Practice Exam Domain 2
Who owns the health record? a. Patient b. Provider who generated the information c. Insurance company who paid for the care recorded in the record d. No one
b. Provider who generated the information Ownership of the health record has traditionally been granted to the provider who generates the record.
Which of the following administrative safeguards includes policies and procedures for responding to emergencies or failures in systems that contain e-PHI? a. A contingency plan b. Security training c. Workforce security d. Information access management
a. A contingency plan A contingency plan is a standard that requires the establishment and implementation of policies and procedures for responding to emergencies or failures in systems that contain e-PHI. It includes a data backup plan, disaster recovery plan, emergency mode of operation plan, testing and revision procedures, and applications and data criticality analysis to prioritize data and determine what must be maintained or restored first in an emergency.
A special web page that offers secure access to data is a(n): a. Internet b. Home page c. Intranet d. Portal
d. Portal A portal is a special application to provide secure remote access to specific applications.
Within the context of electronic health records, protecting data privacy means defending or safeguarding: a. Access to information b. Data availability c. Health record quality d. System implementation
a. Access to information Within the context of data security, protecting data privacy means safeguarding access to information. Only those individuals who need to know information should be authorized to access it.
Which of the following is not an identifier under the Privacy Rule? a. Age 75 b. Vehicle license plate BZ LITYR c. Street address 265 Cherry Valley Road d. Visa account 2773 985 0468
a. Age 75 One of the most fundamental terms in the Privacy Rule is protected health information (PHI), defined by the rule as "individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium" (45 CFR 160.103). To meet the individually identifiable element of PHI, information must meet all three portions of a three-part test. It must either identify the person or provide a reasonable basis to believe the person could be identified from the information given. It must relate to one's past, present, or future physical or mental health condition; the provision of healthcare; or payment for the provision of healthcare. It must be held or transmitted by a covered entity or its business associate.
A secretary in the Nursing Office was recently hospitalized with ketoacidosis. She comes to the HIM department and requests to review her health record. Of the options here, what is the best course of action? a. Allow her to review her record after obtaining authorization from her. b. Refer the patient to her physician for the information. c. Tell her to go through her supervisor for the information. d. Tell her that hospital employees cannot access their own medical records.
a. Allow her to review her record after obtaining authorization from her. Review of records by the patient is permitted after the authorization for use and disclosure is verified. Usually hospital personnel should be present during on-site reviews to assist the requester with the paper record or with the EHR if necessary. Assistance would not be needed if the people requesting on-site review work for the facility.
Under the HIPAA Privacy rule, which of the following statements is true? a. An authorization must contain an expiration date or event. b. A consent for use and disclosure of information must be obtained from every patient. c. An authorization must be obtained for uses and disclosures for treatment, payment, and operations. d. A notice of privacy practices must give 10 examples of a use or disclosure for healthcare operations.
a. An authorization must contain an expiration date or event. In order for an authorization to be valid, it must contain an expiration date or event that relates to the individual or the purpose of the use or disclosure.
Which of the following is an example of a business associate? a. Contract coder b. Environmental services department c. Hospital security officer d. Employee with access to e-PHI
a. Contract coder Although business associates are not directly regulated by the Privacy Rule, they do come under the Privacy Rule's requirements by virtue of their association with one or more covered entities. Some examples of business associates are contract coders, billing companies, consultants, accounting firms, and the like.
The legal health record (LHR) is a(n): a. Defined subset of all patient-specific data created or accumulated by a healthcare provider that may be released to third parties in response to a legally permissible request for patient information b. Entire set of information created or accumulated by a healthcare provider that may be released to third parties in response to a legally permissible request for patient information c. Set of patient-specific data created or accumulated by a healthcare provider that is defined to be legal by the local, state, or federal authorities d. Set of patient-specific data that is defined to be legal by state or federal statute and that is legally permissible to provide in response to requests for patient information
a. Defined subset of all patient-specific data created or accumulated by a healthcare provider that may be released to third parties in response to a legally permissible request for patient information The legal health record is a defined subset of all patient-specific data. The legal health record is the record that will be disclosed upon request by third parties. It includes documentation about health services provided and stored on any media.
The HIPAA Security Awareness and Training administrative safeguard requires all of the following addressable implementation programs for an entity's workforce except: a. Disaster recovery plan b. Log-in monitoring c. Password management d. Security reminders
a. Disaster recovery plan Another administrative safeguard specification requires that a covered entity implement a security awareness and training program for all members of its workforce. Special protections must be taken to ensure information is not inappropriately released or accessed. These protections include log-in monitoring, password management, and security reminders.
Which of the following statements represents an example of nonmaleficence? a. HITs must ensure that patient-identifiable information is not released to unauthorized parties. b. HITs must apply rules fairly and consistently to every case. c. HITs must ensure that patient-identifiable information is released to the parties who need it to provide services to their patients. d. HITs must ensure that patients themselves, and not other parties, are authorizing access to the patients' individual health information.
a. HITs must ensure that patient-identifiable information is not released to unauthorized parties. Nonmaleficence would require the HIM professional to ensure that the information is not released to someone who does not have authorization to access it and who might harm the patient if access were permitted (for example, a newspaper seeking information about a famous person).
