INTRODUCTION
This graded project is a research paper that you’ll complete
and submit to the school for grading. In your paper, you’ll
apply what you learned about HIPAA to an actual situation in
which a health care organization violated HIPAA regulations.
YOUR ASSIGNMENT
Health care organizations must know and follow the regulations
that are set forth by HIPAA, or be held accountable
for their failure to follow the rules. For this assignment,
you’ll need to find three real-life examples of HIPAA violations;
that is, violations of HIPAA’s privacy or security laws
that occurred in the United States since the passage of the
HIPAA law (after 1996). Each violation described should be
serious, and one that resulted in a fine or penalty for the
individual or company involved.
You can find real-life examples of HIPAA violations in
news reports, medical journals, professional health care
publications, and other similar reliable factual sources.
For each example violation, you should provide the following
information:
n
A complete, descriptive summary of the case
n
Important facts that relate to the case, such as the
names of the company or individual involved, the date
of the violation, and the city and state where the incident
occurred
n
An explanation of the HIPAA rules that were violated
Be sure to answer these questions when writing your
summaries:
n
How did the HIPAA violation occur?
n
What policies (if any) did the organization have in place
to protect against the violation?
n
What was the penalty for the violation (fine, prison term,
termination of employment, etc)?
Finally, describe three ways in which the organization could
have prevented the violation.
Organize your three case examples into a 750-word paper.
Research Instructions
To write your paper, you may use journal articles, textbook
material, case studies, and Web site information. The Web
site information must come from reputable and verifiable
sources, such as the United States Department of Health and
Human Services, the American Medical Association, professional
or business organizations, or articles published by
major news organizations.
To get started on finding a real-life case example that you’re
interested in, you can use an Internet search engine such as
Google. Try entering keywords such as “HIPAA violation”
under the “News” section. Or, go to your local library and
perform a search in the medical journals or professional
publications they have on file.
Writing Guidelines
1. Type your submission, double-spaced, in a standard
print font, size 12. Use a standard document format with
1-inch margins. (Do
not
use any fancy or cursive fonts.)
2. Read the assignment carefully, and follow the instructions.
3. Be sure to include the following information at the top of
your paper:
n
Your name
n
Your student number
n
The course title
(HIPAA Compliance)
n
Graded project number (46081100)
n
The date
4. Be speci.
General Principles of Intellectual Property: Concepts of Intellectual Proper...
INTRODUCTIONThis graded project is a research paper that you’l.docx
1. INTRODUCTION
This graded project is a research paper that you’ll complete
and submit to the school for grading. In your paper, you’ll
apply what you learned about HIPAA to an actual situation in
which a health care organization violated HIPAA regulations.
YOUR ASSIGNMENT
Health care organizations must know and follow the regulations
that are set forth by HIPAA, or be held accountable
for their failure to follow the rules. For this assignment,
you’ll need to find three real-life examples of HIPAA
violations;
that is, violations of HIPAA’s privacy or security laws
that occurred in the United States since the passage of the
HIPAA law (after 1996). Each violation described should be
serious, and one that resulted in a fine or penalty for the
individual or company involved.
You can find real-life examples of HIPAA violations in
news reports, medical journals, professional health care
2. publications, and other similar reliable factual sources.
For each example violation, you should provide the following
information:
n
A complete, descriptive summary of the case
n
Important facts that relate to the case, such as the
names of the company or individual involved, the date
of the violation, and the city and state where the incident
occurred
n
An explanation of the HIPAA rules that were violated
Be sure to answer these questions when writing your
summaries:
n
How did the HIPAA violation occur?
n
What policies (if any) did the organization have in place
to protect against the violation?
n
What was the penalty for the violation (fine, prison term,
3. termination of employment, etc)?
Finally, describe three ways in which the organization could
have prevented the violation.
Organize your three case examples into a 750-word paper.
Research Instructions
To write your paper, you may use journal articles, textbook
material, case studies, and Web site information. The Web
site information must come from reputable and verifiable
sources, such as the United States Department of Health and
Human Services, the American Medical Association,
professional
or business organizations, or articles published by
major news organizations.
To get started on finding a real-life case example that you’re
interested in, you can use an Internet search engine such as
Google. Try entering keywords such as “HIPAA violation”
under the “News” section. Or, go to your local library and
4. perform a search in the medical journals or professional
publications they have on file.
