HIPAA Privacy Test Overview

We have developed a short test as an adjunct to your HIPAA training. The test has 22 questions and should take approximately 10-20 minutes to complete. It may be used in many ways:

  1. A pre-test to assess the base level of your staff’s HIPAA knowledge.
  2. A post-test to assess the effectiveness of your training.
  3. Print off the final test for each employee and place it in his/her employment file to demonstrate HIPAA training/competence.
  4. A training tool to assure coverage of many pertinent HIPAA issues.
  5. A self-test to assess learning and identify areas that need more training.

As the employer, you may determine how, when, or if this test is to be used and the passing score. You may also use this test as a template upon which to develop your own organization-specific test.

HME HIPAA Privacy Test – Begin

  1. When a patient requests copies of his/her medical records:
     A. I can set the rate at any amount I choose
     B. I can charge $1.00 per copy
     C. I can charge reasonable cost-based fees
     D. I can charge for retrieval as well as copying fees for retrieval
  2. When a patient requests access to his/her medical records:
     A. I always have to provide the complete record
     B. I can provide a summary if I think it is too difficult for the patient to interpret
     C. I need to have the requestor agree on charges for the summary in advance
     D. B and C
  3. A copy of an authorization:
     A. Is okay, if legible
     B. Is never acceptable
     C. Is acceptable if all elements are included
     D. Must be notarized
  4. An authorization can be revoked:
     A. Only within 30 days of the original authorization
     B. By telephone request
     C. Under no circumstances—once authorization is given, it cannot be revoked
     D. If the requested action has NOT already been taken
  5. Patient complaints must first be filed with the HME provider’s office.
     A. True ____
     B. False ____
  6. If the Secretary of Health and Human Services (HHS) validates a complaint originating from my HME facility:
     A. The Secretary of HHS just makes recommendations to the provider
     B. There can be a $100 penalty per complaint
     C. Nothing will happen unless harm to the patient is proven
     D. It may result in a compliance review
  7. My HME facility can respond to a request to amend a record:
     A. When I get around to it
     B. Within 90 days
     C. Only if deemed to affect a patient’s care
     D. Within 60 days
  8. An HME facility can refuse to amend the record:
     A. Under NO circumstances
     B. If you do not find it necessary for patient care
     C. Only if it doesn’t affect insurance coverage
     D. Under specific circumstances
  9. The Notice of Privacy Practices (NPP) must be:
     A. Given to each patient at the first visit
     B. Posted on my Web site, if I have one
     C. Posted in the office
     D. All of the above
  10. If I forget to give a Notice of Privacy Practices (NPP) to a patient:
     A. It’s no big deal
     B. I can give it to him at the next visit
     C. I can give it to a friend to take to him
     D. I have to mail it on the date of service and document my actions
  11. Once the Notice of Privacy Practices (NPP) is written:
     A. It can’t be changed
     B. It can be changed if I have reserved this right in my notice
     C. It has to be updated at least every year
     D. I don’t have to worry about it any more
  12. Protected health information (PHI) can ONLY be given out after obtaining written authorization.
     A. True ____
     B. False ____
  13. If a non-authorized disclosure of protected health information (PHI) is made:
     A. I must keep a record of this for six years
     B. I must give the patient a full accounting upon proper request
     C. There is no such thing as a non-authorized request
     D. A and B
  14. If a patient wants to request a restriction on the disclosure of his/her protected health information (PHI):
     A. I have to agree to it
     B. It must be in writing
     C. It can be retroactive to cover information already released
     D. The patient cannot restrict disclosure of his PHI
  15. Staff must be trained:
     A. Annually
     B. Initially
     C. Once is enough, and it doesn’t matter when
     D. A and B
  16. Other than office staff:
     A. No one else needs to be trained about HIPAA
     B. Casual employees do not need to be trained about HIPAA
     C. Contract staff, such as cleaning crews, do not need to be trained about HIPAA
     D. Everyone who works in an HME facility, including unpaid volunteers, contract employees, and casual laborers, must be trained or show documentation of training about HIPAA
  17. A privacy officer should conduct the following steps:
     A. Identify the internal and external risks of disclosure of protected health information (PHI)
     B. Create and implement a plan to reduce the risk of releasing PHI in those areas identified
     C. Train all personnel on the organization’s privacy and security of PHI
     D. Monitor the implementation and enforce appropriately any breaches of policy
     E. All of the above
     F. A, B, and D only
  18. With a complaint process, the government is the only mechanism to assure an HME facility’s compliance with HIPAA.
     A. True ____
     B. False ____
  19. I don’t have to worry about the minimum necessary requirement for:
     A. Disclosures to or requests by a health care provider for treatment
     B. Uses or disclosures made pursuant to an authorization
     C. Uses or disclosures made to the individual’s family
     D. Disclosures made to the Secretary of Health and Human Services (HHS), pursuant to the stated rules
     E. All of the above
     F. A, B, and D only
  20. If an individual authorizes release of protected health information (PHI) that includes psychotherapy notes:
     A. I can release this PHI
     B. I don’t have to consult with the patient about what information to release
     C. I can condition coverage or treatment on an authorization to use or disclose psychotherapy notes
     D. I am required to respond to an authorization for psychotherapy notes, but I may use some discretion
     E. None of the above
     F. A, B, and D only
  21. I don’t need a business associate agreement for:
     A. My employees
     B. My cleaning service
     C. My corporate attorney
     D. Contracted employees, such as a respiratory therapist, who perform a substantial portion of their work at my facility
     E. None of the above
     F. A, B, and D only
  22. The Privacy Rule requires the return or destruction of all protected health information (PHI) at the termination of a business associate agreement contract only where feasible or permitted by law.
     A. True ____
     B. False ____

