FOL -- ADAMS ch 11-20
The privacy rule generally requires documentation related to its requirements to be retained for - 3 years - 5 years - 6 years - 10 years
6 years
The general retention period for HIPAA-related documentation is - 5 years - 6 years - 10 years - not specified in the HIPAA privacy rule
6 years
The May 31, 2011 proposed rule introduced the concept of an - accounting of disclosures - penalty for HIPAA violations resulting from malicious behavior - limitation on records of the deceased as PHI - Access report
Access report
An audit trail is a good tool for which of the following? A- Holding an individual employee accountable for actions B- reconstructing electronic events C- detecting a hacker D- recognizing when a system is having problems - a and d - b and d - All of the above - none of the above
All of the above
The latest provisions to HIPAA include - breach notification and modification to the security rule - breach notification and enforcement - breach notification and modifications to the security rule - breach notification, enforcement and modifications to the privacy and security rules
Breach notification, enforcement and modifications to the privacy and security rules
A staff person at Thompson Laboratories received a request from Mrs. Blake to receive a copy of her lab results. What legislation enables the laboratory to release Mrs. Blake's lab results directly to her? - FACTA - GINA - UHCDA - CLIA
CLIA
Elaine has moved to a new state to assume the director of HIM position in a large community hospital. In her previous position, reporting of trauma injuries was required by state law. However, in her new position it is apparent that the hospital is not reporting traumatic injuries. Which of the following is the most appropriate action for Elaine to take? - begin reporting trauma injuries - refer to HIPAA about reporting of trauma injuries - inform the hospital administrator and start reporting trauma injuries - check state law to determine if reporting of trauma injuries is required
Check state law to determine if reporting of trauma injuries is required
State attorneys general can bring - civil actions in state court for individuals wronged by HIPAA violations - civil actions in federal court for individuals wronged by HIPAA violations - criminal actions in state court for individuals wronged by HIPAA violations - criminal actions in federal court for individuals wronged by HIPAA violations
Civil actions in federal court for individuals wronged by HIPAA violations
A conditioned authorization - only allows participants in a research study if they are in good physical condition - conditions treatment, payment and health plan enrollment on an authorization - is the preferred type of research authorization per HIPAA
Conditions treatment, payment and health plan enrollment on an authorization
Elanor has refused life-saving treatment. Which of the following is true? - Elanor has the right of self-determination to refuse treatment - the hospital may not refer this decision to a court - Elanor does not have the right to refuse treatment - her refusal is voided because it will result in her death
Elanor has the right of self-determination to refuse treatment
Common safeguards utilized to protect e-mail communication include all but which of the following? - Anti-spam software - e-mail filtering - Encryption software - email scrubbing
Email scrubbing
With whom may patients file a complaint if they suspect medical identity theft violations? - Internal Revenue Service - Office for Civil Rights - Centers for Medicare and Medicaid Services - Federal Trade Commission
Federal trade commission
When Greg was released from Metro Hospital's substance abuse inpatient facility, he authorized his records to be released to General Hospital, where he had his knee replaced. General Hospital then released Greg's information from Metro Hospital, along with its own information, to the physical therapy service. Select the statement that best addresses the situation. - redisclosure of Metro's information on Greg has occurred, but it's okay since Greg signed an authorization to release his records to General Hospital - General Hospital has violated redisclosure regulations by releasing the records from Metro Hospital to Physical Therapy Services - redisclosure of substance abuse health information is always permitted under HIPAA regulations - release of the information was appropriate since it follows the alcohol and drug abuse patient records regulations on disclosure of health information
General Hospital has violated redisclosure regulations by releasing the records from Metro Hospital to Physical Therapy Services
Jack Mitchell, a patient in Ross Hospital, is being treated for gallstones. He has not opted out of the facility directory. Callers who request information about him may be given - no information due to the highly sensitive nature of his illness - admission date and location in the facility - general condition and acknowledgement of admission - location in the facility and diagnosis
General condition and acknowledgement of admission
Mr. Thompson was working on his roof and fell off, sustaining a severe head injury that has left him in a coma. Before he fell from the ladder, he and his wife were in the process of getting a divorce. However, the divorce was not final. Which statement best describes the circumstance regarding who may authorize access to Mr. Thompson's records? - legal counsel must be sought to represent Mr. Thompson - Mr. Jones' eldest son can authorize the access - his wife cannot authorize access because they were getting a divorce - his wife may authorize access because she is next of kin and they are still married
