INTRODUCTION
This graded project is a research paper that you’ll complete
and submit to the school for grading. In your paper, you’ll
apply what you learned about HIPAA to an actual situation in
which a health care organization violated HIPAA regulations.
YOUR ASSIGNMENT
Health care organizations must know and follow the regulations
that are set forth by HIPAA, or be held accountable
for their failure to follow the rules. For this assignment,
you’ll need to find three real-life examples of HIPAA violations;
that is, violations of HIPAA’s privacy or security laws
that occurred in the United States since the passage of the
HIPAA law (after 1996). Each violation described should be
serious, and one that resulted in a fine or penalty for the
individual or company involved.
You can find real-life examples of HIPAA violations in
news reports, medical journals, professional health care
publications, and other similar reliable factual sources.
For each example violation, you should provide the following
information:
• A complete, descriptive summary of the case
• Important facts that relate to the case, such as the
names of the company or individual involved, the date
of the violation, and the city and state where the incident
occurred
• An explanation of the HIPAA rules that were violated
Be sure to answer these questions when writing your
summaries:
• How did the HIPAA violation occur?
• What policies (if any) did the organization have in place
to protect against the violation?
• What was the penalty for the violation (fine, prison term,
termination of employment, etc.)?
Finally, describe three ways in which the organization could
have prevented the violation.
Organize your three case examples into a 750-word paper.
Research Instructions
To write your paper, you may use journal articles, textbook
material, case studies, and Web site information. The Web
site information must come from reputable and verifiable
sources, such as the United States Department of Health and
Human Services, the American Medical Association, professional
or business organizations, or articles published by
major news organizations.
To get started on finding a real-life case example that you’re
interested in, you can use an Internet search engine such as
Google. Try entering keywords such as “HIPAA violation”
under the “News” section. Or, go to your local library and
perform a search in the medical journals or professional
publications they have on file.
Writing Guidelines
1. Type your submission, double-spaced, in a standard
print font, size 12. Use a standard document format with
1-inch margins. (Do not use any fancy or cursive fonts.)
2. Read the assignment carefully, and follow the instructions.
3. Be sure to include the following information at the top of
your paper:
• Your name
• Your student number
• The course title (HIPAA Compliance)
• Graded project number (46081100)
• The date
4. Be specific. Limit your submission to the issues covered
by your chosen topic.
The student must
• Provide a clear discussion of the chosen topic
• Address the topic in complete sentences
• Support his or her research by citing specific information
from the textbook, Web sites, and any other references,
and by using correct APA or MLA guidelines for citations
and references
• Stay focused on the chosen topic
• Write in his or her own words and use quotation marks
to indicate direct quotations
Written Communication
The student must
• Discuss the topic in complete paragraphs that include an
introductory sentence, at least four sentences of explanation,
and a concluding sentence
• Use correct grammar, spelling, punctuation, and sentence
structure
• Provide clear organization (for example, uses words like
first, however, on the other hand, and so on, consequently,
since, next, and when)
• Make sure the paper contains no typographical errors
Format
The paper should be double-spaced and typed in font size 12.
It must include the student’s
• Name and complete mailing address
• Student number
• Course title (HIPAA Compliance)
• Research project number (46081100)
460810RR - IMPLEMENTING AND ENFORCING HIPAA
Questions 1 to 20: Select the best answer to each question. Note
that a question and its answers may be split across a page
break, so be sure that you have seen the entire question and all
the answers before choosing an answer.
1. Which of the following is used to code and classify morbidity
data from patient medical records,
physician offices, and surveys conducted by the National Center
for Health Statistics?
A. NPPES
B. ICD-9-CM
C. Claim status codes
D. HCPCS
2. You are employed by a small dentist office that has three
employees. Under the Administrative
Simplification Compliance Act, your office is
A. required to file claims electronically.
B. excluded from the mandate to file a claim electronically.
C. required to append a waiver form and file all claims
electronically.
D. required to file claims through paper submissions only.
3. Which of the following is the HIPAA standard code set for
diseases, injuries, and other health-related
medical problems?
A. HCPCS
B. National Drug Codes
C. CDT-4
D. ICD-9-CM
4. Dr. Madison's office calls an insurance company to determine
whether they have paid for Mr. Rossi's
last checkup visit. This procedure is known as a
A. referral authorization.
B. health care claim status inquiry.
C. functional acknowledgment.
D. remittance advice.
5. The agency of the federal government that combats fraud and
abuse in health insurance and health care
delivery is the
A. Centers for Medicare and Medicaid Services (CMS).
B. Health Care Fraud and Abuse Program.
C. Department of Justice (DOJ).
D. Office of the Inspector General (OIG).
6. Which of the following is the HIPAA standard code set for
dental services?
A. National Drug Codes
B. CDT-4
C. ICD-9-CM
D. Current Procedural Terminology
7. Which of the following advises covered entities about HIPAA
compliance problems uncovered by the
OIG?
A. corporate integrity agreement.
B. OIG Work Plan.
C. Health Care Fraud and Abuse Control Program.
D. OIG Fraud Alert.
8. The department of the federal government that investigates
criminal violations of the HIPAA privacy
standards is the
A. Department of Justice (DOJ).
B. Health Care Fraud and Abuse Program.
C. Centers for Medicare and Medicaid Services (CMS).
D. Office of the Inspector General (OIG).
9. A written document created by a health care provider that's
designed to prevent fraud and abuse by
outlining the process for finding, correcting, and preventing
illegal practices among their staff members is
called a(n)
A. compliance plan.
B. code of conduct.
C. audit report.
D. OIG Work Plan.
10. Which of the following are physicians, contractors, or
employees who have been found guilty of fraud,
and are therefore prevented from participating in Medicare,
Medicaid, and federal health care programs?
A. Excluded parties
B. Advisors
C. Relators
D. Self-referrers
11. On a HIPAA 277 transaction, a claim status code of "A"
indicates that
A. the claim has been finalized.
B. an error occurred in the transmission of the claim.
C. a request for more information has been sent.
D. the claim has been received.
12. Under the HIPAA transaction standards, the supplemental
health information that's provided to clarify
and support a health care claim is called a
A. paper claim.
B. implementation guide.
C. claim attachment.
D. remittance advice remark.
13. There are eight mandated transactions described under the
HIPAA transaction standards. The 270/271
transaction represents
A. an inquiry to an insurance company to determine if a claim
has been paid.
B. remittance advice that explains how a payment amount was
calculated.
C. a delivery of information to an insurance company to apply
payment to an individual's account.
D. an inquiry to an insurance company to check whether a
patient is covered for a specific service.
14. Under HIPAA, the nonmedical code sets that are used to
capture general information, such as state
abbreviations and payment explanations, are called
A. implementation guides.
B. administrative code sets.
C. ICD-9-CM codes.
D. CPT codes.
15. Which of the following statements about electronic medical
claims is correct?
A. Dentists are required to submit all claims electronically.
B. Medicare pays electronic claims in half the time required to
pay paper claims.
C. No covered entity is required to use electronic claims; they
may continue to send paper claims indefinitely.
D. Electronic claims are more expensive to send than paper
claims.
16. The annual list of the OIG's planned projects for sampling
billing in various settings (such as hospitals,
doctor's offices, and long-term care facilities) to check for
potential fraud is called the
A. OIG Work Plan.
B. Deficit Reduction Act.
C. corporate integrity agreement.
D. triggered review.
17. Which of the following is the second part of an 835 that
explains how the payment was arrived at?
A. Functional acknowledgment
B. Remittance advice
C. Claim payment status
D. Claim status inquiry
18. The Jefferson Pediatric group sends an 837 to the Rhode
Island Insurance Company. An 837 is a type
of HIPAA transaction that represents a
A. referral certification and authorization.
B. health care payment and remittance advice.
C. health plan enrollment.
D. health care claim.
19. A physician's office "upcoded" office visits to an insurance
provider in order to receive a higher
reimbursement for patient services. Upcoding is an example of
A. abuse.
B. benchmarking.
C. compliance.
D. fraud.
20. The federal law that prohibits physicians from making
self-interested referrals, or referrals in which
they have a financial interest or may receive a kickback, is
called
A. Deficit Reduction Act (DRA).
B. Sarbanes-Oxley Act.
C. Stark II.
D. False Claims Act (FCA).
End of exam
UNDERSTANDING HIPAA
Questions 1 to 20: Select the best answer to each question. Note
that a question and its answers may be split across a page
break, so be sure that you have seen the entire question and all
the answers before choosing an answer.
1. Under the HIPAA Security Standards, according to the
category of _______ standards, covered entities
are required to create policies and procedures that concern
authentication, transmission, and other issues
when electronic protected health information is accessed.
A. emergency
B. technical
C. administrative
D. physical
2. In a situation where a patient's protected health information
is required as evidence in a court of law, the
provider may release the information
A. only with the patient's approval.
B. upon the request of any attorney.
C. only if the patient signs a release form.
D. without the patient's approval upon receipt of a judicial
order.
3. Michael has just paid for a property and casualty insurance
policy for the Dalton Medical Clinic. How is
this type of insurance classified under HIPAA?
A. Property and casualty insurance policies are federally funded
clearinghouses.
B. Property and casualty insurance policies are not classified as
covered entities.
C. Property and casualty insurance policies are non-exempt
entities.
D. Property and casualty insurance policies are covered entities.
4. A provider instructs an administrative staff member to bill a
patient for a particular procedure. The
conversation is overheard by another patient who is sitting in
the waiting room. This situation would be
described as a(n)
A. incidental use and disclosure, which is not a violation of
HIPAA rules.
B. illegal disclosure of protected health information.
C. release of information, which is a violation of HIPAA rules.
D. disclosure of de-identified health information.
5. In an electronic healthcare information system, a type of
program that harms the information system,
and that's often brought into the organization through e-mail
attachments or Internet downloads, is called
A. a proxy server.
B. encryption.
C. a firewall.
D. malware.
6. In the United States, the main federal government agency
that's responsible for healthcare and that
administers the Medicare and Medicaid programs is
A. the American Health Information Management Association
(AHIMA).
B. the Centers for Medicare and Medicaid Services (CMS).
C. the American Medical Association (AMA).
D. the Health Care Financing Administration (HCFA).
7. To protect electronic health information, many covered
entities prevent employees from accessing the
information unless they have a certain job title or job function.
This type of technical security safeguard is
called
A. a firewall.
B. antivirus software.
C. encryption.
D. role-based authorization.
8. A pathology laboratory is contracted with Winchester
Hospital to review the hospital's biopsy specimens.
Under HIPAA, the laboratory would be classified as a(n)
A. business associate.
B. direct provider.
C. clearinghouse.
D. indirect provider.
9. A hospital's security system requires an individual's unique
fingerprint, voice pattern, facial pattern, or
eye/iris pattern to access protected health information. These
unique methods of individual identification
are known as
A. biometrics.
B. backup procedures.
C. audit controls.
D. digital certificates.
10. According to the HIPAA Security Standards for electronic
protected health information, issues such as
workstation security, facility access controls, and device
controls are covered under _______ standards.
A. physical
B. technical
C. administrative
D. organizational
11. To protect electronic health information, the information
may be transformed into an unreadable format
before it's distributed to anyone. This type of security safeguard
is called
A. antivirus software.
B. encryption.
C. a firewall.
D. password protection.
12. Which of the following statements about the HIPAA Privacy
Rules is correct?
A. It's a HIPAA violation if a provider's name appears on a
patient's telephone caller ID.
B. There are no restrictions on the use or disclosure of
de-identified health information.
C. Providers are required to provide the Notice of Privacy
Practices to patients receiving emergency treatment.
D. It's a HIPAA violation to have a patient sign-in sheet at a
facility's front desk.
13. Which of the following is the computer-to-computer transfer
of routine business information that has
helped healthcare businesses to greatly simplify their
administrative practices?
A. Treatment, Payment, and Health Care Operations (TPO)
B. Electronic data interchange (EDI)
C. Notice of Privacy Practices (NPP)
D. Group health plans (GHP)
14. Having a backup procedure for the computer systems in a
health clinic is an example of satisfying
A. a technical security standard.
B. an implementation specification.
C. a physical security standard.
D. an administrative security standard.
15. Any direct personal contact between a patient and a health
care provider in any place of service for the
diagnosis and treatment of an illness or injury is called a(n)
A. complaint.
B. encounter.
C. authorization.
D. liability.
16. Which of the following organizations creates and promotes
standards for the transfer of data to and
from the pharmacy services sector of the health care industry?
A. The National Committee on Vital and Health Statistics
(NCVHS)
B. The Strategic National Implementation Process (SNIP)
C. The National Drug Code (NDC)
D. The National Council for Prescription Drug Programs
(NCPDP)
17. Rachel receives health insurance through her job as a
privacy officer at the MEA clinic. She has just
resigned from her job, but the office manager tells her that
she'll be allowed to continue her health coverage
under the employer's plan for a limited time period, at a cost of
$395.00 per month. Which of the following
acts allows Rachel to continue her health care coverage with her
former employer?
A. FEHB
B. ERISA
C. IHP
D. COBRA
18. The Blue Ridge Surgery Group has developed a new Web
site that describes its services and benefits.
According to HIPAA rules, which of the following must be
included on the organization's Web site?
A. A complete description of all procedures provided
B. A list of the types of insurance they accept
C. A Notice of Privacy Practices
D. A listing of all physicians on staff and their professional
credentials
19. Frequently, electronic health information must be
transferred from one user to another over the Internet
or through a computer network. To ensure that the remote user
is authorized to receive the data, an
electronic authorization called a(n) _______ can be issued to
the remote users by a covered entity.
A. emergency access procedure
B. digital certificate
C. contingency
D. computer administrator
20. HIPAA refers to any item, collection, or grouping of
individually identifiable protected health
information as a
A. notice of privacy practices.
B. billing record.
C. designated record set.
D. health plan identifier.
End of exam
Study Guide
HIPAA Compliance
By
Jacqueline K. Wilson, RHIA
Reviewed By
Karen J. Fuller
About the Author
Jacqueline K. Wilson is a Registered Health Information
Administrator (RHIA) with more than 13 years of experience
managing, consulting, writing, and teaching in the health care
industry. She’s a professional writer who has authored training
manuals, study guides, and online courses, as well as articles
on a variety of topics. In addition, Ms. Wilson develops curricula
and teaches both traditional and online college courses in health
information technology, anatomy, medical terminology, standards
in health care, and other health care courses. She was previously
included in the distinguished national Who’s Who Among
America’s Teachers.
About the Reviewer
Karen Fuller, an RHIA and graduate in health information
management, has more than 13 years of experience in the health care
INSTRUCTIONS TO STUDENTS 1
LESSON ASSIGNMENTS 5
LESSON 1: UNDERSTANDING HIPAA 7
LESSON 2: IMPLEMENTING AND ENFORCING HIPAA 33
GRADED PROJECT 45
SELF-CHECK ANSWERS 51
INTRODUCTION
Welcome to your HIPAA Compliance course, which provides
information that’s essential for working in today’s health care
industry. This course covers the basic provisions of the
Health Insurance Portability and Accountability Act (HIPAA),
including what the act protects, how it affects patients and
providers, and how HIPAA is enforced.
OBJECTIVES
When you complete this course, you’ll be able to
• Discuss the main purposes for the passage of the Health
Insurance Portability and Accountability Act (HIPAA)
• Identify the key provisions of the HIPAA Administrative
Simplification standards
• Describe the health care professionals and facilities that
are covered entities under HIPAA
• Describe how health care personnel can comply with
HIPAA standards
• Explain the contents of a medical record as the source
of health information about patients
• Define protected health information (PHI) and electronic
protected health information (ePHI)
• Discuss the required content of the HIPAA Notice of
Privacy Practices (NPP)
• Explain patients’ rights regarding the use and disclosure
of their PHI
• Describe HIPAA’s administrative, physical, and technical
standards for the protection of ePHI
• Explain the purpose of the HIPAA Electronic Health Care
Transactions and Code Set standards
• Describe several types of HIPAA transactions
• List the HIPAA standards for medical code sets
• Describe how HIPAA’s rules are enforced
• Name the governmental agencies that are responsible
for HIPAA enforcement
YOUR TEXTBOOK
Your textbook, HIPAA for Allied Health Careers, by Cynthia
Newby, is the heart of this course. It contains the study
material on which your examinations will be based. We’ve
divided the textbook material into two lessons.
It’s very important that you read the material in the textbook
and study it until you’re completely familiar with it. It’s a
good idea to begin by skimming the contents at the front of
the book. This will give you an overview of the entire textbook.
Each chapter in your textbook opens with an outline, a list
of key terms, and some case examples that illustrate real-life
scenarios involving the HIPAA regulations. At the end of each
chapter, you’ll find a helpful summary of the information
you’ve just read. Use your chapter readings and the objectives
listed above to judge your understanding of the text
material before you take your examinations.
Your textbook also contains many helpful hints, compliance
tips, case studies, HIPAA cautions, and Internet resources
to further your understanding of the reading. There’s also a
glossary, an index, and an appendix of professional resources
at the back of the book.
COURSE MATERIALS
You should have received the following learning materials
for this course:
• Your textbook, HIPAA for Allied Health Careers, which
contains the assigned readings
• This study guide, which will help you to understand
the major ideas presented in the textbook in addition to
providing background information about specific topics
The study guide also includes
• Self-checks for each lesson
• Answers to the self-checks
A STUDY PLAN
In studying your assignments, be sure to read all of the
instructional material in both the textbook and the study
guide. Here’s a good plan to follow:
1. Note carefully the page where the assignment begins
and the page where it ends. These pages are indicated
in the Lesson Assignments section in this study guide.
2. Read the introduction to the assignment in the study
guide.
3. Read the designated pages for that assignment in the
textbook to get a general idea of their contents. Then
study the assignment, paying careful attention to all
details, including the compliance tips and HIPAA cautions
referenced in the text.
4. When you’re comfortable with the material for each
assignment, complete the self-check at the end of the
assignment in your study guide. When you’ve finished
the self-checks, compare your answers with those given
at the end of the study guide. If you’ve missed any questions,
go back and review the related topic. This review
will reinforce your understanding of the material.
5. Complete each assignment in this way.
6. When you feel that you understand all of the material
presented in the lesson assignments, you may complete
the examination for that lesson.
7. Follow this procedure for both of the two lessons.
8. Complete the Research Project after completing both
lessons.
Remember, at any time, you can contact your instructor for
information regarding the materials. The instructor can provide
you with answers to any questions you may have about
the course or your study materials.
Now you’re ready to begin Lesson 1.
Good luck!
Lesson 1: Understanding HIPAA
For:                 Read in the study guide:   Read in the textbook:
Assignment 1         Pages 8–14                 Chapter 1, Pages 1–19
Assignment 2         Pages 16–22                Chapter 2, Pages 25–52
Assignment 3         Pages 24–29                Chapter 3, Pages 59–82
Examination 460809   Material in Lesson 1
Lesson 2: Implementing and Enforcing HIPAA
For:                 Read in the study guide:   Read in the textbook:
Assignment 4         Pages 34–36                Chapter 4, Pages 89–109
Assignment 5         Pages 39–41                Chapter 5, Pages 114–144
Examination 460810   Material in Lesson 2
Graded Project 46081100
Note: To access and complete any of the examinations for this study
guide, click on the appropriate Take Exam icon on your “My Courses”
page. You shouldn’t have to enter the examination numbers. These
numbers are for reference only if you have reason to contact Student
Services.
Understanding HIPAA
INTRODUCTION
This first lesson is an introduction to the Health Insurance
Portability and Accountability Act of 1996, or HIPAA. The
provisions of the HIPAA law affect everyone who works in
the health care field, so it’s important to understand what
the law covers and how you need to comply with it. The
lesson contains three reading assignments.
Assignment 1 starts out with a description of the two basic
parts of the HIPAA law, Title I and Title II. Title I covers
health insurance reform. Title II includes HIPAA’s Administrative
Simplification rules. You’ll learn about the basic
goals and objectives of the HIPAA law in this assignment.
Assignment 2 reviews the HIPAA Privacy Standards, which
protect patients’ private health information in medical
records. A patient’s private health information can be
shared or disclosed only under specific circumstances
that are explained under the HIPAA rules.
Assignment 3 introduces the HIPAA Security Standards,
which describe how electronic information about patients
must be protected.
OBJECTIVES
When you complete this lesson, you’ll be able to
• Describe the major provisions of Title I and Title II
of HIPAA
• Identify the key provisions of the HIPAA Administrative
Simplification standards
• Describe the health care professionals and facilities
that are covered entities under HIPAA
• Explain the difference between a covered entity and
a business associate
• List five responsibilities of covered entities under the
HIPAA Privacy Rule
• Define protected health information (PHI) and electronic
protected health information (ePHI)
• Discuss the required content of the HIPAA Notice of
Privacy Practices (NPP)
• Explain the privacy standards relating to the release
of PHI for treatment, payment, and operations (TPO)
purposes
• Describe the situations in which authorization for release
of PHI must be obtained
• Name several major exceptions to the HIPAA release of
information requirements
• Explain patients’ rights regarding the use and disclosure
of their PHI
• List the three goals of the HIPAA security standards
• Compare and contrast risk analysis and risk
management
• Describe HIPAA’s administrative, physical, and technical
standards for the protection of ePHI
ASSIGNMENT 1
Read this introduction to Assignment 1. Then, read Chapter 1,
“The Goal of HIPAA: Administrative Simplification,” on
pages 1–19 in your textbook HIPAA for Allied Health Careers.
What Is HIPAA?
The Health Insurance Portability and Accountability Act of
1996 (HIPAA) was signed into law on August 21, 1996 by
the United States Congress. The main purpose of HIPAA is
to increase the efficiency and effectiveness of health care,
and to protect patient rights. It’s designed to help people
build trust in the health care system.
The law has two important parts, called Title I and Title II.
Title I of HIPAA provides a basis for ensuring the portability
of health insurance, which means that employees and their
families can keep their health insurance when workers
change jobs. Title II of HIPAA lays out specific rules that
health insurance plans, health care providers, and employers
must follow, and defines noncompliance penalties that can be
applied when rules are broken. It also contains provisions to
protect the privacy and security of people’s health care data.
HIPAA was created to help with several important problem
areas within the health care industry. The law was designed to
• Improve the portability and continuity of health care
coverage in insurance markets
• Combat waste, fraud, and abuse in the health care
system, and also in the insurance industry
• Improve access to long-term care
• Simplify health insurance administration
• Provide a means to pay for reforms
• Protect the privacy of a patient’s personal information
and health care data
• Provide for the electronic and physical security of
personal information and health care data
• Simplify billing and other health care transactions
The areas in which the enactment of HIPAA has most affected
health care include the following:
• The privacy of health information
• The establishment of standards for electronic transactions
(such as electronic medical records, insurance
claims, and so on)
• The security of electronic health information (such as
electronic medical records)
HIPAA’s Two Titles
HIPAA is a complex federal legislative act that’s organized
into two parts: Title I and Title II. Each part covers different
health care topics. Let’s take a closer look at each of these
parts now.
HIPAA Title I: Health Insurance Reform
Title I of the HIPAA act provides individuals with rights relating
to their insurance portability when they change jobs.
Title I also outlines certain requirements for government-based
medical coverage (such as Medicare and Medicaid)
and private insurance. Under the HIPAA rules, individuals
who apply for medical insurance coverage under Medicare
can’t be denied insurance because of a preexisting medical
condition. Title I of HIPAA also regulates the insurance
30. coverage that’s provided through private insurance compa-
nies, such as employer-sponsored group health plans (the
insurance people receive through their employers). Federal
programs, such as Medicare and Medicaid, are also covered
by other federal laws.
Hint: Be sure to review pages 4–5 in your textbook to get a
brief overview of the different types of private health insur-
ance plans that are available for employees and retired
employees.
Employer-sponsored group health insurance plans are
regulated by the Employee Retirement Income Security Act
of 1974 (ERISA). Most other health insurance plans (that is,
other than employer-sponsored health insurance plans) are
regulated by state-based insurance commissions. Each state’s
department of insurance creates coverage requirements for
the various plans sold in that state.
The Consolidated Omnibus Budget Reconciliation Act (COBRA)
is a law that gives employees who are leaving a job the
opportunity to continue their health insurance coverage under
their employer’s plan, so that they don’t have a gap in medical
insurance. Under COBRA, the employee continues to pay for
insurance under the employer’s plan, usually at a higher rate
than he or she paid as an active employee, because the employer
no longer contributes its share of the premium. However, the
rate is still usually lower than the employee would have to pay
for a new individual insurance policy that isn’t group-based
through the employer.
HIPAA Title II: Administrative Simplification (AS)
The Administrative Simplification (AS) provisions of Title II
of the HIPAA act required the United States Department of
Health and Human Services (HHS) to establish national standards
for the security of electronic health care information.
The final rule adopting the HIPAA standards for security was
published in the Federal Register on February 20, 2003. This
final rule specifies a series of administrative, physical, and
technical safeguards that covered entities must implement to
ensure the confidentiality, integrity, and availability of
electronic protected health information.
The main goal of the Administrative Simplification (AS) provisions
is to cut costs and reduce administrative overhead in
the health care field. In addition, the AS provisions encourage
organizations to use electronic data interchange (EDI)
transactions. EDI is the computer-to-computer exchange of
business documents (such as claims and remittance advices) in
a standard, machine-readable format.
Specifically, Title II gives the Department of Health and
Human Services the authority to do the following:
• Mandate the use of standards for the electronic exchange
of health care data
• Specify what medical and administrative code sets
should be used within those standards
• Require the use of national identification systems for
health care patients, providers, payers, and employers
• Specify the types of measures required to protect the
security and privacy of individually identifiable health
information (IIHI)
It’s important to understand the difference between the terms
privacy and security as they relate to health information.
You can think of it like a sealed letter that’s kept in a locked
mailbox. A sealed envelope keeps the letter private, and
prevents people from reading the letter’s contents by accident.
However, only the locked mailbox will keep the letter secure,
and prevent someone from stealing the letter. In HIPAA terms,
privacy is about who is permitted to see and use a person’s
health information and for what purposes, while security is
about the safeguards (administrative, physical, and technical)
that enforce those limits and protect the information from loss,
theft, or tampering. When you’re dealing with a person’s sensitive
health care details, you need to keep the information private
(only the patient and authorized professionals should be able to
see it or hear it) and you need to keep it secure (protect it from
being stolen or altered). These are the exact reasons why the
HIPAA rules were created.
Covered Entities
Covered entities are all of the organizations that are required
to follow HIPAA regulations by state and federal laws.
Covered entities provide care to patients during the normal
course of business, and they also send protected information
electronically. The Administrative Simplification (AS) stan-
dards under HIPAA defines covered entities as any of the
following:
• A health care provider. Note that a health care provider
is any health care professional or organization (such
as a doctor, hospital, or clinic) that provides medical
and health care to individuals, and that conducts certain
transactions in electronic form.
• A health care clearinghouse. A health care clearinghouse
is an entity that processes health information it receives
from another entity, converting it from a nonstandard format
into a standard one (or from a standard format into a
nonstandard one). In simple terms, this means a medical
billing service, community health information system,
or other similar company.
• A health care plan. A health care plan refers to health
insurance coverage by a group, organization, or person
that pays for and administers the health insurance.
Many types of health insurance plans are included in the
HIPAA regulations, including the following:
  • Employer-provided group health plans
  • Preferred provider organizations (PPOs)
  • Health maintenance organizations (HMOs)
  • Federal insurance agencies (Medicare and Medicaid)
  • Long-term care insurance plans
  • Medicare supplemental insurers
  • The TRICARE program (for military personnel)
  • The CHAMPVA program (for veterans)
  • Indian Health Service programs (for Native Americans)
  • Federal Employees Health Benefits (FEHB)
  • State-based child health care plans (such as CHIP)
However, there are also some types of medical insurance
benefits that fall outside of the HIPAA standards. These
types of benefits include disability income, accident income,
automobile liability insurance, general liability insurance,
workers’ compensation, or medical payments that occur
through an automobile insurance policy.
Providers
Under the HIPAA regulations, these covered entities are
health care providers who bill for services that are provided
to a patient during the normal course of business. A provider
submits a claim to the patient’s insurance carrier (such as
a private insurance agency, Medicare, or Medicaid) in order
to receive payment for the services he or she provided to
the patient. The services provided can include an annual
checkup, a diagnostic test, a laboratory test, a preventive
screening, or a surgical procedure, as well as diagnosis,
treatment, and care for an illness. The covered provider
entities may be a hospital, skilled nursing facility, outpatient
rehabilitation facility, hospice organization, home health
organization, pharmacy, physician’s office, dental office,
chiropractor, podiatrist, therapist, or laboratory.
Business Associates
Sometimes, a covered entity will retain an outside person
or business to perform a function on the entity’s behalf,
who will also need to have access to the covered entity’s
protected health information. According to HIPAA, these outside
professionals are called business associates. Some common
examples of business associates are the following:
• Medical billing companies
• Law offices
• Accountants
• Information technology (IT) contractors
• Medical transcription companies
• Collection agencies
• Third-party claim administrators (TPAs)
These business associates must follow HIPAA standards
in order to do business with a covered entity.
After you’ve carefully read pages 1–19 in the textbook HIPAA
for Allied Health Careers, complete Self-Check 1. Check your
answers with those provided at the back of this study guide.
When you’re sure that you understand the material from
Assignment 1, move on to Assignment 2.
Self-Check 1
At the end of each section of HIPAA Compliance, you’ll be
asked to pause and check your understanding of what you’ve
just read by completing a “Self-Check” exercise.
Answering these questions will help you review what you’ve
studied so far. Please complete Self-Check 1 now.
Questions 1–8: Indicate whether each statement is True or False.
______ 1. Title II of HIPAA expands the COBRA law with additional continuation of coverage.
______ 2. HIPAA’s Administrative Simplification rules prohibit the use of electronic data interchange (EDI).
______ 3. Examples of covered entities under HIPAA include health plans, health care providers, and health care clearinghouses.
______ 4. Title I of HIPAA covers the Privacy and Security Rules.
______ 5. A health care clearinghouse provides insurance to a patient.
______ 6. If business associates want to do business with a covered entity, they must follow HIPAA standards.
______ 7. Under the concept of preemption, state laws supersede HIPAA rules in most situations.
______ 8. The Centers for Medicare and Medicaid Services (CMS) is responsible for enforcing the HIPAA privacy standards.
Questions 9–12: Select the one best answer to each question.
9. According to HIPAA, home-based medical coders, third-party claim administrators, and medical transcription companies are defined as
a. clearinghouses.
b. health care providers.
c. covered entities.
d. business associates.
10. Which of the following is another name for Title II of HIPAA?
a. Administrative Simplification
b. COBRA
c. NPRM
d. Health Insurance Reform
11. Which of the following is an agency of the HHS that’s charged with enforcing privacy standards?
a. The Office of Management and Budget (OMB)
b. The Office of Personnel Management (OPM)
c. The Office for Civil Rights (OCR)
d. The Office of the Inspector General (OIG)
12. The health care organizations that are required by law to obey the HIPAA regulations are called
a. employers.
b. covered entities.
c. business associates.
d. facility directors.
Check your answers with those on page 51.
ASSIGNMENT 2
Read this introduction to Assignment 2. Then, read Chapter 2,
“The HIPAA Privacy Standards,” on pages 25–52 in your textbook
HIPAA for Allied Health Careers.
The Medical Record
The HIPAA privacy standards include guidelines for electronic
medical records. The information in a medical record is the
documentation that relates to a patient’s illness, course of
treatment, and care. Medical records are considered to be
legal documents, and they may be very important documentation
in court cases (for example, if a physician or a hospital
is sued by a patient).
According to state and federal laws, health care professionals
are required to include specific information in a patient’s
medical record to document every encounter with the patient.
An encounter is defined as any patient visit with a physician
or other qualified health care provider (such as a nurse
practitioner, therapist, or physician assistant) to diagnose
a condition or treat an illness or injury.
To document a patient encounter, the provider must include
the following information, at a minimum:
• The patient’s name
• The date of the encounter
• The reason for the encounter
• A documented medical history and physical examination
• A review of laboratory and diagnostic tests, if performed
• A review of medications, if the patient was prescribed drugs
• A diagnosis
• A plan of care or notes that identify the procedures and
treatments given
• The signature of the provider who saw the patient
What Is Protected Health Information?
Under the federal Privacy Rule, protected health information
(PHI) is individually identifiable health information that a
covered entity (or its business associate) creates, receives,
maintains, or transmits in any form or medium: electronic,
paper, or oral. The electronic subset is called electronic
protected health information (ePHI), and it is what the Security
Rule covers. Health information is individually identifiable
when it identifies the person, or when there’s a reasonable
basis to believe it could be used to identify the person.
Identifiers that make health information PHI include any of the
following:
• A person’s name
• Home address
• Names of relatives
• Name of employer
• Date of birth
• Home telephone number or fax number
• Personal e-mail address
• Social Security number
• Medical record number
• Health insurance plan beneficiary number or account number
• Driver’s license number
• Vehicle serial number
• Web site address
• Fingerprints
• Photograph
Protected health information also includes data about sensitive
health conditions that patients usually want to keep very
private, such as alcohol and drug dependence, mental health
issues, sexually transmitted diseases, infectious diseases,
and HIV or AIDS. HIPAA itself gives extra protection to
psychotherapy notes (their release generally requires the
patient’s written authorization), and other federal and state
laws (for example, the federal confidentiality rules for
substance use disorder treatment records) often impose stricter
standards for these conditions than HIPAA does.
Individually identifiable health information may reside on or
travel via electronic avenues, such as the Internet, extranets
and intranets, leased lines, dial-up lines, private networks,
magnetic tape, and compact disk media.
Minimum Necessary Standard
The minimum necessary standard is a component of the
HIPAA Privacy Rule that limits the use and disclosure
of protected health information. The standard requires
hospitals, insurance plans, health care providers, and
other covered entities to make reasonable efforts to limit
PHI to the “minimum necessary” amount needed to accomplish
the purpose of a use, disclosure, or request, including what
individual employees need to do their jobs. For example, in a
health clinic, the information in a patient’s electronic medical
record would be available only to the doctor providing services
and to the office employee who’s recording and billing the
services, and the billing employee would see billing data rather
than the full clinical history. The private health information
wouldn’t be available to all of the clinic’s employees. These
procedures reduce the risk of someone accessing or disclosing
protected health information improperly. Note that the standard
doesn’t apply to disclosures to (or requests by) a health care
provider for treatment, to disclosures to the patient, or to uses
and disclosures the patient has authorized in writing.
Business Associates and PHI
The HIPAA Privacy Rule defines business associates (BAs) as
individuals or organizations that perform functions or services
on behalf of a covered entity that involve PHI, such as medical
billers, accountants, lawyers, accreditation agencies, and other
independent contractors that provide such services. When the
Privacy Rule was first issued, business associates weren’t
directly regulated by HIPAA, so it was up to the covered entity
to ensure that patients’ PHI was protected when business
associates came into contact with the information. Since the
HITECH Act of 2009 and the 2013 Omnibus Rule, business associates
(and their subcontractors) are directly liable under HIPAA for
compliance with the Security Rule and with the Privacy Rule
provisions that apply to them, and can be penalized themselves.
For example, in the course of preparing tax documents,
a physician’s accountant might need to review claims and
bills that contain individually identifiable health information.
To ensure that the PHI will be held in confidence, the HIPAA
Privacy Rule requires that covered entities have written
contracts (business associate agreements) with their business
associates that specify the permitted uses and disclosures of
PHI and require appropriate safeguards. A covered entity that
knows of a pattern of violations by a business associate and
doesn’t take reasonable steps to stop it is itself in violation
of the rule.
Notice of Privacy Practices (NPP)
The Notice of Privacy Practices (NPP) is a document that out-
lines the privacy policies and procedures of a physician’s
office or hospital. The NPP tells the patient how the facility
will use his or her medical information, how it will disclose
this information, and how it will protect the information.
The NPP also tells patients how they can access their own
medical information.
It’s very important that employees receive proper training to
ensure that everyone understands the HIPAA rules. Patients
must also be informed of the HIPAA rules that protect them.
Usually, a doctor’s office will provide each patient with a
Notice of Privacy Practices document one time. Then, the
patient will be asked to sign a separate form called an
Acknowledgment of Receipt of Notice of Privacy Practices.
The acknowledgment form states that the patient has received
the notice of privacy practices and has had the opportunity to
read about his or her rights regarding the privacy of his or her
health information.
HIPAA requires every health care provider to make a good-faith
attempt to have each patient sign the acknowledgment form. The
health care provider must
• Provide a full notice of privacy practices (not a summary)
to each patient at least once
• Obtain a signed acknowledgment from the patient that
he or she received the NPP
• Keep the signed acknowledgment form in the patient record,
or a description of a good-faith attempt to get a signed
acknowledgment
• Document a patient’s refusal to sign (if the patient refuses)
and retain it in the patient record
Most importantly, the provider is not allowed to refuse treatment
if the patient refuses to sign the acknowledgment.
It’s the responsibility of an organization’s appointed HIPAA
(privacy) officer to ensure that all employees are trained in the
HIPAA rules. HIPAA requires that training records, like the other
documentation the rules call for, be kept on file for six years.
The rules require each new workforce member to be trained within
a reasonable time after joining, and retraining whenever a
material change in policies or procedures affects an employee’s
responsibilities. Many organizations also schedule an annual
refresher on HIPAA policies and procedures, although HIPAA itself
doesn’t set a fixed interval.
Disclosure of PHI
The term disclosure refers to the release, transfer, or provi-
sion of protected health information to someone outside the
entity that holds the information. For example, a doctor’s
office would be the entity holding a patient’s private informa-
tion, and anyone else who requests to see that information
(such as an insurance carrier) would be an outside entity.
In some cases, PHI can be released to outside entities with-
out special permission; in other situations, the patient must
provide a specific authorization for PHI to be disclosed.
In the ordinary process of providing medical care, it’s
sometimes necessary for a patient’s private information
to be disclosed to others. For example, a doctor’s office
may need to provide PHI to a hospital, or to another doctor’s
office where a patient is being treated. Or, the patient’s
insurance company may need to see a patient’s PHI in order
to pay a claim. These necessary, everyday situations are
called treatment, payment, and health care operations (TPO)
under HIPAA. Disclosures of health information are permitted
for TPO without special authorization.
However, there are also some circumstances in which restric-
tions will apply to the release of PHI. If PHI is to be released
for some purpose other than treatment, payment, or health
care operations, the patient must be asked to sign a written
authorization to release the information.
An authorization is simply permission to do something. In
relation to protected health information, an authorization
means that the patient gives permission for his or her PHI
to be shared or disclosed for some reason. For example, a
patient may give written authorization for PHI to be used in a
research study or for marketing purposes, or to be disclosed
to relatives or an employer.
Your textbook describes a number of situations where a
patient’s written authorization will be required to release PHI.
It also reviews the rights of patients as related to accessing
their own health care information. Be sure to review these
concepts carefully.
After you’ve carefully read pages 25–52 in the textbook HIPAA
for Allied Health Careers, complete Self-Check 2. Check your
answers with those provided at the back of this study guide.
When you’re sure that you understand the material from
Assignment 2, move on to Assignment 3.
Self-Check 2
Questions 1–6: Indicate whether each statement is True or False.
______ 1. The HIPAA Privacy Rule was the first federal law designed to protect the privacy of health information.
______ 2. A provider isn’t allowed to treat a patient unless he or she signs an Acknowledgement of Receipt of Notice of Privacy Practices.
______ 3. Protected health information includes any data that can identify a unique individual.
______ 4. A covered entity must have a signed authorization in order to use a patient’s protected health information for marketing.
______ 5. Patients can file a complaint to the Office for Civil Rights when their privacy has been violated by a health care provider.
______ 6. A provider can’t send a patient’s PHI to a health insurance plan for payment without a signed authorization from the patient.
Questions 7–12: Select the one best answer to each question.
7. According to HIPAA rules, what is the minimum amount of time that a provider must retain a patient’s signed Acknowledgment of Receipt of Notice of Privacy Practices?
a. 10 years
b. 6 years
c. 1 year
d. 3 years
8. A medical record that’s stored in a combination of paper forms and electronic forms is called a
a. designated record set.
b. minimum necessary record.
c. hybrid record.
d. de-identified record.
9. The release, transfer, provision of access to, or divulging of protected health information outside the entity that holds the information is called
a. authorization.
b. incidental use.
c. documentation.
d. disclosure.
10. Patients who observe privacy problems in their provider’s offices can complain to the
a. Office for Civil Rights (OCR).
b. Department of Health and Human Services (HHS).
c. National Center for Health Statistics.
d. Office of the Inspector General (OIG).
11. A correction of a finalized entry in a medical record that has been identified as incorrect is called a(n)
a. incident.
b. disclosure.
c. complaint.
d. amendment.
12. According to the HIPAA Privacy Rule, which of the following is considered to be a part of a designated record set?
a. Requests for lab tests
b. Billing records
c. Appointment schedules
d. Birth records
Check your answers with those on page 51.
ASSIGNMENT 3
Read this introduction to Assignment 3. Then, read Chapter 3,
“The HIPAA Security Standards,” on pages 59–82 in your text-
book HIPAA for Allied Health Careers.
The HIPAA Security Rule
This part of your textbook reviews the details of the HIPAA
Security Rule, which describes the administrative, physical,
and technical safeguards that are needed to keep protected
health information safe, and prevent unintended disclosures.
According to the HIPAA Security Rule, covered entities must
have security standards in place to protect PHI that’s stored
or transmitted in electronic form (that is, on computer sys-
tems) from improper usage and disclosure.
Administrative safeguards include establishing office security
policies and procedures, and training staff on how to access
information securely.
Physical safeguards include limiting the physical access to
the computer systems on which electronic PHI is stored.
Technical safeguards are the technology, and the policies and
procedures for its use, that control access to ePHI: unique user
identification, passwords and other authentication methods,
encryption of stored and transmitted data, and audit logging.
Electronic Protected Health Information
One important point about the HIPAA Security Rule is that
it focuses on electronic health information, and doesn’t deal
with the security of paper medical records or documents. (In
contrast, the HIPAA Privacy Rule protects health information
in any format, whether it’s paper, electronic, or oral.)
Remember that a patient’s protected health information (PHI)
includes any individually identifiable information in any
form, including name, address, Social Security number,
birth date, telephone number, e-mail address, and hospital
admission number (or patient number).
The main purposes of the HIPAA security standards are to
• Ensure the confidentiality of electronic patient health
information
• Ensure the integrity of electronic patient health
information
• Ensure the availability of electronic patient health
information, so that authorized people can get to it when
it’s needed
Note that the HIPAA security standards don’t outline specific
actions that a covered entity must take to protect electronic
patient information. Instead, the standards provide goals
and examples that organizations can follow to protect health
information. Each standard is broken down into implementation
specifications, some of which are required and some of which
are “addressable.” For an addressable specification, the covered
entity must assess whether it’s reasonable and appropriate in
its environment, and then either implement it or document why
not and what alternative measure it adopted instead. Individual
covered entities are therefore allowed to have different security
policies and procedures that are appropriate for their size,
resources, and the type of care they provide.
Threats to Information Security
Even though patient information is probably safer when
stored in an electronic medical record than in paper form,
it doesn’t mean that the information can’t be damaged or
lost. Computers and other electronic storage media are
vulnerable to a number of different threats that can damage
or destroy stored information. The following are some of the
common ways in which the security of protected health
information can be threatened:
• Natural disasters, such as fires, floods, earthquakes,
and explosions
• Power loss or utility outages
• Malware (such as computer viruses) or computer hacking
• Problems during computer updates or upgrades
• Deliberate theft or sabotage by employees or contractors
Note that malware is any type of harmful computer program
that can be transmitted into a computer system, typically
through e-mail attachments or Internet downloads. Malware
can damage, destroy, steal, or encrypt for ransom the data that’s
stored on a computer or a connected storage device. A covered
entity reduces this risk by installing, and keeping up to date,
antivirus software on individual employees’ computers and on
the organization’s network. Antivirus software can detect and
remove many known malicious programs before they damage stored
data, but it won’t catch everything, so it must be combined with
prompt software patching, limited user privileges, and tested
backups.
Important data may be damaged or lost during computer
updates or upgrades, or when new computers or software
programs are installed. Therefore, it’s very important that
established procedures be followed carefully at all times.
An additional threat can come from the unauthorized access
of data by employees or others who have access to computer
systems. For example, someone may attempt to access data
for the purposes of identity theft. In hospitals or doctor’s
offices that service celebrity patients, employees may try
to obtain information to disclose or sell to the media. Or,
a disgruntled employee may access patient information
or cause damage to the organization’s computerized data
to seek revenge on the employer.
Because of these internal and external threats to computer
systems, it’s critical to ensure that patient information is
kept secure. One way to do this is to appoint a security
officer who will be responsible for developing security plans
and evaluating their effectiveness.
Your textbook describes a variety of methods that can be
used to protect stored computer data, including firewalls,
passwords, encryption, locks, and antivirus software. Be
sure to review these carefully.
Administrative Standards
A large part of the HIPAA Security Rule covers administrative
standards for protecting electronic health information. The
administrative standards describe policies and procedures
that covered entities must implement in the workforce to
protect patients’ private information. The administrative
standards include the following nine key requirements:
1. The covered entity must perform a risk analysis, and
then develop a plan to manage the risk.
2. The covered entity must appoint a security officer to
manage security policies.
3. Each employee must be allowed only the minimum
necessary access to PHI.
4. Employees must have authorization to access
information.
5. Employees must receive security training.
6. A procedure must be prepared to address security
incidents.
7. The covered entity must have a contingency plan to
protect PHI in a disaster.
8. The covered entity must periodically evaluate and update
its security procedures.
9. If the covered entity has any business associates, there
must be wording in their contracts that require HIPAA
compliance.
This is only a brief summary of the nine main provisions of
the HIPAA administrative standards. Your textbook describes
these topics in much greater detail, so be sure to examine
this information carefully.
Physical Standards
Physical security refers to the protection of the environment
where PHI is stored. This includes the building, rooms,
equipment, and computer hardware where a covered entity
keeps its records. The physical safeguards that are used to
protect information at a doctor’s office, hospital, or insurance
company are the same things that would be used to protect
expensive merchandise in a retail store (such as diamonds
in a jewelry shop), and may include
• Locks on doors
• Alarm systems
• Video surveillance monitors
• Fire detection equipment
• Patrolling security guards
It’s important to remember that while PHI must be protected
from unauthorized access, there will also be times when
employees will need to access the information for regular
treatment, payment, and health care operations. Thus, there
must be a careful balance between allowing appropriate
access and limiting improper access. The patients’ private
information must be protected, but at the same time, you
can’t make it so difficult to access information that the daily
office activities are slowed to a crawl.
The HIPAA physical security standards include the following
four main provisions:
1. Only authorized persons should be allowed to enter the
building.
2. The access to PHI on workstations should be limited to
“minimum necessary.”
3. Workstations must be protected from theft or removal.
4. The use of devices, such as backup tapes and flash
drives, must be controlled.
Technical Standards
Technical safeguards refer to the procedures and policies for
using technology, and the related control of access to data.
The HIPAA standards don’t require that any specific methods
be used; they simply provide security guidelines.
Some of the key provisions of the technical safeguards
include the following requirements:
• Access to ePHI must be limited to authorized individuals
and software programs, and each user must have a unique
identifier.
• Covered entities must protect the integrity of ePHI, that is,
keep it from being altered or destroyed in an unauthorized
way.
• Person or entity authentication must verify that someone
seeking access to ePHI is who he or she claims to be.
• Covered entities must guard against unauthorized access to
ePHI while it’s transmitted over an electronic network (for
example, by e-mail), using integrity controls and encryption
where appropriate.
• Covered entities must implement audit controls that record
and examine activity in systems that contain or use ePHI.
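The integrity and transmission-security provisions in the list above are easiest to understand with a concrete mechanism. The following is an added example, not code from the textbook or from any EHR product: it attaches a keyed integrity tag (HMAC-SHA256, from the Python standard library) to a record before it is stored or sent, verifies the tag on receipt, and shows why an unkeyed checksum is not an integrity control against a deliberate attacker. The record fields, the key, and the “attacker” are constructed for illustration; how the key is shared between sender and receiver is assumed to be handled out of band.

```python
import hashlib
import hmac
import json
import secrets


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record the same way every time, so the same content
    always produces the same tag regardless of dictionary ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag computed under `key`. Only a holder of the
    key can produce a tag that will verify, which is what makes this an
    integrity control rather than a mere checksum."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": dict(record), "tag": tag}


def verify_record(sealed: dict, key: bytes) -> bool:
    """Recompute the tag for the received record and compare it in constant
    time, so timing differences don't leak how many characters matched."""
    expected = hmac.new(key, canonical_bytes(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def unkeyed_checksum(record: dict) -> str:
    """A plain hash with no key. It detects accidental corruption only:
    anyone who can change the record can also recompute this value."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def tamper(sealed: dict, field: str, value) -> dict:
    """Simulate an attacker who alters one field in transit but has no key.
    The original tag is carried along unchanged because it cannot be recomputed."""
    changed = {"record": dict(sealed["record"]), "tag": sealed["tag"]}
    changed["record"][field] = value
    return changed


def demo() -> tuple:
    """Walk through the three outcomes: intact record verifies, tampered
    record is detected, and an unkeyed checksum fails to detect the same
    tampering. Returns (intact_ok, tamper_detected, checksum_still_matches)."""
    key = secrets.token_bytes(32)  # assumed shared between sender and receiver
    record = {"mrn": "MRN-1001", "name": "Pat Example",
              "diagnosis": "bronchitis", "medications": "albuterol"}

    sealed = seal_record(record, key)
    intact_ok = verify_record(sealed, key)

    forged = tamper(sealed, "medications", "warfarin 10 mg")
    tamper_detected = not verify_record(forged, key)

    # Same attack against a record protected only by an unkeyed hash: the
    # attacker edits the field and recomputes the checksum, and it "verifies".
    weak = {"record": dict(record), "checksum": unkeyed_checksum(record)}
    weak["record"]["medications"] = "warfarin 10 mg"
    weak["checksum"] = unkeyed_checksum(weak["record"])
    checksum_still_matches = weak["checksum"] == unkeyed_checksum(weak["record"])

    return intact_ok, tamper_detected, checksum_still_matches


if __name__ == "__main__":
    print(demo())
```

An HMAC gives integrity and proof that the sender held the key; it does not hide the record’s contents. Satisfying the transmission-security bullet therefore still requires encrypting the channel (for example, TLS) or the record itself, with the tag protecting against modification in flight.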
Note that authentication is the process of proving who you are
before you can access private information on a computer system.
Authentication can be based on something you know (a password),
something you have (a key, an ID card, or a hardware token), or
something you are (a biometric feature such as a fingerprint,
voice pattern, or eye pattern), and stronger systems combine more
than one of these. Unique user identification is required for
every employee who needs access to PHI; shared accounts make it
impossible to tell from the logs who actually did what.
If an outside entity needs to access data on an organization’s
computer system over a network or through an Internet
connection, the outside entity can be required to present a
digital certificate for identification. A digital certificate is
an electronic file, issued and signed by a certificate authority,
that binds the identity of an individual or organization to a
cryptographic key; the holder proves that it controls the
matching private key, which is what actually authenticates it.
Audit controls are hardware, software, or procedural mechanisms
that record and examine activity in systems that contain ePHI.
They establish audit trails that log, at a minimum, which user
accessed which part of the electronic medical record, when, and
whether the access succeeded, so that a security officer can
review the trail and spot access that doesn’t match an
employee’s job or patient assignments.
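The minimum necessary standard described under the Privacy Rule and the technical safeguards above (unique user identification, role-based authorization, and audit controls) are usually enforced by the same piece of software: the layer that mediates every read of a record. The following is an added example, not code from the textbook or from any EHR vendor. It filters each request down to the fields the caller’s role needs, writes an audit entry for every attempt whether it succeeds or not, and includes the review query a security officer would run to catch the insider case mentioned earlier (a clinician reading a patient they are not treating). The roles, field groupings, user IDs, patient records, and treatment assignments are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed access policy: each role sees only the record fields its job
# needs ("minimum necessary"). The field groupings are illustrative assumptions.
ROLE_FIELDS = {
    "physician":  {"name", "dob", "history", "diagnosis", "medications", "plan"},
    "nurse":      {"name", "dob", "medications", "plan"},
    "billing":    {"name", "dob", "insurance_id", "diagnosis_codes"},
    "front_desk": {"name", "dob", "phone"},
}

# Roles whose reads are expected to match a treatment relationship.
CLINICAL_ROLES = {"physician", "nurse"}

# Constructed sample records, keyed by medical record number (MRN).
RECORDS = {
    "MRN-1001": {"name": "Pat Example", "dob": "1970-01-01", "phone": "555-0100",
                 "history": "asthma", "diagnosis": "bronchitis",
                 "diagnosis_codes": "J40", "medications": "albuterol",
                 "plan": "inhaler, recheck in 2 weeks", "insurance_id": "PLAN-4242"},
    "MRN-1002": {"name": "Sam Sample", "dob": "1985-06-15", "phone": "555-0101",
                 "history": "none", "diagnosis": "ankle sprain",
                 "diagnosis_codes": "S93.4", "medications": "ibuprofen",
                 "plan": "rest and ice", "insurance_id": "PLAN-5151"},
}


@dataclass(frozen=True)
class AuditEntry:
    """One audit-trail record: who asked for what, and what was released."""
    timestamp: str
    user_id: str
    role: str
    mrn: str
    requested: tuple
    released: tuple
    outcome: str


class EphiGateway:
    """Mediates every read of a record: unique user ID, role-based field
    filtering, and an audit entry for every attempt, successful or not."""

    def __init__(self, users, treatment_relationships):
        self.users = dict(users)  # user_id -> role (unique IDs, never shared accounts)
        self.relationships = {u: set(m) for u, m in treatment_relationships.items()}
        self.audit_log = []

    def _log(self, user_id, role, mrn, requested, released, outcome):
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user_id, role or "unknown",
            mrn, tuple(sorted(requested)), tuple(sorted(released)), outcome))

    def access(self, user_id, mrn, fields):
        """Return the requested fields the caller's role is allowed to see.
        Unknown users and unknown records are refused outright; known users
        get the permitted subset, and anything withheld is recorded."""
        role = self.users.get(user_id)
        requested = set(fields)
        if role is None or mrn not in RECORDS:
            self._log(user_id, role, mrn, requested, (), "denied")
            raise PermissionError(f"access denied: user={user_id!r} mrn={mrn!r}")
        allowed = requested & ROLE_FIELDS[role]
        outcome = "granted" if allowed == requested else ("partial" if allowed else "denied")
        self._log(user_id, role, mrn, requested, allowed, outcome)
        return {f: RECORDS[mrn][f] for f in allowed}

    def flag_suspicious(self):
        """Review step for the security officer: clinical staff reading records
        of patients they aren't assigned to. The read isn't blocked (treatment
        must not be held up), but it is surfaced for follow-up."""
        return [e for e in self.audit_log
                if e.role in CLINICAL_ROLES
                and e.mrn not in self.relationships.get(e.user_id, set())]


def build_demo_gateway():
    """Constructed users and treatment assignments for the walkthrough."""
    return EphiGateway(
        users={"dr_lee": "physician", "rn_kim": "nurse", "fd_ortiz": "front_desk"},
        treatment_relationships={"dr_lee": ["MRN-1001"], "rn_kim": ["MRN-1001"]},
    )


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.access("dr_lee", "MRN-1001", ["name", "diagnosis", "insurance_id"]))
    print(gw.access("fd_ortiz", "MRN-1002", ["diagnosis"]))
    gw.access("rn_kim", "MRN-1002", ["medications"])  # nurse not assigned to this patient
    for entry in gw.flag_suspicious():
        print("REVIEW:", entry.user_id, "read", entry.released, "from", entry.mrn)
```

Two design points are worth noticing. The physician’s request for `insurance_id` is trimmed rather than rejected, so the clinical workflow isn’t interrupted but the log still shows what was withheld. And the nurse’s read of an unassigned patient is allowed but flagged: the gateway can’t know whether it was a legitimate covering shift or snooping, so it records the facts and leaves the judgment to the review process that the administrative standards require.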
After you’ve carefully read pages 59–82 in the textbook HIPAA
for Allied Health Careers, complete Self-Check 3. Check your
answers with those provided at the back of this study guide.
When you’re sure that you understand the material from these
three assignments, complete the examination for Lesson 1.
Self-Check 3
Questions 1–10: Indicate whether each statement is True or False.
______ 1. Under HIPAA, computer passwords are examples of administrative safeguards that protect ePHI.
______ 2. The process of creating policies and procedures to protect ePHI is called risk analysis.
______ 3. The process of ensuring that someone is in fact who he or she claims to be is called authentication.
______ 4. The HIPAA Security Rule covers any PHI that’s in an electronic format.
______ 5. Locks on the doors to the computer room are examples of technical safeguards that protect ePHI.
______ 6. Security includes planning for threats or hazards that haven’t yet happened.
______ 7. The three goals of the HIPAA security standards are to ensure the confidentiality, integrity, and availability of ePHI.
______ 8. The protection of information by transferring it into an unreadable format before it’s distributed is called authorization.
______ 9. A type of software that scans a computer system for malware is called a digital certificate.
______ 10. Policies and procedures are examples of physical safeguards that protect ePHI under HIPAA.
Questions 11–16: Select the one best answer to each question.
11. According to the HIPAA security standards for electronic protected health information, issues such as access controls, audit controls, integrity, and authentication are covered under
a. physical standards.
b. administrative standards.
c. technical standards.
d. organizational standards.
12. One of the goals of the HIPAA security standards is to ensure the _______ of electronic protected health information, which means that the information is shared only among authorized individuals and organizations.
a. integrity
b. availability
c. accuracy
d. confidentiality
13. To protect electronic health information, _______ is used to prevent unauthorized entry into a computer network, to prevent unauthorized data from exiting the network, and to control what users can access on the Internet.
a. a firewall
b. encryption
c. antivirus software
d. role-based authorization
14. Under the HIPAA Security Standards, according to the category of _______ standards, covered entities are required to implement policies and procedures that limit unauthorized access to facilities and computer systems where electronic protected health information is stored.
a. physical
b. administrative
c. technical
d. emergency
15. To protect electronic health care data from serious threats such as computer software or hardware failures, fires, earthquakes, floods, or terrorist acts, a covered entity must have a(n)
a. firewall.
b. disaster recovery plan.
c. antivirus program.
d. security incident procedure.
16. Appointing a security official for a newly opened health clinic is an example of satisfying
a. a technical security standard.
b. a physical security standard.
c. an administrative security standard.
d. an implementation specification.
Check your answers with those on page 52.
Lesson 2: Implementing and Enforcing HIPAA
INTRODUCTION
The first part of this lesson contains an introduction to the
electronic data interchange (EDI) requirements that are
specified by HIPAA. Under the HIPAA rules, all health care
transactions must follow certain standards. You’ll learn about
these standards and how to comply with them. The second
part of the lesson covers the enforcement of HIPAA rules, and
how workers can comply with the rules to prevent fraud and
abuse in the health care industry.
OBJECTIVES
When you complete this lesson, you’ll be able to
n Explain the purpose of the HIPAA Electronic Health
Care Transactions and Code Sets standards
n Name eight types of HIPAA transactions
n Identify the key purpose of the Administrative
Simplification Compliance Act
n List the HIPAA standards for medical code sets
n Compare and contrast the ICD-9-CM diagnosis codes,
CPT and HCPCS procedure and supply codes, and
ICD-9-CM Volume 3 procedure codes
n Explain the purpose of the HIPAA final enforcement rule
n Distinguish between civil and criminal cases
n Describe the roles of the Office for Civil Rights (OCR) and the Department of Justice (DOJ) in the enforcement of the HIPAA privacy standards
n Describe the roles of the Centers for Medicare and
Medicaid Services (CMS) in the enforcement of the
HIPAA security, transactions, code sets, and identifiers
standards
n Describe the civil case procedure followed by OCR
and CMS
ASSIGNMENT 4
Read this introduction to Assignment 4. Then, read Chapter 4,
“The HIPAA Transactions, Code Sets, and National Identifier
Standards,” on pages 89–109 in your textbook HIPAA for Allied
Health Careers.
The Administrative Simplification
Provisions
HIPAA has defined a number of requirements for electronic
data interchange (EDI), which is the transfer of health care
data between providers, insurance plans, and clearinghouses.
The goal of HIPAA’s administrative simplification rules is to
make the exchange of health care and billing information
faster, more efficient, and more accurate. By standardizing
the format of electronic transactions, communication between
organizations becomes easier.
Standard Transactions
HIPAA requires that every provider who uses electronic data
interchange must use the same health care transactions,
code sets, and identifiers.
A transaction is an exchange of electronic information
between two parties, and is the equivalent of a business
document. HIPAA requires covered entities to use certain
standards for every transaction.
Under HIPAA, there are eight types of mandated transactions:
1. Health plan premium payments
2. Enrollment or disenrollment in a health plan
3. Eligibility inquiries
4. Referral certification and authorization
5. Claims
6. Payment with an explanation
7. Claim status inquiries
8. Coordination of benefits
Each of these transactions is assigned a specific name and
number for use in electronic data exchanges.
Standard Code Sets
Code sets are alphanumeric codes (groups of letters and numbers) that are used to encode data elements. Medical code sets are used to identify specific diagnoses and clinical procedures on claims and encounter forms. Administrative code sets are used to encode general business information, such as a state abbreviation, a zip code, or an explanation of why a claim was denied by an insurance company.
The health care industry is made up of many different parties (such as patients, providers, health care plans, clearinghouses, employers, and so on) who must communicate with one another. In years past, there was very little standardization in the sending and receiving of health care
standardization in the sending and receiving of health care
data. However, the creation of standardized code sets has
greatly streamlined the exchange of data, resulting in
n Exchanges of information that take a much shorter
amount of time
n A reduction in errors, such as mistaken identities
n A reduction in printing and mailing costs, since data
can be sent electronically
National Identifiers
An identifier is a number of a specific structure and length,
such as a Social Security number, that uniquely identifies an
individual. HIPAA has required the development of national
identifier numbers for employers, health care providers, and
health care plans. These numbers are used for identification
in electronic transactions.
The national provider identifier (NPI) is used in HIPAA transactions to uniquely identify a health care provider, such as a physician who has provided services to a patient. The NPI is a ten-digit number that’s specific to that provider, and not to any hospital or clinic the provider works for. All providers who send in electronic claims to an insurance carrier must include their NPI on the electronic claim.
Another rule that HIPAA has established is the requirement
that employer identification numbers and national provider
identifiers be placed on claim forms that are submitted by
providers to payers (insurance companies).
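An added example, not code from the study guide or the textbook, of the check a claims system can run on an NPI before the claim goes out. The guide says only that the NPI is ten digits; the tenth digit is in fact a check digit that CMS computes with the Luhn formula over the nine-digit base prefixed with 80840, so a mistyped or fabricated NPI is usually caught without any network lookup. The leading-digit test reflects the ranges CMS issues (1 or 2). The claim records below are constructed; 1234567893 is the worked number in CMS’s own check-digit documentation. Passing the check says the number is well formed, not that the provider exists or is enrolled; that takes an NPPES lookup.

```python
"""NPI structural validation with the Luhn check digit.

Added example, not from the study guide or the textbook. Claim records are
constructed; the Luhn/80840 rule is CMS's published NPI check-digit method.
"""
import re

NPI_PREFIX = "80840"   # prefix CMS specifies for the check-digit calculation


def luhn_sum(digits: str) -> int:
    """Luhn sum with the rightmost digit in the check-digit position."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9        # same as summing the two digits of the product
        total += d
    return total


def npi_check_digit(base9: str) -> str:
    """Check digit that makes NPI_PREFIX + base9 + digit pass the Luhn test."""
    if not re.fullmatch(r"\d{9}", base9):
        raise ValueError("NPI base must be exactly nine digits")
    partial = luhn_sum(NPI_PREFIX + base9 + "0")   # trailing 0 holds the check position
    return str((10 - partial % 10) % 10)


def is_valid_npi(npi: str) -> bool:
    """Structural validity only: ten digits, leading 1 or 2, correct check digit."""
    if not re.fullmatch(r"[12]\d{9}", npi):
        return False
    return npi[9] == npi_check_digit(npi[:9])


def screen_claims(claims):
    """Return (accepted, rejected) claim IDs; rejected claims carry a malformed NPI.

    Each claim is a dict with "claim_id" and "billing_npi", the two fields this
    check needs (constructed names, not an X12 837 segment layout).
    """
    accepted, rejected = [], []
    for claim in claims:
        target = accepted if is_valid_npi(str(claim["billing_npi"])) else rejected
        target.append(claim["claim_id"])
    return accepted, rejected


SAMPLE_CLAIMS = [  # constructed
    {"claim_id": "C-1", "billing_npi": "1234567893"},   # CMS worked example, valid
    {"claim_id": "C-2", "billing_npi": "1234567890"},   # wrong check digit
    {"claim_id": "C-3", "billing_npi": "1987654328"},   # valid, check digit computed above
    {"claim_id": "C-4", "billing_npi": "123456789"},    # one digit short
    {"claim_id": "C-5", "billing_npi": "3234567893"},   # leading digit outside the issued range
]

if __name__ == "__main__":
    print(screen_claims(SAMPLE_CLAIMS))
```

Rejecting a malformed NPI at intake is cheap and keeps a transposition error from turning into a denied claim or a payment to the wrong provider; the same routine can screen NPIs arriving in a 277 response or an 835 remittance before they are trusted.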
After you’ve carefully read pages 89–109 in the textbook HIPAA for Allied Health Careers, complete Self-Check 4. Check your answers with those provided at the back of this study guide. When you’re sure that you understand the material from Assignment 4, move on to Assignment 5.
Self-Check 4
Questions 1–8: Indicate whether each statement is True or False.
______ 1. The HIPAA transaction number for a health plan enrollment is 278.
______ 2. CPT Category I codes have five digits.
______ 3. HIPAA legislation mandates that ePHI transmissions must comply with ASC X12 standards.
______ 4. The HIPAA transaction number for a referral authorization is 820.
______ 5. NDC is the HIPAA-mandated code set for dental procedures.
______ 6. The HIPAA transaction number for a health care claim status inquiry/response is 276/277.
______ 7. The standard for the identification of providers for HIPAA transactions is the National Provider Identifier (NPI).
______ 8. The NPPES is a coding system that’s used to describe products, supplies, and services that aren’t covered in the CPT codes.
Questions 9–16: Select the one best answer to each question.
9. Which of the following is an organization responsible for maintaining HIPAA standards for EDI transactions and code sets?
a. Centers for Medicare and Medicaid
b. The ANSI Committee
c. Designated Standard Maintenance Organizations
d. The World Health Organization
10. The _______ provides detailed technical information and correct formats for preparing each mandated HIPAA transaction.
a. status response
b. claim status inquiry
c. remittance advice
d. implementation guide
11. Under HIPAA, any group of codes used for encoding data elements is called a
a. national identifier.
b. code set.
c. claim.
d. referral authorization.
12. Which of the following organizations lists the national provider identifier numbers on their Web site?
a. The Designated Standard Maintenance Organization (DSMO)
b. The Department of Health and Human Services (HHS)
c. The World Health Organization (WHO)
d. The National Plan and Provider Enumeration System (NPPES)
13. Unique numbers of predetermined length and structure, such as Social Security numbers, that can be used in electronic transactions are called
a. referral certifications.
b. implementation guides.
c. identifiers.
d. CPT codes.
14. On a HIPAA 277 transaction, a claim status code of “F” indicates that
a. the claim has been finalized.
b. the claim has been received.
c. an error occurred in the transmission of the claim.
d. a request for more information has been sent.
15. If a HIPAA transaction name contains two numbers,
a. the first number refers to the insurance company, and the second number refers to the patient.
b. the first number is from the provider to the plan, and the second number is from the plan back to the provider.
c. the numbers describe where the claim is in processing.
d. the claim is missing HIPAA standard codes.
16. Under HIPAA, which of the following is a set of codes that’s used to identify alternative medicine procedures and services?
a. CDT-4
b. The ABC Code Set
c. ICD-9-CM
d. The National Drug Code
Check your answers with those on page 52.
ASSIGNMENT 5
Read this introduction to Assignment 5. Then, read Chapter 5,
“HIPAA Enforcement,” on pages 114–144 in your textbook
HIPAA for Allied Health Careers.
HIPAA Enforcement
Enforcement of the HIPAA rules is carried out by several
different agencies, including the Office for Civil Rights (OCR),
the Department of Justice (DOJ), the Centers for Medicare
and Medicaid Services (CMS), and the Office of the Inspector
General (OIG). Violators of the HIPAA rules can have civil
or criminal charges brought against them. A civil penalty
is generally a monetary fine that’s assessed for violating a
provision of the law. A criminal penalty is brought by the
government (on behalf of the people) for wrongdoing that’s
detrimental to society, and may include a monetary fine as
well as imprisonment.
The HIPAA final enforcement rule can impose civil monetary penalties of not more than $100 per violation, and not more than $25,000 for all similar violations per calendar year. Those are the amounts in the original enforcement rule; the HITECH Act of 2009 replaced them with a tiered schedule that rises with the degree of culpability, up to $1.5 million per calendar year for all violations of an identical provision. Even though severe penalties may be imposed on HIPAA violators, the foremost enforcement goal of the Office for Civil Rights (OCR) is to work to help correct problems before imposing those penalties.
Enforcement of Transactions
and Code Sets
Your textbook explains how the Department of Health and Human Services (HHS) originally created an Office of HIPAA Standards (OHS) to oversee and enforce transactions and code sets. The OHS provided a written form to use for complaints about HIPAA transactions.
This complaint form was set up to hear feedback about
transactions and codes sets from
n Health care providers
n Clearinghouses
n Any others using transactions and code sets
In May 2005, the OHS was expanded and renamed the Office of E-Health Standards and Services (OESS) to reflect the expanding responsibilities of e-health. The OESS is responsible for enforcing the Administrative Simplification portion of HIPAA. Complaints that fall under the HIPAA Privacy Rule are handled by the Office for Civil Rights.
The OESS uses a computer application called the
Administrative Simplification Enforcement Tool (ASET)
that allows individuals or organizations to file complaints
against HIPAA violators. The ASET application can be
found at the OESS Web site.
Preventing Fraud and Abuse
The National Health Care Anti-Fraud Association has
determined that 3% to 10% of health care spending is
lost annually because of fraud and abuse, contributing
to unnecessary costs in the health care system.
Fraud is an intentional act of deception to obtain a financial
benefit. An example would be a physician who sends a claim
to Medicare, billing an office visit for a patient who doesn’t
exist.
In contrast, abuse is any action that improperly uses an entity’s resources. An example of abuse is billing for services that aren’t medically necessary. Abuse may occur unintentionally as a result of ignorance of billing rules or the use of an inaccurate medical code.
One of the responsibilities that employees have in any organization is to protect the dollars that are spent for health care. Employees can do this by identifying and reporting situations where they see fraud and abuse occurring.
Government health care agencies must train their employees and business partners to understand, identify, and report fraud and abuse. Also, there are important laws and regulations that cover these issues, including the following:
n The Antikickback Act of 1986, which makes it illegal to offer incentives to induce referrals for services paid for by government agencies (such as Medicare or Medicaid)
n The Stark Laws, which prevent physicians from making self-referrals (referrals to entities with which the physician has a financial relationship)
n The Sarbanes-Oxley Act, which requires publicly traded corporations to have sound financial management
n The Deficit Reduction Act of 2005
Your textbook reviews these laws in detail, so be sure to read this information carefully.
After you’ve carefully read pages 114–144 in the textbook HIPAA for Allied Health Careers, complete Self-Check 5. Check your answers with those provided at the back of this study guide. When you’re sure that you understand the material from these two assignments, complete the examination for Lesson 2.
Self-Check 5
Questions 1–8: Indicate whether each statement is True or False.
______ 1. A formal examination or review of health care records is called a code of conduct.
______ 2. The Department of Justice prosecutes criminal violations of HIPAA’s privacy standards.
______ 3. The Deficit Reduction Act encourages states to pass their own false health care claim acts.
______ 4. The Centers for Medicare and Medicaid Services (CMS) is responsible for enforcing HIPAA privacy violations.
______ 5. The Office for Civil Rights (OCR) is the federal government’s main law enforcement division.
______ 6. Actions that misuse government money (such as Medicare funds) and that aren’t sound medical, business, or fiscal practices are referred to as abuses.
______ 7. A top complaint reported by the Office for Civil Rights is insufficient safeguards to protect PHI data.
______ 8. The Stark laws are designed to protect whistle-blowers in health care fraud cases.
Questions 9–14: Select the one best answer to each question.
9. A formal examination or review that attempts to discover whether a health care organization’s staff members comply with HIPAA coding and billing regulations is called a(n)
a. benchmark.
b. audit.
c. compliance plan.
d. corporate integrity agreement.
10. _______ is defined as any action that improperly uses government monies (for example, by billing for services that weren’t medically necessary) and may be the result of incorrect coding or ignorance of billing rules.
a. Abuse
b. Fraud
c. Qui tam
d. Benchmarking
11. _______ is defined as an intentional act of deception that’s intended to obtain a financial benefit (for example, billing a federal insurance program for medical services that weren’t provided).
a. Abuse
b. Qui tam
c. Fraud
d. Benchmarking
12. Which of the following laws protects individuals who are identified as whistle-blowers, that is, people who report suspected health insurance fraud?
a. The Antikickback Act of 1986
b. The Sarbanes-Oxley Act
c. The False Claims Act
d. The Deficit Reduction Act
13. A person who makes an accusation of suspected health care fraud is called a(n)
a. self-referrer.
b. advisor.
c. excluded party.
d. relator.
14. A written document created by a health care provider that outlines ethical practices for the members of its organization is called a(n)
a. compliance plan.
b. OIG Work Plan.
c. audit report.
d. code of conduct.
Check your answers with those on page 53.
INTRODUCTION
This graded project is a research paper that you’ll complete
and submit to the school for grading. In your paper, you’ll
apply what you learned about HIPAA to an actual situation in
which a health care organization violated HIPAA regulations.
YOUR ASSIGNMENT
Health care organizations must know and follow the regulations that are set forth by HIPAA, or be held accountable for their failure to follow the rules. For this assignment, you’ll need to find three real-life examples of HIPAA violations; that is, violations of HIPAA’s privacy or security laws that occurred in the United States since the passage of the HIPAA law (after 1996). Each violation described should be serious, and one that resulted in a fine or penalty for the individual or company involved.
You can find real-life examples of HIPAA violations in news reports, medical journals, professional health care publications, and other similar reliable factual sources.
For each example violation, you should provide the following information:
n A complete, descriptive summary of the case
n Important facts that relate to the case, such as the
names of the company or individual involved, the date
of the violation, and the city and state where the incident
occurred
n An explanation of the HIPAA rules that were violated
Be sure to answer these questions when writing your
summaries:
n How did the HIPAA violation occur?
n What policies (if any) did the organization have in place
to protect against the violation?
n What was the penalty for the violation (fine, prison term,
termination of employment, etc)?
Finally, describe three ways in which the organization could
have prevented the violation.
Organize your three case examples into a 750-word paper.
Research Instructions
To write your paper, you may use journal articles, textbook
material, case studies, and Web site information. The Web
site information must come from reputable and verifiable
sources, such as the United States Department of Health and
Human Services, the American Medical Association, professional or business organizations, or articles published by major news organizations.
To get started on finding a real-life case example that you’re
interested in, you can use an Internet search engine such as
Google. Try entering keywords such as “HIPAA violation”
under the “News” section. Or, go to your local library and
perform a search in the medical journals or professional
publications they have on file.
Writing Guidelines
1. Type your submission, double-spaced, in a standard
print font, size 12. Use a standard document format with
1-inch margins. (Do not use any fancy or cursive fonts.)
2. Read the assignment carefully, and follow the instructions.
3. Be sure to include the following information at the top of
your paper:
n Your name
n Your student number
n The course title (HIPAA Compliance)
n Graded project number (46081100)
n The date
4. Be specific. Limit your submission to the issues covered
by your chosen topic.
5. Include a reference page in either APA or MLA style. On this page, list Web sites, books, journals, and all other references used in preparing the submission.
6. Proofread your work carefully. Check for correct spelling,
grammar, punctuation, and capitalization.
Grading Criteria
Your project will be based on the following criteria:
Content 80%
Written communication 10%
Format 10%
Here’s a brief explanation of each of these points.
Content
The student must
n Provide a clear discussion of the chosen topic
n Address the topic in complete sentences
n Support his or her research by citing specific information
from the textbook, Web sites, and any other references,
and by using correct APA or MLA guidelines for citations
and references
n Stay focused on the chosen topic
n Write in his or her own words and use quotation marks
to indicate direct quotations
Written Communication
The student must
n Discuss the topic in complete paragraphs that include an introductory sentence, at least four sentences of explanation, and a concluding sentence
n Use correct grammar, spelling, punctuation, and sentence structure
n Provide clear organization (for example, uses words like
first, however, on the other hand, and so on, consequently,
since, next, and when)
n Make sure the paper contains no typographical errors
Format
The paper should be double-spaced and typed in font size 12.
It must include the student’s
n Name and complete mailing address
n Student number
n Course title (HIPAA Compliance)
n Research project number (46081100)
Submitting Your Work
You can submit your project online. Follow this procedure to
submit your assignment online:
1. On your computer, save a revised and corrected version of your assignment. Be sure it includes all of the information listed in “Writing Guidelines.”
2. Go to http://www.takeexamsonline.com and log onto
the site.
3. At your homepage, click on Take an Exam.
4. In the box provided, enter the examination number. The
number for this research assignment is 46081100.
5. Click Submit.
6. On the next screen, enter your e-mail address.
(Note: This information is required for online
submission.)
Important: After you submit the assignment for evaluation, you should receive a confirmation e-mail with a tracking number. If you don’t receive this number within 24 hours, you must resubmit the assignment.
7. If you wish to tell your instructor anything specific regarding this assignment, enter it in the Comments box.
8. Attach your file or files as follows:
a. Click on the first Browse box.
b. Locate the file you wish to attach.
c. Double-click on the file.
d. If you have more than one file to attach, click on the
next Browse box and repeat steps b and c for each
file.
9. Click on Submit.
Self-Check Answers
Self-Check 1
11. c
12. b
Self-Check 2
1. True
2. False
3. True
4. True
5. True
6. False
7. b
8. c
9. d
10. a
11. d
12. b
Self-Check 3
1. False
2. True
3. True
4. True
5. False
6. True
7. True
8. False
9. False
10. False
11. c
12. d
13. a
14. a
15. b
16. c
Self-Check 4
1. False
2. True
3. True
4. False
5. False
6. True
7. True
8. False
9. c
10. d
11. b
12. d
13. c
14. a
15. b
16. b
Self-Check 5
1. False
2. True
3. True
4. False
5. False
6. True
7. True
8. False
9. b
10. a
11. c
12. c
13. d
14. d
Study Guide
HIPAA Compliance
By Jacqueline K. Wilson, RHIA
Reviewed By Karen J. Fuller
About the Author
Jacqueline K. Wilson is a Registered Health Information Administrator (RHIA) with more than 13 years of experience managing, consulting, writing, and teaching in the health care industry. She’s a professional writer who has authored training manuals, study guides, and online courses, as well as articles on a variety of topics. In addition, Ms. Wilson develops curricula and teaches both traditional and online college courses in health information technology, anatomy, medical terminology, standards in health care, and other health care courses. She was previously included in the distinguished national Who’s Who Among America’s Teachers.
Pennsylvania 18515.
Printed in the United States of America
All terms mentioned in this text that are known to be trademarks or service marks have been appropriately capitalized. Use of a term in this text should not be regarded as affecting the validity of any trademark or service mark.
CONTENTS
INSTRUCTIONS TO STUDENTS 1
LESSON ASSIGNMENTS 5
LESSON 1: UNDERSTANDING HIPAA 7
LESSON 2: IMPLEMENTING AND ENFORCING HIPAA 33
GRADED PROJECT 45
SELF-CHECK ANSWERS 51
INTRODUCTION
Welcome to your HIPAA Compliance course, which provides
information that’s essential for working in today’s health care
industry. This course covers the basic provisions of the
Health Insurance Portability and Accountability Act (HIPAA),
including what the act protects, how it affects patients and
providers, and how HIPAA is enforced.
OBJECTIVES
When you complete this course, you’ll be able to
n Discuss the main purposes for the passage of the Health
Insurance Portability and Accountability Act (HIPAA)
n Identify the key provisions of the HIPAA Administrative
Simplification standards
n Describe the health care professionals and facilities that
are covered entities under HIPAA
n Describe how health care personnel can comply with
HIPAA standards
n Explain the contents of a medical record as the source
of health information about patients
n Define protected health information (PHI) and electronic
protected health information (ePHI)
n Discuss the required content of the HIPAA Notice of
Privacy Practices (NPP)
n Explain patients’ rights regarding the use and disclosure
of their PHI
n Describe HIPAA’s administrative, physical, and technical
standards for the protection of ePHI
n Explain the purpose of the HIPAA Electronic Health Care
Transactions and Code Set standards
n Describe several types of HIPAA transactions
n List the HIPAA standards for medical code sets
n Describe how HIPAA’s rules are enforced
n Name the governmental agencies that are responsible
for HIPAA enforcement
YOUR TEXTBOOK
Your textbook, HIPAA for Allied Health Careers, by Cynthia
Newby, is the heart of this course. It contains the study
material on which your examinations will be based. We’ve
divided the textbook material into two lessons.
It’s very important that you read the material in the textbook
and study it until you’re completely familiar with it. It’s a
good idea to begin by skimming the contents at the front of
the book. This will give you an overview of the entire textbook.
Each chapter in your textbook opens with an outline, a list
of key terms, and some case examples that illustrate real-life
scenarios involving the HIPAA regulations. At the end of each
chapter, you’ll find a helpful summary of the information
you’ve just read. Use your chapter readings and the objectives listed above to judge your understanding of the text material before you take your examinations.
Your textbook also contains many helpful hints, compliance
tips, case studies, HIPAA cautions, and Internet resources
to further your understanding of the reading. There’s also a
glossary, an index, and an appendix of professional resources
at the back of the book.
COURSE MATERIALS
You should have received the following learning materials
for this course:
n Your textbook, HIPAA for Allied Health Careers, which
contains the assigned readings
n This study guide, which will help you to understand
the major ideas presented in the textbook in addition to
providing background information about specific topics
The study guide also includes
n Self-checks for each lesson
n Answers to the self-checks
A STUDY PLAN
In studying your assignments, be sure to read all of the
instructional material in both the textbook and the study
guide. Here’s a good plan to follow:
1. Note carefully the page where the assignment begins
and the page where it ends. These pages are indicated
in the Lesson Assignments section in this study guide.
2. Read the introduction to the assignment in the study
guide.
3. Read the designated pages for that assignment in the textbook to get a general idea of their contents. Then study the assignment, paying careful attention to all details, including the compliance tips and HIPAA cautions referenced in the text.
4. When you’re comfortable with the material for each assignment, complete the self-check at the end of the assignment in your study guide. When you’ve finished the self-checks, compare your answers with those given at the end of the study guide. If you’ve missed any questions, go back and review the related topic. This review will reinforce your understanding of the material.
5. Complete each assignment in this way.
6. When you feel that you understand all of the material
presented in the lesson assignments, you may complete
the examination for that lesson.
7. Follow this procedure for both of the two lessons.
8. Complete the Research Project after completing both lessons.
Remember, at any time, you can contact your instructor for information regarding the materials. The instructor can provide you with answers to any questions you may have about the course or your study materials.
Now you’re ready to begin Lesson 1.
Good luck!
LESSON ASSIGNMENTS
Lesson 1: Understanding HIPAA
For                  Read in the study guide   Read in the textbook
Assignment 1         Pages 8–14                Chapter 1, Pages 1–19
Assignment 2         Pages 16–22               Chapter 2, Pages 25–52
Assignment 3         Pages 24–29               Chapter 3, Pages 59–82
Examination 460809   Material in Lesson 1
Lesson 2: Implementing and Enforcing HIPAA
For                  Read in the study guide   Read in the textbook
Assignment 4         Pages 34–36               Chapter 4, Pages 89–109
Assignment 5         Pages 39–41               Chapter 5, Pages 114–144
Examination 460810   Material in Lesson 2
Graded Project 46081100
Note: To access and complete any of the examinations for this study guide, click on the appropriate Take Exam icon on your “My Courses” page. You shouldn’t have to enter the examination numbers. These numbers are for reference only if you have reason to contact Student Services.
Lesson 1: Understanding HIPAA
INTRODUCTION
This first lesson is an introduction to the Health Insurance
Portability and Accountability Act of 1996, or HIPAA. The
provisions of the HIPAA law affect everyone who works in
the health care field, so it’s important to understand what
the law covers and how you need to comply with it. The
lesson contains three reading assignments.
Assignment 1 starts out with a description of the two basic parts of the HIPAA law, Title I and Title II. Title I covers health insurance reform. Title II includes HIPAA’s administrative simplification rules. You’ll learn about the basic goals and objectives of the HIPAA law in this assignment.
Assignment 2 reviews the HIPAA Privacy Standards, which
protect patients’ private health information in medical
records. A patient’s private health information can be
shared or disclosed only under specific circumstances
that are explained under the HIPAA rules.
Assignment 3 introduces the HIPAA Security Standards,
which describe how electronic information about patients
must be protected.
OBJECTIVES
When you complete this lesson, you’ll be able to
n Describe the major provisions of Title I and Title II
of HIPAA
n Identify the key provisions of the HIPAA Administrative
Simplification standards
n Describe the health care professionals and facilities
that are covered entities under HIPAA
n Explain the difference between a covered entity and
a business associate
n List five responsibilities of covered entities under the
HIPAA Privacy Rule
n Define protected health information (PHI) and electronic
protected health information (ePHI)
n Discuss the required content of the HIPAA Notice of
Privacy Practices (NPP)
n Explain the privacy standards relating to the release
of PHI for treatment, payment, and operations (TPO)
purposes
n Describe the situations in which authorization for release
of PHI must be obtained
n Name several major exceptions to the HIPAA release of
information requirements
n Explain patients’ rights regarding the use and disclosure
of their PHI
n List the three goals of the HIPAA security standards
n Compare and contrast risk analysis and risk
management
n Describe HIPAA’s administrative, physical, and technical
standards for the protection of ePHI
ASSIGNMENT 1
Read this introduction to Assignment 1. Then, read Chapter 1,
“The Goal of HIPAA: Administrative Simplification,” on
pages 1–19 in your textbook HIPAA for Allied Health Careers.
What Is HIPAA?
The Health Insurance Portability and Accountability Act of
1996 (HIPAA) was signed into law on August 21, 1996 by
the United States Congress. The main purpose of HIPAA is
to increase the efficiency and effectiveness of health care,
and to protect patient rights. It’s designed to help people
build trust in the health care system.
The law has two important parts, called Title I and Title II.
Title I of HIPAA provides a basis for ensuring the portability
of health insurance, which means that employees and their
families can keep their health insurance when workers
change jobs. Title II of HIPAA lays out specific rules that
health insurance plans, health care providers, and employers
must follow, and defines noncompliance penalties that can be
applied when rules are broken. It also contains provisions to
protect the privacy and security of people’s health care data.
HIPAA was created to help with several important problem
areas within the health care industry. The law was designed to
n Improve the portability and continuity of health care
coverage in insurance markets
n Combat waste, fraud, and abuse in the health care
system, and also in the insurance industry
n Improve access to long-term care
n Simplify health insurance administration
n Provide a means to pay for reforms
n Protect the privacy of a patient’s personal information
and health care data
n Provide for the electronic and physical security of
personal information and health care data
n Simplify billing and other health care transactions
The areas in which the enactment of HIPAA has most affected
health care include the following: