
2009 Health Information Privacy and Security (HIPS) Week Quiz Answers and Explanations

1. Which of the following items are examples of Protected Health Information (PHI)?
a) Appointment schedules, patient logs, census reports
b) Patient meal tickets/order slips
c) Patient ID bracelets, patient IV labels/bags
d) All of the above

Explanation: Choice (d) is correct. Choices (a), (b), and (c) are examples of protected health information (PHI). PHI can be defined as any information that can lead to the identity of an individual, or whose contents can be used to make a reasonable assumption as to the identity of an individual. PHI is everywhere!

2. E-mail communication involving PHI is only allowed under specific circumstances and may occur according to UCMC guidelines.
a) True
b) False

Explanation: Choice (a) is correct. It is true, e-mail communication involving PHI may only occur according to UCMC guidelines. At this time, UCMC does not have an organization-wide secure e-mail system for e-mail communication sent outside UCMC. For more information, reference these guidelines on our website:
   1. E-mail Communications: Between UCMC Providers and Patients
   2. E-mail Communications: Including PHI In E-mail

3. Computers that are no longer needed should be placed in the basement of the medical center for disposal.
a) True
b) False

Explanation: Choice (b) is correct. Leaving computers in the medical center's basement for disposal poses a risk to patients and UCMC. Contact the CBIS Help Desk (2-3456) for assistance. For additional tips and information, reference the following guideline on our website:
   1. Proper Disposal of Protected Health Information

4. When should you access patient PHI?
a) For the treatment of a patient, if part of your job
b) For obtaining payment for services, if part of your job
c) For non-work related purposes to help a family member, colleague or friend if verbal permission is given
d) Answers a & b

Explanation: Choice (d) is correct. Choices (a) and (b) are appropriate reasons to access PHI. Employees may not access through the institution's current information systems the medical information of family members, friends, or other individuals for personal or other non-work related purposes, even if written or verbal authorization has been obtained.

5. According to the UCMC Faxing Patient Information guidelines, you are not allowed to fax PHI outside UCMC.
a) True
b) False

Explanation: Choice (b) is correct. Employees are allowed to fax patient information outside of UCMC if they limit the amount of information being faxed to the minimum amount necessary. Each fax should be accompanied by a HIPAA approved fax cover sheet. UCMC does not recommend faxing highly confidential information (HCI). However, if necessary, faxing of HCI is only permitted if the sender first calls the recipient and confirms that the recipient or his/her designee can be waiting at the fax machine; the recipient or his/her designee then waits at the fax machine to receive the fax and calls the sender to confirm receipt of the document. Both the sender and the recipient must be attentive to the sensitive nature of highly confidential information.

6. What should you do with PHI that is no longer needed?
a) Discard it in a locked shredding container
b) Discard it in your trash can
c) Hold it in a temporary gathering box that is clearly marked with a "to be shredded" sign
d) Answers a & c

Explanation: Choice (d) is correct. Choices (a) and (c) are examples of how we can protect PHI that is no longer needed. If you must use a temporary gathering box before transporting PHI to a locked shredding container, please make sure it is in a secure area, in close proximity to UCMC personnel, and is clearly marked with a "to be shredded" sign (available via the HIPAA online Best Practices Library).

7. If you are aware of a privacy incident or breach you should do the right thing by contacting:
a) A co-worker
b) The HIPAA Program Office (HPO)
c) A friend
d) None of the above

Explanation: Choice (b) is correct. The HIPAA Program Office (HPO) is just a phone call or e-mail away. The key thing to remember is to report an incident or breach before it escalates into something bigger. Call us at 4-9716 or send us an email at HPO@bsd.uchicago.edu.

8. How can you prevent unauthorized access to PHI via your computer?
a) Never share your UserID and password with anyone
b) Lock or log-off your computer when you walk away
c) Don't write your password on a post-it note or tape it to your monitor
d) All of the above

Explanation: Choice (d) is correct. You are responsible for protecting your UserID and password and will be held responsible for actions performed using your credentials. Never share your password with anyone or store it anywhere near your computer where it can be easily found. Be sure to always lock or log-off your computer when you walk away.

9. If you need to dispose of PHI on electronic media (i.e. computers, video tapes) you should contact the following for assistance:
a) Network Services Information Technology (NSIT) Computer Recycling Program
b) Chicago Biomedicine Information Services (CBIS)
c) Environmental Services (EVS) for bulk items
d) Answers b & c

Explanation: Choice (d) is correct. Choices (b) and (c) are departments that can be contacted for assistance. Employees should not contact NSIT for assistance with computers containing PHI. Disposal of electronic media containing PHI must be tracked and logged. For proper disposal of electronic media containing PHI, contact CBIS at 2-3456. If you need assistance with disposing of bulk items containing PHI (e.g. video tapes, CD-ROMs), shredding containers or boxes/bags of PHI for shredding, you can contact EVS at 2-6296.

10. What does the minimum necessary rule require employees to do?
a) To wear an ID badge at all times
b) To limit the use and disclosure of PHI to the amount that is needed to accomplish the intended purpose to perform their job
c) To allow employees to access their own PHI
d) None of the above

Explanation: Choice (b) is correct. The PHI you need to do your job is called "minimum necessary." It is information you "need to know" to do your job. Despite safeguards and controls to minimize access, we know that PHI surrounds us. If you come into contact with PHI and your job does not require it, you should not discuss or use this information.


11. It is okay to look up your spouse's lab results in EPIC if you have his/her verbal permission.
a) True
b) False

Explanation: Choice (b) is correct. Employees may not access either through our information systems (e.g. OACIS, Centricity, or Lastword) or the patient's medical record the medical and/or demographic information of family members, friends, or other individuals for personal or other non-work related purposes, even if written or oral patient authorization has been given.

12. When selecting a patient in our information systems (i.e. EPIC, Centricity), you should do the following to prevent a possible HIPAA violation.
a) Check to see if there is more than one patient with the same name and confirm that you have the correct patient before making your selection
b) If there is more than one patient with the same name, select the first one on the list
c) If the patient is present (i.e. clinic visit), ask him/her to verify his/her demographic information such as name, address, telephone number, date of birth, and insurance information
d) Answers a & c

Explanation: Choice (d) is correct. Be sure to select the correct patient before entering PHI in information systems (i.e. Epic, Lastword). Entering information in the wrong patient's electronic medical record can lead to a possible HIPAA violation and may adversely impact patient care and safety.
