HITT 1301 Ch. 7-10 Study Guide
Within the context of data security, protecting data privacy means defending or safeguarding:
Access to information
When does PHI lose its status?
After an individual has been deceased more than 50 years
Types of registries
Cancer, trauma, birth defects, diabetes, implant, transplant, immunization, cystic fibrosis, cardiac, chronic disease management and gastroenterology.
In order for Susan to be able to prove negligence, she must be able to prove injury, standard of care, breach of standard of care and which of the following?
Causation
The Registered Health Technician (RHIT) credential is an example of which of the following?
Certification
The individual responsible for ensuring that everyone follows the organization's data security policies and procedures is which of the following?
Chief security officer
Which of the following should be included in a covered entity's notice of privacy practices?
Description with one example of disclosures made for treatment purposes
HIPAA administrative requirements
Designation of a privacy officer; standards for policies and procedures; privacy training; establishing privacy safeguards
A dietary department donated its old microcomputer to a school. Some old patient data were still on the microcomputer. What controls would have minimized this security breach?
Device and media controls
Which of the following statements about facility directory of patients is true?
Disclosures from the directory need to be included in an accounting of disclosures
Which stage of the litigation process focuses on how strong a case the opposing party has?
Discovery
In Lindsay's lawsuit against her physical therapist, her attorney a) obtained copies of most documents that he requested such as medical records, contracts, e-mail communications, bills, and receipts. However, at trial, Lindsay was surprised to learn that b) several of these documents were not permitted to be considered by the jury as evidence. The concepts associated with a) and b) are which of the following?
Discovery; admissibility
Dr. Smith is being sued by a former patient. At issue is whether the care he provided the patient was consistent with that which would be provided by an ordinary and reasonable physician treating a patient in the plaintiff's condition. The concept in question is whether _____________.
Dr. Smith met the standard of care
A hospital is looking to use something to act as a buffer between two networks. What should be recommended?
Firewall
Under the HIPAA Privacy Rule, which of the following is a covered entity category?
Healthcare clearinghouse
Computer downtime
Healthcare organizations must have backup and downtime procedures in place to ensure that patient care and business operations can continue in the event of a disruption; for example, if the computer network goes down and data cannot be accessed electronically. Downtime can be planned or unplanned: planned during an upgrade, unplanned during an unforeseen disruption such as an electrical outage or hardware failure.
Biggest threat to the security of healthcare data
Humans
The greatest threat category to electronic health information is which of the following?
Humans
Identify a characteristic of the legal health record
It is the record disclosed upon receipt
Which of the following is true of the notice of privacy practices?
It must be posted in a prominent place
The maintenance of health records ______
Is governed by Medicare Conditions of Participation for organizations that treat Medicare and Medicaid patients
Intentional tort
Issue related to the act of injuring or a tort in malpractice.
Which of the following is a true statement about the legal health record?
It includes PHI stored on any medium
Which of the following statements is true of the notice of privacy practices?
It must be provided to every individual at the first time of contact or service within the covered entity
Which of the following statements about a business associate agreement is true?
It requires the business associate to make available records relating to PHI use and disclosure to the HHS.
For HIPAA implementation specifications that are addressable, the covered entity____
Must conduct a risk assessment to determine if the specification is appropriate to its environment
A subpoena should be accompanied by which of the following?
Patient authorization
The American Recovery and Reinvestment Act expanded the definition of business associates to include which of the following?
Patient safety organizations
Components of a valid authorization
1. Permission from that individual for the information to be disclosed. 2. A specific and meaningful description of the PHI to be used or disclosed. 3. The identification of the persons or class of persons authorized to make the use or disclosure of PHI (who you want to get information from, including your own hospital, practice group, etc.). 4. The identification of the persons or class of persons to whom the covered entity is authorized to make the disclosure (what internal or external persons or entities will be getting the information). 5. A description of each purpose for which the specific PHI identified earlier is to be used or disclosed (when the individual initiates an authorization for their own purposes, the purpose may be stated as "at the request of the individual"). 6. An expiration date or event (this must be a certain date or an event tied to the individual). 7. The individual's signature and date, and if signed by a personal representative, a description of his or her authority to act for the individual.
Locks on computer room doors illustrate a type of _________.
Physical control
Which type of law defines the rights and duties among people and private businesses?
Private law
Security controls
Protect the privacy of data by limiting access to personal and sensitive information and protecting the data from unauthorized access, use, and disclosure, as well as protecting the data from unauthorized alteration and destruction. Administrative, physical, and technical safeguards.
Which of the following is true of the Health Insurance Portability and Accountability Act (HIPAA)
Provides a federal floor for healthcare privacy
Administrative law is a type of
Public law
Laws are classified as
Public or private
Which of the following types of destruction is appropriate for paper health records?
