Health Information Privacy and Security (RHIT Review)


You have been asked what should be done with the notice of privacy practice acknowledgment when the patient had been discharged before it was signed. Your response is to

Try to get it signed, and if that is not possible, document the good-faith effort that was made and why the acknowledgment was not obtained.

The administrator states that he should not have to participate in privacy and security training as he does not use PHI. How should you respond?

"All employees are required to participate in the training, including top administration."

The police came to the HIM Department today and asked that a patient's right to an accounting of disclosure be suspended for two months. What is the proper response to this request?

"Certainly, officer. We will be glad to do that as soon as we have the request in writing." (An oral request from a law enforcement official may be honored temporarily, but the suspension must be documented and may last no more than 30 days unless a written statement is received in that time.)

Which of the following statements demonstrates a violation of protected health information?

"Mary, at work yesterday I saw that Susan had a hysterectomy."

Physical safeguards include 1. tools to monitor access 2. tools to control access to computer systems 3. fire protection 4. tools preventing unauthorized access to data

2 and 3 only

Richard has asked to view his medical record. How long does the facility have this record to him?

30 days.

Which of the following techniques would a facility employ for access control? 1. automatic logoff 2. authentication 3. integrity controls 4. unique user identification

1 and 4 only.

The facility had a security breach. The breach was identified on October 10, 2013. The investigation was completed on October 15, 2013. What is the deadline that the notification must be completed?

60 days from October 10

The hospital has received a request for an amendment. How long does the facility have in order to accept or deny the request?

60 days

Which of the following set(s) is an appropriate use of the emergency access procedure?

A and B:
A. A patient is crashing. The attending physician is not in the hospital, so a physician who is available helps the patient.
B. One of the nurses is at lunch. The nurse covering for her needs patient information.

Which of the following examples is an exception to the definition of a breach?

A coder accidentally sends PHI to a billing clerk in the same facility.

The facility can release information to which of the following requesters without a patient authorization?

A court with a court order

Someone accessed the covered entity's electronic health record and sold the information that was accessed. This person is known as which of the following?

A cracker.

A data use agreement is required when

A limited data set is used.

Which of the following is an example of a security incident?

A hacker accessed PHI from off site.

Researchers can access patient information if it is

A limited data set.

Which of the following is an example of a trigger that might be used to focus, and so reduce the volume of, audit log review?

A patient and user have the same last name.

When patients are able to obtain a copy of their record, this is an example of which of the following?

A patient right.

You have been asked to create a presentation on intentional and unintentional threats. Which of the following should be included in the list of threats you cite?

A patient's social security number being used for credit card applications.

The supervisors have decided to give nursing staff access to the EHR. They can add notes, view, and print. This is an example of what?

A workforce clearance procedure.

Which of the following statements is true about a requested restriction?

ARRA (HITECH) mandates that a CE must comply with a requested restriction on disclosures to a health plan for payment or health care operations when the patient has paid for the item or service out of pocket in full, unless the disclosure is otherwise required by law; other requested restrictions may still be declined.

Mountain Hospital has discovered a security breach. Someone hacked into the system and viewed 50 medical records. According to the ARRA, what is the responsibility of the covered entity?

All individuals must be notified within 60 days.

Which of the following statements are true?

All patients except inmates must be given a notice of privacy practices.

The company's policy states that audit logs, access reports, and security incident reports should be reviewed daily. This review is known as

An information system activity review.

Today is August 30, 2014. When can the training records for the HIPAA privacy training being conducted today be destroyed?

August 30, 2020 (6 years).

Before a user is allowed to access protected health information, the system confirms that the user is who he or she claims to be. This is known as

Authentication.

You have been asked to provide examples of technical security measures. Which of the following would you include in your list of examples?

Automatic logout.

Which security measure utilizes fingerprints or retina scans?

Biometrics

In case your system crashes, your facility has defined the policies and procedures necessary to keep your business going. This is known as:

Business continuity plan.

The computer system containing the electronic health record was located in a room that was flooded. As a result, the system is inoperable. Which of the following would be implemented?

Business continuity.

The HIPAA security rule impacts which of the following protected health information?

Clinical data repository

You are a nurse who works on 3 West during the day shift. One day, you had to work the night shift because they were shorthanded. However, you were unable to access the EHR. What type of access control(s) are being used?

Context-based.

Alisa has trouble remembering her password. She is trying to come up with a solution that will help her remember. Which one of the following would be the BEST practice?

Creating a password that utilizes a combination of letters and numbers

Your organization is sending confidential patient information across the Internet using technology that will transform the original data into unintelligible code that can be re-created by authorized users. This technique is called

Data encryption.

Intentional threats to security could include

Data theft (unauthorized downloading of files).

Which of the following can be released without consent or authorization?

De-identified health information.

You have been given the responsibility of destroying the PHI contained in the system's old server before it is trashed. What destruction method do you recommend?

Degaussing.

Our web site was attacked in a way that overloaded it. What type of attack was this?

Denial of service (DoS). Strictly, a DoS is an attack rather than a type of malware, although malware such as a botnet is often used to carry one out.

As Chief Privacy Officer for Premier Medical Center, you are responsible for which of the following?

Developing a plan for reporting privacy complaints.

Which type of signature uses encryption?

Digital signature (unlike a typed name or a scanned image of a handwritten signature, a digital signature is produced with cryptographic keys and can be verified).

Contingency planning includes which of the following processes?

Disaster planning.

You are defining the designated record set for South Beach Healthcare Center. Which of the following would be included?

Discharge summary

HIPAA states that release to a coroner is allowed. State law says that the coroner must provide a subpoena. Which of the following is a correct statement?

Follow the state law since it is stricter.

A hacker recently accessed our database. We are trying to determine how the hacker got through the firewall and exactly what was accessed. The process used to gather this evidence is called

Forensics.

Miles has asked you to explain the rights he has via HIPAA privacy standards. Which of the following is one of his HIPAA-given rights?

He can ask to be contacted at an alternative site.

An employee in the admission department took the patient's name, social security number, and other information and used it to get a charge card in the patient's name. This is an example of

Identity theft.

Patricia is processing a request for medical records. The record contains an operative note and a discharge summary from another hospital. The records are going to another physician for patient care. What should Patricia do?

Include the documents from the other hospital.

The surgeon comes out to speak to a patient's family. He tells them that the patient came through the surgery fine, the mass was benign, and they could see the patient in an hour. He talks low so that the other people in the waiting room will not hear, but someone walked by and heard. This is called a(n)

Incidental disclosure.

A covered entity

Includes health care providers who perform specified actions electronically.

Protected health information includes

Individually identifiable health information in any format stored by a health care provider or business associate.

A mechanism to ensure that PHI has not been altered or destroyed inappropriately has been established. This process is called

Integrity.

Which of the following statements is true about the Privacy Act of 1974?

It applies to the federal government

Mabel is a volunteer at a hospital. She works at the information desk. A visitor comes to the desk and says that he wants to know what room John Brown is in. What should Mabel do?

Look the patient up to see if John has agreed to be in the directory. If he has, then give the room number to the visitor.

Mary processed a request for information and mailed it out last week. Today, the requestor, an attorney, called and said that not all of the requested information was provided. Mary pulls the documentation, including the authorization and what was sent. She believes that she sent everything that was required based on what was requested. She confirms this with her supervisor. The requestor still believes that some extra documentation is required. Given the above information, which of the following statements is true?

Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum necessary standard.

Which of the following is an example of administrative safeguards under the security rule?

Monitoring the computer access activity of the user.

I have been asked if I want to be in the directory. The admission clerk explains that if I am in the directory,

My friends and family can find out my room number.

Intrusion detection systems analyze

Network traffic.

A breach has been identified. How quickly must the patient be notified?

No more than 60 days.

The purpose of the notice of privacy practices is to

Notify the patient of uses of PHI

Which of the following is allowed by HIPAA?

Permitting a spouse to pick up medication for the patient.

The HIM director received an e-mail, apparently from the technology support services department, about her e-mail being full and asking for her password. The director contacted tech support and it was confirmed that their department did not send this e-mail. This is an example of what type of attack?

Phishing (a social engineering attack rather than malware; the request for a password is the tell, and confirming with tech support out of band, as the director did, is the right response).

In conducting an environmental risk assessment, which of the following would be considered in the assessment?

Placement of water pipes in the facility.

The patient has the right to control access to his or her health information. This is known as

Privacy

Mrs. Thomas was a patient at your facility. She has been told that there are some records that she cannot have access to. These records are most likely

Psychotherapy notes.

Which of the following is a true statement about private key encryption?

Private key (symmetric) encryption uses a single shared secret key for both encryption and decryption; public key encryption, by contrast, uses a key pair made up of a public key and a private key.

A patient authorizes Park Hospital to send a copy of a discharge summary for the latest hospitalization to Flowers Hospital. The hospital uses the discharge summary in the patient's care and files it in the medical record. When Flowers Hospital receives a request for records, a copy of Park Hospital's discharge summary is sent. This is an example of

Redisclosure.

To prevent our network from going down, we have duplicated much of our hardware and cables. This duplication is called

Redundancy.

Which of the following would be a business associate?

Release of information company

Which of the following disclosures would require patient authorization?

Release to patient's family

Which of the following situations would require authorization before disclosing PHI?

Releasing information to the Bureau of Disability Determination.

You are looking for potential problems and violations of the privacy rule. What is this security management process called?

Risk assessment.

You are reviewing your privacy and security policies, procedures, training program, and so on, and comparing them to the HIPAA and ARRA regulations. You are conducting a

Risk assessment.

Kyle, the HIM Director, has received a request to amend a patient's medical record. The appropriate action for him to take is

Route the request to the physician who wrote the note in question to determine appropriateness of the amendment.

You work for a 60-bed hospital in a rural community. You are conducting research on what you need to do to comply with HIPAA. You are afraid that you will have to implement all of the steps that your friend at a 900-bed teaching hospital is implementing at his facility. You continue reading and learn that you have to implement what is prudent and reasonable for your facility. This is called

Scalable.

Which of the following documents is subject to the HIPAA security rule?

Scanned operative report stored on CD.

You have to decide which type of firewall you want to use in your facility. Which of the following is one of your options?

Secure socket layer (as listed in this set; note that SSL, now TLS, is a transport encryption protocol rather than a firewall type, so treat this card with care).

Which of the following is prohibited by ARRA?

Selling aggregated patient data without patient consent

You work for an organization that publishes a health information management journal and provides clearinghouse services. What must you do?

Separate the e-PHI from the noncovered entity portion of the organization.

The information systems department was performing the routine destruction of data that they do every year. Unfortunately, they accidentally deleted a record that is involved in a medical malpractice case. This unintentional destruction of evidence is called

Spoliation.

Bob submitted his resignation from Coastal Hospital. His last day is today. He should no longer have access to the EHR and other systems as of 5:00 PM today. The removal of his privileges is known as

Terminating access.

John is allowed to delete patients in the EHR. Florence is not. They both have the same role in the organization. What is different?

Their permissions.
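The cards on the 3 West nurse denied off-shift access (context-based control), on John and Florence holding the same role with different permissions, on Bob's terminated access, and earlier on the emergency access procedure all describe pieces of one access-control decision. The following is an added example, not taken from the review set, that evaluates such a decision in Python. The role names, permission strings, shift windows, and the break-glass flag are assumptions for illustration.

```python
"""Access-control decision combining role permissions, per-user grants and
denials, a time-of-day (context) window, account termination, and a logged
emergency ("break-glass") override.  Added example; all names are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, time

# Permissions granted to each role (assumed values).
ROLE_PERMISSIONS = {
    "nurse": {"view", "add_note", "print"},
    "him_director": {"view", "print", "amend", "delete"},
}


@dataclass
class User:
    name: str
    role: str
    shift_start: time            # context restriction: permitted login window
    shift_end: time
    extra_grants: set = field(default_factory=set)   # per-user additions
    denied: set = field(default_factory=set)         # per-user removals
    active: bool = True          # False once access has been terminated


def effective_permissions(user: User) -> set:
    """Role permissions plus user-specific grants, minus user-specific denials.
    Two users with the same role can still differ here (John vs. Florence)."""
    return (ROLE_PERMISSIONS.get(user.role, set()) | user.extra_grants) - user.denied


def in_shift(user: User, now: datetime) -> bool:
    """True when `now` falls inside the user's permitted window; handles
    windows that cross midnight (e.g. 19:00-07:00 for a night nurse)."""
    t = now.time()
    if user.shift_start <= user.shift_end:
        return user.shift_start <= t < user.shift_end
    return t >= user.shift_start or t < user.shift_end


def authorize(user, action, now, emergency=False, audit_log=None):
    """Return (allowed, reason).  Order of checks: terminated account, then
    permission, then time-of-day context.  The emergency flag bypasses only
    the context check and records the event for later audit review."""
    if audit_log is None:
        audit_log = []
    if not user.active:
        return False, "access terminated"
    if action not in effective_permissions(user):
        return False, "permission not granted"
    if not in_shift(user, now):
        if emergency:
            audit_log.append(f"{now.isoformat()} EMERGENCY {user.name} {action}")
            return True, "emergency access granted and logged"
        return False, "outside permitted hours (context-based denial)"
    return True, "allowed"


if __name__ == "__main__":
    day_nurse = User("nurse_3west", "nurse", time(7), time(19))
    print(authorize(day_nurse, "view", datetime(2014, 8, 30, 10, 0)))
    print(authorize(day_nurse, "view", datetime(2014, 8, 30, 23, 0)))
```

The emergency path deliberately does not bypass the permission check: a nurse covering an emergency still cannot delete patients, and every break-glass use lands in the audit log so the information system activity review picks it up.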

A home health care agency employee has contacted the Centers for Medicare & Medicaid Services to report health care fraud. Patient information is provided in the report. Which of the following is true?

The disclosure is not a violation of HIPAA if the information was provided in good faith.

Which statement is true about when a family member can be provided with PHI

The family member is directly involved in the patient's care.

Which of the following situations violates a patient's privacy?

The hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples.

Which of the following should the record destruction program include?

The method of destruction.

The patient calls and has a telephone consultation. Which of the following is true about the notice of privacy practices?

The notice of privacy practices can be mailed to the patient.

A patient has submitted an authorization to release information to a physician office for continued care. The release of information clerk wants to limit the information provided because of the minimum necessary rule. What should the supervisor tell the clerk?

Disclosures made under a valid patient authorization are exempt from the minimum necessary standard, so process the request as written.

If the patient has agreed to be in the directory, which of the following statements would be true?

The patient's condition can be described in general terms like "good" and "fair".

The physician office you go to has a data integrity issue. What does this mean?

There has been unauthorized alteration of patient information.
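The card above, and the earlier one defining integrity as a mechanism to ensure PHI has not been altered or destroyed inappropriately, describe a control that a keyed message authentication code implements directly. The following added example, which is not part of the review set, seals a record with an HMAC-SHA256 tag and shows a changed field failing verification. The key, record fields and the known-good comparison are constructed for the example.

```python
"""Record integrity with HMAC-SHA256: a keyed tag is stored beside each record,
and any change to the record (or to the tag) fails verification.  Added example
with a constructed key and record."""
import hashlib
import hmac
import json

# Constructed secret for the example; a real deployment keeps this in a key
# store and rotates it, never in source code.
INTEGRITY_KEY = b"example-integrity-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Return the hex HMAC tag for the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison of the stored tag with a freshly computed one."""
    return hmac.compare_digest(seal(record, key), tag)


def find_altered_fields(known_good: dict, current: dict) -> list:
    """After verification fails, compare against the last known-good copy
    (e.g. from backup) to list which fields differ, for the incident record."""
    keys = set(known_good) | set(current)
    return sorted(k for k in keys if known_good.get(k) != current.get(k))


if __name__ == "__main__":
    rec = {"mrn": "P1001", "allergy": "penicillin", "dose_mg": 250}
    tag = seal(rec)
    tampered = dict(rec, dose_mg=2500)
    print(verify(rec, tag), verify(tampered, tag), find_altered_fields(rec, tampered))
```

Because the tag depends on the key, an attacker who can edit the database but does not hold the key cannot produce a matching tag for an altered record; a plain hash without a key would not give that guarantee.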

Critique the statement: A business associate has the right to use a health care facility's information beyond the scope of their agreement with the health care facility.

This is a false statement because it is prohibited by the HIPAA privacy rule.

You have been given some information that includes the patient's account number. Which statement is true?

This is not de- identified information because it is possible to identify the patient.
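The cards on de-identified information, on the limited data set (which needs a data use agreement), and on the account number above turn on which fields have been removed. The following is an added example, not from the review set, that applies Safe Harbor de-identification and, separately, builds a limited data set from a constructed patient record. The field names are assumptions; the identifier lists summarize 45 CFR 164.514(b)(2) and (e)(2), and the restricted ZIP3 set is an illustrative subset that should be checked against current census data before use.

```python
"""Safe Harbor de-identification versus a limited data set, applied to a
constructed patient record.  Added example: field names are assumed; the
identifier lists summarize 45 CFR 164.514(b)(2) and (e)(2)."""
import re

# Direct identifiers that neither a de-identified record nor a limited data
# set may contain (names, contact details, SSN, MRN, account numbers, ...).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}
# A limited data set may keep these; Safe Harbor must reduce them to the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}
# Three-digit ZIP prefixes covering under 20,000 people must be reported as 000.
# Illustrative subset for the example; verify against current census data.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "893"}

PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
FULL_DATE_RE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")


def direct_identifiers_present(record: dict) -> list:
    """Fields that make the record identifiable (an account number alone is enough)."""
    return sorted(k for k in record if k in DIRECT_IDENTIFIERS)


def limited_data_set(record: dict) -> dict:
    """Strip direct identifiers but keep dates and city/state/ZIP.
    Release of the result to a researcher requires a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record: dict) -> dict:
    """Remove direct identifiers, drop geography below state level except the
    ZIP3 prefix, keep only the year of dates, cap ages at 90+, and scrub
    phone numbers and full dates out of free-text notes."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k != "city"}
    for f in DATE_FIELDS & set(out):
        out[f] = str(out[f])[:4]                 # ISO date -> year only
    if "zip" in out:
        z3 = str(out["zip"])[:3]
        out["zip"] = "000" if z3 in RESTRICTED_ZIP3 else z3
    if "age" in out and int(out["age"]) > 89:
        out["age"] = "90+"
    if "notes" in out:
        text = PHONE_RE.sub("[phone]", out["notes"])
        out["notes"] = FULL_DATE_RE.sub(lambda m: m.group(3), text)
    return out


if __name__ == "__main__":
    rec = {"name": "Jane Roe", "account_number": "AC-55", "city": "Cambridge",
           "state": "MA", "zip": "02139", "discharge_date": "2014-08-30",
           "age": 93, "notes": "Call 617-555-0143; seen 8/30/2014."}
    print(direct_identifiers_present(rec))
    print(safe_harbor(rec))
```

Free-text scrubbing is the weak point of any Safe Harbor routine: the two regular expressions here catch common phone and date formats only, so notes fields should be reviewed (or excluded) rather than trusted to the pattern match.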

Barbara, a nurse, has been flagged for review because she logged in to EHR in the evening when she usually works the day shift. Why should this conduct be reviewed?

This needs to be investigated before a decision is made, because there may be a legitimate reason why she logged in at this time.

As Chief Privacy Officer, you have been asked why you are conducting a risk assessment. Which reason would you give?

To prevent breach of confidentiality.

Which of the following is an example of an administrative safeguard?

Training

Robert Burchfield was recently caught accessing his wife's medical record. The system automatically notified staff of a potential breach due to the same last name for the user and the patient. This was an example of a

Trigger.
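The cards on the same-last-name trigger, on Barbara's off-shift login being flagged for review rather than treated as a violation, and on reviewing audit logs as an information system activity review all describe the same mechanism. The following added example, not part of the review set, runs those two triggers over a constructed EHR access log in Python and returns a review queue; the log lines, column names and each user's usual shift are constructed for the example.

```python
"""Trigger-based review of an EHR access log: flag events that warrant a
human look, without deciding guilt.  Added example; the log lines and the
usual-shift table are constructed."""
import csv
import io
from datetime import datetime

# Constructed sample export: who accessed which patient, when, and how.
SAMPLE_LOG = """\
timestamp,user,user_last,patient_id,patient_last,action
2014-08-30T09:12:00,rburchfield,Burchfield,P1001,Burchfield,view
2014-08-30T10:05:00,bjones,Jones,P1002,Smith,add_note
2014-08-30T22:40:00,bjones,Jones,P1003,Lee,view
2014-08-30T11:00:00,jdoe,Doe,P1004,DOE,print
2014-08-30T14:30:00,jdoe,Doe,P1005,Nguyen,view
"""

# Each user's usual working hours (assumed), 24-hour clock, [start, end).
USUAL_SHIFT = {"rburchfield": (7, 19), "bjones": (7, 19), "jdoe": (7, 19)}


def parse_log(text: str) -> list:
    """Read the CSV export and turn timestamps into datetime objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return rows


def same_last_name(row: dict) -> bool:
    """User and patient share a surname (possible family-member lookup)."""
    return row["user_last"].casefold() == row["patient_last"].casefold()


def off_shift_access(row: dict) -> bool:
    """Access outside the hours this user normally works (Barbara's case)."""
    start, end = USUAL_SHIFT.get(row["user"], (0, 24))
    return not (start <= row["timestamp"].hour < end)


TRIGGERS = {
    "same_last_name": same_last_name,
    "off_shift_access": off_shift_access,
}


def flag_events(rows: list) -> list:
    """One finding per (event, trigger) match.  A finding opens an
    investigation; it is not itself a determination that a violation occurred."""
    findings = []
    for r in rows:
        for name, check in TRIGGERS.items():
            if check(r):
                findings.append({
                    "trigger": name,
                    "user": r["user"],
                    "patient_id": r["patient_id"],
                    "timestamp": r["timestamp"].isoformat(),
                })
    return findings


def review_queue(text: str = SAMPLE_LOG) -> list:
    """Parse and flag in one call; returns the list handed to the reviewer."""
    return flag_events(parse_log(text))


if __name__ == "__main__":
    for finding in review_queue():
        print(finding)
```

Adding a trigger is a one-line change to the TRIGGERS table (a VIP patient list or a high volume of record views by one user are common additions), and the surname comparison is case-insensitive so an upper-cased patient name in the export does not hide a match.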

Before an employee can be given access to the EHR, someone has to determine what they have access to. What is this known as?

Workforce clearance procedure

You have been assigned the responsibility of performing an audit to confirm that all of the workforce's access is appropriate for their role in the organization. This process is called

Workforce clearance procedure.

Your department was unable to provide a patient with a copy of his record within the 30-day limitation. What should you do?

Write the patient, within the original 30 days, telling him the reason for the delay and the date by which the copy will be provided; one 30-day extension is allowed.

A patient signed an authorization to release information to a physician but decided not to go see that physician. Can he stop the release?

Yes, as long as it has not been released already; the revocation must be submitted in writing.

If an authorization is missing a Social Security number, can it be valid?

Yes. A Social Security number is not a required element of a valid authorization.

