Exam 2 review Legal 10, 11, 12, 13, 15, 16

An emancipated minor is

A person younger than age 18, living independently

A co-worker is called away for a short errand and leaves the clinic PC logged onto the confidential information system. You need to look up information using the same computer. What should you do? A. Log your co-worker off and re-log in under your own User-ID and password. B. To save time, just continue working under your co-worker's User-ID. C. Wait for the co-worker to return before disconnecting him/her; or take a long break until the co-worker returns.

A. Log your co-worker off and re-log in under your own User-ID and password

Your supervisor (a physician) is very busy and asks you to log into the clinical information system using her user-ID and password to retrieve some patient reports. What should you do? A. It's your boss, so it's okay to do this. B. Ignore the request and hope she forgets. C. Decline the request and refer to the information security policies.

C. Decline the request and refer to the information security policies.

When staff are instructed to create passwords, it should be recommended that they use __________. a.) A combination of letters and numbers b.) The name of a pet c.) A word found in the dictionary d.) Common dates

a.) A combination of letters and numbers

Crystal's request to access her medical record has been denied. The denial is subject to appeal. Which of the following is the most likely reason for the denial? a.) Access to the PHI would likely endanger Crystal's life or physical safety. b.) The PHI contains psychotherapy notes. c.) PHI in the record is subject to the federal Privacy Act. d.) PHI was created in the course of research including treatment, and Crystal agreed to suspend her right of access during the study time period.

a.) Access to the PHI would likely endanger Crystal's life or physical safety.

A young child is killed by a hit-and-run driver. The case is reported to the medical examiner for all of the following reasons except _____. a.) Age of the child b.) Suspicious death c.) Unexpected death d.) Violence that caused death

a.) Age of the child

A secretary in the nursing office was recently hospitalized with ketoacidosis. She comes to the health information management department and requests to review her health record. Of the options below, what is the best course of action? a.) Allow her to review her record after obtaining authorization from her. b.) Refer the patient to her physician for the information. c.) Tell her to go through her supervisor for the information. d.) Tell her that hospital employees cannot access their own medical records.

a.) Allow her to review her record after obtaining authorization from her.

A 22-year-old male has come to the HIM department and requested to see a copy of his medical record. He indicated he was a patient of Dr. Schmidt, a psychiatrist, and that he was on the sixth floor of St. Joseph's psych ward for the last two months. These records are not psychotherapy notes. Of the options below, what is the best course of action? a.) Allow the patient to access his record if, after contacting his physician, his physician does not feel it will be harmful to the patient. b.) Prohibit the patient from accessing his record, as it contains psychiatric diagnoses that may greatly upset him. c.) Allow the patient to access his record. d.) Deny access because HIPAA prevents patients from reviewing their psychiatric records.

a.) Allow the patient to access his record if, after contacting his physician, his physician does not feel it will be harmful to the patient.

The most common place to find a firewall is between __________. a.) An organization's internal network and the internet. b.) A PC and the internet. c.) The remote server and the PC. d.) The internal network and the intranet.

a.) An organization's internal network and the internet.

Per HIPAA, healthcare operations __________. a.) Are subject to the minimum necessary requirement b.) Include disclosure of information to insurance companies for payment c.) Require patient authorization prior to disclosure d.) Are a "public interest and benefit" exception to the authorization requirement

a.) Are subject to the minimum necessary requirement

Which of the following would be the best tool to determine whether or not access to ePHI was appropriate? a.) Audit trail b.) Access termination c.) Automatic log-off d.) Access control

a.) Audit trail

You have been given the responsibility of deciding which access control to use. Which of the following is NOT one of your options? a.) Audit trail b.) Biometrics c.) Password d.) Key cards

a.) Audit trail

Which of the following is not a form of transmission security? a.) Audit trails b.) Encryption c.) Firewalls d.) Routers

a.) Audit trails

When the HIM professional is considering the major departmental functions to include in a disaster plan for emergency operations, which of the following would be the least important? a.) Billing b.) Chart tracking c.) Master patient index d.) Transcription of dictation

a.) Billing

The local police department has contacted the HIM Department of the community hospital, requesting information about a former patient who has been identified as a suspect in a recent felonious assault. Which of the following items about this individual may be disclosed? a.) Blood type b.) Names of all contact persons listed on the health record c.) All information requested d.) No information requested

a.) Blood type

Mark Bates has been declared legally incompetent by the court. Mr. Bates' sister has been appointed his legal guardian. His sister is requesting a copy of Mr. Bates' health records. Of the options below, what is the best course of action? a.) Comply with the sister's request, but first request documentation from the sister that she is Bates' legal guardian. b.) Provide the information as requested by the sister. c.) Require that Mark Bates authorize the release of his health information to the sister. d.) Refer the sister to Mark Bates' doctor.

a.) Comply with the sister's request, but first request documentation from the sister that she is Bates' legal guardian.

Reporting of births by state law is allowable for which of the following reasons? a.) Data are necessary to identify trends. b.) Babies are cute and people want to know about them. c.) Data are necessary to provide to diaper manufacturers. d.) Data are necessary to determine where to build daycare centers.

a.) Data are necessary to identify trends.

With regard to marketing, HITECH has __________. a.) Expanded the scope of the marketing definition b.) Diminished the scope of the marketing definition c.) Prohibited the use and disclosure of PHI for marketing purposes d.) Made no changes

a.) Expanded the scope of the marketing definition

Which of the following disclosures provides an individual with the opportunity to agree? a.) Facility Directory b.) Treatment, payment, and operations c.) Regarding Workers' Compensation d.) Information regarding decedents

a.) Facility Directory

Which of the following is not a HIPAA identifier? a.) Gender b.) License plate number c.) Telephone number d.) Age, if patient is 75 years old

a.) Gender

Dr. Jordan, a member of the medical staff, asks to see the medical records of his adult daughter who was hospitalized in your institution for a tonsillectomy at age 16. The daughter is now 25. Dr. Smith was the patient's physician. Of the options below what is the best course of action? a.) Inform Dr. Jordan that he cannot access his daughter's health record without her signed authorization allowing him access to the record. b.) Allow Dr. Jordan to see the records because he was the daughter's guardian at the time of the tonsillectomy. c.) Call the hospital administrator for authorization to release the record to Dr. Jordan since he is on the medical staff. d.) Refer Dr. Jordan to Dr. Smith and release the record if Dr. Smith agrees.

a.) Inform Dr. Jordan that he cannot access his daughter's health record without her signed authorization allowing him access to the record.

