domain 2

).Identifying appropriate users of specific information is a function of: a. Access control b. Nosology c. Data modeling d. Workflow modeling

. a An EHR can provide highly effective access controls to meet the HIPAA Privacy Rule minimum necessary standard requirements. Role-based access controls are used where only specific classes of persons may access protected health information. Context-based access controls add the dimensions that control not only class of persons but specific categories of information and under specific conditions for which access is permitted (Amatayakul 2017, 376-377).

. Ensuring that data have been accessed or modified only by those authorized to do so is a function of: a. Data integrity b. Data quality c. Data granularity d. Logging functions

. a Data integrity means that data should be complete, accurate, consistent and up-to-date. With respect to data security, organizations must put protections in place so that no one may alter or dispose of data in a manner inconsistent with acceptable business and legal rules (Johns 2015, 211).

Employees in the hospital business office may have legitimate access to patient health information without patient authorization based on what HIPAA standard or principle? a. Minimum necessary b. Compound authorization c. Accounting of disclosures d. Preemption

. a Employees in departments such as the business office, information systems, HIM, and infection control, who are not involved directly in patient care, will vary in their need to access patient information. The HIPAA "minimum necessary" principle must be applied to determine what access employees should legitimately have to PHI (45 CFR 164.502 [b]; Brodnik 2017b, 345).

. Community Hospital wants to provide transcription services for transcription of office notes of the private patients of physicians. All of these physicians have medical staff privileges at the hospital. This will provide an essential service to the physicians as well as provide additional revenue for the hospital. In preparing to launch this service, the HIM director is asked whether a business associate agreement is necessary. Which of the following should the hospital HIM director advise to comply with HIPAA regulations? a. Each physician practice should obtain a business associate agreement with the hospital. b. The hospital should obtain a business associate agreement with each physician practice. c. Because the physicians all have medical staff privileges, no business associate agreement is necessary. d. Because the physicians are part of an Organized Health Care Arrangement (OHCA) with the hospital, no business associate agreement is necessary

. a If physicians were to dictate information on patients they are treating in the facility, the disclosure of protected health information to the transcriptionists would be considered healthcare operations and, therefore, permitted under the HIPAA Privacy Rule. If physicians, who are separate covered entities, are dictating information on their private patients, however, it would be necessary for physicians to obtain a business associate agreement with the facility. It is permitted by the Privacy Rule for one covered entity to be a business associate of another covered entity (Thomason 2013, 26).

. Which of the following is a direct command that requires an individual or a representative of a healthcare entity to appear in court or to present an object to the court? a. Judicial decision b. Subpoena c. Credential d. Regulation

. b A subpoena is a direct command that requires an individual or a representative of an organization to appear in court or to present an object to the court (Fahrenholz 2017b, 90-91).

. A hospital currently includes the patient's social security number in the electronic version of the health record. The hospital risk manager has identified this as a potential identity breach risk and wants the information removed. The physicians and others in the hospital are not cooperating, saying they need the information for identification and other purposes. Given this situation, what should the HIM director suggest? a. Avoid displaying the number on any document, screen, or data collection field b. Allow the information in both electronic and paper forms since a variety of people need this data c. Require employees to sign confidentiality agreements if they have access to social security numbers d. Contact legal counsel for advice

. a It is generally agreed that Social Security numbers (SSNs) should not be used as patient identifiers. The Social Security Administration is adamant in its opposition to using the SSN for purposes other than those identified by law. AHIMA is in agreement on this issue due to privacy, confidentiality, and security issues related to the use of the SSN (Fahrenholz 2017b, 74).

Generally, policies addressing the confidentiality of quality improvement (QI) committee data (minutes, actions, and so forth) state that this kind of data is: a. Protected from disclosure b. Subject to release with patient authorization c. Generally available to interested parties d. May not be reviewed or released to external reviewers such as the Joint Commission

. a Outcomes of quality improvement studies may be used to evaluate a physician's application for continued medical staff membership and privileges to practice. These studies are usually conducted as part of the hospital's QI activities. These review activities are considered confidential and protected from disclosure (Shaw and Carter 2019, 392-393).

. The outpatient clinic of a large hospital is reviewing its patient sign-in procedures. The registration clerks say it is essential that they know if the patient has health insurance and the reason for the patient's visit. The clerks maintain that having this information on a sign-in sheet will make their jobs more efficient and reduce patient waiting time in the waiting room. What should the HIM director advise in this case? a. To be HIPAA compliant, sign-in sheets should contain the minimal information necessary such as patient name. b. Patient name, insurance status, and diagnoses are permitted by HIPAA. c. Patient name, insurance status, and reason for visit would be considered incidental disclosures if another patient saw this information. d. Any communication overheard by another patient is considered an incidental disclosure.

. a Patients may sign in their names on a waiting room list, and if another patient sees it, that is considered an incidental disclosure. However, in determining the content of these sign-in lists, the healthcare provider must take reasonable precautions that the information is limited to the minimum necessary for the purpose (Thomason 2013, 38).

. If a healthcare provider is accused of breaching the privacy and confidentiality of a patient, what resource may a patient rely on to substantiate the provider's responsibility for keeping health information private? a. Professional Code of Ethics b. Federal Code of Fair Practice c. Federal Code of Silence d. State Code of Fair Practice

. a The Professional Code of Ethics is based on ethical principles regarding privacy and confidentiality of patient information that have been an inherent part of the practice of medicine since the 4th century BC, when the Hippocratic Oath was created. Courts in various jurisdictions have concluded that a physician has a fiduciary duty to the patient to not disclose the patient's health and medical information (Theodos 2017, 14, 23).

In the case of behavioral healthcare information, a healthcare provider may disclose health information on a patient without the patient's authorization in which of the following situations? a. Court order, duty to warn, and involuntary commitment proceedings b. Duty to warn, release of psychotherapy notes, and court order c. Involuntary commitment proceedings, court order, and substance abuse treatment records d. Release of psychotherapy notes, substance abuse treatment records, and duty to warn

. a The mental health professional can disclose information without an authorization from the patient in the following situations: The patient brings up the issue of the mental or emotional condition The health professional performs an examination under a court order Involuntary commitment proceedings A legal "duty to warn" an intended victim when a patient threatens to harm an identifiable victim(s) The mental health professional believes that the patient is likely to actually harm the individual(s) (Brodnik 2017b, 347-348).

Which of the following statements is true in regard to training in protected health information (PHI) policies and procedures? a. Every member of the covered entity's workforce must be trained. b. Only individuals employed by the covered entity must be trained. c. Training only needs to occur when there are material changes to the policies and procedures. d. Documentation of training is not required.

. a Training in HIPAA policies and procedures regarding PHI is required for all workforce members to carry out their job functions appropriately. The training should be ongoing and documented for each employee (Biedermann and Dolezel 2017, 371).

Mary Jones has been declared legally incompetent by the court. Mrs. Jones's sister has been appointed her legal guardian. Her sister requested a copy of Mrs. Jones's health records. Of the options listed here, what is the best course of action? a. Comply with the sister's request but first request documentation from the sister that she is Mary Jones's legal guardian b. Provide the information as requested by the sister c. Require that Mary Jones authorize the release of her health information to the sister d. Refer the sister to Mary Jones's doctor

. a When an individual who is at or above the age of majority becomes incapacitated, either permanently or temporarily, another person should be designated to make decisions for that individual including decisions about the use and disclosure of the individual's PHI. Whoever serves as the incompetent adult's personal representative should, at minimum, hold the incompetent adult's durable power of attorney (DPOA) or durable power of attorney for healthcare decisions (DPOA-HCD) (Brodnik 2017b, 342).

