Tag Archives: HIPAA

OCR ramps up HIPAA enforcement efforts

The Office for Civil Rights (OCR) stepped up HIPAA enforcement in a big way this year. The agency handed down more than $5 million in HIPAA settlement fines in one week in March, and in July reached a HIPAA violation settlement with Advocate Health Care in Illinois that carried a $5.55 million payment. OCR kicked off phase two of its HIPAA Audit Program and will likely complete desk audits of covered entities (CE) and business associates (BA) by the end of the year. Comprehensive on-site audits may occur early in 2017.

However, breaches continue to come at a relentless pace and questions have arisen about OCR’s handling of HIPAA violations, particularly repeat HIPAA offenders. And a truly permanent HIPAA audit program may not yet be in sight: OCR states that phase two audits will help the agency plan for a permanent audit program but doesn’t state when that might launch.

In a September 2015 report, the Office of Inspector General (OIG) said OCR, and the U.S. Department of Health and Human Services (HHS) as a whole, should strengthen its oversight of CEs and be proactive rather than reactive in its approach to HIPAA enforcement. The report found that in 26% of closed privacy cases, OCR did not have complete documentation of corrective actions taken by CEs. In addition, OCR’s case tracking system has significant limitations and makes it difficult for the agency’s staff to check whether a CE under investigation has been the subject of previous investigations.

All of this may make some CEs and BAs feel that HIPAA compliance is merely optional, and that leads to a weaker privacy and security culture throughout the industry. Although OCR does take action to make its presence felt, it could do more, Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, says.

"I do believe that OCR is trying to let people know that it considers HIPAA compliance an important objective," he says. "With its guidance and ongoing alerts about the occasional enforcement actions here and there, I see OCR’s enforcement a small step above being a paper tiger in terms of how seriously people take it."

The waiting game

The OIG’s September 2015 report wasn’t the first time that agency has found fault with HHS and OCR’s methods, Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts, says.

"OIG has published a number of reports over the years, identifying problems with HHS’ oversight and enforcement of these HIPAA rules," she says. "I know of no one in the profession who reads the OIG reports and disagrees."

But HHS and OCR have been slow to take action. More than five years passed between the end of phase one of the HIPAA Audit Program and the announcement of phase two, and OCR still has obligations it’s failed to fulfill. The agency’s slow pace may lead some to take it, and HIPAA, less seriously.

"Since the latest round of rule changes back in 2010, over six years ago, there are still outstanding rules and unmet commitments by HHS and OCR," Ruelas says. "In the end, it not only erodes credibility but also questions just how seriously is OCR taking its enforcement duties."

Another day, another fine

HHS and OCR regularly announce breach settlements, but 2016 saw a flurry of high-profile and costly settlements. OCR took the opportunity to make examples of a number of CEs and BAs in its statements, calling attention to the particular violations that tipped the settlements into the hundreds of thousands, or even millions, of dollars.

Although the settlements grab attention and headlines, it may be difficult to determine their positive impact. Some of the HIPAA violations in question date back years. Staff who worked at the organization, and may have been involved in the breach, are likely gone. Even administrators, executive leaders, and owners may change in that time. Some organizations may see OCR’s enforcement actions as too little, too late, Mac McMillan, FHIMSS, CISSM, cofounder and CEO of CynergisTek, Inc., in Austin, Texas, says.

"We all want the same thing: to see our industry do better," he says. "This is just more of the same old, same old. Same issues, different players."

A HIPAA settlement fine might be a crushing blow to a physician practice or small home health or physical therapy organization, but even the largest fines might not make an appreciable impact on larger organizations, McMillan says.

"To be really impactful, there will probably need to be more, they will need to happen closer to the actual event they’re related to, and possibly the fines will need to be bigger," he says. "The fines levied were really not substantial fiscally, and there was no accountability for those responsible for making security decisions, so they pay and move on."

Borten agrees that the long period of time between when a breach is reported and when OCR takes action lessens the impact. "The response or punishment must rapidly follow the event to have a significant impact on future behavior," she says.

Although some find California’s short breach notification timelines and black and white faxing rules burdensome, these measures have caused CEs and BAs to change their behavior and improved privacy and security, McMillan says.

Some CEs and BAs may be willing to take the chance they won’t be caught, Ruelas says. "I truly think that people see enforcement a lot like getting hit by lightning. However, if it does occur, it tends to be a game changer and does make for an interesting day."

But whether the change is meaningful or widespread may be difficult to determine, and any alteration to OCR’s HIPAA enforcement practices would likely be an improvement, he adds.

