HIPAA - Health Insurance Portability and Accountability Act The Omnibus Rule Questions and Answers

Question 1

The HIPAA Omnibus Rule of 2013 modified the Breach Notification Rule by replacing the subjective "harm threshold." An impermissible use or disclosure of PHI is now presumed to be a breach unless the covered entity or business associate demonstrates what?

Accepted Answer

There is a low probability that the protected health information has been compromised.

Answer

The individuals affected have been notified and offered credit monitoring.

Answer

A formal risk of harm analysis shows no significant financial impact.

Answer

The data was encrypted after the impermissible disclosure was discovered.

Question 2

A patient pays for a specific medical procedure entirely out-of-pocket and explicitly requests that the provider not share any information about this service with their health insurance plan. According to the rights expanded by the HIPAA Omnibus Rule, how must the provider respond?

Accepted Answer

The provider must agree to the restriction request.

Answer

The provider can deny the request if it is administratively burdensome.

Answer

The provider only has to agree if the request is submitted in writing 30 days in advance.

Answer

The provider can inform the patient that all services are reported to health plans regardless of payment method.

Question 3

How did the HIPAA Omnibus Rule fundamentally change the liability of a business associate's subcontractors?

Accepted Answer

Subcontractors are now directly liable for compliance with the HIPAA Rules and can face penalties from the Office for Civil Rights (OCR).

Answer

Subcontractors' liability is limited to the terms specified in their contract with the primary business associate.

Answer

The covered entity is solely responsible for any breaches caused by a business associate's subcontractor.

Answer

Subcontractors are only liable if they have direct access to a covered entity's electronic health record system.

Question 4

Which of the following provisions was incorporated into the HIPAA Privacy Rule by the Omnibus Final Rule to prohibit its use in underwriting?

Accepted Answer

Genetic Information Nondiscrimination Act (GINA).

Answer

Substance Use Disorder (SUD) information from Part 2 records.

Answer

Information related to psychotherapy notes.

Answer

Protected Health Information used in marketing.

Question 5

Following the 2013 Omnibus Rule, which of the following statements is a required addition to a covered entity's Notice of Privacy Practices (NPP)?

Accepted Answer

A statement that the individual has the right to be notified following a breach of their unsecured PHI.

Answer

A list of all business associates the entity works with.

Answer

A statement that the entity may contact the individual for marketing purposes.

Answer

The fee schedule for obtaining copies of medical records.

Question 6

A pharmaceutical company pays a hospital to send promotional materials about a new brand-name drug to a specific list of patients with a relevant diagnosis. Under the HIPAA Omnibus Rule, what is required before the hospital can send these materials?

Accepted Answer

The hospital must secure each patient's written authorization that acknowledges the remuneration.

Answer

An opportunity for the patients to opt-out of the communication.

Answer

Approval from the hospital's Institutional Review Board (IRB).

Answer

The communication must be classified as a treatment-related communication.