An electronic health record risk analysis is useful to: a. Identify security threats b. Identify which employees should have access to data c. Establish password controls d. Establish audit controls
a. Identify security threats Risk management begins by conducting a risk analysis. Identifying security threats or risks, determining how likely it is that any given threat may occur, and estimating the impact of an untoward event are all parts of a risk assessment.
Which of the following statements about the directory of patients maintained by a covered entity is true? a. Individuals must be given an opportunity to restrict or deny permission to place information about them in the directory. b. Individuals must provide a written authorization before information about them can be placed in the directory. c. The directory may contain only identifying information such as the patient's name and birth date. d. The directory may contain private information as long as it is kept confidential.
a. Individuals must be given an opportunity to restrict or deny permission to place information about them in the directory. A patient has the opportunity to agree or disagree with being placed in a patient directory. They must be given the opportunity to determine if they want to be placed in the directory or not, but it does not need to be in writing.
Mary's PHI was breached by her physician office when it was disclosed in error to another patient. Which of the following breach notification statements is correct regarding the physician office's required action? a. It must report the breach to HHS within 60 days after the end of the calendar year in which the breach occurred b. It must report the breach to HHS within 60 days of the breach c. It must notify all local media outlets and HHS immediately d. It is not required to take any action since the breach affected only one person
a. It must report the breach to HHS within 60 days after the end of the calendar year in which the breach occurred Since this breach applies to one patient, it must be reported to HHS within 60 days after the end of the calendar year.
If a patient wants to amend his or her health record, the covered entity may require the individual to: a. Make an amendment request in writing and provide a rationale for the amendment. b. Ask the attending physician for his or her permission to amend their record. c. Require the patient to wait 30 days before their request will be considered and processed. d. Provide a court order requesting the amendment.
a. Make an amendment request in writing and provide a rationale for the amendment. The covered entity may require the individual to make an amendment request in writing and provide a rationale for their amendment request. Such a process must be communicated in advance to the individual.
An audit log is an example of: a. Metadata b. Encryption c. Admissibility d. Data integrity
a. Metadata Metadata are data about data and include information that tracks actions such as when and by whom a document was accessed or changed, as in an audit log.
The HIPAA Privacy Rule requires that covered entities must limit use, access, and disclosure of PHI to only the amount needed to accomplish the intended purpose. What concept is this an example of? a. Minimum necessary b. Notice of privacy practices c. Authorization d. Consent
a. Minimum necessary The Privacy Rule introduced the standard of minimum necessary to limit the amount of PHI used, disclosed, and requested. This means that healthcare providers and other covered entities must limit uses, disclosures, and requests to only the amount needed to accomplish the intended purpose. For example, for payment purposes, only the minimum amount of information necessary to substantiate a claim for payment should be disclosed.
As the corporate director of HIM services and enterprise privacy officer, you are asked to review a patient's health record in preparation for a legal proceeding for a malpractice case. The lawsuit was brought by the patient 72 days after the procedure. Health information contains a summary of two procedures that were dictated 95 days after the procedure. The physician in question has a longstanding history of being lackadaisical with record completion practices. Previous concerns regarding this physician's record maintenance practices had been reported to the facility's Credentialing Committee. Is this information admissible in court? a. This information could be rejected because the physician dictated the procedure note after the malpractice suit was filed. b. This information will be admissible in court because it is part of the patient's health record. c. This information could be rejected because it is not relevant to the malpractice case. d. This information will be rejected because the patient did not authorize its release.
a. This information could be rejected because the physician dictated the procedure note after the malpractice suit was filed. The health record may be valuable evidence in a legal proceeding. To be admissible, the court must be confident that the record is: complete, accurate, and timely (recorded at the time the event occurred); was documented in the normal course of business; and was made by healthcare providers who have knowledge of the "acts, events, conditions, opinions, or diagnoses appearing in it".
An audit trail may be used to detect which of the following? a. Unauthorized access to a system b. Loss of data c. Presence of a virus d. Successful completion of a backup
a. Unauthorized access to a system An audit trail is a software program that tracks every single access or attempted access of data in the computer system. It logs the name of the individual who accessed the data, terminal location or IP address, the date and time accessed, the type of data, and the action taken (for example, modifying, reading, or deleting data).
Which of the following statements is true in regard to responding to requests from individuals for access to their protected health information (PHI)? a. A cost-based fee may be charged for retrieval of the PHI. b. A cost-based fee may be charged for making a copy of the PHI. c. No fees of any type may be charged. d. A minimal fee may be charged for retrieval and copying of PHI.
b. A cost-based fee may be charged for making a copy of the PHI. HIPAA allows the covered entity to impose a reasonable cost-based fee when the individual requests a copy of PHI or agrees to accept summary or explanatory information. The fee may include the cost of copying, including supplies, labor, and postage. HIPAA does not permit "retrieval fees" to be charged to patients.
Which of the following are policies and procedures required by HIPAA that address the management of computer resources and security? a. Access controls b. Administrative safeguards c. Audit safeguards d. Role-based controls
b. Administrative safeguards Administrative safeguards include policies and procedures that address the management of computer resources. For example, one such policy might direct users to log off the computer system when they are not using it or employ automatic logoffs after a period of inactivity.