Which of the following is a best practice to comply with the revised security provisions of the HITECH Act? a.) Inventory BAs to determine which Business Associates Agreements need amending. b.) Take a "wait and see" approach until more is known about the requirements. c.) Update the HIPAA authorization form. d.) Make sure all PHI is electronic.

a.) Inventory BAs to determine which Business Associates Agreements need amending.

Which of the following communicable diseases is typically not required to be reported? a.) Lice b.) Ebola c.) Syphilis d.) Yellow fever

a.) Lice

The following reporting exceptions to the doctrine of preemption are allowable except for which of the following? a.) Marketing b.) Child abuse c.) Disease d.) Injury

a.) Marketing

Security awareness training programs require the implementation of awareness and training of all workforce members and should include __________. a.) Periodic security reminders b.) Malicious software c.) Contingency plans d.) Response reporting

a.) Periodic security reminders

In general, reviews for compliance with various aspects of the security rule should be conducted __________. a.) Periodically b.) Annually c.) Semi-annually d.) Every six years

a.) Periodically

The adoptive parents of Susan, a minor, wish to access her health record. What is the best way for them to obtain a copy of Susan's operative report? a.) Present an authorization that at least the mom or dad signed b.) Present an authorization signed by the court that granted the adoption c.) Present an authorization signed by Susan's natural (birth) parents d.) Wait until Susan is 18

a.) Present an authorization that at least the mom or dad signed

When developing security procedures for remote workforce, the HIM director should reference which of the following? a.) Privacy and security rules, state statutes and other federal statutes b.) Privacy and security rules c.) Security rule, state statutes, other federal statutes, compliance regulations d.) Privacy and security rules, state statutes, and compliance regulations

a.) Privacy and security rules, state statutes and other federal statutes

Telephone callback procedures are used primarily for __________. a.) Remote employees b.) Temporary employees c.) Employees who have been placed on probation d.) Contract employees

a.) Remote employees

Under HIPAA, the following disclosures must be included in a patient accounting of disclosures: a.) Reporting child abuse, venereal disease, occupational diseases b.) Disclosures pursuant to patient's signed authorization c.) Disclosures pursuant to a subpoena accompanied by a patient authorization d.) All of the above

a.) Reporting child abuse, venereal disease, occupational diseases

Responsibility for completing a fetal death certificate is determined by _____. a.) State law b.) Federal law c.) Health department d.) Physician policy

a.) State law

Under the privacy rule, the following must be included in a patient accounting of disclosures: a.) State-mandated report of a sexually transmitted disease b.) Disclosure pursuant to a patient's signed authorization c.) Disclosure pursuant to a subpoena d.) Disclosure for payment purposes

a.) State-mandated report of a sexually transmitted disease

Which of the following can the HIM department require of a patient who is requesting an amendment to her PHI? a.) Submit the request in writing b.) Attend a meeting to discuss the reasons the patient disagrees with the record as currently documented c.) Payment of a nominal fee to address the cost of reviewing the request d.) There are no requirements the HIM Department can require of a requester

a.) Submit the request in writing

You are looking at your policies, procedures, training program, etc. and comparing them to the HIPAA regulations. You are conducting a.) risk assessment b.) policy assessment c.) No answer text provided. d.) No answer text provided.

a.) risk assessment

The age of majority in most states is _____. a.) 16 and older b.) 18 and older c.) 21 and older d.) None of the options are correct

b.) 18 and older

The general retention period for HIPAA-related documentation is __________. a.) 5 years b.) 6 years c.) 10 years d.) Not specified in the HIPAA Privacy Rule

b.) 6 years

A waived authorization for a research study may be granted by __________. a.) A researcher in the research study b.) An Institutional Review Board c.) The CEO of a covered entity that is providing PHI d.) The Office for Civil Rights

b.) An Institutional Review Board

With the initiation of HIPAA audits, complaints __________. a.) Are no longer used as a way to detect HIPAA violations b.) Are still used as a way to detect HIPAA violations c.) Can only be proven through corroboration via a HIPAA audit d.) Must be present before a HIPAA audit can be conducted

b.) Are still used as a way to detect HIPAA violations

Data are sent in encrypted form from one computer to another. Which of the following terms describes the data after the encryption algorithm has been applied to it? a.) Access control b.) Ciphertext c.) Device control d.) Public key cryptography

b.) Ciphertext

State attorneys general can bring __________. a.) Civil actions in state court for individuals wronged by HIPAA violations b.) Civil actions in federal court for individuals wronged by HIPAA violations c.) Criminal actions in state court for individuals wronged by HIPAA violations d.) Criminal actions in federal court for individuals wronged by HIPAA violations

b.) Civil actions in federal court for individuals wronged by HIPAA violations

A conditioned authorization __________. a.) Only allows participants in a research study if they are in good physical condition b.) Conditions treatment, payment and health plan enrollment on an authorization c.) Is the preferred type of research authorization per HIPAA d.) Combines consent to participate in a research study with authorization to use or disclose PHI

b.) Conditions treatment, payment and health plan enrollment on an authorization

The Health Information Technology for Economic and Clinical Health (HITECH) Act has affected HIPAA in which of the following ways? a.) Definition of PHI has changed b.) Consequences to business associate have become greater c.) Number of covered entity categories has increased d.) HITECH did not make any changes to HIPAA

b.) Consequences to business associate have become greater

All of the following are security rule physical safeguard standards except __________. a.) Facility access controls b.) Contingency planning c.) Workstation security d.) Device and media controls

