ELECTRONIC HEALTH RECORDS , TEST CHAPTER 6
42. A chiropractor is looking at the Security Standards Matrix and believes that it is unnecessary to address the encryption and decryption procedures. What should the chiropractor's office document as a reason for not implementing this standard? a. The system used does not enable transmission of information; therefore, the standard is not applicable. c. The office only accepts cash payments; therefore, the standard is not applicable. b. This is a solo practice and there is no need to encrypt information. d. None of the answers are correct
a. The system used does not enable transmission of information; therefore, the standard is not applicable.
17. In which of the following cases was the minimum necessary rule violated? a. A patient's attorney asked for a copy of the last surgical procedure and received it within 25 days c. In communication with the patient, the doctor informed the patient about his diagnosis b. A patient's attorney asked for a copy of the last operative report and received it along with the pathology report d. In communication with the patient, the doctor informed the patient about his diagnosis and the prognosis if left untreated
b. A patient's attorney asked for a copy of the last operative report and received it along with the pathology report pg 163
12. Which of the following would NOT be a permitted disclosure? a. Disclosure to a specialist with whom the patient needs to follow up c. Disclosure to the health insurance company to verify services b. Disclosure to the worker's compensation upon their request d. None of the answers are correct
b. Disclosure to the worker's compensation upon their request pg 161
43. In the wake of multiple Security Rule breaches, it would be advisable to do which of the following in order to reduce risk of breaches? a. Continue to work with paper records; electronic ones are riskier c. Disable data transmission as it creates additional risk for the organization b. Implement an enterprise data storage to manage and protect data d. All of the answers are correct
b. Implement an enterprise data storage to manage and protect data pg 173
6. Which of the following is the correct definition of the protected health information (PHI)? a. Patient's identifiable information stored in an electronic format c. Patient's identifiable information that can be transmitted to another party b. Individually identifiable health information held or transmitted by a covered entity or its business associate orally, or in electronic or paper format d. Individually identifiable health information held by a covered entity in electronic or paper format
b. Individually identifiable health information held or transmitted by a covered entity or its business associate orally, or in electronic or paper format pg 157
19. Which of the following entities is responsible for enforcing HIPAA Privacy and Security Rules? a. Department of Health and Human Services c. Office of Inspector General b. Office of Civil Rights d. State courts
b. Office of Civil Rights pg 163
24. Considering historical complaints along with several cases discussing breaches of privacy and confidentiality, what could be considered the greatest threat to privacy and confidentiality? a. Technology c. Lack of legal process b. People d. Lack of policies
b. People
9. Which of the following is NOT a permitted disclosure? a. Use of health information for operations c. Use of health information for payment b. Use of health information in litigation d. All of the answers are correct
b. Use of health information in litigation pg 158
36. Which of the following is NOT considered an administrative safeguard? a. Employee training on information security aspects c. Policies that address a disaster backup plan and incident reporting b. User authentication process d. Assignment of a security officer
b. User authentication process pg169
32. Security rule provisions address: a. protected health information. c. patient health information. b. electronic health information. d. de-identified information.
b. electronic health information. Pg 168
40. A new HIM director is reviewing policies and procedures and organizing the prior security implementation and assessment documentation. Before destroying any documentation in the process of updating, he should review: a. the Security Rule section on administrative safeguards. c. the Privacy Rule section on permissible uses and disclosures. b. the Security Rule section on policies and procedures and documentation requirements. d. the facility's policies and procedures.
b. the Security Rule section on policies and procedures and documentation requirements.
15. Which of the following may NOT be considered incidental to a permitted use or disclosure? a. A patient or visitor glimpses the patient's sign-in sheet. c. An attorney receives the wrong patient's information via fax. b. A patient or a visitor overhears the conversation between the nurse and the patient. d. An attorney receives less information than requested.
