RHIT Domain 2
Which of the following administrative safeguards includes policies and procedures for responding to emergencies or failures in systems that contain e-PHI? a. A contingency plan b. Security training c. Workforce security d. Information access management
a A contingency plan is a standard that requires the establishment and implementation of policies and procedures for responding to emergencies or failures in systems that contain e-PHI. It includes a data backup plan, disaster recovery plan, emergency mode of operation plan, testing and revision procedures, and applications and data criticality analysis to prioritize data and determine what must be maintained or restored first in an emergency (Rinehart-Thompson 2016c, 272).
The admissions director maintains that a notice of privacy practices must be provided to the patient on each admission. How should the HIM director respond? a. Notice of privacy practices is required on the first provision of service. b. Notice of privacy practices is required every time the patient is provided service. c. Notice of privacy practices is only required for inpatient admissions. d. Notice of privacy practices is required on the first inpatient admission but for every outpatient encounter.
a A patient has a right to a notice of privacy practices as defined in the HIPAA Privacy Rule. A healthcare provider has to provide the notice no later than the first service delivery. After that first provision of service, there is no requirement to provide a notice every time a patient receives service (Thomason 2013, 113).
An audit trail may be used to detect which of the following? a. Unauthorized access to a system b. Loss of data c. Presence of a virus d. Successful completion of a backup
a An audit trail is a software program that tracks every single access or attempted access of data in the computer system. It logs the name of the individual who accessed the data, terminal location or IP address, the date and time accessed, the type of data, and the action taken (for example, modifying, reading, or deleting data) (Rinehart-Thompson 2016c, 265).
With regard to training in PHI policies and procedures: a. Every member of the covered entity's workforce must be trained b. Only individuals employed by the covered entity must be trained c. Training only needs to occur when there are material changes to the policies and procedures d. Documentation of training is not required
a Every member of the covered entity's workforce must be trained in PHI policies and procedures to maintain the privacy of patient information, uphold individual rights guaranteed by the Privacy Rule, and report alleged breaches and other Privacy Rule violations (Rinehart-Thompson 2016b, 249).
Removing health records of patients who have not been treated at the facility for a specific period of time from the storage area is called: a. Purging records b. Assembling records c. Logging records d. Cycling records
a Files of patients who have not been at the facility for a specified period, such as two years, may be purged or removed from the active filing area (Sayles 2016b, 61).
The record custodian typically can testify about which of the following when a party in a legal proceeding is attempting to admit a health record as evidence? a. Identification of the record as the one subpoenaed b. The care provided to the patient c. The qualifications of the treating physician d. Identification of the standard of care used to treat the patient
a Original health records may be required by subpoena to be produced in person and the custodian of records is required to authenticate those records through testimony (Rinehart-Thompson 2016a, 198).
A patient requests copies of her medical records in an electronic format. The hospital does not maintain all of the designated records in an electronic format. How should the hospital respond? a. Provide the records in paper format only b. Scan the paper documents so that all records can be sent electronically c. Provide the patient with both paper and electronic copies of the record d. Inform the patient that PHI cannot be sent electronically
a The HIPAA Privacy Rule states that the covered entity must provide individuals with their information in the form that is requested by the individuals, if it is readily producible in the requested format. The covered entity can certainly decide, along with the individual, the easiest and least expensive way to provide the copies they request. Per the request of an individual, a covered entity must provide an electronic copy of any and all health information that the covered entity maintains electronically in a designated record set. If a covered entity does not maintain the entire designated record set electronically, there is not a requirement that the covered entity scan paper documents so the documents can be provided in that format (Thomason 2013, 102).
When served with a court order directing the release of health records, an individual: a. May ignore it b. Must comply with it c. Must request patient authorization before disclosing the records d. May determine whether or not to comply with it
b A court order is a document issued by a judge that compels a certain action, such as testimony or the production of documents such as health records. If a document requesting the production of health records is determined to be a court order, it must be complied with regardless of the presence or absence of patient authorization (Rinehart-Thompson 2017a, 58-59).
To ensure relevancy, an organization's security policies and procedures should be reviewed at least: a. Once every six months b. Once a year c. Every two years d. Every five years
b All data security policies and procedures should be reviewed and evaluated annually to make sure they are up-to-date and still relevant to the organization (Rinehart-Thompson 2016c, 264).
The protection measures and tools for safeguarding information and information systems is a definition of: a. Confidentiality b. Data security c. Informational privacy d. Informational access control
b Data security can be defined as the protection measures and tools for safeguarding information and information systems (Rinehart-Thompson 2016c, 254).
Which of the following statements is true regarding HIPAA security? a. All institutions must implement the same security measures. b. Institutions are allowed flexibility in the way they implement HIPAA standards. c. All institutions must implement all HIPAA specifications. d. A security risk assessment must be performed every year.
b HIPAA allows a covered entity to adopt security protection measures that are appropriate for its organization as long as they meet the minimum HIPAA security standards. Security protections in a large medical facility will be more complex than those implemented in a small group practice (Rinehart-Thompson 2016c, 271).
Under HIPAA rules, when an individual asks to see his or her own health information, a covered entity: a. Must always provide access b. Can deny access to psychotherapy notes c. Can demand that the individual pay to see his or her record d. Can always deny access
b Section 164.524 of the Privacy Rule states that an individual has a right of access to inspect and obtain a copy of his or her own protected health information (PHI) that is contained in a designated record set, such as a health record. The individual's right extends for as long as the PHI is maintained. However, there are exceptions to what PHI may be accessed. For example, psychotherapy notes; information compiled in reasonable anticipation of a civil, criminal, or administrative action or proceeding; or PHI subject to the Clinical Laboratory Improvements Act (CLIA) are all exceptions (Rinehart-Thompson 2016b, 225).
A secure method of communication between the healthcare provider and the patient is a(n): a. Personal health record b. E-mail c. Patient portal d. Online health information
c A secure patient portal allows for the communication between the provider and the patient and is not just a site for patients to access information. This is part of the effort to engage patients in their care (Sayles and Trawick 2014, 162).
What is the biggest threat to the security of healthcare data? a. Natural disasters b. Fires c. Employees d. Equipment malfunctions
c Employees are the biggest threat to the security of healthcare data. Whether it is disgruntled employees destroying computer hardware, snooping employees accessing information without authorization to do so, or employees accessing information for fraudulent purposes, employees are a real threat to data security (Rinehart-Thompson 2016c, 256).
A special web page that offers secure access to data is a(n): a. Internet b. Home page c. Intranet d. Portal
d A portal is a special application to provide secure remote access to specific applications (Brinda 2016, 162).
