Practice Questions for RHIT Exam: DOMAIN 5: Compliance
Community hospital is looking for ways to increase physician referrals. One board member suggested that they offer local physician $100 for every patient referred to the hospital for care. If the hospital goes ahead with the board member's suggestion, what statute is the hospital violating? A. Anti-Kickback statute B. False Claims Act C. Health Insurance Portability and Accountability Act D. Red Flags Rule
Anti-Kickback Statute The Anti-Kickback Statute dictates that physicians cannot receive money or other benefits for referring patients to a healthcare facility. In this example, a hospital cannot give a physician $100 for every patient referred to the hospital for care.
Which of the following is an example of a common form of healthcare fraud and abuse? A. Billing for services not furnished to patients B. Clinical documentation improvement C. Refiling claims after denials D. Use of a claim scrubber prior to submitting bills
Billing for services not furnished to patients Healthcare fraud is defined as an intentional representation that an individual knows to be false or does not believe to be true and makes, knowing that the representation could result in some unauthorized benefits to himself or herself or some other person. An example of fraud is billing for a service that was not furnished. The other three options are acceptable practices for healthcare organizations to use to effectively manage their revenue cycles.
In a typical acute-care setting, the Explanation of Benefits, Medicare Summary Notice, and Remittance Advice documents (provided by the payer) are monitored in which revenue cycle area? A. Preclaims submission B. Claims processing C. Accounts receivable D. Claims reconciliation and collections
Claims reconciliation and collections The last component of the revenue cycle is reconciliation and collections. The healthcare facility uses the EOB, MSN, and RA to reconcile accounts. These are monitored in the claims reconciliation and collections area of the revenue cycle.
Which of the following is the process of establishing an organizational culture that promotes the prevention, detection, and resolution of instances of conduct that do not conform to federal, state, or private payer healthcare program requirements or the healthcare organization's ethical and business policies? A. corporate integrity B. meaning use C. benchmarking D. compliance
Compliance Compliance is the process of establishing an organization culture that promotes the prevention, detection, and resolution of instances of conduct that do not conform to federal, state, or private payer healthcare program requirements or the healthcare organization's ethical and business policies. In other words, compliance actively prevents fraud and abuse.
Community Hospital has launched a clinical documentation improvement (CDI) initiative. Currently, clinical documentation does not always adequately reflect the severity of illness of the patient or support optimal HIM coding accuracy. Given this situation, which of the following would be the best action to validate that the new program is achieving its goals? A. Hire clinical documentation specialists to review records prior to coding B. Ask coders to query physicians more often C. Provide physicians the opportunity to add addenda to their reports to clarify documentation D. Conduct a retrospective review of all query opportunities for the year.
Conduct a retrospective review of all query opportunities for the year Facilities may design the CDI program based on several different models. Improvement work can be done with retrospective record review and queries, which concurrent record review and queries, or with concurrent coding. Staffing models may include the involvement of the CDS discussed previously or could be done by enhancing the role of the utilization review staff or case mangers or a communication of these models. Retrospective review of all query opportunities for the year would help to validate the effectiveness of the new program.
Which plan should be devised to respond to issues arising from the clinical documentation improvement (CDI) compliance and operational audit process? A. CDI response plan B. Quality assurance plan C. CDI plan D. Corrective action plan
Corrective action plan Most audits should identify some issues, either operational or compliance, in the clinical documentation improvement (CDI) process, even if they are minor issues. An organization needs to develop a corrective action plan for any identified issues.
The evaluation of coders is recommended at least quarterly for the purpose of measurement and assurance of: A. Speed B. Data quality and integrity C. Accuracy D. Effective relationships with physicians and facility personnel
Data quality and integrity Coders should be evaluated at least quarterly, with appropriate training needs identified, facilitated, and reassessed over time. Only through this continuous process of evaluation can data quality and integrity be accurately measured and ensured.
When the Medicare Recovery Audit Contractor has determined that incorrect payment has been made to an organization, which document is sent to the provider notifying them of this determination? A. Appeal request B. Claims denial C. Demand letter D. Medicare Summary Notice
Demand letter The provider will be notified of RAC determination in a demand letter, which includes the providers identification, reason for the review, list of claims, reasons for any denials, and amount of the overpayment for each claim. The demand letter is the equivalent of a denial letter.
The nursing staff routinely sends text messages to attending physicians to clarify orders during the night shift. The HIM professional should recommend which of the following to refine the policy as the best practice for protection information that is text messaged. A. Send a text message to more than one person B. Enter a person's telephone number each time a text message is sent to him C. Encrypt text messages during transmission D. Presume that telephone numbers stored in memory remain valid
Encrypt text messages during transmission Although text messaging is often used in healthcare it presents privacy and security risks. One best practice for text messaging in healthcare is to use encryption during transmission.
The Joint Commission is conducting an audit at Community Hospital to determine the hospital's compliance with the Joint Commission standards regarding patient rights. This is an example of a(n): A. Complex review B. External audit C. Internal Audit D. Casefinding review
External audit External audits are conducted by accreditation, insurance companies, or other organizations monitoring the healthcare provider for compliance with their standards and regulations. In this scenario The Joint Commission is doing an external audit to determine compliance with The Joint Commission standards regarding patients' rights.
