Health Information Privacy and Security p335
The administrator states that he should not have to participate in privacy and security training as he does not use PHI. How should you respond? A. "All employees are required to participate in the training, including top administration." B. "I will record that in my files." C. "Did you read the privacy rules?" D. "You are correct. There is no reason for you to participate in the training."
"All employees are required to participate in the training, including top administration."
Which of the following statements demonstrates a violation of protected health information? A. "Can you help me find Mary Smith's record?" B. A member of the physician's office staff calls centralized scheduling and says, "Dr. Smith wants to perform a bunionectomy on Mary Jones next Tuesday." C. "Mary, at work yesterday I saw that Susan had a hysterectomy." D. Dr. Jones tells a nurse on the floor to give Ms. Brown Demerol for her pain.
"Mary, at work yesterday I saw that Susan had a hysterectomy."
Which of the following set(s) is an appropriate use of the emergency access procedure? A. A patient is crashing. The attending physician is not in the hospital, so a physician who is available helps the patient. B. One of the nurses is at lunch. The nurse covering for her needs patient information. C. The coder who usually codes the emergency room charts is out sick and the charts are left on a desk in the ER admitting area. D. A and B.
A and B.
Which of the following is an example of a trigger that might be used to reduce auditing? A. A patient has not signed their notice of privacy practices. B. A patient and user have the same last name. C. A nurse is caring for a patient and reviews the patient's record. D. The patient is a Medicare patient.
A patient and user have the same last name.
Which of the following statements is true about a requested restriction? A. ARRA mandates that a CE must comply with a requested restriction. B. ARRA states that a CE does not have to agree to a requested restriction. C. ARRA mandates that a CE must comply with a requested restriction unless it meets one of the exceptions. D. ARRA does not address restrictions to PHI.
ARRA mandates that a CE must comply with a requested restriction unless it meets one of the exceptions
Mountain Hospital has discovered a security breach. Someone hacked into the system and viewed 50 medical records. According to ARRA, what is the responsibility of the covered entity? A. ARRA does not address this issue. B. All individuals must be notified within 30 days. C. All individuals must be notified within 60 days. D. ARRA requires oral notification.
All individuals must be notified within 60 days.
Which of the following statements are true? A. All patients must be given a notice of privacy practices. B. All patients except outpatients must be given a notice of privacy practices. C. All patients except inmates must be given a notice of privacy practices. D. All patients except home health patients must be given a notice of privacy practices.
All patients except inmates must be given a notice of privacy practices.
Today is August 30, 2014. When can the training records for the HIPAA privacy training being conducted today be destroyed? A. August 30, 2018 B. August 30, 2019 C. August 30, 2020 D. August 30, 2021
August 30, 2020
Miles has asked you to explain the rights he has via HIPAA privacy standards. Which of the following is one of his HIPAA-given rights? A. He can review his bill. B. He can ask to be contacted at an alternative site. C. He can discuss financial arrangements with business office staff. D. He can ask a patient advocate to sit in on all appointments at the facility.
He can ask to be contacted at an alternative site.
Which of the following statements is true about the Privacy Act of 1974? A. It applies to all organizations that maintain health care data in any form. B. It applies to all health care organizations. C. It applies to the federal government. D. It applies to federal government except for the Veterans Health Administration.
It applies to the federal government. (Privacy Act of 1974 - establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies)
A breach has been identified. How quickly must the patient be notified? A. As soon as the problem has been resolved B. No more than 90 days C. No more than 60 days D. No more than 30 days
No more than 60 days
A patient has submitted an authorization to release information to a physician office for continued care. The release of information clerk wants to limit the information provided because of the minimum necessary rule. What should the supervisor tell the clerk? A. Good call. B. The patient is an exception to the minimum necessary rule, so process the request as written. C. The minimum necessary rule was eliminated with ARRA. D. The minimum necessary rule only applies to attorneys.
The patient is an exception to the minimum necessary rule, so process the request as written.
If the patient has agreed to be in the directory, which of the following statements would be true? A. The patient has given up the right to privacy. B. The patient's condition can be described in detail with family members but not others. C. The patient's condition can be described in general terms like "good" and "fair." D. The number of visitors is limited to people on the approved visitor list.
