RHIT Domain 5

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

A(n) ________ is imposed on providers by the OIG when fraud and abuse is discovered through an audit or self-disclosure. a. Corporate Integrity Agreement b. OIG Workplan c. Red Flags Rule d. Resource Agreement

a A corporate integrity agreement (CIA) is essentially a compliance program imposed by the government, with substantial government oversight and outside expert involvement in the organization's compliance activities. The OIG negotiates CIAs with health care providers and other entities as part of the settlement of federal health care program investigations arising under a variety of civil false claims statutes. Providers or entities agree to the obligations, and in exchange, OIG agrees not to seek their exclusion from participation in Medicare, Medicaid, or other federal healthcare programs (Bowman 2017, 460).

The leaders of a healthcare organization are expected to select an organization-wide performance improvement approach and to clearly define how all levels of the organization will monitor and address improvement issues. The Joint Commission requires ongoing data collection that might require improvement for which of the following areas? a. Operative and other invasive procedures, medication management, and blood and blood product use b. Blood and blood product use, medication management, and appointment to the board of directors c. Medication management, marketing strategy, and blood use d. Operative and other invasive procedures, appointments to the board of directors, and restraint and seclusion use

a Appointments to the Board of Directors is important information, but the Joint Commission requires detailed information on the responsibilities and actions of the Board, not necessarily its composition. The Joint Commission requires healthcare organizations to collect data on each of these areas: medication management, blood and blood product use, restraint and seclusion use, behavior management and treatment, operative and other invasive procedures, and resuscitation and its outcomes (Shaw and Carter 2015, 378, 382).

Organizations use of audits in data analysis in order to ensure compliance with policies and procedures is a component of: a. Internal monitoring b. Benchmarking c. Corrective action d. Educating staff

a As part of an effective compliance plan organizations must perform internal monitoring. These organizations must be diligent to ensure compliance with policies and procedures, such as through the use of audits and data analysis (Foltz et al. 2016, 458).

Calling out patient names in a physician's office is: a. An incidental disclosure b. Not subject to the minimum necessary requirement c. A disclosure for payment purposes d. An automatic violation of the HIPAA Privacy Rule

a Calling out patients' names in a physician office is an incidental disclosure because it occurs as part of office operations. It is permitted as long as the information disclosed is the minimum necessary (Rinehart-Thompson 2016b, 238).

Which of the following is a good question for a supervisor of coding to ask when evaluating potential fraud or abuse risk areas in the coding area? a. Are the assigned codes supported by the health record documentation? b. Does the hospital have a compliance plan? c. How many claims have not been coded? d. Which members of the medical staff have the most admissions to the hospital?

a Codes are used to determine reimbursement, therefore code assignment is critical. Assigning the incorrect codes with the intent of receiving more money is fraudulent. The coding supervisor should regularly compare assigned codes to health record documentation to ensure compliance (Foltz et al. 2016, 461).

Sarah, a new graduate of a health information technology program, sits for the registered health information technician (RHIT) exam and fails. She does not want her employer to know she failed and tells her coworkers she passed the examination. Sarah then starts using the RHIT credential after her name in work correspondence. A coworker, Nancy, discovers that Sarah is using the RHIT credential fraudulently and notifies the supervisor, Joan. What is the responsibility of Nancy and Joan in this situation? a. Contact AHIMA and report the abuse b. Contact the state licensing division c. Contact the office of the inspector general d. Contact the HIT program

a HIM professionals should be guided by the AHIMA Code of Ethics in making ethical decisions that relate to the HIM profession. In this situation, Joan and Nancy should contact AHIMA and report the abuse (Gordon and Gordon 2016c, 614).

A coder's misrepresentation of the patient's clinical picture through intentional incorrect coding or the omission of diagnosis or procedure codes would be an example of: a. Healthcare fraud b. Payment optimization c. Payment reduction d. Healthcare creativity

a Healthcare fraud is an intended and deliberate deception or misrepresentation by a provider, or by representative of a provider, that results in a false or fictitious claim. These false claims then result in an inappropriate payment by Medicare or other insurers (Foltz et al. 2016, 448).

The deception or misrepresentation by a healthcare provider that may result in a false or fictitious claim for inappropriate payment by Medicare or other insurers for items or services either not rendered or rendered to a lesser extent than described in the claim is: a. Healthcare fraud b. Optimization c. Upcoding d. Healthcare abuse

a Healthcare fraud is defined as an intentional representation that an individual knows to be false or does not believe to be true and makes, knowing that the representation could result in some unauthorized benefit to himself or herself or some other person. An example of fraud is billing for a service that was not furnished (Casto and Forrestal 2015, 36).

Which of the following is an example of a common form of healthcare fraud and abuse? a. Billing for services not furnished to patients b. Clinical documentation improvement c. Refiling claims after denials d. Use of a claim scrubber prior to submitting bills

a Healthcare fraud is defined as an intentional representation that an individual knows to be false or does not believe to be true and makes, knowing that the representation could result in some unauthorized benefit to himself or herself or some other person. An example of fraud is billing for a service that was not furnished. The other three options are acceptable practices for healthcare organizations to use to effectively manage their revenue cycles (Casto and Forrestal 2015, 36).

Mary's PHI has been breached. She must be informed of all of the following except: a. Who committed the breach b. Date the breach was discovered c. Types of unsecured PHI involved d. What she may do to protect herself

a Individuals who are notified that their PHI has been breached must be given a description of what occurred (including date of breach and date that breach was discovered); the types of unsecured PHI that were involved (such as name, Social Security number, date of birth, home address, account number); steps that the individual may take to protect himself or herself; what the entity is doing to investigate, mitigate, and prevent future occurrences; and contact information for the individual to ask questions and receive updates (Rinehart- Thompson 2016b, 240).

Medical identity theft includes which of the following: a. Using another person's name to obtain durable medical equipment b. Purchasing an EHR c. Purchasing surgical equipment d. Using another healthcare provider's national provider identifier to submit a claim

a Medical identity theft is a crime that challenges healthcare organizations and the health information profession. A type of healthcare fraud that includes both financial fraud and identity theft, it involves either (a) the inappropriate or unauthorized misrepresentation of one's identity (for example, the use of one's name and Social Security number) to obtain medical services or goods, or (b) the falsifying of claims for medical services in an attempt to obtain money (Rinehart-Thompson 2016b, 247).

Which type of identity theft occurs when a patient uses another person's name and insurance information to receive healthcare benefits? a. Medical b. Financial c. Criminal d. Health

a Medical identity theft occurs when a patient uses another person's name and insurance information to receive healthcare benefits. Most often this is done so a person can receive healthcare with an insurance benefit and pay less or nothing for the care received (Rinehart- Thompson 2016b, 247).

Which item below is not recommended by the HHS and the OIG for minimum compliance with clinical documentation regulations? a. Physicians should include vaccination records b. Progress, response, and changes are to be documented c. Health record should be completely legible d. Past and present diagnosis should be easily accessible

a Progress, response, and changes to the patient's condition must be documented. All health records should be completely legible and accessible to patient and present diagnosis information. These are all required elements of the Medicare Conditions of Participation. Physician inclusion of vaccination records is not mandated (Hess 2015, 7).

Which of the following is part of qualitative analysis review? a. Checking that only approved abbreviations are used b. Checking that all forms and reports are present c. Checking that documents have patient identification information d. Checking that reports requiring authentication have signatures

a Qualitative analysis is about the quality of the documentation including the use of approved abbreviations (Sayles 2016b, 63).

Using data mining, an RAC makes a claim determination at the system-level without a human review of the health record. This type of review is called: a. Automated review b. Complex review c. Detailed review d. Systematic review

a RACs conduct three types of audits: automated reviews, semi-automated reviews, and complex reviews. An automated review occurs when an RAC makes a claim determination at the system level without a human review of the health record, such as data mining. Errors found must be clearly non-covered services or incorrect applications of coding rules and must be supported by Medicare policy, approved article, or coding guidance (Foltz et al. 2016, 453-454).