Pulping
4 purposes for collecting secondary data
Quality, performance, and patient safety. Research. Population health. Administrative.
Congress passes laws, which are then developed by federal agencies to provide a blueprint for carrying out these laws. What do the federal agencies develop?
Regulations
Breach notification
Requires covered entities to notify affected individuals, U.S. Department of Health & Human Services (HHS), and in some cases, the media of a breach of unsecured PHI.
Operation index
Secondary data source arranged in numerical order by the patients' procedure codes (ICD-10-PCS or CPT).
Physician index
Secondary data source: a listing of cases organized by physician name or physician identification number.
Disease index
Secondary data source: a listing, in diagnosis code number order, of patients discharged from the healthcare organization during a specific time period. Patient identifiable.
An employee observes an outside individual putting some computer disks in her purse. The employee does not report this security breach. What security measures should have been in place to minimize this threat?
Security incident procedures
The content of the health record _______
Should facilitate retrieval of data
HIPAA requires that policies and procedures be maintained for a minimum of:
Six years from date of creation or date when last in effect, whichever is later
Which document directs an individual to bring originals or copies of records to court?
Subpoena duces tecum
Critique this statement: According to HIPAA, workforce members include students.
This is a true statement
Facility-specific indexes
This kind of index makes it possible to retrieve specific health records in a variety of ways, including by disease, physician, operation, or other data element. A secondary data source.
In which of the following instances must patient authorization be obtained prior to disclosure?
To the patient's attorney
"Something you have" is demonstrated by:
Token
A user recently opened a file that they thought would help them with their job but it copied files to unsecured areas of the computer. What type of malware was activated?
Trojan horse
HIM supervisors and managers are internal users of secondary data
True
Primary data source
The health record is considered this because it contains information about a patient that has been documented by the professionals who provided care or services to that patient. An original data source where the data are documented or collected by the provider of care.
Who owns the physical health record
The healthcare provider, physician, or hospital that maintains it
Stacie is writing a health record retention policy. She is taking into account the statute of limitations for malpractice and contract actions in her state. A statute of limitations refers to which of the following?
The period of time in which a lawsuit must be filed
Secondary data may be used to improve the health of an entire human population
True
The breach notification requirement applies to:
Unsecured PHI only
Policies that address how PHI is used inside the organization deal with which of the following?
Use
A laboratory employee forgot his user ID badge at home and uses another lab employee's badge to access the computer system. What controls should have been in place to minimize this security breach?
Workforce security awareness training
Statutes
Written laws enacted by legislatures; they form statutory law.
Data integrity
Data are complete, accurate, consistent, and up to date, so that the data are reliable.
Notice of Privacy Practices (NPP)
Description of a covered entity's principles and procedures related to the protection of patients' health information.
Registries
Different from indexes in that they contain more extensive data. Index reports can usually be produced using data from the facility's existing databases; registries often require more extensive data from the patient record. Their sole purpose is to collect data from the patient health record and make them available to users. Registries may be facility based or population based.
Risk analysis
Involved in risk management; assessing security threats and vulnerabilities and the likely impact of any vulnerability.
Accession registry
List of cases in a cancer registry in the order in which they were entered.
Medicare Provider Analysis and Review (MEDPAR) File
Made up of acute care hospital and skilled nursing facility claims data for all Medicare claims. Used for research on topics such as charges for particular types of care and MS-DRGs.
Physical safeguards
Refer to the physical protection of information resources from physical damage, loss from natural or other disasters, and theft. This includes protection and monitoring of the workplace, data center, and any type of hardware or supporting information system infrastructure such as wiring closets, cables, and telephone and data lines.
HIPAA data integrity standard
Requires organizations to keep documented logs of system access attempts.
Clinical privileges
The defined set of services a qualified physician is permitted to perform in that organization, such as admitting patients, performing surgeries, or delivering infants.
Collaborative stage data set
• A new standardized staging system
• This system uses computer algorithms to describe how far a cancer has spread
• After the initial information is collected at the patient's first encounter, information in the registry is updated periodically through the follow-up process
A patient health record is a secondary data source
False
How many days does a covered entity have to respond to an individual's request for access to his or her PHI when the PHI is stored off-site?
60 days
Unsecured PHI
1. PHI not secured through technology or a method specified by the Secretary through guidance. 2. Secured = encryption or destruction.
AHIMA's record retention guidelines for adult health records
10 years after the most recent encounter
Under usual circumstances, a covered entity must act on a patient's request to review or copy his or her health information within how many days?
30 days
Who of the following would be considered a member of a hospital's workforce?
