HIPAA for Healthcare Providers

Content by Qstream

HIPAA requires that every healthcare professional maintain the privacy and confidentiality of all protected health information (PHI). Reinforce a participant’s understanding of HIPAA privacy, security, and breach notification rules with this starter Qstream microlearning course.

Category: Compliance

Industry: Healthcare

Questions: 12

FREE

Content Preview

HIPAA for Healthcare Providers

Navigate through the Qstream questions below to preview. Each challenge is designed following Qstream’s best practices for maximum knowledge reinforcement and engagement. This Qstream is free for clients to use as a starting point.

Click on each title to preview the question in the mobile/desktop widget.

1. Administrative Security Duties
2. Physical Security
3. Technical Security
4. Security Officer Duties
5. Business Associate Agreement Content
6. Privacy Rule De-Identification
7. Personally Identifiable Information (PII)
8. Privacy Violation
9. Risk Assessment
10. Two-Factor Authentication
11. Telehealth Passwords
12. Telehealth Security Rules

Follow the interactions on each screen to answer Qstream questions as a Participant.

Emily was recently promoted to Office Manager at Dr. Marshall’s medical office (a covered entity). In her new role, Emily will oversee data security and HIPAA compliance.

As HIPAA compliance is ultimately the responsibility of senior management, Emily is in regular contact with Dr. Marshall regarding her efforts to maintain their HIPAA compliance.

In fulfilling Emily’s HIPAA administrative duties, which of the following activities should be formalized in a written document to keep patient data safe and in HIPAA compliance while also keeping Dr. Marshall informed?

Answer explanation:
Keeping patient data safe requires healthcare organizations to exercise best practices in three areas: administrative, physical, and technical security.

Administrative best practices require formalizing privacy procedures in a written document. These procedures include:

• Designating an executive to oversee data security and HIPAA compliance.
• Identifying employees with access to patient data.
• Training employees on the organization’s privacy policy and how it applies to their job.
• Requiring all outside parties needing to access protected patient data to sign contracts stating that they will comply with HIPAA security rules.
• Backing up data and having an emergency plan for disasters that may result in loss of information.
• Performing an annual data security assessment.
• Creating a data breach response plan that addresses notifying affected patients and fixing compromised IT systems.

Dr. Bishop has a small office staff and his office manager, Dan, wears multiple hats as HIPAA Compliance Officer, Privacy Officer, and Security Officer.

The physicians’ group has decided to relocate to a retail shopping area near the local Target for greater visibility. Dan is involved in the layout design of the new office and organizing their move. The physicians’ group will also receive new computers for their new office.

HIPAA compliance concerns triggered by this relocation require which of the following actions?

Answer explanation:
Keeping patient data safe requires healthcare organizations to exercise best practices in three areas: administrative, physical, and technical security.

Physical Security: These HIPAA rules help your organization prevent physical theft and loss of devices that contain patient information.

Best practice activities in physical security include:

• Limiting computer access by keeping them behind counters, secured to desks, and away from the general public.
• Restricting access to secure areas, monitoring building safety, and requiring visitors to sign in.
• Exercising caution and following best practices when upgrading or disposing of hardware and software, including securely wiping hard drives.
• Training employees and contractors on physical safety best practices, including the importance of securing their cell phones and mobile devices.

Dr. Hutchins’ office manager, Lisa, decides she may not be the best candidate to ensure their practice’s technical safety of protected health information (PHI) and together they decide that the technical safety portion of HIPAA compliance should be handled by an independent contractor.

In preparation, Lisa creates a list of issues that should be addressed by the technical security HIPAA contractor. These include which of the following measures to protect the practice’s network and devices from data breaches?

Answer explanation:
Keeping patient data safe requires healthcare organizations to exercise best practices in three areas: administrative, physical, and technical security.

Activities to enhance technical security include:

• Encrypting sensitive files that are sent via email, and ensuring that any cloud-based platform used offers encryption.
• Protecting the medical practice’s network from hackers and other cyber thieves with firewalls and intrusion detection and prevention systems.
• Training all employees to identify and avoid phishing scams.
• Backing up data in case of accidental deletion or changes.
• Authenticating data transfers to third parties by requiring a password, a two-way or three-way handshake, a token, or a callback.
• Requiring that employees periodically change their passwords, and ensuring that passwords contain a mix of letters, numbers, and special characters.
• Preventing data entry mistakes by using double-keying, checksums, and other redundancy techniques.
• Keeping updated documentation of the practice’s technology and network configurations.