A competent individual has the following rights concerning his or her healthcare: a. Right to consent to treatment and the right to destroy their original health record b. Right to destroy their original health record and the right to refuse treatment c. Right to access his or her own PHI and the right to take the original record with them d. Right to consent to treatment and the right to access his or her own PHI
d Competent adults have a general right to consent to or refuse medical treatment. In general, a competent adult has the right to request, receive, examine, copy, and authorize disclosure of the patient's healthcare information (Brodnik 2017b, 341-342).
Which of the following is not an automatic control that helps preserve data confidentiality and integrity in an electronic system? a. Edit checks b. Audit trails c. Password management d. Security awareness program
d Security awareness requires entities to provide security training for all staff. They must address security reminders, detection and reporting of malicious software, login monitoring, and password management. Edit checks, audit trails, and password management can all be programmed to be automatic controls, whereas a security awareness program cannot (Rinehart-Thompson 2016c, 272).
The director of health information services is allowed access to the health record tracking system when providing the proper log-in and password. What is this access security mechanism called? a. Context based b. Role based c. Situation based d. User-based
d User-based access is a security mechanism that grants users of a system access based on their identity (Rinehart-Thompson 2016c, 262).
Which of the following statements about the directory of patients maintained by a covered entity is true? a. Individuals must be given an opportunity to restrict or deny permission to place information about them in the directory. b. Individuals must provide a written authorization before information about them can be placed in the directory. c. The directory may contain only identifying information such as the patient's name and birth date. d. The directory may contain private information as long as it is kept confidential.
a A patient has the opportunity to agree or disagree with being placed in a patient directory. They must be given the opportunity to determine if they want to be placed in the directory or not, but it does not need to be in writing (Rinehart-Thompson 2016b, 234).
Which of the following would be considered a security vulnerability? a. Lack of laptop encryption b. Workforce employees c. Tornado d. Electrical outage
a A security threat is anything that can exploit a security vulnerability. Vulnerability is a weakness or gap in security protection. In this situation the lack of encryption for the laptop would be considered a security vulnerability as the contents could be more easily accessed (Johns 2015, 219).
Which of the following is not true about the Notice of Privacy Practices? a. It must include at least two examples of how information is used for both treatment and operations. b. It must include a description of the right to request restrictions on certain uses and disclosures. c. It must explain the patient's right to inspect and copy PHI. d. It must include a description of the patient's right to amend PHI.
a AHIMA outlines the requirements for the content of the notice of privacy practices. One requirement is that a description (including at least one example) is to be given of the types of uses and disclosures the covered entity is permitted to make for treatment, payment, and healthcare operations (Rinehart-Thompson 2016b, 230-231).
An individual designated as an inpatient coder may have access to an electronic health record to code the record. Under what access security mechanism is the coder allowed access to the system? a. Role based b. User based c. Context based d. Situation based
a Access to e-PHI can be controlled through the use of the following: user-based access, role-based access, and context-based access. Role-based access control decisions are based on the roles individual users have as part of an organization. Each user is given various privileges to perform their role or function (Rinehart-Thompson 2016c, 262).
Which of the following is an example of a business associate? a. Contract coder b. Environmental services department c. Hospital security officer d. Employee with access to e-PHI
a Although business associates are not directly regulated by the Privacy Rule, they do come under the Privacy Rule's requirements by virtue of their association with one or more covered entities. Some examples of business associates are contract coders, billing companies, consultants, accounting firms, and the like (Rinehart-Thompson 2017c, 211-212).
The HIPAA Security Awareness and Training administrative safeguard requires all of the following addressable implementation programs for an entity's workforce except: a. Disaster recovery plan b. Log-in monitoring c. Password management d. Security reminders
a Another administrative safeguard specification requires that a covered entity implement a security awareness and training program for all members of its workforce. Special protections must be taken to ensure information is not inappropriately released or accessed. These protections include log-in monitoring, password management, and security reminders (Reynolds and Brodnik 2017, 274).
A coding compliance manager is reviewing a tool that identifies when a user logs in and out, what he or she does, and more. What is the manager reviewing? a. Audit trail b. Facility access control c. Forensics d. Security management plan
a Audit controls are required by HIPAA. One method of monitoring is the use of audit trails. Audit trails are a recording of activities occurring in an information system. Audit trails can monitor system level controls such as login, logout, unsuccessful logins, print, query, and other actions. It also records user-identification information and the date and time of the activity. Audits should be scheduled periodically, but can also be performed when a problem is suspected (Sayles and Trawick 2014, 215).
An employee accesses PHI on a computer system that does not relate to her job functions. What security mechanism should have been implemented to minimize this security breach? a. Access controls b. Audit controls c. Contingency controls d. Security incident controls
a Establishing access controls is a fundamental security strategy. Basically, the term access control means being able to identify which employees should have access to what data. The general practice is that employees should have access only to data they need to do their jobs. For example, an admitting clerk and a healthcare provider would not have access to the same kinds of data (Rinehart-Thompson 2016c, 273).
When an individual requests a copy of the PHI or agrees to accept summary or explanatory information, the covered entity may: a. Impose a reasonable cost-based fee b. Not charge the individual c. Impose any fee authorized by state statute d. Charge only for the cost of the paper on which the information is printed
a HIPAA gives individuals the right to request access to their PHI, but the covered entity may require that requests be in writing. HIPAA allows a reasonable cost-based fee when the individual requests a copy of PHI or agrees to accept summary or explanatory information (Rinehart-Thompson 2016b, 225).
Under the HIPAA Privacy rule, which of the following statements is true? a. An authorization must contain an expiration date or event. b. A consent for use and disclosure of information must be obtained from every patient. c. An authorization must be obtained for uses and disclosures for treatment, payment, and operations. d. A notice of privacy practices must give 10 examples of a use or disclosure for healthcare operations.
a In order for an authorization to be valid, it must contain an expiration date or event that relates to the individual or the purpose of the use or disclosure (Rinehart-Thompson 2016b, 245-246).
An audit log is an example of: a. Metadata b. Encryption c. Admissibility d. Data integrity
a Metadata are data about data and include information that tracks actions such as when and by whom a document was accessed or changed, such as in an audit log (Rinehart-Thompson 2016a, 206).
