RHIT Exam Prep Chp. 11


The patient has requested an amendment to her health record. The facility, after review with the physician, has decided to deny the request. According to HIPAA, the patient must be notified within how many days?

60

The facility had a security breach. The breach was identified on 10/10/16. The investigation was completed on 10/15/16. What is the deadline by which the notification must be completed?

60 days from 10/10/16

Which of the following is an example of a security incident?

A hacker accessed PHI from off site

Which of the following is an example of a trigger that might be used to reduce auditing?

A patient and user have the same last name

The admin states that he should not have to participate in privacy and security training as he does not use PHI. How should you respond?

All employees are required to participate in the training, including top administration

When logging into a system, you are instructed to enter a string of characters. These characters appear distorted onscreen, however. What kind of access control is this?

CAPTCHA

The police came to the HIM dept. and asked that a patient's right to an accounting of disclosure be suspended for two months. What is the proper response to this request?

Certainly officer, we will be glad to do that as soon as we have that request in writing.

HIPAA states that release to a coroner is allowed. State law says that the coroner must provide a subpoena. Which of the following is a correct statement?

Follow the state law since it's stricter

Miles has asked you to explain the rights he has via HIPAA privacy standards. Which of the following is one of his HIPAA-given rights?

He can ask to be contacted at an alternate site

The clinic has decided to use mobile technology. Identify the best practice for this technology.

Identify who owns the mobile device

Mary processed a request for information and mailed it out last week. The requestor called and said that not all of the information was received. Mary talked to her supervisor about this with the requestor believing more information is still needed. Given the above information, which of the following statements is true?

Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule.

Which of the following statements demonstrates a violation of PHI?

Mary, at work yesterday I saw Susan had a hysterectomy

Mountain Hospital has discovered a security breach. Someone hacked into the system and viewed 50 medical records. According to ARRA, what is the responsibility of the covered entity in a reasonable time not to exceed 60 days?

Notify the patient

Which of the following set(s) is an appropriate use of the emergency access procedure?

One nurse is at lunch and the covering nurse needs patient information AND a patient is crashing and the attending is not in the hospital so a helping physician is available

A doctor's office has requested PHI for continued care. The ROI clerk wants to limit the information provided because of the minimum necessary rule. What should the supervisor tell the clerk?

Patient care is an exception to the minimum necessary rule, so process the request as written

Which of the following is a true statement about private key encryption?

Public encryption uses a private and public key

Which of the following would be a business associate?

ROI company

Which of the following situations violates a patient's privacy?

The hospital provides patients names and addresses to a pharmaceutical company to be used in a mass mailing for free drug samples.

The patient calls and has a telephone consultation. Which of the following is true about notice of privacy practices?

The notice of privacy practices can be mailed to the patient

The physician office you go to has a data integrity issue. What does this mean?

There has been unauthorized alteration of patient information

A nurse has been flagged for review because she logged into the EHR in the evening when she usually works the day shift. Why should this conduct be reviewed?

This needs to be investigated before a decision is made because there may be a legitimate reason why she logged in at this time.

You have been given some information that includes the patient's account number. Which statement is true?

This is not de-identified information, because it is possible to identify the patient

A patient signed an authorization to release information to a physician but decided not to go to the physician. Can he stop the release?

Yes, as long as it has not been released already

Nancy has asked the health care facility for a copy of her grandmother's health record. Her grandmother died 20 years ago. Nancy is not the executor of the estate, and she does not want to ask her aunt for permission. Select the appropriate response to Nancy.

You cannot access your grandmother's privacy, as she has the right of privacy for 50 years after her death

Which of the following examples is an exception to the definition of breach?

a coder accidentally sends PHI to a billing clerk in the same facility

To which of the following requesters can a facility release information about a patient without that patient's authorization?

a court with a court order

Someone accessed the covered entity's EHR and sold the information that was accessed. This person is known as which of the following?

a cracker

Researchers can access patient information if it is

a limited data set

When patients are able to obtain a copy of their health record, this is an example of which of the following?

a patient right

You have been asked to create a presentation on intentional and unintentional threats. Which of the following should be included in the list of threats you cite?

