Mock RHIA part 1

The Device and Media Controls Standard requires organizations to implement policies and procedures to:

Address the final disposition of ePHI, hardware, and electronic media Organizations must address the final disposition of ePHI, hardware, and electronic media. There are four implementation specifications within this standard: disposal, media reuse, accountability, and data backup and storage.

A secretary in the nursing office was recently hospitalized with ketoacidosis. She comes to the HIM department and requests to review her health record. Of the options listed, what is the best course of action?

Allow her to review her record after obtaining authorization from her. Review of records by the patient is permitted after the authorization for use and disclosure is verified. Usually hospital personnel should be present during on-site reviews to assist the requester with the paper record or EHR if necessary.

The MPI is necessary to physically locate health records within the paper-based storage system for all types of filing systems exceptwhich of the following?

Alphabetical The master patient index (MPI) includes information for all patients who have been registered or treated at any location in a facility. Regardless of the format of the MPI, it associates the patient with the particular number under which patient treatment information can be located. In an alphabetical filing system, you would be able to locate the patient information without having access to the MPI.

Facility-based cancer registries receive approval as part of the facility cancer program from which of the following agencies?

American College of Surgeons The American College of Surgeons (ACS) Commission on Cancer has an approval process for cancer programs. One of the requirements of this process is the existence of a cancer registry as part of the program. When the ACS surveys the cancer program, part of the survey process is a review of cancer registry activities.

In data quality management the purpose for which data are collected is:

Application Data quality management functions involve continuous improvement for data quality throughout an organization. This includes the application process that is the purpose for which data are collected.

A database rule that states "patient gender must be recorded as M=male, F=female, and U= unknown" is referred to as:

Application control Databases contain rules known as application controls that must be satisfied by the stored data. Data integrity happens when all of the data in the database conform to all rules. Certain fields, such as dates, must be entered in a certain format, such as MM/DD/YYYY. Application controls such as edit checks help ensure that the originally-entered data and changes to these data follow certain rules.

Which of the following is an example of a technical safeguard?

Assigning passwords that limit access to information stored electronically The Security Rule defines technical safeguards as the technology and the policy and procedures for its use that protect ePHI and controls access to it. A covered entity must determine which security measures and technologies are reasonable and appropriate for implementation. A password fulfills the unique user identification requirement of this specification.

A visitor to the hospital looks at the screen of the admitting clerk's computer workstation when the clerk leaves her desk to copy some documents. What security mechanism would best have minimized this security breach?

Automatic logoff controls The Workstation Use Standard requires organizations to set policies and procedures that specify the proper functions to be performed and the manner in which those functions are to be performed. Examples of this kind of safeguard are timeouts and logouts that break the system connection if the workstation remains idle for a specified period of time

The standard that requires covered entities and business associates to have an agreement regarding use, disclosure, and security of protected health information is the

Business Associate Contracts and Other Arrangements Standard The final standard in the administrative safeguard section of the Security Rule is the Business Associate Contracts and Other Arrangements Standard. Specific items that were addressed are that business associates follow the security rule for Electronic Protected Health Information (ePHI), have business associate agreements with their subcontractors who must follow the security rule for ePHI, and obtain authorization prior to marketing.

A medical staff committee wants to compare long-term survival rates for breast cancer by comparing outcomes for the mastectomy versus lumpectomy approaches. The best source of this information is the:

Cancer registry A cancer registry collects demographic information (such as name, health record number, address), type and site of the cancer, diagnostic methodologies, treatment methodologies, and stage at the time of diagnosis as well as periodically collects follow-up information on the patient's survival status.

What is the unique impact HIM professionals have on coded data?

Combining knowledge of the clinical content, documentation principles, coding systems, and data use provides accurate information for the industry. One role of the HIM professional is to code data by assigning diagnosis and procedural codes according to patient record documentation, and by applying coding guidelines and edits when assigning codes or auditing for coding quality and accuracy

At Medical Center Hospital, HIM professionals are located in the nursing stations, where they are responsible for all aspects of health record processing. While the patient is in the facility, the HIM professional does a daily review of the record to ensure complete documentation. This approach is called a _____.

