RHIT Domain 2

a Original health records may be required by subpoena to be produced in person and the custodian of records is required to authenticate those records through testimony (Rinehart-Thompson 2016a, 198).

The record custodian typically can testify about which of the following when a party in a legal proceeding is attempting to admit a health record as evidence? a. Identification of the record as the one subpoenaed b. The care provided to the patient c. The qualifications of the treating physician d. Identification of the standard of care used to treat the patient

c There are circumstances where PHI can be used or disclosed without the individual's authorization and without granting the individual the opportunity to agree or object. Some of these circumstances include preventing or controlling diseases, injuries, and disabilities, and reporting disease, injury, and vital events such as births and deaths (Rinehart-Thompson 2016b, 235).

Release of birth and death information to public health authorities: a. Is prohibited without patient consent b. Is prohibited without patient authorization c. Is a public interest and benefit disclosure that does not require patient authorization d. Requires both patient consent and authorization

b Data security embodies three basic concepts: protecting the privacy of data, ensuring the integrity of data, ensuring the availability of data (Rinehart-Thompson 2016c, 254).

The three elements of a security program are ensuring data availability, protection, and: a. Suitability b. Integrity c. Flexibility d. Robustness

b The Privacy Rule introduced the standard that individuals should be informed how covered entities use or disclose protected health information (PHI). Section 164.520 requires that, except for certain variations or exceptions for health plans and correctional facilities, an individual has the right to a notice explaining how his or her PHI will be used and disclosed. This is the notice of privacy practices (Rinehart-Thompson 2016b, 230-231).

To comply with HIPAA regulations, a hospital would make its membership in an HIE known to its patients through which of the following? a. Press release b. Notice of Privacy Practices c. Consent form d. Website notice

a Files of patients who have not been at the facility for a specified period, such as two years, may be purged or removed from the active filing area (Sayles 2016b, 61).

Removing health records of patients who have not been treated at the facility for a specific period of time from the storage area is called: a. Purging records b. Assembling records c. Logging records d. Cycling records

d Covered entities (CEs) are responsible for their workforce, which consists not only of employees but also volunteers, student interns, and trainees. Workforce members are not limited to those who receive wages from the CE (45 CFR 160.103; Rinehart-Thompson 2017c, 210-211).

Susan is completing her required high school community service hours by serving as a volunteer at the local hospital. Relative to the hospital, she is a(n): a. Business associate b. Covered entity c. Employee d. Workforce member

b The term access control means being able to identify which employees should have access to what data. The general practice is that employees should have access only to data they need to do their jobs. For example, an admitting clerk and a healthcare provider would not have access to the same kinds of data (Rinehart-Thompson 2016c, 262).

What does the term access control mean? a. Identifying the greatest security risks b. Identifying which data employees should have a right to use c. Implementing safeguards that protect physical media d. Restricting access to computer rooms and facilities

c Employees are the biggest threat to the security of healthcare data. Whether it is disgruntled employees destroying computer hardware, snooping employees accessing information without authorization to do so, or employees accessing information for fraudulent purposes, employees are a real threat to data security (Rinehart-Thompson 2016c, 256).

What is the biggest threat to the security of healthcare data? a. Natural disasters b. Fires c. Employees d. Equipment malfunctions

b Confidentiality, as recognized by law and professional codes of ethics, stems from a relationship such as physician and patient, and pertains to the information resulting from that relationship. Privileged communication is a legal concept designed to protect the confidentiality between two parties (Brodnik 2017a, 7-8).

What is the legal term used to define the protection of health information in a patient-provider relationship? a. Access b. Confidentiality c. Privacy d. Security

b Associated with ownership of health records is the legal concept of the custodian of records. The custodian of health records is the individual who has been designated as having responsibility for the care, custody, control, and proper safekeeping and disclosure of health records (Brodnik 2017a, 9).

What is the term used most often to describe the individual within an organization who is responsible for protecting health information in conjunction with the court system? a. Administrator of records b. Custodian of records c. Director of records d. Supervisor of records

c Because HIPAA defers to state laws on the issue of minors, applicable state laws should be consulted regarding appropriate authorization. In general, the age of maturity is 18 years or older. This is the legal recognition that an individual is considered responsible for, and has control over, his or her actions (Klaver 2017b, 160).

What resource should be consulted in terms of who may authorize access, use, or disclose the health records of minors? a. HIPAA because it has strict rules regarding minors b. Hospital attorneys because they know the rules of the hospital c. State law because HIPAA defers to state laws on matters related to minors d. Federal law because HIPAA overrides state laws on matters related to minors

c Hospitals and other healthcare facilities develop health record retention policies to ensure that health records comply with all applicable state and federal regulations, accreditation standards, as well as meet future patient care needs. Most states have established regulations that address how long health records and other healthcare-related documents must be maintained before they can be destroyed (Fahrenholz 2013a, 109).

What type of health record policy dictates how long individual health records must remain available for authorized use? a. Disclosure policies b. Legal policies c. Retention policies d. Redisclosure policies

a One of the most fundamental terms used in the Privacy Rule is protected health information (PHI). The Privacy Rule defines PHI as individually identifiable health information that is transmitted by electronic media, maintained in any electronic medium, or maintained in any other form or medium (Rinehart-Thompson 2016b, 220, 222).

What types of covered entity health records are subject to the HIPAA privacy regulations? a. Health records in any format b. Only health records in electronic format c. Health records in paper or electronic format d. Only health records in paper format

a Audit controls are required by HIPAA. One method of monitoring is the use of audit trails. Audit trails are a recording of activities occurring in an information system. Audit trails can monitor system level controls such as login, logout, unsuccessful logins, print, query, and other actions. It also records user-identification information and the date and time of the activity. Audits should be scheduled periodically, but can also be performed when a problem is suspected (Sayles and Trawick 2014, 215).

A coding compliance manager is reviewing a tool that identifies when a user logs in and out, what he or she does, and more. What is the manager reviewing? a. Audit trail b. Facility access control c. Forensics d. Security management plan

d Competent adults have a general right to consent to or refuse medical treatment. In general, a competent adult has the right to request, receive, examine, copy, and authorize disclosure of the patient's healthcare information (Brodnik 2017b, 341-342).

A competent individual has the following rights concerning his or her healthcare: a. Right to consent to treatment and the right to destroy their original health record b. Right to destroy their original health record and the right to refuse treatment c. Right to access his or her own PHI and the right to take the original record with them d. Right to consent to treatment and the right to access his or her own PHI

b Device and media controls require the facility to specify proper use of electronic media and devices (external drives, backup devices, etc.). Included in this requirement are controls and procedures regarding the receipt and removal of electronic media that contain protected health information and the movement of such data within the facility. The entity must also address procedures for the transfer, removal, or disposal, including reuse or redeployment, of electronic media (Rinehart-Thompson 2016c, 273).

A dietary department donated its old microcomputer to a school. Some old patient data were still on the computer. What controls would have minimized this security breach? a. Access controls b. Device and media controls c. Facility access controls d. Workstation controls

c Sometimes HIM professionals are subpoenaed to testify as to the authenticity of the health records by confirming that they were compiled in the normal course of business and have not been altered in any way. A subpoena that is issued to elicit testimony is a subpoena ad testificandum (Rinehart-Thompson 2016b, 215).

A health information technician receives a subpoena ad testificandum. To respond to the subpoena, which of the following should the technician do? a. Review the subpoena to determine what documents must be produced b. Review the subpoena and notify the hospital administrator c. Review the subpoena and appear at the time and place supplied to give testimony d. Review the subpoena and alert the hospital's risk management department

c A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a software program or device that filters information between two networks, usually between a private network like an intranet and a public network like the Internet (Rinehart-Thompson 2016c, 265).

A home health agency plans to implement a computer system whereby its nurses document home care services on a laptop computer taken to the patient's home. The laptops will connect to the agency's computer network. The agency is in the process of identifying strategies to minimize the risks associated with the practice. Which of the following would be the best practice to protect laptop and network data from a virus introduced from an external device? a. Biometrics b. Encryption c. Personal firewall software d. Session terminations

b If the paper health record is destroyed, the imaging record would be the legal health record. This may not be the case if the paper record is retained. State laws typically view the original health record as the legal record when it is available. Those who choose to destroy the original health record may do so within weeks, months, or years of scanning. If the record was destroyed according to guidelines for destruction and no scanned record exists, the certificate of destruction should be presented in lieu of the record (Rinehart-Thompson 2017b, 199-200).