His wife may authorize access because she is next of kin and they are still married
Which of the following is not a HIPAA individual right? - request restrictions regarding PHI use and disclosure for treatment - import PHR content into the provider's health record - access to PHI - request amendments to PHI
Import PHR content into the provider's health record
At Frank's recent medical appointment, his physician provided information to Frank, but Frank made his own treatment decisions. This situation describes what type of relationship? - informative - paternalistic - interpretive - mutual
Informative
Katie is 13 years old and lives with her mom, who has had custody of Katie since her parents divorced. Katie has recently been in the hospital, and her mother is now seeking a copy of Katie's health record. Who must sign the authorization form that will enable Katie's mother to access Katie's record? - Katie - both of Katie's parents must sign - Katie's mother because she has custody of Katie - Katie may appoint a personal representative to sign for her
Katie's mother because she has custody of Katie
According to the HIPAA security rule, what should a covered entity instruct a physician who needs a new smart phone to do with her current smart phone that contains ePHI? - sell her old smart phone - keep her old smart phone - recycle the old smart phone by giving it to a charity - do what she wants since IT is too busy with other projects
Keep her old smart phone
Marty Jones has been out of work for three months and has recently applied for a position at a local factory. As part of the employment process, the employer has asked Mr. Jones to complete a pre-employment physical that includes genetic testing for any disease that might interfere with Mr. Jones' ability to run an expensive piece of factory equipment. Of the options below, what is the best option? - Mr. Jones complies with the request - Mr. Jones reluctantly complies with the request because he needs a job - Mr. Jones informs the employer that CLIA regulations prohibit employers from requiring genetic information as part of the employment process - Mr. Jones informs the employer that GINA regulations prohibit employers from requiring genetic information as part of the employment process
Mr. Jones informs the employer that GINA regulations prohibit employers from requiring genetic information as part of the employment process
Which of the following statements is not part of the EMTALA (Emergency Medical Treatment and Active Labor Act) regulations? - every patient arriving at the emergency department must receive an appropriate medical screening exam - if an emergency medical condition exists, the hospital must treat and stabilize the emergency condition or transfer the patient - non-Medicare, indigent patients must be transferred to the nearest Level 1 trauma center - transfers of non-stabilized patients must only occur under certain specific conditions
Non-Medicare, indigent patients must be transferred to the nearest Level 1 trauma center
When determining the appropriate password composition, the HIM professional should refer to which of the following? - HIPAA privacy rule - HIPAA security rule - HITECH act - organizational policy
Organizational Policy
The release of information manager at Hope Hospital has received a request to obtain copies of an individual's records from a recent hospitalization for spousal abuse. Upon reviewing the request, the manager notices that the signature on the request does not look like the patient's signature on the informed consent in the patient's medical record. What would be the best course of action? - refer the request to the hospital's medical identity theft committee to ascertain if this is indeed the patient requesting the information - copy the requested information and have it ready for pick up by the individual requesting the information - ignore the request since you are pretty sure it is not legitimate - wait until the person comes in to pick up the material and ask the person to sign their name again for comparison purposes; if it looks the same, give them the record
Refer the request to the hospital's medical identity theft committee to ascertain if this is indeed the patient requesting the information
Medicare requirements pertaining to seclusion and restraint - encourage their use through flexible standards - restrict their use - prohibit seclusion for patients less than 18 years old - prohibit restraint for patients less than 18 years old
Restrict their use
Healthcare facilities are required to report vital statistics to which of the following authorities? - Centers for Disease Control and Prevention (CDC) - National Center for Vital Statistics - state department of health - World Health Organization
State department of health
Responsibility for completing a fetal death certificate is determined by - state law - federal law - health department - physician policy
State law
When determining which immunizations must be reported, which of the following would you refer to first? - HIPAA Privacy Rule - state reporting requirements - providers - AMA pediatric section
State reporting requirements
Which of the following is the public or known portion of most user log-ins? - password - User ID - Firewall - Token
User ID
Which of the following is an example of two-factor authentication? - user name and password - password - user name and password and token - user name and PIN
User name and password and token
Except as provided by law, who controls access to a patient's health information by third parties such as insurance companies? A- patient B- Patient's legal representative C- physician - a and b only - a and c only
a and b only