Jennifer's widowed mother is elderly and often confused. She has asked Jennifer to accompany her to the physician office visits because she often forgets to tell the physician vital information. Under the Privacy Rule, the release of her mother's PHI to Jennifer is: a. Never allowed b. Allowed when the information is directly relevant to Jennifer's involvement in her mother's care or treatment c. Allowed only if Jennifer's mother is declared incompetent by a court of law d. Any family member is always allowed access to PHI
b. Allowed when the information is directly relevant to Jennifer's involvement in her mother's care or treatment The Privacy Rule lists two circumstances where protected health information (PHI) can be used or disclosed without the individual's authorization (although the individual must be informed in advance and given an opportunity to agree or object). One of these circumstances is disclosing PHI to a family member or a close friend that is directly relevant to his or her involvement with the patient's care or payment. Likewise, a covered entity may disclose PHI, including the patient's location, general condition, or death, to notify or assist in the notification of a family member, personal representative, or some other person responsible for the patient's care.
Which of the following laws created the HITECH act? a. Health Insurance Portability and Accountability Act b. American Recovery and Reinvestment Act c. Consolidated Omnibus Budget Reconciliation Act d. Healthcare Quality Improvement Act
b. American Recovery and Reinvestment Act The American Recovery and Reinvestment Act of 2009 (ARRA) is considered one of the major health information technology laws that provided stimulus funds to the US economy in the midst of a major economic downturn. A substantial portion of the bill, Title XIII of the Act entitled the Health Information Technology for Economic and Clinical Health (HITECH) Act, was part of ARRA.
Which of the following is a software program that tracks every access to data in the computer system? a. Access control b. Audit trail c. Edit check d. Risk assessment
b. Audit trail The audit trail is a software program that tracks every single access to data in the computer system. It logs the name of the individual who accessed the data, the date and time, and the action taken (for example, modifying, reading, or deleting data). Review of audit trails can help detect whether a breach of security has occurred.
What is the legal term used to define the protection of health information in a patient-provider relationship? a. Access b. Confidentiality c. Privacy d. Security
b. Confidentiality Confidentiality, as recognized by law and professional codes of ethics, stems from a relationship such as physician and patient, and pertains to the information resulting from that relationship. Privileged communication is a legal concept designed to protect the confidentiality between two parties.
Which of the following is an organization's planned response to protect its information in the case of a natural disaster? a. Administrative controls b. Contingency plan c. Audit trail d. Physical controls
b. Contingency plan Disaster planning occurs through a contingency plan—a set of procedures, documented by the organization to be followed when responding to emergencies. It encompasses what an organization and its personnel need to do both during and after events that limit or prevent access to facilities and patient information.
The protection measures and tools for safeguarding information and information systems is a definition of: a. Confidentiality b. Data security c. Informational privacy d. Informational access control
b. Data security Data security can be defined as the protection measures and tools for safeguarding information and information systems.
Burning, shredding, pulping, and pulverizing are all acceptable methods in which process? a. Deidentification of electronic documents b. Destruction of paper-based health records c. Deidentification of records stored on microfilm d. Destruction of computer-based health records
b. Destruction of paper-based health records Because of cost and space limitations, permanently storing paper and microfilm-based health record documents is not an option for most hospitals. Acceptable destruction methods for paper documents include burning, shredding, pulping, and pulverizing.
Which of the following provide the objective and scope for the HIPAA Security Rule as a whole? a. Administrative provisions b. General rules c. Physical safeguards d. Technical safeguards
b. General rules The General Rules provide the objective and scope for the HIPAA Security Rule as a whole. They specify that covered entities must develop a security program that includes a range of security safeguards that protect individually identifiable health information maintained or transmitted in electronic form.
What does the term access control mean? a. Identifying the greatest security risks b. Identifying which data employees should have a right to use c. Implementing safeguards that protect physical media d. Restricting access to computer rooms and facilities
b. Identifying which data employees should have a right to use The term access control means being able to identify which employees should have access to what data. The general practice is that employees should have access only to data they need to do their jobs. For example, an admitting clerk and a healthcare provider would not have access to the same kinds of data.
Which of the following statements is NOT true about a business associate agreement? a. It prohibits the business associate from using or disclosing PHI for any purpose other than that described in the contract with the covered entity. b. It allows the business associate to maintain PHI indefinitely. c. It prohibits the business associate from using or disclosing PHI in any way that would violate the HIPAA Privacy Rule. d. It requires the business associate to make available all of its books and records relating to PHI use and disclosure to the Department of Health and Human Services or its agents.
b. It allows the business associate to maintain PHI indefinitely. Agreements between the covered entity and a business associate include: requiring the business associate to make available all of its books and records relating to protected health information (PHI) use and disclosure to the Department of Health and Human Services or its agent; prohibiting the business associate from using or disclosing PHI in any way that would violate the HIPAA Privacy Rule; and prohibiting the business associate from using or disclosing PHI for any purpose other than that described in the contract with the covered entity, among other provisions. Such an agreement does not allow the business associate to maintain PHI indefinitely.
When served with a court order directing the release of health records, an individual: a. May ignore it b. Must comply with it c. Must request patient authorization before disclosing the records d. May determine whether or not to comply with it
b. Must comply with it A court order is a document issued by a judge that compels a certain action, such as testimony or the production of documents such as health records. If a document requesting the production of health records is determined to be a court order, it must be complied with regardless of the presence or absence of patient authorization.