A hospital HIM department receives a subpoena duces tecum for records of a former patient. When the health record technician goes to retrieve the patient's health records, it is discovered that the records being subpoenaed have been purged in accordance with the state retention laws. In this situation, how should the HIM department respond to the subpoena? a. Inform defense and plaintiff lawyers that the records no longer exist b. Submit a certification of destruction in response to the subpoena c. Refuse the subpoena since no records exist d. Contact the clerk of the court and explain the situation

a An off-site storage company is usually a contracted service that provides long-term storage of health records. For a fee, the company then retrieves and delivers records requested by the healthcare facility's HIM department. For easy record retrieval it would be important to have records labeled. Because the records are filed in boxes, each box needs a unique identifier so it can be located. The records in each box must be identified and cross-indexed to the box in which they are stored (Sayles 2016b, 62).

A hospital HIM department wants to move five years of health records to a remote storage location. The records will be stored in boxes and will be filed on open shelves at the remote location. Which of the following should be done so that record location can be easily identified in the remote storage area? a. Provide a unique identifier for each box and prepare a log of the records that is cross-indexed by box identifier b. Prepare a sequential list of all records sent to remote storage c. Provide a unique box identifier and list the records by health record number on the outside of each box d. File the records in terminal digit order in each box

b In the HIPAA Security Rule, one of the technical safeguards standards is access control. This includes automatic log-off, which ensures processes that terminate an electronic session after a predetermined time of inactivity (Reynolds and Brodnik 2017, 277).

A hospital is planning on allowing coding professionals to work at home. The hospital is in the process of identifying strategies to minimize the security risks associated with this practice. Which of the following would be best to ensure that data breaches are minimized when the home computer is unattended? a. User name and password b. Automatic session terminations c. Cable locks d. Encryption

d The HIPAA Privacy Rule requires that records be produced within 30 days to a patient or their personal representative, with a one-time extension of an additional 30 days if necessary. If such an additional 30 days is needed, the covered entity must notify the patient in writing of the need for additional time (Thomason 2013, 98).

A patient requests a copy of his health records. When the request is received, the HIM clerk finds that the records are stored off-site. Which is the longest timeframe the hospital can take to remain in compliance with HIPAA regulations? a. Provide copies of the records within 15 days b. Provide copies of the records within 30 days c. Provide copies of the records within 45 days d. Provide copies of the records within 60 days

a The HIPAA Privacy Rule states that the covered entity must provide individuals with their information in the form that is requested by the individuals, if it is readily producible in the requested format. The covered entity can certainly decide, along with the individual, the easiest and least expensive way to provide the copies they request. Per the request of an individual, a covered entity must provide an electronic copy of any and all health information that the covered entity maintains electronically in a designated record set. If a covered entity does not maintain the entire designated record set electronically, there is not a requirement that the covered entity scan paper documents so the documents can be provided in that format (Thomason 2013, 102).

A patient requests copies of her medical records in an electronic format. The hospital does not maintain all of the designated records in an electronic format. How should the hospital respond? a. Provide the records in paper format only b. Scan the paper documents so that all records can be sent electronically c. Provide the patient with both paper and electronic copies of the record d. Inform the patient that PHI cannot be sent electronically

a Review of records by the patient is permitted after the authorization for use and disclosure is verified. Usually hospital personnel should be present during on-site reviews to assist the requester with the paper record or working with the EHR if necessary. Assistance would not be needed if the people requesting on-site review work for the facility (Rinehart-Thompson 2016b, 225, 244). 130 Correct0 Wrong0 Unanswered130

A secretary in the Nursing Office was recently hospitalized with ketoacidosis. She comes to the HIM department and requests to review her health record. Of the options here, what is the best course of action? a. Allow her to review her record after obtaining authorization from her. b. Refer the patient to her physician for the information. c. Tell her to go through her supervisor for the information. d. Tell her that hospital employees cannot access their own medical records.

c A secure patient portal allows for the communication between the provider and the patient and is not just a site for patients to access information. This is part of the effort to engage patients in their care (Sayles and Trawick 2014, 162).

A secure method of communication between the healthcare provider and the patient is a(n): a. Personal health record b. E-mail c. Patient portal d. Online health information

d A portal is a special application to provide secure remote access to specific applications (Brinda 2016, 162).

A special web page that offers secure access to data is a(n): a. Internet b. Home page c. Intranet d. Portal

d A subpoena duces tecum instructs the recipient to bring documents and other records with himself or herself to a deposition or to court (Rinehart-Thompson 2017a, 59).

A subpoena duces tecum compels the recipient to: a. Serve on a jury b. Answer a complaint c. Testify at trial d. Bring records to a legal proceeding

a An audit trail is a record of system and application activity by users. It can track when an employee has accessed the system, the actions taken, and how long the employee has been logged into a system (Rinehart-Thompson 2016c, 265).

A tool that identifies when a user logs in and out, what actions he or she takes, and more is called a(n): a. Audit trail b. Facility access control c. Forensic scan d. Security management plan

a The access controls standard requires implementation of technical procedures to control or limit access to health information. The procedures would be executed through some type of software program. This requirement ensures that individuals are given authorization to access only the data they need to perform their respective jobs (Rinehart-Thompson 2016c, 273).

Access to health records based on protected health information within a healthcare facility should be limited to employees who have a: a. Legitimate need for access b. Password c. Report development program d. Signed confidentiality agreement

d Determining what data to make available to an employee usually involves identifying classes of information based on the employee's role in the organization. Every role in the organization should be identified, along with the type of information required to perform it. This is often referred to as role-based access. Although there are other types of access control strategies, role-based access is probably the one used most often in healthcare organizations. Access to information and information resources (such as computers) must be restricted to those authorized to access the information or the associated resources (Rinehart-Thompson 2016c, 262). 130 Correct0 Wrong0 Unanswered130

An HIT using her password can access and change data in the hospital's master patient index. A billing clerk, using his password, cannot perform the same function. Limiting the class of information and functions that can be performed by these two employees is managed by: a. Network controls b. Audit trails c. Administrative controls d. Access controls

a Metadata are data about data and include information that track actions such as when and by whom a document was accessed or changed, such as in an audit log (Rinehart-Thompson 2016a, 206). 130 Correct0 Wrong0 Unanswered130

An audit log is an example of: a. Metadata b. Encryption c. Admissibility d. Data integrity

a An audit trail is a software program that tracks every single access or attempted access of data in the computer system. It logs the name of the individual who accessed the data, terminal location or IP address, the date and time accessed, the type of data, and the action taken (for example, modifying, reading, or deleting data) (Rinehart-Thompson 2016c, 265).

An audit trail may be used to detect which of the following? a. Unauthorized access to a system b. Loss of data c. Presence of a virus d. Successful completion of a backup

a Risk management begins by conducting a risk analysis. Identifying security threats or risks, determining how likely it is that any given threat may occur, and estimating the impact of an untoward event are all parts of a risk assessment (Rinehart-Thompson 2016c, 260-261).

An electronic health record risk analysis is useful to: a. Identify security threats b. Identify which employees should have access to data c. Establish password controls d. Establish audit controls

a Establishing access controls is a fundamental security strategy. Basically, the term access control means being able to identify which employees should have access to what data. The general practice is that employees should have access only to data they need to do their jobs. For example, an admitting clerk and a healthcare provider would not have access to the same kinds of data (Rinehart-Thompson 2016c, 273).

An employee accesses PHI on a computer system that does not relate to her job functions. What security mechanism should have been implemented to minimize this security breach? a. Access controls b. Audit controls c. Contingency controls d. Security incident controls

a Access to e-PHI can be controlled through the use of the following: user-based access, rolebased access, and context-based access. Role-based access control decisions are based on the roles individual users have as part of an organization. Each user is given various privileges to perform their role or function (Rinehart-Thompson 2016c, 262).

An individual designated as an inpatient coder may have access to an electronic health record to code the record. Under what access security mechanism is the coder allowed access to the system? a. Role based b. User based c. Context based d. Situation based

c Privacy, confidentiality, and security are related, but distinct, concepts. In the context of healthcare, privacy can be defined as the right of individuals to control access to their personal health information. Confidentiality refers to the expectation that the personal information shared by an individual with a healthcare provider during the course of care will be used only for its intended purpose. Security is the protection of the privacy of individuals and the confidentiality of health records (Johns 2015, 210-211).

An individual's right to control access to his or her personal information is known as: a. Security b. Confidentiality c. Privacy d. Access control

a The health record may be valuable evidence in a legal proceeding. To be admissible, the court must be confident that the record is: complete, accurate, and timely (recorded at the time the event occurred); was documented in the normal course of business; and was made by healthcare providers who have knowledge of the "acts, events, conditions, opinions, or diagnoses appearing in it" (Klaver 2017a, 78-79).

