What is the primary purpose of the HIPAA Privacy Rule?
To protect patient health information and control its use and disclosure.
What does PHI stand for?
Protected Health Information.
What is the minimum necessary standard?
Limiting PHI access to only what is needed for a specific task.
What document authorizes release of information?
A valid patient authorization form.
How long must HIPAA documentation be retained?
6 years from the date it was created or the date it was last in effect, whichever is later.
What is an audit trail?
A record of system activity tracking access and changes.
What is a covered entity?
Health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a HIPAA standard transaction.
What is a business associate?
A third party that handles PHI on behalf of a covered entity.
What is required before releasing PHI for non-treatment purposes?
Patient authorization.
What is a breach under HIPAA?
An impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy; it is presumed to be a breach unless a risk assessment shows a low probability that the PHI was compromised.
How soon must patients be notified of a breach?
Without unreasonable delay and no later than 60 calendar days after the breach is discovered.
What is de-identified information?
Health data from which identifiers have been removed so that it no longer identifies an individual, either by stripping the 18 Safe Harbor identifier categories or by expert determination that re-identification risk is very small. De-identified data is no longer PHI.
What is the purpose of the HIPAA Security Rule?
To protect the confidentiality, integrity, and availability of electronic PHI (ePHI).
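The Safe Harbor method above is mechanical enough to automate. The following is an added example, not from the original page: it applies the Safe Harbor rules for direct identifiers, geographic data, dates, and ages to a flat record. The field names, the sample record, and the SMALL_ZIP3 set are assumptions constructed for the example; the real list of three-digit ZIP prefixes covering 20,000 or fewer people must come from current Census data.

```python
"""Safe Harbor-style de-identification of a flat patient record (added example).

Field names and the SMALL_ZIP3 placeholder are assumptions for this illustration.
"""
from datetime import date

# Identifier categories that are removed outright under Safe Harbor (field names assumed).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account", "license", "vin", "device_serial", "url", "ip",
    "biometric", "photo",
}
# Date fields directly related to the individual: only the year may survive.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Placeholder set of 3-digit ZIP prefixes with population <= 20,000 (constructed, not the real list).
SMALL_ZIP3 = {"036", "059", "063"}


def _age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of, accounting for whether the birthday has passed."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor-style de-identified copy of `record`.

    - direct identifiers are dropped
    - ZIP is truncated to 3 digits, or zeroed if the prefix is low-population
    - dates keep only the year
    - ages over 89 collapse to "90+" and the birth year is suppressed as well
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            prefix = str(value)[:3]
            out["zip3"] = "000" if prefix in SMALL_ZIP3 else prefix
        elif key in DATE_FIELDS:
            out[key + "_year"] = date.fromisoformat(value).year
        else:
            out[key] = value

    if "dob" in record:
        age = _age_on(date.fromisoformat(record["dob"]), as_of)
        if age >= 90:
            # Over-89 rule: the age bucket and any date element revealing it (the birth year).
            out["age"] = "90+"
            out.pop("dob_year", None)
        else:
            out["age"] = age
    return out


# Constructed sample record for a stand-alone run.
SAMPLE_RECORD = {
    "name": "J. Doe", "mrn": "MRN-000123", "ssn": "000-00-0000",
    "zip": "03601", "dob": "1931-03-10", "admit_date": "2024-05-02",
    "diagnosis": "E11.9",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, date(2024, 6, 1)))
```

Dropping the birth year for the 90+ case is the part that hand-written filters most often miss; a record that keeps "age: 90+" together with "dob_year: 1931" has not been de-identified.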
Name one administrative safeguard.
Employee training.
Name one physical safeguard.
Locked file cabinets.
Name one technical safeguard.
Encryption.
What is role-based access?
Access based on job responsibilities.
What is the purpose of access controls?
To limit who can view or use PHI.
What is a subpoena?
A legal document requiring records or testimony.
What must be verified before releasing records?
Patient identity and authorization.
What is the purpose of an ROI log?
To record each release of information (ROI) so that disclosures of PHI can be reconstructed and accounted for.
What is accounting of disclosures?
A patient's right to receive a list of certain PHI disclosures made in the previous six years, excluding disclosures for treatment, payment, and healthcare operations and those the patient authorized.
When is patient consent not required?
For treatment, payment, and healthcare operations (TPO).
What is incidental disclosure?
A secondary disclosure that occurs as a by-product of a permitted use or disclosure; it is not a violation if reasonable safeguards and the minimum necessary standard were applied.
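The access-control, role-based access, audit-trail, minimum-necessary and accounting-of-disclosures entries above describe one mechanism from several angles. The following is an added example, not code from the original page, that ties them together: a deny-by-default role table that returns only the fields a role needs, an audit log that records denied attempts as well as successes, and an accounting-of-disclosures query that excludes TPO purposes. The role names, field sets, purpose codes and sample chart are assumptions constructed for the example.

```python
"""Role-based PHI access with minimum-necessary filtering, an audit trail, and
accounting of disclosures (added example; roles, fields and purposes are assumed).
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Minimum necessary: each role sees only the fields its job function needs.
# Deny by default: a role missing from this table is granted nothing.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "physician": {"mrn", "name", "dob", "diagnosis", "clinical_notes"},
    "billing": {"mrn", "name", "insurance_id", "claim_amount", "diagnosis"},
    "front_desk": {"mrn", "name", "dob"},
}

# Purposes that are TPO and therefore excluded from an accounting of disclosures.
TPO_PURPOSES = {"treatment", "payment", "operations"}


@dataclass
class AuditEvent:
    when: str
    user: str
    role: str
    mrn: str
    purpose: str
    outcome: str          # "allowed" or "denied"
    fields: List[str]     # fields actually returned; empty when denied


@dataclass
class PHIStore:
    charts: Dict[str, dict]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _record(self, user, role, mrn, purpose, outcome, fields) -> None:
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role, mrn, purpose, outcome, sorted(fields)))

    def read_chart(self, user: str, role: str, mrn: str, purpose: str) -> dict:
        """Return the subset of a chart the role may see; every attempt is logged."""
        allowed: Optional[Set[str]] = ROLE_FIELDS.get(role)
        if allowed is None or mrn not in self.charts:
            # Denied attempts are part of the audit trail too: an investigator needs
            # to see who tried to reach a chart, not only who succeeded.
            self._record(user, role, mrn, purpose, "denied", [])
            raise PermissionError(f"{user} ({role}) may not read chart {mrn}")
        view = {k: v for k, v in self.charts[mrn].items() if k in allowed}
        self._record(user, role, mrn, purpose, "allowed", view.keys())
        return view

    def accounting_of_disclosures(self, mrn: str) -> List[AuditEvent]:
        """Successful accesses to `mrn` for non-TPO purposes, i.e. what the patient may request."""
        return [e for e in self.audit_log
                if e.mrn == mrn and e.outcome == "allowed" and e.purpose not in TPO_PURPOSES]


# Constructed sample chart for a stand-alone run.
SAMPLE_CHART = {
    "mrn": "MRN-000123", "name": "J. Doe", "dob": "1980-04-02",
    "diagnosis": "E11.9", "clinical_notes": "Follow-up on A1c; adjust metformin.",
    "insurance_id": "INS-99887", "claim_amount": 142.50,
}


def demo() -> PHIStore:
    """Exercise the store with a TPO read, a non-TPO read, and a denied read."""
    store = PHIStore({"MRN-000123": SAMPLE_CHART})
    store.read_chart("bsmith", "billing", "MRN-000123", "payment")
    store.read_chart("drlee", "physician", "MRN-000123", "research")
    try:
        store.read_chart("intern", "volunteer", "MRN-000123", "treatment")
    except PermissionError:
        pass
    return store


if __name__ == "__main__":
    s = demo()
    for e in s.audit_log:
        print(e.outcome, e.user, e.role, e.purpose, e.fields)
    print("accounting:", [(e.user, e.purpose) for e in s.accounting_of_disclosures("MRN-000123")])
```

The billing view carries no clinical notes and the physician view carries no claim amount, which is the minimum-necessary standard expressed as data rather than policy; the accounting query returns only the research read, because the payment read is TPO and the volunteer's attempt was denied.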