Content Area: Health Information Privacy and Security Mock Exam

The administrator states that he should not have to participate in privacy and security training as he does not use PHI. How should you respond? Selected Answer: Correct "All employees are required to participate in training, including top administration" Answers: Correct "All employees are required to participate in training, including top administration" "I will record that in my files" "Did you read the privacy rules?" "You are correct. There is no reason for you to participate in the training"

"All employees are required to participate in training, including top administration"

Which of the following statements demonstrates a violation of protected health information? Selected Answer: Correct "Mary, at work yesterday I saw that Susan had a hysterectomy" Answers: "Can you help me find Mary Smith's record?" A member of the physician's office staff calls centralized scheduling and says, "Dr. Smith wants to perform a bunionectomy on Mary Jones next Tuesday" Correct "Mary, at work yesterday I saw that Susan had a hysterectomy" Dr. Jones tells a nurse on the floor to give Ms. Brown Demerol for her pain

"Mary, at work yesterday I saw that Susan had a hysterectomy"

Which of the following techniques would a facility employ for access control? 1 - automatic log off 2 - authentication 3 - integrity controls 4 - unique user identification Selected Answer: Correct 1 and 4 only Answers: Correct 1 and 4 only 1 and 2 only 2 and 4 only 3 and 4 only

1 and 4 only

Physical safeguards include: 1 - tools to monitor access 2 - tools to control access to computer systems 3 - fire protection 4 - tools preventing unauthorized access to data Selected Answer: Correct 2 and 3 Answers: 1 and 2 1 and 3 Correct 2 and 3 2 and 4

2 and 3

The hospital has received a request for an amendment. How long does the facility have in order to accept or deny the request? Selected Answer: Correct 30 days Answers: Correct 30 days 60 days 14 days 10 days

30 days

Which of the following statements is true about a requested restriction? Selected Answer: Correct ARRA mandates that a CE must comply with a requested restriction unless it meets one of the exceptions Answers: ARRA mandates that a CE must comply with a requested restriction ARRA states that a CE does not have to agree to a requested restriction Correct ARRA mandates that a CE must comply with a requested restriction unless it meets one of the exceptions ARRA does not address restrictions to PHI

ARRA mandates that a CE must comply with a requested restriction unless it meets one of the exceptions

A patient's medical record was breached. The written notification that goes out to the patient should contain only a message to call the hospital. Selected Answer: Correct false statement - the patient should receive a brief description of the breach, what the covered entity is doing about the breach, what the patient should do, and whom to contact Answers: true statement - this is too sensitive to address in a letter Correct false statement - the patient should receive a brief description of the breach, what the covered entity is doing about the breach, what the patient should do, and whom to contact false statement - because the patient should be told to contact the Office of the Inspector General false statement - because the patient should be told what happened and that the facility is sorry and hopes the patient will not have any problems as a result of the breach

False statement - the patient should receive a brief description of the breach, what the covered entity is doing about the breach, what the patient should do, and whom to contact

A mechanism to ensure that PHI has not been altered or destroyed inappropriately has been established. This process is called Selected Answer: Correct integrity Answers: entity authentication audit controls access control Correct integrity

Integrity

Margaret looked up PHI on her ex-sister-in-law. A routine audit discovered the violation. Which statement is true under ARRA? Selected Answer: Correct Margaret cannot be prosecuted since she is not a covered entity Answers: Correct Margaret cannot be prosecuted since she is not a covered entity Margaret cannot be prosecuted since she is not a covered entity or business associate Margaret cannot be prosecuted since she did not sell the PHI Margaret can be prosecuted

Margaret cannot be prosecuted since she is not a covered entity

Mark, a patient of Schnering Hospital, has asked for an electronic copy of his medical record to go to his physician. According to ARRA, what is the CE's obligation to Mark? Selected Answer: Correct Mark has a right to an electronic copy or to have it sent to someone else Answers: None, as this is prohibited by ARRA None, as this is prohibited by HIPAA Mark has a right to an electronic copy, but it has to go to him, not a third party Correct Mark has a right to an electronic copy or to have it sent to someone else