As the corporate director of HIM services and enterprise privacy officer, you are asked to review a patient's health record in preparation for a legal proceeding for a malpractice case. The lawsuit was brought by the patient 72 days after the procedure. Health information contains a summary of two procedures that were dictated 95 days after the procedure. The physician in question has a longstanding history of being lackadaisical with record completion practices. Previous concerns regarding this physician's record maintenance practices had been reported to the facility's Credentialing Committee. Is this information admissible in court? a. This information could be rejected because the physician dictated the procedure note after the malpractice suit was filed. b. This information will be admissible in court because it is part of the patient's health record. c. This information could be rejected because it is not relevant to the malpractice case. d. This information will be rejected because the patient did not authorize its release.

b Because of cost and space limitations, permanently storing paper and microfilm-based health record documents is not an option for most hospitals. Acceptable destruction methods for paper documents include burning, shredding, pulping, and pulverizing (Fahrenholz 2013a, 111).

Burning, shredding, pulping, and pulverizing are all acceptable methods in which process? a. Deidentification of electronic documents b. Destruction of paper-based health records c. Deidentification of records stored on microfilm d. Destruction of computer-based health records

c There are certain circumstances where the minimum necessary requirement does not apply, such as to healthcare providers for treatment; to the individual or his personal representative; pursuant to the individual's authorization to the secretary of the HHS for investigations, compliance review, or enforcement; as required by law; or to meet other Privacy Rule compliance requirements (164.502(b)(2); Rinehart-Thompson 2017c, 234).

Central City Clinic has requested that Ghent Hospital send its hospital records for Susan Hall's most recent admission to the clinic for her follow-up appointment. Which of the following statements is true? a. The Privacy Rule requires that Susan Hall complete a written authorization. b. The hospital may send only the discharge summary, history and physical, and operative report. c. The Privacy Rule's minimum necessary requirement does not apply. d. This "public interest and benefit" disclosure does not require the patient's authorization.

c The HIPAA Privacy Rule concept of "minimum necessary" does not apply to disclosures made for treatment purposes. However, the covered entity must define, within the organization, what information physicians need as part of their treatment role (Thomason 2013, 5).

Community Hospital is discussing restricting the access that physicians have to electronic health records. The medical record committee is divided on how to approach this issue. Some committee members maintain that all information should be available, whereas others maintain that HIPAA restricts access. The HIM director is part of the committee. Which of the following should the director advise the committee? a. HIPAA restricts the access of physicians to all information. b. The "minimum necessary" concept does not apply to disclosures made for treatment purposes; therefore, physician access should not be restricted. c. The "minimum necessary" concept does not apply to disclosures made for treatment purposes, but the organization must define what physicians need as part of their treatment role. d. The "minimum necessary" concept applies only to attending physicians, and therefore, restriction of access must be implemented.

c The HIPAA Privacy Rule permits healthcare providers to access protected health information for treatment purposes. However, there is also a requirement that the covered entity provide reasonable safeguards to protect the information. These requirements are not easy to meet when the access is from an unsecured location, although policies, medical staff bylaws, confidentiality or other agreements, and a careful use of new technology can mitigate some risks (Thomason 2013, 46).

Community Hospital is planning implementation of various elements of the EHR in the next six months. Physicians have requested the ability to access the EHR from their offices and from home. What advice should the HIM director provide? a. HIPAA regulations do not allow this type of access. b. This access would be covered under the release of PHI for treatment purposes and poses no security or confidentiality threats. c. Access can be permitted providing that appropriate safeguards are put in place to protect against threats to security. d. Access can be permitted because the physicians are on the medical staff of the hospital and are covered by HIPAA as employees.

c The HIPAA Privacy Rule requires the covered entity to have business associate agreements in place with each business associate. This agreement must always include provisions regarding destruction or return of protected health information (PHI) upon termination of a business associate's services. Upon notice of the termination, the covered entity needs to contact the business associate and determine if the entity still retains any protected health information from, or created for, the covered entity. The PHI must be destroyed, returned to the covered entity, or transferred to another business associate. Once the PHI is transferred or destroyed, it is recommended that the covered entity obtain a certification from the business associate that either it has no PHI, or all PHI it had has been destroyed or returned to the covered entity (Thomason 2013, 18).

Community Hospital is terminating its business associate relationship with a medical transcription company. The transcription company has no further need for any identifiable information that it may have obtained in the course of its business with the hospital. The CFO of the hospital believes that to be HIPAA compliant, all that is necessary is for the termination to be in a formal letter signed by the CEO. In this case, how should the director of HIM advise the CFO? a. Determine that a formal letter of termination meets HIPAA requirements and no further action is required. b. Confirm that a formal letter of termination meets HIPAA requirements and no further action is required except that the termination notice needs to be retained for seven years. c. Confirm that a formal letter of termination is required and that the transcription company must provide the hospital with a certification that all PHI that it had in its possession has been destroyed or returned. d. Inform the CFO that business associate agreements cannot be terminated.

a If physicians were to dictate information regarding patients they are treating in the facility, the disclosure of protected health information to the transcriptionists would be considered healthcare operations and, therefore, permitted under the HIPAA Privacy Rule. If physicians, who are separate covered entities, are dictating information on their private patients, however, it would be necessary for physicians to obtain a business associate agreement with the facility. It is permitted by the Privacy Rule for one covered entity to be a business associate of another covered entity (Thomason 2013, 26).

Community Hospital wants to provide transcription services for office notes of the private patients of physicians. All of these physicians have medical staff privileges at the hospital. This will provide an essential service to the physicians as well as provide additional revenue for the hospital. In preparing to launch this service, the HIM director is asked whether a business associate agreement is necessary. Which of the following should the hospital HIM director advise in order to comply with HIPAA regulations? a. Each physician practice should obtain a business associate agreement with the hospital. b. The hospital should obtain a business associate agreement with each physician practice. c. Because the physicians all have medical staff privileges, no business associate agreement is necessary. d. Because the physicians are part of an Organized Health Care Arrangement with the hospital, no business associate agreement is necessary.

c Administrative safeguards are documented, formal practices to manage data security measures throughout the organization. Basically, they require the facility to establish a security management process. The administrative provisions detail how the security program should be managed from the organization's perspective. Administrative safeguards have nine standards, including the development and testing of a contingency plan. This is to ensure that procedures are in place to handle an emergency response in the event of an untoward event such as a power outage (Rinehart-Thompson 2016c, 271-272).

Covered entities must do which of the following to comply with HIPAA security provisions? a. Appoint an individual who has the title of chief security officer who is responsible for security management b. Conduct employee security training sessions every six months for all employees c. Establish a contingency plan d. Conduct technical and nontechnical evaluations every six years

c Single sign-on allows sign-on to multiple related, but independent, software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Single sign-off is the reverse property whereby a single action of signing out terminates access to multiple software systems (Rinehart-Thompson 2016c, 263).

During user acceptance testing of a new EHR system, physicians are complaining that they have to use multiple log-on screens to access all the system modules. For example, they have to use one log-on for CPOE and another log-on to view laboratory results. One physician suggests having a single sign-on that would provide access to all the EHR system components. However, the hospital administrator thinks that one log-on would be a security issue. What information should the HIM director provide? a. Single sign-on is not supported by HIPAA security measures. b. Single sign-on is discouraged by the Joint Commission. c. Single sign-on is less frustrating for the end user and can provide better security. d. Single sign-on is not possible given today's technology.

c All threats can be categorized as either internal threats (threats that originate within an organization) or external threats (threats that originate outside an organization). People are not the only threats to data security. Natural disasters such as earthquakes, tornadoes, floods, and hurricanes can demolish physical facilities and electrical utilities (Rinehart-Thompson 2016c, 256-257).

External security threats can be caused by which of the following? a. Employees who steal data during work time b. A facility's water pipes bursting c. Tornadoes d. The failure of a facility's software

c Implementation specifications define how standards are to be implemented. Implementation specifications are either "required" or "addressable." Covered entities must implement all implementation specifications that are "required." For those implementation specifications that are labeled addressable, the covered entity must conduct a risk assessment and evaluate whether the specification is appropriate to its environment (Rinehart-Thompson 2016c, 271).

For HIPAA implementation specifications that are addressable, which of the following statements is true? a. The covered entity must implement the specification. b. The covered entity may choose not to implement the specification if implementation is too costly. c. The covered entity must conduct a risk assessment to determine whether the specification is appropriate to its environment. d. If the covered entity is a small hospital, the specification does not have to be implemented.

a The covered entity may require the individual to make an amendment request in writing and provide a rationale for their amendment request. Such a process must be communicated in advance to the individual (Rinehart-Thompson 2017d, 246-247).

