Regulations
Breaches and Preventive Measures
Noun
Patient Privacy
Class Freebies
100

A goal of the American Recovery and Reinvestment Act, also known as the “stimulus bill”, was to promote the adoption and meaningful use of health information technology.

In what year was the Act signed into law and under which president?

What is 2009 and President Barack Obama?
100

This is a technique for transforming information in such a way that it becomes unreadable.

What is Encryption?
100

In EHR system training, the trainer relies on these individuals to help their fellow trainees in the training process. These individuals are quick to grasp the learning material and are therefore valuable resources in helping to train others.

What are super users or practice managers?
100

This is an individual’s ability to control the disclosure of personal facts.

What is privacy?
100

What is the most difficult challenge when software and hardware from different vendors try to communicate and share data?

What is Lack of Interoperability?
200

What new regulation was enacted on March 26, 2013 that modifies the requirements of HIPAA of 1996 and strives to enhance the protection of health information?

What is the HIPAA Omnibus Rule, also known as the Final Rule?
200

What is an authentication method designed to reduce the number of times a user gets prompted to log on to different systems?

What is Single Sign-On?
200

**DAILY DOUBLE**



There are two types of errors, one of omission and one of commission. Identify the type of error that occurs when a person performs a task incorrectly or does something they should not.

What is an error of Commission?
200

This is known as any oral or recorded information relating to the past, present, or future physical or mental health of an individual, the provision of health care to the individual, or the payment for the health care of the individual.

What is PHI (protected health information)?
200

There are 14 usability principles for the design of EHR systems. Name at least three principles.

What are consistency, minimalist, flexibility, closure, documentation, visibility, memory, message, reversibility, match, feedback, error, and control?
300

**DAILY DOUBLE**



This HIPAA rule does not apply to written and oral communications.

What is the Security Rule?

Important Note: The Security Rule is specific to electronic protected health information (e-PHI). In contrast, the requirements of the Privacy Rule apply to all forms of PHI, including written and oral.

It should be noted that e-PHI also includes telephone voice response and faxback systems, because they can be used as input and output devices for electronic information systems. E-PHI does not include paper-to-paper faxes, video teleconferencing, or messages left on voice mail, because the information being exchanged did not exist in electronic form before the transmission.

300

This is a step-by-step documented history of events that enables IT or compliance personnel to track and identify the cause of a breach, such as unauthorized access or misuse.

What is an audit trail?
300

The following are examples of entities that are responsible for abiding by the HITECH Act:

*Person who receives, maintains, or transmits PHI for claims processing or administration, data analysis, utilization review, quality assurance, patient safety activities, billing, or practice management, or who provides legal, accounting, consulting, and data aggregation services

*Health Information Organizations (HIOs)

*E-prescribing gateway

*Person that provides data transmissions with respect to PHI to a covered entity and also requires routine access to the PHI.

*Person that offers a personal health record to one or more individuals on behalf of the covered entity

*Subcontractor that creates, receives, maintains, or transmits PHI on behalf of a BA.

*Vendors of personal health records.

What are Business Associates?
300

On a visit to a medical facility, a patient receives this notice, which summarizes the facility’s privacy policies, explains how it will use and disclose the patient’s health information, and requires a signed acknowledgement of receipt from the patient.

What is the Notice of Privacy Practices?
300

Providers need to show they’re using a certified EHR system in ways that can be measured significantly in quality and quantity. What is this known as?

What is meaningful use?
400

Civil monetary penalties for the reckless or knowing disclosure of identifiable patient information are established under this act.

What is Subtitle D of the HITECH Act?
400

The HITECH Act requires a PHI breach to be posted on the website of the Department of Health and Human Services if it affects this number of individuals.

What are 500 or more individuals?
400

Name the government entity that enforces HIPAA's rules and regulations.

What is the Office of Civil Rights (OCR)?
400

Below are examples of instances in which PHI is released.

*Use and disclosure for marketing purposes.

*Use and disclosure that involve the sale of Protected Health Information.

*Use and disclosure of psychotherapy notes.

What is required from the patient prior to facilities releasing the information?

What is an authorization or signed consent form from the patient?
400

This meaningful use core objective requires providers to give patients an electronic copy of their health information within 3 business days.

What is the Meaningful Use Core Objective 12?
500

Defined as Business Associates, Patient Safety Organizations (PSOs) were established as part of this Act.

What is the Patient Safety and Quality Improvement Act of 2005 (PSQIA)?
500

The HIPAA Security Rule requires covered entities to implement what three categories of safeguards that act as security measures to protect e-PHI?

What are Administrative, Physical, and Technical safeguards?
500

This organization suffered the single greatest security breach yet recorded, on Sept. 3, 2011, involving the compromise of 4,901,432 patient records.

What is Tricare?
500

Under the HIPAA Privacy Rule, consent is made by an individual for the covered entity to use or disclose individually identifiable health information for these three purposes:

What are Treatment, Payment, or Operations?

Explanation: This is different from consent for treatment, which many providers use, and which should not be confused with the consent for use or disclosure of individually identifiable health information. Consent for use and/or disclosure of individually identifiable health information is optional under the Privacy Rule, although it may be required by state law, and may be combined with consent for treatment, unless prohibited by other law.

500

**FINAL JEOPARDY**



What acronym describes the concept where employees expect to use their personal smartphones and mobile devices to access PHI at work?

HINT: Restaurants have a similar acronym for beverages.

What is BYOD (Bring Your Own Device)?