Content Area: Health Information Privacy and Security Mock Exam
The administrator states that he should not have to participate in privacy and security training as he does not use PHI. How should you respond? Selected Answer: Correct "All employees are required to participate in training, including top administration" Answers: Correct "All employees are required to participate in training, including top administration" "I will record that in my files" "Did you read the privacy rules?" "You are correct. There is no reason for you to participate in the training"
"All employees are required to participate in training, including top administration"
Which of the following statements demonstrates a violation of protected health information? Selected Answer: Correct "Mary, at work yesterday I saw that Susan had a hysterectomy" Answers: "Can you help me find Mary Smith's record?" A member of the physician's office staff calls centralized scheduling and says, "Dr. Smith wants to perform a bunionectomy on Mary Jones next Tuesday" Correct "Mary, at work yesterday I saw that Susan had a hysterectomy" Dr. Jones tells a nurse on the floor to give Ms. Brown Demerol for her pain
"Mary, at work yesterday I saw that Susan had a hysterectomy"
Which of the following techniques would a facility employ for access control? 1 - automatic log off 2 - authentication 3 - integrity controls 4 - unique user identification Selected Answer: Correct 1 and 4 only Answers: Correct 1 and 4 only 1 and 2 only 2 and 4 only 3 and 4 only
1 and 4 only
Physical safeguards include: 1-tools to monitor access 2-tools to control access to computer systems 3-fire protection 4-tools preventing unauthorized access to data Selected Answer: Correct 2 and 3 Answers: 1 and 2 1 and 3 Correct 2 and 3 2 and 4
2 and 3
The hospital has received a request for an amendment. How long does the facility have in order to accept or deny the request? Selected Answer: Correct 30 days Answers: Correct 30 days 60 days 14 days 10 days
30 days
Which of the following statements is true about a requested restriction? Selected Answer: Correct ARRA mandates that a CE must comply with a requested restriction unless it meets one of the exceptions Answers: ARRA mandates that a CE must comply with a requested restriction ARRA states that a CE does not have to agree to a requested restriction Correct ARRA mandates that a CE must comply with a requested restriction unless it meets one of the exceptions ARRA does not address restrictions to PHI
ARRA mandates that a CE must comply with a requested restriction unless it meets one of the exceptions
A patient's medical record was breached. The written notification that goes out to the patient should contain only a message to call the hospital Selected Answer: Correct false statement - the patient should receive a brief description of the breach, what the covered entity is doing about the breach, what the patient should do, and whom to contact Answers: true statement - this is too sensitive to address in a letter Correct false statement - the patient should receive a brief description of the breach, what the covered entity is doing about the breach, what the patient should do, and whom to contact false statement - because the patient should be told to contact the Office of the Inspector General false statement - because the patient should be told what happened and that the facility is sorry and hopes the patient will not have any problems as a result of the breach
False statement - the patient should receive a brief description of the breach, what the covered entity is doing about the breach, what the patient should do, and whom to contact
A mechanism to ensure that PHI has not been altered or destroyed inappropriately has been established. This process is called Selected Answer: Correct integrity Answers: entity authentication audit controls access control Correct integrity
Integrity
Margaret looked up PHI on her ex-sister-in-law. A routine audit discovered the violation. Which statement is true under ARRA? Selected Answer: Correct Margaret cannot be prosecuted since she is not a covered entity Answers: Correct Margaret cannot be prosecuted since she is not a covered entity Margaret cannot be prosecuted since she is not a covered entity or business associate Margaret cannot be prosecuted since she did not sell the PHI Margaret can be prosecuted
Margaret cannot be prosecuted since she is not a covered entity
Mark, a patient of Schnering Hospital, has asked for an electronic copy of his medical record to go to his physician. According to ARRA, what is the CE's obligation to Mark? Selected Answer: Correct Mark has a right to an electronic copy or to have it sent to someone else Answers: None, as this is prohibited by ARRA None, as this is prohibited by HIPAA Mark has a right to an electronic copy, but it has to go to him, not a third party Correct Mark has a right to an electronic copy or to have it sent to someone else
Mark has a right to an electronic copy or to have it sent to someone else