If a patient wants to amend his or her health record, the covered entity may require the individual to: a. Make an amendment request in writing and provide a rationale for the amendment. b. Ask the attending physician for his or her permission to amend their record. c. Require the patient to wait 30 days before their request will be considered and processed. d. Provide a court order requesting the amendment.

c The HIPAA Privacy Rule provides patients with significant rights that allow them to have some measure of control over their health information. As long as state laws or regulations or the physician does not state otherwise (such as when a licensed healthcare professional has determined that access would likely endanger the life or safety of the individual) competent adult patients have the right to access their health record (Rinehart-Thompson 2017d, 243-244).

In which of the following situations must a covered entity provide an appeals process for denials to requests from individuals to see their own health information? a. Any time access is requested b. When the covered entity is a correctional institution c. When a licensed healthcare professional has determined that access to PHI would likely endanger the life or safety of the individual d. When the covered entity is unable to produce the health record

b The Privacy Rule lists two circumstances where protected health information (PHI) can be used or disclosed without the individual's authorization (although the individual must be informed in advance and given an opportunity to agree or object). One of these circumstances is disclosing PHI to a family member or a close friend that is directly relevant to his or her involvement with the patient's care or payment. Likewise, a covered entity may disclose PHI, including the patient's location, general condition, or death, to notify or assist in the notification of a family member, personal representative, or some other person responsible for the patient's care (Rinehart-Thompson 2016b, 234-235).

Jennifer's widowed mother is elderly and often confused. She has asked Jennifer to accompany her to the physician office visits because she often forgets to tell the physician vital information. Under the Privacy Rule, the release of her mother's PHI to Jennifer is: a. Never allowed b. Allowed when the information is directly relevant to Jennifer's involvement in her mother's care or treatment c. Allowed only if Jennifer's mother is declared incompetent by a court of law d. Any family member is always allowed access to PHI

b Although a person or organization may, by definition, be subject to the Privacy Rule by virtue of the type of organization it is, not all information that it holds or comes into contact with is protected by the Privacy Rule. For example, the Privacy Rule has specifically excluded from its scope employment records held by the covered entity in its role as employer (45 CFR 160.103). Under this exclusion, employee physical examination reports contained within personnel files are specifically exempted from this rule (Rinehart-Thompson 2017c, 215).

Jeremy Lykins was required to undergo a physical exam prior to becoming employed by San Fernando Hospital. Jeremy's medical information is: a. Protected by the Privacy Rule because it is individually identifiable b. Not protected by the Privacy Rule because it is part of a personnel record c. Protected by the Privacy Rule because it contains his physical exam results d. Protected by the Privacy Rule because it is in the custody of a covered entity

d Vendors who have a presence in a healthcare facility, agency, or organization will often have access to patient information in the course of their work. If the vendor meets the definition of a business associate (that is, it is using or disclosing an individual's PHI on behalf of the healthcare organization), a business associate agreement must be signed. If a vendor is not a business associate, employees of the vendor should sign confidentiality agreements because of their routine contact with and exposure to patient information. In this situation, Ready-Clean is not a business associate (Brodnik 2017b, 346).

Lane Hospital has a contract with Ready-Clean, a local company, to come into the hospital to pick up all of the facility's linens for off-site laundering. Ready-Clean is: a. A business associate because Lane Hospital has a contract with it b. Not a business associate because it is a local company c. A business associate because its employees may see PHI d. Not a business associate because it does not use or disclose individually identifiable health information

a Since this breach applies to one patient, it must be reported to HHS within 60 days after the end of the calendar year (Rinehart-Thompson 2016b, 240).

Mary's PHI was breached by her physician office when it was disclosed in error to another patient. Which of the following breach notification statements is correct regarding the physician office's required action? a. It must report the breach to HHS within 60 days after the end of the calendar year in which the breach occurred b. It must report the breach to HHS within 60 days of the breach c. It must notify all local media outlets and HHS immediately d. It is not required to take any action since the breach affected only one person

b When entries are made in the health record regarding a patient who is particularly hostile or irritable, general documentation principles apply, such as charting objective facts and avoiding the use of personal opinions, particularly those that are critical of the patient. The degree to which these general principles apply is heightened because a disagreeable patient may cause a provider to use more expressive and inappropriate language. Further, a hostile patient may be more likely to file legal action in the future if the hostility is a personal attribute and not simply a manifestation of his or her medical condition (Rinehart-Thompson 2017b, 179).

Mrs. Bolton is an angry patient who resents her physicians "bossing her around." She refuses to take a portion of the medications the nurses bring to her pursuant to physician orders and is verbally abusive to the patient care assistants. Of the following options, the most appropriate way to document Mrs. Bolton's behavior in the patient medical record is: a. Mean b. Noncompliant and hostile toward staff c. Belligerent and out of line d. A pain in the neck

c Audit trails are usually examined by system administrators who use special analysis software to identify suspicious or abnormal system events or behavior. Because the audit trail maintains a complete log of system activity, it can also be used to help reconstruct how and when an adverse event or failure occurred (Rinehart-Thompson 2016c, 273).

On review of the audit trail for an EHR system, the HIM director discovers that a departmental employee who has authorized access to patient records is printing far more records than the average user. In this case, what should the supervisor do? a. Reprimand the employee b. Fire the employee c. Determine what information was printed and why d. Revoke the employee's access privileges

c Physical safeguards protect physical equipment, media, or facilities. For example, doors leading to the areas that house mainframes and other principal computing equipment should have locks on them (Rinehart-Thompson 2016c, 264).

Placing locks on computer room doors is considered what type of security control? a. Access control b. Workstation control c. Physical safeguard d. Security breach

c Maintaining some type of accounting procedure for monitoring and tracking PHI disclosures has been a common practice in departments that manage health information. However, the Privacy Rule has a specific standard with respect to such record keeping. Disclosures for which an accounting is not required and which are therefore exempt include some of the following examples: TPO disclosures, pursuant to an authorization, and to meet national security or intelligence requirements. PHI sent to a physician that has not treated the patient would need to be accounted for (Rinehart-Thompson 2017d, 247-248).

Sally has requested an accounting of PHI disclosures from Community Hospital. Which of the following must be included in an accounting of disclosures to comply with this request? a. PHI related to treatment, payment, and operations b. PHI provided to meet national security or intelligence requirements c. PHI sent to a physician who has not treated Sally d. PHI released to Sally's attorney upon her request

c To preserve discoverable data, they must also ensure that records involved in litigation or potential litigation are preserved through a legal hold, which is generally a court order to preserve a health record if there is concern about destruction. A legal hold supersedes routine destruction procedures. It also prevents spoliation—the act of destroying, changing, or hiding evidence intentionally (Rinehart-Thompson 2016b, 216).

Spoliation can be defined as which of the following? a. It is required after a legal hold is imposed b. It is the negligent destruction or changing of information c. It is destroying, changing, or hiding evidence intentionally d. It can only be performed on records that are involved in a court proceeding

c The HIPAA Privacy Rule provides patients with significant rights that allow them to have some measure of control over their health information. As long as state laws or regulations or the physician do not state otherwise, competent adult patients have the right to access their health record (Rinehart-Thompson 2017d, 243-244).

St. Joseph's Hospital has a psychiatric service on the sixth floor of the hospital. A 31-year-old male has come to the HIM department and requested to see a copy of his medical record. He indicated he was a patient of Dr. Schmidt, a psychiatrist, and that he was on the sixth floor of St. Joseph's for the last two months. These records are not psychotherapy notes. Of the options here, what is the best course of action? a. Prohibit the patient from accessing his record, as it contains psychiatric diagnoses that may greatly upset him. b. Allow the patient to access his record. c. Allow the patient to access his record if, after contacting his physician, his physician does not think it will be harmful to the patient. d. Deny access because HIPAA prevents patients from reviewing their psychiatric records.

d Because minors are, as a general rule, legally incompetent and unable to make decisions regarding the use and disclosure of their own health information, this authority belongs to the minor's parent(s) or legal guardian(s) unless an exception applies. Because privacy, security, and confidentiality of minor records are extremely regulated, HIM professionals should also consult state regulations or legal counsel for specific questions. Generally, only one parent signature is required to authorize the use or disclosure of the minor's PHI (Brodnik 2017b, 343).

Ted and Mary are the adoptive parents of Susan, a minor. What is the best way for them to obtain a copy of Susan's operative report? a. Wait until Susan is 18 b. Present an authorization signed by the court that granted the adoption c. Present an authorization signed by Susan's natural (birth) parents d. Present an authorization that at least one of them (Ted or Mary) has signed

d The custodian of health records is the individual who has been designated as having responsibility for the care, custody, control, and proper safekeeping and disclosure of health records for such persons or institutions that prepare and maintain records of healthcare. The custodian of the health record does not have the responsibility or expertise to testify regarding the care of the patient (Brodnik 2017a, 9).

