HITT 1301 Ch. 7-10 Study Guide

Within the context of data security, protecting data privacy means defending or safeguarding:

Access to information

When would PHI loses its status?

After an individual has been deceased more than 50 years

Types of registries

Cancer, trauma, birth defects, diabetes, implant, transplant, immunization, cystic fibrosis, cardiac, chronic disease management and gastroenterology.

In order for Susan to be able to prove negligence, she must be able to prove injury, standard of care, breach of standard of care and which of the following?

Causation

The Registered Health Technician (RHIT) credential is an example of which of the following?

Certification

The individual responsible for ensuring that everyone follows the organization's data security policies and procedures is which of the following?

Chief security officer

Which of the following should be included in a covered entity's notice of privacy practices?

Description with one example of disclosures made for treatment purposes

HIPAA administrative requirements

Designation of privacy officer Standards for Policies and Procedures Privacy training Establishing privacy safeguards

A dietary department donated its old microcomputer to a school. Some old patient data were still on the microcomputer. What controls would have minimized this security breach?

Device and media controls

Which of the following statements about facility directory of patients is true?

Disclosures from the directory need to be included in an accounting of disclosures

Which stage of the litigation process focuses on how strong a case the opposing party has?

Discovery

In Lindsay's lawsuit against her physical therapist, her attorney a) obtained copies of most documents that he requested such as medical records, contracts, e-mail communications, bills, and receipts. However, at trial, Lindsay was surprised to learn that b) several of these documents were not permitted to be considered by the jury as evidence. The concepts associated with a) and b) are which of the following?

Discovery; admissibility

Dr. Smith is being sued by a former patient. At issue is whether the care he provided the patient was consistent with that which would be provided by an ordinary and reasonable physician treating a patient in the plaintiff's condition. The concept in question is whether _____________.

Dr. Smith met the standard of care

A hospital is looking to use something to act as a buffer between two networks. What should be recommended?

Firewall

Under the HIPAA Privacy Rule, which of the following is a covered entity category?

Healthcare clearinghouse

Computer downtime

Healthcare organizations must have backup and downtime procedures in to ensure patient care and business operations can continue in the event of a disruption; for example, if the computer network goes down and data cannot be accessed electronically. Can have planned or unplanned downtime, planned during an upgrade, unplanned during unforeseen disruption such as an electrical outage or hardware failure.

Biggest threat to the security of healthcare data

Humans

The greatest threat category to electronic health information is which of the following?

Humans

Identify a characteristic of the legal health record

It is the record disclosed upon receipt

Which of the following is true of the notice of privacy practices?

It must be posted in a prominent place

The maintenance of health records ______

Is governed by Medicare Conditions of Participation for organizations that treat Medicare and Medicaid patients

Intentional tort

Issue related to the act of injuring or a tort in malpractice.

Which of the following is a true statement about the legal health record?

It includes PHI stored on any medium

Which of the following statements is true of the notice of privacy practices?

It must be provided to every individual at the first time of contact or service within the covered entity

Which of the following statements about a business associate agreement is true?

It requires the business associate to make available records relating to PHI use and disclosure to the HHS.

For HIPAA implementation specifications that are addressable, the covered entity____

Must conduct a risk assessment to determine if the specification is appropriate to its environment

A subpoena should be accompanied by which of the following?

Patient authorization

The American Recovery and Reinvestment Act expanded the definition of business associates to include which of the following?

Patient safety organizations

Components of a valid authorization

Permission from that individual for the information to be disclosed. A specific and meaningful description of the PHI to be used or disclosed The identification of the persons or class of persons authorized to make the use or disclosure of PHI (who do you want to get information from including your own hospital, practice group, etc.) The identification of the persons or class of persons to whom the covered entity is authorized to make the disclosure (what internal or external persons or entities will be getting the information) Description of each purpose for which the specific PHI identified earlier is to be used or disclosed (when individual initiates an authorization for their own purposes, the purpose may be stated as "at the request of the individual.") An expiration date or event (this must be a certain date or an event tied to the individual) The individual's signature and date, and if signed by a personal representative, a description of his or her authority to act for the individual

Locks on computer room doors illustrate a type of _________.

Physical control

Which type of law defines the rights and duties among people and private businesses?

Private law

Security controls

Protect the privacy of data by limiting the access to personal and sensitive information and protecting the data from unauthorized access, use, and disclosure as well as protect the data from unauthorized alteration and destruction. administrative,physical and technical safeguards.

Which of the following is true of the Health Insurance Portability and Accountability Act (HIPAA)

Provides a federal floor for healthcare privacy

Administrateive law is a type of

Public law

Laws are classified as

Public or private

Which of the following types of destruction is appropriate for paper health records?