The duties of a HIPAA Security Officer can include diverse topics. In smaller organizations, the same person may take on the roles of a HIPAA Privacy Officer as well as the HIPAA Security Officer.

Examples of a HIPAA Security Officer’s duties include which of the following?

Answer explanation:
The duties of a HIPAA Security Officer can include diverse topics such as the development of a Disaster Recovery Plan, the mechanisms in place to prevent unauthorized access to PHI, and how electronic PHI (ePHI) is transmitted and stored. There must be a system to monitor the status of HIPAA compliance. Electronic passwords must be required to meet specific standards and to be changed at a set frequency.

Learn more: https://www.hipaajournal.com/duties-of-a-hipaa-compliance-officer/

A HIPAA-compliant Business Associate Agreement (BAA) clarifies the protected health information (PHI) provided to the business associate and its permissible uses and disclosures.

A BAA must also require the business associate to do which of the following?

Answer explanation:
A HIPAA-compliant Business Associate Agreement (BAA) clarifies the PHI that is being provided to the Business Associate and the permissible uses and disclosures. It must also require that the business associate:

• Will not use or further disclose the information other than as permitted by the contract or as required by law.
• Implement appropriate safeguards to prevent unauthorized uses or disclosures of the PHI.
• Report any use or disclosure not provided for by the agreement, including breaches of unsecured PHI.
• Satisfy individuals’ requests for copies of PHI, incorporate any amendments, and account for disclosures.
• Make available to HHS records relating to the use and disclosure of PHI in the event of an audit or investigation.
• Return or destroy PHI received from, created for, or received on behalf of, the Covered Entity at the termination of the agreement.
• Ensure that any parties with access to PHI agree to the same restrictions and conditions that apply to the business associate.

Note: Contracts between Business Associates and Business Associates that are subcontractors are subject to the same requirements.

Ric, a hospital administrator, has been tasked with permitting the use of hospital patient data for research. They understand that a medical record, laboratory report or hospital bill would be protected health information because each document would contain a patient’s name and/or other identifying information associated with the health data content.

Ric wants to de-identify PHI for research use so that the information does not disclose or identify individuals or provide a reasonable basis to identify an individual.

The Privacy Rule de-identification methods include which of the following?

Answer explanation:
The process of de-identification, by which identifiers are removed from the health information, mitigates privacy risks to individuals and supports the secondary use of data for comparative effectiveness studies, policy assessment, life sciences research, and other endeavors.

The Privacy Rule provides two de-identification methods:

1. A formal determination by a qualified expert.
2. The removal of specified individual identifiers as well as the absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual.

Both methods, even when properly applied, yield de-identified data that retains some risk of identification. A data set stripped of the explicitly enumerated identifiers cannot contain unique, identifying characteristics such as an occupation, for example “the President of a State University.”

Samantha is the head of research at a local university. She is concerned about her responsibility regarding the 18 enumerated identifiers in information received from the university-associated hospital that is classified as personally identifiable information (PII).

Which of the following statements are true regarding this scenario?

Answer explanation:
Research studies may use health-related information that is personally identifiable. Such information may include personal identifiers such as a name or address, yet it is not PHI, because the data is neither associated with nor derived from a healthcare service event, nor is it entered into the medical record.

HIPAA does not apply to “research health information” (RHI) that is kept only in the researcher’s records; however, other human subjects protection regulations still apply.

The responsibility to remove the personally identifiable information (PII) lies with the covered entity.

Learn more: https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#standard

A Texas-based health system responded to an incident involving the use of a fraudulent ID card by a patient with a memo to the press. The press release included the patient’s name and the hospital system also released the patient’s name to the police.

Which of the following statements are true regarding the release of the patient’s name and HIPAA’s Privacy Rule?