A nurse administrator who does not typically take call gets called in over the weekend to staff the emergency department. She does not have access to enter notes since this is not part of her typical role. In order to meet the intent of the HIPAA security rule, the hospital policy should include - a requirement for her to attend training before accessing ePHI - a provision to allow her to share a password with another nurse - a provision to allow her emergency access to the system - a restriction on her ability to access ePHI
a provision to allow her emergency access to the system
Mia is a 16-year-old pregnant female who plans on having an abortion. Mia has the right to choose who her health information may be released to. What other healthcare situations exist that give Mia the right to authorize release of her healthcare information? A- mental health B- substance abuse C- venereal diseases - a and b - a and c - a and d - a, b, and c
a, b and c
The VP of finance wants to consider sending all of the medical transcriptionists home to work. What security issues should be included in the risk analysis? - access of data by unauthorized persons - storage of data on remote devices - transmission risks when reporting data - potential for new regulations
access of data by unauthorized persons
Crystal's request to access her medical record has been denied. The denial is subject to appeal. Which of the following is the most likely reason for the denial? - access to the PHI would likely endanger Crystal's life or physical safety - the PHI contains psychotherapy notes - PHI in the record is subject to the federal privacy act - PHI was created in the course of research including treatment, and Crystal agreed to suspend her right of access during the study time period
access to the PHI would likely endanger Crystal's life or physical safety
A mental health professional cannot be compelled to testify or disclose protected health information without patient authorization in a judicial situation except in what situation? A- health professional performs an examination under court order B- patient brings up the issue of mental or emotional condition C- protect patient from harming self or others - a and c - all of the above
all of the above
Breach notification requirements apply to - HIPAA covered entities - HIPAA business associates - non business associate PHR vendor - All of the above
all of the above
Health literacy focuses on - individuals for whom English is a second language - individuals with limited reading proficiency - Varying levels of technological proficiency - all of the above
all of the above
The HIPAA Security Rule allows flexibility in implementation based on reasonableness and appropriateness. What does the covered entity use to make these determinations? - size of the covered entity - security capabilities of the covered entity's system - costs of security - all of the above
all of the above
Under HIPAA, a covered entity may deny a patient's amendment request for which of the following reasons? - the information is accurate and complete - the information in question was not created by this covered entity - the information is not part of the individual's designated record set - all of the above
all of the above
Which of the following should occur when a patient leaves a hospital against medical advice? - patient signs a form acknowledging potential consequences - patient signs a form acknowledging health insurance may refuse to pay for care provided - risks are discussed with the patient when possible - documentation of the AMA in the patient's medical record - all of the above
all of the above
The HIPAA security rule applies to which of the following covered entities? - hospital that bills Medicare - physician electronic billing company - Blue Cross health insurance plan - all of the above
all of the above
Which of the following is an example of mitigation - breach notification - payment of a bill for financial loss resulting from an infraction - apology - all of these are examples of mitigation
all of these are examples of mitigation
St. Joseph's Hospital has a psychiatric service on the sixth floor of the hospital. A 31-year-old male has come to the HIM department and requested to see a copy of his medical record. He has told your clerk he was a patient of Dr. Schmidt, a psychiatrist, and was on the sixth floor of St. Joseph's for the last two months. These records are not psychotherapy notes. As the HIM director, the best course of action for you to take is to - prohibit the patient from accessing his record, as it contains psychiatric diagnoses that may greatly upset him - allow the patient to access his record - allow the patient to access his record if, after contacting his physician, his physician does not feel it will be harmful to the patient - deny access because HIPAA prevents patients from reviewing their psychiatric records
allow the patient to access his record if, after contacting his physician, his physician does not feel it will be harmful to the patient
Which of the following has the right to consent to treatment? - a 10 year old boy - an 88 year old woman - a 45 year old man with severe mental retardation - all of the above have the right to consent to treatment
an 88 year old woman
A waived authorization for a research study may be granted by - a researcher in the research study - an institutional review board - the CEO of a covered entity that is providing PHI - The office for civil rights
an institutional review board
With the initiation of HIPAA audits, complaints - are no longer used as a way to detect HIPAA violations - are still used as a way to detect HIPAA violations - can only be proven through corroboration via a HIPAA audit - must be present before a HIPAA audit can be conducted
are still used as a way to detect HIPAA violations
