
This Government Office Investigates HIPAA Violations

24 community-sourced questions and answers.

Community-sourced. Answers may be wrong or out of date. Always verify with your official training portal before submitting. Not affiliated with any branch, agency, or vendor.
QUESTION 1

HIPAA

ANSWER

• Health Insurance Portability and Accountability Act
• Protects workers and their families from privacy breaches, health coverage loss, fraud and identity theft
• Enacted in 1996
• HIPAA compliance is the act of conforming to HIPAA’s rules and requirements
• Privacy Officer

QUESTION 2

HIPAA Objectives

ANSWER

• Standardized the way health insurance providers transmit data
• Fraud Protection
• Identity theft
• Efficiency
• Protect Personal Information
• Gather Illness Data
• Patient Rights (Notice of Privacy Practices)

QUESTION 3

Privacy Rule

ANSWER

•dictates and enforces the manner in which medical and personal health records may or may not be shared

QUESTION 4

Security Rule

ANSWER

• Protects patient confidentiality
• Keeps health information out of public knowledge
• Sets national standards to safeguard records that are created, accessed, transmitted and/or maintained by an authorized covered entity.
• Enforces specific administrative, physical and electronic behaviors.

QUESTION 5

Final Rule

ANSWER

• Omnibus Rule
• Gives patients more rights to their PHI
• Enhances government's ability to enforce the law
• Allows penalties to $1.5mil
• Patients may request and receive a copy of medical records in electronic forms
• Patients may request that their provider not share their information with their health plan when they pay for services by cash
• Genetic information may not be used or disclosed for underwriting purposes

QUESTION 6

HITECH: Health Technology for Economic and Clinical Health Act

ANSWER

- Digital copy of PHI: HITECH allows patients access to medical records via digital copy now. As a result, covered entities are required to comply with such a request with a digital copy instead of a paper copy. Acceptable digital copies may be CD, flash drive, or secured database access.

QUESTION 7

Review of Patient Rights

ANSWER

• Patients have the right to know that their health information will be safe and secure at the UAFS clinic.
• Patients have the right to know that they will be treated fairly regardless of race, creed, national origin, economic status, gender, or age and that each will be treated as an individual.
• Patients have the right to know that the students, faculty and administrative staff are experienced and trained in HIPAA policies and procedures.
• Patients have the right to know that they are in charge of their personal information with regard to sharing PHI via electronic means with "covered entities" and "business associates".

QUESTION 8

4 Factors of Assessing Breach Notification

ANSWER

• Nature and extent of PI involved, including types of identifiers and likelihood of re-identification.
• Unauthorized person who used PI or to whom the disclosure was made.
• Whether PI was actually acquired or viewed.
• Extent to which the risk to the PI has been mitigated.
• A log must be kept of breaches involving fewer than 500 individuals, and the information submitted annually to HHS. If more than 500 individuals, they must notify HHS immediately. Old rule: report breaches for the previous year. New rule: report for the current year.

QUESTION 9

Deceased Patients

ANSWER

• who has been deceased for 50 years.
  * Must know the date of death.
• Not a record retention period. The 50-year period is not a record retention requirement. In general, state law determines how long patient records must be retained.
• The new rule permits (does not require) a dental practice to disclose certain information about a deceased patient to family members and others who were involved in the patient’s care or payment for care without first getting the written authorization of the personal representative.
  * For example, a dental practice could disclose billing information to a family member of a deceased patient who is helping wrap up the patient’s estate, unless the patient had “expressed a preference to the contrary,” then the practice must first get the written authorization of the patient’s personal representative.

QUESTION 10

Enforcement

ANSWER

• The Office for Civil Rights ("OCR"), an agency of HHS, enforces HIPAA.
• OCR has the right to investigate complaints and suspected violations and to impose civil money penalties on dental practices that violate HIPAA. Some HIPAA violations also carry criminal penalties.
• Generally, when OCR receives a complaint about a dental practice's HIPAA compliance, it conducts a preliminary review. If the review indicates a possible HIPAA violation, OCR may proceed with an investigation.
• If OCR learns of an alleged HIPAA violation (for example, from a state or federal agency, breach notification report, or in the news), OCR has the right to investigate.

QUESTION 11

Penalties

ANSWER

• The new rule has tiered penalty amounts for increasing levels of culpability, up to an annual cap of $1.5 million for all violations of the same HIPAA requirement or prohibition.
• If a violation was due to willful neglect and was not corrected within 30 days, there is a minimum penalty of $50,000 per violation.

QUESTION 12

Immunization Records

ANSWER

• The new rule permits a dental practice to send proof of immunization to a school without a signed authorization form in states that have school entry or similar laws, as long as the patient (or parent or guardian) agrees.
• If the agreement is oral (e.g., over the telephone), the dental practice must document the agreement (for example, by making a notation in the dental record).
• If the agreement is in writing (for example, by letter or email), the letter or email is sufficient documentation.
• A signature is not required. A dental practice can still require a signed authorization form if it wishes.
• This new rule only applies to immunization records. A dental practice must still require a signed authorization form before sending or telling any other patient information to a school.

QUESTION 13

Notice of Privacy Practices/PHI

ANSWER

• First visit-understandable
• Privacy policies
• Complaints
• Right to see and obtain PHI (not originals)
• Time frame (fulfill within 30 days)
• Allowable fees
• Can be amended (pt request in writing)
• Request can be denied
• Treatment exceptions
• PHI alternative means
• Disclosure accounting

QUESTION 14

Exceptions for Consent and Mandatory PHI Disclosures

ANSWER

• ID Verification
• Sale of a practice
• Required by Law
• Official Request from Secretary of HHS
• Sale of the practice
• Disclosure of patient information that is required by law
• If information is de-identified properly, it is no longer protected by HIPAA

QUESTION 15

What is the HIPAA officer?

ANSWER

The individual that works for the covered entity that oversees all activities related to the entity's privacy policies.

QUESTION 16

What is the process called in which certain identifiers are removed from a patient's health record?

ANSWER

De-identify data

QUESTION 17

As defined in the HIPAA Privacy Rule, the right to patient privacy dictates and enforces the manner in which personal health records may or may not be shared among organizations or other third parties.

ANSWER

True

QUESTION 18

Under HIPAA, patients have the right to access, copy, and inspect their own health information.

ANSWER

True

QUESTION 19

To protect ePHI in accordance with HIPAA's Security Rule, which is true for passwords?

ANSWER

• Have a strong password
• Don't share your password
• Lock your PC or device when away
• Utilize virus/spyware protection
• All of the above

QUESTION 20

This government office investigates HIPAA violations:

ANSWER

Office for Civil Rights (OCR)

QUESTION 21

It is acceptable for a covered entity to access and/or disclose Protected Health Information without written permission to ____.

ANSWER

• Public agencies during an audit, inspection, or legal proceeding
• Public health agencies as required by law
• Law enforcement officials
• All of the above

QUESTION 22

What should you do as a covered entity to protect PHI?

ANSWER

• Shred documents
• Keep patient information private
• Beware of potential criminals/hackers
• Don't browse friends'/family records
• All of the above

QUESTION 23

The HIPAA Final Rule is also known as the Omnibus Rule.

ANSWER

True

QUESTION 24

HIPAA is also known as the Health Insurance Portability and Accountability Act.

ANSWER

True