Learning from others’ mistakes

However, CEs and BAs can get something out of HIPAA settlements. Conscientious entities will fulfill the terms of the corrective action plan and even improve on it. And other CEs and BAs can take valuable lessons from OCR’s breach announcements. The agency often draws attention to specific issues that led to the breach, levies a pricey fine, and points out how the organization could have avoided the problem in the first place.

"HIPAA enforcement actions are important teaching tools," Borten says. "Workforce members can be asked if the same problem could arise in their organization, and how individuals can avoid the same fate."

Many privacy or security failures that lead to breaches are the result of human error and are still relevant regardless of when the breach occurred, she adds.

Although the security landscape has expanded beyond missing laptops and smartphones, Ruelas says there’s still a lot CEs and BAs can learn from these enforcement actions. Organizations may see ransomware, phishing, and privacy and security breaches on social media as the biggest threats, and rightly so. Yet many breaches still come down to 10-year-old HIPAA basics: misdirected faxes, incorrectly addressed emails, or handing the wrong documents to a patient.

While human error is still a concern, McMillan is most worried about the increasing number of breaches due to hacking, particularly the greater loss of data due to hacking and the effects such breaches have on the industry. "Human errors are still an issue, but the relative impact of those incidents compared to the impacts we see from hacking recently pales in comparison. Many of those attacks were the result of misconfigured or poor administration of systems resulting in serious outages and millions of lost records," McMillan says. "This is where OCR needs to focus attention."

Phase two

The launch of phase two of the HIPAA Audit Program may promise some positive change. The audits are intended to help the agency improve HIPAA guidance and tools and pinpoint common problems and challenges CEs and BAs face. Desk audits of CEs began in July, with BAs scheduled to follow in the fall. However, it may take 90 days after submitting documents for CEs to receive a draft audit report. Until then, it will be difficult to predict what OCR’s response to the audits might be.

The audit reports will not be made public, although OCR representatives indicated they will likely be available through a Freedom of Information Act request. Sharing some data might help CEs and BAs.

"I do think that if audit results can somehow be summarized and shared, just by their detailed nature, the audits can be wonderful sources of information for the HIPAA community," Ruelas says.

It took three years for the agency to update the audit protocols to reflect changes made by the HIPAA omnibus rule, he adds. It’s too soon to tell how long it might take the agency to revise or refocus its guidance based on the results of the phase two audits, but it would no doubt be beneficial for all CEs and BAs to see results sooner rather than later.

Establishing a permanent audit program is one of OCR’s responsibilities under HIPAA, and the agency’s failure to develop one has drawn criticism from the industry and from other regulatory agencies such as the OIG. OCR agreed with the OIG’s latest call for a permanent audit program. Phase two is an encouraging step in that direction, but still not quite enough.

"It has been very vocal on its commitment to establishing an effective and permanent auditing program," Ruelas says. "Let’s see if it really is going to walk the talk." – Credentialing and Peer Review Legal Insider

Prevalent Vendor Assess evaluates third-party vendors’ HIPAA compliance

Product watch

by Chris Apgar, CISSP

Much of today’s healthcare industry is reliant on third-party vendors. If you haven’t asked your vendors whether they are compliant with HIPAA and have implemented sound information privacy and security programs, you are likely facing unknown, and possibly significant, risks. Covered entities (CE) and business associates (BA) are required by HIPAA to exercise due diligence when it comes to their BAs and BA subcontractors. Assessing the risk of those vendors is necessary, especially if those vendors support critical functions in support of CE operations.

Prevalent offers Vendor Assess: a software as a service-based tool that can automate a large part of third-party vendor assessments. Its third-party risk management solution can help CEs and BAs manage the risks associated with BAs and BA subcontractors. And Vendor Assess provides the information and tools necessary to require vendors to address risks that could have an adverse impact on business and clinical operations.

Vendor Assess is a subscription-based service that uses industry best practices to help CEs and BAs conduct third-party assessments efficiently, without the need for additional staff or resources. Prevalent Vendor Assess leverages Prevalent’s Vendor Risk Manager platform to generate focused third-party risk assessments and store the results in an easily accessible web portal. Also, Prevalent’s Vendor Threat Monitor is available to support the collection of real-time vendor threat intelligence information. The subscription includes a single assessment, threat intelligence monitoring, reporting, and assessment recommendations by Prevalent.

Vendor Assess uses predeveloped third-party security questionnaires to identify CE and BA vendor risks. The questionnaires sent to vendors are customized to address areas of risk that are associated with each vendor, rather than a static set of questions that are not necessarily suited to each vendor. Because risks vary depending on the vendors and the services provided, the customization is an added bonus, especially when evaluating critical vendor information security risk to CEs and BAs.

