PRG RHIT Prep 2014 - Legal Domain 6
The hospital has received a request for an amendment. How long does the facility have in order to accept or deny the request? A. 10 days B. 30 days C. 60 days D. 14 days REFERENCE: Green and Bowie, pp 84-85 Krager and Krager, pp 23-24, 44 Roach, p 233 Sayles (2013), p 804
60 days The request must be acted on within 60 days after receipt; however, the response may be extended once by 30 days, with a written statement with reason and response date.
Which of the following is an example of a trigger that might be used to reduce auditing? A. A patient and user have the same last name. B. The patient is a Medicare patient. C. A patient has not signed their notice of privacy practices. D. A nurse is caring for a patient and reviews the patient's record. REFERENCE: Sayles and Trawick, p 323
A patient and user have the same last name.
Which of the following statements is true about a requested restriction? A. ARRA states that a CE does not have to agree to a requested restriction. B. ARRA mandates that a CE must comply with a requested restriction unless it meets one of the exceptions. C. ARRA mandates that a CE must comply with a requested restriction. D. ARRA does not address restrictions to PHI. REFERENCE: Rhodes (2009a), p 13 Sayles, p 807
ARRA mandates that a CE must comply with a requested restriction unless it meets one of the exceptions
Puget Sound Health System has set hiring goals and taken steps to guarantee equal employment opportunities for members of protected groups (e.g., American Indians, veterans, etc.). It is complying with A. Affirmative Action. B. Equal Pay Act. C. Minority Hiring Act. D. Civil Rights Act. REFERENCE: Abdelhak, pp 574-575 McConnell, pp 453-454 McWay, p 374
Affirmative Action.
Mountain Hospital has discovered a security breach. Someone hacked into the system and viewed 50 medical records. According to ARRA, what is the responsibility of the covered entity? A. ARRA requires oral notification. B. All individuals must be notified within 30 days. C. All individuals must be notified within 60 days. D. ARRA does not address this issue. REFERENCE: Rhodes (2009a), p 10 Sayles, pp 826-827 U.S. DHHS 2
All individuals must be notified within 60 days
Today is August 30, 2013. When can the training records for the HIPAA privacy training being conducted today be destroyed? A. August 30, 2019 B. August 30, 2017 C. August 30, 2020 D. August 30, 2018 REFERENCE: Hjort (2002), p 60 A-G Krager and Krager, p 90
August 30, 2019
Which of the following agencies is empowered to implement the law governing Medicare and Medicaid? A. Joint Commission B. Department of Health and Human Services C. Institutes of Health D. Centers for Medicare and Medicaid Services (CMS) formerly known as Health Care Financing Administration (HCFA) REFERENCE: Brodnik, p 128 Green and Bowie, p 65 LaTour, Eichenwald-Maki, and Oachs, p 37 McWay (2010), p 12 McWay (2014), pp 12, 52, 56-57 Pozgar, pp 25-28
Centers for Medicare and Medicaid Services (CMS) formerly known as Health Care Financing Administration (HCFA)
What source or document is considered the "supreme law of the land"? A. Bill of Rights B. Constitution of the United States C. Supreme Court decisions D. presidential power REFERENCE: Brodnik, pp 14-15 LaTour and Eichenwald-Maki, p 300 McWay (2014), p 50 Pozgar, p 19
Constitution of the United States
What advice should be given to a physician who has just informed you that she just discovered that a significant portion of a discharge summary she dictated last month was left out? A. Squeeze in the information omitted by writing in available spaces such as the top, bottom, and side margins. B. Dictate the portion omitted with the heading "Discharge Summary-Addendum" and make a reference to the addendum with a note that is dated and signed on the initial Discharge Summary (e.g., "9/1/11-See Addendum to C. Discharge Summary"-Signature). Inform the physician that nothing can be done about the situation. D. Redictate the discharge summary and replace the old one with the new one. REFERENCE: Brodnik, pp 138-140 Green and Bowie, pp 84-85 McWay (2010), p 177 Roach, p 70
Dictate the portion omitted with the heading "Discharge Summary-Addendum" and make a reference to the addendum with a note that is dated and signed on the initial Discharge Summary (e.g., "9/1/11-See Addendum to Discharge Summary"-Signature).
Your HIS Department receives an authorization for Sara May's medical history to be sent to her attorney, but the expiration date noted on the authorization has passed. What action is appropriate according to HIPAA privacy rules? A. Do not honor because the authorization is invalid. B. Contact the attending physician for permission to respond. C. Contact the patient to get permission to respond. D. Honor the authorization since the patient obviously approves of the release. REFERENCE: LaTour, Eichenwald-Maki, and Oachs, pp 618-619 Sayles, pp 788, 810-812
Do not honor because the authorization is invalid.
HIPAA states that release to a coroner is allowed. State law says that the coroner must provide a subpoena. Which of the following is a correct statement? A. Follow the HIPAA requirement since it is a federal law. B. You must request a ruling from a judge. C. You can follow either the state law or the HIPAA rule. D. Follow the state law since it is stricter. REFERENCE: McWay (2014), p 70
Follow the state law since it is stricter
As an HIM supervisor, one of your employees reports that a coworker has returned from lunch on numerous occasions with the smell of alcohol on his breath. What is the best approach in handling this problem? A. Handle the situation as you would any other disease that affects an employee's work. B. Confront the employee and place him on suspension for 1 week. C. Terminate the employee immediately. D. Ignore the report because it is hearsay. REFERENCE: Abdelhak, p 601 McConnell, pp 243-245
Handle the situation as you would any other disease that affects an employee's work.
