1. When a patient requests copies of his/her medical records:

a.      I can set the rate at any amount I choose

b.     I can charge $1.00 per copy

c.      I can charge reasonable cost-based fees

d.     I can charge for retrieval as well as copying fees for retrieval

2. When a patient requests access to his/her medical records:

a.      I always have to provide the complete record

b.     I can provide a summary if I think it is too difficult for the patient to interpret

c.      I need to have the requestor agree on charges for the summary in advance

d.     B and C

3. A copy of an authorization:

a.      Is okay, if legible

b.     Is never acceptable

c.      Is acceptable if all elements are included

d.     Must be notarized

4. An authorization can be revoked:

a.      Only within 30 days of the original authorization

b.     By telephone request

c.      Under no circumstances—once authorization is given, it cannot be revoked

d.     At anytime

5. Patient complaints must first be filed with the agency’s office.

a.      True ____

b.     False ____

6. If the Secretary of Health and Human Services (HSS) validates a complaint:

a.      The Secretary of HSS just makes recommendations to the provider

b.     There can be a $100 penalty per complaint

c.      Nothing will happen unless harm to patient is proven

d.     It may result in a compliance review

7. This agency can respond to a request to amend a record:

a.      When I get around to it

b.     Within 90 days

c.      Only if deemed to affect a patient’s care

d.     Within 60 days

8. This agency can refuse to amend the record:

a.      Under NO circumstances

b.     If you do not find it necessary for patient care

c.      Only if it does not affect insurance coverage

d.     Under specific circumstances

9. The Notice of Privacy Practices (NPP) must be:

a.      Given to each patient at the first visit after April 14, 2003

b.     Posted on company Web site, if it has one

c.      Posted in the office

d.     All of the above

10.  If I forget to give a Notice of Privacy Practices (NPP) to a patient:

a.      It is no big deal

b.     I can give it to him at the next visit

c.      I can give it to a friend to take to him

d.     I have to mail it on the date of service and document my actions

11.  Once the Notice of Privacy Practices (NPP) is written:

a.      It cannot be changed

b.     It can be changed if I have reserved this right in my notice

c.      It has to be updated at least every year

d.     I do not have to worry about it any more

12.  Protected health information (PHI) can ONLY be given out after obtaining written authorization.

a.      True ____

b.     False ____

13.  If unsecured protected health information (PHI) is breached and a risk assessment is performed that indicates there is a low probability that the PHI has been compromised:

a.      I must keep a record of this for six years

b.     I must give the patient a full accounting upon proper request

c.      There is no such thing as a non-authorized request

d.     I am not required to notify the patient.

14.  If a patient wants to request a restriction on the disclosure of his/her protected health information (PHI):

a.      I have to agree to it

b.     It must be in writing

c.      Can be retroactive to cover information already released

d.     The patient cannot restrict disclosure of his PHI

15.  Staff must be trained:

a.      Annually

b.     Initially, prior to April 14, 2003, and periodically

c.      Once is enough, and it does not matter when

d.     A and B

16.  Other than office staff:

a.      No one else needs to be trained about HIPAA

b.     Casual employees do not need to be trained about HIPAA

c.      Contract staff, such as cleaning crews, do not need to be trained about HIPAA

d.     Everyone who works in my office, including unpaid volunteers, contract employees, and casual laborers, must be trained or show documentation of training about HIPAA

17.  A privacy officer should conduct the following steps:

a.      Identify the internal and external risks of disclosure of protected health information (PHI)

b.     Create and implement a plan to reduce the risk of releasing PHI in those areas identified

c.      Train all personnel on the practice’s privacy and security of PHI.

d.     Monitor the implementation and enforce appropriately any breaches of policy.

e.      All the above

f.      A, B, and D only

18.  With a complaint process, the government is the only mechanism to assure a medical practice’s compliance with HIPAA.

a.      True ____

b.     False ____

19.  I do not need a business associate agreement for:

a.      My employees

b.     My cleaning service

c.      My corporate attorney

d.     Contracted employees such as a physical therapist who perform a substantial portion of their work for this agency

e.      None of the above

f.      A, B, and D only

20.  The Privacy Rule requires the return or destruction of all protected health information (PHI) at the termination of a business associate agreement contract only where feasible or permitted by law:

a.      True ____

b.     False ____

____________________________________________________________________________________________________

Answers:

1.C

2.D

3.C

4.D

5.B

6.D

7.D

8.D

9.D

10.D

11.B

12.B

13.D

14.B

15.B

16.D

17.E

18.B

19.F

20.A