HIPAA Regulations

What is the length of time that medical records must be maintained? a) Varies from state to state b) 5 years c) 15 years d) 7 years

a) Varies from state to state

How long is the NCCAOM certification valid? a) 4 years b) 2 years c) 3 years d) 1 year

a) 4 years

What is the max time limit to comply with the auth to release med rec's? a) 90 days b) 45 days c) 30 days d) 7 days

a) 90 days

A patient's request to amend their medical record can be done by a) Adding additional notes b) Crossing out certain information c) No changes can be done d) Changing medical entries

a) Adding additional notes

When should medical records be written? a) After treatment b) Within 48 hours c) Within 24 hours d) Within 36 hours

a) After treatment

The following are HIPAA recommendations except one which is a HIPAA regulation/law. Choose the law. a) All medical records must be kept private and secure. b) Health care providers should not take phone calls pertaining to patients while in an exam room with another patient. c) All lab logs, X-ray folders or lab requests should be secured when not in use. d) All lab logs, X-ray folders or lab requests should be stored in areas that are not visible or accessible to non-authorized personnel.

a) All medical records must be kept private and secure.

A copy of an authorization to release protected health information is acceptable if a) All of the required elements are included b) It is notarized c) It is legible d) Never acceptable

a) All of the required elements are included

Which of the following is a patient's fundamental right under HIPAA? a) All of these answers b) The right to receive a notice about your privacy policies c) The right to access their medical information d) The right to limit the uses/disclosures of medical information

a) All of these answers

Which of the following is a patient's fundamental right under HIPAA? a) All of these answers b) The right to request amendments to the medical record c) The right to revoke or limit authorization d) The right to get an accounting of PHI (protected health info) disclosures

a) All of these answers

Other providers in your clinic have a legitimate need to access a patient's chart. Which of the following is correct a) Can be shared without patient waiver and no fee charged b) Can be shared without patient waiver and a fee should be charged c) Can be shared only with patient waiver d) Cannot be shared without patient waiver

a) Can be shared without patient waiver and no fee charged

The release, transfer, provision of access to or divulging in any manner information outside the entity holding the information is a/an a) Disclosure b) Authorization c) Acknowledgment d) Privacy report

a) Disclosure

The medical practice must have a process for using and disclosing PHI based on a) HIPAAs consent and authorization agreements requirements b) The physician's lawyer recommendations c) The American medical association regulations d) State and local regulations

a) HIPAAs consent and authorization agreements requirements

You refer a pt to another practitioner. After a year this practitioner is sued by the pt for sexual misconduct. Which of the following statements is correct? a) It has the possibility of negligent referral b) You are not responsible as too much tie has elapsed between the referral and the charge c) You are not responsible as the pt has become the responsibility of the other practitioner d) You are responsible for the behavior of the practitioners you refer to

a) It has the possibility of negligent referral

Which of the following is false about medical records? a) Medical records are primarily a legal document b) Medical records document treatment for payment purposes c) Medical records are a source of information about communicable diseases d) Medical records document quality of care

a) Medical records are primarily a legal document

You have sold your acupuncture practice to another practitioner. What is the correct procedure for transferring medical records? a) Notify former patients of the transfer of their records by letter b) No need to contact former patients about the transfer of their records c) Put a notice in the local newspaper d) Former patients need to approve the transfer of their medical records

a) Notify former patients of the transfer of their records by letter

A practitioner has rec'd an NCCAOM letter of censure. Which of the following will NCCAOM not do? a) Notify malpractice carriers b) Notify state regulatory agencies c) Publish the name on its' website d) Publish the name in its' newspapers

a) Notify malpractice carriers

An insurance company calls you to request one of your patient's medical records in order to determine whether coverage should be extended. What would you do? a) Only disclose records if the insurance company gives you a written request from the patient b) Send the insurance company the records and charge no fee c) Do not give any information about your patient d) Send the insurance company the records and charge a fee

a) Only disclose records if the insurance company gives you a written request from the patient

Who is authorized to access or remove medical records? a) Only individuals whose job description states they may need access to medical records b) Staff members that the patient has agreed to in the consent form agreement c) Only the physician d) Nurse and physician

a) Only individuals whose job description states they may need access to medical records

An agent from the Homeland Security requests one of your patient's medical records because your patient has a criminal record. What would you do? a) Provide the medical records only if the agent has a written consent from your patient b) Do not give any information about your patient c) Provide the medical records d) Only share general contact information

a) Provide the medical records only if the agent has a written consent from your patient