b.) Contingency planning

Which portion of a security program would ensure that ePHI is not stored on recycled equipment? a.) Access control b.) Device and media controls c.) Emergency access control d.) Disaster control

b.) Device and media controls

The best mechanism to protect patient information during transit is __________. a.) E-mail b.) Encryption c.) Two-factor authentication d.) Biometrics

b.) Encryption

The HIPAA Privacy Rule states that required reporting is _____ from the HIPAA Privacy Rule. a.) Preempted b.) Exempt c.) Regulated d.) Mandated

b.) Exempt

Which of the following is most likely to result in a security breach? a.) Transporting records to a satellite clinic b.) Failing to deactivate user access at termination c.) Leaving voice mail patient appointment reminders d.) Calling patient names in the waiting room

b.) Failing to deactivate user access at termination

Medical information loses PHI status and is no longer protected by the HIPAA privacy rule when it __________. a.) Becomes an oral communication b.) Is de-identified c.) Is used for TPO d.) Is individually identifiable

b.) Is de-identified

Shirley Denton has written to request an amendment to her PHI from Bon Voyage Hospital, stating that incorrect information is present on the document in question. The document is an incident report from Bon Voyage Hospital, which was erroneously placed in Ms. Denton's health record. The covered entity declines to grant her request based on which privacy rule provision? a.) It was not created by the covered entity. b.) It is not part of the designated record set. c.) Both a and b d.) None. The covered entity must grant her request.

b.) It is not part of the designated record set.

Mitigation is __________. a.) Paying a patient who has been harmed by a breach b.) Lessening the harmful effects of wrongful use or disclosure of PHI c.) Responding to the OCR's investigation of a HIPAA violation complaint d.) A gesture of goodwill to a patient to compensate for a HIPAA infraction

b.) Lessening the harmful effects of wrongful use or disclosure of PHI

The baby of a mother who is 15 years old was recently discharged from the hospital. The mother is seeking access to the baby's health record. Who must sign the authorization for release of the baby's health record? a.) Both mother and father of the baby b.) Mother of the baby c.) Maternal grandfather of the baby d.) Maternal grandmother of the baby

b.) Mother of the baby

Securing the authorization of the attending physician, in addition to the patient's authorization, for the release of medical information to the patient's insurance company is a.) A legal requirement under privileged communication statute b.) Not legally required c.) A legal requirement under common law d.) Necessary only if the patient is a minor

b.) Not legally required

Jeremy Lykins was required to undergo a physical exam prior to becoming employed by San Fernando Hospital. Jeremy's medical information is __________. a.) Protected by the Privacy Rule because it is individually identifiable b.) Not protected by the Privacy Rule because it is part of a personnel record c.) Protected by the Privacy Rule because it contains his physical exam results d.) Protected by the Privacy Rule because it is in the custody of a covered entity

b.) Not protected by the Privacy Rule because it is part of a personnel record

Dr. Blake is selling his practice to Dr. Walton. If he sells patient information as part of the sale of the practice, he is __________. a.) Violating HIPAA b.) Not violating HIPAA c.) Not violating HIPAA as long as he sells only patient demographic information d.) Violating HIPAA unless he obtains authorization from each patient

b.) Not violating HIPAA

When a patient is an organ donor whose death is imminent, notifying the family members that the organ procurement organization will be contacted is _____. a.) Required b.) Not-required c.) Recommended d.) Not-recommended

b.) Not-required

Which of the following is a "public interest and benefit" exception to the authorization requirement? a.) Payment b.) PHI regarding victims of domestic violence c.) Information requested by a patient's attorney d.) Treatment

b.) PHI regarding victims of domestic violence

You have been asked to provide examples of technical security measures. Which of the following would NOT be included? a.) Automatic log out b.) Passwords Training c.) Audit trail d.) No answer text provided.

b.) Passwords Training

Per the HIPAA Privacy Rule, a hybrid entity is defined as one that __________. a.) Serves both self-pay patients and insured patients b.) Performs both covered and non-covered functions under the Privacy Rule c.) Educates students and provides medical services to those students as well d.) Is both a healthcare provider and a health insurer

b.) Performs both covered and non-covered functions under the Privacy Rule

The HIPAA Security Rule requires which of the following to achieve compliance? a.) Hiring a full-time security officer b.) Protecting ePHI c.) Eliminating security threats d.) Hiring security consultants

b.) Protecting ePHI

You are walking around the facility to identify any privacy and security issues. You walk onto the 6W nursing unit and are able to watch the nurse entering confidential patient information. You make a note of this. What are you doing? a.) Gap analysis b.) Risk assessment c.) Monitoring audit trail

b.) Risk assessment

The Uniform Health-Care Decision Act (UHCDA) refers to _____. a.) Medicaid and Medicare funding priorities b.) Selecting an individual to make healthcare decisions for a competent adult c.) Requiring the selection of a guardian for an incompetent adult d.) Use of CPT and HCPCS for reporting healthcare claims

b.) Selecting an individual to make healthcare decisions for a competent adult

Which of these PHI communications will NOT require encryption on your part? a.) Posting info on an Internet web page. b.) Sending e-mail from your Hospital address to another address within your hospital c.) Sending the PHI as a file attachment via Gmail

b.) Sending e-mail from your Hospital address to another address within your hospital

Minors are basically deemed legally incompetent to access, use, or disclose their health information. What resource should be consulted in terms of who may authorize access, use, or disclose the health records of minors? a.) HIPAA because there are strict HIPAA rules regarding minors b.) State law because HIPAA defers to state laws on matters related to minors c.) Hospital attorney because they know the rules of the hospital d.) None of the options are correct

b.) State law because HIPAA defers to state laws on matters related to minors

When determining which immunizations must be reported, which of the following would you refer to first? a.) HIPAA Privacy Rule b.) State reporting requirements c.) Providers d.) AMA pediatric section

b.) State reporting requirements

Examples of reportable deaths include which of the following? a.) Sudden, expected, violent, suspicious b.) Sudden, unexpected, violent, suspicious c.) Sudden, expected, non-violent, suspicious d.) Sudden, unexpected, non-violent, suspicious

b.) Sudden, unexpected, violent, suspicious

The Privacy Rule permits charging patients for labor and supply costs associated with copying health records. Mercy Hospital is located in a state where state law allows charging patients a $100 search fee associated with locating records that have been requested. a.) State law will not be preempted in this situation. b.) The privacy rule will preempt state law in this situation. c.) The privacy rule never preempts existing state law. d.) The privacy rule always preempts existing state law.

b.) The privacy rule will preempt state law in this situation.