Mark has a right to an electronic copy or to have it sent to someone else

Mary processed a request for information and mailed it out last week. Today, the requestor, an attorney, called and said that all of the requested information was not provided. Mary pulls the documentation, including the authorization and what was sent. She believes that she sent everything that was required. She confirms this with her supervisor. The requestor still believes that some extra documentation is required. Given the above information, which of the following statements is true? Selected Answer: Correct Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule Answers: Correct Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule Mary is required to release the extra documentation because the requestor knows what is needed Mary is required to release the extra documentation because, in the customer service program for the facility, the customer is always right Mary is not required to release the additional information because her administrator agrees with her

Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule

Nicole is developing an agreement that will be used between the hospital and the health care clearing house. This agreement will require the two parties to protect the privacy of data exchanged. This is called Selected Answer: Correct a business associate agreement Answers: Correct a business associate agreement a business contract a trading partner agreement none of the above

a business associate agreement

Mountain Hospital has discovered a security breach. Someone hacked into the system and viewed 50 medical records. According to ARRA, what is the responsibility of the covered entity? Selected Answer: Correct all individuals must be notified within 60 days Answers: ARRA does not address this issue all individuals must be notified within 30 days Correct all individuals must be notified within 60 days ARRA requires oral notification

all individuals must be notified within 60 days

You have been asked to provide examples of technical security measures. Which of the following would you include in your list of examples? Selected Answer: Correct automatic logout Answers: locked doors Correct automatic logout minimum necessary training

automatic logout

Which security measure utilizes fingerprints or retina scans? Selected Answer: Correct biometrics Answers: audit trail Correct biometrics authentication encryption

biometrics

The computer system containing the electronic health record was located in a room that was flooded. As a result, the system is inoperable. Which of the following would be implemented? Selected Answer: Correct business continuity processes Answers: SWOT analysis information systems strategic planning request for proposal Correct business continuity processes

business continuity processes

Alisa has trouble remembering her password. She is trying to come up with a solution that will help her remember. Which one of the following would be the BEST practice? Selected Answer: Correct creating a password that utilizes a combination of letters and numbers Answers: using the word "password" for her password using her daughter's name for her password writing the complex password on the last page of her calendar Correct creating a password that utilizes a combination of letters and numbers

creating a password that utilizes a combination of letters and numbers

Your organization is sending confidential patient information across the Internet using technology that will transform the original data into unintelligible code that can be re-created by authorized users. This technique is called Selected Answer: Correct data encryption Answers: a firewall validity processing a call-back process Correct data encryption

data encryption

Intentional threats to security could include Selected Answer: Correct data theft Answers: a natural disaster equipment failure human error Correct data theft

data theft

As Chief Privacy Officer for Premier Medical Center, you are responsible for which of the following? Selected Answer: Correct developing a plan for reporting privacy complaints Answers: backing up data Correct developing a plan for reporting privacy complaints writing policies on protecting hardware writing policies on encryption standards

developing a plan for reporting privacy complaints

Contingency planning includes which of the following processes? Selected Answer: Correct disaster planning Answers: data quality systems of analysis Correct disaster planning hiring practices

disaster planning

You are defining the designated record set for South Beach Healthcare Center. Which of the following would be included? Selected Answer: Correct discharge summary Answers: quality reports psychotherapy notes Correct discharge summary information compiled for use in civil hearing

discharge summary

You are writing a policy on how to document the amendment process. What information should be required by the policy? Selected Answer: Incorrect documentation of request and refusal Answers: none documentation of request and refusal documentation of request Correct documentation of a request, a refusal, and a patient's right to write a statement of disagreement

documentation of a request, a refusal, and a patient's right to write a statement of disagreement