Which of the following statements represents an example of nonmaleficence? a. HITs must ensure that patient-identifiable information is not released to unauthorized parties. b. HITs must apply rules fairly and consistently to every case. c. HITs must ensure that patient-identifiable information is released to the parties who need it to provide services to their patients. d. HITs must ensure that patients themselves, and not other parties, are authorizing access to the patients' individual health information.
a Nonmaleficence would require the HIM professional to ensure that the information is not released to someone who does not have authorization to access it and who might harm the patient if access were permitted (for example, a newspaper seeking information about a famous person) (Gordon and Gordon 2016c, 604).
Which of the following is true regarding the development of health record destruction policies? a. All applicable laws must be considered b. The organization must find a way not to destroy any health records c. Health records involved in pending or ongoing litigation may be destroyed d. Only state laws must be considered
a Not all information must be kept forever. Just as the HIM professional must consider multiple factors when determining retention, many factors must also be taken into consideration with regard to health record destruction. These include applicable federal and state statutes and regulations; accreditation standards; pending or ongoing litigation; storage capabilities; and cost (Rinehart-Thompson 2016a, 208).
Which of the following is not an identifier under the Privacy Rule? a. Age 75 b. Vehicle license plate BZ LITYR c. Street address 265 Cherry Valley Road d. Visa account 2773 985 0468
a One of the most fundamental terms in the Privacy Rule is protected health information (PHI), defined by the rule as "individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium" (45 CFR 160.103). To meet the individually identifiable element of PHI, information must meet all three portions of a three-part test. It must either identify the person or provide a reasonable basis to believe the person could be identified from the information given. It must relate to one's past, present, or future physical or mental health condition; the provision of healthcare; or payment for the provision of healthcare. It must be held or transmitted by a covered entity or its business associate (Rinehart-Thompson 2017c, 213).
A secretary in the Nursing Office was recently hospitalized with ketoacidosis. She comes to the HIM department and requests to review her health record. Of the options here, what is the best course of action? a. Allow her to review her record after obtaining authorization from her. b. Refer the patient to her physician for the information. c. Tell her to go through her supervisor for the information. d. Tell her that hospital employees cannot access their own medical records.
a Review of records by the patient is permitted after the authorization for use and disclosure is verified. Usually hospital personnel should be present during on-site reviews to assist the requester with the paper record or working with the EHR if necessary. Assistance would not be needed if the people requesting on-site review work for the facility (Rinehart-Thompson 2016b, 225, 244).
An electronic health record risk analysis is useful to: a. Identify security threats b. Identify which employees should have access to data c. Establish password controls d. Establish audit controls
a Risk management begins by conducting a risk analysis. Identifying security threats or risks, determining how likely it is that any given threat may occur, and estimating the impact of an untoward event are all parts of a risk assessment (Rinehart-Thompson 2016c, 260-261).
Mary's PHI was breached by her physician office when it was disclosed in error to another patient. Which of the following breach notification statements is correct regarding the physician office's required action? a. It must report the breach to HHS within 60 days after the end of the calendar year in which the breach occurred b. It must report the breach to HHS within 60 days of the breach c. It must notify all local media outlets and HHS immediately d. It is not required to take any action since the breach affected only one person
a Since this breach applies to one patient, it must be reported to HHS within 60 days after the end of the calendar year (Rinehart-Thompson 2016b, 240).
Access to health records based on protected health information within a healthcare facility should be limited to employees who have a: a. Legitimate need for access b. Password c. Report development program d. Signed confidentiality agreement
a The access controls standard requires implementation of technical procedures to control or limit access to health information. The procedures would be executed through some type of software program. This requirement ensures that individuals are given authorization to access only the data they need to perform their respective jobs (Rinehart-Thompson 2016c, 273).
As the corporate director of HIM services and enterprise privacy officer, you are asked to review a patient's health record in preparation for a legal proceeding for a malpractice case. The lawsuit was brought by the patient 72 days after the procedure. Health information contains a summary of two procedures that were dictated 95 days after the procedure. The physician in question has a longstanding history of being lackadaisical with record completion practices. Previous concerns regarding this physician's record maintenance practices had been reported to the facility's Credentialing Committee. Is this information admissible in court? a. This information could be rejected because the physician dictated the procedure note after the malpractice suit was filed. b. This information will be admissible in court because it is part of the patient's health record. c. This information could be rejected because it is not relevant to the malpractice case. d. This information will be rejected because the patient did not authorize its release.
a The health record may be valuable evidence in a legal proceeding. To be admissible, the court must be confident that the record is: complete, accurate, and timely (recorded at the time the event occurred); was documented in the normal course of business; and was made by healthcare providers who have knowledge of the "acts, events, conditions, opinions, or diagnoses appearing in it" (Klaver 2017a, 78-79).
The legal health record (LHR) is a(n): a. Defined subset of all patient-specific data created or accumulated by a healthcare provider that may be released to third parties in response to a legally permissible request for patient information b. Entire set of information created or accumulated by a healthcare provider that may be released to third parties in response to a legally permissible request for patient information c. Set of patient-specific data created or accumulated by a healthcare provider that is defined to be legal by the local, state, or federal authorities d. Set of patient-specific data that is defined to be legal by state or federal statute and that is legally permissible to provide in response to requests for patient information
a The legal health record is a defined subset of all patient-specific data. The legal health record is the record that will be disclosed upon request by third parties. It includes documentation about health services provided and stored on any media (Rinehart-Thompson 2016a, 206).
Within the context of electronic health records, protecting data privacy means defending or safeguarding: a. Access to information b. Data availability c. Health record quality d. System implementation
a Within the context of data security, protecting data privacy means safeguarding access to information. Only those individuals who need to know information should be authorized to access it (Johns 2015, 210-211).
Which of the following statements is not true about a business associate agreement? a. It prohibits the business associate from using or disclosing PHI for any purpose other than that described in the contract with the covered entity. b. It allows the business associate to maintain PHI indefinitely. c. It prohibits the business associate from using or disclosing PHI in any way that would violate the HIPAA Privacy Rule. d. It requires the business associate to make available all of its books and records relating to PHI use and disclosure to the Department of Health and Human Services or its agents.
b Agreements between the covered entity and a business associate include: requiring the business associate to make available all of its books and records relating to protected health information (PHI) use and disclosure to the Department of Health and Human Services or its agent; prohibiting the business associate from using or disclosing PHI in any way that would violate the HIPAA Privacy Rule; prohibiting the business associate from using or disclosing PHI for any purpose other than that described in the contract with the covered entity; and other agreements. But it does not allow the business associate to maintain PHI indefinitely (Rinehart-Thompson 2016b, 220-222).
