What law sets national standards for protecting patient health information?
HIPAA: Health Insurance Portability and Accountability Act.
What are the two pieces of information you must always verify before discussing patient details?
Patient’s full name and date of birth.
Two patients have the same name. You accidentally open the wrong chart. What is your next step?
Stop immediately and verify DOB before documenting anything.
Where do you check to see who is legally allowed to receive information about a patient?
The consent form in Ethizo.
What is acceptable to leave on a voicemail?
Office name, your name, and callback number only. No PHI.
What two major rules does HIPAA include that protect paper and electronic PHI?
Privacy Rule and the Security Rule.
You are speaking with a caller who claims to be the patient’s family member. What is the first thing you must do?
Verify the patient’s DOB and obtain verbal consent directly from the patient.
You accidentally place a note in the wrong chart but catch it right away. What must happen?
Notify your manager, document the error, and request removal of the incorrect note.
If a patient says “only release information to me personally,” what must you avoid?
Talking to anyone without verifying patient consent.
Is texting PHI allowed?
No — only use secure systems like Teams, company email, or Ethizo Chat.
Which rule requires you to share only the information needed to complete the task?
Minimum Necessary Rule.
A patient’s spouse answers the phone and begins asking for medical information. You recognize the spouse is not on the consent form. What should you say?
"I’m sorry, I can’t share information because you’re not listed on the consent, but is the patient available to verify their DOB and provide consent?"
You created a task for the patient's spouse in the patient’s chart. The spouse is on the consent form. Is this a HIPAA violation?
Yes, this would be considered a Documentation Error and is a HIPAA violation.
A caller begins providing medical updates about the patient. Before engaging, what must you confirm?
The caller’s identity and relationship to the patient, and verify the patient's name and DOB.
What should you always do before sending emails or faxes?
Slow down and double-check addresses, attachments, and numbers.
What is the proper response if you overhear coworkers discussing patient info in a hallway?
Respectfully redirect the conversation to a private area.
How long is verbal consent valid for?
Only for the duration of that specific call. This should be followed up with written consent from the patient. Make sure to document the consent in the patient's chart.
An MA accidentally inserts a spouse’s medication refill request in the husband’s chart. What could this lead to?
A HIPAA breach due to inaccurate medical documentation and PHI placement.
How should you communicate professionally when a caller is not authorized?
“I’m sorry, I can’t share that information, but is the patient there to verify consent?” Then offer to send a written consent form to the patient to complete or add to.
What should you NEVER do when getting rid of printed PHI such as EOBs?
Put them in regular trash. They must be shredded.
If you’re unsure whether something is a HIPAA violation, what should you do?
Ask your Direct Supervisor, report, and don’t guess.
A patient is having trouble hearing and hangs up before DOB is confirmed. What should you not do when you call back?
Skip Name and DOB verification.
What tool helps prevent charting errors by requiring employees to stop and re-confirm patient identity?
The “5-Second Rule” verification checklist.
You speak with an authorized contact, but they fail DOB verification. What must you do?
Ask them to reverify the patient's name and DOB. If incorrect, decline to share information and request that the patient verify instead.
What are three of the 18 personal identifiers, besides the patient's name and DOB?
18 Patient Identifiers
Name
All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
All elements of dates including birth date, admission date, discharge date, or date of death. Exact age of a patient older than 89 must be categorized into "90+".
Telephone numbers
Fax Numbers
Electronic mail addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers, including finger and voice prints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic, or code.