RHIA- CH 11-health information privacy and security
Richard has asked to view his medical record. How long does the facility have to provide this record to him?
30 days
The hospital has received a request for an amendment. How long does the facility have in order to accept or deny the request?
30 days
Covered entities must retain documentation of their security policies for at least:
6 years from the date when last in effect.
The hospital has received a request for an amendment. How long does the facility have in order to accept or deny the request?
60 days
The authorization document must be easy to understand and must include the following:
- A description of the information to be used or disclosed - The name or other specific identification of the persons authorized to use or disclose the information - The name of the persons or group to whom the covered entity may make the use or disclosure - A description of each purpose of the requested use or disclosure - An expiration date - The signature of the individual (or authorized representative) and the date
The HIPPA legislation was designed for?
- Ensure the portability of insurance coverage as employees moved from job to job - Increase accountability and decrease fraud and abuse in health care - Improve the efficiency of health care transactions and mandate standards for health information - Ensure the security and privacy of health information
The Privacy Rule says that covered entities must:
- Have privacy policies and procedures that are appropriate for their health care services - Notify patients about their privacy rights and how their information can be used or disclosed - Train employees so that they understand the privacy practices - Appoint a privacy official responsible for seeing that the privacy policies and procedures are implemented - Safeguard patients' records
In addition, the rule states that a valid authorization must include statements:
- Of the individual's right to revoke the authorization in writing - About whether the covered entity is able to base treatment, payment, enrollment, or eligibility for benefits on the authorization - That information used or disclosed after the authorization may be disclosed again by the recipient and may no longer be protected by the rule
Covered entities must comply with a number of requirements, including:
- Possessing a set of privacy practices that are appropriate for their health care services - Notifying patients about their privacy rights and how their information can be used or disclosed - Training employees so that they understand the privacy practices - Appointing a member of the staff to be the privacy official responsible for seeing that the privacy practices are implemented - Keeping patients' records safe and secure
The HIPAA Privacy Rule also provides significant rights to patients, what are these rights?
- Receive a written notice of information practices - Ask to access, inspect, and obtain a copy of their PHI - Request an accounting of disclosures - Request amendment of records - Request restrictions on uses and disclosures of their PHI - Receive accommodation of reasonable alternate communications request - File a complaint about violation with the organization or with the Office for Civil Rights (OCR) in the Department of Health and Human Services
A patient authorizes Hospital A to send a copy of a discharge summary for the latest hospitalization to Hospital B. Hospital B uses the discharge summary in the patient's care and files it in the medical record. When Hospital B receives a request for records, a copy of Hospital A's discharge summary is sent. This is an example of: A. a privacy violation. B. redisclosure. C. satisfactory assurance. D. inappropriate release.
B. redisclosure.
You are looking for potential problems and violations of the privacy rule. What is this security management process called? A. policy assessment. B. risk assessment. C. compliance audit. D. none of the above.
B. risk assessment
Cindy, Tiffany, and LaShaundra are all nurses at Sandyshore Health Care. They all have access to the same functions in the information system. It is likely that this facility is using: A. user-based access. B. role-based access. C. DAC. D. MAC.
B. role-based access.
Encryption, access control, emergency access to records, and biometrics are examples of: A. transmission security. B. technical security. C. a security incident. D. telecommunications.
B. technical security.
The HIPAA technology rule does not require specific technologies to be used but rather provides direction on the outcome. The term used to describe this philosophy is: A. technology free. B. technology neutral. C. administrative rules. D. generic technology.
B. technology neutral.
Which of the following is an example of a security incident? A. Temporary employees were not given individual passwords. B. An employee took home a laptop with unsecured PHI. C. A handheld device was left unattended on the crash cart in the hall for 10 minutes. D. A hacker accessed PHI from off site.
C. A handheld device was left unattended on the crash cart in the hall for 10 minutes.
Which of the following statements is true about a requested restriction? A. ARRA mandates that a CE must comply with a requested restriction. B. ARRA states that a CE does not have to agree to a requested restriction. C. ARRA mandates that a CE must comply with a requested restriction unless it meets one of the exceptions. D. ARRA does not address restrictions to PHI.
C. ARRA mandates that a CE must comply with a requested restriction unless it meets one of the exceptions.
(special permission) permission to use and disclose information for uses other than TPO.
Authorization
______ must be obtained for uses and disclosures other than for TPO.
Authorization
Which of the following techniques would a facility employ for access control?
Automatic log-off Unique user identification
Which of the following techniques would a facility employ for access control? 1. Automatic logoff 2. Passwords 3. Token 4. Unique user identification A. 1 and 4 B. 1 and 2 only C. 2 and 4 only D. all of the above
B 1. Automatic logoff 2. Passwords
Margaret has signed an authorization to release information regarding her ER visit for a fractured finger to her attorney. Specifically, she says to release the ER history and physical, x-rays, and any procedure notes for finger fracture. Which of the following violates her privacy? A. Release of face sheet used in ER as a history B. X-ray of chest C. X-ray of finger D. Documentation of suturing of finger
B The chest x-ray has no bearing on the finger fracture.
Richard has asked to view his medical record. The record is stored off-site. How long does the facility have to provide this record to him? A. 30 days B. 60 days C. 14 days D. 10 days
B. 60 days
You have been asked to provide examples of technical security measures. Which of the following would you add to your list of examples? A. Locked doors B. Automatic logout C. Minimum necessary D. Training
B. Automatic logout
The quality or state of being hidden from, or undistributed by, the observation or activities of other persons. It is also freedom from unauthorized instrusion, The right of a patient to control disclosure of certain information.
Privacy
What is one of Americans' civil rights?
Privacy
What type of digital signature uses encryption? A. Digitized signature B. Electronic signature C. Digital signature D. Encryption is not a part of digital signatures
C. Digital signature
You are evaluating what makes up the designated record set for South Beach Healthcare Center. Which of the following would be included? A. Quality reports B. Psychotherapy notes C. Discharge summary D. Information compiled for use in civil hearing
C. Discharge summary
Critique this statement. ARRA eliminated the accounting of disclosure. A. True statement. B. False statement. ARRA eliminated the TPO exception. C. False statement. ARRA eliminated the TPO exception when the CE utilizes an EHR. D. False statement. ARRA did not address the accounting of disclosure.
C. False statement. ARRA eliminated the TPO exception when the CE utilizes an EHR.
Which of the following is a true statement regarding psychotherapy notes? A. Patients have open access to psychotherapy notes. B. Psychotherapy notes are never intended to be shared with anyone. C. Psychotherapy notes cannot be used in defending oneself in a court case. D. Psychotherapy notes are to be destroyed after one year because of their confidential nature.
B. Psychotherapy notes are never intended to be shared with anyone.
Which of the following statements is true? A. Records retained by a business associate are not part of the designated record set. B. Records retained by a business associate are a part of the designated record set. C. Shadow records are those utilized by the business associate and are therefore part of the designated record set. D. Shadow records are those utilized by the business associate and are therefore not part of the designated record set.