The patient's condition can be described in general terms like "good" and "fair."
Critique this statement: A business associate has the right to use a health care facility's information beyond the scope of their agreement with the health care facility. A. This is a true statement because business associates can use the information for their main source of business as long as the patient's privacy is protected. B. This is a true statement as long as they have patient consent. C. This is a false statement because the HIPAA privacy rule states that to use it in their own business they must have the health care facility's approval. D. This is a false statement because it is prohibited by the HIPAA privacy rule.
This is a false statement because it is prohibited by the HIPAA privacy rule.
Your department was unable to provide a patient with a copy of his record within the 30-day limitation. What should you do? A. Call the patient and apologize. B. Call the patient and let him know that you will need a 30-day extension. C. Write the patient and tell him that you will need a 30-day extension. D. Both write and call the patient to tell him you need a 30-day extension.
Write the patient and tell him that you will need a 30-day extension.
The facility can release information to which of the following requesters without a patient authorization? A. the public health department B. the nurse caring for the patient C. a court with a court order D. a business associate
a court with a court order
Someone accessed the covered entity's electronic health record and sold the information that was accessed. This person is known as which of the following? A. malware B. a virus C. a hacker D. a cracker
a cracker
A data use agreement is required when A. a complaint has been filed. B. a limited data set is used. C. a notice of disclosure is requested. D. information is provided to a business associate.
a limited data set is used
Researchers can access patient information if it is A. protected health information. B. a limited data set. C. patient specific. D. related to identity theft.
a limited data set.
When patients are able to obtain a copy of their health record, this is an example of which of the following? A. a required standard B. an addressable requirement C. a patient right D. a preemption
a patient right
Which of the following can be released without consent or authorization? A. summary of patient care B. de-identified health information C. personal health information D. protected health information
de-identified health information
Our Web site was attacked by malware that overloaded it. What type of malware was this? A. phishing B. virus C. denial of service D. spyware
denial of service
Contingency planning includes which of the following processes? A. data quality B. systems analysis C. disaster planning D. hiring practices
disaster planning (Contingency - a future event or circumstance that is possible but cannot be predicted with certainty)
You are defining the designated record set for South Beach Healthcare Center. Which of the following would be included? A. quality reports B. psychotherapy notes C. discharge summary D. information compiled for use in civil hearing
discharge summary
A hacker recently accessed our database. We are trying to determine how the hacker got through the firewall and exactly what was accessed. The process used to gather this evidence is called A. forensics. B. mitigation. C. security event. D. incident.
forensics
An employee in the admission department took the patient's name, Social Security number, and other information and used it to get a charge card in the patient's name. This is an example of A. identity theft. B. mitigation. C. disclosure. D. release of information.
identity theft
A covered entity A. is exempt from the HIPAA privacy and security rules. B. includes all health care providers. C. includes health care providers who perform specified actions electronically. D. must utilize business associates.
includes health care providers who perform specified actions electronically.
A mechanism to ensure that PHI has not been altered or destroyed inappropriately has been established. This process is called A. entity authentication. B. audit controls. C. access control. D. integrity.
integrity
Which of the following is an example of administrative safeguards under the security rule? A. encryption B. monitoring the computer access activity of the user C. assigning unique identifiers D. monitoring traffic on the network
monitoring the computer access activity of the user
The purpose of the notice of privacy practices is to A. notify the patient of uses of PHI. B. notify the patient of audits. C. report incidents to the OIG. D. notify researchers of allowable data use.
notify the patient of uses of PHI.
The HIM director received an e-mail from the technology support services department about her e-mail being full and asking for her password. The director contacted tech support and it was confirmed that their department did not send this e-mail. This is an example of what type of malware? A. phishing B. spyware C. denial of service D. virus
phishing
In conducting an environmental risk assessment, which of the following would be considered in the assessment? A. placement of water pipes in the facility B. verifying that virus checking software is in place C. use of single sign-on technology D. authentication
placement of water pipes in the facility
A patient authorizes Park Hospital to send a copy of a discharge summary for the latest hospitalization to Flowers Hospital. The hospital uses the discharge summary in the patient's care and files it in the medical record. When Flowers Hospital receives a request for records, a copy of Park Hospital's discharge summary is sent. This is an example of A. a privacy violation B. redisclosure C. satisfactory assurance D. inappropriate release
redisclosure
To prevent our network from going down, we have duplicated much of our hardware and cables. This duplication is called A. emergency mode plan B. redundancy C. contingency plan D. business continuity planning
redundancy
The HIM Director, has received a request to amend a patient's medical record. The appropriate action for him to take is A. make the modification because you have received the request. B. file the request in the chart to document the disagreement with the information contained in the medical record. C. route the request to the physician who wrote the note in question to determine appropriateness of the amendment. D. return the notice to the patient because amendments are not allowed.
