Test Your HIPAA Knowledge: Answers and Explanations

November 13, 2015

Are you HIPAA compliant or HIPAA complacent? Take our quick true-or-false quiz to see whether you are in good shape or at risk of an audit.

These questions and answers are from the original quiz to test your HIPAA knowledge.

Do you understand the ins and outs of HIPAA? With assistance from health IT firm HIPAA Risk Management, Medical Economics offers the following quiz to test your privacy and security knowledge.

Q1:
True or False: By calling out a patient’s name in my reception area, we are possibly violating HIPAA.

[Answer: False]

Covered entities, such as medical practices, may call out patient names in reception areas so long as the information disclosed is appropriately limited, according to the HIPAA Privacy Rule. Such incidental disclosures are permitted, however, only if you have implemented reasonable safeguards and applied the minimum necessary standard to what is said. So names are fine, but other medical information (the reason for the visit, a diagnosis, a test result) should not be made publicly audible.

Q2:
True or False: Using sign-in sheets at the front desk instead of calling out names exempts us from HIPAA.

[Answer: False]

The same rule applies as with calling out a patient's name: sign-in sheets are permitted under the HIPAA Privacy Rule, but safeguards must be in place. So the sign-in sheet may collect names, but no other medical information that others can see, e.g. the medical issue that brings the patient into the practice.

Q3:
True or False: Faxing protected health information to another physician is allowed under HIPAA.

[Answer: True]

If you are disclosing the information for treatment purposes and meeting the "minimum necessary" standard, you are well within HIPAA guidelines. The U.S. Department of Health and Human Services (HHS) advises that covered entities (such as medical practices) have in place "reasonable and appropriate administrative, technical, and physical safeguards" to protect the privacy of protected health information disclosed via fax. Examples include confirming the fax number prior to transmission and placing your fax machine in a secure location to prevent unauthorized access to incoming faxed records. Keep in mind that a fax sent to the wrong number is an impermissible disclosure, so a misdial can trigger the breach notification process.

Q4:
True or False: Encrypted computers ensure HIPAA compliance.

[Answer: False]

Encryption is just one step in protecting your practice's computers and the protected health information (PHI) they hold. Under the Security Rule, encryption of ePHI is itself only an "addressable" implementation specification; HHS requires many additional administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). Full-disk encryption protects data only on a device that is powered off or locked; it does nothing against malware, stolen credentials, or an unattended logged-in session, which the Security Rule's access control, audit, and workforce training requirements are there to address.

Q5:
True or False: HIPAA Security can be achieved solely through a risk analysis, a practice policy manual, and staff training.

[Answer: False]

Medical practices also need to develop and implement an action plan to manage and mitigate the risks identified, and to monitor, audit, and update security on an ongoing basis. Additionally, the practice's entire process, findings, and actions, including implementation and monitoring, must be documented. The Office of the National Coordinator for Health Information Technology (ONC) has updated its "Guide to Privacy and Security of Electronic Health Information" (bit.ly/ONC-HIPAA-help), which provides a seven-step approach for implementing a security management process in your practice.

Q6:
True or False: A simple checklist is not sufficient to meet the HIPAA risk analysis requirement.

[Answer: True]

Both HHS and ONC advise that while checklists are useful tools, particularly for starting a risk analysis in your practice, they fall short of constituting a systematic security risk analysis and do not document that the analysis has actually been performed. A risk analysis has to identify where ePHI is created, received, stored, and transmitted, the threats and vulnerabilities to it, and the likelihood and impact of each, and record the result.

Q7:
True or False: Healthcare providers can have confidential conversations with fellow providers or with patients, even if there's a possibility they can be overheard.

[Answer: True]

The HIPAA Privacy Rule doesn't prohibit physician conversations with other providers or with patients, according to HHS. The Privacy Rule recognizes that overheard communications in these settings may be unavoidable and allows for incidental disclosures of this kind, provided reasonable precautions are taken, such as lowering voices or stepping away from others where practical.