If an HIM department acts in deliberate ignorance or in disregard of official coding guidelines, it may be committing: A. Abuse B. Fraud C. Malpractice D. Kickbacks
Fraud Medicare defines fraud as an intentional representation that an individual knows to be false or does not believe to be true but makes, knowing that the representation could result in some unauthorized benefit to himself or herself or some other person. Disregard for official coding guidelines would be considered fraud.
Which of the following issues compliance program guidance? A. AHIMA B. CMS C. Federal Register D. HHS Office of Inspector General
HHS Office of Inspector General From February 1998 until the present, the Office of Inspector General (OIG) continues to issue compliance program guidance for various types of healthcare organizations. The OIG website (www.oig.hhs.gov) posts the documents that most healthcare organizations need to develop fraud and abuse compliance plans.
A facility recently submitted two claims for the same service for a patient's recent encounter for chemotherapy. If the third-party payer pays both of these claims, the facility will receive a higher reimbursement than deserved. This is called: A. Appropriate payment B. Overpayment C. Unbundling D. Waste
Overpayment An overpayment occurs when a facility receives higher reimbursement than the facility deserves. One example of this is when a facility submits two or more claims for the same service.
Which of the following would NOT be a focus area of claims auditing for healthcare services provided in the emergency department? A. Ensuring claims are not submitted more than once B. Procedures are reported at the appropriate level C. Ensuring documentation supports services reported on the claim D. Patients are satisfied with their services
Patients are satisfied with their services The data elements collected during the audit vary based on the audit objective. As in this example, auditing a claim for healthcare services in the emergency department could consider the following areas: procedures that are reported at the appropriate level, claims are not submitted more than once, documentation supports services reported on the claim. Patient satisfaction with their services would not be an area of claim audit.
Every healthcare organization's risk management plan should include the following components except: A. Loss prevention and reduction B. Safety and security management C. Peer review D. Claims management
Peer review Risk management programs have three functions: risk identification and analysis, loss prevention and reduction, and claims management.
All of the following are measures used to track and assess clinical documentation improvement (CDI) programs EXCEPT: A. Record review rate B. Physician query rate C. Record agreement rate D. Query agreement rate
Record agreement rate Each of these percentages should be tracked within the first few months of program operation. The target percentage may need adjustment over time as the CDS staff members become more familiar with their responsibilities and physician documentation improves. These percentages are record review rate, physician query rate and query agreement rate.
The benefits of a coding compliance plan include the following: A. Improving patient care B. Identifying those who participate in fraud and abuse C. Retention of high standard of coding D. Increasing the number of denials of healthcare services reimbursement based on coding errors
Retention of high standard of coding There are a number of benefits of a coding compliance plan including retention of high standard of coding.
Which of the following types of information include areas like genetics, adoption, and drug use that require special attention? A. Special information B. Scientific information C. Sensitive information D. Super information
Sensitive information All health information must be protected; however, there is some information that requires special attention because it is considered sensitive health information such as genetic, adoptive, drug, alcohol, sexual health, and behavioral information. This type of information not only has strict rules and regulations, but also providers and ethical gray area when it comes to releasing and providing records.
Which step of risk analysis identifies information assets that need protection? A. identifying vulnerabilities B. Control Analysis C. System characterization D. Likelihood determination
System characterization The first step of risk analysis is system characterization. It focuses on what the organization possesses by identifying which information assets need protection. The assets may be identified either because they are critical to business operations (for example, the data itself, such as e-PHI) or because critical data is processed and stored on the system (such as hardware).
Which of the following can be used to discover current risk or focused areas of compliance? A. The OIG workplan B. AHA newsletter C. HIPAA Privacy Rule D. Local medical review policy
The OIG Workplan The OIG workplan should be reviewed each year. This document provides insight into the directions the OIG is taking , as well as highlights hot areas of compliance.
Why is it essential for members of the compliance team to be involved in the entire EHR implementation process? A. To ensure HIPAA compliance B. Evolving regulatory guidelines C. To monitor cut and past documentation D. Reimbursement risk
To monitor cut and past documentation Because of compliance concerns, such as cutting and pasting documentation in the EHR, it is essential to ensure that a member of the compliance team is involved in the entire EHR implementation process, as well as the part of the process involving clinical documentation practice.
The breach notification requirement applies to: A. All PHI B. Unsecured PHI only C. Electronic PHI only D. PHI on paper only
Unsecured PHI only Breach notification requirements only apply to unsecured PHI that technology has not made unusable, unreadable, or indecipherable to unauthorized person. This PHI is considered to be the most at-risk.
Medical identity theft includes which of the following: A. Using another person's name to obtain durable medical equipment B. Purchasing an EHR C. Purchasing surgical equipment D. Using another healthcare provider's national provider identifier to submit a claim
Using another person's name to obtain durable medical equipment Medical identity theft is a crime that challenges healthcare organizations and the health information profession. A type of healthcare fraud that includes both financial fraud and identity theft, it involves either (a) the inappropriate or unauthorized misrepresentation of one's identity (for example, the use of one's name and Social Security number) to obtain medical services or good, or (b) the falsifying of claims for medical services in an attempt to obtain money.