route the request to the physician who wrote the note in question to determine appropriateness of the amendment.
Which of the following is an example of an administrative safeguard? A. access control B. physical security of hardware C. firewall D. training
training
If an authorization is missing a Social Security number, can it be valid? A. yes B. no C. only if the patient is a minor D. only if the patient is an adult
yes
The police came to the HIM Department today and asked that a patient's right to an accounting of disclosure be suspended for two months. What is the proper response to this request? A. "I'm sorry officer, but privacy regulations do not allow us to do this." B. "I'm sorry officer but we can only do this for one month." C. "Certainly officer. We will take care of that right now." D. "Certainly officer. We will be glad to do that as soon as we have the request in writing."
"Certainly officer. We will be glad to do that as soon as we have the request in writing."
The hospital has received a request for an amendment. How long does the facility have in order to accept or deny the request? A. 30 days B. 60 days C. 14 days D. 10 days
60 days (The request must be acted on within 60 days after receipt; however, the response may be extended once by 30 days, with a written statement with reason and response date.)
The facility had a security breach. The breach was identified on October 10, 2013. The investigation was completed on October 15, 2013. What is the deadline that the notification must be completed? A. 60 days from October 10 B. 60 days from October 15 C. 30 days from October 10 D. 30 days from October 15
60 days from October 10
Richard has asked to view his medical record. How long does the facility have to provide this record to him? A. 30 days B. 60 days C. 14 days D. 10 days
30 days
Which of the following examples is an exception to the definition of a breach? A. A coder accidentally sends PHI to a billing clerk in the same facility. B. The wrong patient information was sent to the patient's attorney. C. Information was erroneously sent to another healthcare facility. D. Information was loaded on the Internet inappropriately.
A coder accidentally sends PHI to a billing clerk in the same facility.
Which of the following is an example of a security incident? A. Temporary employees were not given individual passwords. B. An employee took home a laptop with unsecured PHI. C. A handheld device was left unattended on the crash cart in the hall for 10 minutes. D. A hacker accessed PHI from off site.
A hacker accessed PHI from off site.
HIPAA states that release to a coroner is allowed. State law says that the coroner must provide a subpoena. Which of the following is a correct statement? A. Follow the HIPAA requirement since it is a federal law. B. Follow the state law since it is stricter. C. You can follow either the state law or the HIPAA rule. D. You must request a ruling from a judge.
Follow the state law since it is stricter
Patricia is processing a request for medical records. The record contains an operative note and a discharge summary from another hospital. The records are going to another physician for patient care. What should Patricia do? A. Notify the requestor that redisclosure is illegal and so he must get the operative and discharge summary records from the original source hospital. B. Include the documents from the other hospital. C. Redisclose when necessary for patient care. D. Redisclose when allowed by law.
Include the documents from the other hospital.
Mabel is a volunteer at a hospital. She works at the information desk. A visitor comes to the desk and says that he wants to know what room John Brown is in. What should Mabel do? A. Look the patient up and give the room number to the visitor. B. Look the patient up to see if John has agreed to be in the directory. If he has, then give the room number to the visitor. C. Look the patient up to see if the patient signed a notice of privacy practice. If so, then give the visitor the room number. D. Look the patient up in the system to determine if the patient has agreed to TPO usage, and then give the room number to the visitor if he had.