c. An attorney receives the wrong patient's information via fax
30. In which of the following cases is a notice to the media required? a. Severe breaches c. Breaches involving more than 500 residents of a state or jurisdiction b. Breaches involving damage of $100,000 or more d. Breaches involving 500 patients
c. Breaches involving more than 500 residents of a state or jurisdiction pg 167
2. The HIPAA Privacy Rule, published in 2000, was modified by the HIPAA Privacy, Security, and Enforcement Rule of 2013. What was mainly addressed in these modifications? a. Administrative simplifications c. Electronic health records b. Portability of health insurance d. None of the answers are correct
c. Electronic health records pg 155
37. Which of the following is NOT considered a physical safeguard under HIPAA Security Rule? a. Locking the server room c. Encrypting data b. Locking the file room d. Protecting the information from flood damage pg
c. Encrypting data pg 170
39. Which part of the HIPAA Security Rule addresses the contracting standards for business associates? a. Administrative safeguards c. Organizational requirements b. General requirements d. Technical requirements
c. Organizational requirements
31. Which of the following is NOT an objective of HIPAA Security Rule? a. Ensuring confidentiality, integrity, and availability of ePHI c. Protecting against flood damage to paper records b. Protecting against reasonably anticipated threats to ePHI d. Ensuring compliance by the workforce
c. Protecting against flood damage to paper records pg 168
27. Which of the following cases is considered a breach? a. Forgetting to lock the computer screen in the HIM department before walking away c. Releasing information to the ex-husband of a patient who in turn uses it for his divorce benefits b. Releasing information upon valid request and authorization d. Releasing the medical records to the hospital the patient was transferred to
c. Releasing information to the ex-husband of a patient who in turn uses it for his divorce benefits pg 165
38. A healthcare facility has implemented a new dictation and transcription system that requires physicians to review their own reports and sign them electronically. Some of the physicians do not support this process and continue to ask their assistants to print the dictated reports. Upon review, it was discovered that they are allowing their assistants to use their username and password to sign reports electronically. What HIPAA Security safeguard is this practice violating? a. Administrative safeguards c. Technical safeguards b. Physical security safeguards d. All of the answers are correct
c. Technical safeguards
41. The difference between required standards and addressable standards is: a. a facility must report on compliance with the required standards and simply keep track of addressable ones. c. a facility must comply with required standards and address the addressable ones as needed. b. required standards are mandatory; addressable ones are optional. d. required standards are mandatory; addressable ones can be negotiated.
c. a facility must comply with required standards and address the addressable ones as needed.
34. One of the reasons that prompted HIPAA security standards was: a. increased patient complaints about breaches of confidentiality. c. increased use and promotion of electronic health records. b. more stringent privacy requirement imposed on healthcare facilities. d. increased pressures from third parties.
c. increased use and promotion of electronic health records.
13. According to HIPAA, permitted disclosures include all of the following EXCEPT releasing information for _____ purposes. a. treatment c. litigation b. Payment d. operation
c. litigation
26. One of the requirements of a Resolution Agreement is to: a. send employees to a HIPAA conference. c. send reports to the federal government. b. not release information without federal government approval. d. pay a monetary penalty for non-compliance.
c. send reports to the federal government.
29. A hospital experienced a breach that affected 120 patients who had been discharged on the same day. In response, the hospital sent a breach notification to all the patients that included a description of the breach, the information involved, steps the individuals could take to protect themselves from harm, and the hospital's contact information. What was the notification missing? a. How the facility didn't know about the breach until now c. what the facility was doing to investigate breach pg??? b. A promise that this would not happen again d. Nothing; the notice was complete
c. what the facility was doing to investigate breach
5. Which of the following is a non-covered entity under HIPAA? a. A private company that provides billing services for a private clinic c. A public company that provides billing services for a hospital b. A health insurance carrier d. A casualty insurance carrier pg 156
d. A casualty insurance carrier
44. Data stewardship refers to: a. increasing awareness about information security. c. responsibility when collecting and storing health information. b. responsibility when using health information and reporting it. d. All of the answers are correct
d. All of the answers are correct
1. The Health Insurance Portability and Accountability Act was the first federal law that addressed the confidentiality of the patient's information. What else did HIPAA address? a. Portability of health insurance c. Group health plan requirements b. Administrative simplifications in healthcare d. All of the answers are correct
d. All of the answers are correct pg 151
22. Privacy rule enforcement is taken very seriously and can involve which of the following? a. Monetary penalties c. Imprisonment b. Resolution agreements. d. All of the answers are correct
d. All of the answers are correct pg 154
7. Which of the following is an example of individually identifiable health information? a. Patient's name in relation to a medical condition c. Patient's past or current medical condition b. Patient's date of birth d. All of the answers are correct
d. All of the answers are correct pg 157
8. Which of the following is true about the de-identified health information? a. Can be used by a hospital marketing department for outreach purposes c. Can be used by a public health office to determine the flu vaccines needed b. Can be used by a nursing home administrator to order new wheelchairs d. All of the answers are correct
d. All of the answers are correct pg 157
10. In which of the following situations is a covered entity obliged to disclose protected health information (PHI)? a. Releasing patient's information to the Department of Health and Human Services for review purposes c. Releasing patient's information to the patient's legal representative upon his request b. Releasing an accounting of disclosures of the patient's PHI to the patient d. All of the answers are correct
d. All of the answers are correct pg 158
16. When a state law is not in sync with fed eral law, the federal law prevails UNLESS: a. the state law requires health plan reporting. c. the state law is more stringent in terms of privacy protection. b. the state law allows for the reporting of injuries. d. All of the answers are correct
d. All of the answers are correct pg 162
14. Which of the following is considered healthcare operations? a. Analysis to identify risk areas c. Review for quality improvement purposes b. De-identifying health information d. All of the answers are correct
d. All of the answers are correct pg ??