Answer Key

  1. When a patient requests copies of his/her medical records:
     A. I can set the rate at any amount I choose
     B. I can charge $1.00 per copy
     C. I can charge reasonable cost-based fees - CORRECT
     D. I can charge for retrieval as well as copying fees for retrieval
  2. When a patient requests access to his/her medical records:
     A. I always have to provide the complete record
     B. I can provide a summary if I think it is too difficult for the patient to interpret
     C. I need to have the requestor agree on charges for the summary in advance
     D. B and C - CORRECT
  3. A copy of an authorization:
     A. Is okay, if legible
     B. Is never acceptable
     C. Is acceptable if all elements are included - CORRECT
     D. Must be notarized
  4. An authorization can be revoked:
     A. Only within 30 days of the original authorization
     B. By telephone request
     C. Under no circumstances—once authorization is given, it cannot be revoked
     D. If the requested action has NOT already been taken - CORRECT
  5. Patient complaints must first be filed with the HME provider’s office.
     A. True ____
     B. False ____ - CORRECT
  6. If the Secretary of Health and Human Services (HHS) validates a complaint originating from my HME facility:
     A. The Secretary of HHS just makes recommendations to the provider
     B. There can be a $100 penalty per complaint
     C. Nothing will happen unless harm to the patient is proven
     D. It may result in a compliance review - CORRECT
  7. My HME facility can respond to a request to amend a record:
     A. When I get around to it
     B. Within 90 days
     C. Only if deemed to affect a patient’s care
     D. Within 60 days - CORRECT
  8. An HME facility can refuse to amend the record:
     A. Under NO circumstances
     B. If you do not find it necessary for patient care
     C. Only if it doesn’t affect insurance coverage
     D. Under specific circumstances - CORRECT
  9. The Notice of Privacy Practices (NPP) must be:
     A. Given to each patient at the first visit
     B. Posted on my Web site, if I have one
     C. Posted in the office
     D. All of the above - CORRECT
  10. If I forget to give a Notice of Privacy Practices (NPP) to a patient:
     A. It’s no big deal
     B. I can give it to him at the next visit
     C. I can give it to a friend to take to him
     D. I have to mail it on the date of service and document my actions - CORRECT
  11. Once the Notice of Privacy Practices (NPP) is written:
     A. It can’t be changed
     B. It can be changed if I have reserved this right in my notice - CORRECT
     C. It has to be updated at least every year
     D. I don’t have to worry about it any more
  12. Protected health information (PHI) can ONLY be given out after obtaining written authorization.
     A. True ____
     B. False ____ - CORRECT
  13. If a non-authorized disclosure of protected health information (PHI) is made:
     A. I must keep a record of this for six years
     B. I must give the patient a full accounting upon proper request
     C. There is no such thing as a non-authorized request
     D. A and B - CORRECT
  14. If a patient wants to request a restriction on the disclosure of his/her protected health information (PHI):
     A. I have to agree to it
     B. It must be in writing - CORRECT
     C. It can be retroactive to cover information already released
     D. The patient cannot restrict disclosure of his PHI
  15. Staff must be trained:
     A. Annually
     B. Initially - CORRECT
     C. Once is enough, and it doesn’t matter when
     D. A and B
  16. Other than office staff:
     A. No one else needs to be trained about HIPAA
     B. Casual employees do not need to be trained about HIPAA
     C. Contract staff, such as cleaning crews, do not need to be trained about HIPAA
     D. Everyone who works in an HME facility, including unpaid volunteers, contract employees, and casual laborers, must be trained or show documentation of training about HIPAA - CORRECT
  17. A privacy officer should conduct the following steps:
     A. Identify the internal and external risks of disclosure of protected health information (PHI)
     B. Create and implement a plan to reduce the risk of releasing PHI in those areas identified
     C. Train all personnel on the organization’s privacy and security of PHI
     D. Monitor the implementation and enforce appropriately any breaches of policy
     E. All of the above - CORRECT
     F. A, B, and D only
  18. With a complaint process, the government is the only mechanism to assure an HME facility’s compliance with HIPAA.
     A. True ____
     B. False ____ - CORRECT
  19. I don’t have to worry about the minimum necessary requirement for:
     A. Disclosures to or requests by a health care provider for treatment
     B. Uses or disclosures made pursuant to an authorization
     C. Uses or disclosures made to the individual’s family
     D. Disclosures made to the Secretary of Health and Human Services (HHS), pursuant to the stated rules
     E. All of the above
     F. A, B, and D only - CORRECT
  20. If an individual authorizes release of protected health information (PHI) that includes psychotherapy notes:
     A. I can release this PHI
     B. I don’t have to consult with the patient about what information to release
     C. I can condition coverage or treatment on an authorization to use or disclose psychotherapy notes
     D. I am required to respond to an authorization for psychotherapy notes, but I may use some discretion
     E. None of the above
     F. A, B, and D only - CORRECT
  21. I don’t need a business associate agreement for:
     A. My employees
     B. My cleaning service
     C. My corporate attorney
     D. Contracted employees, such as a respiratory therapist, who perform a substantial portion of their work at my facility
     E. None of the above
     F. A, B, and D only - CORRECT
  22. The Privacy Rule requires the return or destruction of all protected health information (PHI) at the termination of a business associate agreement contract only where feasible or permitted by law.
     A. True ____ - CORRECT
     B. False ____