Per the HITECH breach notification requirements, what is the threshold for the immediate notification of each individual? A. 1,00 individuals affected B. 500 individuals affected C. 250 individuals affected D. Any number of individuals affected requires individual notification.
500 individuals affected All individuals whose information has been breached must be notified without unreasonable delay, and not more than 60 days, by first-class mail or a faster method (such as telephone) if there is the potential for imminent misuse. If 500 or more individuals are affected, they must be individually notified immediately and media outlets must be used as a notification mechanism as well. The Secretary of HHS must specifically be notified of the breach.
HIPAA requires that data security policies and procedures be maintained for a minimum of: A. 3 years from date of creation B. 5 years from the date of creation C. 5 years from date of creation or the date when last in effect, whichever is later D. 6 years from date of creation or the date when last in effect, whichever is later
6 years from date of creation or the date when last in effect, whichever is later Covered entities must maintain their security policies and procedures in written form. This includes formats that may be electronic. Any actions, assessments, or activities of the HIPAA Security Rule also must be documented in a written format. Documentation must be retained for six years from the date of its creation or the date when it last was in effect, whichever is later.
A group practice has hired an HIT as its chief compliance officer. The current compliance program includes written standards of conduct and policies, and procedures that address specific areas of potential fraud. It also has audits in place to monitor compliance. Which of the following should the compliance officer also ensure are in place? A. A bonus program for coders who code charts with higher paying MS-DRGs B. A hotline to receive complaints and adoption of procedures to protect whistleblowers from retaliation C. Procedures to adequately identify individuals who make complaints so that appropriate follow-up can be conducted D. A corporate compliance committee that reports directly to CFO
A hotline to receive complaints and adoption of procedures to protect whistleblowers from retaliation The OIG has outlined seven elements as the minimum necessary for a comprehensive compliance program. One of the seven elements is the maintenance of a process, such as a hotline, to receive complaints and the adoption of procedures to protect the anonymity of complaints and to protect whistleblowers from retaliation.
Coding policies should include which of the following elements? A. Lunch or break schedule B. How to access the computer system C. AHIMA Standards of Ethical Coding D. Nonofficial coding guidelines
AHIMA Standards of Ethical Coding Coding policies should include the following components: AHIMA Code of Ethics, AHIMA Standards of Ethical Coding, Official Coding Guidelines, applicable federal and state regulations, internal documentation policies requiring the presence of physician documentation to support all coded diagnosis and procedure code assignments.
Which of the following is a legal concern regarding the EHR? A. Ability to subpoena audit trails B. Template design C. ANSI standards D. Data sets
Ability to subpoena audit trails There are a number of legal issues facing the electronic health record (EHR). State laws vary as to what is and is not acceptable in a court of law regarding EHRs. Healthcare providers frequently receive subpoenas requesting the production of the health record. The subpoenas may require the production of audit trails.
Per the Fair and Accurate Credit Transactions Act (FACTA), which of the following is not a red flag category? A. An account held by a person who is over 80 years old B. Warnings from a consumer-reporting agency C. Unusual activity relating to a covered account D. Suspicious documents
An account help by a person who is over 80 years old The federal Fair and Accurate Credit Transactions Act (FACTA) requires financial institutions and creditors to develop and implement written identity theft programs that identify, detect, and respond to red flags that may signal the presence of identity theft. There are five categories of red flags that are used as triggers to alert the organization to a potential identity theft (16 CFR Part 681). The categories are: Alerts, notifications, or warnings from a consumer reporting agency; Suspicious documents; Suspicious personally identifying information such as a suspicious address; Unusual use of , or suspicious activity relating to, a covered account; Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with an account.
Calling out patient names in a physician's office is: A. An incidental disclosure B. Not subject to the minimum necessary requirement C. A disclosure for payment purposes D. An automatic violation of the HIPAA Privacy Rule
An incidental disclosure Calling out patient's name in a physician office is an incidental disclosure because it occurs as part of office operations. It is permitted as long as the information disclosed is the minimum necessary.
The coding staff should be updated at least__________ on compliance requirements. A. Weekly B. Monthly C. Every six months D. Annually
Annually It is imperative that all staff be trained in compliance policies, procedures, and standards of conduct as it applies to their position in the organization. This training should occur, at a minimum, in their initial orientation training and on and annual basis.
Which of the following is a good question for a supervisor of coding to ask when evaluating potential fraud or abuse risk areas in the coding area? A. Are the assigned codes supported by the health record documentation? B. Does the hospital have a compliance plan? C. How many claims have not been coded? D. Which members of the medical staff have the most admissions to the hospital?
Are the assigned codes supported by the health record documentation? Codes are used to determine reimbursement, therefore code assignment is critical. Assigning the incorrect codes with the intent of receiving more money is fraudulent. The coding supervisor should regularly compare assigned codes to health record documentation to ensure compliance.