A Recovery Auditing Contractor (RAC) is conducting a review of claims for improper payment at Wildcat Hospital. The review is performed electronically utilizing a software program that analyzes claims data to identify proper payments. This type of review is referred to as: a. Automated review b. Complex review c. Semi-automated review d. Semi-complex review

a Recovery Audit Contractor (RAC) is a governmental program whose goal is to identify improper payments made on claims of healthcare services provided to Medicare beneficiaries. Improper payments may be overpayments or underpayments. Automated reviews are performed electronically rather than by humans. A software program analyzes claims data to identify improper payments (Foltz et al. 2016, 453-454).

Risk determination considers the factors of: a. Likelihood and impact b. Risk prioritization and control recommendations c. Risk prioritization and impact d. Likelihood and control recommendations

a Risk determination considers how likely is it that a particular threat will actually occur and, if it does occur, how great its impact or severity will be. Risk determination quantifies an organization's threats and enables it to both prioritize its risks and appropriately allocate its limited resources (namely, people, time, and money) accordingly (Rinehart-Thompson 2013, 124).

Community hospital is looking for ways to increase physician referrals. One board member suggested that they offer local physician $100 for every patient referred to the hospital for care. If the hospital goes ahead with the board member's suggestion, what statute is the hospital violating? a. Anti-Kickback Statute b. False Claims Act c. Health Insurance Portability and Accountability Act d. Red Flags Rule

a The Anti-Kickback Statute dictates that physicians cannot receive money or other benefits for referring patients to a healthcare facility. In this example, a hospital cannot give a physician $100 for every patient referred to the hospital for care (Foltz et al. 2016, 449).

Which of the following can be used to discover current risk or focused areas of compliance? a. The OIG workplan b. AHA newsletter c. HIPAA Privacy Rule d. Local medical review policy

a The OIG workplan should be reviewed each year. This document provides insight into the directions the OIG is taking, as well as highlights hot areas of compliance (Casto and Forrestal 2015, 40).

Which of the following groups are included in the feedback loop between denials, management, and clinical documentation improvement (CDI) program staff? a. Compliance b. Office of the Inspector General c. Center for Medicare and Medicaid Services d. Payers

a The clinical documentation improvement (CDI) manager should coordinate a feedback loop with functional managers that involved reporting data from the department to CDI and then from CDI back to the department. The three areas for CDI best practices include operationalizing feedback loops with denials management, compliance, and HIM (Hess 2015, 242).

In developing a monitoring program for inpatient coding compliance, which of the following should be regularly audited? a. ICD-10-CM and ICD-10-PCS coding b. CPT/HCPCS and LOINC coding c. ICD-10-CM and SNOMED coding d. CPT/HCPCS and ICD-10-PCS coding

a The corporate compliance program addresses the coding function. Because the accuracy and completeness of ICD-10-CM and ICD-10-PCS for inpatient code assignment determine the provider payment, the coding compliance program should regularly audit these codes. It is important that healthcare organizations have a strong coding compliance program (Foltz et al. 2016, 462).

Per the Fair and Accurate Credit Transactions Act (FACTA), which of the following is not a red flag category? a. An account held by a person who is over 80 years old b. Warnings from a consumer-reporting agency c. Unusual activity relating to a covered account d. Suspicious documents

a The federal Fair and Accurate Credit Transactions Act (FACTA) requires financial institutions and creditors to develop and implement written identity theft programs that identify, detect, and respond to red flags that may signal the presence of identity theft. There are five categories of red flags that are used as triggers to alert the organization to a potential identity theft (16 CFR Part 681). The categories are: Alerts, notifications, or warnings from a consumer reporting agency; Suspicious documents; Suspicious personally identifying information such as a suspicious address; Unusual use of, or suspicious activity relating to, a covered account; Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with an account (Rinehart-Thompson 2016b, 248).

The goal of coding compliance programs is to prevent: a. Accusations of fraud and abuse b. Delays in claims processing c. Billing errors d. Inaccurate code assignments

a The government and other third-party payers are concerned about potential fraud and abuse in claims processing. Therefore, ensuring that bills and claims are accurate and correctly presented is an important focus of healthcare compliance (Foltz et al. 2016, 462).

Quality Improvement Organizations perform medical peer review of Medicare and Medicaid claims through a review of which of the following? a. Validity of hospital diagnosis and procedure coding data completeness b. Appropriateness of EHR used c. Policies, procedures and standards of conduct d. Professional standards

a The responsibilities of the quality improvement organizations include reviewing health records to confirm the validity of hospital diagnosis and procedure coding data completeness (Foltz et al. 2016, 454).

Our computer system just notified us that Mary Burchfield has just looked up another patient with the same last name. This notification is called a(n): a. Trigger b. Audit reduction tool c. Integrity d. Audit control

a The security audit process should include triggers that identify the need for a closer inspection. These trigger events cannot be used as the sole basis of the review, but they can significantly reduce the amount of reviews performed. An example of a trigger is when a user has same last name as patient (Sayles and Trawick 2014, 215-216).

Which of the following is a legal concern regarding the EHR? a. Ability to subpoena audit trails b. Template design c. ANSI standards d. Data sets

a There are a number of legal issues facing the electronic health record (EHR). State laws vary as to what is and is not acceptable in a court of law regarding EHRs. Healthcare providers frequently receive subpoenas requesting the production of the health record. The subpoena may require the production of audit trails (Sayles and Trawick 2014, 178-179).

A provider's office calls to retrieve emergency room records for a patient's follow-up appointment. The HIM professional refused to release the emergency room records without a written authorization from the patient. Was this action in compliance? a. No; the records are needed for continued care of the patient, so no authorization is required b. Yes; the release of all records requires written authorization from the patient c. No; permission of the ER physician was not obtained d. Yes; one covered entity cannot request the records from another covered entity

a Treatment, payment, and operations (TPO) is an important concept because the Privacy Rule provides a number of exceptions for PHI that is being used or disclosed for TPO purposes. Treatment means providing, coordinating, or managing healthcare or healthcare-related services by one or more healthcare providers (Rinehart-Thompson 2016b, 223).

The Breach Notification Rule requires covered entities to do which of the following: a. Notify affected individuals when a breach occurs b. Establish a policy on minimum necessary c. Provide each patient with a new notice of privacy practices d. Assign a new patient record number

a When a breach occurs, facilities must notify affected individuals. Facilities do not need to create a new health record number for each patient, provide a new copy of the Notice of Privacy Practices, or establish a policy on minimum necessary (Rinehart-Thompson 2016b, 239-240).

A hospital receives a valid request from a patient for copies of her health records. The HIM clerk who is preparing the records removes copies of the patient's records from another hospital where the patient was previously treated. According to HIPAA regulations, was this action correct? a. No; the records from the previous hospital are considered to be included in the designated record set and should be given to the patient. b. Yes; this is hospital policy for which HIPAA has no control. c. No; the records from the previous hospital are not included in the designated record set but should be released anyway. d. Yes; HIPAA only requires that current records be produced for the patient.

a When other healthcare providers provide records, it is done to ensure the continuity of care for the individual. Many covered entities either include the whole file or copies of the file as part of the covered entity's record, with the assumption that the treating physician has used some or all of the records to decide how to treat the patient. Any copies that are included with the records of the individual are, therefore, considered part of the individual's designated record set and should be released (Thomason 2013, 99).

Which of the following is an investigational technique that facilitates the identification of the various factors that contribute to a problem? a. Affinity grouping b. Cause-and-effect diagram c. Force-field analysis d. Nominal group technique

b A cause-and-effect diagram is an investigational technique that facilitates the identification of the various factors that contribute to a problem (Carter and Palmer 2016, 515).

A patient was taken into surgery at a local hospital for treatment of colon cancer. A large section of the colon was removed during surgery and the patient was taken to the medical floor after surgery. Within the first 24 hours post-op, the patient developed fever, chills, and abdominal pain. An abdominal CT scan revealed the presence of a foreign body. This situation describes a: a. Near miss b. Sentinel event c. Security incident d. Time out

b A sentinel event includes any process variation for which a recurrence would carry a significant chance of serious adverse outcome. Such events are called "sentinel" because they signal the need for immediate investigation and response. Examples of sentinel events include infant abduction from the nursery or a foreign body left in a patient from surgery (Shaw and Carter 2015, 221).

