HIPAA 2018

Please complete the questions below AFTER watching the above video:
***Please write down your answers to the questions below and click here to submit them.

1. HIPAA Privacy & Security Rules dictate that:


a. Only practice managers must abide by and know the privacy & security rules.

b. All who come into contact with protected health information must be informed of the rules and regulations of HIPAA; however, it is up to them to decide which rules they need to apply, as not all of them are required.

c. HIPAA only applies to some healthcare workers.

d. All who may come into contact with protected health information must complete training on HIPAA policy, and documentation of completion must be made and kept as evidence.


2. What does HIPAA stand for?


a. Health Information Patient Accountability Act

b. Health Insurance Portability and Accountability Act

c. Hospital Informatics of Patient and Administration Aide

d. Healthcare Insurance for Patients Accepting Assignment


3. One of the primary purposes of HIPAA is to develop standards & requirements to protect the privacy & security of personal health information.


a. True

b. False


4. In the medical clinic, only the provider is responsible for knowing & complying with HIPAA policy.


a. True

b. False


5. Under the Privacy Rule it is:


a. A requirement to provide the NPP only to patients having a surgical procedure.

b. Necessary to provide the NPP to all patients; however, they only have to acknowledge receipt of it verbally.

c. Important to tell each patient verbally that you will not discuss their information with anyone.

d. Required that all patients are provided with the NPP and that a good-faith effort is made to obtain their written acknowledgement of receipt.


6. Where are the Notices of Privacy Practices (NPP) located at Plaza Del Rio Eye Clinic (both locations)?


a. At the front desk

b. In each exam room

c. In the waiting room

d. In the office manager's office

e. Both C and D are correct


7. At Plaza Del Rio Eye Clinic, when is the patient given the opportunity to acknowledge that they have been given the NPP?


a. When the appointment is scheduled.

b. All patients who show up for an appointment are already in agreement with the NPP.

c. When they sign the new patient form.

d. It is the patient's responsibility to ask for the NPP, so if they don't, it is their own fault.


8. A covered entity must have obtained a patient's acknowledgement of the NPP before it can use the PHI for its own treatment, payment, or healthcare operations.


a. True

b. False


9. When disclosing PHI to another covered entity you should:


a. Give them what they requested as well as all other information contained in the patient's chart.

b. Not disclose anything without the patient's signed medical records release.

c. Provide the minimum necessary to accomplish the intended purpose of the use or disclosure.

d. Call the patient and inform them of the information that is being sent.


10. The Privacy Rule allows "incidental" disclosures of PHI as long as the covered entity uses reasonable safeguards; this includes the use of a sign-in sheet.


a. True

b. False


11. The Security Rule requires that each medical office have which of the following:


a. A Security Officer

b. Risk Analysis

c. Risk Management

d. Sanction Policy

e. Information System Activity Review

f. Employee Security

g. All of the above


12. The Privacy Rule requires which of the following administrative safeguards?


a. A Privacy Officer

b. Training

c. Business Associates

d. Tracking

e. Violations

f. All of the above


13. It is only the responsibility of the security officer to understand how to keep PHI secure and to detect any incidents involving PHI.


a. True

b. False


14. A Security Risk Analysis is not only a requirement of HIPAA, but also a requirement of MIPS.


a. True

b. False


15. According to the Security Rule, it is permissible to send a patient's PHI (name, DOB, phone number, etc.) through work email or text messages to patients, their relatives, or other employees, as long as the information is requested directly by the patient or coworker.


a. True

b. False


16. Failure to comply with the HIPAA Privacy & Security Rules can lead to civil and criminal penalties for both individual employees and companies, including fines of up to 1.5 million dollars per year and up to 10 years of imprisonment.


a. True

b. False


17. Examples of PHI include:


a. Name, address, birthdate, SS#, email address

b. Medical records, diagnosis, treatment, test results

c. Billing records, research records, referral authorizations

d. All of the above


18. A woman calls; she is the best friend of a patient who just had cataract surgery. She asks you to find out the patient's prognosis. She can give you the patient's name, address, and date of birth. What should you do?


a. Ask the doctor how the patient is doing and pass the information along to the woman calling.

b. Log into Medflow and pass the information along to the woman.

c. Explain to the woman that it’s a violation of the patient’s privacy for you to give her any information, unless the patient has authorized it in writing.

d. None of the above.