Notices of privacy practices must be available at the site where the individual is treated and: a. Must be posted next to the entrance b. Must be posted in a prominent place where it is reasonable to expect that patients will read them c. May be posted anywhere at the site d. Do not have to be posted at the site

. b A notice of privacy practices must be available at the site where the individual is treated and must be posted in a prominent place where the patient can be reasonably expected to read it (Rinehart-Thompson 2017d, 219).

When ownership of a physician practice changes: a. Patients must pick up their health records and take them to another provider b. The health records of the practice may be transferred as assets c. Patients have no right to their health records d. The health records of the original physician must be destroyed

. b An ownership change may occur when a healthcare organization is sold. In physician or other provider practices where the providers have a shared ownership, an ownership change can also occur when one of the providers retires, dies, or otherwise relinquishes his or her interest in a practice. In these cases, health records are considered assets and are most likely to be transferred to successors who purchased or assumed responsibility for the organization (Rinehart-Thompson 2017c, 200).

What is the legal term used to define the protection of health information in a patient-provider relationship? a. Access b. Confidentiality c. Privacy d. Security

. b Confidentiality is a legal ethical concept that establishes the healthcare provider's responsibility for protecting health records and other personal and private information from unauthorized use or disclosure (Brodnik 2017a, 7-8).

. Kay Denton wrote to Mercy Hospital requesting an amendment to her PHI. She states that her record incorrectly lists her weight at 180 lbs. instead of her actual 150 lbs., and amending it would look better on her record. The information is present on a copy of a history and physical that General Hospital sent to Mercy Hospital. Mercy Hospital may decline to grant her request based on which privacy rule provision? a. Individuals do not have the right to make amendment requests. b. The history and physical was not created by Mercy Hospital. c. A history and physical is not part of the designated record set. d. Mercy Hospital must grant her request.

. b HIPAA permits an individual to request that a covered entity make an amendment to PHI in a designated record set. However, the covered entity may deny the request if it determines that the PHI or the record was not created by the covered entity. In this scenario the history and physical was created by General Hospital. Mercy Hospital would be able to deny the request because they did not create the history and physical for this patient (Rinehart-Thompson 2018, 86).

Which of the following is a "public interest and benefit" exception to the authorization requirement? a. Payment b. PHI regarding victims of domestic violence c. Information requested by a patient's attorney d. Treatment

. b Pursuant to the Privacy Rule, the hospital may disclose health information to law enforcement officials without authorization for law enforcement purposes for certain situations, including situations involving a crime victim. Disclosure is made in response to law enforcement officials' request for such information about an individual who is, or is suspected to be, a victim of a crime (Brinda and Watters 2020, 325

. The Medical Record Committee is reviewing the privacy policies for a large outpatient clinic. One of the members of the committee remarks that he feels that the clinic's practice of calling out a patient's full name in the waiting room is not in compliance with HIPAA regulations and that only the patient's first name should be used. Other committee members disagree with this assessment. What should the HIM director advise the committee? a. HIPAA does not allow a patient's name to be announced in a waiting room. b. There is no violation of HIPAA in announcing a patient's name, but the committee may want to consider implementing practices that might reduce this practice. c. HIPAA allows only the use of the patient's first name. d. HIPAA requires that patients be given numbers and that only the number be announced.

. b The HIPAA Privacy Rule allows communications to occur for treatment purposes. The preamble repeatedly states the intent of the rule is not to interfere with customary and necessary communications in the healthcare of the individual. Calling out a patient's name in a waiting room, or even on the facility's paging system, is considered an incidental disclosure and, therefore, allowed in the Privacy Rule (Thomason 2013, 37).

Health Insurance Portability and Accountability Act's Privacy Rule states that "________ used for the purposes of treatment, payment, or healthcare operations does not require patient authorization to allow providers access, use, or disclosure." However, only the ________ information needed to satisfy the specified purpose can be used or disclosed. a. Demographic information, minimum necessary b. Protected health information, minimum necessary c. Protected health information, diagnostic d. Demographic information, diagnostic

. b The HIPAA Privacy Rule states that protected health information used for purposes of treatment, payment, or healthcare operations does not require patient authorization to allow providers access, use, or disclosure. However, only the minimum necessary information needed to satisfy the specified purpose can be used or disclosed (Rinehart-Thompson 2017d, 216-217).

The technology, along with the policies and procedures for its use, that protects and controls access to ePHI are: a. Administrative safeguards b. Technical safeguards c. Physical safeguards d. Integrity controls

. b The Security Rule defines technical safeguards as the technology and the policy and procedures for its use that protect ePHI and controls access to it. A covered entity must determine which security measures and technologies are reasonable and appropriate for implementation (Biedermann and Dolezel 2017, 393).

Sara Anderson presented to the HIM department upset that her health information was sent to the state department of health. The HIM director explained to Sara that this information is part of their mandatory legal reporting requirements even though the information in her health record is owned by: a. The healthcare facility b. Sara's physician c. Sara, the patient d. The state

. c Although the entity that created and maintains a patient's record is responsible for its physical integrity, and it is impossible to separate the information from the medium on which it resides, the information itself is the patient's (Rinehart-Thompson 2020, 60-61).

In Medical Center Hospital's clinical information system, nurses may write nursing notes and may read all parts of the patient health record for patients on the unit in which they work. This type of authorized use is called: a. Password limitation b. Security clearance c. Role-based access d. User grouping

. c An EHR can provide highly effective access controls to meet the HIPAA Privacy Rule minimum necessary standard requirements. Role-based access controls are used where only specific classes of persons (for example, nurses) may access protected health information (Amatayakul 2017, 376-377).

Which of the following data management domains would be responsible for establishing standards for data retention and storage? a. Data architecture management b. Metadata management c. Data life cycle management d. Master data management

. c Data management is based on the assumption that all data have a life cycle. Typical data life cycle functions requiring data governance include: establishing what data are to be collected and how they are to be captured; setting standards for data retention and storage; determining processes for data access and distribution; establishing standards for data archival and destruction (Johns 2020, 82).

Which of the following is a kind of technology that focuses on data security? a. Clinical decision support b. Bitmapped data c. Firewalls d. Smart cards

. c Firewalls are hardware and software security devices situated between the routers of a private and public network. They are designed to protect computer networks from unauthorized outsiders (Sayles and Kavanaugh-Burke 2018, 233).

149. The Latin phrase meaning "let the master answer" that puts responsibility for negligent actions of employees on the employer is called: a. Res ipsa locquitor b. Res judicata c. Respondeat superior d. Restitutio in integrum

. c Generally, a hospital is liable to patients for the torts of its employees (including nurses and employed physicians) under the doctrine of respondeat superior (Latin for "let the master answer"). Also referred to as vicarious liability, under this doctrine the hospital holds itself out as responsible for the actions of its employees, provided that these individuals were acting within the scope of their employment or at the hospital's direction at the time they conducted the tortious activity in question (Rinehart-Thompson 2017c, 106-107).