Per the HITECH breach notification requirements, what is the threshold for the immediate notification of each individual? a. 1,000 individuals affected b. 500 individuals affected c. 250 individuals affected d. Any number of individuals affected requires individual notification.

b All individuals whose information has been breached must be notified without unreasonable delay, and not more than 60 days, by first-class mail or a faster method (such as telephone) if there is the potential for imminent misuse. If 500 or more individuals are affected, they must be individually notified immediately and media outlets must be used as a notification mechanism as well. The Secretary of HHS must specifically be notified of the breach (AHIMA 2009; Rinehart-Thompson 2016b, 240).

In developing an internal coding audit review program, which of the following would be risk areas that should be targeted for audit? a. Admission diagnosis and complaints b. Chargemaster description and medical necessity c. Clinical laboratory results d. Radiology orders

b An auditing process identifies risk areas such as chargemaster description, medical necessity, MS-DRG coding accuracy, variations in case mix, and the like. Admission diagnosis and complaints, clinical laboratory results, and radiology orders are not risk areas that should be targeted for audit (Foltz et al. 2016, 458-459).

During an audit of health records, the HIM director finds that transcribed reports are being changed by the author up to a week after initial transcription. To remedy this situation, the HIM director should recommend which of the following? a. Immediately stop the practice of changing transcribed reports b. Develop a facility policy that defines the acceptable period of time allowed for a transcribed document to remain in draft form c. Conduct a verification audit d. Alert hospital legal counsel of the practice

b An example of unethical documentation in healthcare is retrospective documentation— when healthcare providers add documentation after care has been given, possibly for the purpose of increasing reimbursement or avoiding a medical legal action. The HIM professional is responsible for maintaining accurate and complete records and is able to identify the occurrence and either correct the error or indicate that the entry is a late entry into the health record (Gordon and Gordon 2016c, 615).

A facility recently submitted two claims for the same service for a patient's recent encounter for chemotherapy. If the third-party payer pays both of these claims, the facility will receive a higher reimbursement than deserved. This is called: a. Appropriate payment b. Overpayment c. Unbundling d. Waste

b An overpayment occurs when a facility receives higher reimbursement than the facility deserves. One example of this is when a facility submits two or more claims for the same service (Foltz et al. 2016, 450).

The breach notification requirement applies to: a. All PHI b. Unsecured PHI only c. Electronic PHI only d. PHI on paper only

b Breach notification requirements only apply to unsecured PHI that technology has not made unusable, unreadable, or indecipherable to unauthorized persons. This PHI is considered to be the most at-risk (Rinehart-Thompson 2016b, 240).

What is the goal of the clinical documentation improvement (CDI) compliance review? a. To ensure adequate CDI improvement b. Compliant query generation and physician responses c. To ensure corrective action for any compliance concerns d. To ensure compliance between CDI program staff

b Clinical documentation improvement (CDI) should be part of the organizational compliance program. The goal of a CDI compliance review is to monitor compliant query generation and physician responses (Hess 2015, 221-222).

The evaluation of coders is recommended at least quarterly for the purpose of measurement and assurance of: a. Speed b. Data quality and integrity c. Accuracy d. Effective relationships with physicians and facility personnel

b Coders should be evaluated at least quarterly, with appropriate training needs identified, facilitated, and reassessed over time. Only through this continuous process of evaluation can data quality and integrity be accurately measured and ensured (Schraffenberger and Kuehn 2011, 270).

Which of the following practices is an appropriate coding compliance activity? a. Reviewing all accurately paid claims b. Developing procedures for identifying coding errors c. Providing a financial incentive for coding claims improperly d. Instruct coders to code diagnoses and submit the bill before all applicable information is documented in the health record

b Coding compliance activities would not include a financial incentive for coders to commit fraud, to code diagnoses and procedures before documentation is complete, or to spend resources reviewing accurately paid claims. Providing a financial incentive to coders for coding claims improperly would be against any coding compliance plan and would also be a violation of AHIMA's Standards of Ethical Coding. One of the basic elements of a coding compliance program includes developing policies and procedures for identifying coding errors (Foltz et al. 2016, 461-462).

How many basic elements are included in an effective compliance program? a. Five b. Seven c. Nine d. Three

b Each healthcare facility should have a compliance program. There are seven basic elements that should be included in an effective compliance program. These include: policies, procedures and standards of conduct; identifying a compliance officer and committee; educating staff; establish communication channels; perform internal monitoring; penalties for noncompliance with standards; and taking immediate corrective action when a problem is identified (Fotlz et al. 2016, 457-458).

Each healthcare organization must identify and prioritize which processes and outcomes (in other words, which types of data) are important to monitor. This data collection should be based on the scope of care and services they provide and: a. The number of employees they employ b. Their mission c. The QI methodology used d. Their accreditation status

b Each healthcare organization must identify and prioritize which processes and outcomes are important to monitor on the basis of its mission and the scope of care and services it provides (Shaw and Carter 2015, 27-28).

The clinical documentation improvement (CDI) program must keep high-quality records of the query process for: a. Revenue cycle analysis b. Compliance issues c. Chart deficiency tracking d. Reducing the workload on HIM

b Every organization should apply the same criteria for high-quality clinical documentation to the recording of clinical documentation improvement (CDI) program activities (queries and case notes) as it does to the review of clinical documentation. Maintaining thorough query documentation is necessary for compliance purposes (Hess 2015, 241-242).

The Joint Commission is conducting an audit at Community Hospital to determine the hospital's compliance with The Joint Commission standards regarding patient rights. This is an example of a(n): a. Complex review b. External audit c. Internal audit d. Casefinding review

b External audits are conducted by accreditation, insurance companies, or other organizations monitoring the healthcare provider for compliance with their standards and regulations. In this scenario The Joint Commission is doing an external audit to determine compliance with The Joint Commission standards regarding patients' rights (Foltz et al. 2016, 461).

A pharmacist who submits Medicaid claims for reimbursement on brand name drugs when less expensive generic drugs were actually dispensed has committed the crime of: a. Criminal negligence b. Fraud c. Perjury d. Products' liability

b Fraud in healthcare is defined as a deliberate false representation of fact, a failure to disclose a fact that is material (relevant) to a healthcare transaction, damage to another party that reasonably relies on the misrepresentation, or failure to disclose. This situation would fall under category 2 (Foltz et al. 2016, 448).

Examples of high-risk billing practices that create compliance risks for healthcare organizations include all except which of the following? a. Altered claim forms b. Returned overpayments c. Duplicate billings d. Unbundled procedures

b Fraudulent billing practices represent a major compliance risk for healthcare organizations. High-risk billing practices include: billing for noncovered services, altered claim forms, duplicate billing, misrepresentation of facts on a claim form, failing to return overpayments, unbundling, billing for medically unnecessary services, overcoding and upcoding, billing for items or services not rendered, and false cost reports (Bowman 2017, 440-441, 466).

Detailed query documentation can be used to: a. Protect the hospital from lawsuits b. Protect the hospital against claims from physicians about leading queries c. Show the effects of follow-up training d. Protect the auditor from corrective action

b Healthcare organizations should keep detailed query data. There should be documented evidence of all queries the clinical documentation improvement (CDI) specialists ask, to whom they ask them, the clinical documentation or information supporting the query, and responses to queries. Detailed query documentation can also protect the hospital when against claims from physicians about leading queries (Hess 2015, 209).

The process that involves ongoing surveillance and prevention of infections so as to ensure the quality and safety of healthcare for patients and employees is known as: a. Case management b. Infection control c. Risk management d. Utilization management

b Infection control is a system for the prevention of communicable diseases that concentrates on protecting healthcare workers and patients against exposure to disease causing organisms and promotes compliance with applicable legal requirements through early identification of potential sources of contamination and implementation of policies and procedures that limit the spread of disease (AHIMA 2014, 78).

If an HIM department acts in deliberate ignorance or in disregard of official coding guidelines, it may be committing: a. Abuse b. Fraud c. Malpractice d. Kickbacks

b Medicare defines fraud as an intentional representation that an individual knows to be false or does not believe to be true but makes, knowing that the representation could result in some unauthorized benefit to himself or herself or some other person. Disregard for official coding guidelines would be considered fraud (Casto and Forrestal 2015, 36).

Which of the following should be the first step in any quality improvement process? a. Analyzing the problem b. Identifying the performance measures c. Developing an alternative solution d. Deciding on the best solution

b Most quality improvement methodologies recognize that the organization must identify and continuously monitor the important organizational and patient-focused functions that they perform. The first step in this process is to identify performance measures (Shaw and Carter 2015, 45).