Mrs. Bolton is an angry patient who resents her physicians "bossing her around." She refuses to take a portion of the medications the nurses bring to her pursuant to physician orders and is verbally abusive to the patient care assistants. Of the following options, the most appropriate way to document Mrs. Bolton's behavior in the patient medical record is: a. Mean b. Noncompliant and hostile toward staff c. Belligerent and out of line d. A pain in the neck
b. Noncompliant and hostile toward staff When entries are made in the health record regarding a patient who is particularly hostile or irritable, general documentation principles apply, such as charting objective facts and avoiding the use of personal opinions, particularly those that are critical of the patient. The degree to which these general principles apply is heightened because a disagreeable patient may cause a provider to use more expressive and inappropriate language. Further, a hostile patient may be more likely to file legal action in the future if the hostility is a personal attribute and not simply a manifestation of his or her medical condition.
Jeremy Lykins was required to undergo a physical exam prior to becoming employed by San Fernando Hospital. Jeremy's medical information is: a. Protected by the Privacy Rule because it is individually identifiable b. Not protected by the Privacy Rule because it is part of a personnel record c. Protected by the Privacy Rule because it contains his physical exam results d. Protected by the Privacy Rule because it is in the custody of a covered entity
b. Not protected by the Privacy Rule because it is part of a personnel record Although a person or organization may, by definition, be subject to the Privacy Rule by virtue of the type of organization it is, not all information that it holds or comes into contact with is protected by the Privacy Rule. For example, the Privacy Rule has specifically excluded from its scope employment records held by the covered entity in its role as employer (45 CFR 160.103). Under this exclusion, employee physical examination reports contained within personnel files are specifically exempted from this rule.
To comply with HIPAA regulations, a hospital would make its membership in an HIE known to its patients through which of the following? a. Press release b. Notice of Privacy Practices c. Consent form d. Website notice
b. Notice of Privacy Practices The Privacy Rule introduced the standard that individuals should be informed how covered entities use or disclose protected health information (PHI). Section 164.520 requires that, except for certain variations or exceptions for health plans and correctional facilities, an individual has the right to a notice explaining how his or her PHI will be used and disclosed. This is the notice of privacy practices.
To ensure relevancy, an organization's security policies and procedures should be reviewed at least: a. Once every six months b. Once a year c. Every two years d. Every five years
b. Once a year All data security policies and procedures should be reviewed and evaluated annually to make sure they are up-to-date and still relevant to the organization.
Which of the following are security safeguards that protect equipment, media, and facilities? a. Administrative controls b. Physical safeguards c. Audit controls d. Role based safeguards
b. Physical safeguards Physical safeguards protect physical equipment, media, or facilities. For example, doors leading to the areas that house mainframes and other principal computing equipment should have locks on them.
Which of the following has access to personally identifiable data without authorization or subpoena? a. Insurance company for life insurance eligibility b. Public health department for disease reporting purposes c. The patient's attorney d. Workers' compensation for disability claim settlement
b. Public health department for disease reporting purposes Covered entities may disclose PHI to public health authorities, even when the law does not specifically require the disclosure, if the disclosure is for the purpose of preventing or controlling disease, injury, or disability. This includes, but is not limited to, the reporting of disease, injury, and vital events such as birth or death, and the conduct of public health surveillance.
Which of the following technologies would reduce the risk that information is not accessible during a server crash? a. RAID b. Server redundancy c. Storage area network d. Tape or disk backup
b. Server redundancy As EHRs are being implemented without paper backup, contingency planning and disaster recovery are becoming increasingly important. Not only must a healthcare organization be able to replace data if a server or storage device is destroyed in some manner, but organizations need to be able to instantaneously fail over to another server during a server crash. Backup of stored data has been routinely performed by most healthcare organizations. To reduce the risk of downtime, healthcare organizations now must also have server redundancy with server failover.
The director of health information services is allowed access to the health record tracking system when providing the proper log-in and password. What is this access security mechanism called? a. Context based b. User-based c. Situation based d. Role based
b. User-based User-based access is a security mechanism that grants users of a system access based on their identity.
To comply with HIPAA, under usual circumstances, a covered entity must act on a patient's request to review or copy his or her health information within ________ days. a. 10 b. 20 c. 30 d. 60
c. 30 A covered entity must act on an individual's request for review of PHI no later than 30 days after the request is made, extending the response period by no more than 30 additional days if it gave the individual a written statement within the 30-day time period explaining the reasons for the delay and the date by which the covered entity will complete its action on the request. The covered entity may extend the time for action on a request for access only once.
Under HIPAA regulations, how many days does a covered entity have to respond to an individual's request for access to his or her PHI when the PHI is stored off-site? a. 10 days beyond the original requirement b. 30 days c. 60 days d. 90 days
c. 60 days A covered entity must act on an individual's request for review of protected health information (PHI) no later than 30 days after the request is made, extending the response period by no more than 30 additional days if it gave the individual a written statement within the 30-day time period explaining the reasons for the delay and the date by which the covered entity will complete its action on the request. The covered entity may extend the time for action on a request for access only once. If PHI is not maintained or located on-site, the covered entity is given within 60 days of receipt to respond to a request.
Which of the following best describes the function of kiosks? a. A computer station that physicians can use to order medications b. A computer station that unlocks workstations c. A computer station that facilitates integrated communications within the healthcare organization d. A computer station that promotes the healthcare organization's services
c. A computer station that facilitates integrated communications within the healthcare organization A kiosk is a special form of input device geared to people less familiar with computers. It is located in a provider's waiting room and allows patients to access some of their health information and other services.