Writing Guidelines
1. Type your submission, double-spaced, in a standard
print font, size 12. Use a standard document format with
1-inch margins. (Do
not
use any fancy or cursive fonts.)
2. Read the assignment carefully, and follow the instructions.
3. Be sure to include the following information at the top of
your paper:
n
Your name
n
Your student number
n
The course title
(HIPAA Compliance)
n
Graded project number (46081100)
n
The date
5. 4. Be specific. Limit your submission to the issues covered
by your chosen topic.
The student must
n
Provide a clear discussion of the chosen topic
n
Address the topic in complete sentences
n
Support his or her research by citing specific information
from the textbook, Web sites, and any other references,
and by using correct APA or MLA guidelines for citations
and references
n
Stay focused on the chosen topic
n
Write in his or her own words and use quotation marks
to indicate direct quotations
Written Communication
The student must
n
6. Discuss the topic in complete paragraphs that include an
introductory sentence, at least four sentences of explanation,
and a concluding sentence
n
Use correct grammar, spelling, punctuation, and sentence
structure
Provide clear organization (for example, uses words like
first, however, on the other hand, and so on, consequently,
since, next,
and
when
)
n
Make sure the paper contains no typographical errors
7. Format
The paper should be double-spaced and typed in font size 12.
It must include the student’s
n
Name and complete mailing address
n
Student number
8. n
Course title (HIPAA Compliance)
n
Research project number (46081100)
460810RR - IMPLEMENTING AND ENFORCING HIPAA
Questions 1 to 20:
Select the best answer to each question. Note that a question
and its answers may be split across a page
break, so be sure that you have seen the
entire
question and
all
the answers before choosing an answer.
1.
Which of the following is used to code and classify morbidity
data from patient medical records,
physician offices, and surveys conducted by the National Center
for Health Statistics?
A.
NPPES
B.
ICD-9-CM
9. C.
Claim status codes
D.
HCPCS
2.
You are employed by a small dentist office that has three
employees. Under the Administrative
Simplification Compliance Act, your office is
A.
required to file claims electronically.
B.
excluded from the mandate to file a claim electronically.
C.
required to append a waiver form and file all claims
electronically.
D.
required to file claims through paper submissions only.
3.
Which of the following is the HIPAA standard code set for
diseases, injuries, and other health-related
medical problems?
A.
HCPCS
B.
10. National Drug Codes
C.
CDT-4
D.
ICD-9-CM
4.
Dr. Madison's office calls an insurance company to determine
whether they have paid for Mr. Rossi's
last checkup visit. This procedure is known as a
A.
referral authorization.
B.
health care claim status inquiry.
C.
functional acknowledgment.
D.
remittance advice.
5.
The agency of the federal government that combats fraud and
abuse in health insurance and health care
delivery is the
A.
Centers for Medicare and Medicaid Services (CMS).
B.
11. Health Care Fraud and Abuse Program.
C.
Department of Justice (DOJ).
D.
Office of the Inspector General (OIG)
6.
Which of the following is the HIPAA standard code set for
dental services?
A.
National Drug Codes
B.
CDT-4
C.
ICD-9-CM
D.
Current Procedural Terminology
7.
Which of the following advises covered entities about HIPAA
compliance problems uncovered by the
OIG?
A.
corporate integrity agreement.
B.
OIG Work Plan.
12. C.
Health Care Fraud and Abuse Control Program.
D.
OIG Fraud Alert
8.
The department of the federal government that investigates
criminal violations of the HIPAA privacy
standards is the
A.
Department of Justice (DOJ).
B.
Health Care Fraud and Abuse Program.
C.
Centers for Medicare and Medicaid Services (CMS).
D.
Office of the Inspector General (OIG).
9.
A written document created by a health care provider that's
designed to prevent fraud and abuse by
outlining the process for finding, correcting, and preventing
illegal practices among their staff members is
called a(n)
A.
compliance plan.
13. B.
code of conduct.
C.
audit report.
D.
OIG Work Plan.
10.
Which of the following are physicians, contractors, or
employees who have been found guilty of fraud,
and are therefore prevented from participating in Medicare,
Medicaid, and federal health care programs?
A.
Excluded parties
B.
Advisors
C.
Relators
D.
Self-referrers
11.
On a HIPAA 277 transaction, a claim status code of "A"
indicates that
A.
the claim has been finalized.
B.