In developing an internal audit review program, which of the following would be risk areas that should be targeted for audit? a. Admission diagnosis and complaints b. Chargemaster description c. Clinical laboratory results d. Radiology orders

b One of the elements of the auditing process is identification of risk areas. Selecting the types of cases to review is also important. Examples of various case selection possibilities include chargemaster description for accuracy (Foltz et al. 2016, 458-459).

The process that is followed to mitigate and fix issues that arise during a review of systems that contain PHI to reduce vulnerabilities is called: a. Risk analysis b. Risk management c. Results documentation d. Recommendations for controls

b One strategy in protecting the organization's data is to establish a risk management program. Risk management encompasses the identification, evaluation, and control of risks that are inherent in unexpected and inappropriate events (Rinehart-Thompson 2016c, 260).

Which of the following is the principal goal of internal auditing programs for billing and coding? a. Increase revenues b. Protect providers from sanctions or fines c. Improve patient care d. Limit unnecessary changes to the chargemaster

b Ongoing evaluation is critical to successful coding and billing for third-party payer reimbursement. In the past, the goal of internal audit programs was to increase revenues for the provider. Today, the goal is to protect providers from sanctions or fines. Healthcare organizations can implement monitoring programs by conducting regular, periodic audits (Foltz et al. 2016, 457-458).

If a patient notices an unknown item in the explanation of benefits they receive from an insurance company and they do not recognize the service being paid for, the patient should: a. Not do anything b. Contact the insurer and the provider who billed for the services to correct the information c. Contact the police d. Contact human resources and let them know there has been a mistake

b Patients should review and monitor the information found within their explanation of benefits (EOBs). Patients should not assume that their healthcare services have been accurately submitted to and paid by their insurance companies as claims submission is an error-prone process (Casto and Forrestal 2015, 73).

A cause-and-effect diagram is an investigational technique that facilitates the identification of the various factors that contribute to a problem (Carter and Palmer 2016, 515).

b Physicians and other practitioners are notified when they have incomplete health records requiring their attention. If a health record remains incomplete for a specified number of days, as defined in the medical staff rules and regulations, the record is considered to be a delinquent record (Sayles 2016b, 64-65).

HHS has identified a healthcare facility guilty of fraud. HHS saw that the facility tried to comply but their efforts failed. What category does this fall into? a. Reasonable cause b. Reasonable diligence c. Willful neglect d. Abuse

b Reasonable diligence is when the healthcare provider has taken reasonable actions to comply with the legislative requirements (Foltz et al. 2016, 451).

The Medicare Integrity Program was established to battle fraud and abuse and is charged with which of the following responsibilities? a. Audit of expense reports and notifying beneficiaries of their rights b. Payment determinations and audit of cost reports c. Publishing of new coding guidelines and code changes d. Monitoring of physician credentials and payment determinations

b The Medicare Integrity Program was established under the HIPAA legislation to battle healthcare fraud and abuse. Not only did Medicare continue to review provider claims for fraud and abuse, but the focus expanded to cost reports, payment determinations, and the need for ongoing compliance education (Casto and Forrestal 2015, 37).

The National Patient Safety Goals (NPSGs) have effectively mandated all healthcare organizations to examine care processes that have a potential for error that can cause injury to patients. Which of the following processes are included in the NPSGs? a. Identify patients correctly, prevent infection, and file claims for reimbursement b. Check patient medicines, prevent infection, and identify patients correctly c. File claims for reimbursement, check patient medicines, and improve staff communication d. Improve staff communication, process claims timely, and prevent infection

b The National Patient Safety Goals (NPSGs) have effectively mandated all healthcare organizations examine care processes that have a potential for error and can cause injury to patients. The NPSGs include identifying patients correctly, improving staff communication, using medicines safely, preventing infection, checking patient medicines, preventing patients from falling, preventing bed sores, and identifying patient safety risks (Shaw and Carter 2015, 174).

A group practice has hired an HIT as its chief compliance officer. The current compliance program includes written standards of conduct and policies, and procedures that address specific areas of potential fraud. It also has audits in place to monitor compliance. Which of the following should the compliance officer also ensure are in place? a. A bonus program for coders who code charts with higher paying MS-DRGs b. A hotline to receive complaints and adoption of procedures to protect whistleblowers from retaliation c. Procedures to adequately identify individuals who make complaints so that appropriate followup can be conducted d. A corporate compliance committee that reports directly to the CFO

b The OIG has outlined seven elements as the minimum necessary for a comprehensive compliance program. One of the seven elements is the maintenance of a process, such as a hotline, to receive complaints and the adoption of procedures to protect the anonymity of complainants and to protect whistleblowers from retaliation (Foltz et al. 2016, 457; Casto and Forrestal 2015, 37).

Corporate compliance programs became common after adoption of which of the following? a. False Claims Act b. Federal Sentencing Guidelines c. Office of the Inspector General for HHS d. Federal Physician Self-Referral Statute

b The U.S. Federal Sentencing Guidelines outline seven steps as the hallmark of an effective program to prevent and detect violations of law. These seven steps were the basis for the OIG's recommendations regarding the fundamental elements of an effective compliance program (Bowman 2017, 463).

What is one key component of a compliant clinical documentation improvement program? a. Detailed review of Joint Commission findings b. Documented, mandatory physician education c. Revenue cycle team involvement d. Exceeding query response targets

b There are three components an organization should include early in the implementation of a compliant clinical documentation improvement (CDI) program. These include: documented, mandatory physician education; detailed query documentation; CDI policies and procedures with annual sign-off from all program staff (Hess 2015, 208).

Which of the following situations is considered a breach of PHI? a. A nurse sees the record of a patient that she is not caring for b. A patient's attorney is sent records not authorized by that patient c. A nurse starts to place PHI in a public area where a patient is standing and immediately picks it up d. An HIM employee keys in the wrong health record number but closes it out as soon as it is realized

b There are three exceptions to a breach. All of these answers fall into one of these categories with the exception of the records sent to the patient's attorney. He does not work for the covered entity and an authorization is required (Rinehart-Thompson 2016b, 240).

City Hospital submitted 175 claims where they unbundled laboratory charges. They were overpaid by $75 on each claim. What is the fine for City Hospital? a. $40,300 b. $39,375 c. $26,250 d. $13,125

b Unbundling is the practice of using multiple codes to bill for the various individual steps in a single procedure rather than using a single code that includes all of the steps of the comprehensive procedure code. In this situation, the penalty is the overpayment of the $75 for all 175 claims overpaid as well as 3 times the total amount of the overpayment (175 × $75 = $13,125 then; $13,125 × 3 = $39,375) (Foltz et al. 2016, 450).

Exceptions to the Federal Anti-Kickback Statute that allow legitimate business arrangements and are not subject to prosecution are: a. Qui tam practices b. Safe practices c. Safe harbors d. Exclusions

c A common theme runs through safe harbors and that is the intent to protect certain arrangements in which commercially reasonable items or services are exchanged for fair market value compensation. Safe harbors are an exception to the Federal Anti-Kickback Statute. Congress authorized HHS to establish additional safe harbors by regulation. These safe harbors are activities that are not subject to prosecution and protect the organization from civil or criminal penalties (Bowman 2017, 445).

Which of the following would be an example of a reviewable sentinel event? a. Incidence of hospital acquired infection b. Incidence of an unruly patient c. Incidence of infant abduction d. Incidence of blood transfusion reaction

c A sentinel event includes any process variation for which a recurrence would carry a significant chance of serious adverse outcome. Such events are called "sentinel" because they signal the need for immediate investigation and response. Examples of sentinel events include infant abduction from the nursery or a foreign body left in a patient from surgery (Shaw and Carter 2015, 221).

Healthcare abuse relates to practices that may result in: a. False representation of fact b. Failure to disclose a fact c. Medically unnecessary services d. Knowingly submitting altered claim forms

c Abuse occurs when a healthcare provider unknowingly or unintentionally submits an inaccurate claim for payment. Abuse generally results from unsound medical, business, or fiscal practices that directly or indirectly result in unnecessary costs to the Medicare program. The performance of medically unnecessary services and submitting them for payment would be an example of healthcare abuse (Casto and Forrestal 2015, 36).