Using data mining, an RAC makes a claim determination at the system-level without a human review of the health record. This type of review is called: A. Automated review B. Complex review C. Detailed review D. Systematic review
Automated review RACs conduct three types of audits: automated reviews, semi-automated reviews, and complex reviews. An automated review occurs when an RAC makes a claim determination at the system level without human review of the health record, such as data mining. Errors found must be clearly non-covered services or incorrect applications of coding rules and must be supported by Medicare policy, approved article, or coding guidance.
A Recovery Auditing Contractor (RAC) is conducting a review of claims for improper payment at Wildcat Hospital. The review is performed electronically utilizing a software program that analyzes claims data to identify proper payments. This type of review is referred to as: A. Automated review B. Complex REview C. Semi-automated review D. Semi-complex review
Automated review Recovery Audit Contractor (RAC) is a governmental program whose goal is to identify improper payments made on claims of healthcare services provided to Medicare beneficiaries. Improper payments may be overpayments or underpayments. Automated reviews are performed electronically rather than by humans. A software program analyzes claims data to identify improper payments.
A visitor to the hospital looks at the screen of the admitting clerk's computer workstation when she leaves her desk to copy some admitting documents. What security mechanism would best have minimized this security breach? A. Access controls B. Audit controls C. Automatic logoff controls D. Device and media controls
Automatic logoff controls Provisions must also be made to protect workstations that are more exposed to the public. For example, locking devices can be used to prevent removal of computer equipment and other devices. Automatic logouts can be used to prevent access by unauthorized.
The supervisor over the coding division in the HIM Department at Community Hospital reviewed the productivity logs of four newly hired coders after their first month. Using the information below, which employee will require additional assistance in order to meet the standard of 20 medical records coded per day? ***Question needs a graph Q 40*** A. Coder 1 B. Coder 2 C. Coder 3 D. Coder 4
Coder 3 Productivity is defined as a unit of performance defined by management in quantitative standards. Productivity allows organizations to measure how well the organization converts input into output or labor into a product or service. 20 records per day x 5 days x 4 weeks = 400 records required to be coded. Coder 1 coded 400 records; Coder 2 Coded 405 records; Coder 3 coded 345 records; Coder 4 coded 400 records.
Which of the following is an investigational technique that facilitates the identification of the various factors that contribute to a problem? A. Affinity grouping B. Cause-and-effect diagram C. Force-field analysis D. Nominal group technique
Cause-and-effect diagram A cause-and-effect diagram is an investigational technique that facilitates the identification of the various factors that contribute to a problem.
The National Patient Safety Goals (NPSGs) have effectively mandated all healthcare organizations to examine care processes that have a potential for error that can cause injury to patients. Which of the following process are included in the NPSGs? A. Identify patients correctly, prevent infection, and file claims for reimbursement B. Check patient medicines, prevent infection, and identify patients correctly C. File claims for reimbursement, check patient medicines, and improve staff communication D. Improve staff communication, process claims timely, and prevent infection
Check patient medicines, prevent infection, and identify patients correctly The National Patient Safety Goals (NPSGs) have effectively mandated all healthcare organizations examine care processes that have a potential for error and can cause injury to patients. The NPSGs include identifying patients correctly, improving staff communication, using medicines safely, preventing infection, checking patient medicines, preventing patients from falling, preventing bed sores, and identifying patient safety risks.
Which of the following groups are included in the feedback loop between denials, management, and clinical documentation improvement (CDI) program staff? A. Compliance B. Office of the Inspector General C. Center for Medicare and Medicaid Services D. Payers
Compliance The clinical documentation improvement (CDI) manager should coordinate a feedback look with functional managers that involved reporting data from the department to CDI and then from CDI back to the department. The three areas for CDI best practices include operationalizing feedback loops with denials management, compliance, and HIM.
The clinical documentation improvement (CDI) staff might create a feedback loop in which department to prevent disgruntled physicians from filing claims against them? A. Billing or finance B. Health information management C. Compliance D. Case Management
Compliance The clinical documentation improvement (CDI) manager should see the compliance function as an opportunity to discuss concerns about physicians who may not be cooperating with program staff of who are ignoring queries. If not managed appropriately, these physicians may become disgruntled with the CDI process and file complaints with CMS, the state's attorney general, or even the OIG.
The clinical documentation improvement (CDI) program must keep high-quality records of the query process for: A. Revenue cycle analysis B. Compliance issues C. Chart deficiency tracking D. Reducing the workload on HIM
Compliance issues Every organization should apply the same criteria for high-quality clinical documentation to the recording of clinical documentation improvement (CDI) program activities (queries and case notes) as it does to the review of clinical documentation. Maintaining thorough query documentation is necessary for compliance purposes.
What is the goal of the clinical documentation improvement (CDI) compliance review? A. To ensure adequate CDI improvement B. Compliant query generation and physical responses C. To ensure corrective action for any compliance concerns D. To ensure compliance between CDI program staff
Compliant query generation and physician responses Clinical documentation improvement (CDI) should be part of the organizational compliance program. The goal of a CDI compliance review is to monitor compliant query generation and physician responses.