Jeremy Lykins was required to undergo a physical exam prior to becoming employed by San Fernando Hospital. Jeremy's medical information is: a. Protected by the Privacy Rule because it is individually identifiable b. Not protected by the Privacy Rule because it is part of a personnel record c. Protected by the Privacy Rule because it contains his physical exam results d. Protected by the Privacy Rule because it is in the custody of a covered entity
b Although a person or organization may, by definition, be subject to the Privacy Rule by virtue of the type of organization it is, not all information that it holds or comes into contact with is protected by the Privacy Rule. For example, the Privacy Rule has specifically excluded from its scope employment records held by the covered entity in its role as employer (45 CFR 160.103). Under this exclusion, employee physical examination reports contained within personnel files are specifically exempted from this rule (Rinehart-Thompson 2017c, 215).
Burning, shredding, pulping, and pulverizing are all acceptable methods in which process? a. Deidentification of electronic documents b. Destruction of paper-based health records c. Deidentification of records stored on microfilm d. Destruction of computer-based health records
b Because of cost and space limitations, permanently storing paper and microfilm-based health record documents is not an option for most hospitals. Acceptable destruction methods for paper documents include burning, shredding, pulping, and pulverizing (Fahrenholz 2013a, 111).
Which of the following ethical principles is being followed when a health information management professional ensures that patient information is only released to those who have a legal right to access it? a. Autonomy b. Beneficence c. Justice d. Nonmaleficence
b Beneficence would require the HIM professional to ensure that the information is released only to individuals who need it to do something that will benefit the patient (for example, to an insurance company for payment of a claim) (Gordon and Gordon 2016c, 604).
What is the legal term used to define the protection of health information in a patient-provider relationship? a. Access b. Confidentiality c. Privacy d. Security
b Confidentiality, as recognized by law and professional codes of ethics, stems from a relationship such as physician and patient, and pertains to the information resulting from that relationship. Privileged communication is a legal concept designed to protect the confidentiality between two parties (Brodnik 2017a, 7-8).
Which of the following refers to guarding against improper information modification or destruction? a. Confidentiality b. Integrity c. Privacy d. Security
b Data integrity means that data should be complete, accurate, consistent, and up-to-date. With respect to data security, organizations must put protections in place so that no one may alter or dispose of data in a manner inconsistent with acceptable business and legal rules (Johns 2015, 211).
When data has been lost in an EHR, which action is taken to remedy this problem? a. Build a firewall b. Data recovery c. Review the audit trail d. Develop data integrity plan
b Data recovery is the process of recouping lost data or reconciling conflicting data after the system fails. These data may be from events that occurred while the system was down or from backed-up data (Sayles and Trawick 2014, 213).
The three elements of a security program are ensuring data availability, protection, and: a. Suitability b. Integrity c. Flexibility d. Robustness
b Data security embodies three basic concepts: protecting the privacy of data, ensuring the integrity of data, ensuring the availability of data (Rinehart-Thompson 2016c, 254).
A dietary department donated its old microcomputer to a school. Some old patient data were still on the computer. What controls would have minimized this security breach? a. Access controls b. Device and media controls c. Facility access controls d. Workstation controls
b Device and media controls require the facility to specify proper use of electronic media and devices (external drives, backup devices, etc.). Included in this requirement are controls and procedures regarding the receipt and removal of electronic media that contain protected health information and the movement of such data within the facility. The entity must also address procedures for the transfer, removal, or disposal, including reuse or redeployment, of electronic media (Rinehart-Thompson 2016c, 273).
Which of the following is an organization's planned response to protect its information in the case of a natural disaster? a. Administrative controls b. Contingency plan c. Audit trail d. Physical controls
b Disaster planning occurs through a contingency plan—a set of procedures, documented by the organization to be followed when responding to emergencies. It encompasses what an organization and its personnel need to do both during and after events that limit or prevent access to facilities and patient information (Rinehart-Thompson 2016c, 267).
Which of the following individuals may authorize release of information? a. An 86-year-old patient with a diagnosis of advanced dementia b. A married 15-year-old father c. A 15-year-old minor d. The parents of an 18-year-old student
b Emancipated minors generally may authorize the access and disclosure of their own PHI. If the minor is married or previously married, the minor may authorize the disclosure or use of his or her information. If the minor is under the age of 18 and is the parent of a child, the minor may authorize the access and disclosures of his or her own information as well as that of his or her child (Brodnik 2017b, 343-344).
A hospital HIM department receives a subpoena duces tecum for records of a former patient. When the health record technician goes to retrieve the patient's health records, it is discovered that the records being subpoenaed have been purged in accordance with the state retention laws. In this situation, how should the HIM department respond to the subpoena? a. Inform defense and plaintiff lawyers that the records no longer exist b. Submit a certification of destruction in response to the subpoena c. Refuse the subpoena since no records exist d. Contact the clerk of the court and explain the situation
b If the paper health record is destroyed, the imaging record would be the legal health record. This may not be the case if the paper record is retained. State laws typically view the original health record as the legal record when it is available. Those who choose to destroy the original health record may do so within weeks, months, or years of scanning. If the record was destroyed according to guidelines for destruction and no scanned record exists, the certificate of destruction should be presented in lieu of the record (Rinehart-Thompson 2017b, 199-200).
A hospital is planning on allowing coding professionals to work at home. The hospital is in the process of identifying strategies to minimize the security risks associated with this practice. Which of the following would be best to ensure that data breaches are minimized when the home computer is unattended? a. User name and password b. Automatic session terminations c. Cable locks d. Encryption
b In the HIPAA Security Rule, one of the technical safeguards standards is access control. This includes automatic log-off, which implements procedures that terminate an electronic session after a predetermined period of inactivity (Reynolds and Brodnik 2017, 277).
Who owns the health record? a. Patient b. Provider who generated the information c. Insurance company who paid for the care recorded in the record d. No one
b Ownership of the health record has traditionally been granted to the provider who generates the record (Brodnik 2017a, 9).
Which of the following laws created the HITECH Act? a. Health Insurance Portability and Accountability Act b. American Recovery and Reinvestment Act c. Consolidated Omnibus Budget Reconciliation Act d. Healthcare Quality Improvement Act
b The American Recovery and Reinvestment Act of 2009 (ARRA) is considered one of the major health information technology laws that provided stimulus funds to the US economy in the midst of a major economic downturn. A substantial portion of the bill, Title XIII of the Act entitled the Health Information Technology for Economic and Clinical Health (HITECH) Act, was part of ARRA (Kellogg 2016a, 28).