The "custodian of health records" refers to the individual within an organization who is responsible for all except which of the following actions? a. Authorized to certify records b. Supervising inspection and copying of record c. Testifying to the authenticity of records d. Testifying regarding the care of the patient

b Data security can be defined as the protection measures and tools for safeguarding information and information systems (Rinehart-Thompson 2016c, 254).

The protection measures and tools for safeguarding information and information systems is a definition of: a. Confidentiality b. Data security c. Informational privacy d. Informational access control

c The HIM supervisor should determine if a breach has occurred before action is taken. This can be done using an audit trail, which is a software program that tracks access to data in the EHR. It logs the name of the individual who accessed the data, the date and time, and the action taken (for example, modifying, reading, or deleting data) (Rinehart-Thompson 2016c, 265).

The HIM supervisor suspects that a departmental employee is accessing the EHR for personal reasons, but has no specific data to support this suspicion. In this case, what should the supervisor do? a. Confront the employee. b. Send out a memorandum to all department employees reminding them of the hospital policy on Internet use. c. Ask the security officer for audit trail data to confirm or disprove the suspicion. d. Transfer the employee to another job that does not require computer usage.

a The Privacy Rule introduced the standard of minimum necessary to limit the amount of PHI used, disclosed, and requested. This means that healthcare providers and other covered entities must limit uses, disclosures, and requests to only the amount needed to accomplish the intended purpose. For example, for payment purposes, only the minimum amount of information necessary to substantiate a claim for payment should be disclosed (Sharp 2016, 186).

The HIPAA Privacy Rule requires that covered entities must limit use, access, and disclosure of PHI to only the amount needed to accomplish the intended purpose. What concept is this an example of? a. Minimum necessary b. Notice of privacy practices c. Authorization d. Consent

d With the passage of the Privacy Rule, a minimum amount of protection (that is, a floor) was achieved uniformly across all the states through the establishment of a consistent set of standards that affected providers, healthcare clearinghouses, and health plans (Rinehart- Thompson 2017c, 210).

The HIPAA Privacy Rule: a. Protects only medical information that is not already specifically protected by state law b. Supersedes all state laws that conflict with it c. Is federal common law d. Sets a minimum (floor) of privacy requirements

a Another administrative safeguard specification requires that a covered entity implement a security awareness and training program for all members of its workforce. Special protections must be taken to ensure information is not inappropriately released or accessed. These protections include log-in monitoring, password management, and security reminders (Reynolds and Brodnik 2017, 274).

The HIPAA Security Awareness and Training administrative safeguard requires all of the following addressable implementation programs for an entity's workforce except: a. Disaster recovery plan b. Log-in monitoring c. Password management d. Security reminders

b The HIPAA Privacy Rule allows communications to occur for treatment purposes. The preamble repeatedly states the intent of the rule is to not interfere with customary and necessary communications in the healthcare of the individual. Calling out a patient's name in a waiting room, or even on the facility's paging system, is considered an incidental disclosure, and therefore, allowed in the Privacy Rule (Thomason 2013, 37).

The Medical Record Committee is reviewing the privacy policies for a large outpatient clinic. One of the members of the committee remarks that he feels that the clinic's practice of calling out a patient's full name in the waiting room is not in compliance with HIPAA regulations and that only the patient's first name should be used. Other committee members disagree with this assessment. What should the HIM director advise the committee? a. HIPAA does not allow a patient's name to be announced in a waiting room. b. There is no violation of HIPAA in announcing a patient's name, but the committee may want to consider implementing a change that might reduce this practice. c. HIPAA allows only the use of the patient's first name. d. HIPAA requires that patients be given numbers and only the number be announced.

a A patient has a right to a notice of privacy practices as defined in the HIPAA Privacy Rule. A healthcare provider has to provide the notice no later than the first service delivery. After that first provision of service, there is no requirement to provide a notice every time a patient receives service (Thomason 2013, 113).

The admissions director maintains that a notice of privacy practices must be provided to the patient on each admission. How should the HIM director respond? a. Notice of privacy practices is required on the first provision of service. b. Notice of privacy practices is required every time the patient is provided service. c. Notice of privacy practices is only required for inpatient admissions. d. Notice of privacy practices is required on the first inpatient admission but for every outpatient encounter.

d The process of releasing health record documentation originally created by a different provider is called redisclosure. Federal and state regulations provide specific redisclosure guidelines; however, when in doubt, follow the same principles as the release and disclosure guidelines for other types of health record information (Fahrenholz 2013a, 104).

The process of releasing health record documentation originally created by a different provider is called: a. Privileged communication b. Subpoena c. Jurisdiction d. Redisclosure

d User-based access is a security mechanism that grants users of a system access based on their identity (Rinehart-Thompson 2016c, 262).

The director of health information services is allowed access to the health record tracking system when providing the proper log-in and password. What is this access security mechanism called? a. Context based b. Role based c. Situation based d. User-based

c Identity management provides security functionality, including determining who (or what information system) is authorized to access information, authentication services, audit logging, encryption, and transmission controls (Amatayakul 2016, 307).

The function used to provide access controls, authentication, and audit logging in an HIE is: a. Patient identification b. Record location service c. Identity management d. Consent management

a The legal health record is a defined subset of all patient-specific data. The legal health record is the record that will be disclosed upon request by third parties. It includes documentation about health services provided and stored on any media (Rinehart-Thompson 2016a, 206).

The legal health record (LHR) is a(n): a. Defined subset of all patient-specific data created or accumulated by a healthcare provider that may be released to third parties in response to a legally permissible request for patient information b. Entire set of information created or accumulated by a healthcare provider that may be released to third parties in response to a legally permissible request for patient information c. Set of patient-specific data created or accumulated by a healthcare provider that is defined to be legal by the local, state, or federal authorities d. Set of patient-specific data that is defined to be legal by state or federal statute and that is legally permissible to provide in response to requests for patient information

c Privacy is when a patient has the right to maintain control over certain health information (Rinehart-Thompson 2016b, 214).

The legal term used to describe when a patient has the right to maintain control over certain personal information is referred to as: a. Access b. Confidentiality c. Privacy d. Security

d The Business Records Exception is the rule under which a record is determined not to be hearsay if it was made at or near the time by, or from information transmitted by, a person with knowledge; it was kept in the course of a regularly conducted business activity; and it was the regular practice of that business activity to make the record (Klaver 2017a, 80).

The medical record of Kathy Smith, the plaintiff, has been subpoenaed for a deposition. The plaintiff's attorney wishes to use the records as evidence to prove his client's case. In this situation, although the record constitutes hearsay, it may be used as evidence based on the: a. Admissibility exception b. Discovery exception c. Direct evidence exception d. Business records exception

c Release of information (ROI) is the process of providing PHI access to individuals or entities that are deemed to be authorized to either receive or review it. Protecting the security and privacy of patient information is one of a healthcare organization's top priorities, and the HIM department is usually responsible for determining appropriate access to and ROI from patient health records. Knowledge of state and federal confidentiality laws is critical to the ROI function (Rinehart-Thompson 2016b, 243-244).

The release of information function requires the HIM professional to have knowledge of: a. Clinical coding principles b. Database development c. Federal and state confidentiality laws d. Human resource management

c In the context of healthcare, privacy can be defined as the right of individuals to control access to their personal health information (Rinehart-Thompson 2016b, 214).

The right of an individual to keep personal health information from being disclosed to anyone is a definition of: a. Confidentiality b. Integrity c. Privacy d. Security

c The Privacy Rule addresses the issue of personal representatives. Personal representatives are those who are legally authorized to make healthcare decisions on an individual's behalf or to act on behalf of a deceased individual or that individual's estate. Under the Privacy Rule, then, a personal representative must be treated the same as the individual regarding the use and disclosure of the individual's PHI. In this instance, the fact that the sister is listed in the health record as the caregiver does not make her legally authorized as a personal representative under the Privacy Rule. Her request should be refused (Rinehart-Thompson 2017c, 215-216).

The sister of a patient requests the HIM department to release copies of her brother's health record to her. She states that because the doctor documented her name as her brother's caregiver that HIPAA regulations apply and that she may receive copies of her brother's health record. In this case, how should the HIM department proceed? a. Provide the copies as requested since the sister was a caregiver. b. Provide only copies of the reports where the sister's name is mentioned. c. Refuse the request. d. Refer the individual to legal counsel.

c A covered entity must act on an individual's request for review of PHI no later than 30 days after the request is made, extending the response period by no more than 30 additional days if it gave the individual a written statement within the 30-day time period explaining the reasons for the delay and the date by which the covered entity will complete its action on the request. The covered entity may extend the time for action on a request for access only once (Rinehart- Thompson 2016b, 225).