Sarah, a new graduate of a health information technology program, sits for the registered health information technician (RHIT) exam and fails. She does not want her employer to know she failed and tells her coworker she passed the examination. Sarah then starts using the RHIT credential after her name in work correspondence. A coworker, Nancy, discovers that Sarah is using the RHIT credential fraudulently and notifies the supervisor, Joan. What is the responsibility of Nancy and Joan in this situation? A. Contact AHIMA and report the abuse B. Contact the state licensing division C. Contact the office of inspector general D. Contact the HIT program
Contact AHIMA and report the abuse HIM professionals should be guided by the AHIMA Code of Ethics in making ethical decisions that relate to the HIM profession. In this situation, Joan and Nancy should contact AHIMA and report the abuse.
If a patient notices an unknown item in the explanation of benefits they receive from an insurance company and they do not recognize the service being paid for, the patient should: A. Not do anything B. Contact the insurer and the provider who billed for the services to correct the information C. Contact the police D. Contact human resources and let them know there has been a mistake
Contact the insurer and the provider who billed for the services to correct the information Patients should review and monitor the information found within their explanation of benefits (EOBs). Patients should not assume that their healthcare services have been accurately submitted to and paid by their insurance companies as claims submission is an error-prone process.
What is one key component of a compliant clinical documentation improvement program? A. Detailed review of Joint Commission findings B. Documented, mandatory physician education C. Revenue cycle team involvement D. Exceeding query response targets
Documented, mandatory physician education There are three components an organization should include early in the implementation of a compliant clinical documentation improvement (CDI ) program. These include: documented, mandatory physician education; detailed query documentation; CDI policies and procedures with annual sign-off from all program staff.
A postoperative patient was prescribed Lortab prn. Nurse Jones documented in the patient record that she administered one does of Lortab to the patient, but never actually administered this medication. Nurse Jones then took the Lortab herself. This action would be called? A. Drug prescribing B. Adverse drug reaction C. Sentinel event D. Drug diversion
Drug diversion Drug diversion is the removal of a medication from its usual stream of preparation, dispensing, and administration by personnel involved in those steps in order to use or sell the medication in non-healthcare settings. An individual might take the medication for personal use, to sell on the street, to sell directly to a user as a dealer or to sell to others who will redistribute for the diverting individual.
A Joint Commission-accredited organization must review its formulary annually to ensure a medication's continued: A. Safety and dose B. Efficiency and efficacy C. Efficacy and safety D. Dose and efficiency
Efficacy and safety The formulary is composed of medications used for commonly occurring conditions or diagnoses treated in the healthcare organization. Organizations accredited by the Joint Commission are required to maintain a formulary and document that they review it at least annually for a medication's continued safety and efficacy.
Corporate compliance programs became common after adoption of which of the following? A. False Claims Act. B. Federal Sentencing Guidelines C. Office of the Inspector General for HHS D. Federal Physician Self-Referral Statute
Federal Sentencing Guidelines The U.S. Federal Sentencing Guidelines outline seven steps as the hallmark of an effective program to prevent and detect violations of law. These seven steps were the basis for the OIG's recommendations regarding the fundamental elements of an effective compliance program.
What is the most constant threat to health information integrity? A. Natural threats B. Environmental threats C. Internal threats D. Humans
Humans Health information can be threatened by humans as well as by natural and environmental factors. Threats posed by humans can be either unintentional or intentional. Threats to health information can result in compromised integrity (that is alteration of information, either intentional or unintentional), theft (intentional by nature), loss (unintentional) or intentional misplacement, other wrongful uses or disclosures (either intentional or unintentional), and destruction (intentional or unintentional).
Which of the following should be the first step in any quality improvement process? A. Analyzing the problem B. Identifying the performance measures C. Developing an alternative solution D. Deciding on the best solution
Identifying the performance measures Most quality improvement methodologies recognize that the organization must identify and continuously monitor the important organizational and patient-focused functions that they perform. The first step in this process is to identify performance measures.
Community Hospital is identifying strategies to minimize the security risks associated with employees leaving their workstations unattended. Which of the following solutions will minimize the security risk of unattended workstations? A. Use biometrics for access to the system. B. Implement firewall and virus protection. C. Implement automatic session terminations. D. Install encryption and similar devices.
Implement automatic session terminations. Automatic log-off is a security procedure that causes a computer session to end after a predetermined period of inactivity, such as 10 minutes. Multiple software products are available to allow network administrators to set automatic log-off parameters.
In Medicare, the most common forms of fraud and abuse include all except which of the following? A. Billing for services not furnished B. Misrepresenting the diagnosis to justify payment C. Unbundling or exploding charges D. Implementing a clinical documentation improvement program
Implementing a clinical documentation improvement program In Medicare, the most common forms of fraud and abuse include billing for services not furnished; misrepresenting the diagnosis to justify payment; soliciting, offering, or receiving a kickback; unbundling; falsifying certificates of medical necessity; and billing for a service not furnished as billed, known us upcoding.