Mary processed a request for information and mailed it out last week. Today, the requestor, an attorney, called and said that all of the requested information was not provided. Mary pulls the documentation, including the authorization and what was sent. She believes that she sent everything that was required. She confirms this with her supervisor. The requestor still believes that some extra documentation is required. Given the above information, which of the following statements is true? Selected Answer: Correct Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule Answers: Correct Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule Mary is required to release the extra documentation because the requestor knows what is needed Mary is required to release the extra documentation because, in the customer service program for the facility, the customer is always right Mary is not required to release the additional information because her administrator agrees with her
Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule
Nicole is developing an agreement that will be used between the hospital and the health care clearing house. This agreement will require the two parties to protect the privacy of data exchanged. This is called Selected Answer: Correct a business associate agreement Answers: Correct a business associate agreement a business contract a trading partner agreement none of the above
a business associate agreement
Mountain Hospital has discovered a security breach. Someone hacked into the system and viewed 50 medical records. According to ARRA, what is the responsibility of the covered entity? Selected Answer: Correct all individuals must be notified within 60 days Answers: ARRA does not address this issue all individuals must be notified within 30 days Correct all individuals must be notified within 60 days ARRA requires oral notification
all individuals must be notified within 60 days
You have been asked to provide examples of technical security measures. Which of the following would you include in your list of examples? Selected Answer: Correct automatic logout Answers: locked doors Correct automatic logout minimum necessary training
automatic logout
Which security measure utilizes fingerprints or retina scans? Selected Answer: Correct biometrics Answers: audit trail Correct biometrics authentication encryption
biometrics
The computer system containing the electronic health record was located in a room that was flooded. As a result, the system is inoperable. Which of the following would be implemented? Selected Answer: Correct business continuity processes Answers: SWOT analysis information systems strategic planning request for proposal Correct business continuity processes
business continuity processes
Alisa has trouble remembering her password. She is trying to come up with a solution that will help her remember. Which one of the following would be the BEST practice? Selected Answer: Correct creating a password that utilizes a combination of letters and numbers Answers: using the word "password" for her password using her daughter's name for her password writing the complex password on the last page of her calendar Correct creating a password that utilizes a combination of letters and numbers
creating a password that utilizes a combination of letters and numbers
Your organization is sending confidential patient information across the Internet using technology that will transform the original data into unintelligible code that can be re-created by authorized users. This technique is called Selected Answer: Correct data encryption Answers: a firewall validity processing a call-back process Correct data encryption
data encryption
Intentional threats to security could include Selected Answer: Correct data theft Answers: a natural disaster equipment failure human error Correct data theft
data theft
As Chief Privacy Officer for Premier Medical Center, you are responsible for which of the following? Selected Answer: Correct developing a plan for reporting privacy complaints Answers: backing up data Correct developing a plan for reporting privacy complaints writing policies on protecting hardware writing policies on encryption standards
developing a plan for reporting privacy complaints
Contingency planning includes which of the following processes? Selected Answer: Correct disaster planning Answers: data quality systems of analysis Correct disaster planning hiring practices
disaster planning
You are defining the designated record set for South Beach Healthcare Center. Which of the following would be included? Selected Answer: Correct discharge summary Answers: quality reports psychotherapy notes Correct discharge summary information compiled for use in civil hearing
discharge summary
You are writing a policy on how to document the amendment process. What information should be required by the policy? Selected Answer: Incorrect documentation of request and refusal Answers: none documentation of request and refusal documentation of request Correct documentation of a request, a refusal, and a patient's right to write a statement of disagreement
documentation of a request, a refusal, and a patient's right to write a statement of disagreement
Dr. Brown has just approved the patient's request to amend the medical record. Dr. Brown has routed the request with his approval to the HIM Department. What should the HIM Department do? Selected Answer: Correct file the request where the erroneous information is located and send a copy of the amendment to anyone who has a copy of the erroneous information plus anyone the patient requests Answers: file the request where the erroneous information is located file the request where the erroneous information is located and send a copy of the amendment to anyone who has a copy of the erroneous information file in the front of the chart Correct file the request where the erroneous information is located and send a copy of the amendment to anyone who has a copy of the erroneous information plus anyone the patient requests
