WEEK 3: Domain 6 Confidentiality Quiz

When should the patient receive a copy of the Notice of Privacy Practices? A. With any preappointment information B. Initial encounter C. Facility is only required to publicly post the Notice of Privacy Practices. D. Within 3 days after the initial appointment

According to the HIPAA Privacy Rule the patient must be provided a copy of the Notice of Privacy Practices at the initial encounter. Here's a great link: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/index.html

All the following are examples of a Business Associate EXCEPT A. janitor service. B. answering service. C. IT consultant. D. law office.

Business associates are vendors (to a covered entity) that create, receive, maintain, or transmit protected health information (PHI). A member of the covered entity's workforce is NOT a business associate, nor is someone who may encounter patient information by chance (like a janitor service or an electrician).

Under the HIPAA Privacy Rule, all the following are considered workforce members EXCEPT for a A. pharmacy technician trainee. B. health care volunteer. C. electrician. D. clinical lab intern.

C. electrician

Ensuring that data have been modified or accessed only by individuals who are authorized to do so is a function of data A. validity. B. accuracy. C. quality. D. integrity.

Data integrity refers to the assurance that information can only be accessed and modified by those authorized to do so.

The final HITECH Omnibus Rule expanded some of HIPAA's original requirements, including changes in immunization disclosures. As a result, where states require immunization records of a minor prior to admitting a student to a school, a covered entity is permitted to disclose proof of immunization to a school without A. any communication with the parent. B. documentation of any kind. C. written authorization by the child. D. written authorization of the parent.

The "Disclosure of Student Immunizations to Schools" provision of the final rule permits a covered entity to disclose proof of immunization to a school (where state law requires it prior to admitting a student) without written authorization of the parent. An agreement must still be obtained and documented, but no signature by the parent is required.

The three components of a data security program are confidentiality, integrity, and A. validity. B. protection. C. availability. D. authentication.

The three components of a security plan are confidentiality, integrity, and availability.

This is an example of an administrative safeguard. A. Locking offices and file cabinets containing PHI. B. Shredding unneeded documents containing PHI. C. Minimizing the amount of PHI on desktops. D. Implement policies and procedures to prevent, detect, and correct security violations.

Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information. Locking offices and file cabinets, minimizing the amount of PHI on desktops, and shredding unneeded documents are physical safeguards.

A physician has come to the HIM department because he wants a new smartphone to be able to access patient records. This way he can enter orders when he is outside of the hospital. You need to direct the IT department to A. encrypt the phone so access is protected. B. send the physician to computer classes. C. limit the physician's access to the hospital's network. D. explain that this would be a HIPAA violation.

All transmissions to and from the hospital should be encrypted, especially mobile devices, such as a smartphone. The HIPAA Privacy Rule establishes national standards for giving patients the right to access and request amendment of their protected health information (PHI) as well as requesting restrictions on the use or disclosure of such information. The HIPAA Security Rule establishes a national set of security standards for the confidentiality, integrity, and availability of electronic protected health information. The HIPAA Privacy and Security Rules apply to covered entities. Covered entities include health care providers and professionals such as doctors, nurses, psychologists, dentists, and chiropractors. Individuals and organizations that meet the definition of a covered entity and who transmit health information in electronic form in connection with certain transactions must comply with the Rules' requirements to protect the privacy and security of health information, even when using mobile devices.

It is recommended that all but which of the following information should be permanently retained in some format, even when the remainder of the health record is destroyed? A. discharge summaries B. physician names C. nursing notes D. dates of admission, discharge, and encounters

Although most of the medical record information can be destroyed after a certain time constraint, dates of admission, discharge, and encounters are permanently retained in the facility's master patient index (MPI). The following is recommended to be permanently retained in some format, even when the remainder of the health record is destroyed: physician names, nursing notes, and discharge summaries.

Identify the requester that requires patient authorization before releasing PHI. A. patient's attorney B. the nurse caring for the patient C. the public health department D. a business associate

An authorization is not required for TPO, which includes business associates. It is also not required for public health activities. It is, however, required for release to the patient's attorney.