B. Records retained by a business associate are a part of the designated record set.
You are writing a policy for the release of information area. This policy will include the requirements for a valid authorization. Which of the following would not be included? A. Expiration B. Request for an accounting of disclosure C. Statement or right to revoke D. Description of information to be disclosed
B. Request for an accounting of disclosure
You have to decide which type of firewall that you want to use in your facility. Which of the following is one of your options? A. Packet filter B. Secure socket layer C. CCOW D. Denial of service
B. Secure socket layer
As Chief Privacy Officer, you have been asked why you are conducting a risk assessment. Which reason would you give? A. Get rid of problem staff B. Change organizational culture C. Prevent breach of confidentiality D. None of the above
C. Prevent breach of confidentiality
Mark is an HIM employee who utilizes six different information systems as part of his job. Each of these has a different password. In order to keep up with the password for each system, Mark has written them all on paper and taped it to the back of his wife's picture on his desk. What technology could be used to eliminate this problem for Mark and other employees in the same situation? A. Role-based access B. User-based access C. SSO D. DAC
C. SSO
You have been assigned the responsibility of performing an audit to confirm that all of the workforce's access is appropriate for their role in the organization. This process is called: A. risk assessment. B. information system activity review. C. workforce clearance procedure. D. information access management.
C. workforce clearance procedure.
The information is shared only among authorized individuals or organizations.
Confidentiality of ePHI
Intentional threats to security could include A. a natural disaster (flood). B. equipment failure (software failure). C. human error (data entry error). D. data theft (unauthorized downloading of files).
D Natural disasters, equipment failure, and human error are usually unintentional threats to security. Data theft is intentional.
Your organization is sending confidential patient information across the Internet using technology that will transform the original data into unintelligible code that can be recreated by authorized users. This technique is called: A. a firewall. B. validity processing. C. a call-back process. D. data encryption.
D. data encryption.
Protected health information includes: A. only electronic individually identifiable health information. B. only paper individually identifiable health information. C. individually identifiable health information in any format stored by a health care provider. D. individually identifiable health information in any format stored by a health care provider or business associate.
D. individually identifiable health information in any format stored by a health care provider or business associate.
You have been asked to explain the purpose of the new security awareness program. Your response is to: A. help staff realize the importance of security. B. remind users of procedures. C. lock down PHI. D. train staff on the security measures related to transmission security and physical security.
D. train staff on the security measures related to transmission security and physical security.
Corporate negligence- established a hospital's responsibility for patient care.
Darling vs. Charleston Community Hospital
Critique this statement: ARRA eliminates the state preemption rule: . A. This is a true statement. B. This is a false statement, as ARRA privacy and security rules are subject to the same state preemption as HIPAA. C. This is a false statement, as HIPAA is still subject to the state preemption rule but ARRA is not. D. This is a false statement, as ARRA is subject to the state preemption rule but HIPAA is not.
B. This is a false statement, as ARRA privacy and security rules are subject to the same state preemption as HIPAA.
You have been given some information that includes the patient's account number. Which statement is true? A. This is de-identified information as the patient's name and social security is not included in the data. B. This is not de-identified information, as it is possible to identify the patient. C. This data is individually identified data. D. This data is a limited data set.
B. This is not de-identified information, as it is possible to identify the patient.
You are walking around the facility to identify any privacy and security issues. You walk onto the 6W nursing unit and are able to watch the nurse entering confidential patient information. How can you best improve the privacy of the patient's health information? A. Ask the nurse to type the data at another computer. B. Turn the computer screen so that the public cannot see it. C. Give the nurse additional training. D. None of the above
B. Turn the computer screen so that the public cannot see it.
A data use agreement is required when A. a complaint has been filed. B. a limited data set is used. C. a notice of disclosure is requested. D. information is provided to a business associate.
B. a limited data set is used.
Your system just crashed. Fortunately, you have established a site that holds computer processors that can be converted to meet our needs quickly. This is a: A. hot site. B. cold site. C. redundant site D. backup site.
B. cold site.
As Chief Privacy Officer for Premier Medical Center, you are responsible for which of the following? A. backing up data B. developing a plan for reporting privacy complaints C. writing policies on protecting hardware D. writing policies on encryption standards
B. developing a plan for reporting privacy complaints
Retail America has started a PHR. According to ARRA, the health information that they store is: A. not protected. B. protected. C. mandated to be de-identified. D. subject to security but not privacy requirements.
B. protected.
The facility can release information to which of the following requesters without a patient authorization?
a court with a court order
Someone accessed the covered entity's electronic health record and sold the information that was accessed. This person is known as which of the following?
a cracker
You have been asked to create a presentation on intentional and unintentional threats. Which of the following should be included in the list of threats you cite?
a patient's Social Security number being used for credit card applications
A patient authorizes Park Hospital to send a copy of a discharge summary for the latest hospitalization to Flowers Hospital. The hospital uses the discharge summary in the patient's care and files it in the medical record. When Flowers Hospital receives a request for records, a copy of Park Hospital's discharge summary is sent. This is an example of
redisclosure.
You are reviewing your privacy and security policies, procedures, training program, and so on, and comparing them to the HIPAA and ARRA regulations. You are conducting a
risk assessment.
You work for a 60-bed hospital in a rural community. You are conducting research on what you need to do to comply with HIPAA. You are afraid that you will have to implement all of the steps that your friend at a 900-bed teaching hospital is implementing at his facility. You continue reading and learn that you only have to implement what is prudent and reasonable for your facility. This is called
scalable.
Encryption, access control, emergency access to records, and biometrics are examples of
technical security
The HIPAA security rule does not require specific technologies to be used but rather provides direction on the outcome. The term used to describe this philosophy is
technology neutral
Bob submitted his resignation from Coastal Hospital. His last day is today. He should no longer have access to the EHR and other systems as of 5:00 PM today. The removal of his privileges is known as
terminating access.
You have been given the responsibility of destroying the PHI contained in the system's old server before it is trashed. What destruction method do you recommend?
degaussing
Our Web site was attacked by malware that overloaded it. What type of malware was this?
denial of service
What type of digital signature uses encryption?
digital signature
You are defining the designated record set for South Beach Healthcare Center. Which of the following would be included?
discharge summary
You are writing a policy on how to document the amendment process. What information should be required by the policy?
documentation of a request, a refusal, and a patient's right to write a statement of disagreement
You have been asked what should be done with the notice of privacy practice acknowledgment when the patient had been discharged before it was signed. Your response is to
try to get it signed, and if not, to document the action taken.
What are the basic types of threats that come from individuals?