Which of the following would be and example of a reviewable sentinel event? A. Incidence of hospital acquired infection B. Incidence of an unruly patient C. Incidence of infant abduction D. Incidence of blood transfusion reaction
Incidence of infant abduction A sentinel event includes any process variation for which a recurrence would carry a significant chance of serious adverse outcome. Such events are called "sentinel" because they signal the need for immediate investigation and response. Examples of sentinel events include infant abduction from the nursery or a foreign body left in a patient from surgery.
A local nonprofit community hospital is looking to do a fundraiser to add to their surgical center. HIPAA rules restrict activities related to fundraising for healthcare organizations. Which of the following must the hospital do to comply with the HIPAA requirements for fundraising? A. Fundraising materials do not have to include opt-out instructions B. Prior authorization is only required if individuals are not targeted based on diagnosis C. Individuals must be informed in the notice of privacy practices that their information may be used for fundraising purposes D. Authorization is required for fundraising solicitations.
Individuals must be informed in the notice of privacy practices that their information may be used for fundraising purposes For fundraising activities that benefit the covered entity, the covered entity may use or disclose to a BA or an institutionally related foundation, without authorization, demographic information and dates of healthcare provided to an individual. However, the covered entity must inform individuals in its notice of privacy practices that PHI may be used for this purpose. It must also include in its fundraising materials instructions on how to opt out of receiving materials in the future.
The process that involves ongoing surveillance and prevention of infections so as to ensure the quality and safety of healthcare for patients and employees is known as: A. Case management B. Infection control C. Risk management D. Utilization management
Infection control Infection control is a system for the prevention of communicable diseases that concentrates on protecting healthcare workers and patients against exposure to disease causing organisms and promotes compliance with applicable legal requirements through early identification of potential sources of contamination and implementation of policies and procedures that limit the spread of disease.
Organizations use of audits in data analysis in order to ensure compliance with policies and procedures is a component of: A. Internal monitoring B. Benchmarking C. Corrective action D. Educating staff
Internal monitoring As part of an effective compliance plan organizations must perform internal monitoring. These organizations must be diligent to ensure compliance with policies and procedures, such as through the use of audits and data analysis.
A physician takes the medical records of a group of HIV positive patients out of the hospital to complete research tasks at home. The physician mistakenly leaves the records in a restaurant, where they are read by a newspaper reporter who publishes an article that identifies the patients. The physician can be sued for: A. Slander B. Willful infliction of mental distress C. Libel D. Invasion of privacy
Invasion of privacy A person's right to privacy is the right to be left alone and protected against physical or psychological invasion. It includes freedom from intrusion into one;s private affairs to include their healthcare diagnoses.
A notice that the suspends the process or destruction of paper or electronic records is called: A. Subpoena B. Consent form C. Rule D. Legal hold
Legal hold A legal hold (also known as a preservation order, preservation notice, or litigation hold) basically suspends the processing or destruction of paper or electronic records. It may be initiated by a court if there is concern that information may be destroyed in cases of current or anticipated litigation, audit, or government investigation. Or, it may be initiated by the organization as part of their pre-litigation planning and duty to preserve information in anticipation of litigation.
Risk determination considers the factors of: A. Likelihood and impact B. Risk prioritization and control recommendations C. Risk Prioritization and impact D. Likelihood and control recommendations
Likelihood and impact Risk determination considers how likely it is that a particular threat will actually occur and , if it does occur, how great its impact or severity will be. Risk determination quantifies and organization's threats and enables it to both prioritize its risks and appropriately allocate its limited resources (namely, people, time, and money) accordingly.
Which type of identity theft occurs when a patient uses another person's name and insurance information to receive healthcare benefits? A. Medical B. Financial C. Criminal D. Health
Medical Medical identity theft occurs when a patient uses another person's name and insurance information to receive healthcare benefits. Most often this is done so a person can receive healthcare with an insurance benefit and pay less or nothing for the care received.
Events that occur in a healthcare organization that do not necessarily affect an outcome but carry significant chance of being a serious adverse event if they were to recur are: A. Time-out B. Serious events C. Sentinel events D. Near misses
Near Misses Near misses include occurrences that do not necessarily affect an outcome but if they were to recur they would carry significant chance of being a serious adverse event. Near misses fall under the definition of a sentinel event, but are not reviewable by The joint Commission under its current sentinel event policy.
In developing a coding compliance program, which of the following would NOT be ordinarily included as participants in coding compliance education? A. Current coding personnel B. Medical staff C. Newly hired coding personnel D. Nursing staff
Nursing staff In conjunction with the corporate compliance officer, the health information manager should provide education and training related to the importance of complete and accurate coding, documentation, and billing on an annual basis. Technical education for all coders should be provided. Documentation education is also part of compliance education. A focused effort should be made to provide documentation education to the medical staff.
The risk manager's principal tool for capturing the facts about potentially compensable events is the: A. Accident report B. RM report C. Occurrence report D. Event report
Occurrence report The risk manager's principal tool for capturing the facts about potentially compensable events is the occurrence report, sometimes called the incident report. Effective occurrence reports carefully structure the collection of data, information, and facts in a relatively simple format.