Determine which one of the following is NOT a technical security control employed by electronic health record systems. A. automatic log off B. audit trails C. data encryption protocols D. user-based access controls

Automatic log off after a period of inactivity is an administrative safeguard, not a technical security control employed by electronic health record systems. Technical safeguards consist of five categories: access controls, audit controls, integrity, person or identity authentication, and transmission security.

Identify when the covered entity has to notify CMS immediately. A. when 100 or more patients are impacted B. when 500 or more patients are impacted C. when 250 or more patients are impacted D. when 200 or more patients are impacted

CMS must be notified immediately when 500 or more patients are impacted. Below that number, the notification can be done at the end of the year.

A health care facility has made a decision to destroy computerized data. AHIMA recommendations identify which of the following methods as the preferred method of destruction for computerized data? A. magnetic degaussing B. overwriting data with a series of characters C. disk reformatting D. overwriting the backup tapes

Computerized data can be erased by neutralizing the magnetic field. This destruction method is called magnetic degaussing. Incorrect answers: Disk reformatting is the process of preparing or revising a device such as a USB flash drive to store new or different data. Overwriting the backup tapes is a recycling process by overwriting backup tapes with new backup data. This is usually done on a schedule, for example, daily or weekly. This deletion process is not secure. Overwriting data with a series of characters is a process to remove data by overwriting the data with algorithms. This deletion method is never secure.

You have been given the responsibility of destroying the PHI contained in the information system's old server before it is trashed. Recommend an appropriate destruction method. A. degaussing B. overwriting data C. incineration D. crushing

Degaussing is an appropriate method of destruction for electronic data as it renders it irretrievable. Crushing is usually used for destroying CDs and DVDs. Shredding is used for paper PHI. Incineration can also be used for paper PHI.

John is a 45-year-old male who is mentally disabled. Identify who can authorize release of his health record. A. John's sister B. John C. executive of his will D. legal guardian

Even though John is of age, he is mentally incompetent and therefore requires a guardian to sign the release. John's sister could only sign the authorization if she was his legal guardian. The executive of his will only applies if John is deceased.

A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until _____ years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments. A. 5 B. 7 C. 6 D. 10

HIPAA Policies and Procedures and Documentation Requirements A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments. Updates. A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI).

HIPAA allows health care providers to charge patients reasonable cost-based charges for copies of their health record. Identify when the patient can be charged. A. utilities B. preparing a summary C. retrieval fees D. insurance for the healthcare organization

HIPAA allows patients to be charged for preparing a summary; however, nonpatients may be charged for the other listed fees.

According to the HIPAA Privacy Rule, which of the following would be considered a covered entity? A. Department of Health and Human Services B. Joint Commission C. Health plans D. Office of Inspector General

HIPAA rules define a covered entity as (1) health plans, (2) healthcare clearinghouses, and (3) healthcare providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Department of Health and Human Services was created to protect the health of all Americans and providing essential human services. Joint Commission evaluates healthcare organizations and inspiring them to excel in providing safe and effective care of the highest quality and value. Office of Inspector General is to detect and deter fraud, waste, and abuse.

To ensure that protected health information (PHI) is kept secure, internal audits are necessary to confirm the facility's compliance with A. the Security Rule. B. the False Claims Act. C. Stark Law. D. the Anti-Kickback Statute.

HIPAA's Security Rule is a federal law the covers administrative, physical, and technical safeguards to protect patient PHI. The False Claims Act, Stark Law, and Anti-Kickback Statute (AKS) are three other important federal fraud and abuse laws that apply to physicians. The False Claim Act (FCA) is a federal law that makes it a crime for any person or organization to knowingly make a false record or file a false claim regarding any federal health care program which is funded directly, in whole or in part, by the United States Government or any state health care system. The physician Self-Referral Law, commonly referred to as the Stark Law, prohibits physicians from referring patients to receive "designated health services" payable by Medicare or Medicaid from entities with which the physician or an immediate family member has a financial relationship, unless an exception applies. Financial relationships include both ownership/investment interests and compensation arrangements. The Anti-Kickback Statute (AKS) is a criminal law that prohibits the knowing and willful payment of "remuneration" to induce or reward patient referrals or the generation of business involving any item or service payable by the Federal health care programs.

An employee in the admission department stole the patient's name, Social Security number, and other information and used it to get a credit card in the patient's name. This is an example of A. mitigation. B. disclosure. C. identity theft. D. release of information.