Concurrent review Concurrent review or analysis means that the record is analyzed during the patient's stay in the healthcare facility. It has the advantage of HIM or other personnel being present on the floors where the physicians see patients. HIM personnel can remind providers to complete items in the record and to sign orders and progress notes

The Physical Safeguards Standards of the Security Rule requires organizations to:

Consider all aspects of physical access to an organization's ePHI All aspects of physical access (physical measures, policies and procedures to protect a covered entity's Electronic Protected Health Information (ePHI), buildings and equipment from natural and environmental hazards, and unauthorized intrusion) to ePHI are included in the Physical Safeguards Standards

If a nurse uses the abbreviation CPR to mean cardiopulmonary resuscitation one time and computer-based patient record another time, which leads to confusion, what would be a concern when applying this dimension of data quality?

Consistency Data quality needs to be consistent. A difference in the use of abbreviations provides a good example of how the lack of consistency can lead to problems.

Which activity would typically occur during the analysis phase of the systems development life cycle (SDLC)?

Defining deficiencies in the existing system In the analysis phase new system requirements are defined. In particular, deficiencies in the existing system are addressed with specific proposals for improvement.

An adult patient's daughter who identifies herself as the patient's representative requests to access her father's health information. The patient has not been treated in this health care organization for the last three years. How should you respond to this request?

Determine whether the daughter has documentation that identifies her as the patient's representative. The Privacy Rule recognizes that patient representatives who are actively participating in the patient's care may be given information to assist in the care of the patient. If you cannot determine that the daughter is active in the care of the patient then documentation (for example, Power of Attorney or Healthcare Power of Attorney) to establish her as the patient's representative or patient authorization should be obtained

What relationship is the following entity relationship diagram showing?

Each patient has one physician, but each physician has many patients. This model shows that the relationship between the data table (or entity) PHYSICIAN and the data table (or entity) PATIENT is one-to-many. A one-to-many relationship means that for every instance of PHYSICIAN stored in the database, many related instances of PATIENT may be stored. Reading the diagram in the other direction, each instance of PATIENT stored in the database is related to only one instance of PHYSICIAN

HIPAA allows what form of signature?

Electronic The Federal Electronic Signatures in Global and National Commerce Act of 2000 (ESIGN) permits an electronic signature to be any electronic sound, symbol, or process attached to or logically associated with a contract or other record that is executed or adopted by the person with the intent to sign the record.

The Contingency Plan Standard includes all of the following as required implementation standards except for which plan?

Environmental risk plan The Contingency Plan Standard is central to being able to ensure availability of data. The standard requires covered entities to establish and implement as needed policies and procedures for responding to an emergency or other occurrence. These policies and procedures include a data backup plan, disaster recovery plan, and emergency mode operation plan. An environmental risk plan is not part of the implementation specifications.

The first and most fundamental strategy for minimizing security threats is to:

Establish a security organization The foundational basis of a covered entities and business associates information security program rests on its identification and management of potential risks to Electronic Protected Health Information (ePHI). The Security Rule outlines a broad set of regulations that include administrative, technical, and physical safeguards intended to ensure confidentiality, integrity, and availability of ePHI.

A visitor walks through the IT department and picks up a flash drive from an employee's desk. What security controls should have been implemented to prevent this security breach?

Facility access controls The facility access control standard states that organizations should consider methods such as lock and key controls, security tagging equipment, using video camera surveillance, monitoring identification badges, and employing human workforce to perform facility security controls

Of the following disclosures of PHI, which one allows an individual the option to agree or disagree with the disclosure of the information?

Facility directory A facility may maintain a facility directory of patients being treated. The Privacy Rule permits the facility to maintain in its directory the following information about an individual once the individual has agreed: name, location in the facility, condition described in general terms, and religious affiliation. This information may be disclosed to persons who ask for the individual by name. Disclosure of an individual's religious affiliation is limited to members of the clergy.

A security breach has been reported. What concept describes the process used to gather evidence?

Forensics Forensics is the process used to gather intact and validated evidence and should be used to gather evidence of the security incident.

A patient's name is typically stored in a database as three data elements—last name, first name, and middle name—and not as a single data element. Which dimension of data quality is being applied when this occurs?

Granularity Data granularity is sometimes referred to as data "atomicity," which means that the individual data elements cannot be further subdivided; they are "atomic".

Which of the following statements is true regarding HIPAA security?

HIPAA allows flexibility in the way an institution implements the security standards. Covered entities (CEs) and business associates (BAs) must decide which security measures to implement using a risk analysis to determine the circumstances that lead them to unauthorized access and disclosure of ePHI. Security is not a one-time project but an ongoing process that requires constant analysis as the business practices of the CE and BA change, technologies advance, and new systems are implemented.

Which of the following is a retention concern with electronic health records?