St. Joseph's Hospital has a psychiatric service on the sixth floor of the hospital. A 31-year-old male has come to the HIM department and requested to see a copy of his medical record. He indicated he was a patient of Dr. Schmidt, a psychiatrist, and that he was on the sixth floor of St. Joseph's for the past two months. These records are not psychotherapy notes. Of the options here, what is the best course of action? a. Prohibit the patient from accessing his record, as it contains psychiatric diagnoses that may greatly upset him. b. Allow the patient to access his record. c. Allow the patient to access his record if, after contacting his physician, his physician does not think it will be harmful to the patient. d. Deny access because HIPAA prevents patients from reviewing their psychiatric records.
c. Allow the patient to access his record if, after contacting his physician, his physician does not think it will be harmful to the patient. The HIPAA Privacy Rule provides patients with significant rights that allow them to have some measure of control over their health information. As long as state laws or regulations or the physician do not state otherwise, competent adult patients have the right to access their health record.
Which of the following statements is false with regard to the HIPAA Privacy Rule? a. A notice of privacy practices must be written in plain language. b. A notice of privacy practices must have a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization. c. An authorization must be obtained for uses and disclosures for treatment, payment, and operations. d. A notice of privacy practices must give an example of a use or disclosure for healthcare operations.
c. An authorization must be obtained for uses and disclosures for treatment, payment, and operations. Under the Privacy Rule, healthcare providers are not required to obtain patient consent to use or disclose personally identifiable information for treatment, payment, and healthcare operations.
Which of the following security controls are built into a computer software program? a. Physical safeguards b. Administration safeguards c. Application safeguards d. Media safeguards
c. Application safeguards One security strategy is to implement application safeguards. These are controls contained in the application software or computer programs. One common application control is password management. It involves keeping a record of end users' identifications and passwords and then matching the passwords to each end user's privileges.
The HIM supervisor suspects that a departmental employee is accessing the EHR for personal reasons, but has no specific data to support this suspicion. In this case, what should the supervisor do? a. Confront the employee. b. Send out a memorandum to all department employees reminding them of the hospital policy on Internet use. c. Ask the security officer for audit trail data to confirm or disprove the suspicion. d. Transfer the employee to another job that does not require computer usage.
c. Ask the security officer for audit trail data to confirm or disprove the suspicion. The HIM supervisor should determine if a breach has occurred before action is taken. This can be done using an audit trail, which is a software program that tracks access to data in the EHR. It logs the name of the individual who accessed the data, the date and time, and the action taken (for example, modifying, reading, or deleting data).
Which of the following is an example of data security? a. Contingency planning b. Fire protection c. Automatic logoff after inactivity d. Card key for access to data center
c. Automatic logoff after inactivity Data security includes ensuring that workstations are protected from unauthorized access. If a workstation is inactive for a period of time specified by the organization, it should log itself off automatically. The automatic logoff helps prevent unauthorized users from accessing e-PHI when an authorized user walks away from the computer without logging out of the system.
Which of the following is not an element that makes information "PHI" under the HIPAA Privacy Rule? a. Identifies an individual b. In the custody of or transmitted by a CE or its BA c. Contained within a personnel file d. Relates to one's health condition
c. Contained within a personnel file To meet the individually identifiable element of PHI, the information must meet all three portions of a three-part test: it must either identify the person or provide a reasonable basis to believe the person could be identified from the information given; it must relate to one's past, present, or future physical or mental health condition, the provision of healthcare, or payment for the provision of healthcare; and it must be held or transmitted by a covered entity or its business associate.
What is the biggest threat to the security of healthcare data? a. Natural disasters b. Fires c. Employees d. Equipment malfunctions
c. Employees Employees are the biggest threat to the security of healthcare data. Whether it is disgruntled employees destroying computer hardware, snooping employees accessing information without authorization to do so, or employees accessing information for fraudulent purposes, employees are a real threat to data security.
Covered entities must do which of the following to comply with HIPAA security provisions? a. Appoint an individual who has the title of chief security officer who is responsible for security management b. Conduct employee security training sessions every six months for all employees c. Establish a contingency plan d. Conduct technical and nontechnical evaluations every six years
c. Establish a contingency plan Administrative safeguards are documented, formal practices to manage data security measures throughout the organization. Basically, they require the facility to establish a security management process. The administrative provisions detail how the security program should be managed from the organization's perspective. Administrative safeguards have nine standards, including the development and testing of a contingency plan. This is to ensure that procedures are in place to handle an emergency response in the event of an untoward event such as a power outage.
The function used to provide access controls, authentication, and audit logging in an HIE is: a. Patient identification b. Record location service c. Identity management d. Consent management
c. Identity management Identity management provides security functionality, including determining who (or what information system) is authorized to access information, authentication services, audit logging, encryption, and transmission controls.
Which of the following is not true of Notices of Privacy Practices? a. Must be made available at the site where the individual is treated b. Must be posted in a prominent place c. Must contain content that may not be changed d. Must be prominently posted on the covered entity's website when the entity has one
c. Must contain content that may not be changed Healthcare providers with a direct treatment relationship with an individual must provide the notice of privacy practices no later than the date of the first service delivery (for example, first visit to a physician's office, first admission to a hospital, or first encounter at a clinic), including service delivered electronically. Notices must be available at the site where the individual is treated and must be posted in a prominent place where patients can reasonably be expected to read it. If the facility has a website with information on the covered entity's services or benefits, the notice of privacy practices must be prominently posted to it.