Which of the following provide the objective and scope for the HIPAA Security Rule as a whole? a. Administrative provisions b. General rules c. Physical safeguards d. Technical safeguards
b The General Rules provide the objective and scope for the HIPAA Security Rule as a whole. They specify that covered entities must develop a security program that includes a range of security safeguards that protect individually identifiable health information maintained or transmitted in electronic form (Rinehart-Thompson 2016c, 271).
Which of the following is true about health information retention? a. Retention depends only on accreditation requirements b. Retention periods differ among healthcare facilities c. The operational needs of a healthcare facility cannot be considered d. Retention periods are frequently shorter for health information about minors
b The HIM professional must consider multiple factors when developing health record retention policies that determine how long health records are to be kept. These factors include applicable federal and state statutes and regulations; accreditation standards; operational needs of the organization; and the type of organization. Because these factors vary, retention policies differ among healthcare facilities (Rinehart-Thompson 2016a, 206-207).
Which of the following is a core ethical obligation of health information professionals? a. Coding diseases and operations b. Protecting patients' privacy and confidential communications c. Transcribing health reports d. Performing quantitative analysis on record content
b The HIM professional's core ethical obligations are to protect patient privacy and confidential information and communication and to assure security of that information (Gordon and Gordon 2016c, 609).
The Medical Record Committee is reviewing the privacy policies for a large outpatient clinic. One of the members of the committee remarks that he feels that the clinic's practice of calling out a patient's full name in the waiting room is not in compliance with HIPAA regulations and that only the patient's first name should be used. Other committee members disagree with this assessment. What should the HIM director advise the committee? a. HIPAA does not allow a patient's name to be announced in a waiting room. b. There is no violation of HIPAA in announcing a patient's name, but the committee may want to consider implementing a change that might reduce this practice. c. HIPAA allows only the use of the patient's first name. d. HIPAA requires that patients be given numbers and only the number be announced.
b The HIPAA Privacy Rule allows communications to occur for treatment purposes. The preamble repeatedly states the intent of the rule is to not interfere with customary and necessary communications in the healthcare of the individual. Calling out a patient's name in a waiting room, or even on the facility's paging system, is considered an incidental disclosure, and therefore, allowed in the Privacy Rule (Thomason 2013, 37).
To comply with HIPAA regulations, a hospital would make its membership in an HIE known to its patients through which of the following? a. Press release b. Notice of Privacy Practices c. Consent form d. Website notice
b The Privacy Rule introduced the standard that individuals should be informed how covered entities use or disclose protected health information (PHI). Section 164.520 requires that, except for certain variations or exceptions for health plans and correctional facilities, an individual has the right to a notice explaining how his or her PHI will be used and disclosed. This is the notice of privacy practices (Rinehart-Thompson 2016b, 230-231).
Which of the following is a software program that tracks every access to data in the computer system? a. Access control b. Audit trail c. Edit check d. Risk assessment
b The audit trail is a software program that tracks every single access to data in the computer system. It logs the name of the individual who accessed the data, the date and time, and the action taken (for example, modifying, reading, or deleting data). Review of audit trails can help detect whether a breach of security has occurred (Rinehart-Thompson 2016c, 265).
Mrs. Bolton is an angry patient who resents her physicians "bossing her around." She refuses to take a portion of the medications the nurses bring to her pursuant to physician orders and is verbally abusive to the patient care assistants. Of the following options, the most appropriate way to document Mrs. Bolton's behavior in the patient medical record is: a. Mean b. Noncompliant and hostile toward staff c. Belligerent and out of line d. A pain in the neck
b When entries are made in the health record regarding a patient who is particularly hostile or irritable, general documentation principles apply, such as charting objective facts and avoiding the use of personal opinions, particularly those that are critical of the patient. The degree to which these general principles apply is heightened because a disagreeable patient may cause a provider to use more expressive and inappropriate language. Further, a hostile patient may be more likely to file legal action in the future if the hostility is a personal attribute and not simply a manifestation of his or her medical condition (Rinehart-Thompson 2017b, 179).
A home health agency plans to implement a computer system whereby its nurses document home care services on a laptop computer taken to the patient's home. The laptops will connect to the agency's computer network. The agency is in the process of identifying strategies to minimize the risks associated with the practice. Which of the following would be the best practice to protect laptop and network data from a virus introduced from an external device? a. Biometrics b. Encryption c. Personal firewall software d. Session terminations
c A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a software program or device that filters information between two networks, usually between a private network like an intranet and a public network like the Internet (Rinehart-Thompson 2016c, 265).
Which document directs an individual to bring originals or copies of records to court? a. Summons b. Subpoena c. Subpoena duces tecum d. Deposition
c A subpoena duces tecum means to bring documents and other records with oneself. Such subpoenas may direct the health information technology (HIT) professional to bring originals or copies of health records, laboratory reports, x-rays, or other records to a deposition or to court. Each state has different rules governing the production of health records in litigation. Often, the component state HIM association of AHIMA has a legal handbook that outlines the various conditions and how HITs should respond to a subpoena (Rinehart-Thompson 2016b, 215).
Which of the following technologies would reduce the risk that information is not accessible during a server crash? a. RAID b. Storage area network c. Server redundancy d. Tape or disk backup
c As EHRs are being implemented without paper backup, contingency planning and disaster recovery are becoming increasingly important. Not only must a healthcare organization be able to replace data if a server or storage device is destroyed in some manner, but organizations also need to be able to fail over instantaneously to another server during a server crash. Backup of stored data has been routinely performed by most healthcare organizations. To reduce the risk of downtime, healthcare organizations now must also have server redundancy with server failover (Sayles and Trawick 2014, 212-213).
What resource should be consulted in terms of who may authorize access, use, or disclose the health records of minors? a. HIPAA because it has strict rules regarding minors b. Hospital attorneys because they know the rules of the hospital c. State law because HIPAA defers to state laws on matters related to minors d. Federal law because HIPAA overrides state laws on matters related to minors
c Because HIPAA defers to state laws on the issue of minors, applicable state laws should be consulted regarding appropriate authorization. In general, the age of maturity is 18 years or older. This is the legal recognition that an individual is considered responsible for, and has control over, his or her actions (Klaver 2017b, 160).
Which of the following is a characteristic of breach notification? a. It is only required when 500 or more individuals are affected b. It applies to both secured and unsecured PHI c. It applies when one person's PHI is breached d. It only applies when 20 or more individuals are affected
c Breaches by covered entities and BAs (both governed by HHS breach notification regulations) are deemed discovered when the breach is first known or reasonably should have been known. All individuals whose information has been breached must be notified without unreasonable delay, and within 60 days, by first-class mail or a faster method, such as by telephone, if there is the potential for imminent misuse (Rinehart-Thompson 2016b, 240).
