HIPAA True/False

False - PHI can be transmitted or maintained in any form or medium, including hardcopy, verbal exchanges, and electronic exchanges, such as e-mail.

False - PHI can be maintained in any form or medium. For example, if you make handwritten notes for your own use or write a paper that identifies a patient, the information becomes PHI regardless of whether it is on official NSU forms or contained in NSU records.

True - Like clinic staff and faculty providing services in the various NSU clinics, students must comply with the HIPAA policies implemented by the applicable NSU departments. Moreover, when training at affiliate locations, students will be responsible for complying with the policies implemented by the NSU affiliate institutions and clinics.

False - The HIPAA Notice must be given to all patients only one time. Unlike informed consents and similar documents, providing the HIPAA Notice is not a continuing obligation.

True - Although affirmatively providing the patient with a Notice is a one-time obligation, clinic employees are responsible for providing another copy to a patient who requests another copy.

False - As part of providing the Notice to the patient, the privacy rule requires that NSU clinics make a good faith effort to obtain a signed or initialed Acknowledgment from the patient or the patient's personal representative. This Acknowledgment form simply states that the patient received the Notice. The patient is not signing that he/she agrees with the Notice.

True - The personal representative provisions of HIPAA only come into play with incompetent adults, minors and deceased patients. Accordingly, competent adults should act on their own behalf.

False - Unless the 16-year-old has been emancipated, he or she has a personal representative for HIPAA purposes. In Florida, a minor is emancipated if he or she is married, is 18 years of age, a court has entered an emancipated order, or he or she has been adjudicated an adult and is in the custody or under supervision of the Florida Department of Corrections.

False - Under Florida law, the child's non-custodial parent is considered a personal representative and thus can request copies of the child's records under HIPAA unless there is a specific court order restricting the non-custodial parent's access to medical records.

False - The HIPAA privacy rule allows uses and disclosures of a patient's PHI without obtaining a consent or authorization for purposes of getting paid for services. This includes disclosing PHI to those providing billing services for the clinic.

False - The HIPAA privacy rule allows the use and disclosure of a patient's PHI without obtaining a consent or authorization for purposes of treatment. This includes exchanges of information for coordination of care, consultations and referrals.

True - Students' use of PHI in the clinic is considered part of the clinic's health care operations. The clinic's health care operations include conducting student-training programs.

True - Unless a limited exception applies, a patient must be given the verbal opportunity to object to disclosures made to family members.

False - The HIPAA privacy rule allows disclosures of a patient's PHI to a family member or friend who is involved in the patient's health care or payment of health care provided the information is relevant to their involvement. Although the patient must be given the opportunity to verbally object to most disclosures to family members, a written HIPAA authorization need not be obtained.

True - The HIPAA privacy rule does not allow disclosures of PHI to family members when the patient objects to the disclosure.

False - The HIPAA privacy rule allows disclosures of a patient's PHI, without an authorization, for health oversight activities such as audits and investigations of health care providers.

True - The HIPAA privacy rule requires that most special circumstances disclosures be documented as patients have the right to request an accounting of such disclosures. The documentation of the disclosures must contain: date of the disclosure; name of the receiver of the information; description of the PHI disclosed; and a brief statement of the purpose of the disclosure.

False - As discussed in previous lessons, the HIPAA privacy rule allows NSU clinics to use and disclose a patient's PHI without obtaining an authorization in a number of circumstances including for payment purposes.

False - The HIPAA authorization differs from typical blanket releases that are often used by health care providers. As discussed in previous lessons, the HIPAA privacy rule allows NSU clinics to use and disclose a patient's PHI without obtaining an authorization in a number of circumstances including for payment purposes.

True - As the disclosure is for purposes outside of the clinic's own treatment, payment and operations, the HIPAA privacy rule requires the NSU clinic to obtain the patient's authorization prior to discussing or sharing PHI with the patient's employer.

False - The patient's diagnosis and room number are not "identifiers". Therefore, the information is de-identified and is no longer protected health information.

True - The handwritten notes are protected health information (PHI). In general, you will not be permitted to remove this information from the clinical setting without de-identification. Information could be de-identified in this scenario by blacking out the patient's name.

True - In this circumstance, the information has been de-identified and can be taken from the clinical setting.

False - With regard to requesting access to records, NSU clinic patients can request to receive a copy of their medical records or billing records. Also, they are allowed to inspect the original records.

False -Great! Unlike the request to access records, many requests to amend records can be appropriately denied. For example, the NSU clinic may deny amendment requests when the information is accurate and complete or when the information has not been created by the NSU clinic

False -Great! Under the HIPAA privacy rule, NSU clinics are responsible for timely acting on patient requests for copies of their records within 30 days for records stored on-site and 60 days for records stored off-site.

False -Great! The HIPAA privacy rule prohibits health care providers from intimidating, threatening or otherwise retaliating against patients who file privacy complaints. This would include trying to persuade patients from filing complaints, as they are entitled to file complaints if they feel their privacy has been violated.

True -Great! The HIPAA privacy rule does not permit health care providers to request that patients waive their right to file privacy complaints with the government. Also remember that patients who file complaints with the clinic or the government cannot be treated differently than other patients.

True -Great! Under the HIPAA privacy rule, the NSU clinics are required to take appropriate action in response to breaches of patient privacy. As part of the NSU clinics' policies on complaints, departments will determine whether disciplinary action should be taken and the type of action to be taken.

False - Great! The HIPAA privacy rule considers the operation of training programs as health care operations and not treatment and thus the minimum necessary rules have to be followed. Accordingly, NSU students are not allowed to freely access patient records if the student is not participating in the care of the patient.

True -Great! The minimum necessary requirements in the HIPAA privacy rule are intended to ensure that patient information is only accessed by those with a need to know the information. For example, it would not be appropriate for a staff member to access information out of curiosity.

True -Great! It is important to keep in mind that the clinic policies should not be interpreted in any way that would comprise patient treatment. The HIPAA privacy rule recognizes that need to know policies should not interfere with proper patient care.