Which statement is true? a) State privacy/security laws supercede HIPAA if state laws are stricter b) Which law takes precedence is still under appeal c) Whether state laws supercede HIPAA varies from state to state d) HIPAA laws always take precedence

a) State privacy/security laws supercede HIPAA if state laws are stricter

Which of the following statements is true regarding a deceased patient's PHI (protected health info) a) Subject to the same rules as all living patients b) Can be made public 100 years after death c) Can be made part of the public record d) Subject only to HIPAA citation 164.508

a) Subject to the same rules as all living patients

What does a letter terminating the doc/pt relationship need not include? a) The exact reason why you cannot provide care b) State that you can no longer provide effective service c) Provide referrals d) Keep whatever appointment is already there

a) The exact reason why you cannot provide care

When a patient requests access to their medical records which of the following statements is FALSE a) The original medical record must always be provided b) A copy of the record can be provided c) A fee must be agreed to in advance d) A summary can be provided if the record is too difficult to interpret

a) The original medical record must always be provided

Informed consent is not required in an emergency situation if all of the following apply except: a) The treating physician can receive permission from the pt's primary care physician b) No close family member is available to give consent on behalf of the pt c) The physician has no evidence to suggest that the pt would oppose treatment d) Delay in treatment would be life threatening

a) The treating physician can receive permission from the pt's primary care physician

A signed Business Associate contract is required with only a) Third party vendors who have access to PHI b) Transcription services c) Offsite disposal record storage or disposable storage d) Billing services and collection agencies

a) Third party vendors who have access to PHI

A doctor can speak directly about health and treatment information to any of the following EXCEPT a) To any family member b) Only to immediate family members unless the patient has explicitly indicated the contrary c) Only to a spouse unless the patient has explicitly indicted the contrary d) Referring physician

a) To any family member

Penalties for disclosing PHI such as accidentally leaving a patient's chart on the reception desk for others to see if reported are a) $10k per occurrence b) $100 or less per occurrence c) $100,000 per occurrence d) $1000 per occurrence

b) $100 or less per occurrence

Criminal penalties for improperly disclosing patient health information can be as high as a) $500,000 and up to 5 years in prison b) $250,000 and up to 10 years in prison c) Varies from state to state d) 5 years in prison

b) $250,000 and up to 10 years in prison

According to NCCAOM code of ethics how much time must elapse after the patient-practitioner relationship ends before a practitioner can have a sexual relationship w/ a former patient? a) 1 year b) 6 months c) 2 years d) Never

b) 6 months

The following are HIPAA recommendations except one which is a HIPAA regulation/law. Choose the law. a) To protect confidentiality, medical practices should avoid using both first and last names together when calling pts back for treatment. b) A patient privacy consent form must be signed prior to providing any service. c) Patients should sign a consent allowing for answering machine/voice mail messages and other forms of contact. d) Correspondence to pts should be labeled "Personal and Confidential" and if possible should not identify the nature of the practice

b) A patient privacy consent form must be signed prior to providing any service.

In the US a TCM college is accredited by a) Federal office of education b) ACAOM c) AAAOM d) NCCAOM

b) ACAOM

A patient's consent agreement regarding their PHI must be a) Given to the patient b) Filed in the patient's medical record c) Filed in a separate file with all other patient's consent agreements d) Notarized

b) Filed in the patient's medical record

For which of the following sanctions will the NCCAOM not publish the person's name? a) Suspension b) Letter of reprimand c) Probation d) Letter of censure

b) Letter of reprimand

The following are HIPAA recommendations except one which is a HIPAA regulation/law. Choose the law. a) Exam room doors should b closed while a provider is examining a patient or discussing PHI with a patient. b) Only PHI that is necessary for carrying out TPO (treatment, payment, health care operations) should b transported to office satellite locations c) All phone calls that include a discussion of PHI must take place in a private area. d) All discussion and dictation of PHI should take place in a private area.

b) Only PHI that is necessary for carrying out TPO (treatment, payment, health care operations) should b transported to office satellite locations

The following are HIPAA recommendations EXCEPT one which is a HIPAA regulation/law. Choose the law a) The identity of the patients who call via telephone requesting scheduling, billing requests, lab results, etc. must be verified via patient provided confirming info such as DOB, SSN, mother's maiden name or other unique identifier. b) Only permit office personnel to view PHI whose job description states needed access to medical records c) All staff should log out of all programs containing PHI prior to leaving a computer unattended d) Protected health info must be rendered unreadable when it is destroyed

b) Only permit office personnel to view PHI whose job description states needed access to medical records

A medical practice can refuse a patient's request to amend their medical record a) If unrelated to patient care b) Under specific circumstances c) Only if insurance coverage is not affected d) Under no circumstances

b) Under specific circumstances

A medical practice must respond to a patient's request to amend a record a) When the physician has time b) Within 60 days c) Within 30 days d) Only if it does not affect patient care

b) Within 60 days

An acupuncture student, a non- NCCAOM diplomat, needles a friend outside of clinical supervision and does not ask for payment for treatment. Has the acupuncturist endangered their future NCCAOM certification? a) No - no money has changed hands b) Yes - violation of the code of ethics prior to cert is not a defense. c) No - they weren't NCCAOM certified at the time d) No - it was between friends

b) Yes - violation of the code of ethics prior to cert is not a defense.