Answer explanation:
The hospital system violated the privacy of the involved patient by including their name in the press release. Later, the Office for Civil Rights (OCR) made a formal finding that the hospital system engaged in an intentional failure to protect the patient’s right to privacy.

While most HIPAA violation settlements involve a large number of medical records, the unauthorized disclosure of even one individual’s medical data violates HIPAA’s Privacy Rule, which requires that PHI not be disclosed without authorization.

The hospital system could release the patient’s name to the police in compliance with HIPAA’s Privacy Rule; however, the public statement that included the patient’s name did not protect the patient’s privacy and was a violation of the HIPAA Privacy Rule. The fine against the hospital system was assessed by the OCR at $2.4 million.

Every covered entity that creates, receives, maintains, or transmits PHI must conduct an accurate and thorough HIPAA risk assessment in order to comply with the Security Management requirements.

Which of the following statements are true regarding a HIPAA risk assessment?

Answer explanation:
A HIPAA risk assessment followed by the implementation of measures to fix any uncovered security flaws is required by HIPAA. An assessment can be complicated and time-consuming, but the alternative is potentially terminal to small medical practices and their Business Associates.

A risk assessment identifies the risks to HIPAA compliance, whereas a risk analysis assigns risk levels for vulnerability and impact combinations. The objective of assigning risk levels to each risk is so that risks with the potential to be the most damaging can be addressed as priorities.

Risk assessments should be tailored to the covered entity’s circumstances and environment, including the following:

• Size, complexity, and capabilities of the covered entity
• The covered entity’s technical infrastructure, hardware, and software security capabilities
• The probability and criticality of potential risks to ePHI
• The costs of security measures

HHS has made it clear that cost alone is not a sufficient basis for refusing to adopt a standard or an addressable implementation of identified specifications.

HIPAA Security Regulations require “reasonable and appropriate” security measures to be implemented in order to comply with the Security Standards relating to Workforce Security and Information Access Management.

Which of the following statements are true about two-factor authentication (2FA)?

Answer explanation:
The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that covered entities must implement to secure ePHI.

Two-factor authentication (2FA) is not a requirement of HIPAA per se. However, if a Covered Entity or Business Associate conducts a risk assessment and identifies vulnerabilities that could be addressed with 2FA, it then becomes a “reasonable and appropriate” security measure that should be implemented to comply with Security Standards relating to Workforce Security and Information Access Management.

The HIPAA Security Standard stipulates that covered entities must implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. However, there is no indication of the procedures that should be implemented, or even that user verification should be password-based.

Guidance published by the Department of Health and Human Services (HHS) suggests there are ways in which users can verify their identity using something that ___________.

Answer explanation:
Guidance published by HHS suggests there are three ways in which users can verify their identity: with something

1. Only known to the user, such as a password or PIN
2. The user possesses, such as a smart card or key
3. Unique to the user, such as a fingerprint or facial image

In addition to the above, a required implementation specification of the Access Controls Security Standard stipulates that covered entities assign a unique name and/or number for identifying and tracking user identity.

Verification is not required to be password-based. A username with biometric authentication could satisfy this requirement. The current guidance is that passwords should only be changed when there is evidence of compromise.

Dr. Mayzell’s two physician assistants conducted telehealth sessions during the pandemic restrictions. This was so successful that the clinic is going to start booking half their appointments as telehealth appointments. In preparation, Dr. Mayzell’s office manager is working on a best practices guide for conducting these telehealth sessions with patients.

Which of the following should be included in the telehealth written guide?

Answer explanation:
For telemedicine/telehealth, HIPAA Privacy requires:

• A system for monitoring communications containing ePHI be implemented to prevent accidental or malicious breaches.
• That all communications be encrypted, including images, videos, and documents. This ensures they are both unusable and unreadable should a message be intercepted over a public Wi-Fi service.
• That the system has automatic log-off capabilities when it is not used for a period of time.
• Mechanisms put in place so communications can be monitored and remotely deleted if necessary.

When conducting telehealth sessions, HIPAA safeguards should be implemented to limit incidental uses or disclosures of PHI. This includes not using a speakerphone and instead using earbuds or headphones to provide privacy. Make sure any view of documents does not include PHI or PII. Always ask the patient to move a reasonable distance from others when discussing PHI.