Which of the following has access to personally identifiable data without authorization or subpoena? a. Insurance company for life insurance eligibility b. The patient's attorney c. Public health department for disease reporting purposes d. Workers' compensation for disability claim settlement
c Covered entities may disclose PHI to public health entities, even if the law does not specifically require the disclosure, when the disclosure is for the purpose of preventing or controlling disease, injury, or disability. This includes, but is not limited to, the reporting of disease, injury, and vital events such as birth or death, and the conduct of public health surveillance (Brodnik 2017c, 411).
Written business associate agreements are required with: a. Any company where work is outsourced b. Any outside company that handles electronic data c. Any outside company that handles electronic PHI d. Every outside company
c Covered entities must obtain a written contract with business associates or other entities who handle e-PHI. The written contract must stipulate that the business associate will implement HIPAA administrative, physical, and technical safeguards and procedures and documentation requirements that safeguard the confidentiality, integrity, and availability of the e-PHI that it creates, receives, maintains, or transmits on behalf of the covered entity (Rinehart-Thompson 2016b, 220).
Which of the following is an example of data security? a. Contingency planning b. Fire protection c. Automatic logoff after inactivity d. Card key for access to data center
c Data security includes ensuring that workstations are protected from unauthorized access. If a workstation is inactive for a period of time specified by the organization, it should log itself off automatically. The automatic log-off helps prevent unauthorized users from accessing e-PHI when an authorized user walks away from the computer without logging out of the system (Sayles and Trawick 2014, 223-224).
What type of health record policy dictates how long individual health records must remain available for authorized use? a. Disclosure policies b. Legal policies c. Retention policies d. Redisclosure policies
c Hospitals and other healthcare facilities develop health record retention policies to ensure that health records comply with all applicable state and federal regulations, accreditation standards, as well as meet future patient care needs. Most states have established regulations that address how long health records and other healthcare-related documents must be maintained before they can be destroyed (Fahrenholz 2013a, 109).
The function used to provide access controls, authentication, and audit logging in an HIE is: a. Patient identification b. Record location service c. Identity management d. Consent management
c Identity management provides security functionality, including determining who (or what information system) is authorized to access information, authentication services, audit logging, encryption, and transmission controls (Amatayakul 2016, 307).
The right of an individual to keep personal health information from being disclosed to anyone is a definition of: a. Confidentiality b. Integrity c. Privacy d. Security
c In the context of healthcare, privacy can be defined as the right of individuals to control access to their personal health information (Rinehart-Thompson 2016b, 214).
Sally has requested an accounting of PHI disclosures from Community Hospital. Which of the following must be included in an accounting of disclosures to comply with this request? a. PHI related to treatment, payment, and operations b. PHI provided to meet national security or intelligence requirements c. PHI sent to a physician who has not treated Sally d. PHI released to Sally's attorney upon her request
c Maintaining some type of accounting procedure for monitoring and tracking PHI disclosures has been a common practice in departments that manage health information. However, the Privacy Rule has a specific standard with respect to such record keeping. Disclosures for which an accounting is not required, and which are therefore exempt, include TPO disclosures, disclosures made pursuant to an authorization, and disclosures made to meet national security or intelligence requirements. PHI sent to a physician who has not treated the patient would need to be accounted for (Rinehart-Thompson 2017d, 247-248).
Which of the following security controls are built into a computer software program? a. Physical safeguards b. Administration safeguards c. Application safeguards d. Media safeguards
c One security strategy is to implement application safeguards. These are controls contained in the application software or computer programs. One common application control is password management. It involves keeping a record of end users' identifications and passwords and then matching the passwords to each end user's privileges (Rinehart-Thompson 2016c, 265).
Placing locks on computer room doors is considered what type of security control? a. Access control b. Workstation control c. Physical safeguard d. Security breach
c Physical safeguards protect physical equipment, media, or facilities. For example, doors leading to the areas that house mainframes and other principal computing equipment should have locks on them (Rinehart-Thompson 2016c, 264).
The legal term used to describe when a patient has the right to maintain control over certain personal information is referred to as: a. Access b. Confidentiality c. Privacy d. Security
c Privacy is the right of a patient to maintain control over certain health information (Rinehart-Thompson 2016b, 214).
An individual's right to control access to his or her personal information is known as: a. Security b. Confidentiality c. Privacy d. Access control
c Privacy, confidentiality, and security are related, but distinct, concepts. In the context of healthcare, privacy can be defined as the right of individuals to control access to their personal health information. Confidentiality refers to the expectation that the personal information shared by an individual with a healthcare provider during the course of care will be used only for its intended purpose. Security is the protection of the privacy of individuals and the confidentiality of health records (Johns 2015, 210-211).
The release of information function requires the HIM professional to have knowledge of: a. Clinical coding principles b. Database development c. Federal and state confidentiality laws d. Human resource management
c Release of information (ROI) is the process of providing PHI access to individuals or entities that are deemed to be authorized to either receive or review it. Protecting the security and privacy of patient information is one of a healthcare organization's top priorities, and the HIM department is usually responsible for determining appropriate access to and ROI from patient health records. Knowledge of state and federal confidentiality laws is critical to the ROI function (Rinehart-Thompson 2016b, 243-244).
During user acceptance testing of a new EHR system, physicians are complaining that they have to use multiple log-on screens to access all the system modules. For example, they have to use one log-on for CPOE and another log-on to view laboratory results. One physician suggests having a single sign-on that would provide access to all the EHR system components. However, the hospital administrator thinks that one log-on would be a security issue. What information should the HIM director provide? a. Single sign-on is not supported by HIPAA security measures. b. Single sign-on is discouraged by the Joint Commission. c. Single sign-on is less frustrating for the end user and can provide better security. d. Single sign-on is not possible given today's technology.
c Single sign-on allows sign-on to multiple related, but independent, software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Single sign-off is the reverse property whereby a single action of signing out terminates access to multiple software systems (Rinehart-Thompson 2016c, 263).
A health information technician receives a subpoena ad testificandum. To respond to the subpoena, which of the following should the technician do? a. Review the subpoena to determine what documents must be produced b. Review the subpoena and notify the hospital administrator c. Review the subpoena and appear at the time and place supplied to give testimony d. Review the subpoena and alert the hospital's risk management department
c Sometimes HIM professionals are subpoenaed to testify as to the authenticity of the health records by confirming that they were compiled in the normal course of business and have not been altered in any way. A subpoena that is issued to elicit testimony is a subpoena ad testificandum (Rinehart-Thompson 2016b, 215).
