HIPAA: Are You an Expert or a Flunky?
See if your knowledge of the Privacy and Security Rules is a help or a hindrance to your practice’s compliance.
Take this quiz and then score yourself to find out if you are a HIPAA expert, a HIPAA flunky, or somewhere in between.
(Note: You will not earn any continuing education units (CEUs) for taking this quiz. It is just for the satisfaction and fun of testing your HIPAA knowledge.)
Test Your HIPAA Knowledge
1. Today, what describes “HIPAA Rules” best?
a. The Health Insurance Portability and Accountability Act of 1996
b. The Privacy, Security, and Breach Notification Rules
c. The HIPAA Final Rule, which took effect Sept. 23, 2013
d. The Health Information Technology and Clinical Health Act (HITECH) of 2009
2. A business’ Notice of Privacy Practices is required to be:
a. Posted in the waiting room in plain sight
b. Available as a handout for any patient who requests a copy
c. On the practice’s website
d. All of the above
3. HIPAA training for a medical practice’s staff is required:
a. Upon hire
d. Upon hire, and whenever policies and procedures are updated that impact how staff protect privacy while doing their jobs
4. HIPAA training at a private practice is required of:
a. Staff and volunteers, with the exception of minors
c. Physicians and other qualified healthcare professionals
d. The entire workforce
5. How many new patient rights are there under HITECH, and what are they?
a. Two: Right to request protected health information (PHI) not be shared with your insurer when you pay in full; and Right to be notified of a breach.
b. Two: Right to privacy; and Right to integrity of data.
c. Six: Right to access, copy, and inspect their record; Right to amend; Right to accounting of certain disclosures; Right to request privacy protections; Right to complain about alleged violations; and Right to be notified when a breach occurs.
d. Six: Right to privacy; Right to integrity of data; Right to complain; Right to edit their medical record; Right to request confidentiality; and Right to be notified of a breach.
6. HIPAA documentation must be maintained by a practice for how many years?
7. HIPAA is enforced by:
a. Centers for Medicare & Medicaid Services (CMS)
b. Office of Inspector General (OIG)
c. Office for Civil Rights (OCR)
d. False Claims Act (FCA)
8. A covered entity is which of the following?
a. Any provider who sends claims electronically
b. Any provider who sends hard-copy claims
c. Any provider
d. Any provider who sees Medicare patients
9. Which is most likely not a HIPAA violation?
a. Charging a patient a $50 fee for a copy of their five-page medical record
b. Allowing a patient to amend their record
c. Sending an unsecured email that contains PHI without the patient’s permission
d. Leaving a detailed message with the patient’s administrative assistant that contains PHI
10. Which is a HIPAA violation?
a. Sending a claim to an insurance company after a patient self-pays in full and requests no disclosure of their PHI to their insurance company
b. Restricting communication according to the patient’s instructions on a “confidential communication” form
c. Faxing an encounter form and copy of a patient’s insurance card to the practice’s billing company
d. Mailing medical records to a patient’s primary care physician from a specialist’s office
11. Under HIPAA, which is a permissible use of a practice’s mailing list?
a. Providing it to a drug company for a mass mailing of marketing materials
b. Selling it for a fair market rate
c. Anything you want, as long as patients provide verbal authorization
d. To use PHI for a purpose not explicitly allowed for in the rule, written approval from each patient is required
12. The maximum fine HIPAA can impose on a physician, per violation, in a year is:
13. The highest category of fine imposed for a specific violation of HIPAA is:
a. Willful neglect – not corrected within 30 days
b. Willful neglect – corrected within 30 days
c. Did not know
d. Reasonable cause
14. Inpatient-based physicians who “borrow” or work under the Notice of Privacy Practices from the covered entity where they see patients are referred to by HIPAA as:
a. Occupational Safety and Health Administration (OSHA)
b. Covered entity
c. Organized Health Care Arrangement (OHCA)
15. For OCR enforcement under HIPAA, business associates are:
a. Only liable “downstream” from a covered entity
b. Directly liable
c. Always equally liable with covered entity
d. Exclusively liable
16. Which is not typically considered a business associate?
b. Document storage company
c. Janitorial service
d. Electronic health record (EHR) vendor
17. An organization or individual will be considered a business associate under HIPAA if they create, receive, maintain, or transmit which of the following to do their job?