Look the patient up to see if John has agreed to be in the directory. If he has, then give the room number to the visitor
Mary processed a request for information and mailed it out last week. Today, the requestor, an attorney, called and said that all of the requested information was not provided. Mary pulls the documentation, including the authorization and what was sent. She believes that she sent everything that was required based on what was requested. She confirms this with her supervisor. The requestor still believes that some extra documentation is required. Given the above information, which of the following statements is true? A. Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule. B. Mary is required to release the extra documentation because the requestor knows what is needed. C. Mary is required to release the extra documentation because, in the customer service program for the facility, the customer is always right. D. Mary is not required to release the additional information because her administrator agrees with her.
Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule.
Which of the following is allowed by HIPAA? A. Releasing patient information to the patient's attorney without an authorization B. Letting a business associate use PHI in whatever manner they see fit C. Permitting a spouse to pick up medication for the patient D. Mandating that a health care facility can amend the health record of a patient at the patient's request
Permitting a spouse to pick up medication for the patient
Which of the following is a true statement about private key encryption? A. Public encryption uses a private and public key. B. The digital certificate shows that the keys are encrypted. C. Public key encryption requires both computers to have the same key. D. The sending computer uses the public key.
Public encryption uses a private and public key
Intrusion detection systems analyze A. authentications. B. network traffic. C. audit trails. D. firewalls.
network traffic
You work for an organization that publishes a health information management journal and provides clearinghouse services. What must you do? A. Have the same security plan for the entire organization. B. Separate the e-PHI from the noncovered entity portion of the organization. C. Train the journal staff on HIPAA security awareness. D. Follow the same rules in all parts of the organization.
Separate the e-PHI from the noncovered entity portion of the organization.
John is allowed to delete patients in the EHR. Florence is not. They both have the same role in the organization. What is different? A. Their authentication B. Their permissions C. Their authorization D. Their understanding of the system
Their permissions
A home health care agency employee has contacted the Center for Medicare and Medicaid Services to report health care fraud. Patient information is provided in the report. Which of the following is true? A. This is a violation of the patient rights and then employee should be charged with a HIPAA violation. B. The disclosure is not a violation of HIPAA even if the employee made up the charges. C. The disclosure is not a violation of HIPAA if the information was provided in good faith. D. CMS can never access patient information.
The disclosure is not a violation of HIPAA if the information was provided in good faith
Which statement is true about when a family member can be provided with PHI? A. The patient's mother can always receive PHI on their child. B. The family member lives out of town and cannot come to the facility to check on the patient. C. The family member is a health care professional. D. The family member is directly involved in the patient's care.
The family member is directly involved in the patient's care.
Which of the following situations violate a patient's privacy? A. The hospital sends patients who are scheduled for deliveries information on free childbirth classes. B. The physician on the quality improvement committee reviews medical records for potential quality problems. C. The hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples. D. The hospital uses aggregate data to determine whether or not to add a new operating room suite.
The hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples.
The patient calls and has a telephone consultation. Which of the following is true about notice of privacy practices? A. The patient must come in within 72 hours to sign the document. B. Telephone encounters are not allowed since the patient cannot be handed a notice of privacy practices. C. Telephone encounters are exempt from the requirement for providing the patient a notice of privacy practices. D. The notice of privacy practices can be mailed to the patient.
The notice of privacy practices can be mailed to the patient (The Notice of Privacy must be written in plain English so that it can be understood.)
The physician office you go to has a data integrity issue. What does this mean? A. There has been unauthorized alteration of patient information. B. Someone in the practice has released information inappropriately. C. A break-in attempt has been identified. D. The user's access has not been defined.
There has been unauthorized alteration of patient information
You have been given some information that includes the patient's account number. Which statement is true? A. This is de-identified information because the patient's name and social security are not included in the data. B. This is not de-identified information, because it is possible to identify the patient. C. These data are individually identified data. D. These data are a limited data set.
This is not de-identified information, because it is possible to identify the patient.
Barbara, a nurse, has been flagged for review because she logged in to the EHR in the evening when she usually works the day shift. Why should this conduct be reviewed? A. This is a privacy violation. B. This needs to be investigated before a decision is made because there may be a legitimate reason why she logged in at this time. C. This is not a violation since Barbara, as a nurse, has full access to data in the EHR. D. No action is required.