a patient's SSN being used for credit card applications

The supervisors have decided to give nursing staff access to the EHR. They can add notes, view, and print. This is an example of what?

a workforce clearance procedure

The company's policy states that audit logs, access reports, and security incident reports should be reviewed daily. This review is known as

an information system activity review

Before a user is allowed to access PHI, the system confirms that this is a valid user. This is known as

authentication

Which of the following is the term used to identify who made an entry into a health record?

authorship

You have been asked to provide examples of technical security measures. Which of the following would you include in your list of examples?

automatic logout

Three components of a data security program are protecting the privacy of data, ensuring the integrity of data, and ensuring the

availability of data

Which security measure utilizes fingerprints or retina scans?

biometrics

In case your system crashes, your facility has defined the policies and procedures necessary to keep your business going. This is known as

business continuity plan.

The computer system containing the EHR was located in a room that was flooded. As a result, the system is inoperable. Which of the following would be implemented?

business continuity processes

The HIPAA security rule impacts which of the following PHI?

clinical data repository

You are a nurse who works on 3West during the day shift. One day, you had to work the night shift because they were shorthanded. However, you were unable to access the EHR. What type of access controls are being used?

context-based

Alisa has trouble remembering her password. She is trying to come up with a solution that will help her remember. Which one of the following would be the best practice?

creating a password that utilizes a combo of letters and numbers.

In a recent review, it was determined that the EHR is essential to the operations of the home health agency. What type of review is this?

criticality analysis

Your organization is sending confidential patient information across the internet using technology that will transform the original data into unintelligible code that can be re-created by authorized users. This technique is called:

data encryption

You have been asked to give an example of secure information. Which of the following will you give as your answer?

data is encrypted which makes it unreadable

Which of the following can be released without consent or authorization?

de-identified health information

You have been given the responsibility of destroying the PHI contained in the system's old server before it is trashed. What destruction method do you recommend?

degaussing

Our website was attacked by malware that overloaded it. What type of malware was this?

denial of service

As chief privacy officer for Premier Medical Center, you are responsible for which of the following?

developing a plan for reporting privacy complaints

What type of digital signature uses encryption?

digital signature

Contingency planning includes which of the following processes?

disaster planning

You are defining the designated record set for South Beach Healthcare Center. Which of the following would be included?

discharge summary

The patient has the right to agree or object in which of the following situations?

disclosing information to family member who is directly involved in care.

A hacker recently accessed our database. We are trying to determine how the hacker got through the firewall and exactly what was accessed. The process used to gather this evidence is called

forensics

A certification agency validates the use of encryption between two organizations' websites. How do they validate it?

hypertext markup language

An employee in the admission dept stole the patient's name, SSN, and other information and used it to get a charge card in the patient's name. This is an example of

identity theft

The Fair and Accurate Credit Transactions Act works to reduce

identity theft

The surgeon comes out to speak to a patient's family. He tells them that the patient came through the surgery fine. The mass was benign and they could see the patient in an hour. He talks low so the other people in the waiting room will not hear, but someone walked by and heard. This is called a(n)

incidental disclosure

A covered entity:

includes health care providers who perform specified actions electronically

PHI includes

individually identifiable health information in any format stored by a health care provider or business associate

A mechanism to ensure that PHI has not been altered or destroyed inappropriately has been established. This process is called?

integrity

The information system has just notified you that someone has attempted to access the system inappropriately. This process is known as?

intrusion detection

Which of the following statements is true about the Privacy Act of 1974?

it applies to the federal government

John is a 45y male who is mentally unstable. Who can authorize release of his health record?

legal guardian

Which of the following is an example of administrative safeguards under the security rule?

monitoring the computer access activity of the user

I have been asked if I want to be in the directory. The admission clerk explains that if I am in the directory,

my friends and family can find out my room number

Intrusion detection systems analyze

network traffic

The purpose of the notice of privacy practices is to

notify the patient of uses of PHI

An effective monitoring program contains which of the following?

outlining how employees suspected of a breach will be confronted

Which of the following is an example of two-factor authentication?

password and token

Which of the following is allowed by HIPAA?

permitting a spouse to pick up medication for the patient

The HIM director received an email from the technology support services dept about her email being full and asking for her password. The director contacted tech support and it was confirmed that their dept did not send this email. This is an example of what type of malware?