Identity theft is using an individual's Social Security number and other identifying information to obtain credit cards or otherwise represent them. Mitigation is limiting the negative impact on a patient when there is a privacy or security breach. Disclosure is releasing patient information outside of the healthcare organization. Release of information is the process of releasing health information.

According to the HIPAA privacy rule, protected health information includes A. individually identifiable health information in any format stored by a health care provider or business associate. B. only electronic individually identifiable health information. C. non-individually identifiable health information in any format stored by a health care provider. D. only paper individually identifiable health information.

Individually identifiable health information in any format stored by a health care provider or business associate. PHI includes all individually identified health information, regardless of format. ePHI, however, includes only electronic PHI. Incorrect answers: 1) non-individually identifiable health information in any format stored by a health care provider. 2) Only electronic individually identifiable health information. 3) Only paper individually identifiable health information.

A mechanism used to ensure that PHI has not been altered or destroyed inappropriately is known as A. integrity. B. audit controls. C. entity authentication. D. access control.

Integrity is ensuring that data is not inappropriately changed. This can be in motion or at rest. Access control is determining who has access to an information and what they have access to. Audit controls are methods of monitoring the information system for security breaches and incidents. Entity authentication is determining if an information system user is who he or she claims to be.

In most situations the person who authorizes release of medical information is the A. CEO. B. CFO. C. patient. D. health care provider.

Medical facilities frequently receive medical record release requests from multiple sources, including subpoenas, attorney letters, and patients themselves. However, in most situations the patient signs a release form including signature, printed name, date, and records desired. Release a copy only, not the original. CFO—A health care chief financial officer is the person who ensures that a hospital or hospital systems runs in the most cost-effective manner. CEO—Chief Executive Officer—the executive who holds the position to ensure that almost every aspect of the health care facilities under their care perform efficiently while ensuring that all employees have the equipment and resources, they need to deliver the best quality patient. Provider—an individual health professional or a health facility organization licensed to provide healthcare diagnosis and treatment services including medication, surgery, and medical devices.

A document requirement of health organizations pursuant to HIPAA legislation, that informs patient how a covered entity intends to use and disclose protected health information is called A. periodic performance review (PPR). B. Notice of Privacy Practices (NPP). C. incident report. D. informed consent.

Notice of Privacy Practices is a requirement of HIPAA's Privacy Rule. None of the other documents are related to HIPAA.

If the health care facility uses a business associate offshore, the business associate A. requires written authorization from the patient. B. is required to follow HIPAA. C. is exempt from following HIPAA. D. is violation of HIPAA.

Offshore business associates are permitted under HIPAA and the law applies to them in the same way it applies to ones located within the United States. As a covered entity, you will want your business associate agreement to require them to agree to the jurisdiction of U.S. courts.

Which of the following is an example of an external data threat? A. Intern accessing celebrity medical records B. Power outage C. Unlocked workstation computer D. Malware and phishing attempts to steal log in credentials

One of the most challenging issues dealing with malware is that it only takes one seemingly authentic link to introduce a malicious cyber presence into the network. Sophisticated malware and phishing attempts can plant malicious scripts on a computer or steal login credentials that can compromise an entire system. Unlocked workstation computer and Intern accessing celebrity medical records are examples of an internal breach.

Which of the following would be deleted in the process of de-identification of protected patient information? A. Principal diagnosis code B. Facility NPI number C. Place of service code D. Date of birth

Patient identifiers include patient's full name, date of birth, social security number, contact information such as address and phone numbers, name and contact information of the next of kin, emergency contact information, and other personal information deemed necessary for health care delivery operations (e.g., employer information and insurance information). The facility NPI number—National Provider Identifier Number—is a 10-digit numerical identifier that identifies an individual provider or a health care entity. Principal diagnosis code establishes medical necessity for procedures provided to the patient. Place of service codes are two-digit codes placed on health care professional claims to indicate the setting in which a service was provided

The admissions clerk asks why he has to check the patient's driver's license to ensure that this is the correct patient. Educate the admissions clerk. A. The is meeting the HIPAA requirement of access control. B. This meets the HIPAA requirement of authentication. C. This meets the HIPAA requirement of verification. D. This meets the HIPAA requirement of authorization.