Hardware obsolescence Planning for the eventual obsolescence of a technology is often not given high enough priority. Hardware obsolescence is a retention concern with electronic health records (EHRs). Record managers need to understand how long data will need to be migrated to ensure compliance with the long retention periods (years to decades) required for EHR systems

All states have a health department with a division required to track and record communicable diseases. When a patient is diagnosed with one of the diseases from the health department's communicable disease list, the public health department must be notified. Which of the following diseases would be reportable to the public health department?

Hepatitis B Hepatitis B is caused by the hepatitis B virus and is considered a communicable disease that is reportable to the public health department. This reporting process may be in writing, by telephone, or by total number of cases.

"Mother died of breast cancer, father still living but has heart disease" is an example of what type of health record documentation

History report The history is the first part of the history and physical, which is generally the first clinical document created for the patient's record. Health record documentation of the patient's medical history usually includes the following elements: chief complaint, present illness, past medical history, social and personal history, family medical history, and review of systems. This is an example of family history

If a patient suffers from an acute myocardial infarction (AMI) and has a new AMI within the four-week time frame of the initial AMI, codes from what category or categories are assigned? I21 ST elevation (STEMI) and non-ST elevation (NSTEMI) myocardial information I22 Subsequent ST elevation (STEMI) and non-ST elevation (NSTEMI) myocardial information I25 Chronic ischemic heart disease

I21, I22 A code from I22 is to be used when a patient who has suffered an acute myocardial infarction (AMI) has a new AMI within the four-week time frame of the initial AMI. A code from category I22 must be used in conjunction with a code from category I21

Which of the following is a factor that affects the cost of release of information?

Labor and postage Federal laws and some state laws address the reimbursement of costs for releasing health information. The HIPAA Privacy Rule permits reasonable, cost-based charges for labor, postage, and supplies involved in photocopying health information for the patient or his or her personal representative

The four major issues that have an impact on the record retention policy of a healthcare facility are patient care, research, space, and:

Legal and statutory requirements Hospitals and other healthcare facilities develop health record retention policies to ensure that health records comply with all applicable state and federal regulations and accreditation standards.

What is the term for the record of care in any health-related setting that is used by healthcare professionals while providing patient-care services or for administrative, business, or payment purposes?

Legal health record The legal health record can be defined as official business records used for evidentiary purposes created by or for healthcare organizations. The legal health record includes documentation of health care services provided to an individual during any aspect of healthcare delivery in any type of healthcare organization as well as the source of the documentation.

A health record that includes all health-related information generated for an individual during his or her lifetime is called:

Longitudinal health record The longitudinal health record is a health record that may include all health-related information generated for an individual during his or her lifetime. These records have many benefits for consumers. However, maintaining such records for every American will be impossible until every healthcare provider in the country has implemented an EHR system

Community Hospital is implementing a hybrid record. Some documentation will be paper-based and digitally scanned after discharge. Other parts of the record will be totally electronic. The Medical Record Committee is discussing how interim reports in the health record should be handled. Some on the committee think that all interim reports should be discarded and only the final reports retained in the scanned record. Others take the opposite position. Which of the following is a best practice that the health information management (HIM) director should suggest to the committee?

Maintaining all interim reports provides the greatest measure of security. Maintaining all interim reports provides the greatest measure of security. Managing health information in a hybrid record environment is challenging, but by maintaining the reports the facility will reduce some potential problems.

Why are metadata essential in information systems?

Metadata are often referred to as "data about data." Metadata are structured information used to increase the effective use of data. By describing data, metadata makes it easier to locate, retrieve, use, and manage.

The EMTALA regulations include all of the following except which?

Non-Medicare indigent patients must be transferred to the nearest level-1 trauma center. Under the EMTALA regulations, hospitals must comply with the following: an appropriate "medical screening exam" must be provided to anyone coming to the emergency department who is seeking medical care; if an emergency medical condition is found, the hospital must treat and stabilize that condition or transfer the individual; and transfers of non-stabilized patients are not allowed unless several specific conditions have been met

An HIM professional who releases health information that he or she knows will result in genetic discrimination is violating the ethical principle of:

Nonmaleficence Nonmaleficence means to do no harm. With regard to the patient and the healthcare team, the HIM professional is obligated to protect health, medical, genetic, social, personal, financial, and adoption information

Securing the authorization of the attending physician, in addition to the patient's authorization, for the release of medical information to the patient's insurance company is:

Not legally required An authorization to use or disclose information is required if the requester is a third party to the patient such as an insurance company or attorney. But the attending physician does not need to provide any authorization to release this information.