To comply with HIPAA, under usual circumstances, a covered entity must act on a patient's request to review or copy his or her health information within ________ days. a. 10 b. 20 c. 30 d. 60

b All data security policies and procedures should be reviewed and evaluated annually to make sure they are up-to-date and still relevant to the organization (Rinehart-Thompson 2016c, 264).

To ensure relevancy, an organization's security policies and procedures should be reviewed at least: a. Once every six months b. Once a year c. Every two years d. Every five years

c A covered entity must act on an individual's request for review of protected health information (PHI) no later than 30 days after the request is made, extending the response period by no more than 30 additional days if it gave the individual a written statement within the 30-day time period explaining the reasons for the delay and the date by which the covered entity will complete its action on the request. The covered entity may extend the time for action on a request for access only once. If PHI is not maintained or located on-site, the covered entity is given within 60 days of receipt to respond to a request (Rinehart-Thompson 2016b, 225).

Under HIPAA regulations, how many days does a covered entity have to respond to an individual's request for access to his or her PHI when the PHI is stored off-site? a. 10 days beyond the original requirement b. 30 days c. 60 days d. 90 days

b Section 164.524 of the Privacy Rule states that an individual has a right of access to inspect and obtain a copy of his or her own protected health information (PHI) that is contained in a designated record set, such as a health record. The individual's right extends for as long as the PHI is maintained. However, there are exceptions to what PHI may be accessed. For example, psychotherapy notes; information compiled in reasonable anticipation of a civil, criminal, or administrative action or proceeding; or PHI subject to the Clinical Laboratory Improvements Act (CLIA) are all exceptions (Rinehart-Thompson 2016b, 225).

Under HIPAA rules, when an individual asks to see his or her own health information, a covered entity: a. Must always provide access b. Can deny access to psychotherapy notes c. Can demand that the individual pay to see his or her record d. Can always deny access

d An outsourced transcription company and vendor would be business associates of a covered entity (CE). Although business associates are not directly regulated by the Privacy Rule, they do come under the Privacy Rule's requirements by virtue of their association with one or more CEs. A business associate is a person or organization other than a member of a CE's workforce that performs functions or activities on behalf of or affecting a CE that involve the use or disclosure of individually identifiable health information (45 CFR 160.103(1); Rinehart- Thompson 2017c, 210-211).

Under HIPAA, which of the following is not named as a covered entity? a. Attending physician b. Healthcare clearinghouse c. Health plan d. Outsourced transcription company

a In order for an authorization to be valid, it must contain an expiration date or event that relates to the individual or the purpose of the use or disclosure (Rinehart-Thompson 2016b, 245-246).

Under the HIPAA Privacy rule, which of the following statements is true? a. An authorization must contain an expiration date or event. b. A consent for use and disclosure of information must be obtained from every patient. c. An authorization must be obtained for uses and disclosures for treatment, payment, and operations. d. A notice of privacy practices must give 10 examples of a use or disclosure for healthcare operations.

d An individual may revoke an authorization at any time, provided that he or she does so in writing. However, the revocation does not apply when the covered entity has already taken action on the authorization (Rinehart-Thompson 2017c, 223).

When a patient revokes authorization for release of information after a healthcare facility has already released the information, the facility in this case: a. May be prosecuted for invasion of privacy b. Has become subject to civil action c. Has violated the security regulations of HIPAA d. Is protected by the Privacy Act

a HIPAA gives individuals the right to request access to their PHI, but the covered entity may require that requests be in writing. HIPAA allows a reasonable cost-based fee when the individual requests a copy of PHI or agrees to accept summary or explanatory information (Rinehart-Thompson 2016b, 225).

When an individual requests a copy of the PHI or agrees to accept summary or explanatory information, the covered entity may: a. Impose a reasonable cost-based fee b. Not charge the individual c. Impose any fee authorized by state statute d. Charge only for the cost of the paper on which the information is printed

b Data recovery is the process of recouping lost data or reconciling conflicting data after the system fails. These data may be from events that occurred while the system was down or from backed-up data (Sayles and Trawick 2014, 213).

When data has been lost in an EHR, which action is taken to remedy this problem? a. Build a firewall b. Data recovery c. Review the audit trail d. Develop data integrity plan

b A court order is a document issued by a judge that compels a certain action, such as testimony or the production of documents such as health records. If a document requesting the production of health records is determined to be a court order, it must be complied with regardless of the presence or absence of patient authorization (Rinehart-Thompson 2017a, 58-59).

When served with a court order directing the release of health records, an individual: a. May ignore it b. Must comply with it c. Must request patient authorization before disclosing the records d. May determine whether or not to comply with it

c A subpoena duces tecum means to bring documents and other records with oneself. Such subpoenas may direct the heath information technology (HIT) professional to bring originals or copies of health records, laboratory reports, x-rays, or other records to a deposition or to court. Each state has different rules governing the production of health records in litigation. Often, the component state HIM association of AHIMA has a legal handbook that outlines the various conditions and how HITs should respond to a subpoena (Rinehart-Thompson 2016b, 215).

Which document directs an individual to bring originals or copies of records to court? a. Summons b. Subpoena c. Subpoena duces tecum d. Deposition

a A contingency plan is a standard that requires the establishment and implementation of policies and procedures for responding to emergencies or failures in systems that contain e-PHI. It includes a data backup plan, disaster recovery plan, emergency mode of operation plan, testing and revision procedures, and applications and data criticality analysis to prioritize data and determine what must be maintained or restored first in an emergency (Rinehart-Thompson 2016c, 272).

Which of the following administrative safeguards includes policies and procedures for responding to emergencies or failures in systems that contain e-PHI? a. A contingency plan b. Security training c. Workforce security d. Information access management

b Administrative safeguards include policies and procedures that address the management of computer resources. For example, one such policy might direct users to log off the computer system when they are not using it or employ automatic logoffs after a period of inactivity (Rinehart-Thompson 2016c, 264-265).

Which of the following are policies and procedures required by HIPAA that address the management of computer resources and security? a. Access controls b. Administrative safeguards c. Audit safeguards d. Role-based controls

b Physical safeguards protect physical equipment, media, or facilities. For example, doors leading to the areas that house mainframes and other principal computing equipment should have locks on them (Rinehart-Thompson 2016c, 264).

Which of the following are security safeguards that protect equipment, media, and facilities? a. Administrative controls b. Physical safeguards c. Audit controls d. Role based safeguards

c A kiosk is a special form of input device geared to people less familiar with computers that is located in a provider's waiting room allowing patients to have access to some of their health information and other services (Amatayakul 2016, 305).

Which of the following best describes the function of kiosks? a. A computer station that physicians can use to order medications b. A computer station that unlocks workstations c. A computer station that facilitates integrated communications within the healthcare organization d. A computer station that promotes the healthcare organization's services

a Confidentiality refers to the expectation that the personal information shared by an individual with a healthcare provider during the course of care will be used only for its intended purpose (Rinehart-Thompson 2016b, 214).

Which of the following definitions best describes the concept of confidentiality? a. The expectation that personal information shared by an individual with a healthcare provider during the course of care will be used only for its intended purpose b. The protection of healthcare information from damage, loss, and unauthorized alteration c. The right of individuals to control access to their personal health information d. The expectation that only individuals with the appropriate authority will be allowed to access healthcare information

b Beneficence would require the HIM professional to ensure that the information is released only to individuals who need it to do something that will benefit the patient (for example, to an insurance company for payment of a claim) (Gordon and Gordon 2016c, 604).

Which of the following ethical principles is being followed when a health information management professional ensures that patient information is only released to those who have a legal right to access it? a. Autonomy b. Beneficence c. Justice d. Nonmaleficence

c Covered entities may disclose PHI to public health entities even if the law does not specifically require the disclosure is for the purpose of preventing or controlling disease; injury; or disability; including, but not limited to, the reporting of disease; injury; vital events such as birth or death; and the conduct of public health surveillance (Brodnik 2017c, 411).

Which of the following has access to personally identifiable data without authorization or subpoena? a. Insurance company for life insurance eligibility b. The patient's attorney c. Public health department for disease reporting purposes d. Workers' compensation for disability claim settlement

b Emancipated minors generally may authorize the access and disclosure of their own PHI. If the minor is married or previously married, the minor may authorize the disclosure or use of his or her information. If the minor is under the age of 18 and is the parent of a child, the minor may authorize the access and disclosures of his or her own information as well as that of his or her child (Brodnik 2017b, 343-344).