- Employees who make unintentional mistakes - Employees who abuse their security priviledges - Outsiders who try to damage or steal information - Employees who hold grudges or make threats
Some of the provisions the HHS was required to establish included:
- National standards for electronic health care transactions - National identifiers for providers, health plan, and employers - Rules to protect the privacy and security of health information, known as the Privacy Rule and the Security Rule
Which of the following examples is an exception to the definition of a breach?
A coder accidently sends PHI to a billing clerk in the same facility.
Which of the following is an example of a security incident?
A hacker accessed PHI from off site.
Which of the following is an example of a trigger that might be used to reduce auditing?
A patient and user have the same last name.
How long, per HITECH, should an accounting of disclosures include disclosures for?
A three year period.
Seeking health records does not have to be signed by the plaintiff and defendant
A valid subpoena duces tecum
Physical safeguards include: 1. Tools to monitor access 2. Tools to control access to computer systems 3. Fire protection 4. Tools preventing unauthorized access to data A. 1 and 2 only B. 1 and 3 only C. 2 and 3 only D. 2 and 4 only
A. 1. Tools to monitor access 2. Tools to control access to computer systems
Robert Burchfield was recently caught accessing his wife's medical record. The system automatically notified the staff of a potential breach due to the same last name for the user and the patient. This was an example of a: A. trigger. B. biometrics. C. telephone callback procedures. D. transmission security.
A. trigger.
Which of the following statements is true about a requested restriction?
ARRA mandates that a CE must comply with a requested restriction unless it meets one of the exceptions.
Administrative actions such as policies & procedures & documentation retention to manage the selection, development, implementation & maintenance of security measures to safeguard ePHI and manage the conduct of the CE or BAs workforce.
Administrative Safeguards
HIPPA Title II on the uniform transfer of electronic health care data and privacy protection.
Administrative Simplification
Which of the following statements are true?
All patients except inmates must be given a notice of privacy practices.
When should patients be given a copy of the NPP?
At the time of their first encounter, and at least every three years thereafter.
Today is August 30, 2014. When can the training records for the HIPAA privacy training being conducted today be destroyed?
August 30, 2020 (6 years)
Today is August 30, 2010. When can the training records for the HIPAA privacy training being conducted today be destroyed? A. August 30, 2015 B. August 30, 2016 C. August 30, 2017 D. August 30, 2018
B. August 30, 2016
You have been given the responsibility of deciding which access control to use. Which of the following is one of your options? A. Audit trail B. Biometrics C. Authentication D. Mitigations
B. Biometrics
You are walking around the facility to identify any privacy and security issues. You walk onto the 6W nursing unit and stand in a public area to look for possible violations. From where you are standing, you see that anyone can watch the nurse entering confidential patient information. You make a note of this. What are you doing? A. Conducting a gap analysis B. Conducting a risk assessment C. Monitoring audit trail D. None of the above
B. Conducting a risk assessment
Ms. Hall has requested that Dr. Moore amend her medical record. He emphatically refused. What type of documentation is required, if any? A. No documentation is required B. Documentation of request and refusal C. Documentation of request D. None of the above
B. Documentation of request and refusal
To ensure that confidential health information is protected once it is exchanged with non-CE, HIPAA requires CEs to enter into contracts with?
Business Associates
entity that works under contract for a covered entity and is therefore subject to the CEs HIPAA policies and procedures.
Business Associates
Rule under which a record is determined to not be hearsay if it was made at or near the time by, or from information transmitted by, a person with knowledge; it was kept in the course of a regularly conducted business activity; and it was the regular activity of business to make the record.
Business Record Exception
Which of the following techniques would a facility employ for access control? 1. automatic logoff 2. authentication 3. integrity controls 4. unique user identification
1 and 4 only
The administrator states that he should not have to participate in privacy and security training as he does not use PHI. How should you respond?
"All employees are required to participate in the training, including top administration."
The police came to the HIM Department today and asked that a patient's right to an accounting of disclosure be suspended for two months. What is the proper response to this request?
"Certainly officer. We will be glad to do that as soon as we have the request in writing."
Which of the following statements demonstrates a violation of protected health information?
"Mary, at work yesterday I saw that Susan had a hysterectomy."
The original HIPAA legislation required adoption of four identifiers: employees, providers, health plans and individuals. Which one is on hold?
Individuals. Employee Identification Number (EIN) National Provider Identifier (NPI) Health Plan Identifier (HPID)
The information is not changed in any way during storage or transmission, is authentic and complete, and can be relied on to be suffieceintly accurate for its purpose.
Integrity of ePHI
Which of the following statements is true about the Privacy Act of 1974?
It applies to the federal government.
Mabel is a volunteer at a hospital. She works at the information desk. A visitor comes to the desk and says that he wants to know what room John Brown is in. What should Mabel do?
Look the patient up to see if John has agreed to be in the directory. If he has, then give the room number to the visitor.
Margaret looked up PHI on her ex-sister-in-law. A routine audit discovered the violation. Which statement is true under ARRA?
Margaret cannot be prosecuted since she is not a covered entity
Mark, a patient of Schnering Hospital, has asked for an electronic copy of his medical record to go to his physician. According to ARRA, what is the CE's obligation to Mark?
Mark has a right to an electronic copy or to have it sent to someone else
A breach has been identified. How quickly must the patient be notified?
No more than 60 days
The Office of Civil Rights; charged with investigating complaints that HIPAA privacy regulations have been violated.
OCR
This purpose includes activities such as tracking and measuring adherence to quality standards, accreditation, staff training, and business planning.
Operations
Providers usually submit claims to health plans on behalf of patients, which involves exchanging demographic and diagnostic information.
Payment
Which of the following is allowed by HIPAA?
Permitting a spouse to pick up medication for the patient
people or organizations that furnish, bill, or are paid for health care in the normal course of business
Providers
Which of the following is a true statement about private key encryption?
Public encryption uses a private and public key. THIS QUESTION HAS AN ERROR!! It should read "Which of the following is a true statement about PUBLIC key encryption?
Is a function of doing business and has a cost associated with it. The HIPAA privacy rule permits reasonable, cost-based charges for labor, postage and supplies involved in copying health information.
Release of Information
You work for an organization that publishes a health information management journal and provides clearinghouse services. What must you do?
Separate the e-PHI from the noncovered entity portion of the organization.
(Federal Physician Self Referral Statute) prohibits physicians ordering services for Medicare patients from entities with which the physician or an immediate family member has a financial relationship.
Stark Law
Under the Privacy Rule, which of the following must be included in a patient accounting of disclosures?
State-mandated report of a sexually transmitted disease. Legislation gives a patient the right to obtain an accounting of disclosures of PHI made by the CE in the 6 years or less prior to the request date. Mandatory public health reporting is not considered part of a CE's operations. As a result, these disclosures must be included in an accounting of disclosures.
Which of the following is a true statement about symmetric encryption?
Symmetric encryption assigns a secret key to data.
treatment, payment, and operations; conditions under which PHI can be released without patient consent.
