RHIA Domain 2
Mary processed a request for information and mailed it out last week. Today, the requestor, an attorney, called and said that all of the requested information was not provided. Mary pulls the documentation, including the authorization and what was sent. She believes that she sent everything that was required based on what was requested. She confirms this with her supervisor. The requestor still believes that some extra documentation is required. Given the above information, which of the following statements is true? - Mary is required to release the extra documentation because the requestor knows what is needed. - Mary is not required to release the additional information because her administrator agrees with her. - Mary is required to release the extra documentation because, in the customer service program for the facility, the customer is always right. - Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule.
Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule.
The patient has requested an amendment to her health record. The facility, after review with the physician, has decided to deny the request. According to HIPAA, the patient must be notified within how many days? - 90 - 30 - 60 - 45
60
Which of the following is an example of a security incident? - A handheld device was left unattended on the crash cart in the hall for 10 minutes. - An employee took home a laptop with unsecured PHI. - A hacker accessed PHI from off site. - Temporary employees were not given individual passwords.
A hacker accessed PHI from off site.
Which of the following is an example of a trigger that might be used to reduce auditing? - The patient is a Medicare patient. - A nurse is caring for a patient and reviews the patient's record. - A patient has not signed their notice of privacy practices. - A patient and user have the same last name.
A patient and user have the same last name.
Centric Medical Center established a business associate agreement with Quenlinks Solutions to provide mobile devices for their physicians and nurses to enter patient information into the organization's EHR in real time. Which of the following should be considered as a best practice for the use of mobile technology in this given scenario? - identification of device ownership - required authorization for mobile technology use - safeguards and techniques for adequate protection of ePHI - All of these answers apply.
All of these answers apply.
What source or document is considered the "supreme law of the land"? - Constitution of the United States - presidential power - Bill of Rights - Supreme Court decisions
Constitution of the United States.
Mountain Hospital has discovered a security breach. Someone hacked into the system and viewed 50 medical records. According to ARRA, what is the responsibility of the covered entity in a reasonable time not to exceed 60 days? - ARRA does not address this issue. - Notify CMS. - Notify FTC. - Notify the patient.
Notify the patient.
The legislation that required all federally funded facilities to inform patients of their rights under state law to accept or refuse medical treatment is known as - advance directives. - Patient Self-Determination Act. - living wills. - durable power of attorney.
Patient Self-Determination Act.
Which of the following is allowed by HIPAA? - Releasing patient information to the patient's attorney without an authorization - Mandating that a health care facility can amend the health record of a patient at the patient's request - Permitting a spouse to pick up medication for the patient - Letting a business associate use PHI in whatever manner they see fit
Permitting a spouse to pick up medication for the patient
Intrusion detection systems analyze - firewalls. - network traffic. - authentications. - audit trails.
network traffic
While performing routine quantitative analysis of a record, a medical record employee finds an incident report in the record. The employee brings this to the attention of her supervisor. Which best practice should the supervisor follow to deal with this situation? - Tell the employee to leave the report in the record. - Remove the incident report and send it to the patient. - Refer this record to the Risk Manager for further review and removal of the incident report. - Remove the incident report and have nursing personnel transfer all documentation from the report to the medical record.
Refer this record to the Risk Manager for further review and removal of the incident report.
When operating under the Health Insurance Portability and Accountability Act of 1996, what is a basic tenet in information security for health care professionals to follow? - Patients are not educated about their right to confidentiality of health information. - The information system encourages mass copying, printing, and downloading of patient records. - When paper-based records are no longer needed, they are bundled and sent to a recycling center. - Security training is provided to all levels of staff.
Security training is provided to all levels of staff.
Which one of the following actions would NOT be included in the professional obligations of the health information practitioner that lead to responsible handling of patient health information? - Take a compromising position toward optimal interpretation of nonspecific regulations and laws. - Extend privacy and security principles into all aspects of the data use, access, and control program adopted in the organization. - Educate consumers about their rights and responsibilities regarding the use of their personal health information. - Honor the patient-centric direction of the national agenda.
Take a compromising position toward optimal interpretation of nonspecific regulations and laws.
In general, which of the following statements is correct? - When federal and state laws conflict, valid state laws supersede federal laws. - When federal and state laws conflict, valid federal laws supersede state laws. - When federal and state laws conflict, valid corporate policies supersede federal and state laws. - When federal and state laws conflict, valid local laws supersede federal and state laws.
When federal and state laws conflict, valid federal laws supersede state laws.
To which of the following requesters can a facility release information about a patient without that patient's authorization? - a court with a court order - the public health department - the nurse caring for the patient - a business associate
a court with a court order
Someone accessed the covered entity's electronic health record and sold the information that was accessed. This person is known as which of the following? - a hacker - a virus - a cracker - malware
a cracker
Researchers can access patient information if it is - a limited data set. - related to identity theft. - patient specific. - protected health information.
a limited data set.