phishing

The physician office has set the information systems so that they will log out after 5 minutes of inactivity. This is an example of which of the following?

physician safeguard

In conducting an environmental risk assessment, which of the following would be considered in the assessment?

placement of water pipes in the facility

HIPAA allows health care providers to charge patients reasonable cost-based charges. Which of the following is allowed when determining the charge?

preparing a summary

The patient has the right to control access to his or her health information. This is known as

privacy

Ms. Thomas was a patient at your facility. She has been told that there are some records that she cannot have access to. These records are most likely

psychotherapy notes

To prevent their network from going down, a company has duplicated much of its hardware and cables. This duplication is called

redundancy

Which of the following disclosures would require patient authorization?

release to patient's family

Which of the following situations would require authorization before disclosing PHI?

releasing information to the Bureau of Disability Determination

You are looking for potential problems and violations of the privacy rule. What is this security management process called?

risk assessment

You are reviewing your privacy and security policies, procedures, training program, and so on, and comparing them to the HIPAA and ARRA regulations. You are conducting a

risk assessment

You have to determine how likely a threat will occur. What is this assessment known as?

risk determination

Kyle, the HIM director, has received a request to amend a patient's health record. The appropriate action for him to take is

route the request to the physician who wrote the note in question to determine appropriateness of the amendment

You are conducting research on what you need to do to comply with HIPAA. You are afraid that you will have to implement all of the steps that your friend at a 900-bed teaching hospital is implementing at his facility. You continue reading and learn that you only have to implement what is prudent and reasonable for your facility. This is called?

scalable

Which of the following documents is subject to the HIPAA security rule?

scanned operative report stored on CD

You have to decide which type of firewall you want to use in your facility. Which of the following is one of your options?

secure socket layer

You work for an organization that publishes a health information management journal and provides clearinghouse services. What must you do?

separate the e-PHI from the non-covered entity portion of the organization

The info systems dept. was performing their routine destruction of data that they do every year. Unfortunately they accidentally deleted a record that is involved in a medical malpractice case. This unintentional destruction of evidence is called?

spoliation

Before we can go any further with our risk analysis, we need to determine what systems/information needs to be protected. This step is known as

system characterization

Bob submitted his resignation from Coastal Hospital. His last day is today; he should no longer have access to the EHR and other systems as of 5pm. The removal of his privileges is known as

terminating access

A home health care agency employee has contacted the CMS to report health care fraud. Patient information is provided in the report. Which of the following is true?

the disclosure is not a violation of HIPAA if the information was provided in good faith

Which statement is true about when a family member can be provided with PHI?

the family member is directly involved in the patient's care

Which of the following should the record destruction program include?

the method of destruction

Breach notification is required unless:

the probability of PHI being compromised is low

John is allowed to delete patients in the EHR. Florence is not. They both have the same role in the organization. What is different?

their permissions

Critique this statement: a business associate has the right to use a health care facility's information beyond the scope of their agreement with the health care facility.

this is a false statement because it is prohibited by the HIPAA privacy rule.

As chief privacy officer, you have been asked why you are conducting a risk assessment. Which reason would you give?

to prevent breach of confidentiality

Which of the following is an example of an administrative safeguard?

training

Critique this statement: security training must be face to face

training can use many different methods

An employee was recently caught accessing his wife's health record. The system automatically notified the staff of potential breach due to the same last name for the user and the patient. This was an example of a

trigger

The research coordinator viewed 10 patients records for a research study being conducted. Select the term used for this practice.

use

The data on a hard drive were erased by a corrupted file that had been attached to an email message. Which of the following can be used to prevent this?

virus checker

Before an employee can be given access to the EHR someone has to determine what the employee is allowed to have access to. What is this known as?

workforce clearance procedure

You have been assigned the responsibility of performing an audit to confirm that all of the workforce's access is appropriate for their role in the organization. This process is called

workforce clearance procedure

Your dept was unable to provide a patient with a copy of his record within the 30-day limitation. What should you do?

write the patient and let them know that you will need a 30-day extension

If an authorization is missing a SSN, can it be valid?

yes