The privacy officer was conducting training for new employees and posed the following question to the trainees to help them understand the rule regarding breach notification: "If a breach occurs, which of the following must be provided to the individual whose PHI has been breached?" a. The facility's notice of privacy practices b. An authorization to release the individual's PHI c. The types of unsecured PHI that were involved d. A promise to never do it again

. c Individuals whose protected health information (PHI) has been breached must be provided with the following information: a description of what occurred (including date of breach and date that breach was discovered); the types of unsecured PHI that were involved (such as name, SSN, DOB, home address, and account number); steps that the individual may take to protect himself or herself; what the entity is doing to investigate, mitigate, and prevent future occurrences; contact information for the individual to ask questions and receive updates (AHIMA 2009; Rinehart-Thompson 2017e, 250-251).

Caitlin has been experiencing abdominal pain. Removal of her gallbladder was recommended. Who is responsible to obtain Caitlin's informed consent? a. The anesthesiologist who will be administering general anesthesia b. The surgical nurse who will assist during surgery c. The physician who will be performing the surgery d. The administrator in the surgery department

. c It is the responsibility of the treating provider, in this case the physician who will be performing the surgery, to obtain informed consent and it may not be delegated to some other person (Klaver 2017c, 141).

Which professional has the responsibility of determining when an individual or entity has the right to access healthcare information in a hospital setting? a. Physicians b. Nurses c. Health information management professionals d. Hospital administrators

. c Patients (along with their next of kin or legal representatives) have the right to access their health records. However, health information management (HIM) professionals must validate the appropriateness of access. When a patient's next of kin or legal representative requests information belonging to the patient, HIM professionals should be familiar with state and federal laws regarding the right to access and who can authorize the use or disclosure of the information at issue (Fahrenholz 2017a, 45).

What is the first consideration in determining how long records must be retained? a. The amount of space allocated for record filing b. The number of records c. The most stringent law or regulation in the state d. The cost of filing space

. c State laws, CMS regulations and other federal regulations, accreditation standards, and facility policies and procedures must also be reviewed when establishing a retention schedule. The HIM professional must adhere to the strictest time limit if the recommended retention period varies among different laws and regulations (Reynolds and Morey 2020, 135).

Community Hospital is terminating its business associate relationship with a medical transcription company. The transcription company has no further need for any identifiable information that it may have obtained in the course of its business with the hospital. The CFO of the hospital believes that to be HIPAA compliant all that is necessary is for the termination to be in a formal letter signed by the CEO. In this case, how should the director of HIM advise the CFO? a. Confirm that a formal letter of termination meets HIPAA requirements and no further action is required b. Confirm that a formal letter of termination meets HIPAA requirements and no further action is required except that the termination notice needs to be retained for seven years c. Confirm that a formal letter of termination is required and that the transcription company must provide the hospital with a certification that all PHI that it had in its possession has been destroyed or returned d. Inform the CFO that business associate agreements cannot be terminated

. c The HIPAA Privacy Rule requires the covered entity to have business associate agreements in place with each business associate. This agreement must always include provisions regarding destruction or return of protected health information (PHI) upon termination of a business associate's services. Upon notice of the termination, the covered entity needs to contact the business associate and determine if the entity still retains any protected health information from, or created for, the covered entity. The PHI must be destroyed, returned to the covered entity, or transferred to another business associate. Once the PHI is transferred or destroyed, it is recommended that the covered entity obtain a certification from the business associate that either it has no protected health information, or all protected health information it had has been destroyed or returned to the covered entity (Thomason 2013, 18).

. One of the four general requirements a covered entity must adhere to in order to be in compliance with the HIPAA Security Rule is to: a. Ensure the confidentiality, integrity, and addressability of ePHI b. Ensure the confidentiality, integrity, and accuracy of ePHI c. Ensure the confidentiality, integrity, and availability of ePHI d. Ensure the confidentiality, integrity, and accountability of ePHI

. c The HIPAA Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of ePHI. The Security Rule contains provisions that require covered entities to adopt administrative, physical, and technical safeguards (Reynolds and Brodnik 2017a, 266-267).

Per HITECH, an accounting of disclosures must include disclosures made during the previous: a. 10 years b. 6 years c. 3 years d. 1 year

. c The Health Information Technology for Economic and Clinical Health Act (HITECH) shortened the time frame for an accounting of disclosures. Previously, an accounting had to include disclosures made during the previous six years. This has been shortened to disclosures made during the previous three years (Rinehart-Thompson 2018, 94).

The legal health record for disclosure consists of: a. Any and all protected health information collected or used by a healthcare entity when delivering care b. Only the protected health information requested by an attorney for a legal proceeding c. The data, documents, reports, and information that comprise the formal business records of any healthcare entity that are to be utilized during legal proceedings d. All of the data and information included in the HIPAA designated record set

. c The concept of legal health records (LHRs) was created to describe the data, documents, reports, and information that comprise the formal business records of any healthcare organization that are to be utilized during legal proceedings (Biedermann and Dolezel 2017, 424).

A visitor sign-in sheet to a computer area is an example of what type of control? a. Administrative b. Audit c. Facility access d. Workstation

. c The facility access control standard requires covered entities to control and validate a person's access to a facility including visitor control (Biedermann and Dolezel 2017, 390-391).

Jill has been asked to revise the health record retention policy for her organization. In particular, administration believes the current policy does not properly reflect the length of time that the records of minors should be retained. In conducting her research, Jill refers to the AHIMA best practices for record retention. Based on her research, which of the following should she recommend regarding retention of the health records of minors? a. 10 years plus statute of limitations b. 20 years plus statute of limitations c. Age of majority plus statute of limitations d. Do not address them separately; they should conform to the same retention period as all other records in the organization

. c The statute of limitations for minors, which is generally those who are younger than 18 years of age, may exceed the time for when health records are ordinarily retained. Whereas a minor may file a lawsuit on his or her own behalf upon reaching the age of majority, the statute of limitations does not being to run until the minor reaches the age of majority (Rinehart-Thompson 2017c, 195

. Which of the following is considered a two-factor authentication system? a. User ID and password b. User ID and voice scan c. Password and swipe card d. Password and PIN

. c The three methods of two-factor authentication are something you know, such as a password or PIN; something you have, such as an ATM card, token, or swipe/smart card; and something you are, such as a biometric fingerprint, voice scan, iris, or retinal scan (Sayles and Kavanaugh-Burke 2018, 230).

Central City Clinic has requested that Ghent Hospital send its hospital records from Susan Hall's most recent admission to the clinic for her follow-up appointment. Which of the following statements is true? a. The Privacy Rule requires that Susan Hall complete a written authorization. b. The hospital may send only discharge summary, history, and physical and operative report. c. The Privacy Rule's minimum necessary requirement does not apply. d. This "public interest and benefit" disclosure does not require the patient's authorization.

. c There are certain circumstances where the minimum necessary requirement does not apply, such as to healthcare providers for treatment; to the individual or his or her personal representative; pursuant to the individual's authorization to the Secretary of the HHS for investigations, compliance review, or enforcement; as required by law; or to meet other Privacy Rule compliance requirements (Rinehart-Thompson 2017d, 234).