Q8:
True or False: Appointment reminders are allowed under HIPAA.

[Answer: True]

Appointment reminders are considered part of an individual's treatment under HIPAA and may be made without an authorization. They are still subject to the minimum necessary standard, so a voicemail, postcard, or text should carry only the information needed for the reminder (name, date and time, callback number), not the reason for the visit.

Q9:
True or False: My EHR vendor took care of my HIPAA Security.

[Answer: False]

An EHR vendor may provide information, assistance, and even training on the HIPAA Privacy and Security aspects of its products, but it is not responsible for making your practice compliant with the federal regulation. The responsibility to undertake a complete risk analysis and implement safeguards lies solely with the practice, according to ONC. A vendor that stores or processes your ePHI is a business associate with its own obligations under a business associate agreement, but that does not transfer the practice's obligations as a covered entity.

Q10:
True or False: My practice is HIPAA compliant because our policies and procedures were written by an attorney.

[Answer: False]

Policies and procedures are an important part of a practice's HIPAA security compliance program, but are not the only requirement for being in compliance. It is critical that practice policies and procedures accurately reflect your current technical and operational procedures. In most cases, template policies and procedures must be customized for your practice and require technical expertise in addition to regulatory knowledge.

Q11:
True or False: Medical practices are not required to notify patients by mail of changes to their Notice of Privacy Practices.

[Answer: True]

HHS notes that the HIPAA Privacy Rule doesn't require that a revised Notice of Privacy Practices, or notification of the changes, be sent by mail. The revised notice must, however, be made available upon request to patients or others after the effective date of the revision and be posted in a "clear and prominent location" at the practice. Providers must also ensure that the current notice (the one in effect at that time) is provided to patients at their first visit and is made available on the practice's website if one exists.

Q12:
True or False: Medical practices only need to do a risk analysis once to comply with HIPAA.

[Answer: False]

To comply with HIPAA, medical practices must continue to review, correct or modify, and update their security protections, according to HHS. Risk analysis is an ongoing process: it should be revisited periodically and whenever systems, operations, or the threat environment change, for example after adopting a new EHR, adding mobile devices, or moving to a new vendor.

Q13:
True or False: HIPAA allows a friend or family member to pick up a patient's prescription.

[Answer: True]

HHS states that a relative or friend arriving at a pharmacy for this purpose "effectively verifies" that this person is involved in the patient's care. The HIPAA Privacy Rule allows the pharmacist to distribute the prescription without receipt of a prior list of approved family members or friends.

Q14:
True or False: Cloud-based EHRs are exempt from HIPAA as there is no on-site storage of ePHI.

[Answer: False]

The HIPAA Security Rule applies to all individually identifiable ePHI wherever it is stored or transmitted, not just to information held in certified EHRs or on equipment in your office. This includes appointment information, billing records, transcription, test results, imaging, and other electronic data transmitted from or stored on devices in your practice, as well as data held for you by a cloud provider. A cloud vendor that stores or processes your ePHI is a business associate and must sign a business associate agreement, and the practice remains responsible for including that cloud service in its risk analysis.

Q15:
True or False: Non-participation in CMS' Meaningful Use program also means exemption from having to do a HIPAA risk analysis.

[Answer: False]

As with cloud-based storage, the HIPAA Security Rule applies to all identifiable ePHI, not just that contained in certified EHRs. Appointment information, billing records, transcriptions, test results, and other electronic data transmitted or stored on devices in your practice require HIPAA compliance regardless of whether you participate in the Medicare or Medicaid EHR Incentive Programs. Meaningful Use attestation adds its own requirement to conduct a risk analysis, but the Security Rule requirement exists independently of it.

Q16:
True or False: Small medical practices have to comply with the same rule as larger provider systems.

[Answer: True]

While the size of the practice, types of computer systems, and resources may determine what types of security technology and processes are reasonable and appropriate for the individual practice, all covered entities have to comply with the same set of regulations, standards, and implementation specifications contained in the HIPAA Security Rule.