The Medicare Integrity Program was established to battle fraud and abuse and is charged with which of the following responsibilities? A. Audit of expense reports and notifying beneficiaries of their rights B. Payment determinations and audit of cost reports. C. Publishing of new coding guidelines and code changes D. Monitoring of physician credentials and payment determinations
Payment determinations and audit of cost reports The Medicare Integrity Program was established under the HIPAA legislation to battle healthcare fraud and abuse. Not only did medicare continue to review provider claims for fraud and abuse, but the focus expanded to cost reports, payment determinations and the need for ongoing compliance education.
Dr. Smith always orders the same 10 things when a new patient is admitted to the hospital in addition to some patient-specific orders. What would assist in assuring that the specific patient is not allergic to a drug being ordered? A. Clinical decision support B. Electronic medication administration record system C. Pharmacy information system D. Standard order set
Pharmacy information system When the pharmacy information system receives an order for a drug, it will aid the pharmacist in checking for contraindications, directs staff in compounding any drugs requiring special preparation, and aids in dispensing the drug in the appropriate dose and route of administration. Indication of an allergy would be considered a contraindication.
Which item below is NOT recommended by the HHS and the OIG for minimum compliance with clinical documentation regulations? A. Physicians should include vaccination records B. Progress, response, and changes are to be documented C. Health record should be completely legible D. Past and present diagnosis should be easily accessible
Physicians should include vaccination records Progress, response, and changes to the patient's condition must be documented. All health records should be completely legible and accessible to patient and present diagnosis information. These are all required elements of the Medicare Conditions of Participation. Physician inclusion of vaccination records is not mandated.
A risk manager is called in to evaluate a situation in which a visitor to the hospital slipped on spilled water, fell, and fractured his femur. This situation was referred to the risk manager because it involves a: A. Medical error B. Claims management issue C. Potentially compensable event D. Sentinel event
Potentially compensable event Risk management systems today are sophisticated programs that function to identify, reduce, or eliminate potentially compensable events (PCEs), thereby decreasing the financial liability of injuries or accidents to patients, staff, or visitors.
The quality improvement organizations (QIOs) under contract with CMS conduct audits on high-risk and hospital-specific data from claims data in this report: A. Hospital Payment Monitoring Program B. Payment Error Prevention Program C. Program for Evaluation Payment Patterns Electronic Report D. Compliance Program Guidance for Hospitals
Program for Evaluation Payment Patterns Electronic Report QIOs are currently under contract with CMS to perform a Hospital Payment Monitoring Program. This program targets specific DRGs and discharges that have been identified as at high-risk for payment errors. The high-risk hospital specific data are identified in an electronic report called Program for Evaluating Payment Patterns Electronic Report (PEPPER).
Detailed query documentation can be used to: A. Protect the hospital from lawsuits B. Protect the hospital against claims from physicians about leading queries C. show the effects of follow-up training D. Protect the auditor from corrective action
Protect the hospital against claims from physicians about leading queries Healthcare organization should keep detailed query data. Ther should be documented evidence of all queries the clincial documentation improvement (CDI) specialists ask, to whom they ask them, the clinical documentation or information supporting the query, and responses to queries. Detailed query documentation can also protect the hospital when against claims from physicians about leading queries.
Which of the following is the whistleblower provision of the False Claims Act that provides a means for individuals to report healthcare information non-compliance? A. Quid pro quo B. Query C. Qui tam D. Quasi reporting
Qui tam One of the key components of the False Claims Act is qui tam. Qui tam is the whistleblower provision of the False Claims Act-private persons, known as realtors, may enforce the Act by filing a complaint, under seal, alleging fraud committed against the government. For example, if a coder is told to assign codes in violation of coding rules, then he or she can report the facility for fraud.
If a patient receives a ____________ from a healthcare organization it indicated that the patient's protected health information was involved in a data breach. A. Notice of Breach B. Release of Information C. Protected Health Breach Notice D. Receipt of Breach Notice
Receipt of Breach Notice If a patient receives a Receipt of Breach Notice from a healthcare organization it indicates that the patient's protected health information was involved in a data breach
Examples of high-risk billing practices that create compliance risks for healthcare organizations include all EXCEPT which of the following? A. Altered claim forms B. Returned overpayments C. Duplicate billings D. Unbundled procedures
Returned overpayments Fraudulent billing practices represent a major compliance risk for healthcare organizations. High-risk billing practices include: billing for noncovered services, altered claim forms, duplicate billing, misrepresentation of facts on a claim form, failing to return overpayments, unbundling, billing for medically unnecessary services, overcoding and upcoding, billing for items or services not rendered, and false cost reports.
Exceptions to the Federal Anit-Kickback Statute that allow legitimate business arrangements and are not subject to prosecution are: A. Qui tam practices B. Safe practices C. Safe harbors D. Exclusions
Safe harbors A common theme runs through safe harbors and that is the intent to protect certain arrangements in which commercially reasonable items or services are exchanged for fair market value compensation. Safe harbors are an exception to the Federal Anti-Kickback Statue. Congress authorized HHS to establish additional safe harbors by regulation. These safe harbors are activities that are not subject to prosecution and protect the organization from civil or criminal penalties.