From the time a stroke starts, how much time do emergency medical personnel have to mitigate the fx of the stroke by using clot busting meds? a) 6 hours b) 1 hour c) 3 hours d) 12 hours

c) 3 hours

When does the doc/pt relationship begin? a) During the intake b) After they sign the consent form c) As soon as you give advice d) When the appointment is made

c) As soon as you give advice

The following are HIPAA recommendations except one which is a HIPAA regulation/law. Choose the law. a) Appointment schedules should be placed out of sight from patients and other non-authorized personnel. b) A private area should be available for staff to discuss PHI with patients c) A Notice of Privacy Practices must be made easily visible in the office. d) Computer screens should be facing away from pts or have screens that allow only straight on viewing.

c) A Notice of Privacy Practices must be made easily visible in the office.

The patient's written statement that he/she has received the notice of your privacy policies & procedures is a) A privacy report b) A disclosure c) An acknowledgment d) An authorization

c) An acknowledgment

When a patient requests copies of their medical records a) Any amount can be charged b) $1 per copy can be charged c) A reasonable cost based fee for copying can be charged d) Retrieval fees and copying fees can be charged

c) A reasonable cost based fee for copying can be charged

A patient consent agreement regarding their protected health information (PHI) must be signed a) After the health care provider's intake interview b) Within 10 days c) Before providing any service d) Within 60 days

c) Before providing any service

Your patient's medical record states that he has a sexually transmitted disease. The state licensing board of your state has the legal right to request this pt's medical records to evaluate a complaint against you. What do you do? a) Refuse on the basis of confidentiality b) Send a copy of the records c) Call your lawyer and get specific consent from your patient d) Send the original records.

c) Call your lawyer and get specific consent from your patient

The NCCAOM professional discipline governs a) Personal behavior relating to practicing acupuncture b) Competency c) Character and competency d) Character

c) Character and competency

You make an error in your written medical notes. How should you correct it? a) Write over the error and sign your signature b) Cross out the error and make a new entry c) Cross out the error, make a new entry, and sign your signature next to the change d) Erase the error

c) Cross out the error, make a new entry, and sign your signature next to the change

How long is an employer required to maintain confidential medical records? a) Duration of employment + 10 years b) Duration of employment + 5 years c) Duration of employment + 30 yrs d) Duration of employment + 1 yr

c) Duration of employment + 30 yrs

When should a medical office's privacy policies and procedures be reviewed? a) Before a new employee is hired b) When HIPAA regulations are amended c) Every year d) Every other year

c) Every year

If a patient comes to you via a referral from their medical doctor, which of the following should you do? a) Be clear about how your malpractice insurance will handle the situation if there is litigation b) Treat based on their western dx c) Find out the purpose of the referral d) Do a TCM evaluation

c) Find out the purpose of the referral

What would you say to a persistently seductive patient? a) I can only have a sexual relationship with you after our treatments are over b) We can only have a casual relationship outside of our treatment c) I can no longer treat you b/c you cannot acknowledge that I cannot be anything more than your practitioner d) I cannot have a romantic relationship with you

c) I can no longer treat you b/c you cannot acknowledge that I cannot be anything more than your practitioner

Components of an informed consent form include all of the following EXCEPT: a) Alternative treatments for the patient b) The type of treatment for which informed consent is required c) Insurance provider d) The risk of treatment

c) Insurance provider

When does the confidentiality of medical records end? a) After 50 years b) After 100 years c) It does not end d) After the death of the patient

c) It does not end

The owner of the NCCAOM certificate is a) State regulating agencies b) Federal regulating agencies c) NCCAOM d) The certificate holder

c) NCCAOM

A deceased patient's PHI consent agreement expires a) Depends on each state's regulations b) Twenty years after death c) Never d) At the time of death

c) Never

A patient's consent to use and disclose their protected health information for the purpose of treatment, payment, and health care operations needs to be obtained a) Every year b) At the beginning of treatment and when patient is discharged c) Once d) Only when the patient authorizes release of their medical information

c) Once

Who can sign your medical notes? a) You or your assistant b) Anyone you give permission to c) Only you d) The nurse

