A prosthetic device is being coded on an electronic transaction. Which code set should be used?

HCPCS. HCPCS code sets are used to code medical items such as medical supplies, orthotic and prosthetic devices, and durable medical equipment.

Which use/disclosure of PHI is allowed under the HIPAA Privacy Rule?

Discussing a patient's case with a provider involved in the patient's care. PHI should be disclosed only to those with a need to know, such as providers involved in the patient's care.

What is the civil penalty for unknowingly violating HIPAA?

$112-$55,910. The civil penalty for unknowingly violating HIPAA is $112-$55,910.

A healthcare provider must use the employer identification number (EIN) whenever carrying out an electronic health transaction.

True. Healthcare providers must obtain and use a National Provider Identifier (NPI) for all HIPAA standardized transactions.

A provider asks a health plan for payment. What type of transaction is this?

Healthcare claim. When a provider asks a health plan for payment, this is a healthcare claim transaction.

A patient pays 100% of his/her treatment costs out of pocket. He/she can stop disclosure of this information to his/her insurer.

True. Patients can restrict disclosure if they pay 100% out of pocket.

Under the HIPAA Privacy Rule, which use/disclosure of PHI is acceptable?

A limited dataset is released for research purposes. A limited dataset consists of PHI with patient identifiers removed. Limited datasets may be released for purposes of research, healthcare operations, or public health activities.

The final rules in the HITECH Act, adopted in 2013, addressed all of the following except:

Removal of some requirements involving business associates of covered entities and PHI. Under the HITECH Act, business associates of covered entities are now directly liable for HIPAA compliance.

Information is sent to a health plan to start a patient's coverage. What type of transaction is this?

Enrollment and disenrollment in a health plan. When information is sent to a health plan to start or end a patient's healthcare coverage, this is an enrollment and disenrollment in a health plan transaction.

Which of the following is a technical safeguard for PHI?

Ensuring that PHI sent electronically is not changed improperly. A technical safeguard for PHI required under HIPAA is integrity control. This includes measures to ensure that 1) PHI sent electronically is not changed improperly and 2) any improper changes will be detected.

The PHI of 600 patients in Tennessee was breached. Whom should be notified?

All of the above. All of these need to be notified.

An ASC employee obtains PHI without authorization. He/she may be criminally liable for the violation.

True. According to the law, employees may be criminally liable for HIPAA violations.

The cause of a health problem is being coded on an electronic transaction. Which code set should be used?

ICD-10-CM. ICD-10-CM code sets are used to code causes of health problems.

A health plan sends a provider an explanation of benefits (EOB). What type of transaction is this?

Healthcare payment and remittance advice. When a health plan sends a payment or EOB, this is a healthcare payment and remittance advice transaction.

The HITECH Act did all of the following except:

Decrease the civil penalty for unknowingly disclosing PHI. The HITECH Act did not decrease the civil penalties for unknowingly disclosing PHI.

Which of the following is an administrative safeguard for PHI?

Authorizing and/or supervising employees who work with electronic PHI. An administrative safeguard for PHI, required under HIPAA, is authorization and/or supervision of employees with access to PHI.

Which statement is true of an organization that sends and/or receives PHI electronically?

The organization is a covered entity under HIPAA. An organization must follow HIPAA if the organization's business activities involve sending and/or receiving PHI electronically.

Which disclosure/use of PHI is allowed under the HIPAA Privacy Rule?

Releasing a patient's PHI to the patient when he or she requests access. PHI must be released to a patient when he or she requests access. Friends, co-workers, and the media should not be given access to PHI, unless the patient provides clear, written permission.