When patients are able to obtain a copy of their health record, this is an example of which of the following? - a required standard - a patient right - a preemption - an addressable requirement
a patient right
Which of the following measures should a health care facility incorporate into its institution-wide security plan to protect the confidentiality of the patient record? - use of unique computer passwords, key cards, or biometric identification - All of these answers apply. - locked access to data processing and record areas - verification of employee identification
all of these answers apply
One best practice to follow in order to establish safeguards for the security and confidentiality of a patient's information when a person makes a request for his or her records in person is to - refer the requester to the facility's attorney. - charge an exorbitant fee. - ask the requester for identification and the request in writing. - refuse the request.
ask the requester for identification and the request in writing.
Your facility is archiving scanned records for long-term storage on optical disk. The Disaster Recovery Committee has recommended that copies of the disks be stored - in a separate department within the facility. - in a locked file maintained in the administrative offices. - at a remote location. - in a clinic on the hospital campus.
at a remote location.
Darling v. Charleston Community Memorial Hospital is considered one of the benchmark cases in health care because it was with this case that the doctrine of _______________ was eliminated for nonprofit hospitals. - contributory negligence - charitable immunity - professional negligence - corporate negligence
charitable immunity.
A health care organization's compliance plans should not only focus on regulatory compliance, but also have a - component that increases the security of medical records. - coding compliance program that prevents fraudulent coding and billing. - substantial program that increases the availability of clinical data. - strong personnel component that reduces the rapid turnover of nursing personnel.
coding compliance program that prevents fraudulent coding and billing.
When a health information professional (record custodian) brings the medical record to court in response to a subpoena duces tecum, it is his or her responsibility to - present the case favorably for the patient involved. - confirm whether or not the record is complete, accurate, and made in the ordinary course of business. - leave the original record in the possession of the plaintiff's attorney. - explain details of the medical treatment given to the patient.
confirm whether or not the record is complete, accurate, and made in the ordinary course of business.
You are a nurse who works on 3West during the day shift. One day, you had to work the night shift because they were shorthanded. However, you were unable to access the EHR. What type of access control(s) are being used? - role-based - user-based - context-based - either user- or role-based
context-based
When a health care facility fails to investigate the qualifications of a physician hired to work as an independent contractor in the emergency room and is accused of negligence, the health care facility can be held liable under - general negligence. - corporate negligence. - respondeat superior. - contributory negligence.
corporate negligence.
Alisa has trouble remembering her password. She is trying to come up with a solution that will help her remember. Which one of the following would be the BEST practice? - using her daughter's name for her password - using the word "password" for her password - writing the complex password on the last page of her calendar - creating a password that utilizes a combination of letters and numbers
creating a password that utilizes a combination of letters and numbers
In a recent review, it was determined that the EHR is essential to the operations of the home health agency. What type of review is this? - risk assessment - risk analysis - emergency mode operation plan - criticality analysis
criticality analysis
A valid authorization for the disclosure of health information should not be - dated prior to discharge of the patient. - in writing. - signed by the patient. - addressed to the health care provider.
dated prior to discharge of the patient.
In electronic health records, authentication may be achieved by - verbal statement. - digital signature, handwritten signature, and verbal statement. - digital signature. - handwritten signature.
digital signature
You are the director of the Health Information Management Department for Bayshore Hospital. A former patient of the hospital, Barbara Masters, is suing the hospital for negligent care of an infected decubitus ulcer. You are asked by Barbara's attorney to provide sworn verbal testimony and/or written answers to questions. Referring to Case Study #2, what phase of the lawsuit are you involved in? - trial - discovery - pretrial conference - appeal
discovery.
The proper method for correcting a documentation error in a medical record is for the author to - white it out, date, and initial the change. - draw an "X" through the incorrect documentation. - draw a single line through the incorrect information, date, and initial the change. - remove the form from the chart and add a revised form.
draw a single line through the incorrect information, date, and initial the change.
All of the following are elements of a contract EXCEPT - acceptance. - duty. - price/consideration. - offer/communication.
duty
Spoliation is the term that refers to the wrongful destruction of evidence or the failure to preserve property, which addresses which of the following methods of discovery? - deposition - interrogatories - request for admissions - e-discovery
e-discovery
AHIMA and HIMSS recommend that organizations participating in HIE take all of the following steps to reduce the risk of unauthorized disclosures EXCEPT - conduct a risk analysis to evaluate potential risks. - create a policy and procedure to manage HIE within the organization. - ensure that all HIE participants have full access to patient information. - educate/train the workforce.
ensure that all HIE participants have full access to patient information.
A risk manager needs to locate a full report of a patient's fall from his bed, including witness reports and probable reasons for the fall. She would most likely find this information in the - incident report. - nurses' notes. - doctors' progress notes. - integrated progress notes.
incident report
A mechanism to ensure that PHI has not been altered or destroyed inappropriately has been established. This process is called - access control. - integrity. - entity authentication. - audit controls.
integrity
Joint Commission requires the attending physician to countersign health record documentation that is entered by - consulting physicians. - physician partners. - interns or medical students. - business associates.
interns or medical students
You are the director of the Health Information Management Department for Bayshore Hospital. A former patient of the hospital, Barbara Masters, is suing the hospital for negligent care of an infected decubitus ulcer. You are asked by Barbara's attorney to provide sworn verbal testimony and/or written answers to questions. Referring to Case Study #2, the written answers to questions you have been asked to provide are known as a(n) - interrogatory. - deposition. - physical and mental examination. - court order.
interrogatory.