a. Medical records
c. Hospital records
d. Insurance information
18. Which is not a type of safeguard that must be addressed in a practice’s security risk assessment?
19. The highest HIPAA civil monetary penalty (CMP) imposed to date is which amount?
a. $1.5 million
b. $2.4 million
c. $3.5 million
d. $4.3 million
20. Covered entities that settle with the federal government over potential HIPAA violations are often required to enter into which of the following?
a. Consent decrees, with no admission of guilt
b. Settlements with resolution agreements, requiring a monitoring period of 2-3 years
c. Corrective action plans that last 20 years
d. Notices of apology and consumer credit card reporting
21. How many CMPs have been imposed against covered entities since 2003 when HIPAA first went into effect?
Answers
1. B: The Privacy, Security, and Breach Notification Rules are the regulations promulgated by the U.S. Department of Health and Human Services’ (HHS) OCR to implement the laws, which are now both HIPAA of 1996 and HITECH of 2009.
2. D: HIPAA requires a practice to provide the notice three ways: posted in the office, available for patients who come in, and on their website.
3. D: HIPAA requires training within a reasonable amount of time after someone joins the practice, and whenever business practices change. It’s worth noting, however, that OCR auditors typically ask for records of annual training.
4. D: HIPAA requires practices to train their workforce. The OCR operationalizes the definition of workforce members broadly to include all full-time and part-time employees, volunteers, etc.
5. A: HITECH added the right to restrict PHI from going to an insurer when the patient pays for the item or service out-of-pocket and in full. HITECH also added the Breach Notification Rule, which requires affected individuals to be notified when a breach of their PHI occurs.
6. C: HIPAA Rules require all documentation showing compliance with HIPAA to be maintained for six years after the date it was last in effect.
7. C: The Office for Civil Rights, which is in charge of ensuring individuals’ civil rights are maintained, enforces the Privacy, Security and Breach Notification Rules.
8. A: HIPAA was originally passed as a simplification rule, and targeted electronic transactions. The privacy and security portions were tacked onto the simplification of those electronic standards. HIPAA only applies to covered entities who conduct standard healthcare transactions electronically.
9. B: The patient has a right to amend their medical record. The other options are all allowed in certain circumstances, but are likely hard to justify.
10. A: Under HIPAA, a patient who pays in full, out-of-pocket, has the right to request no disclosure of their PHI to their insurance company.
11. D: Authorizations must be in writing and contain certain elements to use PHI for a purpose not explicitly allowed for in the rule (Treatment, Payment, or Operations).
12. D: HITECH allowed for increasing penalties up to $1.5 million per year, per violation. This was increased in late 2016 to $1.6 million for inflation adjustment.
13. A: HITECH increased enforcement in penalties surrounding “willful neglect.” Discretion is allowed in cases where the willful neglect is corrected within 30 days.
14. C: An OHCA is a clinically integrated care setting in which individuals typically receive healthcare from more than one healthcare provider. When organized in this manner, covered entities are allowed to work under the same Notice of Privacy Practices.
15. B: HITECH changed applicability of the HIPAA Rules to include business associates, who can now be audited, fined, etc.
16. C: HITECH clarified that certain entities, such as EHR vendors and document storage companies, must be considered business associates when they create, receive, maintain, or transmit PHI on behalf of a covered entity. Subcontractors are considered business associates if they fit the definition.
17. B: Under HIPAA, the definition of a business associate is a person or entity who, on behalf of a covered entity or an OHCA, creates, receives, maintains, or transmits PHI for a function or activity regulated by the Privacy Rule.
18. B: The HIPAA Security Rule requires that administrative, technical, and physical safeguards be addressed and implemented.
19. D: The HHS OCR fined Cignet Health of Maryland a CMP of $4.3 million for failing to comply with the patient rights under the Privacy Rule in October 2010. There have been higher settlement amounts, but Cignet was the highest CMP to date.
20. B: Most HIPAA enforcement actions levied since 2009 have included Resolution Agreements, which require the entity to put in place various safeguards and controls, and report progress to the federal government, with compliance for 2-3 years.
21. B: There were only three times since 2003 when OCR proceeded with CMPs against an organization for HIPAA violations, instead of settling.
How Well Did You Do?
If you got 100 percent, you’re a HIPAA expert! If you’re not already your practice’s HIPAA privacy or security officer, you may want to consider applying for the job.
If you answered 16-20 questions correctly, you are on the right track. Your knowledge of HIPAA is about average. Most likely, you’re not causing concerns for your practice. However, there may be more expertise you can attain.
If you answered 15 or fewer questions correctly, you may not want to admit it to anybody. We’d recommend immediate training in the essentials of HIPAA before you put yourself and your practice at risk.