TPO
Requires CEs to ensure the confidentiality, integrity and availability of ePHI. The Security Rule contains provisions that require CEs to adopt administrative, physical and technical safeguards.
The HIPAA Security Rule
Which database was created to collect information on the legal actions (both civil and criminal) taken against healthcare providers?
The Healthcare Integrity and Protection Data Bank
What federal agency is charged with the responsibility for the oversight and enforcement of the HIPAA Privacy regulations?
The Office of Civil Rights of the Department of Health and Human Services.
Which of the following situations violate a patient's privacy?
The hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples.
The patient calls and has a telephone consultation. Which of the following is true about notice of privacy practices?
The notice of privacy practices can be mailed to the patient.
A patient has submitted an authorization to release information to a physician office for continued care. The release of information clerk wants to limit the information provided because of the minimum necessary rule. What should the supervisor tell the clerk?
The patient is an exception to the minimum necessary rule, so process the request as written.
If the patient has agreed to be in the directory, which of the following statements would be true?
The patient's condition can be described in general terms like "good" and "fair."
John is allowed to delete patients in the EHR. Florence is not. They both have the same role in the organization. What is different?
Their permissions
Critique this statement: A business associate has the right to use a health care facility's information beyond the scope of their agreement with the health care facility.
This is a false statement because it is prohibited by the HIPAA privacy rule.
Barbara, a nurse, has been flagged for review because she logged in to the EHR in the evening when she usually works the day shift. Why should this conduct be reviewed?
This needs to be investigated before a decision is made because there may be a legitimate reason why she logged in at this time.
What are the two parts/titles of the legislation?
Title I - Health Insurance Reform ; Title II - Administrative Simplification Standards
the section of the law that allows individuals to continue health insurance coverage when they change jobs.
Title I Health Insurance Reform
is the section of HIPPA that is important to the discussions in this chapter
Title II Administrative Simplification Standards
Original goal of HIPAA Administrative Simplification?
To standardize the electronic transmission of health data.
Physical safeguards include:
Tools to control access to computer systems Fire protection
This purpose primarily consists of discussion of the patient's case with other providers.
Treatment
Uses a secure tunnel through a public network, usually the internet, to connect remote sites or users. Security procedures include firewalls, encryption, and server authentication.
Virtual Private Network (VPN)
Contingency planning includes which of the following processes? A. Data quality B. Systems analysis C. Disaster planning D. Hiring practices
C. disaster planning
The surgeon comes out to speak to a patient's family. He tells them that the patient came through the surgery fine. The mass was benign and they could see the patient in an hour. He talks low so that the other people in the waiting room will not hear but someone walked by and heard. This is called a(n) : A. privacy breach. B. violation of policy. C. incidental disclosure. D. privacy incident.
C. incidental disclosure.
A covered entity: A. is exempt from the HIPAA privacy and security rules. B. includes all healthcare providers. C. includes healthcare providers who perform specified actions electronically. D. must utilize business associates.
C. includes healthcare providers who perform specified actions electronically.
Which of the following disclosures would require patient authorization? A. law enforcement activities B. workers compensation C. release to patient's attorney D. public health activities
C. release to patient's attorney
Kyle, the HIM Director, has received a request to amend a patient's medical record. The appropriate action for him to take is A. make the modification. B. file the request in the chart. C. route the request to the physician who wrote the note in question. D. return the notice to the patient.
C. route the request to the physician who wrote the note in question to determine appropriateness of the amendment.
HIPAA workforce security requires: A. a criminal background check. B. a two-factor authentication. C. that access to PHI be appropriate. D. the use of card keys.
C. that access to PHI be appropriate.
companies that process health information and execute electronic transactions, such as the submission of insurance claims, on behalf of providers.
Clearinghouses
The most stringent type- takes into account the person attempting to access the data, the type of data being accessed and the context of the transaction in which the access attempt is being made (proper log-in/password, belongs to a specific group, and his/her workstation is located in a specific place within the facility)
Context-based Access
professionals and organizations that normally provide health care and electronically transmit PHI.
Covered Entities (CEs)
The following is a sentence from the notice of privacy practices. What problem do you identify? The party of the first part vows to mitigate breaches should a security incident occur. A. None, because that is the responsibility of a covered entity. B. None, because that is the responsibility of a business associate. C. It is not the responsibility of a covered entity. D. It is not written in plain English.
D The Notice of Privacy must be written in plain English so that it can be understood.
Reporting breaches under ARRA are required of: 1. Covered entities 2. Business associates 3. Non-HIPAA entities A. 1 only B. 1 and 2 only C. 2 and 3 only D. 1, 2, and 3
D. 1, 2, and 3
Which of the following is an example of an intentional activity? A. Hard drive failure. B. Data was deleted by accident. C. Data was lost due to an electrical failure. D. A patient's social security number is used to file for a credit card.
D. A patient's social security number is used to file for a credit card.
When addressing physical security, which of the following should be taken into consideration? A. Natural threats B. Human-made threats C. Damaging nearby activities D. All of the above
D. All of the above
Crystal has received a copy of some documents from her medical record. In the request, she had specifically requested the discharge summary, history and physical, operative report, pathology report, laboratory results, and x-ray reports. The records that she received only included the discharge summary and history and physical. The enclosed letter said that the other documents were not enclosed because of the minimum necessary rule. What should the director tell Crystal when she calls? A. The clerk was appropriate in what was sent. B. The operative report should have been included too. C. The operative report and pathology report should have been included. D. All of the requested information should have been sent because the patient is an exception to the minimum necessary rule.
D. All of the requested information should have been sent because the patient is an exception to the minimum necessary rule.
The HIPAA term for a group of records. And information that includes PHI and is maintained by a covered entity.
Designated Record Set (DRS)
refers to the release of PHI to an outside provider or organization.
Disclosure
A data use agreement is required when
a limited data set is used.
Researchers can access patient information if it is
a limited data set.
When patients are able to obtain a copy of their health record, this is an example of which of the following?
a patient right
The supervisors have decided to give nursing staff access to the EHR. They can add notes, view, and print. This is an example of what?
a workforce clearance procedure
The company's policy states that audit logs, access reports, and security incident reports should be reviewed daily. This review is known as
an information system activity review.
For purposes of the HIPAA privacy rule what does record mean?
any item, collection, or grouping of information that includes PHI and is maintained by the covered entity.
Covered entities may use and disclose PHI only .....?
as permitted by HIPAA or by a more protective state rule if one applies.
Before a user is allowed to access protected health information, the system confirms that the patient is who he or she says they are. This is known as
authentication.