This needs to be investigated before a decision is made because there may be a legitimate reason why she logged in at this time
A patient signed an authorization to release information to a physician but decided not to go see that physician. Can he stop the release? A. No, once the release is signed, it cannot be reversed B. Yes - in all circumstances C. Yes, as long has it has not been released already D. Yes, as long as the physician agrees
Yes, as long has it has not been released already
You have been asked to create a presentation on intentional and unintentional threats. Which of the following should be included in the list of threats you cite? A. hard drive failures B. data deleted by accident C. data loss due to electrical failures D. a patient's Social Security number being used for credit card applications
a patient's Social Security number being used for credit card applications
The supervisors have decided to give nursing staff access to the EHR. They can add notes, view, and print. This is an example of what? A. the termination process B. an information system activity review C. spoliation D. a workforce clearance procedure
a workforce clearance procedure
The company's policy states that audit logs, access reports, and security incident reports should be reviewed daily. This review is known as A. a data criticality analysis. B. a workforce clearinghouse. C. an information system activity review. D. a risk analysis.
an information system activity review.
Before a user is allowed to access protected health information, the system confirms that the patient is who he or she says they are. This is known as A. access control. B. notification. C. authorization. D. authentication.
authentication
You have been asked to provide examples of technical security measures. Which of the following would you include in your list of examples? A. locked doors B. automatic logout C. minimum necessary D. training
automatic logout
Which security measure utilizes fingerprints or retina scans? A. audit trail B. biometrics C. authentication D. encryption
biometrics
In case your system crashes, your facility has defined the policies and procedures necessary to keep your business going. This is known as: A. core operations B. business continuity plan C. data recovery D. data backup
business continuity plan
The computer system containing the electronic health record was located in a room that was flooded. As a result, the system is inoperable. Which of the following would be implemented? A. SWOT analysis B. information systems strategic planning C. request for proposal D. business continuity processes
business continuity processes
The HIPAA security rule impacts which of the following protected health information? A. x-ray films stored in radiology B. paper medical records C. faxed records D. clinical data repository
clinical data repository (The security rule only applies to e-PHI)
You are a nurse who works on 3West during the day shift. One day, you had to work the night shift because they were shorthanded. However, you were unable to access the EHR. What type of access control(s) are being used? A. user-based B. context-based C. role-based D. either user- or role-based
context-based
Alisa has trouble remembering her password. She is trying to come up with a solution that will help her remember. Which one of the following would be the BEST practice? A. using the word "password" for her password B. using her daughter's name for her password C. writing the complex password on the last page of her calendar D. creating a password that utilizes a combination of letters and numbers
creating a password that utilizes a combination of letters and numbers
Your organization is sending confidential patient information across the Internet using technology that will transform the original data into unintelligible code that can be re-created by authorized users. This technique is called A. a firewall. B. validity processing. C. a call-back process. D. data encryption.
data encryption
Intentional threats to security could include A. a natural disaster (flood). B. equipment failure (software failure). C. human error (data entry error). D. data theft (unauthorized downloading of files).
data theft (unauthorized downloading of files)
You have been given the responsibility of destroying the PHI contained in the system's old server before it is trashed. What destruction method do you recommend? A. crushing B. overwriting data C. degaussing D. incineration
degaussing
As Chief Privacy Officer for Premier Medical Center, you are responsible for which of the following? A. backing up data B. developing a plan for reporting privacy complaints C. writing policies on protecting hardware D. writing policies on encryption standards
developing a plan for reporting privacy complaints
What type of digital signature uses encryption? A. digitized signature B. electronic signature C. digital signature D. encryption is not a part of digital signatures
digital signature
The surgeon comes out to speak to a patient's family. He tells them that the patient came through the surgery fine. The mass was benign and they could see the patient in an hour. He talks low so that the other people in the waiting room will not hear but someone walked by and heard. This is called a(n) A. privacy breach. B. violation of policy. C. incidental disclosure. D. privacy incident.
incidental disclosure
Protected health information includes A. only electronic individually identifiable health information. B. only paper individually identifiable health information. C. individually identifiable health information in any format stored by a health care provider. D. individually identifiable health information in any format stored by a health care provider or business associate
individually identifiable health information in any format stored by a health care provider or business associate
I have been asked if I want to be in the directory. The admission clerk explains that if I am in the directory (catalog), A. my friends and family can find out my room number. B. my condition can be discussed with any caller in detail. C. my condition can be released to the news media. D. my condition can be released to hospital staff only.
my friends and family can find out my room number.