Which of the following individuals may authorize release of information? a. An 86-year-old patient with a diagnosis of advanced dementia b. A married 15-year-old father c. A 15-year-old minor d. The parents of an 18-year-old student

c Breaches by covered entities and BAs (both governed by HHS breach notification regulations) are deemed discovered when the breach is first known or reasonably should have been known. All individuals whose information has been breached must be notified without unreasonable delay, and within 60 days, by first-class mail or a faster method, such as by telephone, if there is the potential for imminent misuse (Rinehart-Thompson 2016b, 240).

Which of the following is a characteristic of breach notification? a. It is only required when 500 or more individuals are affected b. It applies to both secured and unsecured PHI c. It applies when one person's PHI is breached d. Is only applies when 20 or more individuals are affected

b The HIM professional's core ethical obligations are to protect patient privacy and confidential information and communication and to assure security of that information (Gordon and Gordon 2016c, 609).

Which of the following is a core ethical obligation of health information professionals? a. Coding diseases and operations b. Protecting patients' privacy and confidential communications c. Transcribing health reports d. Performing quantitative analysis on record content

b The audit trail is a software program that tracks every single access to data in the computer system. It logs the name of the individual who accessed the data, the date and time, and the action taken (for example, modifying, reading, or deleting data). Review of audit trails can help detect whether a breach of security has occurred (Rinehart-Thompson 2016c, 265).

Which of the following is a software program that tracks every access to data in the computer system? a. Access control b. Audit trail c. Edit check d. Risk assessment

a Although business associates are not directly regulated by the Privacy Rule, they do come under the Privacy Rule's requirements by virtue of their association with one or more covered entities. Some examples of business associates are contract coder, billing companies, consultants, accounting firms, and the like (Rinehart-Thompson 2017c, 211-212).

Which of the following is an example of a business associate? a. Contract coder b. Environmental services department c. Hospital security officer d. Employee with access to e-PHI

c Physical safeguards refer to the physical protection of information resources from physical damage, loss from natural or other disasters, and theft. This includes protection and monitoring of the workplace, computing facilities, and any type of hardware or supporting information system infrastructure such as wiring closets, cables, and telephone and data lines. To protect from intrusion, there should be proper physical separation from the public. Doors, locks, audible alarms, and cameras should be installed to protect particularly sensitive areas such as data centers (Rinehart-Thompson 2016c, 264).

Which of the following is an example of a physical safeguard that should be provided for in a data security program? a. Using password protection b. Prohibiting the sharing of passwords c. Locking computer rooms d. Annual employee training

c Data security includes insuring that workstations are protected from unauthorized access. If a workstation is inactive for a period of time specified by the organization, it should log itself off automatically. The automatic log off helps prevent unauthorized users from accessing e-PHI when an authorized user walks away from the computer without logging out of the system (Sayles and Trawick 2014, 223-224).

Which of the following is an example of data security? a. Contingency planning b. Fire protection c. Automatic logoff after inactivity d. Card key for access to data center

b Disaster planning occurs through a contingency plan—a set of procedures, documented by the organization to be followed when responding to emergencies. It encompasses what an organization and its personnel need to do both during and after events that limit or prevent access to facilities and patient information (Rinehart-Thompson 2016c, 267).

Which of the following is an organization's planned response to protect its information in the case of a natural disaster? a. Administrative controls b. Contingency plan c. Audit trail d. Physical controls

c Strong authentication requires providing information from two of the three different types of authentication information. The three methods are something you know such as a password or PIN; something you have, such as an ATM card, token, swipe card, or smart card; and something you are, such as a biometric fingerprint, voice scan, iris, or retinal scan. An individual who provides something he knows (password) and something he has (swipe card) is called two-factor authentication (Rinehart-Thompson 2016c, 262-263).

Which of the following is considered a two-factor authentication system? a. User ID with a password b. User ID with voice scan c. Password and swipe card d. Password and PIN

d Security awareness requires entities to provide security training for all staff. They must address security reminders, detection and reporting of malicious software, login monitoring, and password management. Edit checks, audit trails, and password management can all be programmed to be automatic controls where a security awareness program cannot (Rinehart- Thompson 2016c, 272).

Which of the following is not an automatic control that helps preserve data confidentiality and integrity in an electronic system? a. Edit checks b. Audit trails c. Password management d. Security awareness program

c To meet the individually identifiable element of PHI, the information must meet all three portions of a three-part test: it must either identify the person or provide a reasonable basis to believe the person could be identified from the information given; it must relate to one's past, present, or future physical or mental health condition, the provision of healthcare, or payment for the provision of healthcare; and it must be held or transmitted by a covered entity or its business associate (Rinehart-Thompson 2017c, 213).

Which of the following is not an element that makes information "PHI" under the HIPAA Privacy Rule? a. Identifies an individual b. In the custody of or transmitted by a CE or its BA c. Contained within a personnel file d. Relates to one's health condition

a One of the most fundamental terms in the Privacy Rule is protected health information (PHI), defined by the rule as "individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium" (45 CFR 160.103). To meet the individually identifiable element of PHI, information must meet all three portions of a three-part test. It must either identify the person or provide a reasonable basis to believe the person could be identified from the information given. It must relate to one's past, present, or future physical or mental health condition; the provision of healthcare; or payment for the provision of healthcare. It must be held or transmitted by a covered entity or its business associate (Rinehart-Thompson 2017c, 213).

Which of the following is not an identifier under the Privacy Rule? a. Age 75 b. Vehicle license plate BZ LITYR c. Street address 265 Cherry Valley Road d. Visa account 2773 985 0468

a AHIMA outlines the requirements for the content of the notice of privacy practices. One requirement is that a description (including at least one example) is to be given of the types of uses and disclosures the covered entity is permitted to make for treatment, payment, and healthcare operations (Rinehart-Thompson 2016b, 230-231).

Which of the following is not true about the Notice of Privacy Practices? a. It must include at least two examples of how information is used for both treatment and operations. b. It must include a description of the right to request restrictions on certain uses and disclosures. c. It must explain the patient's right to inspect and copy PHI. d. It must include a description of the patient's right to amend PHI.

c Healthcare providers with a direct treatment relationship with an individual must provide the notice of privacy practices no later than the date of the first service delivery (for example, first visit to a physician's office, first admission to a hospital, or first encounter at a clinic), including service delivered electronically. Notices must be available at the site where the individual is treated and must be posted in a prominent place where patients can reasonably be expected to read it. If the facility has a website with information on the covered entity's services or benefits, the notice of privacy practices must be prominently posted to it (Rinehart-Thompson 2016b, 230-231).

Which of the following is not true of Notices of Privacy Practices? a. Must be made available at the site where the individual is treated b. Must be posted in a prominent place c. Must contain content that may not be changed d. Must be prominently posted on the covered entity's website when the entity has one

b The HIM professional must consider multiple factors when developing health record retention policies that determine how long health records are to be kept. These factors include applicable federal and state statutes and regulations; accreditation standards; operational needs of the organization; and the type of organization, thus retention policies differ among healthcare facilities (Rinehart-Thompson 2016a, 206-207).

Which of the following is true about health information retention? a. Retention depends only on accreditation requirements b. Retention periods differ among healthcare facilities c. The operational needs of a healthcare facility cannot be considered d. Retention periods are frequently shorter for health information about minors

a Not all information must be kept forever. Just as the HIM professional must consider multiple factors when determining retention, many factors must also be taken into consideration with regard to health record destruction. These include applicable federal and state statutes and regulations; accreditation standards; pending or ongoing litigation; storage capabilities; and cost (Rinehart-Thompson 2016a, 208).

Which of the following is true regarding the development of health record destruction policies? a. All applicable laws must be considered b. The organization must find a way not to destroy any health records c. Health records involved in pending or ongoing litigation may be destroyed d. Only state laws must be considered

b The American Recovery and Reinvestment Act of 2009 (ARRA) is considered one of the major health information technology laws that provided stimulus funds to the US economy in the midst of a major economic downturn. A substantial portion of the bill, Title XIII of the Act entitled the Health Information Technology for Economic and Clinical Health (HITECH) Act, was part of ARRA (Kellogg 2016a, 28).

Which of the following laws created the HITECH act? a. Health Insurance Portability and Accountability Act b. American Recovery and Reinvestment Act c. Consolidated Omnibus Budget Reconciliation Act d. Healthcare Quality Improvement Act

b The General Rules provide the objective and scope for the HIPAA Security Rule as a whole. They specify that covered entities must develop a security program that includes a range of security safeguards that protect individually identifiable health information maintained or transmitted in electronic form (Rinehart-Thompson 2016c, 271).