Facility access controls include:
Establishing safeguards to prohibit the physical hardware and computer system itself from unauthorized access while ensuring that proper authorized access is allowed (eg- visitor takes a flash drive from employees desk)
insurance plan that provides or pays fpr medical care
Health Plan
Which security measure utilizes fingerprints or retina scans?
biometrics
In case your system crashes, your facility has defined the policies and procedures necessary to keep your business going. This is known as:
business continuity plan
The computer system containing the electronic health record was located in a room that was flooded. As a result, the system is inoperable. Which of the following would be implemented?
business continuity processes
Electronic Protected Health Information; PHI created, received, maintained, or transmitted in electronic form.
ePHI
What are some of the environmental hazards?
fires, floods, and earthquakes, utility failures (power outages)
A hacker recently accessed our database. We are trying to determine how the hacker got through the firewall and exactly what was accessed. The process used to gather this evidence is called
forensics.
Many in Congress believed that establishing national standards for electronic health information, and the greater use of technology in transaction processing, would lead to.......?
gains in efficiency and significant cost savings.
Who does the Security Rule apply too?
health care professionals and organizations that meet the definition of covered entity, just as the HIPAA Privacy Rule does. And only covers Electronic Protected Health Information.
HIPPA only applies to.....?
health care professionals and organizations that provide health care in the normal course of business and that electronically transmit information that is protected under HIPPA.
Which of the following is an example of administrative safeguards under the security rule?
monitoring the computer access activity of the user
I have been asked if I want to be in the directory. The admission clerk explains that if I am in the directory,
my friends and family can find out my room number.
Intrusion detection systems analyze
network traffic.
The purpose of the notice of privacy practices is to
notify the patient of uses of PHI.
The CE may be held responsible for the actions of its business associates if it knew?
of a pattern of activity that was in violation of the contract and it failed to take reasonable steps to fix the problem.
You have to decide which type of firewall you want to use in your facility. Which of the following is one of your options?
packet filter
Facility access controls, workstation use, workstation security, and device/media controls are all part of
physical safeguards
n conducting an environmental risk assessment, which of the following would be considered in the assessment?
placement of water pipes in the facility
The patient has the right to control access to his or her health information. This is known as
privacy.
America LTD has developed a PHR. According to ARRA, the health information that they store is
protected
What type of patient information is not subjected to law?
protected health information (PHI)
What is the challenge health care is facing today with electronic health information?
protecting information exchanged over computer networks with many access points and convincing the public to trust the electronic systems.
Ms. Thomas was a patient at your facility. She has been told that there are some records that she cannot have access to. These records are most likely
psychotherapy notes
These rules for use and disclosure do not apply to the release of PHI in certain circumstances, including....?
public interest purposes as public health, law enforcement, research, workers' compensation cases, and national security situations.
To prevent our network from going down, we have duplicated much of our hardware and cables. This duplication is called
redundancy.
Which of the following would be a business associate?
release of information company
Which of the following disclosures would require patient authorization?
release to patient's family
Which of the following situations would require authorization before disclosing PHI?
releasing information to the Bureau of Disability Determination
You are writing a policy for the release of information area. This policy will include the requirements for a valid authorization. Which of the following would not be included?
request for an accounting of disclosure
Which of the following documents is subject to the HIPAA security rule?
scanned operative report stored on CD
You have to decide which type of firewall you want to use in your facility. Which of the following is one of your options?
secure socket layer
Which of the following is prohibited by ARRA?
selling aggregated patient data without patient consent
Information about alcohol and drug abuse, sexually transmitted diseases, HIV, and behavioral and mental health services may not be released without a?
specific authorization
The information systems department was performing their routine destruction of data that they do every year. Unfortunately, they accidently deleted a record that is involved in a medical malpractice case. This unintentional destruction of evidence is called
spoliation.
HIPPA was created in part to improve.....?
the efficiency of financial and administrative health care transactions
Which of the following should the record destruction program include?
the method of destruction
The Security Rule defines technical safeguards as :
the technology and the policy & procedures for its use that protect ePHI and control access to it.
How do you complain to the OCR?
they must be in writing and sent either on paper or electronically, and must be filed within 180 days of when the individual knew or should have known that the act had occured.
As Chief Privacy Officer, you have been asked why you are conducting a risk assessment. Which reason would you give?
to prevent breach of confidentiality
Which of the following is an example of an administrative safeguard?
training
Under the HIPAA privacy standards, covered entities may use and disclose PHI for?
treatment, payment, and operations (TPO) purposes without special permission from a patient.
Robert Burchfield was recently caught accessing his wife's medical record. The system automatically notified the staff of a potential breach due to the same last name for the user and the patient. This was an example of a
trigger.
A data use agreement allows the organization receiving the data to
use data only within the bounds of the agreement.
Before an employee can be given access to the EHR, someone has to determine what they have access to. What is this known as?
workforce clearance procedure
You have been assigned the responsibility of performing an audit to confirm that all of the workforce's access is appropriate for their role in the organization. This process is called
workforce clearance procedure.
If an authorization is missing a Social Security number, can it be valid?
yes
The facility had a security breach. The breach was identified on October 10, 2013. The investigation was completed on October 15, 2013. What is the deadline that the notification must be completed?
60 days from October 10 (60 days from the day of the breach)
You work for an organization that publishes a health information management journal and provides clearinghouse services. What must you do? A. Have the same security plan for the entire organization. B. Separate the e-PHI from the noncovered entity portion of the organization. C. Train the journal staff on HIPAA security awareness. D. Follow the same rules in all parts of the organization.
B. Separate the e-PHI from the noncovered entity portion of the organization.
Mountain Hospital has discovered a security breach. Someone hacked into the system and viewed 50 medical records. According to ARRA, what is the responsibility of the covered entity? A. ARRA does not address this issue. B. All individuals must be notified within 30 days. C. All individuals must be notified within 60 days. D. ARRA requires oral notification.
C. All individuals must be notified within 60 days.
You have been asked to provide examples of technical security measures. Which of the following would you include in your list of examples?
automatic logout
Which statement is true about when a family member can be provided with PHI?
the patient's mother can always receive PHI on her child
Differentiate between authentication and authorization:. A. Authentication is confirming that you are able to log into the system; authorization is determining what you can do. B. Authentication is determining what you can do; authorization is confirming that you are able to log into the system. C. Authentication is confirming that you are able to log into the system; authorization is identifying what a user did in the system. D. Authentication is determining what you can do and authorization is identifying what a user did in the system.
A. Authentication is confirming that you are able to log into the system; authorization is determining what you can do.
Choosing to be in the directory means which of the following? B. Your condition can be released to any caller in specific terms C. Your condition can be released to the public D. No information can be released
A. Friends and family can find out what room you are in
Margot looked up PHI on her ex-sister-in-law. A routine audit discovered the violation. Which statement is true under ARRA? A. Margot cannot be prosecuted since she is not a covered entity. B. Margot cannot be prosecuted since she is not a covered entity or business associate. C. Margot cannot be prosecuted since she did not sell the PHI. D. Margot can be prosecuted.