file the request where the erroneous information is located and send a copy of the amendment to anyone who has a copy of the erroneous information plus anyone the patient requests
The surgeon comes out to speak to a patient's family. He tells them that the patient came through the surgery fine. The mass was benign and they could see the patient in an hour. He talks low so that the other people in the waiting room will not hear but someone walked by and heard. This is called a(n) Selected Answer: Correct incidental disclosure Answers: privacy breach violation of policy Correct incidental disclosure privacy incident
incidental disclosure
Patricia is processing a request for medical records. The record contains an operative note and a discharge summary from another hospital. The records are going to another physician for patient care. What should Patricia do? Selected Answer: Correct include the documents from the other hospital Answers: notify the requestor that redisclosure is illegal and so he must get the operative note and discharge summary records from the original source hospital Correct include the documents from the other hospital redisclose when necessary for patient care redisclose when allowed by law
include the documents from the other hospital
Which of the following statements is true about the Privacy Act of 1974? Selected Answer: Incorrect it applies to all organizations that maintain health care data in any form Answers: it applies to all organizations that maintain health care data in any form it applies to all health care organizations Correct it applies to the federal government it applies to federal government except for the Veterans Health Administration
it applies to the federal government
I have been asked if I want to be in the directory. The admission clerk explains that if I am in the directory Selected Answer: Correct my friends and family can find out my room number Answers: Correct my friends and family can find out my room number my condition can be discussed with any caller in detail my condition can be released to the news media my condition can be released to hospital staff only
my friends and family can find out my room number
Facility access controls, workstation use, workstation security, and device/media controls are all part of Selected Answer: Correct physical safeguards Answers: Correct physical safeguards technical safeguards administrative safeguards organizational requirements
physical safeguards
America LTD has developed a PHR. According to ARRA, the health information that they store is Selected Answer: Correct protected Answers: not protected Correct protected mandated to be de-identified subject to security, but not privacy, requirements
protected
Ms. Thomas was a patient at your facility. She has been told that there are some records that she cannot have access to. These records are most likely Selected Answer: Correct psychotherapy notes Answers: Correct psychotherapy notes alcohol and drug records AIDS records mental health assessment
psychotherapy notes
Which of the following would be a business associate? Selected Answer: Correct release of information company Answers: Correct release of information company bulk food service provider childbirth class instructor security force
release of information company
Which of the following disclosures would require patient authorization? Selected Answer: Incorrect law enforcement activities Answers: law enforcement activities workers' compensation Correct release to patient's attorney public health activities
release to patient's attorney
You are writing a policy for the release of information area. This policy will include the requirements for a valid authorization. Which of the following would not be included? Selected Answer: Incorrect expiration Answers: expiration Correct request for an accounting of disclosure statement or right to revoke description of information to be disclosed
request for an accounting of disclosure
You are looking for potential problems and violations of the privacy rule. What is this security management process called? Selected Answer: Correct risk assessment Answers: risk management Correct risk assessment risk aversion business continuity planning
risk assessment
You are reviewing your privacy and security policies, procedures, training programs, and so on, and comparing them to the HIPAA and ARRA regulations. You are conducting a Selected Answer: Incorrect compliance audit Answers: policy assessment Correct risk assessment compliance audit risk management
risk assessment
Kyle, the HIM Director, has received a request to amend a patient's medical record. The appropriate action for him to take is Selected Answer: Correct route the request to the physician who wrote the note in question to determine the appropriateness of the amendment Answers: make the modification because you have received the request file the request in the chart to document the disagreement with the information contained in the medical record Correct route the request to the physician who wrote the note in question to determine the appropriateness of the amendment return the notice to the patient because amendments are not allowed