14. an error occurred in the transmission of the claim.
C.
a request for more information has been sent.
D.
the claim has been received.
12.
Under the HIPAA transaction standards, the supplemental health
information that's provided to clarify
and support a health care claim is called a
A.
paper claim.
B.
implementation guide.
C.
claim attachment.
D.
remittance advice remark.
13.
There are eight mandated transactions described under the
HIPAA transaction standards. The 270/271
transaction represents
A.
an inquiry to an insurance company to determine is a claim has
been paid.
15. B.
remittance advice that explains how a payment amount was
calculated.
C.
a delivery of information to an insurance company to apply
payment to an individual's account.
D.
an inquiry to an insurance company to check whether a patient
is covered for a specific service.
14.
Under HIPAA, the nonmedical code sets that are used to capture
general information, such as state
abbreviations and payment explanations, are called
A.
implementation guides.
B.
administrative code sets.
C.
ICD-9-CM codes.
D.
CPT codes.
15.
Which of the following statements about electronic medical
claims is
correct?
A.
16. Dentists are required to submit all claims electronically.
B.
Medicare pays electronic claims in half the time required to pay
paper claims.
C.
No covered entity is required to use electronic claims; they may
continue to send paper claims indefinitely.
D.
Electronic claims are more expensive to send than paper claims.
16.
The annual list of the OIG's planned projects for sampling
billing in various settings (such as hospitals,
doctor's offices, and long-term care facilities) to check for
potential fraud is called the
A.
OIG Work Plan.
B.
Deficit Reduction Act.
C.
corporate integrity agreement.
D.
triggered review.
17.
Which of the following is the second part of an 835 that
explains how the payment was arrived at?
17. A.
Functional acknowledgment
B.
Remittance advice
C.
Claim payment status
D.
Claim status inquiry
18.
The Jefferson Pediatric group sends an 837 to the Rhode Island
Insurance Company. An 837 is a type
of HIPAA transaction that represents a
A.
referral certification and authorization.
End of exam
B.
health care payment and remittance advice.
C.
health plan enrollment.
D.
health care claim.
19.
A physician's office "upcoded" office visits to an insurance
provider in order to receive a higher
18. reimbursement for patient services. Upcoding is an example of
A.
abuse.
B.
benchmarking.
C.
compliance.
D.
fraud.
20.
The federal law that prohibits physicians from making self-
interested referrals, or referrals in which
they have a financial interest or may receive a kickback, is
called
A.
Deficit Reduction Act (DRA).
B.
Sarbanes-Oxley Act.
C.
Stark II.
D.
False Claims Act (FCA).
UNDERSTANDING HIPAA
Questions 1 to 20:
19. Select the best answer to each question. Note that a question
and its answers may be split across a page
break, so be sure that you have seen the
entire
question and
all
the answers before choosing an answer.
1.
Under the HIPAA Security Standards, according to the category
of _______ standards, covered entities
are required to create policies and procedures that concern
authentication, transmission, and other issues
when electronic protected health information is accessed.
A.
emergency
B.
technical
C.
administrative
D.
physical
2.
In a situation where a patient's protected health information is
required as evidence in a court of law, the
provider may release the information
20. A.
only with the patient's approval.
B.
upon the request of any attorney.
C.
only if the patient signs a release form.
D.
without the patient's approval upon receipt of a judicial order.
3.
Michael has just paid for a property and casualty insurance
policy for the Dalton Medical Clinic. How is
this type of insurance classified under HIPAA?
A.
Property and casualty insurance policies are federally funded
clearinghouses.
B.
Property and casualty insurance polices are
not
classified as covered entities.
C.
Property and casualty insurance policies are non-exempt
entities.
D.
Property and casualty insurance policies are covered entities.
4.
A provider instructs an administrative staff member to bill a
21. patient for a particular procedure. The
conversation is overheard by another patient who is sitting in
the waiting room. This situation would be
describes as a(n)
A.
incidental use and disclosure, which is not a violation of HIPAA
rules.
B.
illegal disclosure of protected health information.
C.
release of information, which is a violation of HIPAA rules.
D.
disclosure of de-identified health information.
5.
In an electronic healthcare information system, a type of
program that harms the information system,
and that's often brought into the organization through e-mail
attachments or Internet downloads, is called
A.
a proxy server.
B.
encryption.
C.
a firewall.
22. D.
malware.