John is a 45-year-old male who is mentally retarded. Who can authorize release of his health record? - John - legal guardian - John's sister - executive of his will
legal guardian.
An effective monitoring program contains which of the following? - log-ins to be reviewed - outlining how employees suspected of a breach will be confronted - training employees on what a breach is and the importance of security of ePHI - installation of software that will monitor for and remove malware from any system that contains ePHI
outlining how employees suspected of a breach will be confronted
Substance abuse records cannot be redisclosed by a receiving facility to another health care facility unless the - physician signs the DNR form. - patient expires at the receiving facility. - patient gives written consent. - charge nurse signs the release form.
patient gives written consent.
The HIM director received an e-mail from the technology support services department about her e-mail being full and asking for her password. The director contacted tech support and it was confirmed that their department did not send this e-mail. This is an example of what type of malware? - phishing - spyware - denial of service - virus
phishing.
You are the director of the Health Information Management Department for Bayshore Hospital. A former patient of the hospital, Barbara Masters, is suing the hospital for negligent care of an infected decubitus ulcer. You are asked by Barbara's attorney to provide sworn verbal testimony and/or written answers to questions. Referring to Case Study #2, Barbara Masters is the _____________ in this case. - plaintiff - appellee - defendant - appellant
plaintiff.
A pharmacist at your facility was caught running a drug ring. The pharmacist filled orders of valuable medications with cheap outdated ones purchased on the Internet and then sold the good drugs for profit. Patients have been injured and the lawsuits are starting. Unfortunately, your facility is going to be held responsible for the pharmacist's negligent acts under the doctrine of - adjudicus res. - res ipsa loquitur. - respondeat superior. - stare decisis.
res ipsa loquitur.
You work for a 60-bed hospital in a rural community. You are conducting research on what you need to do to comply with HIPAA. You are afraid that you will have to implement all of the steps that your friend at a 900-bed teaching hospital is implementing at his facility. You continue reading and learn that you only have to implement what is prudent and reasonable for your facility. This is called - access control. - risk assessment. - scalable. - technology neutral.
scalable.
Case Study #1: Dr. Roberts, an orthopedic surgeon, and Nurse Parrish, head nurse on the orthopedic surgery unit, have had an acrimonious working relationship for years. While making rounds on the unit, Dr. Roberts discovered that the physical therapy evaluation he had ordered for one of his patients had not been performed and became outraged. Even though he did not have proof, Dr. Roberts placed the blame for the missed evaluation with Nurse Parrish. Dr. Roberts wrote in the patient's medical record that Nurse Parrish failed to properly order the physical therapy evaluation because she was incompetent and could not be trusted to carry out even the simplest order. After having read Dr. Roberts's note, Nurse Parrish countered by making a disparaging remark about Dr. Roberts to the medical personnel at the nurses' station. Nurse Parrish stated that Dr. Roberts was the one who was incompetent and was responsible for the needless suffering of countless patients over the years. Referring to Case Study #1, the oral statement by Nurse Parrish about Dr. Roberts's professional practices at the nurses' station can constitute - defamation. - slander. - libel. - perjury.
slander.
HIM personnel charged with the responsibility of bringing a medical record to court would ordinarily do so in answer to a - deposition. - personal subpoena. - judgment. - subpoena duces tecum.
subpoena duces tecum.
Before we can go any further with our risk analysis, we need to determine what systems/information need to be protected. This step is known as - risk determination. - system characterization. - vulnerability. - control analysis.
system characterization.
Elements of a breach notification should include all of the following EXCEPT - a description of what occurred, including the date of the breach and the date the breach was discovered. - steps individuals should take in order to protect themselves. - the name of the individual within the entity responsible for the breach so that a civil claim can be filed against the individual. - what the entity is doing to investigate, mitigate, and prevent future occurrences.
the name of the individual within the entity responsible for the breach so that a civil claim can be filed against the individual.
Which of the following health care systems have to comply with the requirements of the Freedom of Information Act? - physicians' offices - veterans' hospitals - private hospitals - single-day surgery clinics
veterans' hospitals
The data on a hard drive were erased by a corrupted file that had been attached to an e-mail message. Which of the following can be used to prevent this? - virus checker - acceptance testing - encryption - messaging standards
virus checker
Before an employee can be given access to the EHR, someone has to determine what the employee is allowed to have access to. What is this known as? - authentication - workforce clearance procedure - authorization - health care clearinghouse
workforce clearance procedure
You have been assigned the responsibility of performing an audit to confirm that all of the workforce's access is appropriate for their role in the organization. This process is called - risk assessment. - workforce clearance procedure. - information system activity review. - information access management.
workforce clearance procedure.