Patient verification is ensuring that the patient is who they say they are. Authentication is verifying that the USER of the information system is who they say they are. Authorization is gaining the patient's consent to utilize PHI. Access control is controlling who can access an information and what they can do.

Which of the following is an example of a physical safeguard? A. Audit controls B. Identifying a privacy officer C. A dual authentication for log in D. Locking offices and file cabinets containing PHI

Physical Safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion. Some examples of physical safeguards are the following: Controlling building access with a photo-identification/swipe card system. Locking offices and file cabinets containing PHI. Turning computer screens displaying PHI away from public view. Minimizing the amount of PHI on desktops. Shredding unneeded documents containing PHI. Audit controls and effective security safeguards are part of normal operational management processes to mitigate, control, and minimize risks that can negatively impact business operations and expose sensitive data. Dual authentication is a security safeguard—combination would be a username and password

Identify the type of health records that the patient cannot have access to. A. AIDS records B. Psychotherapy notes C. A mental health assessment D. Alcohol and drug records

Psychotherapy notes are not part of the designated record set and therefore cannot be released to the patient. They are for use by the health care professional only. AIDS records, mental health assessments, and alcohol and drug records can be released at the request of the patient.

All of these details must be included in the documentation of record destruction EXCEPT A. statement that records were destroyed in the normal course of business B. dates the patient had surgery C. method of destruction D. signature of the individuals supervising and witnessing the destruction

Record destruction documentation should include the dates of service of the records that are being destroyed, but not specific dates of service. Documentation of record destruction should also include: a statement that records were destroyed in the normal course of business; the method of destruction; and signatures of the individuals supervising and witnessing the destruction.

Using a Role-Based Access Control methodology to determine who gets access to which files within an electronic health record (EHR) means that password controls will be identified by A. the workstation being used. B. full-time / part-time status. C. seniority (who has been there the longest). D. the individual's job description.

Role-Based Access Control to an EHR is determined by the individual's job description, identifying which records they are permitted to access and whether they can read and write or read only.

All of these are acceptable destruction methods when health records are no longer required, EXCEPT A. burning, shredding, or pulverizing of paper records. B. shredding or cutting of DVDs. C. magnetic degaussing for computerized data. D. deleting files from the server.

Simply deleting files from a computer or server does not sufficiently destroy them. In the absence of any state law to the contrary, medical offices must ensure paper and electronic records are destroyed by a method that provides for no possibility that the protected health information can be reconstructed. A common destruction method is magnetic degaussing for computerized data.

You submitted your resignation from Coastal Hospital. Your last day is today. You should no longer have access to the EHR and other information systems as of 5:00 PM today. The removal of your information system privileges is known as A. terminating access. B. isolating access. C. password management. D. sanction policy.

Terminating access is eliminating an employee's access to an information system once they leave the organization. Password management is the process of establishing policies and processes related to passwords. Isolating access is completely separating data between two parts of an organization. For example, a company owns a home health organization and a widget manufacturing company. The home health organization must design their information systems to prevent the widget portion of the company from accessing PHI.

Which of the following HIPAA regulation titles require the Department of Health and Human Service to establish national standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers? A. Title V: Revenue Offsets B. Title II: HIPAA Administrative Simplification C. Title III: HIPAA Tax Related Health Provisions D. Title I: HIPAA Health Insurance Reform

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services to establish national standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data. Title I of the Health Insurance Portability and Accountability Act of 1996 protects health insurance coverage for workers and their families when they change or lose their jobs. Title III provides for certain deductions for medical insurance and makes other changes to health insurance law. Title V includes HIPAA provisions related to company-owned life insurance, treatment of individuals who lose U.S. Citizenship for income tax purposes and repeals the financial institution rule to interest allocation rules.