A clerk working in the hospital's registration office
National Practitioner Data Bank (NPDB)
A data bank established by the federal government through the 1986 Health Care Quality Improvement Act that contains information on professional review actions taken against physicians and other licensed healthcare practitioners, which healthcare organizations are required to check as part of the credentialing process
Case definition
A method of determining criteria for cases that should be included in a registry
Healthcare Integrity and Protection Data Bank (HIPDB)
A national health care fraud and abuse data collection program established by HIPAA for the reporting and disclosure of certain adverse actions taken against health care providers, suppliers or practitioners.
Covered entity under the HIPAA Privacy Rule
A person or organization that must comply with the HIPAA Privacy Rule: healthcare providers, health plans, and healthcare clearinghouses.
Joint Commission
A private, not-for-profit organization that evaluates and accredits hospitals and other healthcare organizations on the basis of predefined performance standards
Abbreviated Injury Scale (AIS)
A set of numbers used in a trauma registry to indicate the nature and severity of injuries by body system
The Agency for Healthcare Research and Quality
AHRQ. Most involved in health services research; looks at issues related to the efficiency and effectiveness of the healthcare delivery system, disease protocols, and guidelines for improved disease outcomes.
An employee accesses PHI on a computer system that does not relate to her job functions. What security mechanism should have been implemented to minimize this security breach?
Access controls
The healthcare organization would like to get approval for their cancer program
American College of Surgeons Commission on Cancer
Which of the following statements is true?
An authorization must contain an expiration date or event
National Cancer Registrars Association (NCRA)
An organization of cancer registry professionals that promotes research and education in cancer registry administration and practice.
Injury Severity Score (ISS)
An overall severity measurement maintained in the trauma registry and calculated from the abbreviated injury scores for the three most severe injuries of each patient
Audit trail
An application control: a software program that tracks every single access or attempted access of data in the information system. Logs the name of the individual who accessed the data, the terminal location or IP address, the date and time accessed, the type of data, and the action taken.
These are automatic checks that help preserve data confidentiality and integrity.
Application controls
A durable power of attorney for health care decisions ______
Applies when the individual is no longer competent.
A visitor to the hospital looks at the screen of the admitting clerk's computer workstation when she leaves her desk to copy some admitting documents. What security mechanism would best have minimized this security breach?
Automatic logoff controls
Training that educates employees on the confidential nature of PHI is known as which of the following?
Awareness
If a patient is not asked to sign a general form when entering the hospital, and later sues the hospital for contact that was offensive, harmful, or not otherwise agreed to, what cause of action has the plaintiff most likely included in his lawsuit?
Battery
Elizabeth arrived at the nearest urgent care facility after being bitten by her cat, Felix. The physician examined her and gave her a tetanus shot. Based on these facts, a physician-patient relationship has _________.
Been created by implied contract
The designated record set includes which of the following?
Billing records
Error in the health record should be which of the following?
Corrected by drawing a single line in ink through the incorrect entry
Certified Tumor Registrar (CTR)
Credential for a cancer registrar achieved by passing an examination provided by the National Board for Certification of Registrars (NBCR); eligibility requirements for the certification examination include a combination of experience and education
Metadata are which of the following? a. Found in personal health records only b. Data about data c. Found in paper records only d. A patient's billing records
Data about data
Secondary data sources
Data derived from the primary health record, such as an index or a database. Can be patient identifiable.
Aggregate data
Data extracted from individual health records and combined to form de-identified information about groups of patients that can be compared and analyzed
U.S. Constitution
Defines and sets forth the powers of the three branches of the federal government. Legislative branch: creates statutory law (Medicare and HIPAA). Executive branch: enforces the law (CMS and HHS enforce Medicare laws). Judicial branch: the court system; interprets laws passed by the legislative branch.
An admission coordinator consistently enters the wrong patient gender while entering data in the MPI. What security measures should be in place to minimize this security breach
Edit checks
Threats to data security are most likely to come from which of the following?
Employees
The first and most fundamental strategy for minimizing security threats is to:
Establish a secure organization
A visitor walks through the computer department and picks up a CD from an employee's desk. What security controls should have been implemented to prevent this security breach?
Facility access controls
An employee in the physical therapy department arrives early every morning to snoop through the clinical information system for potential information about neighbors and friends. What security mechanisms should have been implemented that could minimize this security breach?
Facility access controls (information access controls)
In which of the following situations can PHI be disclosed without authorization, as long as there was an opportunity for the individual to agree or object?
Facility directory disclosures
A patient health record contains aggregate data
False
Which of the following statements is true regarding HIPAA security?
HIPAA allows flexibility in the way an institution implements the security standards.
Centers for Disease Control and Prevention (CDC)
Has national standards regarding the completeness, timeliness, and quality of cancer registry data from state registries through the National Program of Cancer Registries (NPCR).
The length of time health information is retained ______________.
Must account for state retention laws, if they exist
Patient data such as name, age, and address are known as:
Identification data
A covered entity may deny an individual's amendment request for which of the following reasons?