A patient requested a copy of a payment made by her insurance company for a surgery she had last month. The business office copied the remittance advice (RA) notice the organization received from the insurance company but failed to delete or remove the PHI for 10 patients listed on the same RA. This is an example of: A. Double billing B. Stereotyping C. Retrospective review D. Security breach
Security breach A security breach of PHI has occurred in this scenario because business office provided the patient with not only her information on the remittance advice, but also that the 10 other patients.
A patient was taken into surgery at a local hospital for treatment of colon cancer. A large section of the colon was removed during surgery and the patient was taken to the medical floor after surgery. Within the first 24 hours post-op, the patient developed fever, chills, and abdominal pain. An abdominal CT scan revealed the presence of a foreign body. This situation describes a: A. Near miss B. Sentinel event C. Security incident D. Time out
Sentinel event A sentinel event includes any process variation for which a recurrence would carry a significant chance of serious adverse outcome. Such events are called "sentinel" because they signal the need for immediate investigation and response. Examples of sentinel events include infant abduction from the nursery or a foreign body left in a patient from surgery.
How many basic elements are included in an effective compliance program? A. Five B. Seven C. Nine D. three
Seven Each healthcare facility should have a compliance program. There are seven basic elements that should be included in an effective compliance program. These include: policies, procedures, and standards of conduct; identifying a compliance officer and committee; educating staff; establish communication channels; perform internal monitoring; penalties for noncompliance with standards; and taking immediate corrective action when a problem is identified.
From an evidentiary standpoint, incident reports: A. Are universally nonadmissible during trial proceedings B. May be referenced in the patient's health record C. Should not be placed in a patient's health record D. Are universally nondiscoverable during litigation
Should not be placed in a patient's health record Incident reports involving patient care are not created to treat the patient, but rather to provide a basis for investigating the incident. From an evidentiary standpoint, incident reports should not be placed in a patient's health record, nor should the record refer to an incident report.
A hospital employee destroyed a health record so that its contents-which would be damaging to the employee-could not be used at trial. In legal terms, the employee's action constitutes: A. Mutilation B. Destriction C. Spoilation D. Spoilage
Spoliation Spoliation is a legal concept applicable to both paper and electronic records. When evidence is destroyed that relaters to a current or pending civil or criminal proceeding, it is reasonable to infer that the party had a consciousness of guilt or another motive to avoid the evidence.
The Medical Record Committee wants to determine if the hospital is in compliance with medical staff rules and regulations for medical record delinquency rates. The HIM director has compiled a report that shows that records are delinquent for an average of 29 days after discharge. Given this information, what can the committee conclude? A. Delinquency rate is within medical staff rules and regulations B. All physicians are performing at optimal levels C. The chart deficiency process is working well D. The data are insufficient to determine whether the hospital is in compliance.
The data are insufficient to determine whether the hospital is in compliance. When an incomplete record is not rectified within a specific number of days as indicated in the medical staff rules and regulations, the record is considered to be a delinquent record. Generally, an incomplete record is considered delinquent after it haws been available to the physician for completion for 15-30 days. This question does not provide enough information on the standard as the medical staff rules and regulations on delinquent records are not defined.
Healthcare fraud is all except which of the following? A. Damage to another party that reasonably relied on misrepresentation B. False representation of fact C. Failure to disclose a material fact D. Unnecessary costs to a program
Unnecessary costs to a program Healthcare fraud is the intentional deception or misrepresentation that an individual knows (or should know) to be false, or does not believe to be true, and makes, knowing the deception could result in some unauthorized benefit to himself or some other person(s). Unnecessary costs to a program, in and of itself, would not be healthcare fraud, there would need to be some intentional deception for it to be considered fraud.
The policies and procedures section of a coding compliance plan should include all EXCEPT which of the following? A. Physician query process B. Unbundling C. Assignment of discharge disposition codes D. Utilization review
Utilization review The policies and procedures section of a coding compliance plan should include physician query process, coding diagnosis not supported by health documentation, upcoding, correct use of encoder software, unbundling, coding health records without complete documentation, assignment of discharge destination codes, and complete process for using scrubber software. Utilization review would not be part of the policies and procedures section of a Coding Compliance Plan.
The overutilization or inappropriate utilization of services and misuse of resources, typically not a criminal or intentional act is called which of the following? A. Fraud B. Abuse C. Waste D. Audit
Waste Waste is the overutilization or inappropriate utilization of services and misuse of resources, and typically is not a criminal or intentional act. Waste includes practice like over prescribing and ordering tests inappropriately.
A laboratory employee forgot his password to the computer system while trying to record the results for a STAT request. He asked his coworker to log in for him so that he could record the results and said he would then contact technical support to reset his password. What controls should have been in place to minimize this security breach? A. Access controls B. Security incident procedures C. Security management process D. Workforce security awareness training
Workforce security awareness training A strategy included in a good security program is employee security awareness training. Employees are often responsible for threats to data security. Consequently, employee awareness is a particularly important tool in reducing security breaches.