Which of the following is considered a two-factor authentication system? a. User ID with a password b. User ID with voice scan c. Password and swipe card d. Password and PIN
c Strong authentication requires providing information from two of the three different types of authentication information. The three methods are something you know, such as a password or PIN; something you have, such as an ATM card, token, swipe card, or smart card; and something you are, such as a biometric fingerprint, voice scan, iris, or retinal scan. Providing something one knows (password) together with something one has (swipe card) is called two-factor authentication (Rinehart-Thompson 2016c, 262-263).
The HIM supervisor suspects that a departmental employee is accessing the EHR for personal reasons, but has no specific data to support this suspicion. In this case, what should the supervisor do? a. Confront the employee. b. Send out a memorandum to all department employees reminding them of the hospital policy on Internet use. c. Ask the security officer for audit trail data to confirm or disprove the suspicion. d. Transfer the employee to another job that does not require computer usage.
c The HIM supervisor should determine if a breach has occurred before action is taken. This can be done using an audit trail, which is a software program that tracks access to data in the EHR. It logs the name of the individual who accessed the data, the date and time, and the action taken (for example, modifying, reading, or deleting data) (Rinehart-Thompson 2016c, 265).
Community Hospital is discussing restricting the access that physicians have to electronic health records. The medical record committee is divided on how to approach this issue. Some committee members maintain that all information should be available, whereas others maintain that HIPAA restricts access. The HIM director is part of the committee. Which of the following should the director advise the committee? a. HIPAA restricts the access of physicians to all information. b. The "minimum necessary" concept does not apply to disclosures made for treatment purposes; therefore, physician access should not be restricted. c. The "minimum necessary" concept does not apply to disclosures made for treatment purposes, but the organization must define what physicians need as part of their treatment role. d. The "minimum necessary" concept applies only to attending physicians, and therefore, restriction of access must be implemented.
c The HIPAA Privacy Rule concept of "minimum necessary" does not apply to disclosures made for treatment purposes. However, the covered entity must define, within the organization, what information physicians need as part of their treatment role (Thomason 2013, 5).
Community Hospital is planning implementation of various elements of the EHR in the next six months. Physicians have requested the ability to access the EHR from their offices and from home. What advice should the HIM director provide? a. HIPAA regulations do not allow this type of access. b. This access would be covered under the release of PHI for treatment purposes and poses no security or confidentiality threats. c. Access can be permitted providing that appropriate safeguards are put in place to protect against threats to security. d. Access can be permitted because the physicians are on the medical staff of the hospital and are covered by HIPAA as employees.
c The HIPAA Privacy Rule permits healthcare providers to access protected health information for treatment purposes. However, there is also a requirement that the covered entity provide reasonable safeguards to protect the information. These requirements are not easy to meet when the access is from an unsecured location, although policies, medical staff bylaws, confidentiality or other agreements, and a careful use of new technology can mitigate some risks (Thomason 2013, 46).
St. Joseph's Hospital has a psychiatric service on the sixth floor of the hospital. A 31-year-old male has come to the HIM department and requested to see a copy of his medical record. He indicated he was a patient of Dr. Schmidt, a psychiatrist, and that he was on the sixth floor of St. Joseph's for the last two months. These records are not psychotherapy notes. Of the options here, what is the best course of action? a. Prohibit the patient from accessing his record, as it contains psychiatric diagnoses that may greatly upset him. b. Allow the patient to access his record. c. Allow the patient to access his record if, after contacting his physician, his physician does not think it will be harmful to the patient. d. Deny access because HIPAA prevents patients from reviewing their psychiatric records.
c The HIPAA Privacy Rule provides patients with significant rights that allow them to have some measure of control over their health information. As long as state laws or regulations or the physician do not state otherwise, competent adult patients have the right to access their health record (Rinehart-Thompson 2017d, 243-244).
Community Hospital is terminating its business associate relationship with a medical transcription company. The transcription company has no further need for any identifiable information that it may have obtained in the course of its business with the hospital. The CFO of the hospital believes that to be HIPAA compliant, all that is necessary is for the termination to be in a formal letter signed by the CEO. In this case, how should the director of HIM advise the CFO? a. Determine that a formal letter of termination meets HIPAA requirements and no further action is required. b. Confirm that a formal letter of termination meets HIPAA requirements and no further action is required except that the termination notice needs to be retained for seven years. c. Confirm that a formal letter of termination is required and that the transcription company must provide the hospital with a certification that all PHI that it had in its possession has been destroyed or returned. d. Inform the CFO that business associate agreements cannot be terminated.
c The HIPAA Privacy Rule requires the covered entity to have business associate agreements in place with each business associate. This agreement must always include provisions regarding destruction or return of protected health information (PHI) upon termination of a business associate's services. Upon notice of the termination, the covered entity needs to contact the business associate and determine if the entity still retains any protected health information from, or created for, the covered entity. The PHI must be destroyed, returned to the covered entity, or transferred to another business associate. Once the PHI is transferred or destroyed, it is recommended that the covered entity obtain a certification from the business associate that either it has no PHI, or all PHI it had has been destroyed or returned to the covered entity (Thomason 2013, 18).
Central City Clinic has requested that Ghent Hospital send its hospital records for Susan Hall's most recent admission to the clinic for her follow-up appointment. Which of the following statements is true? a. The Privacy Rule requires that Susan Hall complete a written authorization. b. The hospital may send only the discharge summary, history and physical, and operative report. c. The Privacy Rule's minimum necessary requirement does not apply. d. This "public interest and benefit" disclosure does not require the patient's authorization.
c There are certain circumstances where the minimum necessary requirement does not apply, such as disclosures to healthcare providers for treatment; to the individual or his personal representative; pursuant to the individual's authorization; to the secretary of HHS for investigations, compliance review, or enforcement; as required by law; or to meet other Privacy Rule compliance requirements (164.502(b)(2); Rinehart-Thompson 2017c, 234).
Release of birth and death information to public health authorities: a. Is prohibited without patient consent b. Is prohibited without patient authorization c. Is a public interest and benefit disclosure that does not require patient authorization d. Requires both patient consent and authorization
c There are circumstances where PHI can be used or disclosed without the individual's authorization and without granting the individual the opportunity to agree or object. Some of these circumstances include preventing or controlling diseases, injuries, and disabilities, and reporting disease, injury, and vital events such as births and deaths (Rinehart-Thompson 2016b, 235).