Pulping

4 purposes for collecting secondary data

Quality, performance, and patient safety. Research. Population health. Administrative.

Congress passes laws, which are then developed by federal agencies to provide a blueprint for carrying out these laws. What do the federal agencies develop?

Regulations

Breach notification

Requires covered entities to notify affected individuals, U.S. Department of Health & Human Services (HHS), and in some cases, the media of a breach of unsecured PHI.

Operation index

Secondary data source arranged in numerical order by the patients procedure codes. (ICD-10-PCS or CPT)

Physician index

Secondary data source listing of cases organized by physician name or physician identification number.

Disease index

Secondary data source. Listing in diagnosis code number order of patients discharged from the healthcare organization during a specific time period. patient identifiable

An employee observes an outside individual putting some computer disks in her purse. The employee does not report this security breach. What security measures should have been in place to minimize this threat?

Security incident procedures

The content of the health record _______

Should facilitate retrieval of data

HIPAA requires that policies and procedures be maintained for a minimum of:

Six years from date of creation or date when last in effect, whichever is later

Which document directs an individual to bring originals or copies of records to court?

Subpoena duces tecum

Critique this statement: According to HIPAA, workforce members include students.

This is a true statement

Facility-specific indexes

This kind of index makes it possible to retrieve specific health records in a variety of ways including by disease, physician, operation, or other data element. Secondary data source

In which of the following instances must patient authorization be obtained prior to disclosure?

To the patient's attorney

"Something you have" is demonstrated by:

Token

A user recently opened a file that they thought would help them with their job but it copied files to unsecured areas of the computer. What type of malware was activated?

Trojan horse

HIM supervisors and managers are internal users of secondary data

True

Primary data source

The health record is considered this because it contains information about a patient that has been documented by the professionals who provided care or services to that patient. An original data source where the data are documented or collected by the provider of care.

Who owns the physical health record

The healthcare provider, physician, or hospital that maintains it

Stacie is writing a health record retention policy. She is taking into account the statute of limitations for malpractice and contract actions in her state. A statute of limitations refers to which of the following?

The period of time in which a lawsuit must be filed

Secondary data may be used to improve the health of an entire human population

True

secondary data may be used to improve the health of an entire human population

True

The breach notification requirement applies toL

Unsecured PHI only

Policies that address how PHI is used inside the organization deal with which of the following?

Use

A laboratory employee forgot his user ID badge at home and uses another lab employee's badge to access the computer system. What controls should have been in place to minimize this security breach?

Workforce security awareness training

Statutes

Written laws enacted by legislatures Form statutory law

Data integrity

data is complete, accurate, consistent, and up to date so the data are reliable.

Notice of Privacy Practices (NPP)

description of a covered entity's principles and procedures related to the protection of patients' health information

Registries

different from indexes in that they contain more extensive data. Index reports can usually be produced using data from the facility's existing databases. Registries often require more extensive data from the patient record. their sole purpose to to collect data from the patient health record and make them available to users Facility or population based registries

Risk analysis

involved in risk management, assessing security threats and vulnerabilities and the likely impact of any vulnerability.

Acession registry

list of cases in a cancer registry in the order in which they were entered.

Medicare Provider Analysis and Review (MEDPAR) File

made of acute care hospital and skilled nursing facility claims data for all Medicare claims. Used for research on topics such as charges for particular types of care and MS-DRGs,

Physical safeguards

refer to the physical protection of information resources from physical damage, loss from natural or other disasters, and theft. This includes protection and monitoring of the workplace, data center, and any type of hardware or supporting information system infrastructure such as wiring closets, cables, and telephone and data lines.

HIPAA data integrity standard

requires organizations to keep documented logs of system access attempts

Clinical privileges

the defined set of services a qualified physician is permitted to perform in that organization such as admitting patients, performing surgeries, or delivering infants.

Collaborative stage data set

•A new standardized staging system •This system uses computer algorithms to describe how far a cancer has spread •After the initial information is collected at the patient's first encounter, information in the registry is updated periodically through the follow-up process

A patient health record is a secondary data source

False

How many days does a covered entity have to respond to an individual's request for access to his or her PHI when the PHI is stored off-site?

60 days

Unsecured PHI

1. PHI not secured through technology or a method specified by the secretary through guidance 2. secured = encryption or destruction

AHIMA's record retention guidelines for adult health records

10 years after the most recent encounter

Under usual circumstances, a covered entity must act on a patient's request to review or copy his or her health information within how many days?

30 days

Who of the following would be considered a member of a hospital's workforce?