Which of the following provides a complete description to patients about how PHI is used in a healthcare facility?

Notice of Privacy Practices The Notice of Privacy Practice (NPP) explains how protected health information (PHI) is used or disclosed. This document explains the patients' rights and the covered entity's legal duties with respect to PHI.

Which of the following clinicians would use the DSM-V system to assist with establishing a diagnosis?

Practicing psychiatrists DSM-V is a multiaxial coding system with five axes. Axis I includes the mental disorders or illnesses comparable to general medical illnesses. Axis II includes personality disorders. Axis III includes general medical illnesses. Axis IV covers life events or social problems that affect the patient. Axis V is the overall level of the patient's functioning, usually as determined by the Global Assessment of Functioning (GAF). The American Psychiatric Association (APA) states two general uses for DSM: as a source of diagnostic information that enhances clinical practice, research, and education.

The primary purpose of a Minimum Data Set in healthcare is to:

Recommend common data elements to be collected in health records The need for standardized data definitions was recognized in the 1960s, and the National Committee on Vital and Health Statistics took the lead developing uniform Minimum Data Sets for various sites of care. As technology has driven the development of the data or information systems, the early data sets have been supplemented with healthcare information standards that focus on EHR systems. A number of standards-setting organizations are involved in developing uniform definitions, data fields, and views for health record content and structure.

Violations of the need-to-know principle and misuse of blanket authorizations are ethical problems pertaining to _____.

Release of information Two primary ethical problems pertinent to the release of information include: violations of the need-to-know principle and misuse of blanket authorizations. The need-to-know principle is based on the minimum necessary standard. Another common ethical problem is misuse of blanket authorizations, which is when the patient signs an authorization allowing the ROI specialist to release any and all information from that point forward.

Competent individuals have which of the following rights in regard to healthcare?

Right to consent to treatment and the right to access his or her own PHI Competent adults have a general right to consent to or refuse medical treatment. In general, the competent adult has the right to request, receive, examine, copy, and authorize disclosure of the patient's healthcare information.

Which terminology provides a common language that enables a consistent way of capturing, sharing, and aggregating health data across specialties and sites of care for electronic health record (EHR) adoption?

SNOMED CT As a core terminology for the EHR, Systematized Nomenclature of Medicine Clinical Terminology (SNOMED CT) provides a common language that enables a consistent way of capturing, sharing, and aggregating health data across specialties and sites of care. SNOMED CT has several components: concept tables, description tables, and relationship tables.

An employee observes an outside individual putting a flash drive in her purse. The employee does not report this security breach. What security measures should have been in place to minimize this threat?

Security incident procedures Response and reporting is the single required implementation specification that states that covered entities (CEs) must identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the CE; document security incidents that are known to the CE; and document security incidents and their outcomes.

The Uniform Health-Care Decisions Act ranks the next-of-kin in the following order for medical decision-making purposes:

Spouse, adult child, parent, adult sibling The Uniform Health-Care Decisions Act suggests that decision-making priority for an individual's next-of-kin be as follows: spouse, adult child, parent, adult sibling. If no one is available who is so related to the individual, authority may be granted to "an adult who exhibited special care and concern for the individual".

In most cases, minors are deemed legally incompetent to access, use, or disclose their health information. What resource should be consulted in terms of who may authorize the ability to access, use, or disclose the health records of minors?

State law, since HIPAA defers to state laws on matters related to minors Because HIPAA defers to state laws on the issue of minors, applicable state laws should be consulted regarding appropriate authorization. Generally speaking, the age of majority is 18 years old or older. This is the legal recognition that an individual is considered responsible for and has control over his or her actions.

The legal health record must meet requirements from the following

State laws and accreditation body standards The legal health record must meet accepted standards as defined by applicable federal regulations, state laws, and standards of accreditation agencies as well as the policies of the healthcare provider

Which of the following statements about compiling a directory of patients being treated in the hospital is true?

The covered entity must inform the individual what information is maintained in a directory and to whom this information may be disclosed. When a healthcare facility is compiling a directory of patients the facility must inform the individual what information is maintained in a directory and to whom it may be disclosed. Once the individual has agreed to be included in the directory, the Privacy Rule permits the facility to maintain in its directory the following information about an individual: name, location in the facility, condition described in general terms, and religious affiliation. This information may be disclosed to persons who ask for the individual by name. A patient has the right to "opt-out" of inclusion in the directory

Who may sign an authorization for use and disclosure when the patient is a minor?