144. Appropriate documentation of health record destruction must be maintained permanently no matter how the process is carried out. This documentation usually takes the form of a: a. Policy of destruction b. Retention schedule c. Regulation schedule d. Certificate of destruction

. d Appropriate documentation of health record destruction must be maintained permanently no matter how the process is carried out. This documentation usually takes the form of a certificate of destruction (Fahrenholz 2017b, 108).

. Following a data breach with less than 500 impacted, how long does a covered entity have to provide notification of the breach to the secretary of the Department of Health and Human Services? a. Immediately after determination of the data breach b. Within 30 days c. Within 60 days d. 60 days after the end of the calendar year in which the breach occurred

. d If the data breach impacts less than 500 individuals, the covered entity or business associate must notify the secretary of the HHS annually; however, the notification must occur no later than 60 days after end of the calendar year in which the data breach occurred (Brinda and Watters 2020, 320).

Of the following, what is the most likely to happen to a patient's health record when his or her physician leaves an office practice? a. It will be sent to the state department of health. b. It will be sent to outside storage. c. It will be destroyed. d. It will be retained by the practice.

. d In physician practices, patients are informed of their option to transfer their records to another provider. The majority of complete contracts specify that health records are owned by the provider group (Rinehart-Thompson 2017c, 199-200).

. The baby of a mother who is 15 years old was recently discharged from the hospital. The mother is seeking access to the baby's health record. Who must sign the authorization for release of the baby's health record? a. Both mother and father of the baby b. Maternal grandfather of the baby c. Maternal grandmother of the baby d. Mother of the baby

. d Many state laws allow a minor to be treated as an adult for drug or alcohol dependency and sexually transmitted diseases or be given contraceptives and prenatal care without parental or legal guardian consent. This gives minors the right to treatment and access of their health records as a competent adult (Brodnik 2017b, 343-344).

When a patient revokes authorization for release of information after a healthcare entity has already released the information, the healthcare entity in this case: a. May be prosecuted for invasion of privacy b. Has become subject to civil action c. Has violated the security regulations of HIPAA d. Is protected by the Privacy Act

. d One of the specifications found within the consent for use and disclosure of information should state that the individual has the right to revoke the consent in writing, except to the extent that the covered entity has already taken action based on the consent. In this situation, the facility acted in good faith based on the prior authorization and therefore the release is covered under the Privacy Act (Rinehart-Thompson 2017d, 223).

All of the following are factors that influence health record retention periods except: a. Federal and state laws b. Statutes of limitations c. Costs of retention d. Patient mortality

. d Some of the factors that influence health record retention are: federal and state laws, statutes of limitations, and costs of retention. Patient mortality does not impact health record retention as records are not destroyed solely on the basis that a patient has expired (Rinehart-Thompson 2017c, 194).

. Lane Hospital has a contract with Ready-Clean, a local company, to come into the hospital to pick up all the facility's linens for off-site laundering. Ready-Clean is: a. A business associate because Lane Hospital has a contract with it b. Not a business associate because it is a local company c. A business associate because its employees may see PHI d. Not a business associate because it does not use or disclose individually identifiable health information

. d Vendors who have a presence in a healthcare facility, agency, or organization will often have access to patient information in the course of their work. If the vendor meets the definition of a business associate (that is, it is using or disclosing an individual's PHI on behalf of the healthcare organization), a business associate agreement must be signed. If a vendor is not a business associate, employees of the vendor should sign confidentiality agreements because of their routine contact with and exposure to patient information. In this situation, Ready-Clean is not a business associate (Brodnik 2017b, 346).

Which of the following is the appropriate method for destroying electronic data? a. Burning b. Shredding c. Pulverizing d. Degaussing

106. d The destruction of patient-identifiable clinical documentation should be carried out in accordance with relevant federal and state regulations and organizational policy. Electronic data can be destroyed with magnetic degaussing (demagnetizing) as this is an acceptable form of destruction for that medium. Burning, shredding, and pulverizing are acceptable destruction methods for paper-based records (Fahrenholz 2017b, 107).

The hospital's public relations department in conjunction with the local high school is holding a job shadowing day. The purpose of this event is to allow high school seniors an opportunity to observe the various jobs in the hospital and to help the students with career planning. The public relations department asks for input on this event from the standpoint of HIPAA compliance. In this case, what should the HIM department advise? a. Job shadowing is allowed by HIPAA under the provision of allowing students and trainees to practice. b. Job shadowing should be limited to areas in which the likelihood of exposure to PHI is very limited, such as administrative areas. c. Job shadowing is allowed by HIPAA under the provision of volunteers. d. Job shadowing is specifically prohibited by HIPAA

154. b Job shadowing should be limited to areas where the likelihood of exposure to PHI is very limited, such as in administrative areas. There is a provision in the Privacy Rule that permits students and trainees to practice and improve their skills in the healthcare environment; however, the context of this provision appears to imply that the students are already enrolled in a healthcare field of study and that they are under the supervision of the covered entity. Most covered entities require students to be trained on confidentiality and other requirements of the Privacy Rule, and job shadowing activities do not appear to apply in this exception (Thomason 2013, 41).

Based on which of the following concepts can a clinic requesting health records for one of its patients be reasonably assured that the correct patient information will be sent? a. Verification b. Confirmation c. Authentication d. Certification

93. a Policies and procedures created by the covered entity or business associate to manage the use and disclosures of PHI should address the process for patient identification, including verification of the individual or personal representatives (Brinda and Watters 2020, 327).

A physician is conducting a research study on the medication compliance of diabetic patients. The facility's consent-for-treatment form includes authorization for the use and disclosure of PHI for research, so the physician wants to begin the study. Why is this not acceptable? a. The Privacy Rule prohibits compound authorizations. b. Research does not require an authorization. c. The physician must call the participants of the study first. d. HIPAA prohibits the use and disclosure of information for research.

a Compound authorizations combine the use and disclosure of PHI with other legal permissions such as consent for treatment, which is prohibited by the current HIPAA Privacy Rule (Brinda and Watters 2020, 324).

. Which of the following are technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals as a method to prevent a breach of PHI? a. Encryption and destruction b. Recovery and encryption c. Destruction and redundancy d. Interoperability and recovery

a Encryption and destruction are the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to authorized individuals in order to prevent a potential breach of PHI (Biedermann and Dolezel 2017, 401).

Scott has requested that all written communications from his cardiologist's office be sent to his work address instead of his home address. The cardiology practice: a. Must honor this confidential communication request if it is deemed reasonable b. Is not required to honor any confidential communication requests of this nature c. Is not required to honor this restriction request d. Must honor this restriction request as long as it is submitted in writing

a Healthcare providers and health plans must give individuals the right of confidential communications, or the opportunity to request that communications of PHI be routed to an alternative location or by an alternative method (45 CFR 164.522(b) ). Healthcare providers must honor a request without requiring a reason if the request is reasonable (Rinehart-Thompson 2017e, 249).