The capture of data by a hospital's data security system that shows multiple invalid attempts to access the patients' database is an example of - audit trail - access control - auto-authentication - override function
audit trail
The capture of data by a hospital's data security system that shows multiple invalid attempts to access the patients' database is an example of what type of security control? - audit trail - access control - auto-authentication - override function
audit trail
One of the four general requirements a covered entity must adhere to for compliance with the HIPAA security rule is to ensure the confidentiality, integrity and ----- of ePHI - addressability - accuracy - availability - accountability
availability
The HIPAA security rule requires that passwords - be updated every 90 days - be updated by organizational policy - be updated every time there is a breach - be updated every 60 days
be updated by organizational policy
Non-compliance with the HIPAA security rule can lead to A- civil penalties B- criminal penalties C- a max annual penalty of $1 million D- both a & b
both a & b
What are the primary distinctions between the HIPAA Security Rule and the HIPAA Privacy Rule? A- the privacy rule applies to all forms of patients' PHI whether electronic, written, or oral, but the security rule covers only electronic PHI B- the security rule provides for far more comprehensive security requirements than the privacy rule and includes a level of detail not provided in the privacy rule - both A & B - neither A nor B; there are no distinctions
both a and b
Which of the following would provide the best support of an organization's efforts toward compliance with the security rule? - implement mandatory password changes every 30 days - create a mascot for security awareness - build security into software and systems - prohibit remote access to ePHI
build security into software and systems
With respect to patients' rights, the Joint Commission standards - do not address patient rights - contain a provision regarding the review of patient complaints - address patient rights in most contexts but do not address research and clinical trials - mandate the actual language to be used in patient rights policies
contain a provision regarding the review of patient complaints
Under which access security mechanism would an individual be allowed access to e-PHI if they have a proper log-in and password, belong to a specified group, and their workstation is located in a specific place within the facility? - role based - user based - context based - none of the above
context based
Copying data onto tapes and storing the tapes at a distant location is an example of - data backup - data mapping - data recovery - data storage for recovery
data backup
The role of the HIM professional in medical identity theft protection programs includes all of the following except - ensure safeguards are in place to protect the privacy and security of PHI - balance patient privacy protection with disclosing medical identity theft to victims - identify resources to assist patients who are the victims of medical identity theft - defer all issues related to medical identity theft to the in-house attorney
defer all issues related to medical identity theft to the in-house attorney
The admissions department is getting some new computers from the surgery department. The director is so excited to get the new computers that he does not contact IT and installs the computers over the weekend in admissions. Since the computers were not checked for the presence of e-PHI, the admissions director has violated which provision of the HIPAA security rule? - access controls - device and media controls - emergency access procedure - contingency operations
device and media controls
The HIPAA Security Awareness and Training administrative safeguard requires all of the following addressable implementation programs for an entity's workforce except - disaster recovery plan - log-in monitoring - password management - security reminders
disaster recovery plan
What statement best addresses disclosure of information about abortions? - should never be disclosed - disclosed at the direction of the physician - deferred to the chief of staff for determination - disclosed based on required reporting statutes
disclosed based on required reporting statutes
What term is also used to denote the HIPAA requirement of Contingency Planning - data backup - data recovery - disaster planning - emergency mode of operation
emergency mode of operation
Who owns the health record of a patient treated in a healthcare facility? - facility - patient - patient's family - physician
facility
A fetal death would be reported on which required form? - birth certificate - death certificate - fetal birth certificate - fetal death certificate
fetal death certificate
Which of the following is not included as a patient responsibility? - follow treatment regimen as mandated by the provider - provide full and honest information to providers - show respect for providers and other patients - make good faith efforts to meet financial obligations
follow treatment regimen as mandated by the provider
To which of the following does GINA apply? - disability insurers - long term care insurers - health insurers - life insurers
health insurers
Which of the following statements is false about the security officer? The security officer - is generally the individual within the healthcare organization responsible for overseeing the information security program - holds a required full-time position under the HIPAA security rule - generally reports to an upper-level administrator within the healthcare organization - is given the authority to effectively manage the security program, apply sanctions and influence employees
