HIPAA is applicable primarily to these entities.
What are Covered Entities? For an extra 100 points: business associates too!
Business associates must obtain contracts with these entities.
What are subcontractors?
HIPAA Security refers to what.
What are electronic versions of PHI, and how to protect them?
The name of the person you should ask compliance questions of.
Who is your Privacy Officer or Security Officer for ePHI?
My predecessor's daughter has this interesting compliance name.
Who is ERISA?
These contracts are required to be signed with all self-funded health plan clients.
Business Associate Agreement
This controls the majority of HIPAA obligations for a business associate.
What is a Business Associate Agreement?
Lisa Nelson
Who is the Leavitt Group Health Plan HIPAA Privacy Officer?
The location where you can find HIPAA compliance resources.
What is the Shared Drive and intranet?
Orange
Knock knock, who's there?
This standard requires those using and disclosing PHI to do so using the least amount of PHI required to get the task done.
What is the minimum necessary standard?
If sending an email with PHI to the wrong recipient, this is what I must do.
What is notify the Privacy Officer who will take any necessary action?
I must click which button to ensure emails with PHI and PII are sent secure.
What is the encrypt button?
Sample business associate agreements can be found here.
What is the EB Resources Center HIPAA folder - internal?
To get to the other side.
Why did the chicken cross the road?
A method used to remove identifiers from PHI so that the PHI can then be used without an authorization form.
What is de-identification?
I must obtain this in order to share PHI with a third party that is not the owner of the PHI.
What is an authorization form?
True or false: Data warehouses or cloud-based storage do not need a Business Associate Agreement.
False. If storing or using PHI or PII, a subcontractor BAA is recommended.
This person will review changes to the BAA.
Who is your HIPAA Privacy Officer Lisa Nelson?
True or False: You cannot snore and dream at the same time.
False
Self-funded plans, including self-funded components (e.g., some HSA, HRA, EAP & FSA), must comply with HIPAA by doing (at least) the following five things. Whoever gets the most wins!
1. Risk Assessment
2. HIPAA Policies & Procedures
3. Documented HIPAA training
4. Business Associate Agreements
5. Authorization Form
I must do this biannually to help my agency comply with HIPAA.
What is training?
Double-checking the recipient's email address and considering whether the message makes sense/is spelled correctly.
What are things to consider when receiving emails with attachments in order to avoid phishing scams?
This is required in order for carriers to share PHI with the Plan.
What is the standards clause or HIPAA plan certification?
HIPAA-Crite
What do you call someone who wants to keep their information private but overshares others'?