Which of the following provide the objective and scope for the HIPAA Security Rule as a whole? a. Administrative provisions b. General rules c. Physical safeguards d. Technical safeguards

b Data integrity means that data should be complete, accurate, consistent, and up-to-date. With respect to data security, organizations must put protections in place so that no one may alter or dispose of data in a manner inconsistent with acceptable business and legal rules (Johns 2015, 211).

Which of the following refers to guarding against improper information modification or destruction? a. Confidentiality b. Integrity c. Privacy d. Security

c One security strategy is to implement application safeguards. These are controls contained in the application software or computer programs. One common application control is password management. It involves keeping a record of end users' identifications and passwords and then matching the passwords to each end user's privileges (Rinehart-Thompson 2016c, 265).

Which of the following security controls are built into a computer software program? a. Physical safeguards b. Administration safeguards c. Application safeguards d. Media safeguards

a Health record retention policies depend on a number of factors. They must comply with state and federal statutes and regulations. Retention regulations vary by state and possibly by organization type. Health records should be retained for at least the period specified by the state's statute of limitations for malpractice, and other claims must be taken into consideration when determining the length of time to retain records as evidence (Rinehart-Thompson 2016a, 206).

Which of the following should be considered first when establishing health record retention policies? a. State retention requirements b. Accreditation standards c. AHIMA's retention guidelines d. Federal requirements

a A patient has the opportunity to agree or disagree with being placed in a patient directory. They must be given the opportunity to determine if they want to be placed in the directory or not, but it does not need to be in writing (Rinehart-Thompson 2016b, 234).

Which of the following statements about the directory of patients maintained by a covered entity is true? a. Individuals must be given an opportunity to restrict or deny permission to place information about them in the directory. b. Individuals must provide a written authorization before information about them can be placed in the directory. c. The directory may contain only identifying information such as the patient's name and birth date. d. The directory may contain private information as long as it is kept confidential.

c Under the Privacy Rule, healthcare providers are not required to obtain patient consent to use or disclose personal identifiable information for treatment, payment, and healthcare operations (Rinehart-Thompson 2016b, 223).

Which of the following statements is false with regard to the HIPAA Privacy Rule? a. A notice of privacy practices must be written in plain language. b. A notice of privacy practices must have a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization. c. An authorization must be obtained for uses and disclosures for treatment, payment, and operations. d. A notice of privacy practices must give an example of a use or disclosure for healthcare operations.

b Agreements between the covered entity and a business associate include: requiring the business associate to make available all of its books and records relating to protected health information (PHI) use and disclosure to the Department of Health and Human Services or its agent; prohibiting the business associate from using or disclosing PHI in any way that would violate the HIPAA Privacy Rule; and prohibiting the business associate from using or disclosing PHI for any purpose other than that described in the contract with the covered entity; and other agreements. But, it does not allow the business associate to maintain PHI indefinitely (Rinehart- Thompson 2016b, 220-222).

Which of the following statements is not true about a business associate agreement? a. It prohibits the business associate from using or disclosing PHI for any purpose other than that described in the contract with the covered entity. b. It allows the business associate to maintain PHI indefinitely. c. It prohibits the business associate from using or disclosing PHI in any way that would violate the HIPAA Privacy Rule. d. It requires the business associate to make available all of its books and records relating to PHI use and disclosure to the Department of Health and Human Services or its agents.

b HIPAA allows the covered entity to impose a reasonable cost-based fee when the individual requests a copy of PHI or agrees to accept summary or explanatory information. The fee may include the cost of: copying, including supplies, labor, and postage. HIPAA does not permit "retrieval fees" to be charged to patients (Rinehart-Thompson 2016b, 225).

Which of the following statements is true in regard to responding to requests from individuals for access to their protected health information (PHI)? a. A cost-based fee may be charged for retrieval of the PHI. b. A cost-based fee may be charged for making a copy of the PHI. c. No fees of any type may be charged. d. A minimal fee may be charged for retrieval and copying of PHI.

b HIPAA allows a covered entity to adopt security protection measures that are appropriate for its organization as long as they meet the minimum HIPAA security standards. Security protections in a large medical facility will be more complex than those implemented in a small group practice (Rinehart-Thompson 2016c, 271).

Which of the following statements is true regarding HIPAA security? a. All institutions must implement the same security measures. b. Institutions are allowed flexibility in the way they implement HIPAA standards. c. All institutions must implement all HIPAA specifications. d. A security risk assessment must be performed every year.

a Nonmaleficence would require the HIM professional to ensure that the information is not released to someone who does not have authorization to access it and who might harm the patient if access were permitted (for example, a newspaper seeking information about a famous person) (Gordon and Gordon 2016c, 604).

Which of the following statements represents an example of nonmaleficence? a. HITs must ensure that patient-identifiable information is not released to unauthorized parties. b. HITs must apply rules fairly and consistently to every case. c. HITs must ensure that patient-identifiable information is released to the parties who need it to provide services to their patients. d. HITs must ensure that patients themselves, and not other parties, are authorizing access to the patients' individual health information.

c As EHRs are being implemented without paper backup, contingency planning and disaster recovery is becoming increasingly important. Not only must a healthcare organization be able to replace data if a server or storage device is destroyed in some manner, but organizations need to be able to instantaneously failover to another server during a server crash. Back up of stored data has been routinely performed by most healthcare organizations. To reduce the risk of downtime, healthcare organizations now must also have server redundancy with server failover (Sayles and Trawick 2014, 212-213).

Which of the following technologies would reduce the risk that information is not accessible during a server crash? a. RAID b. Storage area network c. Server redundancy d. Tape or disk backup

a A security threat is anything that can exploit a security vulnerability. Vulnerability is a weakness or gap in security protection. In this situation the lack of encryption for the laptop would be considered a security vulnerability as the contents could be more easily accessed (Johns 2015, 219).

Which of the following would be considered a security vulnerability? a. Lack of laptop encryption b. Workforce employees c. Tornado d. Electrical outage

b Customized letters are critical to the ROI system. Customized letters and forms may be used to communicate with the requestor for many purposes including a letter notifying the individual making a request that the authorization is invalid (Sayles and Trawick 2014, 114).

Which of the following would be part of the release of information system? a. Letter asking for additional information on a patient previously treated at the hospital b. Letter notifying the individual that the authorization was invalid c. Letter notifying the physician that he has delinquent health records d. Letter asking the physician to clarify primary diagnosis

d Data must be available continuously. When paper as a backup no longer exists in a paperless electronic health record (EHR) environment, users must be assured that the computer system is available to them at all times. To achieve such availability, an EHR should have server redundancy. This means that as data are entered and processed by one server, they are entered and processed simultaneously by a second server. Should the primary server crash, the system should be designed to "fail over" to the second server and can continue processing as if, at least from the user's point of view, nothing had happened (Rinehart-Thompson 2016a, 212-213).

Which of the following would be the best course of action to take to ensure continuous availability of electronic data? a. Acquire storage management software. b. Send data to a remote site using the Internet. c. Store data on RAID. d. Use redundant servers.

b Ownership of the health record has traditionally been granted to the provider who generates the record (Brodnik 2017a, 9).

Who owns the health record? a. Patient b. Provider who generated the information c. Insurance company who paid for the care recorded in the record d. No one

a Every member of the covered entity's workforce must be trained in PHI policies and procedures to maintain the privacy of patient information, uphold individual rights guaranteed by the Privacy Rule, and report alleged breaches and other Privacy Rule violations (Rinehart- Thompson 2016b, 249).

With regard to training in PHI policies and procedures: a. Every member of the covered entity's workforce must be trained b. Only individuals employed by the covered entity must be trained c. Training only needs to occur when there are material changes to the policies and procedures d. Documentation of training is not required

a Within the context of data security, protecting data privacy means safeguarding access to information. Only those individuals who need to know information should be authorized to access it (Johns 2015, 210-211).

Within the context of electronic health records, protecting data privacy means defending or safeguarding: a. Access to information b. Data availability c. Health record quality d. System implementation

c Covered entities must obtain a written contract with business associates or other entities who handle e-PHI. The written contract must stipulate that the business associate will implement HIPAA administrative, physical, and technical safeguards and procedures and documentation requirements that safeguard the confidentiality, integrity, and availability of the e-PHI that it creates, receives, maintains, or transmits on behalf of the covered entity (Rinehart-Thompson 2016b, 220).

Written business associate agreements are required with: a. Any company where work is outsourced b. Any outside company that handles electronic data c. Any outside company that handles electronic PHI d. Every outside company