Under the Privacy Rule, which of the following must be included in a patient accounting of disclosures? a. State-mandated report of a sexually transmitted disease b. Disclosure pursuant to a patient's signed authorization c. Disclosure necessary to meet national security or intelligence requirements d. Disclosure for payment purposes

a Legislation gives a patient the right to obtain an accounting of disclosures of PHI made by the covered entity in the six years or less prior to the request date. Mandatory public health reporting is not considered part of a covered entities' operations. As a result, these disclosures must be included in an accounting of disclosures (Rinehart-Thompson 2017e, 247-248).

. Under the HIPAA Privacy Rule, a hospital may disclose health information without authorization or subpoena in which of the following cases? a. The patient has been involved in a crime that may result in death. b. The patient has celebrity status and requires protection. c. The father of a 22-year-old is requesting the records. d. An attorney requests records.

a News media personnel (and others) may have an interest in obtaining information about a public figure or celebrity who is being treated or about individuals involved in events that have cast them in the public eye. However, the media is not exempt from the restrictions imposed by the HIPAA facility directory requirement, and it is prudent for a healthcare organization to exercise even greater restraint than that mandated by the facility directory requirement with respect to the media. Parents of adult children and attorneys also need an authorization to receive patient records. A hospital may disclose health information to law enforcement when the suspected criminal conduct has resulted in a death (Brodnik 2017b, 365

An employee received an email that he thought was from the information technology department. He provided his personal information at the sender's request. The employee was tricked by: a. Phishing b. Ransomware c. Virus d. Bot

a Phishing is a scam by which an individual may receive an email that looks official but it is not. Its intent is to capture usernames, passwords, account numbers, and any other personal information. Users should be cautious in giving out confidential information such as passwords, credit card numbers, and social security numbers as many requests for this information received via email is a phishing scam (Sayles and Kavanaugh-Burke 2018, 235).

The Privacy Rule establishes that a patient has the right of access to inspect and obtain a copy of his or her PHI: a. For as long as it is maintained b. For six years c. Forever d. For 12 months

a The Privacy Rule states that an individual has a right of access to inspect and obtain a copy of his or her own PHI that is contained in a designated record set, such as a health record. The individual's right extends for as long as the PHI is maintained (Rinehart-Thompson 2017e, 243-244).

HIPAA was designed to accomplish all of the following except: a. Designate HIM professionals as privacy officers b. Establish a consistent set of privacy and security rules for healthcare information nationwide c. Simplify the sharing of health information for legitimate purposes d. Authorize that only the minimum necessary should be released upon proper authorization

a The implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in 2003 established a consistent set of privacy and security rules. These rules, designed to protect the privacy of patients, also attempted to simplify the sharing of health information for legitimate purposes. For example, before implementation of HIPAA, a healthcare provider who needed access to a health record maintained by another provider usually could not directly request the information. The former provider required the patient's written authorization to release information to the current provider. In many cases, the patient or the patient's legal representative had to facilitate the transfer of medical information to a current healthcare provider. Under federal privacy regulations, the healthcare provider can directly request protected medical information, and a written authorization from the patient is not required when the information is used for treatment purposes. The privacy rule states that protected health information used for treatment, payment, or healthcare operations does not require patient authorization to allow providers access, use, or disclosure. However, only the minimum necessary information needed to satisfy the specified purpose can be used or disclosed. The release of information for purposes unrelated to treatment, payment, or healthcare operations still requires the patient's written authorization (Fahrenholz 2017a, 45).

94. In the state of California, healthcare organizations must provide patients a copy of their medical record within 15 days of the request, whereas HIPAA requires organizations to provide records within 30 days of the request. This is example of state law being ________ in relation to federal law. a. Stringent b. Contrary c. Standardized d. Conflicting

a Under HIPAA, state law is considered more stringent if the law prohibits or restricts use or disclosure in circumstances under which such use or disclosure would be permitted under federal law (Brinda and Watters 2020, 330).

. According to the Medicare Conditions of Participation, how long must health records be retained? a. 2 years b. 5 years c. 10 years d. Permanently

b A health record must be maintained for every individual evaluated or treated in the hospital. Health records must be retained in their original or legally reproduced form for a period of at least 5 years (Fahrenholz 2017b, 106).

. An original goal of HIPAA Administrative Simplification was to standardize: a. Privacy notices given to patients b. The electronic transmission of health data c. Disclosure of information for treatment purposes d. The definition of PHI

b A significant part of the administrative simplification process is the creation of standards for the electronic transmission of data (Rinehart-Thompson 2017d, 207).

. Jan Carlson is the HIM manager at Community Hospital, and she is designing a health record retention policy for the facility. Which legal source should she use to determine how long medical records should be retained by the facility? a. AHIMA record retention guidelines b. State law c. County or city codes d. Joint Commission accreditation standards

b AHIMA provides professional guidelines, but it is not a legal source (option a). Option c does not dictate health record retention. Option d (Joint Commission) defers to state law (option b). Note that state law may or may not dictate retention periods, but it is the best option among those presented (Rinehart-Thompson 2020, 60).

Which of the following is an administrative safeguard action? a. Facility access control b. Documentation retention guidelines c. Maintenance record d. Media reuse

b Administrative safeguards are administrative actions such as policies and procedures and documentation retention to manage the selection, development, implementation, and maintenance of security measures to safeguard ePHI and manage the conduct of the covered entities or business associates' workforce (Biedermann and Dolezel 2017, 383).

The HIM manager received notification that a user accessed the PHI of a patient with the same last name as the user. This is an example of a(n): a. Encryption b. Trigger flag c. Transmission security d. Redundancy

b Audit trail are used to facilitate the determination of security violations and to identify areas for improvement. Their usefulness is enhanced when they include trigger flags for automatic, intensified review (Sayles and Kavanaugh-Burke 2018, 232).

Gladys, a 90-year-old patient, calls the HIM department and tells the HIM professional that her daughter Joan will be in to pick up a copy of her records to take to her specialist. Which of the following is required for the HIM professional to comply with this request? a. Nothing is required; Gladys has provided her consent over the phone. b. Gladys must provide a written authorization. c. Gladys must repeat her request so that it can be verbally recorded. d. Joan must sign an authorization when she presents to the facility.

b HIPAA provides specific requirements regarding when protected health information can be used or disclosed with and without a signed authorization form by the patient. In this scenario a written authorization from the patient is needed in order to release the records to the daughter (Brinda and Watters 2020, 323).

The HIPAA Privacy Rule permits charging patients for labor and supply costs associated with copying health records. Mercy Hospital is located in a state where state law allows charging patients a $100 search fee associated with locating records that have been requested. Which of the following statements is true when applied to this scenario? a. State law will not be preempted in this situation. b. The Privacy Rule will preempt state law in this situation. c. The Privacy Rule never preempts existing state law. d. The Privacy Rule always preempts existing state law.

b If a fee is assessed for a request, the fee schedule must be consulted and an invoice prepared. The fee schedule should be regularly reviewed for compliance with the HIPAA Privacy Rule and applicable state laws. A system should be developed to determine situations in which fees are not assessed, when prepayment is required, and to implement collection procedures for delinquent payments following record disclosure (Brodnik 2017b, 372-373).

The HIM manager typically can testify about which of the following when a party in a legal proceeding is attempting to admit a health record as evidence? a. The care provided to the patient b. Identification of the record as the one subpoenaed c. The qualifications of the treating physician d. Identification of the standard of care used to treat the patient

b Original health records may be required by subpoena to be produced in person and the custodian of records is required to authenticate those records through testimony (Rinehart-Thompson 2017a, 59).

