As we mentioned in the course introduction, covered entities can be institutions, organizations, or persons, and include the following:
Non-covered entities are not subject to HIPAA regulations. However, the American Medical Association (AMA) now requires non-HIPAA-covered entities to protect sensitive Patient Health Information (PHI) they collect. The law requires that they ensure the products or services they use don’t compromise patient privacy. Examples include:
To determine your covered-entity status, visit the Centers for Medicare and Medicaid Services (cms.gov).
1. Which of the following is one of the four categories of covered entities that must comply with HIPAA regulations?
a. Public health authorities

Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include the following:
Using electronic technology, such as email, does not mean a health care provider is a covered entity; the transmission must be in connection with a standard transaction.
The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf. Health care providers include all "providers of services" (e.g., institutional providers such as hospitals) and "providers of medical or health services" (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.
2. Which of the following is considered a covered entity regardless of its size?
a. Health care plan

The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI), as explained in the Privacy Rule. The Security Rule protects the information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information "electronic protected health information" (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
Specifically, covered entities must:
3. Covered entities must ensure the confidentiality, integrity, and availability of all electronic protected health information (e-PHI) _____.
a. transmitted orally or in writing

The Security Rule defines "confidentiality" to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI.
Let’s take a look at a scenario about disclosing information to others inappropriately.
Situation: Joan works in a cardiology practice. The physicians in the practice admit patients to a local hospital. Joan schedules a hospital admission for a friend, Nell, who attends the same church as Joan. At church the following Sunday, several members ask Joan if she knows anything about Nell’s condition. How should Joan respond?
Response: Joan must not disclose any information about Nell that she obtained as a result of her work in the cardiology practice, not even to her own family or friends. Joan should politely inform the concerned church members that federal law prohibits sharing confidential information about patients without their express permission.
4. The Security Rule defines "confidentiality" to mean that e-PHI is _____.
a. withheld from external covered entities

The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule:
HHS (the Department of Health and Human Services) recognizes that covered entities range from the smallest provider to the largest multi-state health plan. Therefore, the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.
Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:
Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.
5. Under the Security Rule, _____ means e-PHI is not altered or destroyed in an unauthorized manner.
a. portability

The Administrative Safeguards provisions in the HIPAA Security Rule require covered entities to perform a risk analysis as part of their security management processes.
A risk analysis process includes, but is not limited to, the following activities:
Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.
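The paragraph above says a covered entity should regularly review its records to track access to e-PHI and detect security incidents. The following is an added illustration of what such a review can look like in practice; it is not part of this training material and does not come from HHS. The audit-record format, the role-to-action policy, the business-hours window, and the bulk-access threshold are all assumptions chosen for the example, and the log lines are constructed.

```python
"""Review e-PHI access audit records and flag events that warrant follow-up.

Added example (not from the training page). The record format, the
role-based policy, and the thresholds below are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy: which actions each workforce role may perform on e-PHI.
# Mirrors the "minimum necessary" idea: billing and front-desk staff can look
# up records for their job but should not be changing or exporting them.
ROLE_PERMITTED_ACTIONS = {
    "physician": {"view", "update", "export"},
    "nurse": {"view", "update"},
    "billing": {"view"},
    "front_desk": {"view"},
}
# Assumed: non-clinical roles are expected to work only during business hours.
BUSINESS_HOURS_ONLY_ROLES = {"billing", "front_desk"}
BUSINESS_START, BUSINESS_END = 7, 19  # 07:00 to 19:00 local time
# Assumed: one user opening this many distinct patient records inside the
# window looks like bulk browsing rather than normal work and gets flagged.
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5

# Constructed audit records (one per line) in an assumed key=value layout.
SAMPLE_AUDIT_LOG = """\
2024-03-04T09:12:03 user=dr_patel role=physician patient=P1001 action=view workstation=WS-CARD-02
2024-03-04T09:13:40 user=dr_patel role=physician patient=P1001 action=update workstation=WS-CARD-02
2024-03-04T10:02:55 user=jsmith role=billing patient=P2002 action=view workstation=WS-BILL-01
2024-03-04T10:05:19 user=jsmith role=billing patient=P2002 action=update workstation=WS-BILL-01
2024-03-04T11:30:00 user=tmoore role=front_desk patient=P3001 action=view workstation=WS-FD-01
2024-03-04T11:31:10 user=tmoore role=front_desk patient=P3002 action=view workstation=WS-FD-01
2024-03-04T11:32:25 user=tmoore role=front_desk patient=P3003 action=view workstation=WS-FD-01
2024-03-04T11:33:40 user=tmoore role=front_desk patient=P3004 action=view workstation=WS-FD-01
2024-03-04T11:35:05 user=tmoore role=front_desk patient=P3005 action=view workstation=WS-FD-01
2024-03-04T22:47:11 user=jsmith role=billing patient=P2002 action=view workstation=WS-BILL-01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+) workstation=(?P<ws>\S+)$"
)


def parse_audit_log(text):
    """Parse audit lines into dicts, sorted by timestamp; reject malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable audit record: {line!r}")
        rec = match.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def review_access_log(text):
    """Return (timestamp, user, reason) findings for the security official to triage."""
    events = parse_audit_log(text)
    findings = []

    # Per-event checks: role/action policy and after-hours access.
    for e in events:
        allowed = ROLE_PERMITTED_ACTIONS.get(e["role"], set())
        if e["action"] not in allowed:
            findings.append((e["ts"], e["user"],
                             f"action '{e['action']}' not permitted for role '{e['role']}'"))
        if e["role"] in BUSINESS_HOURS_ONLY_ROLES and not (BUSINESS_START <= e["ts"].hour < BUSINESS_END):
            findings.append((e["ts"], e["user"], "e-PHI access outside business hours"))

    # Per-user check: distinct patient records opened within a sliding window.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    window_minutes = int(BULK_WINDOW.total_seconds() // 60)
    for user, user_events in by_user.items():
        for i, start in enumerate(user_events):
            in_window = [x for x in user_events[i:] if x["ts"] - start["ts"] <= BULK_WINDOW]
            distinct = {x["patient"] for x in in_window}
            if len(distinct) >= BULK_THRESHOLD:
                findings.append((start["ts"], user,
                                 f"{len(distinct)} distinct patient records opened within {window_minutes} minutes"))
                break  # one finding per user is enough to start an investigation

    return sorted(findings)


if __name__ == "__main__":
    for ts, user, reason in review_access_log(SAMPLE_AUDIT_LOG):
        print(f"{ts.isoformat()} {user}: {reason}")
```

Run against the constructed log, the review flags three events: a billing user updating a record, a front-desk user opening five different patient records in a few minutes, and a billing user viewing a record late at night. None of these is proof of a violation on its own; they are the items the security official reviews as part of the ongoing risk analysis described above, and the thresholds would be tuned to the practice's actual workflows.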
6. As required by the HIPAA Security Rule, which of the following must be accomplished by a covered entity as part of their security management processes?
a. A safety inspection

There are several administrative, physical, and technical safeguards that should be put into place to protect the security of e-PHI.
Administrative Safeguards. Here are a few examples of recommended administrative safeguards:
Physical Safeguards. Here are examples of physical safeguards that can be implemented:
7. Which of the following is an example of an Administrative Safeguard to protect the security of electronic protected health information (e-PHI)?
a. Designate a security official responsible for policies and procedures

Technical Safeguards. Here are examples of technical safeguards that can be implemented to protect e-PHI:
If a covered entity knows of an activity or practice of the business associate that constitutes a material breach or violation of the business associate’s obligation, the covered entity must take reasonable steps to cure the breach or end the violation. Violations include the failure to implement safeguards that reasonably and appropriately protect e-PHI.
8. Which of the following technical safeguards ensures e-PHI is not improperly altered or destroyed?
a. Access Controls

HIPAA provisions require covered entities to develop and maintain policies, procedures, and documentation to comply with the Security Rule. A covered entity must:
9. How long must written security policies, procedures, and records of required actions, activities or assessments be maintained by covered entities?
a. A minimum of five years from date of creation

In general, state laws contrary to the HIPAA regulations are preempted by the federal requirements, which means the federal requirements will apply. "Contrary" means it would be impossible for a covered entity to comply with both the state and federal requirements, or the provision of state law is an obstacle to accomplishing the full purposes and objectives of the HIPAA provisions.
If a covered entity’s employees and/or volunteers do NOT follow the rules set out by HIPAA, the federal government has the right to do the following:
Unintentional HIPAA violations could result in monetary penalties. HHS may not impose a civil money penalty under specific circumstances, such as when a violation is due to reasonable cause, did not involve willful neglect, and the covered entity corrected the violation within 30 days of when it knew or should have known of the violation.
Knowingly making unauthorized disclosure of PHI, intentionally selling information, and offenses that include false pretenses may result in substantial fines ($50,000 - $250,000) and/or imprisonment. The U.S. Department of Justice will enforce the criminal sanctions.
10. If a covered entity cannot comply with both state and federal HIPAA requirements, the covered entity _____.
a. must comply with federal requirements