holds a required full-time position under the HIPAA security rule
With addressable standards, the covered entity may do all but which of the following? - implement the standards as written - implement an alternative standard - ignore the standard since it is addressable - determine that the risk of not implementing is negligible
ignore the standard since it is addressable
The HIPAA security rule allows flexibility in implementation based on reasonableness and appropriateness. This means that covered entities can - ignore addressable standards - implement only required standards - implement based on organizational assessment - mitigate standards with a clearinghouse
implement based on organizational assessment
The purpose of the implementation specifications of the HIPAA security rule is to provide - protection of patient information - instruction for implementation of standards - guidance for security training and education - sample policies and procedures
instruction for implementation of standards
The community benefit standard - requires hospitals to accommodate all languages spoken by patients in a community - is required for tax-exempt status - requires communities to provide a percentage of tax revenue to their hospitals - ensures that healthcare providers do not violate the Civil Rights Act of 1964
is required for tax-exempt status
Which of the following is true about a restriction request? - it can be terminated by the covered entity only - it can be terminated by the individual only - it can be terminated by either the covered entity or the individual - it cannot be terminated once agreed upon by the covered entity and the individual
it can be terminated by either the covered entity or the individual
Shirley Denton has written to request an amendment to her PHI from Bon Voyage Hospital, stating that incorrect information is present on the document in question. The document is an incident report from Bon Voyage Hospital, which was erroneously placed in Ms. Denton's health record. The covered entity declines to grant her request based on which privacy rule provision? - it was not created by the covered entity - it is not part of the designated record set - both a & b - none. the covered entity must grant her request
it is not part of the designated record set
The HIPAA security rule contains what provision about encryption? - it is required for all ePHI - it is required based on CMS guidance - it is required based on organizational policy - it is not required for small providers
it is required based on organizational policy
Mitigation is - paying a patient who has been harmed by a breach - lessening the harmful effects of wrongful use or disclosure of PHI - Responding to the OCR's investigation of HIPAA violation complaint - a gesture of goodwill to a patient to compensate for a HIPAA infraction
lessening the harmful effects of wrongful use or disclosure of PHI
Which of the following communicable diseases is typically not required to be reported? - lice - Ebola - syphilis - yellow fever
lice
The following reporting exceptions to the doctrine of preemption are allowable except for which of the following? - marketing - child abuse - disease - injury
marketing
Home health nurses at a covered entity want to use laptop computers to record patient notes. The director of nursing asks for guidance about whether or not this is a HIPAA violation. The most appropriate response from the security officer is that they - need to sign business associate contracts before they get laptops - need additional training as remote workers - need to wait and come back to the office and record the notes - cannot have laptops since it is a security risk
need additional training as remote workers
Common data reported to the medical examiner in cases of reportable deaths typically includes all but which data element? - age - ethnicity - marital status - number of children
number of children
The enforcement agency for the security rule is - Office of the Inspector General - Centers for Medicare and Medicaid Services - Office for Civil Rights - Office of Management and Budget
Office for Civil Rights
Which of the following is not an access control commonly utilized by covered entities for compliance with the HIPAA security rule? - user based access - passwords - tokens - palm scanners
palm scanners
EMTALA (Emergency Medical Treatment and Active Labor Act) was passed in response to the problem of --- - patient dumping - inflated healthcare costs - low quality medical care - poor patient-provider communication
patient dumping
Which of the following information is not included about a physician in the National Practitioner Data Bank? - malpractice lawsuits - disciplinary actions - personal bankruptcy - credentialing information from other facilities
personal bankruptcy
What protects confidential communications between a doctor and patient related to diagnosis and treatment from disclosure during civil and some criminal misdemeanor litigation? - communication rules of court - privilege statutes - duty of responsibility - contract
privilege statutes
Trauma registry data is used for all of the following except - performance improvement - public safety law - research - prosecution of drunk drivers
prosecution of drunk drivers
The HIPAA security rule contains all of the following safeguards except - technical - administrative - physical - reliability
reliability
Telephone callback procedures are used primarily for - remote employees - temporary employees - employees who have been placed on probation - contract employees
remote employees
Under HIPAA, the following disclosures must be included in a patient accounting of disclosures - reporting child abuse, venereal disease, occupational diseases - disclosures pursuant to patients signed authorization - disclosures pursuant to a subpoena accompanied by a patient authorization - all of the above