c) Only you

You use a transcription service for your dictated medical records. Which of the following actions should you take? a) Write dictated but not read b) Stamp the document as read c) Review, initial, and date the document d) No other action is necessary

c) Review, initial, and date the document

What is the best way of disposing of medical records? a) Return them to the patient b) Have them picked up by a recycling company c) Shred or burn d) Throw them into a garbage can

c) Shred or burn

One of your patients makes an explicit seductive move towards you. What should you do? a) Tactfully confront the patient and refuse b) Tell them it is inappropriate in the clinic but that you will see them outside of the clinic c) Tactfully confront the patient and make a note on the patient's record d) Tell them that you feel flattered

c) Tactfully confront the patient and make a note on the patient's record

Which statement is true about the medical practice personnel, such as the assistants and nurses, having access to PHI? a) They have access to all patient's PHI b) There is no regulation c) They have access to the minimum PHI necessary to perform treatment d) They have access only to those portions of PHI that the patient has agreed to

c) They have access to the minimum PHI necessary to perform treatment

A notice of Privacy Practices outlining how PHI may be used must be made available upon request a) To patients and doctors b) Only to patients c) To patients and non-patients d) To any office staff which comes in contact with PHI

c) To patients and non-patients

Who does HIPAA require to address and respond to a patient's request regarding PHI? a) Lawyer b) Advocacy group c) Trained staff member d) Only the physician

c) Trained staff member

If it is your first DUI, as an NCCAOM diplomat a) You need not report it unless there was an injury or loss of life b) You need to report to the NCCAOM only if it involves your state regulatory agency c) You need to report it to the NCCAOM d) You need not report it to NCCAOM as it is non-practice related

c) You need to report it to the NCCAOM

If a patient requests a restriction on disclosing their PHI a) It must be notarized b) The health care provider must agree to it c) The patient cannot restrict disclosure d) It must be in writing

d) It must be in writing

How long should medical records and other forms of documentation be kept? a) 10 years b) 5 years c) Indefinitely d) Varies from state to state

d) Varies from state to state

A patient consent agreement regarding their protected health information (PHI) must be a) Verbal b) Witnessed by a 3rd party c) Digital d) Written

d) Written

You received a subpoena for the release of a patient's medical records. Which action is correct? a) Contact an attorney b) Release the information without a patient waiver c) Even with subpoena, portions of the record can be protected d) A and C

d) A and C

Which of the following is part of a standard release form? a) Pt's dated signature/auth for release b) Addressed to the acupuncturist and identity of patient c) What information is to be released and who is to receive the info d) A, B and C

d) A, B and C

Individually Identifiable Health Information (IIHI) includes a) Diagnoses, procedures, symptoms b) Name, address, phone number, email c) Insurance information such as employer or carrier d) All of these answers

d) All of these answers

Which of the following is TRUE? a) A minor may obtain health care services without the consent of an adult b) A medical practice must require that personal representatives (parents/guardians) of minors comply with the same privacy rules as individuals do c) The personal representative (parent/guardian) can consent to an agreement of confidentiality between the minor and the medical practice d) All of these answers

d) All of these answers

Which of the following is the most accurate about PHI? a) Past, present or future payment information b) Dates for office visits, birth, admission, discharge, death c) Past, present or future physical or mental conditions d) Any information that may be used to identify a patient e) Name, address, social security number, phone, email

d) Any information that may be used to identify a patient

The medical practice should document and maintain records of all disclosures of PHI for reasons other than treatment, payment and health care operations (TPO) for a period of a) Three months b) Unto perpetuity c) Until the death of the patient d) At least 6 years

d) At least 6 years

The patient's written permission to disclose information for uses outside of treatment, payment and health operations is a) Acknowledgment b) Privacy report c) Disclosure d) Authorization

d) Authorization

You disagree with an entry into the medical record made by another member of the health care team but that person stands by their entry. Which of the following actions would you take? a) File an incident report in the medical record b) Make a note in the medical record that you disagree c) No longer personally continue to treat the pt or let other members of the team follow up d) Discuss and resolve the issue verbally and personally w/ him/her or in a peer review setting

d) Discuss and resolve the issue verbally and personally w/ him/her or in a peer review setting