19. State and Federal laws, as well as health system policy, require what form of patient information to be protected and remain confidential?


a. Written

b. Spoken

c. Electronic

d. All of the above


20. A 19-year-old college student has a semi-emergency eye injury that was sustained in a motor vehicle accident. While she is in the office, her father calls from Minnesota asking for information on her condition. You can:


a. Tell the patient’s father of her general condition and status, since she is considered a minor

b. Provide no information at all to her father

c. The patient is 18 or older, so you must obtain the patient's written consent to provide her general condition and status to her father

d. Both a and c


21. An elderly patient's child, who lives out of state, calls and is concerned about their parent's glaucoma. They ask you for a general update on how their parent is doing, and they are able to provide the patient's name, address, and date of birth. Can you disclose the patient's information to them?


a. Yes

b. No

c. Yes because the patient is elderly and forgot what the doctor told them during their exam.

d. Only if the child's name is listed in the patient's chart as someone we can discuss PHI with; I would have to check the records for this.


22. A co-worker is called away for a short errand and leaves the clinic PC logged onto the confidential information system. You need to look up information using the same computer. What should you do?


a. Log your co-worker off and re-log in under your own User ID and password.

b. To save time, just continue working under your co-worker’s User-ID.

c. Wait for the co-worker to return before disconnecting him/her, or take a long break until the co-worker returns.

d. Leave your co-worker’s computer logged on and find a different computer to use.


23. A patient calls and asks if you can e-mail or text them their prescription. They don't have a fax and did not set up an account on our secure portal; they are on their way to the location where they want the prescription filled and are in a hurry. What should you do?


a. Take a picture with your phone and text/e-mail it to the patient.

b. Log on to your personal/work e-mail account, send the patient the information, and then delete the e-mail.

c. Explain to the patient that it is against HIPAA regulations to do this, and that they would either have to come pick it up or create a secure portal account so you can send it through the portal, or you can fax it directly to the company filling the prescription.

d. Tell the patient that you would do it this one time.


24. Electronic access to patient information can be tracked back to your User ID and computer, including which documents were accessed and how long was spent accessing the records.


a. The statement is TRUE

b. The statement is FALSE

c. User ID and computer cannot be tracked.

d. None of the above


25. You are checking your personal/work e-mail and realize that you are still in the Allscripts window (the blue bar is at the top of the screen). What action should be taken?


a. Quickly log off of your e-mail, close the internet browser, exit the Allscripts window, and then check your e-mail outside of the Allscripts window.

b. It is okay to check your personal/work e-mail within the Allscripts window.

c. Check your e-mail really fast and be more careful the next time.

d. It's okay to check your work e-mail in the Allscripts window, just not your personal e-mail.


26. As long as it does NOT involve medical information, can I talk about patients with my family and friends, even if it has nothing to do with my job?


a. You may only talk about patients with your coworkers

b. You may only talk about the patients with your family and friends

c. You may discuss the patients with coworkers and family & friends

d. You may NOT discuss any patient information with anyone unless they need the information to do their job, or the disclosure is authorized by the patient


27. Which workstation security safeguards are YOU responsible for using and/or protecting?


a. User ID

b. Password

c. Logging out of programs that access PHI when you’re not using them

d. All of the above


28. You are working and suddenly have to step away from your desk for 1-5 minutes. Should you log out of Allscripts PM or Medflow?


a. No, it's only 1-5 minutes.

b. Yes, I should log out to protect patients' PHI from anyone who passes by my work area.

c. There is no need to log out as long as you minimize the PM or EHR screens.

d. I don’t know


29. A doctor's office calls and tells you that they need the records of a patient we referred to them. What should you do?


a. Get their fax number and send them the records.

b. Tell them that unless the patient signed a HIPAA medical records release, you cannot send them records.

c. Ask for the name of the doctor's office they are calling from and the name of the person calling, have them verify the patient's name and date of birth, fax the records to them, and document all of this information so that it can be scanned into the patient's chart.

d. Get the doctor’s name, fax the chart information, and shred everything after making sure that they received everything.


30. A lady calls stating that she has power of attorney and needs the records of a patient because the patient is relocating. What should you do?


a. Get her information and send the records to her because she has power of attorney.

b. Tell her that you cannot send her anything unless the patient signs a HIPAA records release.

c. Tell her that she would have to first sign our records release form as well as provide us with a copy of the power of attorney documents before anything can be released to her.

d. I don’t know.


31. What is malware?


a. It is software that is used to protect one's computer against viruses.

b. It is a device for checking mail.

c. It is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

d. None of the above.


32. What should you do if you suspect that your computer has a virus?


a. If a pop-up box appears on my screen stating that I have a virus and that I need to click on it to get rid of the virus, I will quickly click on it to get rid of the virus.

b. Search the internet for "how to get rid of a virus" information

c. Do nothing; it will eventually go away

d. Tell the office manager as soon as possible