6.
In the United States, the main federal government agency that's
responsible for healthcare and that
administers the Medicare and Medicaid programs is
A.
the American Health Information Management Association
(AHIMA).
B.
the Centers for Medicare and Medicaid Services (CMS).
C.
the American Medical Association (AMA).
D.
the Health Care Financing Administration (HCFA).
7.
To protect electronic health information, many covered entities
prevent employees from accessing the
information unless they have a certain job title or job function.
This type of technical security safeguard is
called
A.
a firewall.
B.
antivirus software.
23. C.
encryption.
D.
role-based authorization.
8.
A pathology laboratory is contracted with Winchester Hospital
to review the hospital's biopsy specimens.
Under HIPAA, the laboratory would be classified as a(n)
A.
business associate.
B.
direct provider.
C.
clearinghouse.
D.
indirect provider.
9.
A hospital's security system requires an individual's unique
fingerprint, voice pattern, facial pattern, or
eye/iris pattern to access protected health information. These
unique methods of individual identification
are known as
A.
biometrics.
24. B.
backup procedures.
C.
audit controls.
D.
digital certificates.
10.
According to the HIPAA Security Standards for electronic
protected health information, issues such as
workstation security, facility access controls, and device
controls are covered under _______ standards.
A.
physical
B.
technical
C.
administrative
D.
organizational
11.
To protect electronic health information, the information may
be transformed into an unreadable format
before it's distributed to anyone. This type of security safeguard
is called
25. A.
antivirus software.
B.
encryption.
C.
a firewall.
D.
password protection.
12.
Which of the following statements about the HIPAA Privacy
Rules is
correct?
A.
It's a HIPAA violation if a provider's name appears on a
patient's telephone caller ID.
B.
There are no restrictions on the use or disclosure of de-
identified health information.
C.
Providers are required to provide the Notice of Privacy
Practices to patients receiving emergency treatment.
D.
It's a HIPAA violation to have a patient sign-in sheet at a
facility's front desk.
13.
Which of the following is the computer-to-computer transfer of
routine business information that has
26. helped healthcare businesses to greatly simplify their
administrative practices?
A.
Treatment, Payment, and Health Care Operations (TPO)
B.
Electronic data interchange (EDI)
C.
Notice of Privacy Practices (NPP)
D.
Group health plans (GHP)
14.
Having a backup procedure for the computer systems in a health
clinic is an example of satisfying
A.
a technical security standard.
B.
an implementation specification.
C.
a physical security standard.
D.
an administrative security standard.
15.
Any direct personal contact between a patient and a health care
provider in any place of service for the
27. diagnosis and treatment of an illness or injury is called a(n)
A.
complaint.
B.
encounter.
C.
authorization.
D.
liability.
16.
Which of the following organizations creates and promotes
standards for the transfer of data to and
from the pharmacy services sector of the health care industry?
A.
The National Committee on Vital and Health Statistics
(NCVHS)
B.
The Strategic National Implementation Process (SNIP)
C.
The National Drug Code (NDC)
D.
The National Council for Prescription Drug Programs (NCPDP)
17.
Rachel receives health insurance through her job as a privacy
officer at the MEA clinic. She has just
28. resigned from her job, but the office manager tells her that
she'll be allowed to continue her health coverage
under the employer's plan for a limited time period, at a cost of
$395.00 per month. Which of the following
acts allows Rachel to continue her health care coverage with her
former employer?
A.
FEHB
B.
ERISA
End of exam
C.
IHP
D.
COBRA
18.
The Blue Ridge Surgery Group has developed a new Web site
that describes its services and benefits.
According to HIPAA rules, which of the following
must
be included on the organization's Web site?
A.
A complete description of all procedures provided
B.
29. A list of the types of insurance they accept
C.
A Notice of Privacy Practices
D.
A listing of all physicians on staff and their professional
credentials
19.
Frequently, electronic health information must be transferred
from one user to another over the Internet
or through a computer network. To ensure that the remote user
is authorized to receive the data, an
electronic authorization called a(n) _______ can be issued to
the remote users by a covered entity.
A.
emergency access procedure
B.
digital certificate
C.
contingency
D.
computer administrator
20.
HIPAA refers to any item, collection, or grouping of
individually identifiable protected health
information as a
30. A.
notice of privacy practices.
B.
billing record.
C.
designated record set.
D.
health plan identifier.