. Under the HIPAA Security Rule, these types of safeguards have to do with protecting the environment: a. Administrative b. Physical c. Security d. Technical

b Physical safeguards have to do with protecting the environment, including ensuring applicable doors have locks that are changed when needed and that fire, flood, and other natural disaster preparedness is in place (for example, fire alarms, sprinklers, smoke detectors, raised cabinets). Other physical controls include badging and escorting visitors and other typical security functions such as patrolling the premises, logging equipment in and out, and camera-monitoring key areas. HIPAA does not provide many specifics on physical facility controls but does require a facility security plan with the expectation that these matters will be addressed (Biedermann and Dolezel 2017, 390).

. Authorization management involves: a. The process used to protect the reliability of a database b. Limiting user access to a database c. Allowing unlimited use of the database d. Developing definitions for database elements

b Protecting the security and privacy of data in the database is called authorization management. Two of the important aspects of authorization management are user access control and usage monitoring (Rob and Coronel 2009; Amatayakul 2017, 376-377).

. Per the HITECH breach notification requirements, which of the following is the threshold in which the media and the Secretary of Health and Human Services should be notified of the breach? a. more than 1,000 individuals affected b. more than 500 individuals affected c. more than 250 individuals affected d. Any number of individuals affected requires notification

b Reporting requirements mandate notification to the individual whose information was breached, and in the case of breaches of more than 500 individuals' information, to the media and the Secretary of Health and Human Services (Biedermann and Dolezel 2017, 401).

Which of the following is a mechanism that records and examines activity in information systems? a. eSignature laws b. Security audits c. Minimum necessary rules d. Access controls

b Security audits are the mechanisms that record and examine activity in information systems. HIPAA does not specify what form of security audits must be used, how or how often they must be examined, or how long they must be retained (Brinda and Watters 2020, 334).

. According to the Privacy Rule, which of the following statements must be included in the notice of privacy practices? a. A description (including at least one example) of the types of uses and disclosures the physician is permitted to make for marketing purposes b. A description of each of the other purposes for which the covered entity is permitted or required to use or disclose PHI without the individual's written consent or authorization c. A statement that other uses and disclosures will be made without the individual's written authorization and that the individual may not revoke such authorization d. A statement that all disclosures will be prohibited from future redisclosures

b The notice of privacy practices must explain and give examples of the uses of the patient's health information for treatment, payment, and healthcare operations, as well as other disclosures for purposes established in the regulations. If a particular use of information is not covered in the notice of privacy practices, the patient must sign an authorization form specific to the additional disclosure before his or her information can be released (Reynolds and Morey 2020, 108).

145. City Hospital has implemented a procedure that allows inpatients to decide whether they want to be listed in the hospital's directory. The directory information includes the patient's name, location in the hospital, and general condition. If a patient elects to be in the directory, this information is used to inform callers who know the patient's name. Some patients have requested that they be listed in the directory, but information is to be released to only a list of specific people the patient provides. A hospital committee is considering changing the policy to accommodate these types of patients. In this case, what type of advice should the HIM director provide? a. Approve the requests because this is a patient right under HIPAA regulations b. Deny these requests because screening of calls is difficult to manage and if information is given in error, this would be considered a violation of HIPAA c. Develop two different types of directories—one directory for provision of all information and one directory for provision of information to selected friends and family of the patient d. Deny these requests and seek approval from the Office of Civil Rights

b The HIPAA Privacy Rule allows individuals to decide whether they want to be listed in a facility directory when they are admitted to a facility. If the patient decides to be listed in the facility directory, the patient should be informed that only callers who know his or her name will be given any of this limited information. Covered entities generally do not, however, have to provide screening of visitors or calls for patients because such an activity is too difficult to manage with the number of employees and volunteers involved in the process of forwarding calls and directing visitors. If the covered entity agreed to the screening and could not meet the agreement, it could be considered a violation of this standard of the Privacy Rule (Thomason 2013, 105).

. The _____ requires organizations to implement policies and procedures to safeguard the facility and equipment from unauthorized access, tampering, and theft. a. Contingency plan b. Security Rule c. Media and device controls d. Emergency mode operations plan

b The Security Rule operationalizes the Privacy Rule and requires administrative safeguards such as policies and procedures to protect physical entities like information systems, buildings, and equipment (Brinda and Watters 2020, 319).

Dr. Williams is on the medical staff of Sutter Hospital, and he has asked to see the health record of his wife, who was recently hospitalized. Dr. Jones was the patient's physician. Of the options listed here, which is the best course of action? a. Refer Dr. Williams to Dr. Jones and release the record if Dr. Jones agrees b. Inform Dr. Williams that he cannot access his wife's health information unless she authorizes access through a written release of information c. Request that Dr. Williams ask the hospital administrator for approval to access his wife's record d. Inform Dr. Williams that he may review his wife's health record in the presence of the privacy officer

b The physician would not have access to records of a patient he or she is not treating unless the physician is performing designated healthcare operations such as research, peer review, or quality management. Otherwise the physician would need to have an authorization from the patient (Brodnik 2017b, 345-346).

. A secure method of communication between the healthcare provider and the patient is: a. Personal health record b. E-mail c. Patient portal d. Online health information

c A secure patient portal does allow for the communication between the provider and the patient and is not just a site for patients to access information. This is part of the effort to engage patients in their care (Biedermann and Dolezel 2017, 458).

. Recently, a healthcare organization has noticed an increase in the number of whooping cough cases in children under 5 years old. The healthcare organization reports the information to the state department of health. Which of the following statements is most applicable to the disclosure of this information? a. The healthcare organization violated HIPAA because it didn't get authorization prior to the disclosure. b. The healthcare organization did not violate HIPAA because it can disclose information to anyone as it sees fit. c. The healthcare organization did not violate HIPAA because the disclosure impacted the public health of everyone. d. The healthcare organization violated HIPAA because it did not get authorization from the state department of health prior to the disclosure.

c Covered entities (healthcare organizations) are allowed to disclose protected health information for public health reporting purposes without an authorization or consent from the patient or family members. Since the whooping cough outbreak is a public health issue, it can be reported without authorization (Brinda and Watters 2020, 325).

An employer has contacted the HIM department and requested health information on one of his employees. Of the options listed here, what is the best course of action? a. Provide the information requested b. Refer the request to the attending physician c. Request the employee's written authorization for release of information d. Request the employer's written authorization for release of the employee's information

c Employers who may or may not be HIPAA-covered healthcare organizations may request patient information for a number of reasons, including family medical leave certification, return to work certification for work-related injuries, and information for company physicians. Patient authorization is required for such disclosures, except in some states the patient's employer, employer's insurer, and employer's and employee's attorneys do not need patient authorization to obtain health information for workers' compensation purposes (Brodnik 2017b, 345).

Retention of medical records is mandated by: a. HIPAA b. Joint Commission standards c. State and federal law d. Professional association guidelines

c HIPAA does not address record retention. Joint Commission refers to applicable law. Professional guidelines (for example, AHIMA) may address record retention, but they do not have the force of law and are therefore not mandates (Rinehart-Thompson 2020, 60).