Spoliation can be defined as which of the following? a. It is required after a legal hold is imposed b. It is the negligent destruction or changing of information c. It is destroying, changing, or hiding evidence intentionally d. It can only be performed on records that are involved in a court proceeding
c To preserve discoverable data, organizations must also ensure that records involved in litigation or potential litigation are preserved through a legal hold, which is generally a court order to preserve a health record if there is concern about destruction. A legal hold supersedes routine destruction procedures. It also prevents spoliation—the act of destroying, changing, or hiding evidence intentionally (Rinehart-Thompson 2016b, 216).
A subpoena duces tecum compels the recipient to: a. Serve on a jury b. Answer a complaint c. Testify at trial d. Bring records to a legal proceeding
d A subpoena duces tecum instructs the recipient to bring documents and other records with himself or herself to a deposition or to court (Rinehart-Thompson 2017a, 59).
When a patient revokes authorization for release of information after a healthcare facility has already released the information, the facility in this case: a. May be prosecuted for invasion of privacy b. Has become subject to civil action c. Has violated the security regulations of HIPAA d. Is protected by the Privacy Act
d An individual may revoke an authorization at any time, provided that he or she does so in writing. However, the revocation does not apply when the covered entity has already taken action on the authorization (Rinehart-Thompson 2017c, 223).
Under HIPAA, which of the following is not named as a covered entity? a. Attending physician b. Healthcare clearinghouse c. Health plan d. Outsourced transcription company
d An outsourced transcription company and vendor would be business associates of a covered entity (CE). Although business associates are not directly regulated by the Privacy Rule, they do come under the Privacy Rule's requirements by virtue of their association with one or more CEs. A business associate is a person or organization other than a member of a CE's workforce that performs functions or activities on behalf of or affecting a CE that involve the use or disclosure of individually identifiable health information (45 CFR 160.103(1); Rinehart-Thompson 2017c, 210-211).
Ted and Mary are the adoptive parents of Susan, a minor. What is the best way for them to obtain a copy of Susan's operative report? a. Wait until Susan is 18 b. Present an authorization signed by the court that granted the adoption c. Present an authorization signed by Susan's natural (birth) parents d. Present an authorization that at least one of them (Ted or Mary) has signed
d Because minors are, as a general rule, legally incompetent and unable to make decisions regarding the use and disclosure of their own health information, this authority belongs to the minor's parent(s) or legal guardian(s) unless an exception applies. Because the privacy, security, and confidentiality of minor records are heavily regulated, HIM professionals should also consult state regulations or legal counsel for specific questions. Generally, only one parent signature is required to authorize the use or disclosure of the minor's PHI (Brodnik 2017b, 343).
Which of the following would be the best course of action to take to ensure continuous availability of electronic data? a. Acquire storage management software. b. Send data to a remote site using the Internet. c. Store data on RAID. d. Use redundant servers.
d Data must be available continuously. When paper as a backup no longer exists in a paperless electronic health record (EHR) environment, users must be assured that the computer system is available to them at all times. To achieve such availability, an EHR should have server redundancy. This means that as data are entered and processed by one server, they are entered and processed simultaneously by a second server. Should the primary server crash, the system should be designed to "fail over" to the second server and can continue processing as if, at least from the user's point of view, nothing had happened (Rinehart-Thompson 2016a, 212-213).
An HIT using her password can access and change data in the hospital's master patient index. A billing clerk, using his password, cannot perform the same function. Limiting the class of information and functions that can be performed by these two employees is managed by: a. Network controls b. Audit trails c. Administrative controls d. Access controls
d Determining what data to make available to an employee usually involves identifying classes of information based on the employee's role in the organization. Every role in the organization should be identified, along with the type of information required to perform it. This is often referred to as role-based access. Although there are other types of access control strategies, role-based access is probably the one used most often in healthcare organizations. Access to information and information resources (such as computers) must be restricted to those authorized to access the information or the associated resources (Rinehart-Thompson 2016c, 262).
The medical record of Kathy Smith, the plaintiff, has been subpoenaed for a deposition. The plaintiff's attorney wishes to use the records as evidence to prove his client's case. In this situation, although the record constitutes hearsay, it may be used as evidence based on the: a. Admissibility exception b. Discovery exception c. Direct evidence exception d. Business records exception
d The Business Records Exception is the rule under which a record is determined not to be hearsay if it was made at or near the time by, or from information transmitted by, a person with knowledge; it was kept in the course of a regularly conducted business activity; and it was the regular practice of that business activity to make the record (Klaver 2017a, 80).
A patient requests a copy of his health records. When the request is received, the HIM clerk finds that the records are stored off-site. Which is the longest timeframe the hospital can take to remain in compliance with HIPAA regulations? a. Provide copies of the records within 15 days b. Provide copies of the records within 30 days c. Provide copies of the records within 45 days d. Provide copies of the records within 60 days
d The HIPAA Privacy Rule requires that records be produced within 30 days to a patient or their personal representative, with a one-time extension of an additional 30 days if necessary. If such an additional 30 days is needed, the covered entity must notify the patient in writing of the need for additional time (Thomason 2013, 98).
The "custodian of health records" refers to the individual within an organization who is responsible for all except which of the following actions? a. Authorized to certify records b. Supervising inspection and copying of record c. Testifying to the authenticity of records d. Testifying regarding the care of the patient
d The custodian of health records is the individual who has been designated as having responsibility for the care, custody, control, and proper safekeeping and disclosure of health records for such persons or institutions that prepare and maintain records of healthcare. The custodian of the health record does not have the responsibility or expertise to testify regarding the care of the patient (Brodnik 2017a, 9).
The HIPAA Privacy Rule: a. Protects only medical information that is not already specifically protected by state law b. Supersedes all state laws that conflict with it c. Is federal common law d. Sets a minimum (floor) of privacy requirements
d With the passage of the Privacy Rule, a minimum amount of protection (that is, a floor) was achieved uniformly across all the states through the establishment of a consistent set of standards that affected providers, healthcare clearinghouses, and health plans (Rinehart-Thompson 2017c, 210).
The process of releasing health record documentation originally created by a different provider is called: a. Privileged communication b. Subpoena c. Jurisdiction d. Redisclosure
d The process of releasing health record documentation originally created by a different provider is called redisclosure. Federal and state regulations provide specific redisclosure guidelines; however, when in doubt, follow the same principles as the release and disclosure guidelines for other types of health record information (Fahrenholz 2013a, 104).