Which of the following types of information include areas like genetics, adoption, and drug use that require special attention? a. Special information b. Scientific information c. Sensitive information d. Super information

c All health information must be protected; however, there is some information that requires special attention because it is considered sensitive health information such as genetic, adoptive, drug, alcohol, sexual health, and behavioral information. This type of information not only has strict rules and regulations, but also providers an ethical gray area when it comes to releasing and providing records (Gordon and Gordon 2016c, 618).

The organization that you work for just concluded an investigation of a USB thumb drive that was lost and contained a file with the information of 765 patients on it, including name, address, telephone number, and social security number. As the privacy officer, you are required to manage the notification process for the data breach. All of the following would need to be notified of this data breach within 60 days of the discovery except: a. Individual patients b. Local media c. Attending physicians of the patients d. Department of Health and Human Services

c All individuals whose information has been breached must be notified without unreasonable delay, and not more than 60 days, by first-class mail or a faster method such as by telephone if there is the potential for imminent misuse. If 500 or more individuals are affected they must be individually notified immediately and media outlets must be used as a notification mechanism as well. The Secretary of HHS must specifically be notified of the breach. The attending physicians of the patients do not need to be notified of the breach (Rinehart-Thompson 2016b, 240).

The nursing staff routinely sends text messages to attending physicians to clarify orders during the night shift. The HIM professional should recommend which of the following to refine the policy as the best practice for protecting information that is text messaged. a. Send a text message to more than one person b. Enter a person's telephone number each time a text message is sent to him c. Encrypt text messages during transmission d. Presume that telephone numbers stored in memory remain valid

c Although text messaging is often used in healthcare, it presents privacy and security risks. One best practice for text messaging in healthcare is to use encryption during transmission (Rinehart- Thompson 2013, 134-135).

The risk manager's principal tool for capturing the facts about potentially compensable events is the: a. Accident report b. RM report c. Incident report d. Event report

c An incident report is a structured data tool that risk managers use to gather information about potentially compensable events. Effective incident reports carefully structure the collection of data, information, and facts in a relatively simple format (Shaw and Carter 2015, 222).

Community Hospital is identifying strategies to minimize the security risks associated with employees leaving their workstations unattended. Which of the following solutions will minimize the security risk of unattended workstations? a. Use biometrics for access to the system. b. Implement firewall and virus protection. c. Implement automatic session terminations. d. Install encryption and similar devices.

c Automatic log-off is a security procedure that causes a computer session to end after a predetermined period of inactivity, such as 10 minutes. Multiple software products are available to allow network administrators to set automatic log-off parameters (Reynolds and Brodnik 2017, 277).

Why is it essential for members of the compliance team to be involved in the entire EHR implementation process? a. To ensure HIPAA compliance b. Evolving regulatory guidelines c. To monitor cut and paste documentation d. Reimbursement risk

c Because of compliance concerns, such as cutting and pasting documentation in the EHR, it is essential to ensure that a member of the compliance team is involved in the entire EHR implementation process, as well as the part of the process involving clinical documentation practice (Hess 2015, 269).

Coding policies should include which of the following elements? a. Lunch or break schedule b. How to access the computer system c. AHIMA Standards of Ethical Coding d. Nonofficial coding guidelines

c Coding policies should include the following components: AHIMA Code of Ethics, AHIMA Standards of Ethical Coding, Official Coding Guidelines, applicable federal and state regulations, internal documentation policies requiring the presence of physician documentation to support all coded diagnosis and procedure code assignments (Schraffenberger and Kuehn 2011, 384).

All of the following are measures used to track and assess clinical documentation improvement (CDI) programs except: a. Record review rate b. Physician query rate c. Record agreement rate d. Query agreement rate

c Each of these percentages should be tracked within the first few months of program operation. The target percentage may need adjustment over time as the CDS staff members become more familiar with their responsibilities and physician documentation improves. These percentages are record review rate, physician query rate, and query agreement rate (Hess 2015, 174-175).

In performing a coding audit, a health record technician discovers that an inpatient coder is assigning diagnosis and procedure codes specifically for the purpose of obtaining a higher level of reimbursement. The coder believes that this practice helps the hospital in increasing revenue. Which of the following should be done in this case? a. Compliment the coder for taking initiative in helping the hospital b. Report the coder to the FBI for coding fraud c. Counsel the coder and stop the practice immediately d. Provide the coder with incentive pay for her actions

c Ethical coding practices must be followed with appropriate employee counseling and remediation (Foltz et al. 2016, 458).

A local nonprofit community hospital is looking to do a fundraiser to add to their surgical center. HIPAA rules restrict activities related to fundraising for healthcare organizations. Which of the following must the hospital do to comply with the HIPAA requirements for fundraising? a. Fundraising materials do not have to include opt-out instructions b. Prior authorization is only required if individuals are not targeted based on diagnosis c. Individuals must be informed in the notice of privacy practices that their information may be used for fundraising purposes d. Authorization is never required for fundraising solicitations

c For fundraising activities that benefit the covered entity, the covered entity may use or disclose to a BA or an institutionally related foundation, without authorization, demographic information and dates of healthcare provided to an individual. However, the covered entity must inform individuals in its notice of privacy practices that PHI may be used for this purpose. It must also include in its fundraising materials instructions on how to opt out of receiving materials in the future (Rinehart-Thompson 2016b, 241).

When a staff member documents in the health record that an incident report was completed about a specific incident, in a legal proceeding how is the confidentiality of the incident report affected? a. There is no impact. b. The person making the entry in the health record may not be called as a witness in trial. c. The incident report likely becomes discoverable because it is mentioned in a discoverable document. d. The incident report cannot be discovered even though it is mentioned in a discoverable document.

c Hospitals strive to keep incident reports confidential, and in some states, incident reports are protected under statutes protecting quality improvement studies and activities. Incident reports themselves should not be considered a part of the health record. Because the staff member mentioned in the record that an incident report was completed, it will likely be discoverable as the health record is already a discoverable document (Carter and Palmer 2016, 522).

From an evidentiary standpoint, incident reports: a. Are universally nonadmissible during trial proceedings b. May be referenced in the patient's health record c. Should not be placed in a patient's health record d. Are universally nondiscoverable during litigation

c Incident reports involving patient care are not created to treat the patient, but rather to provide a basis for investigating the incident. From an evidentiary standpoint, incident reports should not be placed in a patient's health record, nor should the record refer to an incident report (Klaver 2017a, 90).

Which of the following is the whistleblower provision of the False Claims Act that provides a means for individuals to report healthcare information non-compliance? a. Quid pro quo b. Query c. Qui tam d. Quasi reporting

c One of the key components of the False Claims Act is qui tam. Qui tam is the whistleblower provisions of the False Claims Act—private persons, known as relators, may enforce the Act by filing a complaint, under seal, alleging fraud committed against the government. For example, if a coder is told to assign codes in violation of coding rules, then he or she can report the facility for fraud (Foltz et al. 2016, 449).

The supervisor over the coding division in the HIM Department at Community Hospital reviewed the productivity logs of four newly hired coders after their first month. Using the information below, which employee will require additional assistance in order to meet the standard of 20 medical records coded per day? Community Hospital Coding Productivity Report Coding Standard: 20 health records per day Coder Week 1 Week 2 Week 3 Week 4 1 90 105 98 107 2 100 105 105 95 3 75 80 85 105 4 80 95 115 110 a. Coder 1 b. Coder 2 c. Coder 3 d. Coder 4

c Productivity is defined as a unit of performance defined by management in quantitative standards. Productivity allows organizations to measure how well the organization converts input into output or labor into a product or service. 20 records per day × 5 days × 4 weeks = 400 records required to be coded. Coder 1 coded 400 records; Coder 2 coded 405 records; Coder 3 coded 345 records; Coder 4 coded 400 records (Horton 2016a, 185).

A visitor to the hospital looks at the screen of the admitting clerk's computer workstation when she leaves her desk to copy some admitting documents. What security mechanism would best have minimized this security breach? a. Access controls b. Audit controls c. Automatic logoff controls d. Device and media controls

c Provisions must also be made to protect workstations that are more exposed to the public. For example, locking devices can be used to prevent removal of computer equipment and other devices. Automatic logouts can be used to prevent access by unauthorized (Rinehart-Thompson 2016c, 264).

