HIPAA practice test
The monetary penalties for improperly disclosing patient health information can be as high as: A. 1.5 million dollars B. $500,000 C. $250,000 D. $125,000
A. 1.5 million dollars
For PHI disclosures in which there is personal gain, or for malicious purposes, federal penalties can include up to _____ year(s) in prison.
A. 10
_______________ is defined as an impermissible disclosure of PHI that compromises the security or privacy of the patient. A. Breach B. Notice of Privacy Practices C. Disclosure D. Data dictionary
A. Breach
The HIPAA Security Rule protects: A. electronic data B. written data C. verbal data
A. Electronic data
Copies (not originals) of patient information may be disposed of properly in the regular garbage of the healthcare facility. A. False B. True
A. False
PHI can be recorded on paper or verbally. The electronic documentation of PHI is not covered under the HIPAA rules. A. False B. True
A. False
The HIPAA Omnibus Rule has lessened the individual rights of patients. A. False B. True
A. False
Under HIPAA, patients are not allowed to view their PHI. A. False B. True
A. False. Patients can view their own information when they request it by the facility's proper procedures.
Students who are participating in "clinical rotations" in hospitals are not subject to HIPAA penalties because of their student designation. A. True B. False
B. False
A facility's Notice of Privacy Practices should be posted anywhere, as long as it is in the lobby. A. True B. False
B. False. A facility's Notice of Privacy Practices must be posted in a prominent location where it is reasonable to expect individuals seeking services could read it.
Patients, generally, will not be informed of their rights under HIPAA, but have the right to view the information on the government web site. A. True B. False
B. False. Patients must be given a copy of the facility's Notice of Privacy Practices on their first visit to the facility.
Under HIPAA, a patient has the right to request an amendment to his/her medical record, and the hospital has a duty to comply. A. True B. False
B. False. The hospital is not required to make a change to the medical record if the hospital believes the record to be accurate and complete.
A healthcare employee's access to PHI is usually determined by their: A. Education B. Job duties in the healthcare organization. C. Length of employment
B. Job duties in the healthcare organization.
A document that explains your organization's rules for releasing a patient's medical information is called: A. Authorization for Release of Information B. Notice of Privacy Practices C. Medical Consent D. Personal Health Information
B. Notice of Privacy Practices
A covered entity (CE) is liable for civil money penalties for a violation based on the act or omission of the CE's business associate. A. False B. True
B. True
A facility's Notice of Privacy Practices must be given to a patient on the first visit. A. False B. True
B. True
Federal penalties can be taken against a hospital or an individual for PHI breaches. A. false B. true
B. True
Patients who believe that their PHI has been compromised by the hospital have the right to make a complaint to the federal government. A. False B. True
B. True
Prior to a student entering into a "clinical rotation" at a hospital, HIPAA training must be provided to the student. A. False B. True
B. True
The Privacy Rule requires covered entities to develop and implement reasonable policies and procedures to verify the identity of any person who requests PHI, as well as the authority of the person to have access to the information, if the identity or authority of the person is not already known. A. False B. True
B. True
Under HIPAA, as part of a patient's right to restrict their PHI, a patient can request that they not be listed in the patient directory: A. False B. True
B. True
Under the HIPAA Omnibus Rule, patients can ask for and receive copies of their medical records in an electronic form. A. False B. True
B. True
When patients pay for their healthcare bills, "out of their own pocket", they can have information kept private from their health insurance plan. A. False B. True
B. True
While at her daughter's open house at Nelson Elementary School, Brittany, a receptionist at Dr. Walden's Neurology practice, mentions to a friend that she saw a mutual friend at the office last Friday. Is this a violation of HIPAA? A. No B. Yes
B. Yes. Accidental disclosures of PHI are a HIPAA violation. A healthcare provider may accidentally violate the HIPAA Rule simply by saying to a third party that they saw a particular individual at the office. That statement discloses that the individual is a patient who sought care, and both of those facts are PHI under HIPAA.