A clerk working in the hospital's registration office

National Practitioner Data Bank (NPDB)

A data bank established by the federal government through the 1986 Health Care Quality Improvement Act that contains information on professional review actions taken against physicians and other licensed healthcare practitioners, which healthcare organizations are required to check as part of the credentialing process

Case definition

A method of determining criteria for cases that should be included in a registry

Healthcare Integrity and Protection Data Bank (HIPDB)

A national health care fraud and abuse data collection program established by HIPAA for the reporting and disclosure of certain adverse actions taken against health care providers, suppliers or practitioners.

Covered entity under the HIPAA Privacy Rule

A person or organization that must comply with the HIPAA Privacy Rule. Healthcare providers Health plans Healthcare clearinghouses

Joint Commission

A private, not-for-profit organization that evaluates and accredits hospitals and other healthcare organizations on the basis of predefined performance standards

Abbreviated Injury Scale (AIS)

A set of numbers used in a trauma registry to indicate the nature and severity of injuries by body system

The Agency for Healthcare Research and Quality

AHRQ Most involved in health services research Looks at issues related to the efficiency and effectiveness of the healthcare delivery system, disease protocols, and guidelines for improved disease outcomes.

An employee accesses PHI on a computer system that does not relate to her job functions. What security mechanism should have been implemented to minimize this security breach?

Access controls

The healthcare organization would like to get approval for their cancer program

American College of Surgeon's Commission on Cancer

Which of the following statements is true?

An authorization must contain an expiration date or event

National Cancer Registrars Association (NCRA)

An organization of cancer registry professionals that promotes research and education in cancer registry administration and practice.

Injury Severity Score (ISS)

An overall severity measurement maintained in the trauma registry and calculated from the abbreviated injury scores for the three most severe injuries of each patient

Audit trail

Application control, a software program that tracks every single access or attempted access of data in the information system. Logs the name of the individual who accessed the data, terminal location or IP address, the date and time accessed, the type of data, and the action taken.

These are automatic checks that help preserve data confidentiality and integrity.

Application controls

durable power of attorney for health care decisions______

Applies when the individual is no longer competent.

A visitor to the hospital looks at the screen of the admitting clerk's computer workstation when she leaves her desk to copy some admitting documents. What security mechanism would best have minimized this security breach?

Automatic logoff controls

Training that educates employees on the confidential nature of PHI is known as which of the following?

Awareness

If a patient is not asked to sign a general form when entering the hospital, and later sues the hospital for contact that was offensive, harmful, or not otherwise agreed to, what cause of action has the plaintiff most likely included in his lawsuit?

Battery

Elizabeth arrived at the nearest urgent care facility after being bitten by her cat, Felix. The physician examined her and gave her a tetanus shot. Based on these facts, a physician-patient relationship has _________.

Been created by implied contract

The designated record set includes which of the following?

Billing records

Error in the health record should be which of the following?

Corrected by drawing a single line in ink through the incorrect entry

Certified Tumor Registrar (CTR)

Credential for a cancer registrar achieved by passing an examination provided by the National Board for Certification of Registrars (NBCR); eligibility requirements for the certification examination include a combination of experience and education

Metadata are which of the following? a. Found in personal health records only b. Data about data c. Found in paper records only d. A patient's billing records

Data about data

Secondary data sources

Data derived from the primary health record, such as an index or a database. Can be patient identifiable.

Aggregate data

Data extracted from individual health records and combined to form de-identified information about groups of patients that can be compared and analyzed

U.S. Constitution

Defines and sets forth the powers of the 3 branches of the federal government Legislative branch- creates statutory law(Medicare & HIPAA Executive branch- enforces the law (CMS and HHS enforce Medicare laws) Judicial branch- court system, interprets laws passed by legislative.

An admission coordinator consistently enters the wrong patient gender while entering data in the MPI. What security measures should be in place to minimize this security breach

Edit checks

Threats to data security are most likely to come from which of the following?

Employees

The first and most fundamental strategy for minimizing security threats is to:

Establish a secure organization

A visitor walks through the computer department and picks up a CD from an employee's desk. What security controls should have been implemented to prevent this security breach?

Facility access controls

An employee in the physical therapy department arrives early every morning to snoop through the clinical information system for potential information about neighbors and friends. What security mechanisms should have been implemented that could minimize this security breach?

Facility access controls (information access controls)

In which of the following situations can PHI be disclosed without authorization, as long as there was an opportunity for the individual to agree or object?

Facility directory disclosures

A patient health record contains aggregate data

False

Which of the following statements is true regarding HIPAA security?

HIPAA allows flexibility in the way an institution implements the security standards.

Centers for Disease Control and Prevention (CDC)

Has national standards regarding the completeness, timeliness, and quality of cancer registry data from stat registries through the National Program of Cancer Registries (NPCR)

The length of time health information is retained ______________.