Security Scenario #2 You are a research nurse coming off of a double shift at the hospital and a physician asks you to fax a patient's lab test results to his office fax. The results are ready but it is after hours in his office and none of the office staff are available to receive the fax. a.) Acceptable b.) Unacceptable

b.) Unacceptable

Which of the following is the public or known portion of most user log-ins? a.) Password b.) User ID c.) Firewall d.) Token

b.) User ID

Under which of the following conditions is the patient's authorization required for the use or disclosure of medical information? a.) When information is requested by the state's QIO for Medicare audit purposes b.) When a patient's life insurance company requests the information c.) When information on the patient's venereal disease is given to the health department d.) When the federal government suspects the patient is involved in terrorism activity e.) a and c f.) b and d

b.) When a patient's life insurance company requests the information

Over a 24-hour time period a large number of individuals have arrived in the emergency department of a local hospital complaining of severe abdominal pain, vomiting, and diarrhea that they have all seemed to pick up at a local restaurant in town. The hospital has provided the public health department with the PHI of all patients treated for the illness. Did the hospital have the right to disclose this information? a.) No, under no circumstance can the hospital release PHI without patient authorization. b.) Yes, the hospital may disclose PHI to a public health department if state law does not specifically require it if the disclosure is for controlling the spread of disease. c.) No, the hospital needed to verbally ask the patient if it was ok to release the PHI. d.) None of the options are correct

b.) Yes, the hospital may disclose PHI to a public health department if state law does not specifically require it if the disclosure is for controlling the spread of disease.

To ensure compliance with the HIPAA security rule training requirement, the HIIM Director should do which of the following? a.) rely solely on IT since they are experts in security b.) determine special needs of HIM staff and provide training c.) rely solely on him/herself since IT does not know about HIIM functions d.) rely on a consultant to determine what training the HIIM staff needs

b.) determine special needs of HIM staff and provide training

If a healthcare facility sustains physical damage caused by a tornado, the disaster recovery mechanism which provides the greatest protection of the data is __________. a.) password management b.) off-site data storage c.) anti-virus automatic software updates d.) automatic log-off

b.) off-site data storage

A subcontractor of a business associate may a.) always transmit ePHI on the business associate's behalf b.) transmit ePHI on the business associate's behalf if it provides satisfactory assurances that the information will be appropriately safeguarded c.) never transmit ePHI on the business associate's behalf d.) transmit ePHI on the business associate's behalf if the subcontractor believes it is necessary to do so

b.) transmit ePHI on the business associate's behalf if it provides satisfactory assurances that the information will be appropriately safeguarded

Which of the following techniques would a facility employ for access control? a.) Virus protection b.) Automatic logoff c.) Passwords d.) No answer text provided.

c.) Passwords

Healthcare organizations should implement medical identity theft prevention programs because they are __________. a.) Required by the HIPAA Security Rule b.) Required by state law c.) Helpful to protect patient information d.) Trendy to implement

c.) Helpful to protect patient information

The privacy rule generally requires documentation related to its requirements to be retained for __________. a.) 3 years b.) 5 years c.) 6 years d.) 10 years

c.) 6 years

Which of the following is not an identifier under the privacy rule? a.) Visa account 2773 985 0468 b.) Vehicle license plate BZ LITYR c.) Age 75 d.) Street address 265 Cherry Valley Road

c.) Age 75

St. Joseph's Hospital has a psychiatric service on the sixth floor of the hospital. A 31-year-old male has come to the HIM department and requested to see a copy of his medical record. He has told your clerk he was a patient of Dr. Schmidt, a psychiatrist, and was on the sixth floor of St. Joseph's for the last two months. These records are not psychotherapy notes. As the HIM director, the best course of action for you to take is to __________. a.) Prohibit the patient from accessing his record, as it contains psychiatric diagnoses that may greatly upset him b.) Allow the patient to access his record c.) Allow the patient to access his record if, after contacting his physician, his physician does not feel it will be harmful to the patient d.) Deny access because HIPAA prevents patients from reviewing their psychiatric records

c.) Allow the patient to access his record if, after contacting his physician, his physician does not feel it will be harmful to the patient

Your transcription system is set to back up your hard drive every five minutes. The backup is on the hard drive of another computer. This computer is located in another room next door to the primary computer. What should be done to improve the backup process? a.) Place on optical disk b.) Back up on a daily basis c.) Back up on external hard drive d.) Back up to the cloud

c.) Back up on external hard drive

Which of the following would provide the best support of an organization's efforts toward compliance with the security rule? a.) Implement mandatory password changes every 30 days b.) Create a mascot for security awareness c.) Build security into software and systems d.) Prohibit remote access to ePHI

c.) Build security into software and systems

Which of the following is not a mechanism to detect external medical identity theft? a.) Request a driver's license to verify identity b.) Take a photograph of the patient at the time of registration c.) Conduct a background check on prospective employees d.) Compare current patient signature with that from a previous encounter

c.) Conduct a background check on prospective employees

Which of the following is not an element that makes information "PHI" under the HIPAA privacy rule? a.) Identifies an individual b.) In the custody of or transmitted by a CE or its BA c.) Contained within a personnel file d.) Relates to one's health condition