A. Margot cannot be prosecuted since she is not a covered entity.
The HIM director received an e-mail from the technology support services department about her email being full and asking for her password. The director contacted tech support and it was confirmed that their department did not send this e-mail. This is an example of what type of malware? A. Phishing. B. Spyware. C. Denial of service. D. Virus.
A. Phishing.
In conducting an environmental risk assessment, which of the following would be considered in the assessment? A. Placement of water pipes in the facility B. Verifying that virus checking software is in place C. Use of single sign-on technology D. Authentication
A. Placement of water pipes in the facility
Which of the following would be a business associate? A. Release of information company B. Bulk food service provider C. Childbirth class instructor D. Marketing consultant
A. Release of information company
Which of the following should record destruction program include? A. The method of destruction B. Name of person responsible for destruction C. Cite of laws followed D. Requirement of daily destruction
A. The method of destruction
Accessing PHR identifiable health information without approval is: A. breach of security. B. PHR identifiable health information. C. unsecured PHR identifiable health information. D. preemption.
A. breach of security.
Nicole is developing an agreement that will be used between the hospital and the health care clearing house. This agreement will require the two parties to protect the privacy of data exchanged. This is called a: A. business associate agreement. B. business contract. C. trading partner agreement. D. none of the above.
A. business associate agreement.
We have just identified that an employee looked up his own medical record. Which of the following actions should be taken? A. Notify his or her supervisor because this is a minor incident and therefore not subject to the incident response procedure. B. Follow the incident response procedure. C. Terminate the employee on the spot. D. Notify OCR.
B. Follow the incident response procedure.
Which of the following situations violate a patient's privacy? A. The hospital sends patients who are scheduled for deliveries information on free childbirth classes. B. The physician on the quality improvement committee reviews medical records for potential quality problems. C. The hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples. D. The hospital uses aggregate data to determine whether or not to add a new operating room suite.
C The release of childbirth information is acceptable because it is related to the reason for admission. The mass mailing of samples violates giving out confidential information to outside agencies.
Which of the following statements demonstrates a violation of protected health information? A. "Yes, Mr. Smith is in room 222. I will transfer your call." B. A member of the physician's office staff calls centralized scheduling and says, "Dr. Smith wants to perform a bunionectomy on Mary Jones next Tuesday." C. "Mary, at work yesterday I saw that Susan had a hysterectomy." D. Dr. Jones tells a nurse on the floor to give Ms. Brown Demerol for her pain.
C. "Mary, at work yesterday I saw that Susan had a hysterectomy."
The computer system containing the electronic health record was located in a room that was flooded. As a result, the system is inoperable. Which of the following would be implemented? A. SWOT analysis B. Information systems strategic planning C. Request for proposal D. Business continuity processing
D. Business continuity processing
Which of the following is subject to the HIPAA security rule? A. x-ray films stored in radiology B. paper medical record C. faxed records D. Clinical data repository
D. Clinical data repository The security rule only applies to e-PHI.
Which of the following is excluded from the definition of PHI? A. Identifiable patient information that is held by a covered entity B. Identifiable patient information that is held by a business associate C. Identifiable patient information that is stored electronically D. Employment records stored by a covered entity as an employer
D. Employment records stored by a covered entity as an employer
Mark, a patient of Schnering Hospital, has asked for an electronic copy of his medical record to go to his physician. According to ARRA, what is the CE's obligation to Mark? A. None, as this is prohibited by HIPAA. B. None, as this is prohibited by ARRA. C. Mark has a right to an electronic copy, but it has to go to him, not a third party. D. Mark has a right to an electronic copy or to have it sent to someone else.
D. Mark has a right to an electronic copy or to have it sent to someone else.
Your transcription system is set up to back up your hard drive every 5 minutes. The backup is on the hard drive of another computer. This computer is located in the room next door to the primary computer. What should be done to improve the backup process? A. Place the backup on an optical disk. B. Back up on a daily basis. C. Back up on a diskette. D. Move backup computer to an office 100 miles away.
D. Move backup computer to an office 100 miles away.
With the ARRA changes to the accounting of disclosure rules, which of the following statements is true? A. All CE must account for all disclosures-not just nonroutine. B. Only organizations using a hybrid record must account for all disclosures. C. Only organizations still using the paper record must account for all disclosures to encourage the transition to the EHR. D. Only organizations with an EHR is required to account for all disclosures
D. Only organizations with an EHR is required to account for all disclosures
Which of the following documents is subject to the HIPAA security rule? A. Document faxed to the facility B. Copy of discharge summary C. Paper medical record D. Scanned operative report stored on CD
D. Scanned operative report stored on CD
Dr. Brown has just approved the patient's request to amend the medical record. Dr. Brown has routed the request with his approval to the HIM Department. What should the HIM Department do? A. File the request where the erroneous information is located. B. File the request where the erroneous information is located and send a copy of the amendment to anyone who has a copy of the erroneous information. C. File in the front of the chart. D. File the request where the erroneous information is located and send a copy of the amendment to anyone who has a copy of the erroneous information plus anyone the patient requests.
File the request where the erroneous information is located and send a copy of the amendment to anyone who has a copy of the erroneous information plus anyone the patient requests
We have just identified that an employee looked up his own medical record. Which of the following actions should be taken?
Follow the incident response procedure
HIPAA states that release to a coroner is allowed. State law says that the coroner must provide a subpoena. Which of the following is a correct statement?
Follow the state law since it is stricter.
was enacted to protect the confidentially, integrity, and availability of of electronic health information.
HIPAA Privacy Rule
____ is the most significant legislation affecting the health care field since the Medicare and Medicaid programs were introduced in 1965.
HIPPA 1996
protects the confidentiality, integrity, and availability of electronic health information.
HIPPA Security Rule
Who are considered covered entities?
HIPPA, health plans, providers, and clearinghouses
Miles has asked you to explain the rights he has via HIPAA privacy standards. Which of the following is one of his HIPAA-given rights?
He can ask to be contacted at an alternative site.
Mary processed a request for information and mailed it out last week. Today, the requestor, an attorney, called and said that all of the requested information was not provided. Mary pulls the documentation, including the authorization and what was sent. She believes that she sent everything that was required based on what was requested. She confirms this with her supervisor. The requestor still believes that some extra documentation is required. Given the above information, which of the following statements is true?
Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule.
means using reasonable safeguards to protect PHI from being accidentally released---to those who do not need access to the information---during an appropriate use or disclosure.
Minimum Necessary Standard
Notice of Privacy Practices; document describing practices regarding use and disclosure of PHI.
NPP
Which statement is true about when a family member can be provided with PHI?
The family member is directly involved in the patient's care.
The Legal Health Record of Disclosure consists of:
The data, documents, reports, and information that comprise the formal business record(s) of any healthcare organization that are being utilized during legal proceedings
A home health care agency employee has contacted the Center for Medicare and Medicaid Services to report health care fraud. Patient information is provided in the report. Which of the following is true?