All privacy breaches to PHI must be a) Documented w/ the FPPA (Federal Privacy Protection Agency) b) Reported to the patient c) Reported to state regulators d) Documented and followed up on

d) Documented and followed up on

Which statement is FALSE about employee privacy training? a) New employees should be trained during orientation (effective 4/14/2003) b) Employee privacy training must be documented in the employees personnel file c) Employees are to receive training whenever a change in the privacy law will have an effect upon the performance of their job d) Employee privacy training must be repeated every year

d) Employee privacy training must be repeated every year

The following are HIPAA recommendations except one which is a HIPAA regulation/law. Choose the law. a) Only parties authorized to receive PHI under applicable law and the medical practice's privacy policies should receive PHI via a fax. b) All fax numbers should be confirmed prior to dialing. c) Fax machines should be located away from areas where patients or non-authorized persons may have visual access. d) Except otherwise authorized by law, a written authorization from the patient must be obtained prior to the release of PHI for purposes other than TPO (treatment, payment, health care operations).

d) Except otherwise authorized by law, a written authorization from the patient must be obtained prior to the release of PHI for purposes other than TPO (treatment, payment, health care operations).

An authorization to release protected health information can be revoked a) Only within 60 days of signed authorization b) By telephone request c) It cannot be revoked under any circumstances d) If the requested action has not already taken place

d) If the requested action has not already taken place

Which is NOT true in regards to medical records a) Records should be returned or destroyed after they have served their purpose b) Information about the pt given by phone should have a signed pt release and verification of the recipient c) Info regarding release of records should be maintained in the pts file d) Information about the patient can be sent via email

d) Information about the patient can be sent via email

If you are on probation with both a state and the NCCAOM and the probation period is over: a) The state removes your name, but NCCAOM doesn't b) NCCAOM will remove your name after a 1 year period c) Both NCCAOM and the state remove your name d) NCCAOM removes your name, the state doesn't

d) NCCAOM removes your name, the state doesn't

What agency req's the employer to provide the Hep vaccine to all health professional employees? a) CDC b) FDA c) WHO d) OSHA

d) OSHA

You have made an error in recording your medical notes. Who can make corrections? a) Nurse b) You or assistant c) Anyone you give permission to d) Only you

d) Only you

You receive a medical request for the HIV status of one of your patients. Which of the following statements is true? a) Release the info as it is a sexually transmitted disease that needs to be federally documented b) Fulfill the request as the pt has already signed an informed consent release c) You need to consult w/ your lawyer before releasing such sensitive information d) Patients must consent separately to the release of information regarding HIV status

d) Patients must consent separately to the release of information regarding HIV status

You are treating a famous rock star for substance abuse. The National Enquirer calls you to confirm whether she is a patient being treated for substance abuse. What would you do? a) Deny that she is a patient b) Confirm that she is a patient being treated for a cocaine problem c) State that she is a patient but cannot divulge the reasons for seeing you d) Refuse to deny or confirm that the person is a patient

d) Refuse to deny or confirm that the person is a patient

A physician you have referred your patient to asks for the medical records. Which of the following actions would you not take? a) Log into the chart what, when, and to whom the records were provided b) Get the pt's written permission c) Make a copy of the records to give to the physician d) Transfer or loan the original record to the physician

d) Transfer or loan the original record to the physician

A state regulatory agency has sanctioned an acupuncturist. The acupuncturist then voluntarily forfeits their NCCAOM certificate to avoid the NCCAOM sanctioning process. Which of the following statements is true? a) She can still be sanctioned by the NCCAOM but not have her name published b) The NCCAOM can sanction her only within 30 days after the state issues their finding c) The NCCAOM cannot sanction someone who has forfeited their certificate d) She will be sanctioned by the NCCAOM and have her name published

d) She will be sanctioned by the NCCAOM and have her name published

Who does the medical record belong to? a) The patient b) The doctor c) The state d) The health care provider

d) The health care provider

What is the critical factor for patients filing malpractice claims? a) News reports b) Iatrogenic injury c) Clinical error d) The patient or patient's family

d) The patient or patient's family

The following are HIPAA recommendations EXCEPT one which is a HIPAA regulation/law. Choose the law. a) When a privacy breach has occurred, a medical practice must put appropriate measure to prevent similar occurrences b) The medical practice should have policies to authenticate the recipients and senders of e-mail containing PHI c) Except in emergencies related to patient care, health care providers should not take medical records out of the practice. d) The practice should have a business associate contract with third party vendors who have access to PHI

d) The practice should have a business associate contract with third party vendors who have access to PHI

An acupuncturist rec'd a complaint from their state regulatory agency that is later dismissed. Which of the following statements is true? a) Need not be reported b/c NCCAOM and state regulatory agencies operate as independent entities. b) State agency will report complaint and dismissal to NCCAOM c) As the complaint was dismissed it needs not be reported to NCCAOM d) You will be sanctioned by the NCCAOM if you don't report it to them.

d) You will be sanctioned by the NCCAOM if you don't report it to them.