The patient has the right to control access to his or her health information. This is known as A. security. B. confidentiality. C. privacy. D. disclosure.
privacy
Which of the following would be a business associate? A. release of information company B. bulk food service provider C. childbirth class instructor D. security guards
release of information company
Ms. Thomas was a patient at your facility. She has been told that there are some records that she cannot have access to. These records are most likely A. psychotherapy notes. B. alcohol and drug records. C. AIDS records. D. mental health assessment.
psychotherapy notes
Which of the following disclosures would require patient authorization? A. law enforcement activities B. workers' compensation C. release to patient's family D. public health activities
release to patient's family
Which of the following situations would require authorization before disclosing PHI? A. releasing information to the Bureau of Disability Determination B. health oversight activity C. workers' compensation D. public health activities
releasing information to the Bureau of Disability Determination
You are looking for potential problems and violations of the privacy rule. What is this security management process called? A. risk management B. risk assessment C. risk aversion D. business continuity planning
risk assessment
You are reviewing your privacy and security policies, procedures, training program, and so on, and comparing them to the HIPAA and ARRA regulations. You are conducting a A. policy assessment. B. risk assessment. C. compliance audit. D. risk management.
risk assessment
You work for a 60-bed hospital in a rural community. You are conducting research on what you need to do to comply with HIPAA. You are afraid that you will have to implement all of the steps that your friend at a 900-bed teaching hospital is implementing at his facility. You continue reading and learn that you only have to implement what is prudent and reasonable for your facility. This is called A. scalable. B. risk assessment. C. technology neutral. D. access control.
scalable
Which of the following documents is subject to the HIPAA security rule? A. document faxed to the facility B. copy of discharge summary C. paper medical record D. scanned operative report stored on CD
scanned operative report stored on CD
You have to decide which type of firewall you want to use in your facility. Which of the following is one of your options? A. packet filter B. secure socket layer C. CCOW D. denial of service
secure socket layer
Which of the following is prohibited by ARRA? A. the right to request restrictions to the disclosure of health information B. the patient right to request an amendment to the health record C. the use of protected health information by business associates pursuant to a written agreement. D. selling aggregated patient data without patient consent
selling aggregated patient data without patient consent
The information systems department was performing their routine destruction of data that they do every year. Unfortunately, they accidentally deleted a record that is involved in a medical malpractice case. This unintentional destruction of evidence is called A. mitigation. B. spoliation. C. forensics. D. a security event.
spoliation
Bob submitted his resignation from Coastal Hospital. His last day is today. He should no longer have access to the EHR and other systems as of 5:00 PM today. The removal of his privileges is known as A. terminating access. B. isolating access. C. password management. D. sanction policy.
terminating access
Which of the following should the record destruction program include? A. the method of destruction B. the name of the supervisor of the person destroying the records C. citing the laws followed D. requirement of daily destruction
the method of destruction
Robert Burchfield was recently caught accessing his wife's medical record. The system automatically notified the staff of a potential breach due to the same last name for the user and the patient. This was an example of a A. trigger. B. biometrics. C. telephone callback procedures. D. transmission security.
trigger
As Chief Privacy Officer, you have been asked why you are conducting a risk assessment. Which reason would you give? A. to get rid of problem staff B. to change organizational culture C. to prevent breach of confidentiality D. to learn about the organization
to prevent breach of confidentiality
You have been asked what should be done with the notice of privacy practice acknowledgment when the patient had been discharged before it was signed. Your response is to A. shred it. B. try to get it signed, and if not, to document the action taken. C. keep trying to get the document signed until you succeed, even if you must go to the patient's home. D. File the blank form in the chart.
try to get it signed, and if not, to document the action taken
Before an employee can be given access to the EHR, someone has to determine what they have access to. What is this known as? A. workforce clearance procedure B. authentication C. health care clearinghouse D. authorization
workforce clearance procedure
You have been assigned the responsibility of performing an audit to confirm that all of the workforce's access is appropriate for their role in the organization. This process is called A. risk assessment. B. information system activity review. C. workforce clearance procedure. D. information access management.
workforce clearance procedure.