Restricting access to the IT Department of a hospital would fall under which type of safeguard required by the Security Rule of HIPAA? A. administrative B. physical C. electronic D. technical
B. physical
The HIPAA Omnibus Rule provides ________ penalties for violation of HIPAA rules. A. fewer B. tougher C. limited D. more lenient
B. tougher
Which of the following would be considered a Business Associate? A. covered entity B. government agency C. documentation consultant D. healthcare provider
C. Documentation Consultant
HIPAA is a federal law which is enforced by: A. OIG - Office of the Inspector General B. Centers for Disease Control C. OCR - Office for Civil Rights of the Department of Health and Human Services D. CMS - Centers for Medicare and Medicaid Services
C. OCR - Office for Civil Rights of the Department of Health and Human Services
The establishment of computer passwords and firewalls would fall under which type of safeguard required by the Security Rule of HIPAA? A. electronic B. administrative C. technical D. physical
C. technical
The HIPAA Privacy Rule protects: A. written data B. verbal data C. written, verbal and electronic data D. electronic data
C. written, verbal and electronic data
A covered entity must act upon a request for access to PHI no later than ____ days after receipt of the request, under normal circumstances. A. 14 B. 15 C. 45 D. 30
D. 30
If a breach of PHI involves more than ______ patient(s), a press release must be issued to the major media informing the public of the breach. A. 100 B. 1 C. 250 D. 500
D. 500
Using PHI for quality assurance, teaching or auditing purposes would fall under which portion of the allowed purposes for release of PHI? A. Administration B. Payment C. Teaching D. Operations
D. Operations
Using PHI for patient registration or coding purposes would fall under which portion of the allowed purposes for release of PHI? A. Treatment B. Administration C. Operations D. Payment
D. Payment
An oncology practice requires all patients to sign in when they arrive at the office. Is this a violation of HIPAA? A. No B. Yes
A. No. Covered entities, such as physician's offices, may use patient sign-in sheets or call out patient names in waiting rooms, as long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician).
Are members of the workforce who are not involved in a patient's care allowed to review the patient's chart out of curiosity? A. No. Viewing a medical record for the sake of curiosity is not allowed under HIPAA. Only those healthcare providers involved in the patient's care should review the record, as needed for that care. B. Yes. It is allowed, as long as the contents are not discussed publicly.
A. No. Viewing a medical record for the sake of curiosity is not allowed under HIPAA. Only those healthcare providers involved in the patient's care should review the record, as needed for that care.
Karen, my co-worker and friend, forgot her newly assigned password. Is it OK if I let her use mine just for today? A. No. Your password should never be shared. Karen needs to begin the process to receive a new password. B. Yes, if your supervisor is aware of the situation and approves. C. Yes, but only for a limited time.
A. No. Your password should never be shared. Karen needs to begin the process to receive a new password.
What does the abbreviation NPP represent in relation to HIPAA? A. Notice of Privacy Practices B. Notice of Potential Problems C. Notice of Patient Practices D. Notice of Practice Problems
A. Notice of Privacy Practices
The Privacy Rule states that release of patient information may be done for three purposes only. These are Treatment, Payment and A. Operations B. Organization C. Administration D. Coding
A. Operations
If you suspect someone is violating the healthcare facility's privacy policy, you should: A. Report the activity to your supervisor for further follow-up B. Approach the person yourself and inform them of the correct way to do things. C. Say nothing. D. Watch the person closely in order to determine that you are correct with your suspicions.
A. Report the activity to your supervisor for further follow-up
The HIPAA Omnibus Rule has (had) a compliance date of: A. September 23, 2013 B. July 1, 2014 C. January 1, 2014 D. October 1, 2013
A. September 23, 2013
A disclosure of PHI must be limited to the minimum necessary amount of information in order to correctly complete the request. A. True B. False
A. True
If a patient is deceased, a covered entity may disclose to a family member who was involved in the patient's care or payment for healthcare prior to the death, PHI of the deceased unless there is an expressed statement to the contrary. A. True B. False
A. True
If a patient requests copies of their PHI, the covered entity may impose a fee for labor, photocopying, supplies and postage. A. True B. False
A. True
It is the responsibility of the employer to offer adequate HIPAA education and training to their employees. A. True B. False
A. True
Protected health information (PHI) is anything that connects a patient identifier to his or her health information. A. True B. False
A. True
The non-compliance of HIPAA rules could lead to civil and criminal penalties. A. True B. False
A. True
While the HIPAA Privacy Rule's right of access belongs primarily to the individual who is the subject of the PHI, the Privacy Rule also generally requires that persons who are legally authorized to act on behalf of the individual regarding health care matters be granted the same right of access. A. True B. False
A. True
The development of policies and procedures that address e-PHI security would fall under which type of safeguard required by the Security Rule of HIPAA? A. administrative B. electronic C. technical D. physical
A. administrative