route the request to the physician who wrote the note in question to determine the appropriateness of the amendment
You work for a 60-bed hospital in a rural community. You are conducting research on what you need to do to comply with HIPAA. You are afraid that you will have to implement all of the steps that your friend at a 900-bed teaching hospital is implementing at his facility. You continue reading and learn that you only have to implement what is prudent and reasonable for your facility. This is called Selected Answer: Correct scalable Answers: Correct scalable risk assessment technology neutral access control
scalable
Encryption, access control, emergency access to records, and biometrics are examples of Selected Answer: Correct technical security Answers: transmission security Correct technical security a security incident telecommunications
technical security
The HIPAA security rule does not require specific technologies to be used but rather provides direction on the outcome. The term used to describe this philosophy is Selected Answer: Correct technology neutral Answers: technology free Correct technology neutral administrative rules generic technology
technology neutral
Which of the following situations violate a patient's privacy? Selected Answer: Correct the hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples Answers: the hospital sends patients who are scheduled for deliveries information on free childbirth classes the physician on the quality improvement committee reviews medical records for potential quality problems Correct the hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples the hospital uses aggregate data to determine whether or not to add a new operating room suite
the hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples
Which of the following should the record destruction program include? Selected Answer: Correct the method of destruction Answers: Correct the method of destruction the name of the supervisor destroying the records citing the laws followed requirement of daily destruction
the method of destruction
A patient has submitted an authorization to release information to a physician office for continued care. The release of information clerk wants to limit the information provided because of the minimum necessary rule. What should the supervisor tell the clerk? Selected Answer: Correct the patient is an exception to the minimum necessary rule, so process the request as written Answers: good call Correct the patient is an exception to the minimum necessary rule, so process the request as written the minimum necessary rule was eliminated with ARRA the minimum necessary rule only applies to attorney
the patient is an exception to the minimum necessary rule, so process the request as written
Which statement is true about when a family member can be provided with PHI? Selected Answer: Incorrect the family member is directly involved in the patient's care Answers: Correct the patient's mother can always receive PHI on their child the family member lives out of town and cannot come to the facility to check on the patient the family member is a health care professional the family member is directly involved in the patient's care
the patient's mother can always receive PHI on their child
Barbara, a nurse, has been flagged for review because she logged in to the EHR in the evening when she usually works the day shift. Why should this conduct be reviewed? Selected Answer: Correct this needs to be investigated before a decision is made because there may be a legitimate reason why she logged in at this time Answers: this is a privacy violation Correct this needs to be investigated before a decision is made because there may be a legitimate reason why she logged in at this time this is not a violation since Barbara, a nurse, has full access to data in the EHR no action is required
this needs to be investigated before a decision is made because there may be a legitimate reason why she logged in at this time
Your department was unable to provide a patient with a copy of his record within the 30-day limitation. What should you do? Selected Answer: Incorrect both write and call the patient to tell him you need a 30-day extension Answers: call the patient and apologize call the patient and let him know that you will need a 30-day extension Correct write the patient and tell him that you will need a 30-day extension both write and call the patient to tell him you need a 30-day extension
write the patient and tell him that you will need a 30-day extension
Margaret has signed an authorization to release information regarding her ER visit for a fractured finger to her attorney. Specifically, she says to release the ER history and physical, x-rays, and any procedure notes related to a finger fracture with laceration. Which of the following violates her privacy if released based on this authorization? Selected Answer: Correct x-ray of chest Answers: release of face sheet used in ER as a history Correct x-ray of chest x-ray of finger documentation of suturing of finger
x-ray of chest