
B: No

Show or Reveal the Answer

Yes

EXPLANATION: The correct answer is A - Yes. Thomas violated DoD policy by downloading ePHI to a flash drive. As a result of this policy violation, Thomas put the ePHI of a significant number of Valley Forge MTF patients at risk and will be subject to disciplinary action consistent with Valley Forge MTF's workforce sanction policy. Both of these policies (the media-handling policy and the sanction policy) are good examples of the administrative safeguards required by the HIPAA Security Rule. Further, this scenario presents an additional risk in that the ePHI on the misplaced flash drive may not be encrypted. Under the HIPAA Security Rule, encryption is a technical safeguard that can protect ePHI at rest and in transmission. DoD covered entities should always use encryption when PII or PHI is placed on mobile media, so that sensitive information (including PHI) is never stored or transmitted in an insecure manner.
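The following is an added illustration of the "encryption at rest" point above and is not part of the original training page or of any DoD-issued tool. It shows the property that matters for a lost flash drive: with authenticated encryption (here AES-256-GCM from the Go standard library), the data on the drive is unreadable without the key, and any byte that is altered on the drive is detected rather than decrypted into a silently corrupted record. The function names (NewKey, Seal, Open), the file label and the sample record are constructed for the example; key storage, key wrapping by a passphrase, and the choice of a validated cryptographic module under DoD policy are assumed to be handled outside this snippet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes, i.e. AES-256.
const KeySize = 32

// NewKey returns a fresh random 256-bit key. Assumption for this example: the key is
// kept in an approved key store (or wrapped by a passphrase-derived key) and never
// travels on the same removable media as the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// label is authenticated but not encrypted (e.g. the export file name), so a blob
// copied under a different name fails to open.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per Seal call; reusing a nonce under the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce slice.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. Any modified byte of nonce, ciphertext, tag or label makes
// gcm.Open return an error, so a tampered blob is rejected, never partially decrypted.
func Open(key, blob, label []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], label)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for the example; not real patient data.
	record := []byte("patient=Jane Doe; dx=J45.909 (asthma); visit=2023-04-05")
	label := []byte("valley-forge-export-0001.enc") // hypothetical file name

	blob, err := Seal(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes of ePHI into %d bytes\n", len(record), len(blob))

	// Simulate a flipped byte on the drive: authentication must fail.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered, label); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}

	got, err := Open(key, blob, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", got)
}
```

The practical caveat is the key: encrypting the drive only helps if the key is not stored on it and is not derivable from a weak passphrase. In the Thomas scenario the policy violation (ePHI on unapproved media) stands regardless; encryption would limit the harm of the loss, not excuse the download.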

Select the best answer. Which of the following are fundamental objectives of information security?

A: Confidentiality
B: Integrity
C: Availability
D: All of the above

Show or Reveal the Answer

All of the above

EXPLANATION: The correct answer is D. Confidentiality, Integrity, and Availability are the fundamental objectives of health information security and the HIPAA Security Rule requires covered entities and business associates to protect against threats and hazards to these objectives.

Administrative safeguards are:

A: Administrative actions, and policies and procedures that are used to manage the selection, development, implementation and maintenance of security measures to protect electronic PHI (ePHI). These safeguards also outline how to manage the conduct of the workforce in relation to the protection of ePHI
B: Physical measures, including policies and procedures that are used to protect electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion
C: Information technology and the associated policies and procedures that are used to protect and control access to ePHI
D: None of the above

Show or Reveal the Answer

Administrative actions, and policies and procedures that are used to manage the selection, development, implementation and maintenance of security measures to protect electronic PHI (ePHI). These safeguards also outline how to manage the conduct of the workforce in relation to the protection of ePHI

EXPLANATION: The correct answer is A. Administrative safeguards are administrative actions, and policies and procedures that are used to manage the selection, development, implementation and maintenance of security measures to protect ePHI. These safeguards also outline how to manage the conduct of the workforce in relation to the protection of ePHI.

Physical safeguards are:

A. Administrative actions, and policies and procedures that are used to manage the selection, development, implementation and maintenance of security measures to protect electronic PHI (ePHI). These safeguards also outline how to manage the conduct of the workforce in relation to the protection of ePHI
B. Physical measures, including policies and procedures that are used to protect electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion
C. Information technology and the associated policies and procedures that are used to protect and control access to ePHI
D. None of the above

Show or Reveal the Answer

Physical measures, including policies and procedures that are used to protect electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion

EXPLANATION: The correct answer is B. Physical safeguards are the physical measures, including policies and procedures that are used to protect electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.

Technical safeguards are:

A. Administrative actions, and policies and procedures that are used to manage the selection, development, implementation and maintenance of security measures to protect electronic PHI (ePHI). These safeguards also outline how to manage the conduct of the workforce in relation to the protection of ePHI
B. Physical measures, including policies and procedures that are used to protect electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion
C. Information technology and the associated policies and procedures that are used to protect and control access to ePHI
D. None of the above

Show or Reveal the Answer

Information technology and the associated policies and procedures that are used to protect and control access to ePHI

EXPLANATION: The correct answer is C. Technical safeguards are the information technology and the associated policies and procedures that are used to protect and control access to ePHI.

Select the best answer. Which of the following are categories for punishing violations of federal health care laws?

A. Criminal penalties
B. Civil money penalties
C. Sanctions
D. All of the above

Show or Reveal the Answer

All of the above

EXPLANATION: The correct answer is D. The three main categories of punishment for violating federal health care laws include: criminal penalties, civil money penalties, and sanctions.

Select the best answer. If an individual believes that a DoD covered entity (CE) is not complying with HIPAA, he or she may file a complaint with the:

A. DHA Privacy Office
B. HHS Secretary
C. MTF HIPAA Privacy Officer
D. All of the above

Show or Reveal the Answer

All of the above

EXPLANATION: The correct answer is D. If an individual believes that a DoD CE is not complying with HIPAA he or she may file a complaint with the DHA Privacy Office, HHS Secretary, and/or the MTF HIPAA Privacy Officer.

Which HHS Office is charged with protecting an individual patient's health information privacy and security through the enforcement of HIPAA?

A. Office of Medicare Hearings and Appeals (OMHA)
B. Office for Civil Rights (OCR)
C. Office of the National Coordinator for Health Information Technology (ONC)
D. None of the above

Show or Reveal the Answer

Office for Civil Rights (OCR)

EXPLANATION: The correct answer is B. The HHS Office for Civil Rights (OCR) is charged with protecting an individual patient's health information privacy and security through the enforcement of HIPAA.

A covered entity (CE) must have an established complaint process.

A. True
B. False

Show or Reveal the Answer

TRUE

EXPLANATION: The correct answer is A - True. CEs/MTFs must have an established complaint process so that individuals understand how to file complaints regarding potential HIPAA violations and to ensure complaints are appropriately and consistently managed.

Under the Privacy Act, individuals have the right to request amendments of their records contained in a system of records.

A. True
B. False

Show or Reveal the Answer

TRUE

EXPLANATION: The correct answer is A - True. Under the Privacy Act, individuals have the right to request amendments of their records contained in a system of records.

The e-Government Act promotes the use of electronic government services by the public and improves the use of information technology in the government.

A. True
B. False

Show or Reveal the Answer

TRUE

EXPLANATION: The correct answer is A - True. The e-Government Act promotes the use of electronic government services by the public and improves the use of information technology in the government.

A System of Records Notice (SORN) serves as a notice to the public about a system of records and must:

A. Specify routine uses (how the information will be used)
B. Be republished if a new routine use is created
C. Be provided to Office of Management and Budget (OMB) and Congress and published in the Federal Register before the system is operational
D. All of the above

Show or Reveal the Answer

All of the above

EXPLANATION: The correct answer is D. A SORN serves as a notice to the public about a system of records and must: Specify routine uses (how the information will be used), be republished if a new routine use is created, and be provided to OMB and Congress and published in the Federal Register before the system is operational.

Select the best answer. A Privacy Impact Assessment (PIA) is an analysis of how information is handled:

A. To ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy
B. To determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system
C. To examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks
D. All of the above

Show or Reveal the Answer

All of the above

EXPLANATION: The correct answer is D. A PIA is an analysis of how personally identifiable information (PII) is utilized to ensure data handling conforms to applicable legal, regulatory, and policy requirements regarding privacy. Additionally, a PIA determines the need, privacy risks and effects of collecting, maintaining, using and disseminating PII in electronic form as well as examining and evaluating protections and alternative processes to mitigate potential privacy risks.

A breach as defined by the DoD is broader than a HIPAA breach (or breach defined by HHS).

A. True
B. False

Show or Reveal the Answer

TRUE

EXPLANATION: The correct answer is A - True. A breach as defined by the DoD is the "actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information where persons other than authorized users gain access or potential access to such information for an other than authorized purposes where one or more individuals will be adversely affected." A HIPAA breach, or HHS breach, is defined as the unauthorized acquisition, access, use, or disclosure of PHI which compromises the privacy and security of the PHI. A DoD breach includes a HIPAA breach, but is actually broader in scope.

Select the best answer. Which of the following are common causes of breaches?

A. Theft and intentional unauthorized access to PHI and personally identifiable information (PII)
B. Human error (e.g. misdirected communication containing PHI or PII)
C. Lost or stolen electronic media devices or paper records containing PHI or PII
D. All of the above

Show or Reveal the Answer

All of the above

EXPLANATION: The correct answer is D. Breaches are commonly associated with human error at the hands of a workforce member. Improper disposal of electronic media devices containing PHI or PII is also a common cause of breaches. Theft and intentional unauthorized access to PHI and PII are also among the most common causes of privacy and security breaches. Another common cause of a breach includes lost or stolen electronic media devices containing PHI and PII such as laptop computers, smartphones and USB storage drives. Lost or stolen paper records containing PHI or PII also are a common cause of breaches.

Select the best answer. Which of the following are breach prevention best practices?

A. Access only the minimum amount of PHI/personally identifiable information (PII) necessary
B. Logoff or lock your workstation when it is unattended
C. Promptly retrieve documents containing PHI/PHI from the printer
D. All of the above

Show or Reveal the Answer

All of the above

EXPLANATION: The correct answer is D. You can help prevent a breach by accessing only the minimum amount of PHI/PII necessary and by promptly retrieving documents containing PHI/PII from the printer. You should always log off or lock your workstation whenever it is unattended, for any length of time.

When must a breach be reported to the U.S. Computer Emergency Readiness Team?

A. Within 1 hour of discovery
B. Within 24 hours of discovery
C. Within 48 hours of discovery
D. Within 72 hours of discovery

Show or Reveal the Answer

Within 1 hour of discovery

EXPLANATION: The correct answer is A. A breach must be reported to the U.S. Computer Emergency Readiness Team within 1 hour of discovery.

How should John advise the staff member to proceed?

A: John should advise the staff member to take the man's word for it and allow him to enter.
B: John should advise the staff member to deny the man's request and indicate that access cannot be gained without his ID badge.
C: John should advise the staff member to have the man contact the help desk to assist him in gaining a temporary access card or another approved alternative means of access.
D: Both B and C

Show or Reveal the Answer

Both B and C

EXPLANATION: The correct answer is D. This scenario illustrates a good example of a physical safeguard in the form of an access control to a secure area of the Valley Forge MTF. Pursuant to the HIPAA Security Rule, covered entities must maintain secure access (for example, facility door locks) in areas where PHI is located. Allowing an unidentified individual to bypass a security entrance in this scenario violates the HIPAA Security Rule and exposes the MTF and its patients to a potential breach situation.

What enforcement actions may occur based on Janet's conduct?

A: Janet may be the subject of criminal charges if it is determined that her intent may have been to sell the General's information to a local tabloid for personal gain.
B: The MTF may be subject to civil money penalties based upon Janet's access and disclosure of the subject PHI being a HIPAA violation.
C: The General who was the subject of the disclosure may file a complaint with the MHS and/or HHS based on Janet's inappropriate conduct.
D: All of the above.

Show or Reveal the Answer

All of the above.

EXPLANATION: The correct answer is D. In this scenario, it is reasonable to find Janet's actions are egregious and would support the imposition of civil money penalties against the Valley Forge MTF and perhaps even result in criminal charges, if additional facts support that her intention was to experience personal gain from the use of the subject PHI. Additionally, a complaint for the HIPAA violation at issue in this scenario may be filed with the DHA Privacy Office, the MTF's Privacy Officer, and/or HHS.

How should John respond?

A: No. The Privacy Act does not pertain to research projects within DoD.
B: No. Privacy Act statements and SORNs are irrelevant in this case.
C: Yes. Privacy Act Statements and a SORN should both be considered prior to initiating the research project.
D: Yes. Privacy Act Statement should be considered but there is no need to worry about a SORN.

Show or Reveal the Answer

Yes. Privacy Act Statements and a SORN should both be considered prior to initiating the research project.

EXPLANATION: The correct answer is C. Thomas Martin is collecting and maintaining PII in a system of records, and will have the ability to retrieve information through the use of PII. Thus, the Privacy Act requires that a SORN be considered - there may be a DoD SORN that already exists that covers the data collection and can clearly apply to this effort, but if there is not one, a SORN will need to be put in place before the study begins. Privacy Act Statements must also be prepared, to provide to study participants during the interviews that are expected to be conducted as part of the study.

Major Edmund Randolph, an active member of the United States Air Force, recently discovered through a public notice that his PII is being maintained by the federal government in a system of records. Because Major Randolph is very diligent about safeguarding his personal information and is aware of how this information could be vulnerable, he is interested in obtaining a copy of his records and reviewing them for accuracy. Is Major Randolph able to obtain a copy of his records from the system of records and request changes to ensure that they are accurate?

A. No, even though the records at issue pertain to Major Randolph he is not entitled to a copy or request amendments.
B. Yes, pursuant to the Privacy Act, Major Randolph may obtain a copy of his records through the submission of a written request, but he is not able to request any changes to his records.
C. Yes, as an upstanding member of the United States Air Force, Major Randolph can gain access and request changes to any PII maintained by the federal government.
D. Yes, Major Randolph is able to request to inspect and copy his records and can request an amendment to correct inaccurate information.

Show or Reveal the Answer

Yes, Major Randolph is able to request to inspect and copy his records and can request an amendment to correct inaccurate information.

EXPLANATION: The correct answer is D. The Privacy Act, subject to some specific limitations, grants individuals the right to access and copy as well as the right to request an amendment to their records. If Major Randolph's PII is also part of his medical record, then he can also make a request to inspect and copy his records and can request to amend inaccurate information under the HIPAA Privacy Rule. These rights, however, under HIPAA and the Privacy Act, are held to differing response times and procedural requirements. DoD components must comply with DoD implementing issuances under both the Privacy Act and the HIPAA Privacy Rule, as applicable to the individual's request.

George is reminded of a conversation he overheard between two co-workers who were contemplating selling some old Valley Forge MTF computers instead of disposing of them through the MTF's IT department. With reason to believe Alexander is telling the truth as to the computers and PHI in his possession, what is the appropriate course of action for George?

A: George should refrain from doing anything because he learned of this information outside the workplace and does not have any IT responsibilities
B: George should ask Alex to review the PHI on the computers when he has a chance, so the two can then determine what to do the next time they meet for dinner
C: George should immediately report the possible breach to his supervisor and assist in providing any relevant information for purposes of the investigation
D: George should go online and see if he can get a good deal on any of the old computers which may still be for sale

Show or Reveal the Answer

George should immediately report the possible breach to his supervisor and assist in providing any relevant information for purposes of the investigation

EXPLANATION: The correct answer is C. DoD workforce members are required to promptly report all possible DoD breaches to their supervisor. Delays in breach reporting can result in additional, avoidable harm to both DoD and, more importantly, its patients. In this scenario the possible breach appears to be the result of the improper disposal of electronic media devices, a common cause of breaches, which could have been avoided through the use of proper disposal procedures.

Is Carla's time saving measure appropriate provided she only sends unencrypted emails on occasion?

A: Yes, because the security risks associated with an email transmission are minimal
B: No, because unencrypted emails containing PHI or PII may be intercepted and result in unauthorized access
C: Yes, because seeing patients in a timely manner is a priority for Carla and requires her to occasionally take shortcuts in other areas
D: No, because sending PHI in an unencrypted email can always result in a security breach

Show or Reveal the Answer

No, because unencrypted emails containing PHI or PII may be intercepted and result in unauthorized access

EXPLANATION: The correct answer is B. As we have learned, the actual or potential unauthorized access of PHI or PII constitutes a DoD breach. Encrypting e-mails is relatively simple and is required when sending an e-mail containing PHI or PII outside of the organization's network boundary. Other helpful best practices for preventing a possible breach include not sharing passwords, holding all conversations involving PHI or PII in private areas, and always logging off or locking your workstation when leaving it unattended.