c.) Contained within a personnel file

Which of the following are required components of a HIPAA-compliant disaster plan? a.) Data back-up and data recovery b.) Data back-up and emergency mode of operations c.) Data back-up, data recovery, and emergency mode of operations d.) Data back-up, data recovery, emergency mode of operations, and user IDs

c.) Data back-up, data recovery, and emergency mode of operations

"Public interest and benefit" uses and disclosures under the privacy rule __________. a.) Can only be made with the patient's written authorization b.) Require at least the patient's verbal agreement c.) Don't require the patient's agreement or authorization d.) Sometimes require the patient's agreement or authorization

c.) Don't require the patient's agreement or authorization

Tarasoff v. The Regents of the University of California is a landmark case related to the release of psychiatric patient information without patient authorization. The healthcare provider must release such information based on what circumstance? a.) Admission of facts b.) Involuntary commitment proceedings c.) Duty to warn d.) Res judicata

c.) Duty to warn

The Safe Medical Devices Act requires the reporting of medical device injuries to which agency? a.) Centers for Medicare and Medicaid Services b.) Federal Communication Commission c.) Food and Drug Administration d.) World Health Organization

c.) Food and Drug Administration

Jack Mitchell, a patient in Ross Hospital, is being treated for gallstones. He has not opted out of the facility directory. Callers who request information about him may be given __________. a.) No information due to the highly sensitive nature of his illness b.) Admission date and location in the facility c.) General condition and acknowledgement of admission d.) Location in the facility and diagnosis

c.) General condition and acknowledgement of admission

With addressable standards, the covered entity may do all but which of the following? a.) Implement the standard as written b.) Implement an alternative standard c.) Ignore the standard since it is addressable d.) Determine that the risk of not implementing is negligible

c.) Ignore the standard since it is addressable

The HIPAA Security Rule allows flexibility in implementation based on reasonableness and appropriateness. This means that covered entities can __________. a.) Ignore addressable standards b.) Implement only required standards c.) Implement based on organizational assessment d.) Mitigate standards with a clearinghouse

c.) Implement based on organizational assessment

The designated record set __________. a.) Must be maintained outside a covered entity b.) Includes incident reports c.) Includes medical and billing records d.) Is not used to make decisions about an individual

c.) Includes medical and billing records

One of the four general requirements a covered entity must adhere to for compliance with the HIPAA security rule is to ensure the confidentiality, ________, and availability of ePHI. a.) Implementation b.) Information c.) Integrity d.) Identity

c.) Integrity

Which term does the security rule use to define data or information that has not been altered or destroyed in an unauthorized manner? a.) Applicability b.) Security c.) Integrity d.) Confidentiality

c.) Integrity

Which of the following is true about a restriction request? a.) It can be terminated by the covered entity only. b.) It can be terminated by the individual only. c.) It can be terminated by either the covered entity or the individual. d.) It cannot be terminated once agreed upon by the covered entity and the individual.

c.) It can be terminated by either the covered entity or the individual.

A limited data set: a.) Is the same as deidentified information b.) Is not permitted to be used or disclosed without patient authorization c.) May be used or disclosed without patient authorization in specific limited circumstances d.) Is not a HIPAA-recognized concept

c.) May be used or disclosed without patient authorization in specific limited circumstances

Employees in the hospital business office may have legitimate access to patient health information without patient authorization based on what HIPAA standard/principle? a.) Compound authorization b.) Accounting of disclosures c.) Minimum necessary d.) Preemption

c.) Minimum necessary

Which of the following facilities must report information about implantable cardiac defibrillators? a.) Assisted living facilities b.) All nursing homes c.) Only hospitals seeking reimbursement d.) All rehabilitation hospitals with cardiac services

c.) Only hospitals seeking reimbursement

Which of the following information is not included about a physician in the National Practitioner Data Bank? a.) Malpractice lawsuits b.) Disciplinary actions c.) Personal bankruptcy d.) Credentialing information from other facilities

c.) Personal bankruptcy

Select the best response to complete this statement: Natural (birth) parents of a child who has been adopted by adoptive parents _____. a.) Are permitted to inspect their child's health records for three years after the adoption occurs b.) Are permitted to inspect their child's medical records when that child reaches the age of majority c.) Relinquish the right to inspect their child's health records once their parental rights have been terminated d.) None of the options are correct

c.) Relinquish the right to inspect their child's health records once their parental rights have been terminated

Kelly is a nurse at Riverview Hospital. She believes there are numerous HIPAA privacy rule violations occurring, but they are not being corrected even though she has brought them to the privacy officer's attention. She contacts the Office for Civil Rights (OCR) to complain. Riverview Hospital learns that she has submitted a complaint to OCR. a.) Riverview may not retaliate against Kelly b.) Riverview may retaliate against Kelly, but not against patients who complain of violations c.) Riverview may retaliate neither against Kelly nor against patients who complain of violations d.) The HIPAA Privacy Rule does not address the issue of retaliation

c.) Riverview may retaliate neither against Kelly nor against patients who complain of violations

Dr. Watson is known to chronically forget his password and ask other physicians and nurses to let him use their passwords. This is reported by various staff, but the security officer ignores the complaints since Dr. Watson is the chief of staff. The hospital most likely has not complied with which of the following? a.) Risk analysis b.) Risk management c.) Sanction policy d.) Security management

c.) Sanction policy

Which statement best describes the right of a mother about the reporting of her child's birth? a.) She may object to the reporting of the birth. b.) She may limit the amount of information that is reported. c.) She may request an account of the disclosure about the birth. d.) She may request a restriction to the amount of information that is reported.

c.) She may request an account of the disclosure about the birth.

Healthcare facilities are required to report vital statistics to which of the following authorities? a.) Centers for Disease Control and Prevention b.) National Center for Vital Statistics c.) State department of health d.) World Health Organization

c.) State department of health

Linda Wallace is being admitted to the hospital. She is presented with a "Notice of Privacy Practices." In the notice, it is explained that her PHI will be used and disclosed for treatment, payment, and operations (TPO) purposes. Linda states that she does not want her PHI used for those purposes. Which of the following is true? a.) The hospital must honor her wishes and not use her PHI for TPO. b.) The hospital may decline to treat Linda because of her refusal. c.) The hospital is not required to honor her wishes. d.) None of the above

c.) The hospital is not required to honor her wishes.