Dr. Brown has just approved the patient's request to amend the medical record. Dr. Brown has routed the request with his approval to the HIM Department. What should the HIM Department do? Selected Answer: Correct file the request where the erroneous information is located and send a copy of the amendment to anyone who has a copy of the erroneous information plus anyone the patient requests Answers: file the request where the erroneous information is located file the request where the erroneous information is located and send a copy of the amendment to anyone who has a copy of the erroneous information file in the front of the chart Correct file the request where the erroneous information is located and send a copy of the amendment to anyone who has a copy of the erroneous information plus anyone the patient requests

file the request where the erroneous information is located and send a copy of the amendment to anyone who has a copy of the erroneous information plus anyone the patient requests

The surgeon comes out to speak to a patient's family. He tells them that the patient came through the surgery fine. The mass was benign and they could see the patient in an hour. He talks low so that the other people in the waiting room will not hear but someone walked by and heard. This is called a(n) Selected Answer: Correct incidental disclosure Answers: privacy breach violation of policy Correct incidental disclosure privacy incident

incidental disclosure

Patricia is processing a request for medical records. The record contains an operative note and a discharge summary from another hospital. The records are going to another physician for patient care. What should Patricia do? Selected Answer: Correct include the documents from the other hospital Answers: notify the requestor that redisclosure is illegal and so he must get the operative note and discharge summary records from the original source hospital Correct include the documents from the other hospital redisclose when necessary for patient care redisclose when allowed by law

include the documents from the other hospital

Which of the following statements is true about the Privacy Act of 1974? Selected Answer: Incorrect it applies to all organizations that maintain health care data in any form Answers: it applies to all organizations that maintain health care data in any form it applies to all health care organizations Correct it applies to the federal government it applies to federal government except for the Veterans Health Administration

it applies to the federal government

I have been asked if I want to be in the directory. The admission clerk explains that if I am in the directory Selected Answer: Correct my friends and family can find out my room number Answers: Correct my friends and family can find out my room number my condition can be discussed with any caller in detail my condition can be released to the news media my condition can be released to hospital staff only

my friends and family can find out my room number

Facility access controls, workstation use, workstation security, and device/media controls are all part of Selected Answer: Correct physical safeguards Answers: Correct physical safeguards technical safeguards administrative safeguards organizational requirements

physical safeguards

America LTD has developed a PHR. According to ARRA, the health information that they store is Selected Answer: Correct protected Answers: not protected Correct protected mandated to be de-identified subject to security, but not privacy, requirements

protected

Ms. Thomas was a patient at your facility. She has been told that there are some records that she cannot have access to. These records are most likely Selected Answer: Correct psychotherapy notes Answers: Correct psychotherapy notes alcohol and drug records AIDS records mental health assessment

psychotherapy notes

Which of the following would be a business associate? Selected Answer: Correct release of information company Answers: Correct release of information company bulk food service provider childbirth class instructor security force

release of information company

Which of the following disclosures would require patient authorization? Selected Answer: Incorrect law enforcement activities Answers: law enforcement activities workers' compensation Correct release to patient's attorney public health activities

release to patient's attorney

You are writing a policy for the release of information area. This policy will include the requirements for a valid authorization. Which of the following would not be included? Selected Answer: Incorrect expiration Answers: expiration Correct request for an accounting of disclosure statement or right to revoke description of information to be disclosed

request for an accounting of disclosure

You are looking for potential problems and violations of the privacy rule. What is this security management process called? Selected Answer: Correct risk assessment Answers: risk management Correct risk assessment risk aversion business continuity planning

risk assessment

You are reviewing your privacy and security policies, procedures, training programs, and so on, and comparing them to the HIPAA and ARRA regulations. You are conducting a Selected Answer: Incorrect compliance audit Answers: policy assessment Correct risk assessment compliance audit risk management

risk assessment

Kyle, the HIM Director, has received a request to amend a patient's medical record. The appropriate action for him to take is Selected Answer: Correct route the request to the physician who wrote the note in question to determine the appropriateness of the amendment Answers: make the modification because you have received the request file the request in the chart to document the disagreement with the information contained in the medical record Correct route the request to the physician who wrote the note in question to determine the appropriateness of the amendment return the notice to the patient because amendments are not allowed

route the request to the physician who wrote the note in question to determine the appropriateness of the amendment