The minor's parent or legal guardian As a general rule, minors are legally incompetent and unable to make decisions regarding the use and disclosure of their own healthcare information. This authority belongs to the minor's parent(s) or legal guardians(s) unless an exception applies.

What information does not have to be included in a covered entity's notice of privacy practice?

The signature of the patient and date the notice was given to the patient The Notice of Privacy Practices (NPP) is a statement mandated by the HIPAA Privacy Rule that is issued by a healthcare organization to inform individuals of the uses and disclosures of patient-identifiable health information that may be made by the organization as well as to inform the individuals of rights and the organization's legal duties with respect to that information. The actual signature of the patient and the date the notice was given to the patient does not need to be included in the statement, but all other items (examples of TPO, other disclosures permitted without authorization, individual rights) must be included in the Notice of Privacy Practices.

As the corporate director of HIM Services and enterprise privacy officer, you are asked to review a patient's health record in preparation for a legal proceeding for a malpractice case. The lawsuit was brought by the patient 72 days after the procedure. Health information contains a summary of two procedures that were dictated 95 days after the procedure. The physician in question has a longstanding history of being lackadaisical with record completion practices. Previous concerns regarding this physician's record maintenance practices had been reported to the facility's Credentialing Committee. Are the summaries of the two procedures admissible in court?

This information could be rejected since the physician dictated the procedure note after the malpractice suit was filed. The health record may be valuable evidence in a legal proceeding. To be admissible, the court must be confident that the record is complete, accurate, and timely (recorded at the time the event occurred); was documented in the normal course of business; and was made by healthcare providers who have knowledge of the "acts, events, conditions, opinions, or diagnoses appearing in it".

Dr. Smith dies while in solo medical practice. The best way to handle his patients' health records is to:

Transfer each record to each patient's new attending physician When a facility or practice is closed or sold, its health records are transferred to the successor provider—meaning the entity or individual that purchases the facility. In ambulatory care settings or physician offices, patients are informed of their options to transfer their records to another provider or choice before their health records are transferred to the successor provider

In which of the following situations must a covered entity provide an appeals process for denials to requests from individuals who want to see their own health information?

When a licensed healthcare professional has determined that access to PHI would likely endanger the life or safety of the individual The HIPAA Privacy Rule provides patients with significant rights that allow them to have some measure of control over their health information. As long as state laws or regulations or the physician does not state otherwise (it might endanger the life or safety of the individual or another person), competent adult patients have the right to access their health record.

There are instances under the HIPAA Privacy Rule in which a person can informally agree or object to the release of their protected health information. All of the following are examples except:

When releasing information for public health purposes Use or disclosure is permitted even without patient authorization for public health interest and benefits. As required by law, public health interest and benefits may be public health activities or activities essential for government functions.

The process of reviewing and validating a physician's education and experience prior to granting medical staff membership is called:

credentialing Credentialing is the process of reviewing and validating qualifications, granting professional or medical staff membership, and awarding delineated privileges. Specific policies and procedures are used by healthcare organizations to accomplish this process. The credentialing process verifies the education, training, experience, current competence, and ability to perform the privileges requested as well as any other background information pertinent to an individual requesting medical staff membership.

Highland Hospital requires all dates be recorded in its clinical information system as MM/DD/YYYY. This required data definition and format should be part of the________.

data dictionary A data dictionary is like a map of the database. Whenever a set of data is created, it should have an accompanying data dictionary. A data dictionary can ensure consistency by standardizing definitions. A typical data dictionary allows for the format of each attribute such as MM/DD/YYYY for the date.

The HIPAA Security Awareness and Training administrative safeguards require all but one of the following addressable implementation programs for an entity's workforce.

disaster recovery plan HIPAA administrative safeguards require that a covered entity implements a security awareness and training program for all members of its workforce. Special protections must be taken to ensure information is not inappropriately released or accessed. These protections include login monitoring, password management, and security reminders.

When an Entity Relationship Diagram (ERD) is implemented as a relational database, an attribute will become a(n):

field Attributes are the characteristics or data elements to be collected about each entity. They can be depicted in an ERD as oval shapes coming off an entity. Attributes become the fields or column headings within the data tables of a relational database.