25. A Resolution Agreement is a contract that is signed between the federal government and a covered entity, and it includes: a. an agreement to comply with audits of all releases of health information. c. an agreement to send reports to the federal government for a specified time period. b. an agreement to train staff on privacy and confidentiality. d. All of the answers are correct
d. All of the answers are correct pg165
21. While releasing information upon the patient's authorization, a HIM professional released a copy of another patient's report that was filed by mistake in the record being processed. What does this case constitute? a. A criminal violation c. A breach of privacy rule b. A civil violation d. B and C
d. B and C pg 164
35. What is one of the differences between the Privacy Rule and the Security Rule? a. Privacy Rule applies to paper records; Security Rule applies to electronic records c. Privacy Rule covers hospitals; Security Rule coves companies that design EHRs b. Privacy Rule addresses oral breaches; Security Rule addresses written breaches d. Privacy Rule applies to all forms of PHI; Security Rule applies to electronic PHI
d. Privacy Rule applies to all forms of PHI; Security Rule applies to electronic PHI pg169
11. Mary works in a hospital and receives a request for copies of 50 records that will be reviewed by an audit company working for Medicare. What should Mary do? a. She should select the records and seek patient authorizations before releasing. c. She should select the records and make sure information is de-identified. b. She should select the records and seek approval by the hospital's privacy and security officer. d. She should comply with the request.
d. She should comply with the request. Pg 158
20. The HIPAA Privacy and Security Rule complaint process includes all of the following EXCEPT: a. review of complaint. c. corrective actions b. investigation. d. case transfer.
d. case transfer.
28. HIPAA requires covered entities to notify individuals of a breach: a. immediately after discovering the breach. c. within 60 days after the breach has occurred. b. within 30 days after discovering the breach. d. within 60 days after discovering the breach.
d. within 60 days after discovering the breach.
4. Which of the following must comply with HIPAA's requirements to protect the privacy and security of health information? a. A business associate working with Medicaid c. A vendor working with a pharmaceutical manufacturer b. A worker's compensation carrier d. A pharmacy benefits management program
a. A business associate working with Medicaid pg156
3. Which of the following is NOT a covered entity? a. A life insurance company c. A health insurance company b. A psychologist providing counseling service d. A healthcare clearinghouse
a. A life insurance company pg 156
33. A physician's office has implemented a new electronic health record that enables it to send patient information electronically to the hospital it is affiliated with and to most of the insurance companies it works with. What steps should the office take to comply with the HIPAA Security Rule? a. Ensure integrity of the information during transmission. c. Ensure that the privacy practices are followed. b. Obtain patient authorizations. d. All of the answers are correct
a. Ensure integrity of the information during transmission.
23. Which of the following is considered the most frequently investigated compliance issue? a. Impermissible use and disclosure of PHI c. Lack of patients' access to their own PHI b. Lack of administrative safeguards of electronic PHI d. Lack of technical safeguards
a. Impermissible use and disclosure of PHI pg 166
45. A researcher is studying treatment effectiveness of a new medication. You are asked to provide health information that will assist in this research. What is the best course of action? a. Provide a limited data set c. Provide a medication lists only b. Provide copies of patients who were treated with the medication being studied d. Refuse to release any information as this is a violation of information privacy
a. Provide a limited data set pg ???
18. A patient was transferred from a mental health facility to an acute care hospital for a suspected heart attack. Which of the following would constitute a violation of the minimum necessary rule? a. Sending a complete copy of the record from the first facility c. Sending the list of allergies b. Sending the progress notes related to the chest pain complaints d. All of the answers are correct
a. Sending a complete copy of the record from the first facility pg ???