Could Your Employees Pass This HIPAA Quiz?
The healthcare sector is among the largest and most complicated American industries, comprising nearly one-fifth of the US economy.
It is also among the most legally (and ethically) volatile environments and comes under strict government regulation and oversight. Not only must healthcare professionals safeguard their patients' health, but they must also implement strict privacy practices -- so that patients are not harmed by having their medical records and other sensitive health information exposed to other parties without their consent.
This is where HIPAA compliance comes in. This article will walk you through what HIPAA is, why it requires employee training, and let you test your HIPAA knowledge a bit with a brief HIPAA quiz.
What Is The Health Insurance Portability And Accountability Act (HIPAA)?
The Health Insurance Portability and Accountability Act (HIPAA) was originally passed in 1996. At the time, it was primarily intended to assist more Americans with obtaining health insurance coverage and to ensure that employees would not lose this coverage while they were changing jobs.
Soon, however, it became obvious that, with the advent of the internet and digital record-keeping, HIPAA would have to be amended multiple times to account for increasing privacy threats to patients' private medical records.
HIPAA regulation today is a series of national standards concerning the security, privacy and confidentiality of protected health information. Try our free HIPAA compliance checklist for employers to make sure you don't miss anything and risk fines.
As of 2022, the HIPAA rules to comply with are as follows:
HIPAA Privacy Rule
The HIPAA Privacy Rule (finalized in 2003) sets standards for the use of and access to "protected health information" (PHI), the demographic information that can be used to identify a patient, including:
- Name
- Address
- Any personal dates related to the individual (birth, death, admission, discharge, etc.)
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers/serial numbers/license plate
- Device identifiers/serial numbers
- Web URLs
- IP address
- Biometric identifiers (e.g. fingerprints, voiceprints, retinal scans, etc.)
- Full-face photos
- Any other unique identifying numbers/codes/characteristics
HIPAA Security Rule
The HIPAA Security Rule provides a set of safeguards to be instituted by all HIPAA-beholden entities, comprising administrative, technical and physical standards for maintaining the security of PHI.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule sets standards for how data breaches are to be investigated, reported to the proper authorities, and communicated to affected patients.
A later piece of legislation, the HITECH Act (2009), created a system of fines for violating HIPAA, elevating the potential costs of noncompliance with HIPAA to unprecedented heights.
HIPAA Omnibus Rule
Effective in 2013, the HIPAA Omnibus Rule states that all business associates of involved healthcare entities must be HIPAA-compliant.
Considering all the adjustments made to HIPAA regulations so far, one can expect more HIPAA updates added in the future.
Who Is Subject To HIPAA Law?
Legally, HIPAA law identifies two HIPAA-beholden categories: "covered entities" and "business associates".
Covered Entities include:
- Health Plans, e.g.: HMOs, health insurance companies, company health plans, and certain government programs like Medicare and Medicaid
- The Majority of Health Care Providers: the healthcare providers that conduct business/store private information electronically (e.g. electronically billing health insurance)
- Healthcare Clearinghouses: services that process nonstandard health information received from another entity into a standard (and vice versa)
"Business Associate" is a term that refers to any contractor, subcontractor, or other person or company working with the above-specified covered entities that is not an employee of the covered entity, such as:
- Companies that help doctors get paid, billing companies, businesses that process healthcare claims
- Companies that help administer health plans
- External/independent professionals serving healthcare organizations, such as accountants, IT experts, attorneys, etc.
Is HIPAA Compliance Training Mandatory?
Yes, HIPAA training is a federal requirement for all of the above entities and associates. Employees entering positions that involve handling PHI must be trained soon after getting hired, and can then be retrained on a periodic or as-needed basis.
Who Enforces HIPAA Compliance?
Enforcing HIPAA compliance is primarily the jurisdiction of the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR). The Centers for Medicare & Medicaid Services (CMS) has certain limited powers of HIPAA enforcement; the Federal Communications Commission (FCC) and US Food and Drug Administration (FDA) have been involved in past legal HIPAA interventions.