The tool can be used to electronically generate questionnaires that can be distributed to vendors and takes a lot less time than manually generating, addressing, and sending questionnaires that are geared to identify risks that vendors pose to their CE and BA clients. The tool creates a centralized repository that can be used to track vendor risk management activities and questionnaire returns and create a baseline of vendor risk that can be used for future Vendor Assess assessments.

In addition to providing a sound solution to assess vendor risk, Prevalent’s offerings include the Prevalent Vendor Risk Maturity Assessment. The Vendor Risk Maturity Assessment was created to help CEs and BAs understand the maturity of their vendor risk management program, review specific actions for maturity improvement, and benchmark overall maturity with other Prevalent clients.

The Vendor Risk Maturity Assessment identifies CEs’ and BAs’ vendor risk management program maturity. The assessment involves a question and answer session with the staff responsible for vendor risk management. A Prevalent analyst reviews the data, identifies areas for improvement, develops a specific action plan for improving maturity across all the CE’s BAs and BA subcontractors and creates an executive presentation to show how an entity’s vendor risk assessment program compares to other Prevalent clients.

Pricing for Prevalent services fits the budget of most small and large CEs and BAs. Pricing is, for the most part, tiered by the number of vendors CEs and BAs will be sending questionnaires out to. Prevalent offers a concierge package of services that has, per Prevalent, appealed to smaller CEs and BAs. More information is available from Prevalent at

Editor’s note

Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. Opinions expressed are that of the author and do not represent HCPro or ACDIS. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Email your HIPAA questions to Associate Editor Nicole Votta at – Briefings on HIPAA

Is HIPAA enough?

Privacy and security

Is HIPAA enough?

HIPAA breaches haven’t become less common. If the law was, in part, meant to reduce the amount of PHI released to unauthorized individuals, some may say its success is uncertain. HIPAA’s requirements aren’t prohibitively stringent: they provide a basic floor of privacy and security. If a covered entity (CE) or business associate (BA) does no more than comply with HIPAA, it will simply be doing the bare minimum to safeguard PHI. Although that may not sound difficult, some organizations continue to fall short and leave others wondering if HIPAA is enough to meet today’s information security and privacy challenges.

Covering basics

HIPAA does provide a floor for privacy and security, a minimum amount an organization can do, but is it effective? "No, it establishes a level of security that’s not actually effective," Rick Kam, CIPP/US, president and co-founder of ID Experts, says.

HIPAA is not as closely tied to reimbursement as other compliance measures. Many organizations may choose to simply meet HIPAA’s basic requirements and put the majority of their efforts into meeting other compliance goals. Although such a situation may not exactly set HIPAA up to fail, it doesn’t do any favors for the privacy and security of PHI either.

"For most organizations, who don’t think they’re going to have an issue, they’re lulled into a comfortable zone where they can say, ‘I’ve done what the federal government has asked me to do, that’s enough, I’m compliant.’ The bad news is they’re still being breached and their employees are being sloppy and losing data and so forth," Kam says.

The Office for Civil Rights’ (OCR) HIPAA audit program is intended to help CEs and BAs get better at HIPAA compliance, and to help the agency understand what it can do better. Whether the audits will result in changes or improvements to HIPAA is debatable. Earlier this year, some lawmakers suggested expanding HIPAA and making it stronger, but it’s unlikely the topic will be revisited in earnest until next year at the earliest, Kam says.

Other agencies, such as the Office of Inspector General and Government Accountability Office, have recently questioned OCR’s oversight of HIPAA and lack of robust guidelines. Even OCR agrees that a permanent audit program—required by HIPAA—is long overdue. But in this, the agency isn’t far removed from the entities it oversees, Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, says.

"HHS-OCR is much like many of the CEs and BAs, as they have next to or no auditing and monitoring function," he says. "When you don’t have an effective auditing and monitoring function, I don’t believe you can have an effective enforcement function. It’s as simple as that."

OCR offers a risk analysis tool and improved its guidelines and explanations for CEs and BAs this year, but the agency has limited ability to help smaller entities that may struggle to afford new software and upgraded security safeguards. Smaller entities may be more likely to combine the role of information security officer with other duties and may have a difficult time competing with larger organizations for qualified staff. Smaller entities may simply not have the expertise in-house, Kam says.

