Practice Quiz 9.1 (RHIA & RHIT)
Identify an example of a security incident. An employee took home a laptop with unsecured PHI. A handheld device was left unattended on the crash cart in the hall for 10 minutes. A hacker accessed PHI from off site. Temporary employees were not given individual passwords.
A hacker accessed PHI from off site
You have been asked to provide an example of a trigger that might be used to reduce auditing. The example you should provide is: A patient and user have the same last name. A patient has not signed his or her notice of privacy practices. A nurse is caring for a patient and reviews the patient's record. The patient is a Medicare patient.
A patient and user have the same last name
The patient was admitted and discharged before a notice of privacy practices could be provided to him. The proper action to take is: Send someone to the patient's home to get the patient to sign for receipt. Mail the notice of privacy practices to the patient. Ask the patient to come back within 72 hours to sign the document. Give the patient the notice on the next visit.
Mail the notice of privacy practices to the patient.
Mary processed a request for information and mailed it out last week. Today, the requestor, an attorney, called and said that all of the requested information was not provided. Mary pulls the documentation, including the authorization and what was sent. She believes that she sent everything that was required based on what was requested. She confirms this with her supervisor. The requestor still believes that some extra documentation is required. Given the above information, identify the true statement.
Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule.
The physician office you go to has a data integrity issue. This means that: Someone in the practice has released information inappropriately. There has been unauthorized alteration of patient information. The user's access has not been defined. A break-in attempt has been identified.
There has been unauthorized alteration of patient information
Alisa has trouble remembering her password. She taped the password to the bottom of her keyboard. As the chief privacy officer, your appropriate response is: A better place would be somewhere in your desk. Use something like your daughter's name so that you will remember and not need to write it down. This is inappropriate and must be removed. Great idea!
This is inappropriate and must be removed
You have been given some data. The patient's name, address, social security number have all been removed. It does include the patient's account number. Identify the true statement. This data is aggregate data. This is not de-identified information, because it is possible to identify the patient. This is de-identified information because the patient's name and Social Security number are not included in the data. This information is a limited data set.
This is not de-identified information, because it is possible to identify the patient.
You are asked by an HIM student to provide him or her an example of an administrative safeguard under the security rule. The appropriate response is monitoring traffic on the network. monitoring the computer access activity of the user. assigning unique identifiers. encryption.
Write the patient and tell him that you will need a 30-day extension. --- HIPAA requires patient notification of a delay in providing PHI to be in writing
The physician's office has set the information systems to automatically log out after 5 minutes of inactivity. This falls under cryptography. administrative safeguard requirements. physical safeguards. access control.
access control.
The coder logs into the EHR and she is able to access some data and perform some functions. The process of determining what data and functions she has access to is known as notification. authentication. authorization. access control.
authentication --- Authentication is the process of determining what data a user has access to and what they can do with it. --- Authorization is a term used to describe the document signed by the patient to release health information. --- Notification is the term used when telling the patient and other required parties of a privacy breach. --- Access control is the term used regarding who can log-in to an information system.
The three components of a data security program are confidentiality, integrity, and authentication. validity. protection. availability.
availability. --- The three components of a security plan are confidentiality, integrity, and availability.
The chief security officer has recommended a security measure that utilizes fingerprints or retina scans. He recommended encryption. biometrics. audit trail. authentication.
biometrics
When developing the security plan, the plan must address the records subject to the security rule. This would include paper health records. X-ray films stored in radiology. cancer registry. faxed records.
cancer registry
Identify the information that can be released without patient authorization. de-identified health information. designated record set. summary of patient care for the latest discharge. protected health information.
de-identified health information
You have been asked to provide examples of technical security measures. Identify what you would include in your list of examples. encryption. locked doors. minimum necessary. training.
encryption
You are writing the policy that will be used to determine a valid authorization. You are basing the policy on the HIPAA Privacy Rule. The policy will require the authorizations to have a(n) statement regarding release of psychiatric information. expiration date. Social Security number. statement that the PHR is subject to privacy rule.
expiration date.
The HIPAA security rule term for instructions on how to comply with security standards is known as access control. safeguards. implementation specification. validation.
implementation specification
The company's policy states that audit logs, access reports, and security incident reports should be reviewed daily. This review is known as a(n) information system activity review. risk analysis. data criticality analysis. workforce clearinghouse.
information system activity review
I have been asked if I want to be in the facility directory. The admission clerk explains that if I am in the facility directory, my condition can be released to the news media. my condition can be discussed with any caller in detail. my friends and family can find out my room number. my condition can be released to hospital staff only.
my friends and family can find out my room number
Identify the requester that requires patient authorization before releasing PHI. the public health department. a business associate. the nurse caring for the patient. patient's attorney.
patient's attorney
Identify the disclosure that would require patient authorization. workers' compensation. public health activities. law enforcement activities. release to patient's family.
release to patient's family
Your job is to determine the health information subject to the HIPAA Security Rule. The document that you identify is paper medical record. document faxed to the facility. copy of discharge summary. scanned operative report stored on CD.
scanned operative report stored on CD --- The HIPAA Security Rule applies only to electronic protected health information. Fax is not considered to be electronic protected health information.
Bob submitted his resignation from Coastal Hospital. His last day is today. He should no longer have access to the EHR and other information systems as of 5:00 PM today. The removal of his information system privileges is known as isolating access. terminating access. sanction policy. password management.
terminating access
The coder reviewed 10 patients' health records in order to assign diagnosis and procedure codes. Identify the term used for this practice. discovery. release. use. disclosure.
use