Which of the following is considered a two-factor authentication system? a. User ID with a password b. User ID with voice scan c. Password and swipe card d. Password and PIN
c. Password and swipe card Strong authentication requires providing information from two of the three different types of authentication information. The three methods are something you know, such as a password or PIN; something you have, such as an ATM card, token, swipe card, or smart card; and something you are, such as a biometric fingerprint, voice scan, iris, or retinal scan. When an individual provides something he knows (password) and something he has (swipe card), this is called two-factor authentication.
A secure method of communication between the healthcare provider and the patient is a(n): a. Personal health record b. E-mail c. Patient portal d. Online health information
c. Patient portal A secure patient portal allows for the communication between the provider and the patient and is not just a site for patients to access information. This is part of the effort to engage patients in their care.
Placing locks on computer room doors is considered what type of security control? a. Access control b. Workstation control c. Physical safeguard d. Security breach
c. Physical safeguard Physical safeguards protect physical equipment, media, or facilities. For example, doors leading to the areas that house mainframes and other principal computing equipment should have locks on them.
The legal term used to describe when a patient has the right to maintain control over certain personal information is referred to as: a. Access b. Confidentiality c. Privacy d. Security
c. Privacy Privacy is when a patient has the right to maintain control over certain health information.
The sister of a patient requests the HIM department to release copies of her brother's health record to her. She states that because the physician documented her name as her brother's caregiver, HIPAA regulations apply and she may receive copies of her brother's health record. In this case, how should the HIM department proceed? a. Provide the copies as requested since the sister was a caregiver. b. Provide only copies of the reports where the sister's name is mentioned. c. Refuse the request. d. Refer the individual to legal counsel.
c. Refuse the request. The Privacy Rule addresses the issue of personal representatives. Personal representatives are those who are legally authorized to make healthcare decisions on an individual's behalf or to act on behalf of a deceased individual or that individual's estate. Under the Privacy Rule, then, a personal representative must be treated the same as the individual regarding the use and disclosure of the individual's PHI. In this instance, the fact that the sister is listed in the health record as the caregiver does not make her legally authorized as a personal representative under the Privacy Rule. Her request should be refused.
What type of health record policy dictates how long individual health records must remain available for authorized use? a. Disclosure policies b. Legal policies c. Retention policies d. Redisclosure policies
c. Retention policies Hospitals and other healthcare facilities develop health record retention policies to ensure that health records comply with all applicable state and federal regulations and accreditation standards, as well as meet future patient care needs. Most states have established regulations that address how long health records and other healthcare-related documents must be maintained before they can be destroyed.
During user acceptance testing of a new EHR system, physicians are complaining that they must use multiple log-on screens to access all the system modules. For example, they must use one log-on for CPOE and another log-on to view laboratory results. One physician suggests having a single sign-on that would provide access to all the EHR system components. However, the hospital administrator thinks that one log-on would be a security issue. What information should the HIM director provide? a. Single sign-on is not supported by HIPAA security measures. b. Single sign-on is discouraged by the Joint Commission. c. Single sign-on is less frustrating for the end user and can provide better security. d. Single sign-on is not possible given today's technology.
c. Single sign-on is less frustrating for the end user and can provide better security. Single sign-on allows sign-on to multiple related, but independent, software systems. With this property, a user logs in once and gains access to all systems without being prompted to log in again at each of them. Single sign-off is the reverse property, whereby a single action of signing out terminates access to multiple software systems.
What resource should be consulted in terms of who may authorize access, use, or disclose the health records of minors? a. HIPAA because it has strict rules regarding minors b. Hospital attorneys because they know the rules of the hospital c. State law because HIPAA defers to state laws on matters related to minors d. Federal law because HIPAA overrides state laws on matters related to minors
c. State law because HIPAA defers to state laws on matters related to minors Because HIPAA defers to state laws on the issue of minors, applicable state laws should be consulted regarding appropriate authorization. In general, the age of majority is 18 years or older. This is the legal recognition that an individual is considered responsible for, and has control over, his or her actions.
Which document directs an individual to bring originals or copies of records to court? a. Summons b. Subpoena ad testificandum c. Subpoena duces tecum d. Deposition
c. Subpoena duces tecum A subpoena duces tecum means to bring documents and other records with oneself. Such subpoenas may direct the health information technology (HIT) professional to bring originals or copies of health records, laboratory reports, x-rays, or other records to a deposition or to court. Each state has different rules governing the production of health records in litigation. Often, the component state HIM association of AHIMA has a legal handbook that outlines the various conditions and how HITs should respond to a subpoena.
Community Hospital is discussing restricting the access that physicians have to electronic health records. The medical record committee is divided on how to approach this issue. Some committee members maintain that all information should be available, whereas others maintain that HIPAA restricts access. The HIM director is part of the committee. Which of the following should the director advise the committee? a. HIPAA restricts the access of physicians to all information. b. The "minimum necessary" concept does not apply to disclosures made for treatment purposes; therefore, physician access should not be restricted. c. The "minimum necessary" concept does not apply to disclosures made for treatment purposes, but the organization must define what physicians need as part of their treatment role. d. The "minimum necessary" concept applies only to attending physicians, and therefore, restriction of access must be implemented.
c. The "minimum necessary" concept does not apply to disclosures made for treatment purposes, but the organization must define what physicians need as part of their treatment role. The HIPAA Privacy Rule concept of "minimum necessary" does not apply to disclosures made for treatment purposes. However, the covered entity must define, within the organization, what information physicians need as part of their treatment role.