A pharmacist who submits Medicaid claims for reimbursement of brand name drugs when less expensive generic drugs were actually dispensed has committed the crime of:

fraud Fraud in healthcare is defined independently by a number of legal authorities, but all definitions share common elements: a false representation of fact, a failure to disclose a fact that is material (relevant) to a healthcare transaction, damage to another party that reasonably relies on the misrepresentation, or failure to disclose. This situation would fall under the second category

Problems that would be faced by an HIM professional responsible for _____ include curious employees who should not have access to health information, failures to log off electronic systems, and inappropriate data being stored on a personal laptop.

information security The health information management (HIM) professionals are trained in the ethical issues related to EHR systems, such as information security, because staff have access to more information than what is needed to do their job. Employees accessing the records should not explore information out of curiosity, as this would be unethical.

Placing a condition about the award of a contract for laboratory services on the provision of an "under the table" percentage payback to a physician who has the ability to influence the decision about who is awarded the contract is called a(n):

kickback The Federal Anti-Kickback Statute (42 USC 1320a-7b[B]) establishes criminal penalties for individuals and entities that knowingly and willfully offer, pay, solicit, or receive remuneration in order to induce business for which payment may be made under any federal healthcare program, including kickbacks, bribes, and rebates.

Which one of the following facility types is required to release information under the Freedom of Information Act?

military The Freedom of Information Act (FOIA) (1996) is a federal law that states individuals can seek access to information without authorization of the person to whom the information applies. This Act applies only to federal agencies and not the private sector. The Veterans Administration and Defense Department hospital systems are subject to this Act.

The HIPAA Privacy Rule requires that covered entities must limit use, access, and disclosure of PHI to the least amount necessary to accomplish the intended purpose. What concept is this an example of?

minimum necessity The Privacy Rule introduced the standard of minimum necessary, which is a "need to know" filter applied to limit access to a patient's protected health information (PHI) as well as the amount of PHI used, disclosed, and requested.

The SOAP format is an example of a structured progress note commonly used with the ______ health record.

problem-oriented The subjective, objective, assessment, and plan (SOAP) format is an example of a structured progress note commonly used with the problem-oriented health record

The director of Health Information Services is allowed access to the health record tracking system when providing the proper login and password. Under what kind of access security mechanism is the director allowed access to the system?

user-based User-based access is a security mechanism used to grant users of a system access based on the identity of the user

Refer to the 0CQ table below. Which of the following codes would be considered invalid?

0CQ9XZZ ICD-10-PCS coding guideline A9 emphasizes that the code-building process has to take place by selecting values from a given row in a table. It is not permissible to pick values for a given character in one row and then select a value from a different row for the next character. In this case, the Body Part character 9, Parotid Gland, Left does not correspond to a row with the Approach character of X, External

Which of the following is an example of demographic data?

125 Oak Street, Smallville, KS Demographic data includes basic factual details about the individual patient. The main purpose of collecting demographic data is to confirm the patients' identity. Hospitals and other healthcare-related organizations use the demographic data collected from patients as the basis of statistical records, research, and resource planning

What is the correct CPT code assignment for electrosurgical removal of three (3) nevi of the arm (size approximately 2.0 cm, 1.5 cm, 0.5 cm)? 11056 Paring or cutting of benign hyperkeratotic lesion (e.g., corn or callus); 2 to 4 lesions 11200 Removal of skin tags, multiple fibrocutaneous tags, any area, up to and including 15 lesions 11400 Excision, benign lesion including margins, except skin tag (unless listed elsewhere), trunk, arms or legs; excised diameter 0.5 cm or less 11402 Excision, benign lesion including margins, except skin tag (unless listed elsewhere), trunk, arms or legs; excised diameter 1.1 cm to 2.0 cm 17000 Destruction (e.g., laser surgery, electrosurgery, cryosurgery, chemosurgery, surgical curettement), premalignant lesions (eg, actinic keratoses); first lesion +17003 Destruction (e.g., laser surgery, electrosurgery, cryosurgery, chemosurgery, surgical curettement), premalignant lesions (e.g., actinic keratoses); second through 14 lesions, each (List separately in addition to code for first lesion.)

17000, 17003, 17003 The plus symbol (+) indicates the code following the symbol is an add-on code. In this situation, there are three lesions; therefore, 17000 is coded for the first lesion and then 17003 is coded twice for lesions 2 and 3.

Medicare requires that a history and physical examination be completed within what time frame after a patient's admission to a hospital?

24 hours CMS requires that the history and physical examination be completed no more than 30 days before or 24 hours after admission and the report must be placed in the record within 24 hours after admission.