The quality improvement organizations (QIOs) under contract with CMS conduct audits on highrisk and hospital-specific data from claims data in this report: a. Hospital Payment Monitoring Program b. Payment Error Prevention Program c. Program for Evaluation Payment Patterns Electronic Report d. Compliance Program Guidance for Hospitals

c QIOs are currently under contract with CMS to perform a Hospital Payment Monitoring Program. This program targets specific DRGs and discharges that have been identified as at high-risk for payment errors. The high-risk hospital specific data are identified in an electronic report called Program for Evaluating Payment Patterns Electronic Report (PEPPER) (Schraffenberger and Kuehn 2011, 32).

Every healthcare organization's risk management plan should include the following components except: a. Loss prevention and reduction b. Safety and security management c. Peer review d. Claims management

c Risk management programs have three functions: risk identification and analysis, loss prevention and reduction, and claims management (Carter and Palmer 2016, 522).

A risk manager is called in to evaluate a situation in which a visitor to the hospital slipped on spilled water, fell, and fractured his femur. This situation was referred to the risk manager because it involves a: a. Medical error b. Claims management issue c. Potentially compensable event d. Sentinel event

c Risk management systems today are sophisticated programs that function to identify, reduce, or eliminate potentially compensable events (PCEs), thereby decreasing the financial liability of injuries or accidents to patients, staff, or visitors (Carter and Palmer 2016, 522).

Which of the following would be an example of a reviewable sentinel event? a. Incidence of hospital acquired infection b. Incidence of an unruly patient c. Incidence of infant abduction d. Incidence of blood transfusion reaction

c Sentinel events usually involve significant injury to, or the death of, a patient or an employee through avoidable causes. Hospital acquired infections, blood transfusion reactions, or incidences of an unruly patient are monitored processes, but in and of themselves would not be considered sentinel events. An infant abduction would be considered an avoidable occurrence and therefore a sentinel event (Shaw and Carter 2015, 46).

Which of the following is a risk of copying and pasting patient documentation in the electronic health record? a. Reduction in the time required to document b. System may not save data c. Copying the note in the wrong patient's record d. System thinking that the information belongs to the patient from whom the content is being copied

c Some EHR users prefer to copy and paste text from existing documents in order to speed up the documentation process. Allowing this practice should be assessed carefully as certain risks are inherent in the use of copy functionality. These tools, if used inappropriately, may undermine the clinical decision-making process. Specific risks to documentation integrity of using copy functionality include: inaccurate or outdated information that may adversely impact patient care, inability to identify the author or what they thought, inability to identify when the documentation was created, inability to accurately support or defend E/M codes for professional or technical billing notes, propagation of false information, copying the wrong information into the wrong patient's chart, and internally inconsistent progress notes. Because of these issues, the healthcare facility should have policies and procedures in place that are related to the copying and pasting of free text in the EHR. Similar to documentation in paper-based records, individuals who document in the EHR must be held accountable for their entries (Sayles 2016b, 69).

A hospital employee destroyed a health record so that its contents—which would be damaging to the employee—could not be used at trial. In legal terms, the employee's action constitutes: a. Mutilation b. Destruction c. Spoliation d. Spoilage

c Spoliation is a legal concept applicable to both paper and electronic records. When evidence is destroyed that relates to a current or pending civil or criminal proceeding, it is reasonable to infer that the party had a consciousness of guilt or another motive to avoid the evidence (Klaver 2017a, 87-88).

The clinical documentation improvement (CDI) staff might create a feedback loop with which department to prevent disgruntled physicians from filing claims against them? a. Billing or finance b. Health information management c. Compliance d. Case management

c The clinical documentation improvement (CDI) manager should see the compliance function as an opportunity to discuss concerns about physicians who may not be cooperating with program staff or who are ignoring queries. If not managed appropriately, these physicians may become disgruntled with the CDI process and file complaints with CMS, the state's attorney general, or even the OIG (Hess 2015, 244).

Which step of risk analysis identifies information assets that need protection? a. Identifying vulnerabilities b. Control analysis c. System characterization d. Likelihood determination

c The first step of risk analysis is system characterization. It focuses on what the organization possesses by identifying which information assets need protection. The assets may be identified either because they are critical to business operations (for example, the data itself, such as e-PHI) or because critical data is processed and stored on the system (such as hardware) (Rinehart-Thompson 2013, 117).

A Joint Commission-accredited organization must review its formulary annually to ensure a medication's continued: a. Safety and dose b. Efficiency and efficacy c. Efficacy and safety d. Dose and efficiency

c The formulary is composed of medications used for commonly occurring conditions or diagnoses treated in the healthcare organization. Organizations accredited by the Joint Commission are required to maintain a formulary and document that they review it at least annually for a medication's continued safety and efficacy (Shaw and Carter 2015, 246).

When the Medicare Recovery Audit Contractor has determined that incorrect payment has been made to an organization, which document is sent to the provider notifying them of this determination? a. Appeal request b. Claims denial c. Demand letter d. Medicare Summary Notice

c The provider will be notified of RAC determination in a demand letter, which includes the providers identification, reason for the review, list of claims, reasons for any denials, and amount of the overpayment for each claim. The demand letter is the equivalent of a denial letter (Foltz et al. 2016, 454).

What resource should the facility compliance officer consult to provide information on new and ongoing reviews or audits each year in programs administered by the Department of Health and Human Services? a. Regional health information organizations b. Corporate compliance plans c. OIG workplans d. Federal register

c The resource that the facility compliance officer should consult to provide information on ongoing reviews and audits each year in programs administered by the department of Health and Human Services (HHS) is the OIG workplan (Foltz et al. 2016, 457).

The risk manager's principal tool for capturing the facts about potentially compensable events is the: a. Accident report b. RM report c. Occurrence report d. Event report

c The risk manager's principal tool for capturing the facts about potentially compensable events is the occurrence report, sometimes called the incident report. Effective occurrence reports carefully structure the collection of data, information, and facts in a relatively simple format (Shaw and Carter 2015, 222).

How many identifiers must be removed for a data to be considered deidentified under the Safe Harbor Method? a. 12 b. 15 c. 18 d. 20

c The safe harbor method of deidentification requires the removal of 18 specific identifiers from the protect health information (Marc and Sandefer 2016, 22).

The HIM Department has been receiving complaints about the turnaround time for release of information (ROI) requests. A PI team is created to investigate this issue. What data source would be appropriate to use to investigate this issue further? a. ROI employee evaluations b. Survey requestors c. ROI tracking system d. ADT system

c The supervisor is responsible for ensuring turnaround times are met. Turnaround time is the time between receipt of the request and when the request is sent to the requester. The ROI system tracks requests for the information (Sayles 2016b, 73, 75).

The benefits of a coding compliance plan include the following: a. Improving patient care b. Identifying those who participate in fraud and abuse c. Retention of high standard of coding d. Increasing the number of denials of healthcare services reimbursement based on coding errors

c There are a number of benefits of a coding compliance plan including retention of high standard of coding (Foltz et al. 2016, 461).

The overutilization or inappropriate utilization of services and misuse of resources, typically not a criminal or intentional act is called which of the following? a. Fraud b. Abuse c. Waste d. Audit

c Waste is the overutilization or inappropriate utilization of services and misuse of resources, and typically is not a criminal or intentional act. Waste includes practice like over prescribing and ordering tests inappropriately (Foltz et al. 2016, 448).

Dr. Smith always orders the same 10 things when a new patient is admitted to the hospital in addition to some patient-specific orders. What would assist in assuring that the specific patient is not allergic to a drug being ordered? a. Clinical decision support b. Electronic medication administration record system c. Pharmacy information system d. Standard order set

c When the pharmacy information system receives an order for a drug, it will aid the pharmacist in checking for contraindications, directs staff in compounding any drugs requiring special preparation, and aids in dispensing the drug in the appropriate dose and route of administration. Indication of an allergy would be considered a contraindication (Amatayakul 2016, 292).

A notice that suspends the process or destruction of paper or electronic records is called: a. Subpoena b. Consent form c. Rule d. Legal hold

d A legal hold (also known as a preservation order, preservation notice, or litigation hold) basically suspends the processing or destruction of paper or electronic records. It may be initiated by a court if there is concern that information may be destroyed in cases of current or anticipated litigation, audit, or government investigation. Or, it may be initiated by the organization as part of their pre-litigation planning and duty to preserve information in anticipation of litigation (Klaver 2017a, 86-87).

