Answers to the NAAC HIPAA Quick Quiz

  1. True or False.  Patients who are treated in emergencies do not have to be provided a Notice of Privacy Practices (NPP) by your ambulance service.

    False.  This one is a little tricky.  In an emergency treatment situation, a patient doesn’t have to be given a NPP at the time of transport.  But your ambulance service agency must still provide a NPP to the patient as soon as reasonably practicable after the emergency, so the patient still needs to be provided a NPP.  See 45 CFR § 164.520(c)(2)(i)(b).  However, in some cases 911 ambulance calls may not actually be emergency treatment situations.  In those cases it would make sense to offer a copy of the NPP at the time of service.
    What’s your agency’s policy for following up in an emergency situation to make sure the patient gets a NPP?

  2. If you are a public agency, can you release PHI in response to a state public records law request, or would that be a Federal HIPAA violation? 

    It all depends on what the state law says.  HIPAA permits a covered entity to disclose PHI as required by other law, including state law.  See 45 CFR § 164.512(a).  Where a state public records law mandates that a covered entity disclose PHI, HIPAA permits you to disclose PHI in response to the public records law request as long as you strictly comply with that law.  But where a state public records law only permits, and does not mandate, the disclosure of PHI, or where there is an exception in the law exempting PHI from the state law’s disclosure requirement, such disclosures are not “required by law” and thus would not fall under that HIPAA regulation, 45 CFR § 164.512(a).  In such cases, you would only be able to disclose the PHI in compliance with HIPAA if the disclosure was permitted by another provision of HIPAA.

  3. How long does HIPAA apply to PHI of deceased individuals – 25 years, 50 years, 100 years or indefinitely? 

    Fifty (50) years.  Do you know who you can release PHI to when a patient is deceased?

  4. What are the only two instances where HIPAA requires covered entities to disclose PHI?

    A covered entity must disclose PHI in only two situations: (1) to patients (or their personal representatives or another person designated by the patient) when they request access to, or an accounting of disclosures of, their PHI; and (2) to HHS when it is undertaking a compliance investigation or review or enforcement action.  All other uses and disclosures of PHI are “permissible” under HIPAA, meaning that HIPAA permits, but does not require, these other uses and disclosures of PHI.  That means technically there’s no obligation under HIPAA to share PHI with others for treatment, payment or healthcare operations purposes. 

    So, how do you get agencies to share PHI with you when there’s no HIPAA requirement?

  5. If your ambulance service is being sued, can you use or share a patient care report that is relevant to the lawsuit with your attorney without the patient’s authorization?

    Yes.  Where a covered entity is a defendant in a legal action, the covered entity may use or disclose PHI for purposes of the litigation as part of its health care operations.  The definition of “health care operations” at 45 CFR § 164.501 includes conducting or arranging for legal services.  But there is a limitation that applies when sharing the PHI in this situation.  Do you know what it is?
    Also, do you know what you have to do before sharing PHI with your lawyer?

  6. True or False: Business associates are required by HIPAA to notify patients of breaches of unsecured protected health information. 

    False. HIPAA only requires a business associate to notify a covered entity of a breach of unsecured PHI.  See, 45 CFR § 164.410(a)(1).  A covered entity then has a duty under HIPAA to notify affected patients, HHS and potentially the media. 
    When would a business associate be required to notify patients?
    What is the deadline for a business associate to notify a covered entity?

  7. If an invoice gets sent to the wrong patient, is that a breach under HIPAA? 

    It depends.  Yes, we went there.  And if you said, “I need to know more,” you’re on the right path.  Determining whether an unpermitted disclosure of PHI qualifies as a breach under HIPAA can be complex, and the determination is very fact-specific.  HIPAA outlines a 4-factor “risk assessment” for agencies to apply in potential breach scenarios, and under this assessment you need to consider things such as: what type of PHI was involved, who saw the PHI, and whether the PHI was actually viewed in the first place.

    Do you know how to make this determination and the 4 factors that are involved?

HIPAA requires every covered entity and business associate to have an official in charge of HIPAA compliance.  Are you involved in HIPAA compliance at your organization?  Do you have questions, or do you want to learn a lot more?  Join NAAC March 10-11, 2015 for the premier event: the nation’s first and only HIPAA compliance accreditation for the ambulance industry!

At this exclusive CAPO event, you will learn:

  • Easy ways you can follow up in emergency situations to provide an NPP to the patient
  • How to handle requests for PHI from: state agencies, attorneys, law enforcement, family members, the media and others
  • What representatives you can deal with after the patient is deceased
  • How to get facilities to share patient and insurance information with your agency
  • How you can use and disclose PHI in legal proceedings, including when your agency is a plaintiff trying to obtain payment
  • When you must follow the minimum necessary rule – not all disclosures are subject to the rule
  • When you need a business associate agreement with your lawyer – you might not always need one
  • Provisions you can add to a business associate agreement that better protect you in breach situations
  • When you have a duty to notify individuals, HHS and the media about breaches

Embassy Suites Philadelphia International Airport
9000 Bartram Avenue
Philadelphia, PA 19153
Phone: 215-365-4500

Rate:  $119.00 per night, includes free parking, free internet, free airport shuttle, free shuttle within 5 miles of the property and free HOT breakfast buffet.

Click HERE to make your reservation or mention NAAC CAPO when calling the hotel.