If the PHI in question is not part of the designated record set
Plaintiff
Initiates a lawsuit by filing a complaint in court.
Data security includes protecting data availability, privacy, and ____
Integrity
Users of healthcare secondary data
Internal users: individuals located within the healthcare organization. External users: individuals and institutions outside the healthcare organization.
A physician-patient relationship
Is established by contract
Jeremiah files a medical malpractice lawsuit against Dr. Watson, who performed his surgery. He names no other defendants in the lawsuit. Dr. Watson files a complaint against his assistant surgeon, Dr. Crick. By doing this, Dr. Watson has completed which legal action? a. Counterclaim b. Crossclaim c. Default judgment d. Joinder
Joinder
Which of the following is a public interest and benefit exception to the authorization requirement?
Judicial and administrative proceedings
A court's legal authority to make decisions is called:
Jurisdiction
Under the HIPAA Privacy Rule, an impermissible use or disclosure should be presumed to be a breach unless the covered entity or business associate demonstrates that the probability the PHI has been compromised is _____
Low
Administrative safeguards include policies and procedures that address which of the following regarding computer resources?
Management
Disclosure of health information without the patient's authorization _____________.
May be required by specific state statutes
The HIPAA Privacy Rule requires that covered entities limit use, access, and disclosure of PHI to the least amount necessary to accomplish the intended purpose. What concept is this?
Minimum necessary
National Center for Health Statistics (NCHS)
The nation's primary statistics organization; it works to compile, analyze, and disseminate information on the nation's health to influence and guide health policy and practice in a manner that best serves the population.
In court, hearsay is generally ____________.
Non-admissible
Alex fell from a tree and was taken to the emergency room. The physician did a physical exam and diagnosed Alex with contusions. In fact, Alex suffered a punctured lung that would have been detected by a radiologic image. In this case, the physician committed which of the following?
Nonfeasance
What type of negligence would apply when a physician does not order the necessary test?
Nonfeasance
Which of the following indexes would be used if a physician wanted to conduct a study on patients who had a C-section?
Operation Index
North American Association of Central Cancer Registries (NAACCR)
Organization that has a certification program for state population-based registries.
American College of Surgeons (ACS) Commission on Cancer
Organization that has developed an approval processes for cancer programs
Rights given to patients by HIPAA
The Privacy Rule, a federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral. The Security Rule is a federal law that requires security for health information in electronic form. Health insurers and providers who are covered entities must comply with your right to: ask to see and get a copy of your health records; have corrections added to your health information; receive a notice that tells you how your health information may be used and shared; decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing; and get a report on when and why your health information was shared for certain purposes. If you believe your rights are being denied or your health information isn't being protected, you can file a complaint with your provider or health insurer.
A child's health record should be retained for how long?
The age of majority plus the statute of limitation
Which of the following is true about a facility's patient directory?
The covered entity must inform the individual of the information to be included in the facility directory
Licensure
A designation given to an individual or an organization by a governmental agency or board that gives the individual permission to practice, or the healthcare organization permission to operate, within a certain field of practice.
Network control
A method of protecting data from unauthorized change and corruption at rest and during transmission among information systems.
Health Information Exchange (HIE)
A network that enables the sharing of health-related information among provider organizations according to nationally recognized standards.
Accession number
A number unique to the patient, assigned when a case is first entered in the registry.
Business continuity plan
A program that incorporates policies and procedures for continuing business operations during a computer system shutdown.
Traumatic injury
A wound or other injury caused by an external physical force such as a motor vehicle crash, a gunshot wound, a stabbing, or a fall.
Context-based access control (CBAC)
An access control system that limits users to accessing information not only in accordance with their identity and role, but also according to the location and time in which they are accessing the information.
Policies are which type of safeguards?
Administrative
Retention guidelines for diagnostic images (ex. x-rays)
Adults: 5 years. Minors: 5 years after the age of majority.
Case finding
Done after the cases to be included have been defined; a method used to identify the patients who have been seen or treated in the healthcare organization for the specific disease or condition of interest to the registry.
Patient consent
Agreement to receive medical treatment. General consent: routine treatment. Informed consent: basic understanding.
Defendant
An individual, company, or institution sued or accused in a court of law by the plaintiff.
National Library of Medicine (NLM)
Biomedical library that maintains and makes available a vast amount of print collections and produces electronic information resources on a wide range of topics.
Disease registries
Collections of secondary data related to patients with a specific diagnosis, condition, or procedure.
HIPAA Privacy Rule
One of the key federal regulations that governs the protection of protected health information. Establishes national standards to protect individuals' medical records and other personal health information, and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
AHIMA's record retention guidelines for the master patient index
Permanently
Patient identifiable data
The patient is identified within the data by name, address, date of birth, social security number, or other government-issued identification.