If a patient is readmitted to a facility after a recent admission, CMS allows the facility to use the existing history and physical from the first admission if it is for a related condition and was completed within _____ of the second admission and if an interval note updating any changes to the patient's condition has been documented.

30 days If the history and physical have been completed within the 30 days prior to admission, it can still be used as long as an updated entry (interval note) is made in the medical record that documents an examination and any changes in the patient's condition since the original history and physical was completed. This entry must be included in the record within the first 24 hours of admission

How many days does a covered entity have to respond to an individual's request for access to his or her protected health information (PHI) when the PHI is stored off-site?

60 days If the PHI is not maintained or located on-site, the covered entity must respond to the request within 60 days of receiving it

Which of the following would be part of the release of information system?

A letter notifying an individual that the authorization was invalid Customized letters are critical to the ROI system. Customized letters and forms may be used to communicate with the requestor for many purposes, such as notifying the individual making a request that the authorization is invalid. The other items: requesting information for continued care, notifying a physician of delinquent medical records, and clarifying a diagnosis, are not related to ROI.

A 65-year-old white male was admitted to the hospital on 1/15 complaining of abdominal pain. The attending physician requested an upper-GI series and laboratory evaluation of CBC and urinalysis. The x-ray revealed possible cholelithiasis and the urinalysis showed an elevated white blood count. The patient was taken to surgery for an exploratory laparotomy and a ruptured appendix was discovered. After an appendectomy was performed and appropriate postoperative care given, the patient was discharged from the hospital on 1/20. According to Joint Commission standards, the surgeon's operative report must be written or dictated and filed on the patient's health record:

Immediately after surgery The operative report should be written or dictated immediately after surgery and filed in the patient's health record as soon as possible. Some hospitals may require surgeons to include brief descriptions of the operations in their postoperative progress notes when delays in dictation or transcription are likely

The designated record set:

Includes medical and billing records A designated record set (DRS) is defined (45 CRF 164.501) as a group of records maintained by or for a covered entity that is (1) the health records and billing records about individuals maintained by or for a covered healthcare provider; (2) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; (3) or used, in whole or in part, by or for the covered entity to make decisions about individuals

An employee in the physical therapy department arrives early every morning to snoop through the clinical information system for potential information about neighbors and friends. What security mechanisms should have been implemented that could minimize this security breach?

Information access controls The information access management standard restricts access to electronic protected health information (ePHI) only to those that need it to perform their jobs. In this scenario, the physical therapist needs access to PHI for the job but is violating that privilege by accessing ePHI on individuals that are not under the therapist's care.

Which type of record is arranged in strictly chronological order?

Integrated The content of the integrated health record is arranged in strict chronological order. Different types of information and sources of information are mixed together according to the dates on the entries.

A physician takes the health records of a group of HIV-positive patients out of the hospital to complete research tasks at home. The physician mistakenly leaves the records in a restaurant where they are read by a newspaper reporter who publishes an article that identifies the patients. The physician can be sued for:

Invasion of privacy Invasion of privacy is the intrusion upon one's solitude, another major concern in healthcare. A person's right to privacy is "the right to be let alone". This includes the rights of individuals to be free from surveillance and interference, as well as the right to keep one's information from being disclosed. One major actionable offense of concern in healthcare involving invasion of privacy is the unlawful disclosure of patient's health information

Which of the following statements is true of data quality management?

It affects the collection, application, warehousing, and analysis of data to improve information quality. Data quality management is the collection, application, warehousing, and analysis of data to improve information quality.

Protected health information, subject to HIPAA protection, is defined by all of the following criteria except:

It must be identifiable health information regardless of who holds or uses it To be PHI, it first must be deemed to be individually identifiable by meeting the first two parts of a three-part test: 1) it must either identify the person or provide a reasonable basis to believe the person could be identified from the information given; 2) it must relate to one's past, present, or future physical or mental health condition; the provisions of healthcare or payment for the provision of healthcare; 3) or it must be held or transmitted by a covered entity or its business associate in any form or medium, including electronic, paper, or oral forms.