Must account for state retention laws, if they exist

Patient data such as name, age, and address are known as:

Identification data

A covered entity may deny an individual's amendment request for which of the following reasons?

If the PHI in question is not part of the designated record set

Plaintiff

Initiates a lawsuit by filing a complaint in court.

Data security includes protecting data availability, privacy, and ____

Integrity

Users of healthcare secondary data

Internal users-individuals located within the healthcare organization External users-individuals and institutions outside the healthcare organization.

A physician-patient relationship

Is established by contract

Jeremiah files a medical malpractice lawsuit against Dr. Watson, who performed his surgery. He names no other defendants in the lawsuit. Dr. Watson files a complaint against his assistant surgeon, Dr. Crick. By doing this, Dr. Watson has completed which legal action? a. Counterclaim b. Crossclaim c. Default judgment d. Joinder

Joinder

Which of the following is a public interest and benefit exception to the authorization requirement?

Judicial and administrative proceedings

A courts legal authority to make decisions is called

Jurisdiction

Under the HIPAA Privacy Rule, an impermissible use or disclosure should be presumed to be a breach unless the covered entity or business associate demonstrates that the probability the PHI has been compromised is _____

Low

Administrative safeguards include policies and procedures that address which of the following regarding computer resources?

Management

Disclosure of health information without the patient's authorization _____________.

May be required by specific state statutes

The HIPAA Privacy Rule requires that covered entities limit use, access, and disclosure of PHI to the least amount necessary to accomplish the intended purpose. What concept is this?

Minimum necessary

National Center for Health Statistics (NCHS)

Nation's primary statistics organization; it works to compile, analyze, and disseminate information on the nation's health to influence and guide health policy and practice in a manner that best serves the population..

In court, hearsay is generally ____________.

Non-admissible

Alex fell from a tree and was taken to the emergency room. The physician did a physical exam and diagnosed Alex with contusions. In fact, Alex suffered a punctured lung that would have been detected by a radiologic image. In this case, the physician committed which of the following?

Nonfeasance

What type of negligence would apply when a physician does not order the necessary test?

Nonfeasance

Which of the following indexes would be used if a physician wanted to conduct a study on patients who had a C-section?

Operation Index

North American Association of Central Cancer Registries (NAACCR)

Organization that has a certification program for state population-based registries.

American College of Surgeons (ACS) Commission on Cancer

Organization that has developed an approval processes for cancer programs

Rights given to patients by HIPAA

The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form. Health insurers and providers who are covered entities must comply with your right to: Ask to see and get a copy of your health records Have corrections added to your health information Receive a notice that tells you how your health information may be used and shared Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing Get a report on when and why your health information was shared for certain purposes If you believe your rights are being denied or your health information isn't being protected, you can File a complaint with your provider or health insurer

A child's health record should be retained for how long?

The age of majority plus the statute of limitation

Which of the following is true about a facility's patient directory?

The covered entity must inform the individual of the information to be included in the facility directory

Licensure

a designation given to an individual or an organization by a governmental agency or board that gives the individual permission to practice, or the healthcare organization to operate, within a certain field of practice.

Network control

a method of protecting data from unauthorized change and corruption at rest and during transmission among information systems.

Health Information Exchange (HIE)

a network that enables the sharing of health-related information among provider organizations according to nationally recognized standards

Acession number

a number unique to the patient, when a case is first entered in the registry

Business continuity plan

a program that incorporates policies and procedures for continuing business operations during a computer system shutdown

Traumatic injury

a would or other injury caused by an external physical force such as a motor vehicle crash, a gunshot wound, a stabbing or a fall.

Context-based

access control (CBAC), an access control system that limits users to accessing information not only in accordance with their identity and role, but to the location and time in which they are accessing the information.

Policies are which type of safeguards?

administrative

Retention guidelines for diagnostic images (ex. x-rays)

adults - 5 years miors - 5 years after the age of majority

Case finding

after the cases to be included are identified; a method used to identify the patients who have been seen or treated in the healthcare organization for the specific disease or condition of interest to the registry.

Patient consent

agreement to recieve medical treatment. general consent-routine treatment informed consent-basic understanding

Defendant

an individual, company, or institution sued or accused in a court of law by the plaintiff.

National Library of Medicine (NLM)

biomedical library that maintains and makes available a vast amount of print collections and produces electronic information resources on a wide range of topics

Disease registries

collections of secondary data related to patients with a specific diagnosis, condition, or procedure.

HIPAA Privacy Rule

one of the key federal regulations that governs the protection of protected health information. establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.

AHIMA's record retention guidelines for the master patient index

permanently

Patient identifiable data

the patient is identified within the data either by name, address, date of birth, or social security number or other government issued identification.