. Emma is getting ready to begin kindergarten. Her school is requesting her immunization records as required by state law. Per HIPAA, Emma's pediatrician may: a. Not disclose this PHI without the authorization of Emma's parent b. Disclose this information because it is not PHI c. Disclose this PHI with verbal permission from Emma's parent d. Not disclose this PHI because it is an exception to the public health activity authorization exception

c HITECH makes it easier for schools to receive student immunization records where state or other law requires it prior to student admission. HITECH permits CEs to disclose a child's immunization records (considered a public health activity) to a school with the oral consent of the parent or guardian. This contrasts with the previous written authorization requirement (Rinehart-Thompson 2017e, 246).

Which one of the following has access to personally identifiable data without authorization or subpoena? a. Law enforcement in a criminal case b. The patient's attorney c. Public health departments for disease reporting purposes d. Workers' compensation for disability claim settlement

c No authorization is needed to use or disclose PHI for public health activities. Some health records contain information that is important to the public welfare. Such information must be reported to the state's public health service to ensure public safety (Brinda and Watters 2020, 325).

. Which of the following is not an identifier under the Privacy Rule? a. Visa account 2773 985 0468 b. Vehicle license plate BZ LITYR c. Age 75 d. Street address 265 Cherry Valley Road

c One of the most fundamental terms in the Privacy Rule is PHI, defined by the rule as "individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium" (45 CFR 160.103). To meet the individually identifiable element of PHI, information must meet all three portions of a three-part test. (1) It must either identify the person or provide a reasonable basis to believe the person could be identified from the information given. (2) It must relate to one's past, present, or future physical or mental health condition; the provision of healthcare; or payment for the provision of healthcare. (3) It must be held or transmitted by a covered entity or its business associate (Rinehart-Thompson 2017d, 213).

. Regarding an individual's right of access to their own PHI, per HIPAA, a covered entity: a. Must act on the request within 90 days b. May extend its response by 60 days if it gives the reasons for the delay c. May require individuals to make their requests in writing d. Does not have limits regarding what it can charge individuals for copies of their health records

c Per HIPAA, covered entities may require individuals to make their access requests in writing if it has informed them of this requirement. A covered entity must act on an individual's request within 30 days, and may extend the response just once by no more than 30 days as long as it responds within the initial 30-day window and gives the reason for the delay and a date by which it will respond (Rinehart-Thompson 2018, 87).

. A federal confidentiality statute specifically addresses confidentiality of health information about ________ patients. a. Developmentally disabled b. Elderly c. Drug and alcohol recovery d. Cancer

c The Confidentiality of Alcohol and Drug Abuse Patient Records Rule is a federal rule that applies to information created for patients treated in a federally assisted drug or alcohol abuse program and specifically protects the identity, diagnosis, prognosis, or treatment of these patients. The rule generally prohibits redisclosure of health information related to this treatment except as needed in a medical emergency or when authorized by an appropriate court order or the patient's authorization (Rinehart-Thompson 2020, 66).

Community Hospital is planning implementation of various elements of the EHR in the next six months. Physicians have requested the ability to access the EHR from their offices and from home. What advice should the HIM director provide? a. HIPAA regulations do not allow this type of access. b. This access would be covered under the release of PHI for treatment purposes and poses no security or confidentiality threats. c. Access can be permitted providing that appropriate safeguards are put in place to protect against threats to security. d. Access cannot be permitted because the physicians would not be accessing information for treatment purposes.

c The HIPAA Privacy Rule permits healthcare providers to access protected health information for treatment purposes. However, there is also a requirement that the covered entity provide reasonable safeguards to protect the information. These requirements are not easy to meet when the access is from an unsecured location, although policies, medical staff bylaws, confidentiality or other agreements, and a careful use of new technology can mitigate some risks (Thomason 2013, 46).

A patient requests copies of her medical records in an electronic format. The hospital maintains a portion of the designated record set in a paper format and a portion of the designated record set in an electronic format. How should the hospital respond? a. Provide the records in paper format only b. Scan the paper documents so that all records can be sent electronically c. Provide the patient with both paper and electronic copies of the record d. Inform the patient that PHI cannot be sent electronically

c The HIPAA Privacy Rule states that the covered entity must provide individuals with their information in the form that is requested by the individuals, if it is readily producible in the requested format. The covered entity can certainly decide, along with the individual, the easiest and least expensive way to provide the copies they request. Per the request of an individual, a covered entity must provide an electronic copy of any and all health information that the covered entity maintains electronically in a designated record set. If a covered entity does not maintain the entire designated record set electronically, there is not a requirement that the covered entity scan paper documents so the documents can be delivered electronically (Thomason 2013, 102).

Covered entities must retain documentation of their security policies for at least: a. Five years b. Five years from the date of origination c. Six years from the date when last in effect d. Six years from the date of the last incident

c The maintenance of policies and procedures implemented to comply with the Security Rule must be retained for six years from the date of its creation or the date when it was last in effect, whichever is later (Reynolds and Brodnik 2017a, 278-279).

. Barbara requested a copy of her PHI from her physician office on August 31. It is now October 10 and she has not heard anything from the physician office. Which of the following statements is correct? a. This is not a HIPAA violation because the physician's office has 60 days to respond. b. This is not a HIPAA violation because Barbara does not have a right to her information. c. This is a HIPAA violation because the physician's office did not respond within 30 days. d. This is a HIPAA violation because the physician's office did not respond within 15 days.

c Timely response is an important part of the Privacy Rule. A covered entity must act on an individual's request for review of PHI no later than 30 days after the request is made, extending the response by no more than 30 days if within the 30 day time period it gives the reasons for the delay and the date by which it would respond (Rinehart-Thompson 2017, 245).

. Mr. Martin has asked his physician's office to review a copy of his PHI. His request must be responded to no later than ________ after the request was made. a. 90 days b. 60 days c. 30 days d. 6 weeks

c Timely response is an important part of the Privacy Rule. A covered entity must act on an individual's request for review of PHI no later than 30 days after the request is made, extending the response by no more than 30 days if within the 30 day time period it gives the reasons for the delay and the date by which it would respond (Rinehart-Thompson 2017, 245).

. AHIMA recommends that documents of health record destruction include all of the following except: a. Date and method of destruction b. Statement that records were destroyed in the normal course of business c. Description of disposed records series, numbers, or items d. Reason for destruction

d AHIMA recommends that documents of health record destruction include the many items including: data and method of destruction, a statement that records were destroyed in the normal course of business, and also includes the description of the disposed record series of numbers or items. The reason for destruction is not one of these recommendations (Rinehart-Thompson 2017c, 199).

. When a healthcare entity destroys health records after the acceptable retention period has been met, a certificate of destruction is created. How long must the healthcare entity maintain the certificate of destruction? a. 2 years b. 5 years c. 10 years d. Permanently

d Appropriate documentation of health record destruction must be maintained permanently no matter how the process is carried out. This documentation usually takes the form of a certificate of destruction (Fahrenholz 2017b, 108).