Central City Clinic has requested that Ghent Hospital send its hospital records from Susan Hall's most recent admission to the clinic for her follow-up appointment. Which of the following statements is true? a.) The privacy rule requires that Susan Hall complete a written authorization. b.) The hospital may send only discharge summary, history and physical, and operative report. c.) The privacy rule's minimum necessary requirement does not apply. d.) This "public interest and benefit" disclosure does not require the patient's authorization.

c.) The privacy rule's minimum necessary requirement does not apply.

Which of the following must notify the Federal Trade Commission of a breach? a.) Covered entity b.) Business associate c.) Third-party service providers of PHR vendors d.) All of these entities must notify the Federal Trade Commission of a breach

c.) Third-party service providers of PHR vendors

The privacy rule resides in __________. a.) Title I of HIPAA b.) Title I of the Federal Privacy Act c.) Title II of HIPAA d.) Title II of the Federal Privacy Act

c.) Title II of HIPAA

Per the Privacy Rule, which of the following requires authorization for research purposes? a.) Use of Mary's information about her myocardial infarction, de-identified b.) Use of Mary's information about her asthma, in a limited data set c.) Use of Mary's individually identifiable information related to her asthma treatments d.) Use of medical information about Jim, Mary's deceased husband

c.) Use of Mary's individually identifiable information related to her asthma treatments

During the flu season, a nursing home reports the cases of known flu in the nursing home population. The local health department calls and wants more information on the recent hospitalizations of these flu patients. How should the request be handled? a.) Call the nursing home attorney for advice. b.) Inform the sheriff of suspicion of medical identity theft. c.) Verify the authenticity of the request and provide information. d.) Obtain an authorization from each of the patients and provide the information.

c.) Verify the authenticity of the request and provide information.

A security procedure that causes a computer session to end after a predetermined period of inactivity is a(n) a.) audit trail b.) termination of access c.) automatic log-off d.) access control

c.) automatic log-off

Assessing HIPAA training programs is important for which of the following reasons? a.) It is how the workforce knows what to do. b.) It is highly visible to auditors. c.) both a and b d.) neither a nor b

c.) both a and b

The workforce security administrative safeguard requires policies and procedures that a.) ensure appropriate ePHI access by workforce members b.) prevent access to ePHI by workforce members who should not have access c.) both a and b d.) neither a nor b

c.) both a and b

Which of the following best describes the role that the HIIM professional should play in HIPAA security compliance? a.) minimal involvement since the rule is very technical b.) substantial involvement since the rule is very basic c.) moderate involvement since the rule is very operational d.) minimal involvement since the rule is difficult to interpret

c.) moderate involvement since the rule is very operational

Fred resigned from his position at University Hospital. According to the HIPAA security rule, his access to the electronic health record system should be terminated a.) one week after his resignation date b.) 30 days after his resignation date c.) promptly upon resignation d.) never; because he resigned and was not terminated, continued access presents little risk to the hospital

c.) promptly upon resignation

When external reviewers request access to electronic patient records, the IT professionals at Charity Clinic determine that giving the reviewers a user name and password to access all records in the database is the quickest and easiest approach. As the HIIM Director, your response to this would be to a.) agree with IT and grant access to the records b.) disagree with IT and deny access to the records c.) suggest records necessary for audit be placed in a queue d.) contact a clinic attorney to get a legal opinion about access to the records

c.) suggest records necessary for audit be placed in a queue

Which of the following is not an example of a red flag for a healthcare provider? a.) A patient's receipt of a bill for another individual b.) A bill for a product that patient denies receiving c.) A question from a patient about a collection notice d.) A question from a patient about scheduled surgery

d.) A question from a patient about scheduled surgery

Which of the following statements does the Privacy Rule not require the notice of privacy practices to contain? a.) A description (including at least one example) of the types of uses and disclosures the covered entity is permitted to make for treatment, payment, and healthcare operations b.) A description of each of the other purposes for which the covered entity is permitted or required to use or disclose PHI without the individual's written consent or authorization c.) A statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization d.) A statement that all disclosures will be prohibited from future redisclosures

d.) A statement that all disclosures will be prohibited from future redisclosures

The May 31, 2011 proposed rule introduced the concept of a(n) _________. a.) Accounting of disclosures b.) Penalty for HIPAA violations resulting from malicious behavior c.) Limitation on records of the deceased as PHI d.) Access report

d.) Access report

Based on the "Red Flags Rule," entities are considered creditors if they __________. a.) Use consumer reports in connection with credit transactions b.) Furnish information to consumer reporting agencies c.) Extend credit d.) All of the above

d.) All of the above

Breach notification requirements apply to __________. a.) HIPAA covered entities b.) HIPAA business associates c.) Non-business associate PHR vendor d.) All of the above

d.) All of the above

Under HIPAA, a covered entity may deny a patient's amendment request for which of the following reasons? a.) The information is accurate and complete b.) The information in question was not created by this covered entity c.) The information is not part of the individual's designated record set d.) All of the above

d.) All of the above

Which of the following is a potential consequence to the medical identity theft victim? a.) Intermingling of the victim's and perpetrator's medical information b.) Insurance denials c.) Debt collection attempts d.) All of the above

d.) All of the above

Which of the following is a reason for not using e-mail to communicate sensitive patient information? a.) It may be intercepted. b.) The identity of the recipient may be unclear. c.) It may consist of large amounts of data. d.) All of the above

d.) All of the above

In the case of behavioral healthcare information, a healthcare provider may disclose health information on a patient without the patient's authorization in which of the following circumstances? a.) Court order b.) Duty to warn c.) Involuntary commitment proceedings d.) All of the options are correct

d.) All of the options are correct

Which of the following is an example of mitigation? a.) Breach notification b.) Apology c.) Payment of a bill for financial loss resulting from an infraction d.) All of these are examples of mitigation

d.) All of these are examples of mitigation

Which of the following types of abuse and neglect of the elderly is required to be reported? a.) Sexual b.) Physical c.) Emotional d.) All options are correct

d.) All options are correct

Which of the following is not a mechanism to control access to PHI? a.) User-based access b.) Role-based access c.) Context-based access d.) Anti-virus software

d.) Anti-virus software

The latest provisions to HIPAA include ___________. a.) Breach notification and modification to the security rule b.) Breach notification and enforcement c.) Breach notification and modifications to the security rule d.) Breach notification, enforcement and modifications to the privacy and security rules

d.) Breach notification, enforcement and modifications to the privacy and security rules