"There have to be other ways these organizations can improve," he says. "Maybe it’s as simple as other industries, like the insurance industry, coming to their rescue with cyber insurance and tools that are part of their programs in order to help those small organizations do a better job."

Focus on fines

OCR relies on fines to scare CEs and BAs into HIPAA compliance, yet for many the fines aren’t all that scary.

An organization that’s been through a HIPAA breach investigation may not want to repeat the experience. However, as a ProPublica investigation earlier this year discovered, OCR investigates relatively few breaches.

Even when an organization is investigated, the consequences often come years later and may not be significant enough to change its behavior. Those fines might cripple a small BA or CE, but larger companies or health systems might see even the biggest HIPAA fines as cheaper than compliance, Mac McMillan, FHIMSS, CISSM, co-founder and CEO of CynergisTek, Inc., in Austin, Texas, says.

In recent settlement announcements, OCR has put at least some of the blame squarely on the organization’s leaders. Those strong words may be in vain, Ruelas says. Because the agency doesn’t hold an organization’s leaders directly responsible for failing to act on risk analyses or support privacy and security needs, there’s little incentive for leaders to be accountable.

"I also think that it is not uncommon when settlements are made, there are people that are named scapegoats for the issues related to the settlement and often find themselves in some manner as the sacrificial lamb in losing their jobs," Ruelas says.

One way to solve the accountability crisis would be to take a cue from legislation such as the Sarbanes-Oxley Act, Kam says. The Sarbanes-Oxley Act was signed into law in 2002 in response to the corporate and accounting scandals that rocked the financial world in the early 2000s. If an organization’s chief executive officer were required to personally sign off on risk analysis reports and could be held personally accountable for his or her failure to properly follow up on security risks, HIPAA might start to carry some real weight.

Standard security

OCR recommends that CEs and BAs follow the National Institute of Standards and Technology’s (NIST) cybersecurity framework. The agency released a HIPAA/NIST crosswalk tool in February to help CEs and BAs map HIPAA security requirements to specific standards in the framework. CEs and BAs aren’t required to follow NIST’s cybersecurity framework, but it provides the practical guidance many are looking for. It can also be used to help an organization improve its data security overall and better protect PHI and business and financial information.

"I think the healthcare industry needs to up the ante, to work toward a higher standard," Kam says. "NIST and others are publishing security protocols and frameworks that the industry can work toward. Those are the types of standards that should be looked at, not for compliance but for data security."

Other security standards such as the Payment Card Industry Data Security Standard (PCI-DSS) are optional but can be used to enhance an organization’s security.

But regardless of the standard, organizations must verify that security standards and policies are actually being applied. All too often policies that exist on paper are not fully implemented. Without regular organization-wide risk analyses, gaps in compliance and implementation will be missed. Failure to complete or follow up on organization-wide risk analyses has been cited repeatedly in OCR’s recent HIPAA breach settlements. A risk analysis is the cornerstone of a security program, Linda Sanches, MPH, senior advisor for health information privacy for OCR, said in September at the Health Care Compliance Association’s annual regional conference in Boston.

"You cannot have a sound security program without a risk analysis," she said.

Sanches advised CEs and BAs to check OCR’s website for guidance and tools designed to help with HIPAA compliance. But a Government Accountability Office (GAO) report released in September cast a critical eye on the agency’s resources for CEs and BAs. The GAO report slammed OCR’s oversight of HIPAA and called the guidance and tools it offers CEs and BAs inadequate.

Looking to states

Most states have privacy and security laws and organizations can look to them to answer some of the questions, and fill some of the gaps, left by HIPAA. Navigating a patchwork of state laws isn’t always ideal. Multi-state organizations must keep track of laws in each state they operate in. And if a resident of one state experiences a breach of his or her PHI held by an organization in another state, it might be difficult for an organization to determine which state’s law applies. However, HIPAA was designed to complement state laws, not overrule them.

"HIPAA is designed to work with state laws," Sanches said. "You really need to look at the interplay between state laws." – Briefings on HIPAA

In a $750,000 HIPAA settlement, the University of Washington Medicine (UWM) has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule by failing to implement policies and procedures to prevent, detect, contain, and correct security violations. UWM is an affiliated covered entity, which includes designated health care components and other entities under the control of the University of Washington, including University of Washington Medical Center, the primary teaching hospital of the University of Washington School of Medicine. Affiliated covered entities must have in place appropriate policies and processes to assure HIPAA compliance with respect to each of the entities that are part of the affiliated group. The settlement includes a monetary payment of $750,000, a corrective action plan, and annual reports on the organization’s compliance efforts.

You can review the complete notice on the website.