A physician takes the medical records of a group of HIV-positive patients out of the hospital to complete research tasks at home. The physician mistakenly leaves the records in a restaurant, where they are read by a newspaper reporter who publishes an article that identifies the patients. The physician can be sued for: a. Slander b. Willful infliction of mental distress c. Libel d. Invasion of privacy

d A person's right to privacy is the right to be left alone and protected against physical or psychological invasion. It includes freedom from intrusion into one's private affairs to include their healthcare diagnoses (Brodnik 2017a, 6-7).

A patient requested a copy of a payment made by her insurance company for a surgery she had last month. The business office copied the remittance advice (RA) notice the organization received from the insurance company but failed to delete or remove the PHI for 10 other patients listed on the same RA. This is an example of: a. Double billing b. Stereotyping c. Retrospective review d. Security breach

d A security breach of PHI has occurred in this scenario because business office provided the patient with not only her information on the remittance advice, but also that of 10 other patients (Gordon and Gordon 2016c, 615).

A laboratory employee forgot his password to the computer system while trying to record the results for a STAT request. He asked his coworker to log in for him so that he could record the results and said he would then contact technical support to reset his password. What controls should have been in place to minimize this security breach? a. Access controls b. Security incident procedures c. Security management process d. Workforce security awareness training

d A strategy included in a good security program is employee security awareness training. Employees are often responsible for threats to data security. Consequently, employee awareness is a particularly important tool in reducing security breaches (Rinehart-Thompson 2016c, 272).

Which of the following is the process of establishing an organizational culture that promotes the prevention, detection, and resolution of instances of conduct that do not conform to federal, state, or private payer healthcare program requirements or the healthcare organization's ethical and business policies? a. Corporate integrity b. Meaningful Use c. Benchmarking d. Compliance

d Compliance is the process of establishing an organizational culture that promotes the prevention, detection, and resolution of instances of conduct that do not conform to federal, state, or private payer healthcare program requirements or the healthcare organization's ethical and business policies. In other words, compliance actively prevents fraud and abuse (Foltz et al. 2016, 448).

HIPAA requires that data security policies and procedures be maintained for a minimum of: a. 3 years from date of creation b. 5 years from date of creation c. 5 years from date of creation or the date when last in effect, whichever is later d. 6 years from date of creation or the date when last in effect, whichever is later

d Covered entities must maintain their security policies and procedures in written form. This includes formats that may be electronic. Any actions, assessments, or activities of the HIPAA Security Rule also must be documented in a written format. Documentation must be retained for six years from the date of its creation or the date when it last was in effect, whichever is later (Rinehart-Thompson 2016c, 274).

The removal of medication from its usual stream of preparation, dispensing, and administration by personnel involved in those steps in order to use or sell the medication in nonhealthcare settings is called: a. Prescribing b. Adverse drug reaction c. Sentinel event d. Diversion

d Diversion is the removal of a medication from its usual stream of preparation, dispensing, and administration by personnel involved in those steps in order to use or sell the medication in non-healthcare settings. An individual might take the medication for personal use, to sell on the street, to sell directly to a user as a dealer or to sell to others who will redistribute for the diverting individual (Shaw and Carter 2015, 253).

A postoperative patient was prescribed Lortab prn. Nurse Jones documented in the patient record that she administered one dose of Lortab to the patient, but never actually administered this medication. Nurse Jones then took the Lortab herself. This action would be called? a. Drug prescribing b. Adverse drug reaction c. Sentinel event d. Drug diversion

d Drug diversion is the removal of a medication from its usual stream of preparation, dispensing, and administration by personnel involved in those steps in order to use or sell the medication in non-healthcare settings. An individual might take the medication for personal use, to sell on the street, to sell directly to a user as a dealer or to sell to others who will redistribute for the diverting individual (Shaw and Carter 2015, 253).

What should be done when the HIM department's error rate is too high or its accuracy rate is too low based on policy? a. Re-audit the problem area b. The problem should be treated as an isolated incident c. The formula for determining the rate may need to be adjusted d. Corrective action should be taken to meet the department standards

d Each function should have its own acceptable level of performance and monitoring should be performed to confirm the standards are met. If not, corrective actions should be taken (Sayles 2016b, 66).

Community Hospital has launched a clinical documentation improvement (CDI) initiative. Currently, clinical documentation does not always adequately reflect the severity of illness of the patient or support optimal HIM coding accuracy. Given this situation, which of the following would be the best action to validate that the new program is achieving its goals? a. Hire clinical documentation specialists to review records prior to coding b. Ask coders to query physicians more often c. Provide physicians the opportunity to add addenda to their reports to clarify documentation issues d. Conduct a retrospective review of all query opportunities for the year

d Facilities may design the CDI program based on several different models. Improvement work can be done with retrospective record review and queries, with concurrent record review and queries, or with concurrent coding. Staffing models may include the involvement of the CDS discussed previously or could be done by enhancing the role of the utilization review staff or case managers or a combination of these models. Retrospective review of all query opportunities for the year would help to validate the effectiveness of the new program (Schraffenberger and Kuehn 2011, 363).

Which of the following issues compliance program guidance? a. AHIMA b. CMS c. Federal Register d. HHS Office of Inspector General

d From February 1998 until the present, the Office the Inspector General (OIG) continues to issue compliance program guidance for various types of healthcare organizations. The OIG website (www.oig.hhs.gov) posts the documents that most healthcare organizations need to develop fraud and abuse compliance plans (Casto and Forrestal 2015, 37).

What is the most constant threat to health information integrity? a. Natural threats b. Environmental threats c. Internal threats d. Humans

d Health information can be threatened by humans as well as by natural and environmental factors. Threats posed by humans can be either unintentional or intentional. Threats to health information can result in compromised integrity (that is, alteration of information, either intentional or unintentional), theft (intentional by nature), loss (unintentional) or intentional misplacement, other wrongful uses or disclosures (either intentional or unintentional), and destruction (intentional or unintentional) (Rinehart-Thompson 2013, 118).

Healthcare fraud is all except which of the following? a. Damage to another party that reasonably relied on misrepresentation b. False representation of fact c. Failure to disclose a material fact d. Unnecessary costs to a program

d Healthcare fraud is the intentional deception or misrepresentation that an individual knows (or should know) to be false, or does not believe to be true, and makes, knowing the deception could result in some unauthorized benefit to himself or some other person(s). Unnecessary costs to a program, in and of itself, would not be healthcare fraud, there would need to be some intentional deception for it to be considered fraud (Sayles and Gordon 2016, 651).

If a patient receives a ________ from a healthcare organization it indicated that the patient's protected health information was involved in a data breach. a. Notice of Breach b. Release of Information c. Protected Health Breach Notice d. Receipt of Breach Notice

d If a patient receives a Receipt of Breach Notice from a healthcare organization it indicates that the patient's protected health information was involved in a data breach (Gordon and Gordon 2016c, 613).

In Medicare, the most common forms of fraud and abuse include all except which of the following? a. Billing for services not furnished b. Misrepresenting the diagnosis to justify payment c. Unbundling or exploding charges d. Implementing a clinical documentation improvement program

d In Medicare, the most common forms of fraud and abuse include billing for services not furnished; misrepresenting the diagnosis to justify payment; soliciting, offering, or receiving a kickback; unbundling; falsifying certificates of medical necessity; and billing for a service not furnished as billed, known as upcoding (Casto and Forrestal 2015, 36).

In developing a coding compliance program, which of the following would not be ordinarily included as participants in coding compliance education? a. Current coding personnel b. Medical staff c. Newly hired coding personnel d. Nursing staff

d In conjunction with the corporate compliance officer, the health information manager should provide education and training related to the importance of complete and accurate coding, documentation, and billing on an annual basis. Technical education for all coders should be provided. Documentation education is also part of compliance education. A focused effort should be made to provide documentation education to the medical staff (Schraffenberger and Kuehn 2011, 386-387).

The coding staff should be updated at least ________ on compliance requirements. a. Weekly b. Monthly c. Every six months d. Annually

d It is imperative that all staff be trained in compliance policies, procedures, and standards of conduct as it applies to their position in the organization. This training should occur, at a minimum, in their initial orientation training and on an annual basis (Foltz et al. 2016, 457).