The disclosure is not a violation of HIPAA if the information was provided in good faith.
Your department was unable to provide a patient with a copy of his record within the 30-day limitation. What should you do?
Write the patient and tell him that you will need a 30-day extension.
A patient signed an authorization to release information to a physician but decided not to go see that physician. Can he stop the release?
Yes, as long has it has not been released already
A clinic has a contract with the city government to perform all new employee physicals and work injury evaluations. Is it appropriate that a patient's family history of cancer be reported to the employer?
Yes, unless the employer has allowed for such exclusion. In this case, the patient is being treated or examined at the request of the employer, so the employer is a BA of the clinic.
The HIPAA security rule impacts which of the following protected health information?
clinical data repository
The Privacy Rule applies to PHI in any form....What forms can they be?
communicated verbally, written or printed on paper, or maintained in an electronic format.
What does the ePHI physical devices are covered?
computers, USB flash drives, CDs, and magnetic tapes, computer networks, and information sent or received over the Internet.
What are the goals of the HIPAA security standards?
confidentiality, integrity, availability
You are a nurse who works on 3West during the day shift. One day, you had to work the night shift because they were shorthanded. However, you were unable to access the EHR. What type of access control(s) are being used?
context-based
Alisa has trouble remembering her password. She is trying to come up with a solution that will help her remember. Which one of the following would be the BEST practice?
creating a password that utilizes a combination of letters and numbers
Your organization is sending confidential patient information across the Internet using technology that will transform the original data into unintelligible code that can be re-created by authorized users. This technique is called
data encryption.
Intentional threats to security could include
data theft (unauthorized downloading of files).
Which of the following can be released without consent or authorization?
de-identified health information
An organization that is a covered entity, that performs functions that are covered and noncovered by HIPAA, and that specifies the portion of the organization that will be subject to HIPAA is called a(n)
hybrid entity.
An employee in the admission department took the patient's name, Social Security number, and other information and used it to get a charge card in the patient's name. This is an example of
identity theft.
The surgeon comes out to speak to a patient's family. He tells them that the patient came through the surgery fine. The mass was benign and they could see the patient in an hour. He talks low so that the other people in the waiting room will not hear but someone walked by and heard. This is called a(n)
incidental disclosure.
A covered entity
includes health care providers who perform specified actions electronically.
Protected health information includes
individually identifiable health information in any format stored by a health care provider or business associate
Threats to information security come from a number of sources, what are some of these sources?
individuals, the environment, and computer hardware, software and networks.
What are some of the electronic hazards?
insufficient security in the hardware or software, programming errors, changes to existing software including upgrades, and the addition of new users to the system.
A mechanism to ensure that PHI has not been altered or destroyed inappropriately has been established. This process is called
integrity.
Certain health care benefits are exempt from the HIPAA standards even when provided by health plans:
- Workers' compensation - Coverage for on-site medical clinics - Accident or disability income insurance - General and automotive liability insurance - Automobile medical payment insurance
The administrator states that he should not have to participate in privacy and security training. How should you respond? A. "All employees are required to participate in the training, including top administration." B. "I will record that in my files." C. "Did you read the privacy rules?" D. "You are correct. There is no reason for you to participate in the training."
A. "All employees are required to participate in the training, including top administration."
The hospital has received a request for an amendment. How long does the facility have in order to accept or deny the request? A. 30 days B. 60 days C. 14 days D. 10 days
A. 30 days
The facility had a security breach. The breach was identified on October 10, 2010. The investigation was completed on October 15, 2010. What is the deadline that the notification must be completed? A. 60 days from October 10 B. 60 days from October 15 C. 30 days from October 10 D. 30 days from October 15
A. 60 days from October 10
A hacker recently accessed our database. We are trying to determine how the hacker got through the firewall and exactly what was accessed. The process used to gather this evidence is called: A. forensics. B. mitigation. C. security event. D. incident.
A. forensics.
An organization that is a covered entity, performs functions that are covered and noncovered by HIPAA, and specifies the portion of the organization that will be subject to HIPAA is called a(n): A. hybrid entity. B. affiliated covered entity. C. organized health care arrangement. D. business associate.
A. hybrid entity.
An employee utilizes the patient's name and Social Security number to obtain a credit card. This is an example of: A. identity theft. B. de-identified information. C. limited data set. D. security incident.
A. identity theft.
The purpose of the notice of privacy practices is to A. notify the patient of uses of PHI. B. notify patient of audits. C. report incidents to the OIG. D. notify researchers of allowable data use.
A. notify the patient of uses of PHI.
Facility access controls, workstation use, workstation security, and device/media controls are all of part of : A. physical safeguards. B. technical safeguards. C. administrative safeguards. D. organizational requirements.
A. physical safeguards.
Ms. Thomas was a patient at your facility. She has been told that there are some records that she cannot have access to. These records are most likely: A. psychotherapy notes. B. alcohol and drug records. C. AIDS records. D. mental health assessment.
A. psychotherapy notes.
You work for a 60-bed hospital in a rural community. You are conducting research on what you need to do to comply with HIPAA. You are afraid that you will have to implement all of the steps that your friend at a 900-bed teaching hospital is implementing at his facility. You continue reading and learn that you only have to implement what is prudent and reasonable for your facility. This is called: A. scalable. B. risk assessment. C. technology neutral. D. access control.
A. scalable.
What type of access safeguard is more people focused in nature?
Administrative are more people-focused and include requirements such as training and assignment of an individual responsibility for security.
A patient's medical record was breached. The written notification that goes out to the patient should contain only a message to call the hospital. A. True statement. This is too sensitive to address in a letter. B. False statement. The patient should receive a brief description of the breach, what the covered entity is doing about the breach, what the patient should do, and who to contact. C. False statement, as the patient should be told to contact the Office of the Inspector General. D. False statement, as the patient should be told what happened and that the facility is sorry and hopes the patient will not have any problems as a result of the breach.
B. False statement - the patient should receive a brief description of the breach, what the covered entity is doing about the breach, what the patient should do, and whom to contact
Miles has asked you to explain the rights that he has via HIPAA privacy standards. Which of the following is one of his HIPAA-given rights? A. He can review his bill. B. He can ask to be contacted at an alternative site. C. He can discuss financial arrangements with business office staff. D. He can ask a patient advocate to sit in on all appointments at the facility.
B. He can ask to be contacted at an alternative site.
Patricia is processing a request for medical records. The record contains an operative note and a discharge summary from another hospital. The records are going to another physician for patient care. What should Patricia do? A. Notify the requestor that redisclosure is illegal and so he must get the operative and discharge summary records from the original source hospital. B. Include the documents from the other hospital. C. Redisclose when necessary for patient care. D. Redisclose when allowed by law.
