Content Area IX, RHIT Exam: Health Information Privacy and Security
The administrator states that he should not have to participate in privacy and security training as he does not use PHI. How should you respond?
"All employees are required to participate in training, including top administration"
Which of the following statements demonstrates a violation of protected health information?
"Mary, at work yesterday I saw that Susan had a hysterectomy"
The hospital has received a request for an amendment. How long does the facility have in order to accept or deny the request?
60 days (one 30-day extension is allowed if the patient is given the reason for the delay in writing)
Which of the following statements is true about a requested restriction?
ARRA mandates that a CE must agree to a requested restriction on disclosures to a health plan for payment or health care operations when the patient has paid for the item or service out of pocket in full (unless the disclosure is required by law); other restriction requests may be declined
Mountain Hospital has discovered a security breach. Someone hacked into the system and viewed 50 medical records. According to ARRA, what is the responsibility of the covered entity?
All affected individuals must be notified without unreasonable delay and no later than 60 days after discovery of the breach
Which of the following techniques would a facility employ for access control?
Automatic log-off; unique user identification
Which security measure utilizes fingerprints or retina scans?
Biometrics
A patient's medical record was breached. The written notification that goes out to the patient should contain only a message to call the hospital
False statement - the patient should receive a brief description of the breach, what the covered entity is doing about the breach, what the patient should do, and whom to contact
Dr. Brown has just approved the patient's request to amend the medical record. Dr. Brown has routed the request with his approval to the HIM Department. What should the HIM Department do?
File the request where the erroneous information is located and send a copy of the amendment to anyone who has a copy of the erroneous information plus anyone the patient requests
Which of the following statements is true about the Privacy Act of 1974?
It applies to the federal government
Margaret looked up PHI on her ex-sister-in-law. A routine audit discovered the violation. Which statement is true under ARRA?
Margaret can be prosecuted under ARRA even though she is not a covered entity; ARRA clarified that criminal penalties reach individuals, including employees, who obtain or disclose PHI without authorization
Mark, a patient of Schnering Hospital, has asked for an electronic copy of his medical record to go to his physician. According to ARRA, what is the CE's obligation to Mark?
Mark has a right to an electronic copy or to have it sent to someone else
Mary processed a request for information and mailed it out last week. Today, the requestor, an attorney, called and said that not all of the requested information was provided. Mary pulls the documentation, including the authorization and what was sent. She believes that she sent everything that was required. She confirms this with her supervisor. The requestor still believes that some extra documentation is required. Given the above information, which of the following statements is true?
Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum necessary standard
Which of the following disclosures would require patient authorization?
Release to patient's attorney
You are looking for potential problems and violations of the privacy rule. What is this security management process called?
Risk assessment
Which of the following should the record destruction program include?
The method of destruction
A patient has submitted an authorization to release information to a physician office for continued care. The release of information clerk wants to limit the information provided because of the minimum necessary rule. What should the supervisor tell the clerk?
Disclosures made under the patient's own authorization (and disclosures to a provider for treatment) are exceptions to the minimum necessary rule, so process the request as written
Barbara, a nurse, has been flagged for review because she logged in to the EHR in the evening when she usually works the day shift. Why should this conduct be reviewed?
The login should be investigated before any decision is made, because there may be a legitimate reason for it (a shift swap, a call-back, or a treatment need); the audit flag is a lead, not a finding
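The review described above starts with an audit-log check that compares each login against the user's rostered shift and then pulls what the session did, so the reviewer has the facts before talking to the nurse. The following is an added example (not from the original study set or any vendor EHR): the audit lines and shift roster are constructed sample data, and the field layout, user IDs and workstation names are assumptions.

```python
from datetime import datetime, time

# Constructed EHR audit-log excerpt (sample data made up for this example,
# not from any real system). Fields: timestamp, user ID, event, detail.
AUDIT_LOG = """\
2024-03-04T07:58:12 bjones LOGIN ws-3n-01
2024-03-04T16:02:40 bjones LOGOUT ws-3n-01
2024-03-05T08:03:51 bjones LOGIN ws-3n-02
2024-03-05T15:55:09 bjones LOGOUT ws-3n-02
2024-03-06T07:49:33 bjones LOGIN ws-3n-01
2024-03-06T16:10:17 bjones LOGOUT ws-3n-01
2024-03-07T21:14:05 bjones LOGIN ws-er-07
2024-03-07T21:31:22 bjones RECORD_VIEW mrn=104233
2024-03-07T21:40:02 bjones LOGOUT ws-er-07
2024-03-04T22:01:00 rpatel LOGIN ws-icu-02
2024-03-05T05:48:37 rpatel LOGOUT ws-icu-02
"""

# Hypothetical shift roster from the staffing system: user -> (shift start, shift end).
# rpatel's shift crosses midnight, which the window check has to handle.
SHIFT_ROSTER = {
    "bjones": (time(6, 0), time(18, 0)),   # day shift
    "rpatel": (time(18, 0), time(6, 0)),   # night shift
}


def in_window(clock, start, end):
    """True if clock falls inside [start, end); overnight windows wrap past midnight."""
    if start <= end:
        return start <= clock < end
    return clock >= start or clock < end


def parse_line(line):
    """Split one audit line into (datetime, user, event, detail)."""
    ts, user, event, detail = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, event, detail


def flag_off_shift_logins(log_text, roster):
    """Return LOGIN events outside the user's rostered shift (or with no roster entry).

    These are leads for a reviewer, not findings: a late login may be covered by
    an approved shift swap or a call-back, so each is checked with the unit
    manager before any action is taken.
    """
    flags = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = parse_line(line)
        if event != "LOGIN":
            continue
        if user not in roster:
            flags.append({"user": user, "when": ts.isoformat(), "workstation": detail,
                          "reason": "no shift on file for this user"})
            continue
        start, end = roster[user]
        if not in_window(ts.time(), start, end):
            flags.append({"user": user, "when": ts.isoformat(), "workstation": detail,
                          "reason": f"login at {ts:%H:%M} outside rostered "
                                    f"{start:%H:%M}-{end:%H:%M} shift"})
    return flags


def session_activity(log_text, user, login_ts):
    """Events the user generated after a given login, up to the next LOGOUT.

    Gives the reviewer the context needed to judge whether the access served a
    legitimate treatment purpose (which records were opened, from where).
    """
    start = datetime.fromisoformat(login_ts)
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, who, event, detail = parse_line(line)
        if who != user or ts <= start:
            continue
        if event == "LOGOUT":
            break
        events.append(f"{event} {detail}")
    return events


if __name__ == "__main__":
    for f in flag_off_shift_logins(AUDIT_LOG, SHIFT_ROSTER):
        print(f"REVIEW {f['user']} {f['when']} {f['workstation']}: {f['reason']}")
        for ev in session_activity(AUDIT_LOG, f["user"], f["when"]):
            print(f"   during session: {ev}")
```

Run as-is, the only flag is bjones's 21:14 login from an ER workstation, with the one record viewed in that session listed beneath it; rpatel's 22:01 login is not flagged because it sits inside the overnight shift. The output is what the reviewer takes to the unit manager, not a verdict.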
Physical safeguards include:
Tools to control physical access to computer systems; fire protection
Nicole is developing an agreement that will be used between the hospital and a health care clearinghouse. This agreement will require the two parties to protect the privacy of data exchanged. This is called
a business associate agreement
You have been asked to provide examples of technical security measures. Which of the following would you include in your list of examples?
automatic logout
The computer system containing the electronic health record was located in a room that was flooded. As a result, the system is inoperable. Which of the following would be implemented?
business continuity processes
Alisa has trouble remembering her password. She is trying to come up with a solution that will help her remember. Which one of the following would be the BEST practice?
creating a password that utilizes a combination of letters and numbers
Your organization is sending confidential patient information across the Internet using technology that will transform the original data into unintelligible code that can be re-created by authorized users. This technique is called
data encryption
Intentional threats to security could include
data theft
As Chief Privacy Officer for Premier Medical Center, you are responsible for which of the following?
developing a plan for reporting privacy complaints
Contingency planning includes which of the following processes?
disaster planning
You are defining the designated record set for South Beach Healthcare Center. Which of the following would be included?
discharge summary
You are writing a policy on how to document the amendment process. What information should be required by the policy?
documentation of a request, a refusal, and a patient's right to write a statement of disagreement
The surgeon comes out to speak to a patient's family. He tells them that the patient came through the surgery fine, that the mass was benign, and that they can see the patient in an hour. He speaks quietly so that the other people in the waiting room will not hear, but someone walking by overhears. This is called an
incidental disclosure
Patricia is processing a request for medical records. The record contains an operative note and a discharge summary from another hospital. The records are going to another physician for patient care. What should Patricia do?
include the documents from the other hospital
A mechanism to ensure that PHI has not been altered or destroyed inappropriately has been established. This process is called
integrity
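A concrete integrity mechanism of the kind the card refers to is a keyed message authentication code stored with each record: the tag only verifies if the content is byte-for-byte what was sealed, and a change to any field, or to the tag itself, is detected. The following is an added example (not from the original study set or any EHR product); the record is constructed sample data and the key is a hypothetical placeholder.

```python
import hashlib
import hmac
import json

# Hypothetical integrity key (placeholder for this example). In practice it is
# held by the sealing service (e.g. in an HSM or key vault), not by the users
# who can edit records; otherwise an editor could alter a note and re-seal it.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"

# Constructed sample record (fabricated for this example).
RECORD = {
    "mrn": "104233",
    "note_type": "operative note",
    "author": "Dr. Brown",
    "text": "Laparoscopic cholecystectomy without complication.",
}


def canonical(record):
    """Serialize the record so identical content always yields identical bytes.

    Sorting keys and fixing separators matters: the same note with its fields
    in a different order must still verify.
    """
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record, key=INTEGRITY_KEY):
    """HMAC-SHA256 tag to store alongside the record when it is filed."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record, tag, key=INTEGRITY_KEY):
    """True only if the record is exactly the content that was sealed with this key."""
    expected = seal(record, key)
    # constant-time comparison, so tag checking does not leak partial matches
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    tag = seal(RECORD)
    print("sealed tag:", tag)
    print("original verifies:", verify(RECORD, tag))
    altered = dict(RECORD, text="Laparoscopic cholecystectomy with bile duct injury.")
    print("altered copy verifies:", verify(altered, tag))
```

A plain hash (SHA-256 of the record with no key) would catch accidental corruption but not deliberate alteration, because whoever changes the record can recompute the hash; the key is what ties the tag to an authorized sealing step. Amendments under the privacy rule are appended, not edited in place, so each new version gets its own tag and the old one still verifies against the old content.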
I have been asked if I want to be in the directory. The admission clerk explains that if I am in the directory
my friends and family can find out my room number
Facility access controls, workstation use, workstation security, and device/media controls are all part of
physical safeguards
America LTD has developed a PHR. According to ARRA, the health information that they store is
protected
Ms. Thomas was a patient at your facility. She has been told that there are some records that she cannot have access to. These records are most likely
psychotherapy notes
Which of the following would be a business associate?
release of information company
You are writing a policy for the release of information area. This policy will include the requirements for a valid authorization. Which of the following would not be included?
request for an accounting of disclosure
You are reviewing your privacy and security policies, procedures, training programs, and so on, and comparing them to the HIPAA and ARRA regulations. You are conducting a
gap analysis
Kyle, the HIM Director, has received a request to amend a patient's medical record. The appropriate action for him to take is
route the request to the physician who wrote the note in question to determine the appropriateness of the amendment
You work for a 60-bed hospital in a rural community. You are conducting research on what you need to do to comply with HIPAA. You are afraid that you will have to implement all of the steps that your friend at a 900-bed teaching hospital is implementing at his facility. You continue reading and learn that you only have to implement what is prudent and reasonable for your facility. This is called
scalable
Encryption, access control, emergency access to records, and biometrics are examples of
technical security
The HIPAA security rule does not require specific technologies to be used but rather provides direction on the outcome. The term used to describe this philosophy is
technology neutral
Which of the following situations violate a patient's privacy?
the hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples
Which statement is true about when a family member can be provided with PHI?
a family member involved in the patient's care may be given the PHI relevant to that involvement if the patient is given the opportunity to object and does not, or, when the patient is unavailable or incapacitated, if the provider judges the disclosure to be in the patient's best interest
Your department was unable to provide a patient with a copy of his record within the 30-day limitation. What should you do?
write the patient within the original 30 days, stating the reason for the delay and the date by which the copy will be provided; only one 30-day extension is allowed
Margaret has signed an authorization to release information regarding her ER visit for a fractured finger to her attorney. Specifically, she says to release the ER history and physical, x-rays, and any procedure notes related to a finger fracture with laceration. Which of the following violates her privacy if released based on this authorization?
x-ray of chest