Test Your HIPAA Compliance Knowledge With Our HIPAA Quiz
Here are just a few HIPAA questions drawn from across the range of training topics.
Updated HIPAA law must be complied with by:
- Every American business regardless of industry
- Covered entities and business associates in healthcare
- All physicians but not registered nurses in hospitals and clinics
- All US citizens and residents above the age of 18
(Correct answer: 2)
Which of the following is NOT a patient right under HIPAA's "Privacy Rule"?
- Patient right to ask to see/get a copy of their health records
- Patient right to have corrections added to their health information
- Patient right to request that the healthcare entity issue them an in-depth technical report of the breach, if there is a breach
- Patient right to be notified of how their health information is used/shared
(Correct answer: 3)
The Notice of Privacy Practices must be:
- Given to the patient to review on their first visit
- Given to the patient to review on every visit
- Provided to every individual entering the hospital/clinic waiting room, regardless of whether they are a patient or not
- Posted online: no need to provide a physical copy in-person
(Correct answer: 1)
The "minimum necessary" rule refers to:
- A minimal quota of patients to serve by a clinic within a calendar month
- The understanding that healthcare employees must only look at a patient's PHI on an as-needed basis
- The minimum number of days that must pass between changing company computer passwords
- None of the above
(Correct answer: 2)
If an employee becomes aware of a PHI "privacy incident" that could result in a data breach, they are required to notify the Privacy Officer.
- True
- False
(Correct answer: 1)
Once digital PHI record-keeping devices get old, they must be:
- Thrown in the garbage
- Taken to a proper state recycling center for computer hardware
- Mailed to the patient (or their next of kin)
- Accounted for and kept secure until they can be safely wiped/physically destroyed
(Correct answer: 4)
What kind of protected health information is covered by HIPAA?
- Electronic
- Spoken
- Paper
- All of the above
(Correct answer: 4)
Under HIPAA, it is permitted to access patient health files out of curiosity:
- If you keep it to yourself
- Under no circumstances -- it is a HIPAA breach that could get you fired
- If you know the patient very well
- If the patient's family was asking about it
(Correct answer: 2)
Computer security is:
- A purely technical function
- Exclusively the responsibility of the user
- A combination of technical and user security measures and vigilance
- Not covered by HIPAA regulations
(Correct answer: 3)
If a patient is being transferred to a different medical facility for specialized treatment, is it permissible to provide this facility with the patient's PHI for the purposes of ensuring apt medical care to that patient?
- Yes
- No
(Correct answer: 1)
This quiz is just a tiny sampler of potential questions every PHI-handling healthcare employee should be able to answer on the spot. Now, what are the chances of that without prior training?
Get The Best HIPAA Training For Your Employees And Avert Serious Problems
It is reported that 29 million health records were breached in 2020 alone. One of the key HIPAA violations responsible is failure to provide proper training to employees handling PHI.
Since breaches of protected data carry a sizeable potential for disaster for multiple parties, it is in everyone's best interest (and certainly less costly) to prevent them rather than clean up the mess they leave behind.
Training is essential -- and, for something as important as HIPAA compliance, training has to be top-notch.
EasyLlama Makes HIPAA Compliance Training Easy (It's In Our Name!)
Designed for a mobile workforce with a 21st-century attention span, EasyLlama's interactive HIPAA compliance training will keep your employees engaged with interesting, bite-sized modules that will:
- educate them about HIPAA and its rules
- define HIPAA breaches and provide a variety of real-life examples to illustrate how they can happen in practice
- go over the HIPAA penalties, as they apply to different tiers of violations
- teach them to value and protect patient privacy, and to navigate HIPAA rules in everyday work life without even coming close to violating them
Choose EasyLlama's fully-compliant HIPAA training program for your employees and have one less (major) thing to worry about with your business!
Written by: Maria Malyk