B. Include the documents from the other hospital.
Mabel is a volunteer at a hospital. She works at the information desk. A visitor comes to the desk and says that he wants to know what room John Brown is in. What should Mabel do? A. Look the patient up and give the room number to the visitor. B. Look the patient up to see if John has agreed to be in the directory. If he has, then give the room number to the visitor. C. Look the patient up to see if the patient signed a notice of privacy practice. If so, then give the visitor the room number. D. Look the patient up in the system to determine if the patient has agreed to TPO usage and then give the room number to the visitor if he had.
B. Look the patient up to see if John has agreed to be in the directory. If he has, then give the room number to the visitor.
Surf Side Hospital has conducted extensive privacy training for their employees. They trust their employees because it is a small community. There have not been any breaches in the past. They feel that monitoring compliance through an audit trail is not necessary. In this circumstance, would it be reasonable to forgo keeping an audit trail? A. Yes, since it is a small community C. Yes, if there is a hotline where violations can be reported D. Yes, if employees are well trained
B. No
Your facility just learned that some PHI was posted to the Internet in error. The PHI was online for 2 days before the problem was found. Unfortunately, there were people who visited the webpage during this time. Four hundred patients were impacted. Which of the following applies? A. The media must be notified. B. Patients must be notified. C. Health and Human Services must be notified within 60 days D. The media and Health and Human Services must be notified.
B. Patients must be notified.
Which of the following statements is true about the Privacy Act of 1974? A. It applies to all organizations who maintain health care data in any form. B. It applies to all health care organizations. C. It applies to the federal government. D. It applies to federal government except for the Veterans Health Administration.
C. It applies to the federal government.
Sarah is the director of HIM at a Brandon Community Hospital. This small hospital does not have an alcohol or drug abuse unit, nor does it treat patients of this type. Last night in the ER, a patient came in who was diagnosed with acute alcoholism and was transferred to another facility for treatment. Does this facility have to follow the regulations on the confidentiality of alcohol and drug abuse patients? A. Yes, if the patient was in withdrawal and any treatment was provided to him B. Yes, since they treated the patient C. No, since they do not have a program and there is no staff whose primary function is to treat these patients D. No, since they immediately transferred the patient from the emergency room
C. No, since they do not have a program and there is no staff whose primary function is to treat these patients
You will be choosing the type of encryption to be used for the new EHR. What are your choices? A. Symmetric and conventional B. Asymmetric and public key C. Symmetric and asymmetric D. Public key and integrity
C. Symmetric and asymmetric
A copy of a medical record was sitting on a counter when a patient walked up to the counter and stood there until the receptionist realized the patient was there. The receptionist immediately removed the copy of the record. Which of the following statements is true? A. This is a breach even if the patient did not see the information contained in the record. B. This is a breach only if the patient looked at it. C. This is not a breach since the patient is unable to retain the information. D. This is a breach whether or not the patient saw the information.
C. This is not a breach since the patient is unable to retain the information.
A data use agreement allows the organization receiving the data to: A. use the non-PHI data any way they want. B. use PHI data any way they want. C. use data only within the bounds of the agreement. D. conduct business for the organization.
C. use data only within the bounds of the agreement.
Which of the following set(s) is an appropriate use of the emergency access procedure? A. A patient is crashing. The attending physician is not in the hospital, so a physician who is available helps the patient. B. One of the nurses is at lunch. The nurse covering for her needs patient information. C. The coder who usually codes the emergency room charts is out sick and the charts are left on a desk in the ER admitting area. D. A and B.
D. A and B. A patient is crashing. The attending physician is not in the hospital, so a physician who is available helps the patient. B. One of the nurses is at lunch. The nurse covering for her needs patient information.
Alisa has trouble remembering her password. She is trying to come up with a solution that will help her remember. She reads the policies on passwords. Based on the policy, she chooses which of the following options? A. The word "password" for her password B. His daughter's name for her password C. To write the complex password on the last page of her calendar D. A combination of letters and numbers
D. A combination of letters and numbers
Two of your staff members are debating how far to go back to comply with a request for an accounting of disclosure. What is your best response? A. HIPAA requires us to go back 6 years. B. HIPAA requires us to go back 3 years. C. ARRA requires us to go back 6 years. D. ARRA requires us to go back 3 years.
D. ARRA requires us to go back 3 years.
Rachel, a nurse, can write progress notes in the patient's electronic health record. Vera, a coder, can view the progress notes but is not authorized to write a progress note. What controls this? A. Authentication B. Two-factor authentications C. Biometrics D. Based access control
D. Based access control
Which of the following set(s) is an appropriate use of the emergency access procedure? C. The coder who usually codes the emergency room charts is out sick and the charts are left on a desk in the ER admitting area. A. A patient is crashing. The attending physician is not in the hospital, so a physician who is available helps the patient. B. One of the nurses is at lunch. The nurse covering for her needs patient information. D. Both A and B.
D. Both A and B.
Your facility just learned that one of their business associates is out of compliance with your contract and with the privacy rule. What should your response be according to ARRA? A. Educate the business associate and conduct an audit in 30 days. B. Educate the business associate. Request that the problem be corrected by the business associate within 60 days C. Request that the problem be corrected by the business associate within 60 days D. Request that the business associate correct the problem or stop doing business with the organization.
D. Request that the business associate correct the problem or stop doing business with the organization.
The term "de-identified" indicates: A. the patient's name has been removed. B. the patient's name and medical record number have been removed. C. the patient's name, medical record number, and social security number have been removed. D. all of the HIPAA specified patient identifiers have been removed.
D. all of the HIPAA specified patient identifiers have been removed.
is information that neither identifies nor provides a reasonable basis for identifying and individual.
De-identified health information
this process provides Covered Entities and business associates with the structural framework upon which to build their HIPAA security plan. The value of risk analysis stems from its uniqueness to the specific organization in which its conducted.
The Security Risk Analysis
The physician office you go to has a data integrity issue. What does this mean?
There has been unauthorized alteration of patient information.
You have been given some information that includes the patient's account number. Which statement is true?
This is not de-identified information, because it is possible to identify the patient.
The most relevant title to the management of health information, containing provisions relating to the prevention of healthcare fraud and abuse & medical liability reform, as well as administrative simplification. The Privacy Rule derives from the administrative simplification of Title II along with the HIPAA Security regulations, transactions, and code set standardization requirements unique NPIs and the enforcement rules.
Title II of HIPAA
Nicole is developing an agreement that will be used between the hospital and the health care clearing house. This agreement will require the two parties to protect the privacy of data exchanged. This is called
a business associate agreement
Under the HIPPA Privacy Rule, covered entities must list their privacy policies and procedures in?
a Notice of Privacy Practices (NPP)
The HIM director received an e-mail from the technology support services department about her e-mail being full and asking for her password. The director contacted tech support and it was confirmed that their department did not send this e-mail. This is an example of what type of malware?
phishing