The computer system containing the computerized patient record was located in a room that was flooded. As a result, the system is inoperable. Which of the following would be implemented? a.) SWOT analysis b.) IT strategic planning c.) RFP d.) Business continuity processing

d.) Business continuity processing

Elaine has moved to a new state to assume the position of director of HIM in a large community hospital. In her previous position, reporting of trauma injuries was required by state law. However, in her new position it is apparent that the hospital is not reporting traumatic injuries. Which of the following is the most appropriate action for Elaine to take? a.) Begin reporting trauma injuries b.) Refer to HIPAA about reporting of trauma injuries c.) Inform the hospital administrator and start reporting trauma injuries d.) Check state law to determine if reporting of trauma injuries is required

d.) Check state law to determine if reporting of trauma injuries is required

Many states have mandatory reporting requirements for suspected abuse or mistreatment of the following categories of individuals except _____. a.) Children b.) Nursing home residents c.) Residents of state mental health facilities d.) Competent adults

d.) Competent adults

Your organization is sending confidential patient information across the internet using technology that will transform the original data into unintelligible code that can be recreated by authorized users. This is: a.) Firewall b.) Validity processing c.) Call back process d.) Data encryption (cryptography)

d.) Data encryption (cryptography)

The best source for obtaining primary information on addressing the HIPAA Security Rule would be which of the following sources? a.) Journal of AHIMA b.) security consultants c.) AHIMA annual meeting d.) Department of HHS

d.) Department of HHS

Helpful University Health System has a laptop sharing program which allows users to request laptop computers to use for short-term projects. Many of the projects involve the use of ePHI. When the laptops are returned to the office, they are often immediately recirculated to another user in the system. This is an example of a violation of which of the following aspects of the security rule? a.) Workstation use b.) Facility access controls c.) Access control d.) Device and media controls

d.) Device and media controls

What statement best addresses disclosure of information about abortions? a.) Should never be disclosed b.) Disclosed at the direction of the physician c.) Deferred to the chief of staff for determination d.) Disclosed based on required reporting statutes

d.) Disclosed based on required reporting statutes

Debbie, an HIM professional, was recently hired as the privacy officer at a large physician practice. She observes the following practices, all of which occur without patient authorization. Which is a violation of the HIPAA privacy rule? a.) Dr. Graham recommends a medication to a patient with asthma. b.) Dr. Herman gives a patient a pen with the name of a pharmaceutical company on it. c.) Dr. Martin recommends acupuncture to a patient. d.) Dr. Lawson gives names of asthma patients to a pharmaceutical company.

d.) Dr. Lawson gives names of asthma patients to a pharmaceutical company.

The security rule's five sections include all of the following except ___________. a.) Administrative safeguards b.) Physical safeguards c.) Organizational requirements d.) Encryption requirements

d.) Encryption requirements

A fetal death would be reported on which required form? a.) Birth certificate b.) Death certificate c.) Fetal birth certificate d.) Fetal death certificate

d.) Fetal death certificate

Emancipated minors _____. a.) Must be married to be declared emancipated by a court b.) Are under the custody of their parents c.) Are determined by federal law d.) Generally may authorize disclosure of their own PHI

d.) Generally may authorize disclosure of their own PHI

The state department of behavioral health (SDBH) funds services by private providers throughout the state. It also issues regulations pertaining to the administration of behavioral healthcare throughout the state. It operates five outpatient sites and three inpatient sites around the state. SDBH is a: a.) Business associate b.) Deidentified covered entity c.) Affiliated covered entity d.) Hybrid entity e.) Organized healthcare arrangement

d.) Hybrid entity

Dr. Williams is on the medical staff of Sutter Hospital, and he has asked to see the health record of his wife, who was recently hospitalized. Dr. Jones was the patient's physician. Of the options below, which is the best course of action? a.) Refer Dr. Williams to Dr. Jones and release the record if Dr. Jones agrees. b.) Request that Dr. Williams ask the hospital administrator for approval to access his wife's record. c.) Inform Dr. Williams that he may review his wife's health record in the presence of the privacy officer. d.) Inform Dr. Williams that he cannot access his wife's health information unless she authorizes access through a written release of information.

d.) Inform Dr. Williams that he cannot access his wife's health information unless she authorizes access through a written release of information.