Central City Clinic has requested that Ghent Hospital send its hospital records for Susan Hall's most recent admission to the clinic for her follow-up appointment. Which of the following statements is true? a. The Privacy Rule requires that Susan Hall complete a written authorization. b. The hospital may send only the discharge summary, history and physical, and operative report. c. The Privacy Rule's minimum necessary requirement does not apply. d. This "public interest and benefit" disclosure does not require the patient's authorization.
c. The Privacy Rule's minimum necessary requirement does not apply. There are certain circumstances where the minimum necessary requirement does not apply, such as disclosures to healthcare providers for treatment; to the individual or his personal representative; pursuant to the individual's authorization; to the secretary of HHS for investigations, compliance review, or enforcement; as required by law; or to meet other Privacy Rule compliance requirements.
For HIPAA implementation specifications that are addressable, which of the following statements is true? a. The covered entity must implement the specification. b. The covered entity may choose not to implement the specification if implementation is too costly. c. The covered entity must conduct a risk assessment to determine whether the specification is appropriate to its environment. d. If the covered entity is a small hospital, the specification does not have to be implemented.
c. The covered entity must conduct a risk assessment to determine whether the specification is appropriate to its environment. Implementation specifications define how standards are to be implemented. Implementation specifications are either "required" or "addressable." Covered entities must implement all implementation specifications that are "required." For those implementation specifications that are labeled addressable, the covered entity must conduct a risk assessment and evaluate whether the specification is appropriate to its environment.
In which of the following situations must a covered entity provide an appeals process for denials to requests from individuals to see their own health information? a. Any time access is requested b. When the covered entity is a correctional institution c. When a licensed healthcare professional has determined that access to PHI would likely endanger the life or safety of the individual d. When the covered entity is unable to produce the health record
c. When a licensed healthcare professional has determined that access to PHI would likely endanger the life or safety of the individual The HIPAA Privacy Rule provides patients with significant rights that allow them to have some measure of control over their health information. As long as state laws or regulations or the physician do not state otherwise (such as when a licensed healthcare professional has determined that access would likely endanger the life or safety of the individual), competent adult patients have the right to access their health record.
An HIT using her password can access and change data in the hospital's master patient index. A billing clerk, using his password, cannot perform the same function. Limiting the class of information and functions that can be performed by these two employees is managed by: a. Network controls b. Audit trails c. Administrative controls d. Access controls
d. Access controls Determining what data to make available to an employee usually involves identifying classes of information based on the employee's role in the organization. Every role in the organization should be identified, along with the type of information required to perform it. This is often referred to as role-based access. Although there are other types of access control strategies, role-based access is probably the one used most often in healthcare organizations. Access to information and information resources (such as computers) must be restricted to those authorized to access the information or the associated resources.
Written business associate agreements are required with: a. Every company where work is outsourced b. Any outside company that handles electronic data c. Every outside company d. Any outside company that handles electronic PHI
d. Any outside company that handles electronic PHI Covered entities must obtain a written contract with business associates or other entities who handle e-PHI. The written contract must stipulate that the business associate will implement HIPAA administrative, physical, and technical safeguards and procedures and documentation requirements that safeguard the confidentiality, integrity, and availability of the e-PHI that it creates, receives, maintains, or transmits on behalf of the covered entity.
The medical record of Kathy Smith, the plaintiff, has been subpoenaed for a deposition. The plaintiff's attorney wishes to use the records as evidence to prove his client's case. In this situation, although the record constitutes hearsay, it may be used as evidence based on the: a. Admissibility exception b. Discovery exception c. Direct evidence exception d. Business records exception
d. Business records exception The Business Records Exception is the rule under which a record is determined not to be hearsay if it was made at or near the time by, or from information transmitted by, a person with knowledge; it was kept in the course of a regularly conducted business activity; and it was the regular practice of that business activity to make the record.
Under HIPAA rules, when an individual asks to see his or her own health information, a covered entity: a. Must always provide access b. Can always deny access c. Can demand that the individual pay to see his or her record d. Can deny access to psychotherapy notes
d. Can deny access to psychotherapy notes Section 164.524 of the Privacy Rule states that an individual has a right of access to inspect and obtain a copy of his or her own protected health information (PHI) that is contained in a designated record set, such as a health record. The individual's right extends for as long as the PHI is maintained. However, there are exceptions to what PHI may be accessed. For example, psychotherapy notes; information compiled in reasonable anticipation of a civil, criminal, or administrative action or proceeding; or PHI subject to the Clinical Laboratory Improvement Amendments (CLIA) are all exceptions.
When a patient revokes authorization for release of information after a healthcare facility has already released the information, the facility in this case: a. May be prosecuted for invasion of privacy b. Has become subject to civil action c. Has violated the security regulations of HIPAA d. Is protected by the Privacy Act
d. Is protected by the Privacy Act An individual may revoke an authorization at any time, provided that he or she does so in writing. However, the revocation does not apply when the covered entity has already taken action on the authorization.