15. A patient was admitted for cellulitis of the right palm of the hand following a non-venomous insect bite three days prior to the encounter. How would this encounter be coded? L03.011 Cellulitis of right finger L03.113 Cellulitis of right upper limb S60.561A Insect bite (nonvenomous) of right hand, initial encounter S60.561D Insect bite (nonvenomous) of right hand, subsequent encounter S60.571A Other superficial bite of hand of right hand, initial encounter W57.XXXA Bitten or stung by nonvenomous insect and other nonvenomous arthropods, initial encounter W57.XXXD Bitten or stung by nonvenomous insect and other nonvenomous arthropods, subsequent encounter

L03.113, S60.561A, W57.XXXA The cellulitis is of the palm and should be coded first as the reason for the encounter. Additional codes are also used to represent the insect bite. The seventh character A for initial encounter is used while the patient is receiving active treatment for the injury.

17. A 27-year-old female has a vaginal delivery with a single liveborn female at 40 weeks gestation. Episiotomy and repair. What diagnosis and procedure codes would be assigned for this patient? O70.0 First degree perineal laceration during delivery O70.9 Perineal laceration during delivery, unspecified O80 Encounter for full-term uncomplicated delivery Z37.0 Single live birth Z3A.40 40 weeks of gestation of pregnancy Section Body System Root Operation Body Part Approach Device Qualifier Medical and Surgical Anatomical Regions, General Division Perineum, Female External No Device No Qualifier 0 W 8 N X Z Z Section Body System Root Operation Body Part Approach Device Qualifier Medical and Surgical Anatomical Regions, General Repair Perineum, Female External No Device No Qualifier 0 W Q N X Z Z

O80, Z37.0, Z3A.40, 0W8NXZZ This is an example of a normal delivery, full-term, single, healthy liveborn infant with an episiotomy. No other procedures or manipulation needed to aide in delivery. The Z3A code is used to indicate the 40 weeks of gestation of the pregnancy. The correct ICD-10-PCS procedure code is 0W8NXZZ, division of the female perineum.

What data set provides the underpinning of the home health prospective payment system (HH PPS)?

OASIS The HHPPS is based on a predetermined rate for a 60-day episode of home health care. OASIS data are essential to home health agency's reimbursement under the HHPPS. OASIS data drive the determination of the case-based adjustment. There are three components in the structure of payment under the HHPPS: the national standardized episode rate, the HHA case-mix group, and adjustments.

The HIM manager at Community Hospital needs to choose a database model that allows the facility to store images, video, and data. Which of the following should the HIM manager choose?

Object-oriented database The object-oriented database is a database model that handles text, images, audio, video, and other objects. In the model these images and other non-text items are stored as objects with hierarchy and a navigational style of programming

This report should be written or dictated immediately after the procedure is done and filed in the patient's health record as soon as possible:

Operative report The operative report should be written or dictated immediately after surgery and filed in the patient's health record as soon as possible. Some hospitals may require surgeons to include brief descriptions of the operations in their postoperative progress notes when delays in dictation or transcription are unavoidable. Other caregivers can then refer to the progress note until the final operative report becomes available

89. The CPT codes for Emergency Department visits are: 99281 - Level 1 Emergency Department Visit 99282 - Level 2 Emergency Department Visit 99283 - Level 3 Emergency Department Visit 99284 - Level 4 Emergency Department Visit 99285 - Level 5 Emergency Department Visit This set of CPT codes is an example of:

Ordinal data Ordinal data are discrete categories or groups with a natural or inferred order. Examples of ordinal data include patient satisfaction responses on a five-point scale, patient severity scores, or CPT codes for emergency department visits.

The incidence of postoperative wound infections occurring in ORIF procedures in which antibiotics were and were not utilized is an example of which type of performance measure?

Outcome measure Performance measurement in healthcare provides an indication of an organization's performance in relation to a specified process or outcome. An outcome measure may be the effect of care, treatment, or services on a customer.

Which of the following is an example of a 1:M relationship?

Patients to hospital admissions The one-to-many (1:M) relationship exists when one instance of an entity is associated with many instances of another entity. In this case, the relationship between PATIENT and HOSPITAL ADMISSIONS is one-to-many. For each instance of PATIENT in the database, there could be many instances of HOSPITAL ADMISSION. In other words, each patient may have many hospital admissions, but each hospital admission is associated with only one patient

Establishing security, confidentiality, retention, integrity, and access standards are examples of which HIM function?

Policy development A policy is a critical tool to ensure to consistent quality performance. It is a statement about what an organization or department does. One function of the HIM professional is to develop policies related to security, confidentiality, retention, integrity, and access standards

Which dimension of data quality is defined as "data that is free of errors?"

accuracy Data that are free of errors are accurate. Typographical errors in discharge summaries or misspellings of names are examples of inaccurate data