The confidentiality of incident reports is generally protected in cases when the report is filed in: a. The nursing notes b. The patient's health record c. The physician's progress notes d. The hospital risk manager's office

d Because incident reports contain facts, hospitals strive to protect their confidentiality. To ensure incident report confidentiality, no copies should be made and the original must not be filed in the health record nor removed from the files in the department responsible for maintaining them, typically risk management or QI. Also no reference to the completion of an incident report should be made in the health record. Such a reference would likely render the incident report discoverable because it is mentioned in a document that is discoverable in legal proceedings (Rinehart-Thompson 2020, 68-69).

Which process requires the verification of the educational qualifications, licensure status, and other experience of healthcare professionals who have applied for the privilege of practicing within a healthcare facility? a. Deemed status b. Judicial decision c. Subpoena d. Credentialing

d Credentialing is the process that requires the verification of the educational qualifications, licensure status, and other experience of healthcare professionals who have applied for the privilege of practicing within a healthcare facility (Fahrenholz 2017b, 79-80).

Which of the following controls external access to a network? a. Access controls b. Alarms c. Encryption d. Firewall

d Firewalls are hardware and software security devices situated between the routers of a private and public network. They are designed to protect computer networks from unauthorized outsiders. However, they also can be used to protect entities within a single network, for example, to block laboratory technicians from getting into payroll records. Without firewalls, IT departments would have to deploy multiple-enterprise security programs that would soon become difficult to manage and maintain (Sayles and Kavanaugh-Burke 2018, 233).

Charlie went to the HIM department at Langford Hospital to request an amendment to his PHI. The HIM staff required that he make the request in writing. He said this violated his HIPAA rights. Who is correct? a. Charlie, because the Privacy Rule requires amendment requests to be oral b. The HIM department, because the Privacy Rule requires amendment requests to be in writing c. Charlie, because the Privacy Rule requires immediate responses to all amendment requests d. The HIM department, because the Privacy Rule allows covered entities to require that amendment requests be made in writing

d Many states have laws or regulations that permit individuals to amend their health records. The CE may require the individual to make an amendment request in writing and provide a reason for the amendment (Rinehart-Thompson 2017e, 246).

. Debbie, an HIM professional, was recently hired as the privacy officer at a large physician practice. She observes the following practices. Which is a violation of the HIPAA Privacy Rule? a. Dr. Graham recommends a medication to a patient with asthma. b. Dr. Herman gives a patient a pen with the name of a pharmaceutical company on it. c. Dr. Martin recommends acupuncture to a patient. d. Dr. Lawson gives names of asthma patients to a pharmaceutical company.

d PHI may not be used or disclosed by a covered entity unless the individual who is the subject of the information authorizes the use or disclosure in writing or the Privacy Rule requires or permits such use or disclosure without the individual's authorization. In this situation, Dr. Lawson is a covered entity and thus releasing the names of his asthma patients to a pharmaceutical company requires the patients' authorization (Rinehart-Thompson 2017d, 225).

. A hospital releases information to an insurance company with proper authorization by the patient. The insurance company forwards the information to a medical data clearinghouse. This process is referred to as: a. Admissibility b. Civil release c. Privileging process d. Redisclosure

d Redisclosure of health information is of significant concern to the healthcare industry. As such, the HIM professional must be alerted to state and federal statutes addressing this issue. A consent obtained by a hospital pursuant to the Privacy Rule in 45 CFR 164.506(a)(5) does not permit another hospital, healthcare provider, or clearinghouse to use or disclose information. However, the authorization content required in the Privacy Rule in 45 CFR 164.508(c)(1) must include a statement that the information disclosed pursuant to the authorization may be disclosed by the recipient and thus is no longer protected (Rinehart-Thompson 2017d, 231-232).

A competent adult female has a diagnosis of ovarian cancer and while on the operating table suffers a stroke and is in a coma. Her son would like to access her health records from a clinic she recently visited for pain in her right arm. The patient is married and lives with her husband and two grown children. According to the Uniform Health Care Decisions Act (UHCDA), who is the logical person to request and sign an authorization to access the woman's health records from the clinic? a. Adult child making request b. Oldest adult child c. Patient d. Spouse

d The Uniform Health Care Decisions Act suggests that decision-making priority for an individual's next-of-kin be as follows: spouse, adult child, parent, adult sibling, or if no one is available who is so related to the individual, authority may be granted to "an adult who exhibited special care and concern for the individual" (Klaver 2017c, 159-160).

. Under HIPAA, when is the patient's written authorization required to release his or her healthcare information? a. For purposes related to treatment b. For purposes related to payment c. For administrative healthcare operations d. For any purpose unrelated to treatment, payment, or healthcare operations

d The implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in 2003 established a consistent set of privacy and security rules. The Privacy Rule states that protected health information used for treatment, payment, or healthcare operations does not require patient authorization to allow providers access, use, or disclosure. However, only the minimum necessary information needed to satisfy the specified purpose can be used or disclosed. The release of information for purposes unrelated to treatment, payment, or healthcare operations still requires the patient's written authorization (Fahrenholz 2017a, 45-46).

The privacy officer was conducting training for new employees and posed the following question to the trainees to help them understand the rule regarding protected health information (PHI): "Which of the following is an element that makes information 'PHI' under the HIPAA Privacy Rule?" a. Identifies an attending physician b. Specifies the insurance provider for the patient c. Contained within a personnel file d. Relates to one's health condition

d The key to defining PHI is that it requires the information to either identify an individual or provide a reasonable basis to believe the person could be identified from the information given. In this situation, the information relates to a patient's health condition and could identify the patient (Rinehart-Thompson 2017d, 214

. Which of the following does not have to be included in a covered entity's notice of privacy practices? a. Description with one example of disclosures made for treatment purposes b. Description of all the other purposes for which a covered entity is permitted or required to disclose PHI without consent or authorization c. Statement of individual's rights with respect to PHI and how the individual can exercise those rights d. Patient's signature and e-mail address

d The notice of privacy practices must explain and give examples of the uses of the patient's health information for treatment, payment, and healthcare operations, as well as other disclosures for purposes established in the regulations. If a particular use of information is not covered in the notice of privacy practices, the patient must sign an authorization form specific to the additional disclosure before his or her information can be released. Patient signature and e-mail address are not part of the notice of privacy practices (Reynolds and Morey 2020, 108).

. Where can you find guidelines for the retention and destruction of healthcare information? a. Institute of Medicine b. Municipal regulations c. HIPAA d. Accreditation standards

d The processes of storing health information and destroying it when it is no longer needed are called retention and destruction. The development of EHRs has given healthcare organizations the ability to retain and store health information without the physical space restriction of paper-based health records. These processes are subject to specific regulations in many states. Federal regulations and accreditation standards also include specific guidelines on the release and retention of patient-identified health information (Fahrenholz 2017a 46).

The Administrative Simplification portion of Title II of HIPAA addresses which of the following? a. Creating standardized forms for release of information throughout the industry b. Computer memory requirements for health plans maintaining patient health information c. Security regulations for personal health records d. Uniform standards for transactions and code sets

d Title II of HIPAA is the most relevant title to the management of health information, containing provisions relating to the prevention of healthcare fraud and abuse and medical liability reform, as well as administrative simplification. The Privacy Rule derives from the administrative simplification provision of Title II along with the HIPAA security regulations, transactions and code set standardization requirements, unique national provider identifiers, and the enforcement rule (Rinehart-Thompson 2017d, 207).