The role of the HIM professional in medical identity theft protection programs includes all of the following except: a. Ensure safeguards are in place to protect the privacy and security of PHI b. Balance patient privacy protection with disclosing medical identity theft to victims c. Identify resources to assist patients who are victims of medical identity theft d. Send all issues related to medical identity theft to the in-house attorney

d Medical identity theft is distinguished from other types of identity theft because it creates negative consequences to both the victim's financial status and health information. The HIM professional should ensure safeguards are in place to protect PHI and provide resources to assist victims of medical identity theft. It is important to balance patient privacy protection with disclosure of medical identity theft to victims (Gordon and Gordon 2016c, 612-613).

Which plan should be devised to respond to issues arising from the clinical documentation improvement (CDI) compliance and operational audit process? a. CDI response plan b. Quality assurance plan c. CDI plan d. Corrective action plan

d Most audits should identify some issues, either operational or compliance, in the clinical documentation improvement (CDI) process, even if they are minor issues. An organization needs to develop a corrective action plan for any identified issues (Hess 2015, 214).

Events that occur in a healthcare organization that do not necessarily affect an outcome but carry significant chance of being a serious adverse event if they were to recur are: a. Time-out b. Serious events c. Sentinel events d. Near misses

d Near misses include occurrences that do not necessarily affect an outcome but if they were to recur they would carry significant chance of being a serious adverse event. Near misses fall under the definition of a sentinel event, but are not reviewable by The Joint Commission under its current sentinel event policy (Shaw and Carter 2015, 221).

One way for a hospital to demonstrate compliance with OIG guidelines is to: a. Designate a privacy officer b. Continuously monitor PEPPER reports c. Obtain ABNs for all Medicare registrations d. Develop, implement, and monitor written policies and procedures

d Over the past several years, the OIG has published several documents to help providers develop internal programs that include elements for ensuring compliance. One of the elements included is written policies and procedures (Foltz et al. 2016, 457-458).

Which of the following is a principle of contemporary performance improvement? a. Success must never be celebrated as this does not encourage more success. b. Systems never demonstrate variation. c. Performance improvement works by identifying the individuals responsible for quality problems and reprimanding them. d. Performance improvement relies on the collection and analysis of data to increase knowledge.

d Performance improvement (PI) is based on several fundamental principles, including: the structure of a system determines its performance; all systems demonstrate variation; improvements rely on the collection and analysis of data that increase knowledge; PI requires the commitment and support of top administration; PI works best when leaders and employees know and share the organization's mission, vision, and values (Carter and Palmer 2016, 505).

During a review of documentation practices, the HIM director finds that nurses are routinely using the copy and paste functionality of the hospital's EHR system for documenting nursing notes. Which of the following should the HIM director do to ensure that the nurses are following acceptable documentation practices? a. Inform the nurses that copy and paste is not acceptable and to stop this practice immediately b. Determine how many nurses are involved in this practice c. Institute an in-service training session on documentation practices d. Develop policy and procedures related to cutting, copying, and pasting documentation in the EHR system

d The ability to copy previous entries and paste into a current entry leads to a record in which a clinician may, upon signing the documentation, unwittingly swear to the accuracy and comprehensiveness of substantial amounts of duplicated or inapplicable information as well as the incorporation of misleading or erroneous documentation. The HIM professional plays a critical role in developing policies and procedures to ensure the integrity of patient information (Russo 2013b, 339-340).

Which of the following would not be a focus area of claims auditing for healthcare services provided in the emergency department? a. Ensuring claims are not submitted more than once b. Procedures are reported at the appropriate level c. Ensuring documentation supports services reported on the claim d. Patients are satisfied with their services

d The data elements collected during the audit vary based on the audit objective. As in this example, auditing a claim for healthcare services in the emergency department could consider the following areas: procedures that are reported at the appropriate level, claims are not submitted more than once, documentation supports services reported on the claim. Patient satisfaction with their services would not be an area of claim audit (Foltz et al. 2016, 459).

In a typical acute-care setting, the Explanation of Benefits, Medicare Summary Notice, and Remittance Advice documents (provided by the payer) are monitored in which revenue cycle area? a. Preclaims submission b. Claims processing c. Accounts receivable d. Claims reconciliation and collections

d The last component of the revenue cycle is reconciliation and collections. The healthcare facility uses the EOB, MSN, and RA to reconcile accounts. These are monitored in the claims reconciliation and collections area of the revenue cycle (Casto and Forrestal 2015, 256).

The national patient safety goals score organizations on areas that: a. Affect the financial stability of the organization b. Commonly lead to overpayment c. Affect compliance with state law d. Commonly lead to patient injury

d The national patient safety goals outline for healthcare organizations the areas of organizational practice that most commonly lead to patient injury or other negative outcomes that can be prevented when staff utilize standardized procedures (Carter and Palmer 2016, 520).

The policies and procedures section of a coding compliance plan should include all except which of the following? a. Physician query process b. Unbundling c. Assignment of discharge disposition codes d. Utilization review

d The policies and procedures section of a coding compliance plan should include physician query process, coding diagnosis not supported by health documentation, upcoding, correct use of encoder software, unbundling, coding health records without complete documentation, assignment of discharge destination codes, and complete process for using scrubber software. Utilization review would not be part of the policies and procedures section of a Coding Compliance Plan (Casto and Forrestal 2015, 44).

HIPAA requires a covered entity to establish policy to ensure that protected health information could not identify a specific individual. One method used to meet this deidentification standard is the expert determination model. The expert determination model requires these four steps: Determine the statistical and scientific method to be used to determine the risk of reidentification Analyze and assess the risk to the deidentified data The expert applies the method to the deidentified data The facility should choose the expert for the deidentification analysis What is the correct order in which these steps should be performed? a. 4, 1, 2, 3 b. 1, 2, 3, 4 c. 2, 4, 3, 1 d. 4, 1, 3, 2

d The process for expert determination of de-identification has four recommended steps that include: Step 1: The facility should choose the expert for the deidentification analysis; Step 2: Determine the statistical and scientific method to be used to determine the risk of reidentification; Step 3: The expert applies the method to the deidentified data; and Step 4: Analyze and assess the risk to the deidentified data (Marc and Sandefer 2016, 22-23).

The basic functions of healthcare risk management programs are similar for most organizations and should include which of the following? a. Reporting of claims, initial investigation of claims, protection of primary and secondary health records, negotiation of settlements, management of litigations, and use of information for claim's resolution in performance management activities b. Risk acceptance, risk avoidance, risk reduction or minimization, and risk transfer c. Safety management, security management, claims management, technology management, and facilities management d. Risk identification and analysis, loss prevention and reduction, and claims management

d The purpose of the risk management program is to link risk management functions to related processes of quality assessment and PI. The basic functions of healthcare risk management programs are similar for most organizations and include: risk identification and analysis, loss prevention and reduction, and claims management (Carter and Palmer 2016, 522).

The Medical Record Committee wants to determine if the hospital is in compliance with medical staff rules and regulations for medical record delinquency rates. The HIM director has compiled a report that shows that records are delinquent for an average of 29 days after discharge. Given this information, what can the committee conclude? a. Delinquency rate is within medical staff rules and regulations. b. All physicians are performing at optimal levels. c. The chart deficiency process is working well. d. Data are insufficient to determine whether the hospital is in compliance.

d When an incomplete record is not rectified within a specific number of days as indicated in the medical staff rules and regulations, the record is considered to be a delinquent record. Generally, an incomplete record is considered delinquent after it has been available to the physician for completion for 15-30 days. This question does not provide enough information on the standard as the medical staff rules and regulations on delinquent records are not defined (Sayles 2016b, 64-65).


Kaugnay na mga set ng pag-aaral

Ch. 16 & 17 Care of a Toddler and School Aged

View Set

Chapter 13 -- Intangible Assets and Goodwill

View Set

Psychology and Sociology mcat princeton textbook

View Set

Combo with "Music Appreciation Pt. 1" and 1 other

View Set

Mechanical Ventilation Practice Questions

View Set

Microcomputer Applications 1 Final

View Set

Ch 15 Assembly Language and Related Topics

View Set