Which of the following is an exception to the HIPAA "Minimum Necessary" standard? A. Requests from the spouse of a patient for their records B. Request for lab for test's medical necessity C. Requests from patients for copies of their own medical records D. Request for operative reports from a family member of a patient

The HIPAA "Minimum Necessary" standard applies to most uses and disclosures of PHI, but there are six exceptions as detailed below. Health care providers making requests for PHI for the purpose of providing treatment to a patient Requests from patients for copies of their own medical records Requests for PHI when there is a valid authorization from the subject of the PHI Requests for PHI that are required for compliance with the HIPAA Administrative Simplifications Rules Requests for a disclosure of PHI by the Department of Health and Human Services required for the enforcement of compliance with HIPAA Rules under 45 CFR Part 160 Subpart C Requests for PHI that are otherwise required by law

The standard that requires all HIPAA covered entities and business associates to restrict the uses and disclosures of protected health information (PHI) is called A. minimum Necessary. B. No disclosure is permitted. C. PFSH. D. patient consent.

The HIPAA "Minimum Necessary" standard requires all HIPAA covered entities and business associates to restrict the uses and disclosures of protected health information (PHI) to the minimum amount necessary to achieve the purpose for which it is being used, requested, or disclosed. Patient consent—The process of informed consent occurs when communication between a patient and physician results in the patient's authorization or agreement to undergo a specific medical intervention. The Past, Family and/or Social History (PFSH) includes a review in three areas: Past History: The patient's past illnesses, operations, injuries, medications, allergies, and/or treatments

The HIPAA enforcement agency is the A. Department Health and Human Services. B. Office for Civil Rights. C. Joint Commission. D. Office of Inspector General.

The Office for Civil Rights (OCR) is the HIPAA enforcement agency. OCR laws protect the rights of individuals and entities from unlawful discrimination based on race, color, national origin, disability, age, or sex in health and human services. Department of Health and Human Services was created to protect the health of all Americans and providing essential human services. Joint Commission evaluates health care organizations and inspiring them to excel in providing safe and effective care of the highest quality and value. Office of Inspector General is to detect and deter fraud, waste, and abuse

The HIPAA Privacy Rule allows patients access to their personal health information. The exception to this rule is A. medical management record. B. psychotherapy notes. C. billing records. D. radiology records.

The Privacy Rule generally requires HIPAA covered entities (health plans and most healthcare providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more "designated record sets" maintained by or for the covered entity. An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. Two categories of information are expressly excluded from the right of access: Psychotherapy notes, which are the personal notes of a mental healthcare provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient's medical record. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

The health facility uses an answering system business. Medical information is never included, only the name and number of a patient for a callback. The answering system business is considered a(n) A. adjunct employee. B. business associate. C. corporate entity. D. clearinghouse.

The answering system business is considered a business associate because PHI is more than a medical diagnosis (or complaint). A name alone, or a phone number alone, in connection with a request for health care is PHI, and by answering the phone for a health care provider they are "receiving" PHI. Adjunct employee is a nonfaculty title given to a healthcare provider under special circumstances by the Medical School to provide health care in university settings. Clearinghouses include organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations. A corporate entity is a business structure formed specifically to perform activities, such as running an enterprise or holding assets.

Determine an appropriate use of the emergency access procedure. A. The coder who usually codes the emergency room charts is out sick and the charts are left on a desk in the ER admitting area. B. Data is collected for administrative purposes. C. An audit is being conducted by the OIG. D. A patient is crashing. The attending physician is not in the hospital, so a physician who is available helps the patient.

The correct answer is the attending physician is not in the hospital, so a physician who is available helps the patient. The emergency mode operation is used when someone who normally does not have access to the PHI needs access. This is generally used in patient care emergencies. It may also be called "breaking the ice." Wrong answers: Emergency access procedure indicates a loss of data and systems containing electronic protected health information due to an emergency. The following would not be appropriate use of the emergency access procedure 1) Data is collected for administrative purposes. 2) The coder who usually codes the emergency room health records is out sick and the health records are left on a desk in the ER admitting area. 3) An audit is being conducted by the OIG.

The expert determination method is a method of A. disclosure. B. criticality assessment. C. emergency mode operation plan. D. de-identification.

The expert determination method is one method that can be used to deidentify protected health information. It removes all identifiers so that the patient cannot be identified. The criticality assessment is determining how important an information system is. The information systems that are the most critical are given priority if multiple information systems are down. Disclosure is providing health information outside of the healthcare organization. The emergency mode operation plan is the process that allows a user to gain access to health information in an emergency. De-identification is removing all identifying data elements from the health record.