reporting child abuse, venereal disease, occupational diseases
Kelly is a nurse at Riverview Hospital. She believes there are numerous HIPAA privacy rule violations occurring, but they are not being corrected even though she has brought them to the privacy officer's attention. She contacts the Office for Civil Rights (OCR) to complain. Riverview Hospital learns that she has submitted a complaint to OCR. Which of the following applies? - Riverview may not retaliate against Kelly - Riverview may retaliate against Kelly, but not against patients who complain of violations - Riverview may retaliate neither against Kelly nor against patients who complain of violations - the HIPAA privacy rule does not address the issue of retaliation
Riverview may retaliate neither against Kelly nor against patients who complain of violations
Uniform access to patient information for all nursing staff best describes - data warehouse - group-based access - passwords - role based access
role based access
Under the privacy rule, the following must be included in a patient accounting of disclosures: - state mandated report of sexually transmitted disease - disclosure pursuant to a patient's signed authorization - disclosure pursuant to a subpoena - disclosure for payment purposes
state mandated report of sexually transmitted disease
Which of the following can the HIM department require of a patient who is requesting an amendment to her PHI? - submit the request in writing - attend a meeting to discuss the reasons the patient disagrees with the record as currently documented - payment of a nominal fee to address the cost of reviewing the request - there are no requirements the HIM department can require of a requester
submit the request in writing
Examples of reportable deaths include which of the following? - sudden, expected, violent, suspicious - sudden, unexpected, violent, suspicious - sudden, expected, non-violent, suspicious - sudden, unexpected, non-violent, suspicious
sudden, unexpected, violent, suspicious
The privacy rule permits charging patients for labor and supply costs associated with copying health records. Mercy Hospital is located in a state where state law allows charging patients a $100 search fee associated with locating records that have been requested. Which of the following is true? - state law will not be preempted in this situation - the privacy rule will preempt state law in this situation - the privacy rule never preempts existing state law - the privacy rule always preempts existing state law
the privacy rule will preempt state law in this situation
Some of the best steps that workers can take to comply with the HIPAA security rule include ensuring - the security of mobile devices - all employees receive appropriate training - that employees don't ever use email - that employees secure their workplace
the security of mobile devices
Which of the following is true regarding breaches and breach notification per HITECH? - it applies to both encrypted and unencrypted PHI - affected individuals must be notified within 30 days - if just one person's information is wrongfully disclosed, it is not a breach - it is only a breach if 500 or more individuals' information is affected - there are exceptions to the breach definition and notification is therefore not required
there are exceptions to the breach definition and notification is therefore not required
Which of the following must notify the Federal Trade Commission of a breach? - covered entity - business associate - third party service providers of PHR vendors - all of these entities must notify the Federal Trade Commission of a breach
third party service providers of PHR vendors
Per the privacy rule, which of the following requires authorization for research purposes? - use of Mary's information about her myocardial infarction, de-identified - use of Mary's information about her asthma in a limited data set - use of Mary's individually identifiable information related to her asthma treatments - use of medical information about Jim, Mary's deceased husband
use of Mary's individually identifiable information related to her asthma treatments
The most important protection against loss of data is - user compliance with policy and procedures - user adoption of biometric identifiers - user adoption of employee nondisclosure agreements - user compliance with architecture and topology
user compliance with policy and procedures
During the flu season, a nursing home reports cases of known flu in the nursing home population. The local health department calls and wants more information on the recent hospitalizations of these flu patients. How should the request be handled? - call the nursing home attorney for advice - inform the sheriff of suspicion of medical identity theft - verify the authenticity of the request and provide information - obtain an authorization from each of the patients and provide the information
verify the authenticity of the request and provide information
A physician practice was warned last year by auditors that its disposal of paper records (dumping them in bins without shredding or de-identifying them) violated HIPAA, but it did nothing to correct the problem. When the records were found in a city dumpster, an anonymous caller notified the Office for Civil Rights (OCR). An investigation by OCR confirmed that the practice had been warned about violations. What level of violation is OCR likely to assess in this situation? - unknowing - reasonable cause - willful neglect, corrected within 30 days of discovery - willful neglect, uncorrected
willful neglect, uncorrected