Which of the following is not true about the Notice of Privacy Practices? a. It must include a description of the patient's right to amend PHI. b. It must include a description of the right to request restrictions on certain uses and disclosures. c. It must explain the patient's right to inspect and copy PHI. d. It must include at least two examples of how information is used for both treatment and operations.
d. It must include at least two examples of how information is used for both treatment and operations. AHIMA outlines the requirements for the content of the notice of privacy practices. One requirement is that a description (including at least one example) is to be given of the types of uses and disclosures the covered entity is permitted to make for treatment, payment, and healthcare operations.
Lane Hospital has a contract with Ready-Clean, a local company, to come into the hospital to pick up all of the facility's linens for off-site laundering. Ready-Clean is: a. A business associate because Lane Hospital has a contract with it b. Not a business associate because it is a local company c. A business associate because its employees may see PHI d. Not a business associate because it does not use or disclose individually identifiable health information
d. Not a business associate because it does not use or disclose individually identifiable health information Vendors who have a presence in a healthcare facility, agency, or organization will often have access to patient information in the course of their work. If the vendor meets the definition of a business associate (that is, it is using or disclosing an individual's PHI on behalf of the healthcare organization), a business associate agreement must be signed. If a vendor is not a business associate, employees of the vendor should sign confidentiality agreements because of their routine contact with and exposure to patient information. In this situation, Ready-Clean is not a business associate.
Under HIPAA, which of the following is not named as a covered entity? a. Attending physician b. Healthcare clearinghouse c. Health plan d. Outsourced transcription company
d. Outsourced transcription company An outsourced transcription company and vendor would be business associates of a covered entity (CE). Although business associates are not directly regulated by the Privacy Rule, they do come under the Privacy Rule's requirements by virtue of their association with one or more CEs. A business associate is a person or organization other than a member of a CE's workforce that performs functions or activities on behalf of or affecting a CE that involve the use or disclosure of individually identifiable health information.
The process of releasing health record documentation originally created by a different provider is called: a. Privileged communication b. Subpoena c. Jurisdiction d. Redisclosure
d. Redisclosure The process of releasing health record documentation originally created by a different provider is called redisclosure. Federal and state regulations provide specific redisclosure guidelines; however, when in doubt, follow the same principles as the release and disclosure guidelines for other types of health record information.
A competent individual has the following rights concerning his or her healthcare: a. Right to consent to treatment and the right to destroy their original health record b. Right to destroy their original health record and the right to refuse treatment c. Right to access his or her own PHI and the right to take the original record with them d. Right to consent to treatment and the right to access his or her own PHI
d. Right to consent to treatment and the right to access his or her own PHI Competent adults have a general right to consent to or refuse medical treatment. In general, a competent adult has the right to request, receive, examine, copy, and authorize disclosure of his or her own healthcare information.
An individual designated as an inpatient coder may have access to an electronic health record to code the record. Under what access security mechanism is the coder allowed access to the system? a. Situation based b. User based c. Context based d. Role based
d. Role based Access to e-PHI can be controlled through the use of the following: user-based access, role-based access, and context-based access. Role-based access control decisions are based on the roles individual users have as part of an organization. Each user is given the privileges needed to perform his or her role or function.
Which of the following is not an automatic control that helps preserve data confidentiality and integrity in an electronic system? a. Edit checks b. Audit trails c. Password management d. Security awareness program
d. Security awareness program Security awareness requires entities to provide security training for all staff. They must address security reminders, detection and reporting of malicious software, login monitoring, and password management. Edit checks, audit trails, and password management can all be programmed to be automatic controls where a security awareness program cannot.
The HIPAA Privacy Rule: a. Protects only medical information that is not already specifically protected by state law b. Supersedes all state laws that conflict with it c. Is federal common law d. Sets a minimum (floor) of privacy requirements
d. Sets a minimum (floor) of privacy requirements With the passage of the Privacy Rule, a minimum amount of protection (that is, a floor) was achieved uniformly across all the states through the establishment of a consistent set of standards that affected providers, healthcare clearinghouses, and health plans.
The "custodian of health records" refers to the individual within an organization who is responsible for all except which of the following actions? a. Authorized to certify records b. Supervising inspection and copying of record c. Testifying to the authenticity of records d. Testifying regarding the care of the patient
d. Testifying regarding the care of the patient The custodian of health records is the individual who has been designated as having responsibility for the care, custody, control, and proper safekeeping and disclosure of health records for such persons or institutions that prepare and maintain records of healthcare. The custodian of the health record does not have the responsibility or expertise to testify regarding the care of the patient.
Which of the following would be the best course of action to take to ensure continuous availability of electronic data? a. Acquire storage management software. b. Send data to a remote site using the Internet. c. Store data on RAID. d. Use redundant servers.
d. Use redundant servers. Data must be available continuously. When paper as a backup no longer exists in a paperless electronic health record (EHR) environment, users must be assured that the computer system is available to them at all times. To achieve such availability, an EHR should have server redundancy. This means that as data are entered and processed by one server, they are entered and processed simultaneously by a second server. Should the primary server crash, the system should be designed to "fail over" to the second server and can continue processing as if, at least from the user's point of view, nothing had happened.
Susan is completing her required high school community service hours by serving as a volunteer at the local hospital. Relative to the hospital, she is a(n): a. Business associate b. Covered entity c. Employee d. Workforce member
d. Workforce member Covered entities (CEs) are responsible for their workforce, which consists not only of employees but also volunteers, student interns, and trainees. Workforce members are not limited to those who receive wages from the CE.