Which of the following is a public interest and benefit exception to the HIPAA authorization requirement? a.) Information on payment b.) Information on birth control c.) Information on workers' compensation d.) Information on domestic violence

d.) Information on domestic violence

When a state requirement exists that compels a healthcare facility to report patient information and there is an absence of specific data elements required for reporting, what should be disclosed? a.) Demographic information b.) Diagnostic information c.) Protected health information d.) Minimum necessary information

d.) Minimum necessary information

Which of the following pieces of information is not typically mandated by state law child abuse reporting requirements? a.) Age of child b.) Name of child c.) Name of parents d.) Name of siblings

d.) Name of siblings

Lane Hospital has a contract with Ready-Clean, a local company, to come into the hospital to pick up all of the facility's linens for off-site laundering. Ready-Clean is __________. a.) A business associate because Lane Hospital has a contract with it b.) Not a business associate because it is a local company c.) A business associate because its employees may see PHI d.) Not a business associate because it does not use or disclose individually identifiable health information

d.) Not a business associate because it does not use or disclose individually identifiable health information

Common data reported to the medical examiner in cases of reportable deaths typically includes all but which data element? a.) Age b.) Ethnicity c.) Marital status d.) Number of children

d.) Number of children

Trauma registry data is used for all of the following purposes except _____. a.) Performance improvement b.) Public safety law c.) Research d.) Prosecution of drunk drivers

d.) Prosecution of drunk drivers

An employer has contacted the Health Information Management Department and requested health information on one of his employees. Of the options below, what is the best course of action? a.) Provide the information requested b.) Refer the request to the attending physician c.) Request the employer's written authorization for release of the employee's information d.) Request employee's written authorization for release of information

d.) Request employee's written authorization for release of information

Which of the following entity authentication processes would be the most difficult to breach? a.) Password b.) Token c.) Password and token d.) Retinal scan

d.) Retinal scan

Uniform access to patient information for all nursing staff best describes __________. a.) Data warehouse b.) Group-based access c.) Passwords d.) Role-based access

d.) Role-based access

The most common place to find intrusion detection software would be on the network __________. a.) Back-up servers b.) Cell phones c.) Fax machines d.) Routers

d.) Routers

Augusta Clinic has requested that Furr Hospital send its health records from Helena Smith's most recent admission to the clinic for her follow-up appointment. Which of the following statements is true? a.) Per the privacy rule, Helena must complete a written authorization. b.) This "public interest and benefit" disclosure does not require Helena's authorization. c.) Furr Hospital may only send Helena's discharge summary. d.) The Privacy Rule's minimum necessary requirement does not apply.

d.) The Privacy Rule's minimum necessary requirement does not apply.

Mrs. Rollins was admitted to University Hospital by Dr. Connor. Mrs. Rollins' hospital bill will be paid by Blue Cross Insurance. Upon discharge from the hospital, who owns the health record of Mrs. Rollins? a.) Mrs. Rollins b.) Dr. Connor c.) Blue Cross d.) University Hospital

d.) University Hospital

Which of the following is a good policy for faxing PHI? a.) Fax only sensitive information b.) Never fax PHI c.) Place fax machines in open areas so they are easier for staff to access d.) Use a cover sheet with a confidentiality statement

d.) Use a cover sheet with a confidentiality statement

A physician practice was warned last year by auditors that its disposal of paper records (dumping them in bins without shredding or deidentifying them) violated HIPAA, but it did nothing to correct the problem. When the records were found in a city dumpster, an anonymous caller notified the Office for Civil Rights (OCR). An investigation by OCR confirmed that the practice had been warned about the violations. What level of violation is OCR likely to assess in this situation? a.) Unknowing b.) Reasonable cause c.) Willful neglect, corrected within 30 days of discovery d.) Willful neglect, uncorrected

d.) Willful neglect, uncorrected

Disabling the USB drive on a computer is an example of what type of security? a.) Access b.) Encryption c.) Workforce d.) Workstation

d.) Workstation

Which computer virus stores and replicates itself? a.) Trojan horse b.) Hacker c.) Macro virus d.) Worm

d.) Worm

The Kids' Foundation, a foundation related to Children's Hospital, is mailing fundraising information to the families of all patients who have been treated at Children's in the past three years. Based on the facts given, which of the following are true? a.) Children's Hospital violated the Privacy Rule by giving information to the foundation b.) The Privacy Rule was not violated as long as the fundraising activity was not based on the patients' diagnoses c.) Children's Hospital must have notified the patients or patients' guardians of this potential use in the notice of privacy practices d.) b and c e.) None of the above

d.) b and c

Which of the following is true regarding breaches and breach notification per HITECH? a.) It applies to both encrypted and unencrypted PHI. b.) Affected individuals must be notified within 30 days. c.) If just one person's information is wrongfully disclosed, it is not a breach. d.) It is only a breach if 500 or more individuals' information is affected. e.) There are exceptions to the breach definition, and notification is therefore not required.

e.) There are exceptions to the breach definition, and notification is therefore not required.

Substance abuse patient information is afforded federal protection through HIPAA and Alcohol and Drug Abuse Regulations. If a minor wishes to authorize release of his or her health information, he or she may do so if _____. a.) State statute allows the minor to authorize release b.) State statute allows minor and parent to authorize release c.) He or she gets permission from the court to release d.) Both court and minor authorize release e.) a and b f.) c and d g.) a, b, c, d are correct

e.) a and b (State statute allows the minor to authorize release; State statute allows minor and parent to authorize release)

What rights does a competent individual have in regard to his or her healthcare? a.) Right to consent to treatment b.) Right to access his or her own PHI c.) Right to refuse treatment d.) a and c e.) a, b and c

e.) a, b and c (Right to consent to treatment; Right to access his or her own PHI; Right to refuse treatment)

Which is usually the most secure place to store PHI data? a.) on your personal computer b.) on your USB c.) No answer text provided. d.) on your smart phone e.) on your facility's central server

e.) on your facility's central server

In some states, if an individual has filed a workers' compensation claim, who may access the individual's health information without the individual's authorization? a.) Employer's insurer b.) Employer's attorney c.) Patient's employer d.) Employee's attorney e.) a, b, and c f.) b and c g.) a, b, c, and d

g.) a, b, c, and d (Employer's insurer; Employer's attorney; Patient's employer; Employee's attorney)

A competent adult may appoint another person to be his or her personal representative, which gives that person the right to _____. a.) Make healthcare decisions for the individual b.) Request healthcare information related to the individual c.) Receive information on the mental health of the individual d.) Request information on the personal affairs of the individual e.) a and b f.) a and c g.) b and d h.) a, b, c, and d i.) None of the above

h.) a, b, c, and d (Make healthcare decisions for the individual; Request healthcare information related to the individual; Receive information on the mental health of the individual; Request information on the personal affairs of the individual)