You work for a 60-bed hospital in a rural community. You are conducting research on what you need to do to comply with HIPAA. You are afraid that you will have to implement all of the steps that your friend at a 900-bed teaching hospital is implementing at his facility. You continue reading and learn that you only have to implement what is prudent and reasonable for your facility. This is called Selected Answer: Correct scalable Answers: Correct scalable risk assessment technology neutral access control

scalable

Encryption, access control, emergency access to records, and biometrics are examples of Selected Answer: Correct technical security Answers: transmission security Correct technical security a security incident telecommunications

technical security

The HIPAA security rule does not require specific technologies to be used but rather provides direction on the outcome. The term used to describe this philosophy is Selected Answer: Correct technology neutral Answers: technology free Correct technology neutral administrative rules generic technology

technology neutral

Which of the following situations violate a patient's privacy? Selected Answer: Correct the hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples Answers: the hospital sends patients who are scheduled for deliveries information on free childbirth classes the physician on the quality improvement committee reviews medical records for potential quality problems Correct the hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples the hospital uses aggregate data to determine whether or not to add a new operating room suite

the hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples

Which of the following should the record destruction program include? Selected Answer: Correct the method of destruction Answers: Correct the method of destruction the name of the supervisor destroying the records citing the laws followed requirement of daily destruction

the method of destruction

A patient has submitted an authorization to release information to a physician office for continued care. The release of information clerk wants to limit the information provided because of the minimum necessary rule. What should the supervisor tell the clerk? Selected Answer: Correct the patient is an exception to the minimum necessary rule, so process the request as written Answers: good call Correct the patient is an exception to the minimum necessary rule, so process the request as written the minimum necessary rule was eliminated with ARRA the minimum necessary rule only applies to attorney

the patient is an exception to the minimum necessary rule, so process the request as written

Which statement is true about when a family member can be provided with PHI? Selected Answer: Incorrect the family member is directly involved in the patient's care Answers: Correct the patient's mother can always receive PHI on their child the family member lives out of town and cannot come to the facility to check on the patient the family member is a health care professional the family member is directly involved in the patient's care

the patient's mother can always receive PHI on their child

Barbara, a nurse, has been flagged for review because she logged in to the EHR in the evening when she usually works the day shift. Why should this conduct be reviewed? Selected Answer: Correct this needs to be investigated before a decision is made because there may be a legitimate reason why she logged in at this time Answers: this is a privacy violation Correct this needs to be investigated before a decision is made because there may be a legitimate reason why she logged in at this time this is not a violation since Barbara, a nurse, has full access to data in the EHR no action is required

this needs to be investigated before a decision is made because there may be a legitimate reason why she logged in at this time

Your department was unable to provide a patient with a copy of his record within the 30-day limitation. What should you do? Selected Answer: Incorrect both write and call the patient to tell him you need a 30-day extension Answers: call the patient and apologize call the patient and let him know that you will need a 30-day extension Correct write the patient and tell him that you will need a 30-day extension both write and call the patient to tell him you need a 30-day extension

write the patient and tell him that you will need a 30-day extension

Margaret has signed an authorization to release information regarding her ER visit for a fractured finger to her attorney. Specifically, she says to release the ER history and physical, x-rays, and any procedure notes related to a finger fracture with laceration. Which of the following violates her privacy if released based on this authorization? Selected Answer: Correct x-ray of chest Answers: release of face sheet used in ER as a history Correct x-ray of chest x-ray of finger documentation of suturing of finger

x-ray of chest