The patient was admitted through the Emergency Department and she is anxious about notifying her spouse and her sister. Her spouse is out of town on business and her sister lives in another state. The patient is worried about how they can get updates when she is in surgery, when they cannot prove how they are related to her to clear HIPAA limitations. You tell her not to worry, because A. the hospital can use voice recognition. B. they will need to wait until she is out of surgery. C. the hospital can use facial recognition. D. the hospital can assign special pass codes.

The hospital can assign a special pass code for the patient which she can share with whomever she wants to permit a HIPAA release for information. This will identify them as approved by the patient to be informed on her condition. There are required disclosures, according to HIPAA regulations which include those to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information.

The health care facility is running a contingency plan drill where the EHR is inaccessible. Where would the medical documentation forms that replace the EHR documentation be located? A. State medical boards B. Medical bylaws C. Online D. Hospital board

The medical staff bylaws are a document approved by the hospital's board and establishes the requirements for the members of the medical staff to perform their duties, as well as the standards for the performance of those duties. The facility bylaws should contain every medical form used at the health care facility. The hospital board of directors' role is to serve as the governing body of the hospital. The board is responsible for oversight of the hospital. State medical boards are the agencies that license medical doctors, investigate complaints, discipline physicians who violate the medical practice act, and refer physicians for evaluation and rehabilitation when appropriate.

Identify the purpose of the notice of privacy practices. A. report incidents to the OIG. B. notify the patient of audits. C. notify the patient of uses of PHI. D. notify researchers of allowable data use.

The purpose of the notice of privacy practices is to notify the patient how the covered entity will use the PHI and what the patient's rights are related to PHI. It notifies the patient of typical uses of the health information but does not tell the patient of any audits that their health record is involved in. The notice of privacy practices is given to patients not researchers or the OIG.

The minimum length of time for retaining original medical records is primarily governed by A. Joint Commission. B. state law. C. readmission rates. D. medical staff.

The statute of limitations for each state is information that is crucial in determining record retention schedules.The wrong answers: Readmission rates, medical staff and the Joint Commission must abide by the state law when it comes to the minimum length of time set for retaining original medical records.

Identify the true statement regarding healthcare provider's use of mobile devices. A. ePHI should always be stored on mobile devices. B. Mobile devices are exempt from encryption. C. A specific procedure must be followed for reporting and addressing a lost device. D. Devices should only be owned by the covered entity.

There should be policies in place regarding how to handle lost and stolen mobile devices. Devices may be owned by the covered entity or the user. Mobile devices should use encryption if data is stored on the device however data can be stored remotely such as in the cloud.

Alisa has trouble remembering her password. She taped the password to the bottom of her keyboard. As the chief privacy officer, your appropriate response is: A. This is inappropriate and must be removed. B. A better place would be somewhere in your desk. C. Use something like your daughter's name so that you will remember and not need to write it down. D. Great idea!

This is inappropriate and must be removed. Wrong answers: 1) Passwords should not be written down anywhere 2) Passwords should be unique 3) never use personal information such as your daughter's name or birth date.

HIPAA requires patient permission to be obtained before PHI can be used or disclosed. However, most states mandate health care professionals to report situations, such as suspected child abuse or a contagious disease diagnosis, to their Department of Health. This mandate overrides patient consent. HIM professionals must comply with A. their individual facility's compliance policies because each facility gets to set its own compliance policies. B. state laws which always override federal laws. C. HIPAA, which permits reporting to the state to comply with mandates. D. HIPAA, which does not permit reporting to the state without patient permission.

When a state mandates the reporting of certain specific health concerns, such as contagious diseases or abuse and neglect, HIPAA permits the reporting for the good of public health.

It has been decided that the coders will have access to all e-PHI in the EHR but they will not be able to add or edit data. This process is known as A. workforce clearance procedure. B. information system activity review. C. incidental disclosure D. limited data set.

Workforce clearance procedure is the process of determining what a user has access to in an information system and what they can do. The information system activity review is monitoring the information for unauthorized access. The limited data set is a subset of health information that HIPAA allowed to be released for research, public health and other approved purposes. Incidental disclosure is the release of limited risk such as calling the patient's name.