HITECH
Security
Breach notification
Notice of Privacy
Alphabet Soup
100
The law applies only to information kept in this format.
What is electronically?
100
You should do these routinely to identify any inappropriate access to information in your system.
What are audits?
100
Breaches which have the potential to cause this must be reported. (Note this may not reach final rule status!)
What is harm?
100
You must attempt to get this whenever you issue the notice to a patient.
What is a written acknowledgement?
100
PHI
What is Protected Health Information?
200
Per HITECH, you must achieve this in order to qualify for federal funds for EMR implementation and adoption.
What is meaningful use?
200
Although not required, this is a good idea to protect information at rest and in motion.
What is encryption?
200
Any breach of _____ or more must be reported to the media as well as to the patients involved.
What is 500?
200
Two places the Notice of Privacy Practices should be posted.
What is on the wall and on your website?
200
TPO
What is Treatment, Payment and Operations?
300
The HITECH rules were part of this law in 2009, also known as the Stimulus Law.
What is the American Recovery and Reinvestment Act, or ARRA?
300
Document one of these every year or two to show due diligence in attempting to comply with the security standards.
What is a risk assessment or gap analysis?
300
Breach reports of less than 500 must be made online by what date each year?
What is March 1?
300
The number of times you must reissue the notice of privacy practices to your patients, including if revised.
What is none?
300
BA
What is a Business Associate?
400
Under HITECH, these are now accountable for breaches of PHI, even though they are not healthcare providers.
What are Business Associates?
400
Two policies you should have that pertain to security of PHI.
What is (there are more than three): requirement for strong passwords; onboarding and terminating procedures; sanctions for improper access; training policies; social media policies; portable device policies; use of email and internet policies
400
You must do this if you have a breach with the potential to cause harm.
(There is more than one right answer) What is mitigate? What is inform the patient? What is investigate? Etc.
400
Three things your notice of privacy practices must include.
What is 1) how to file a complaint 2) how PHI will be used with your consent 3) how PHI may be used without your consent 4) your rights to amend, restrict, access, obtain an accounting, receive a copy 5) how to obtain a current copy of the notice.
400
CE
What is a covered entity?
500
HITECH proposes extending this requirement to disclosures within your agency or facility as well as to outside of it, for three years, despite the objections of AHIMA and others.
What is Accounting of disclosures?
500
This agency is charged with enforcing the privacy and security standards.
What is OCR (Office of Civil Rights)?
500
The most commonly reported breach on the DHS website.
What is lost or stolen laptop? (More than 8 million breaches total have been reported, 59% involving portable devices).
500
If you have more than ___ percent of your population that speaks a different language, you should translate the notice into that language, per TJC and CMS.
What is 5%?
500
OHCA
What is an Organized Healthcare Arrangement?