Miles has asked you to explain the rights he has via HIPAA privacy standards. Which of the following is one of his HIPAA-given rights? A. He can discuss financial arrangements with business office staff. B. He can ask a patient advocate to sit in on all appointments at the facility. C. He can review his bill. D. He can ask to be contacted at an alternative site. REFERENCE: LaTour, Eichenwald-Maki, and Oachs, pp 314-315 McWay (2014), p 104 Sayles, p 802 U.S. Office of Civil Rights (n.d.), pp 1-2
He can ask to be contacted at an alternative site.
Which of the following acts was passed to stimulate the development of standards to facilitate electronic maintenance and transmission of health information? A. Health Insurance for the Aged B. Health Insurance Portability and Accountability Act C. Hospital Survey and Construction Act D. Conditions of Participation REFERENCE: Brodnik, pp 155-156 Green and Bowie, pp 10, 320 LaTour, Eichenwald-Maki, and Oachs, pp 151-152, 309-310 McWay (2010), p 161 McWay (2014), pp 68-70 Pozgar, pp 27, 282
Health Insurance Portability and Accountability Act
Which of the following statements is correct regarding HIPAA preemption analysis? A. Even if the state law that recognizes a patient's right to health care information privacy is more stringent than the HIPAA federal rule, the HIPAA federal rule will still prevail. B. State law regarding a patient's right to health care information privacy can never prevail over the HIPAA federal rule. C. If a state law that recognizes a patient's right to health care information privacy is more stringent than the HIPAA federal rule, then the courts must decide which shall prevail. D. If the state law that recognizes a patient's right to health care information privacy is more stringent than the HIPAA federal rule, then the state law prevails. REFERENCE: Brodnik, pp 186, 271 Green and Bowie, p 283 LaTour, Eichenwald-Maki, and Oachs, p 313 McWay (2010), p 201 McWay (2014), p 70 Roach, pp 100-101
If the state law that recognizes a patient's right to health care information privacy is more stringent than the HIPAA federal rule, then the state law prevails.
Jason, an HIM educator, plans to lecture on department design and the legislative act or agency that was created to ensure that workers have a safe and healthy work environment. Which of the following legal issue will he describe? A. OSHA Act B. Wagner Act C.Labor Management Relations Act D. Taft-Hartley Law REFERENCE: Abdelhak, p 577 LaTour, Eichenwald-Maki, and Oachs, p 722 McWay, p 373 Sayles, p 1231
OSHA Act
While performing routine quantitative analysis of a record, a medical record employee finds an incident report in the record. The employee brings this to the attention of her supervisor. Which best practice should the supervisor follow to deal with this situation? A. Tell the employee to leave the report in the record. B. Remove the incident report and send it to the patient. C. Refer this record to the Risk Manager for further review and removal of the incident report. D. Remove the incident report and have nursing personnel transfer all documentation from the report to the medical record. REFERENCE: Brodnik, pp 295-297 Green and Bowie, p 88 LaTour, Eichenwald-Maki, and Oachs, p 335 McWay (2010), pp 262-263 McWay (2014), p 132 Pozgar, pp 329-330 Roach, p 393
Refer this record to the Risk Manager for further review and removal of the incident report
Which of the following would be an inappropriate procedure for the custodian of the medical record to perform prior to taking a medical record from a health care facility to court? A. Document in the file folder the total number of pages in the record. B. Prepare an itemized list of sheets contained in the medical record. C. Number each page of the record in ink. D. Remove any information that might prove detrimental to the hospital or physician. REFERENCE: Brodnik, pp 33-34 Pozgar, pp 284-287
Remove any information that might prove detrimental to the hospital or physician.
Your facility just learned that one of its business associates is out of compliance with your contract and with the privacy rule. What should your response be according to ARRA? A. Educate the business associate and conduct an audit in 30 days. B. Request that the problem be corrected by the business associate within 60 days. C. Educate the business associate. Request that the problem be corrected by the business associate within 60 days. D. Request that the business associate correct the problem or stop doing business with the organization. REFERENCE: Rhodes and Rode, p 39
Request that the business associate correct the problem or stop doing business with the organization.
A 21-year-old employee of National Services was treated in an acute care hospital for an illness unrelated to work. A representative from the personnel department of National Services calls to request information regarding the employee's diagnosis. What would be the appropriate course of action? A. Release the information because the employer is paying the patient's bill. B. Call the patient to obtain verbal permission. C. Request that the personnel office send an authorization for release of information that is signed and dated by the patient. D. Require parental consent. REFERENCE: Brodnik, pp 244-245, 255 Green and Bowie, pp 291-292 LaTour, Eichenwald-Maki, and Oachs, pp 316-317
Request that the personnel office send an authorization for release of information that is signed and dated by the patient.
Which of the following is a true statement about symmetric encryption? A. Symmetric encryption uses a private and public key. B. Symmetric encryption assigns a secret key to data. C. Symmetric encryption assigns a public key to data. D. Symmetric encryption is also known as secure socket layer. REFERENCE: Roach, pp 466-468
Symmetric encryption assigns a secret key to data
Referring to Case Study #3, which of the following can the attorney of the resident's family also use as a basis for the lawsuit and why? A. The doctrine of res ipsa loquitur because it allows the plaintiff to shift the burden of proof to the defendant because direct evidence is available. B. The doctrine of charitable immunity because the nursing facility is a private institution and is shielded from liability for any torts committed on its property. C. The failure to warn theory because the doctor did not inform the resident's family that the resident was in danger at the nursing facility. D. The Good Samaritan Statutes because they protect the Director of Nursing, an employee of the nursing facility, who was not present when the injury occurred. REFERENCE: Brodnik, pp 71-72 Green and Bowie, pp 267, 350 McWay (2010), pp 75-76, 414 McWay (2014), p 65 Pozgar, pp 56, 115-117, 582
The doctrine of res ipsa loquitur because it allows the plaintiff to shift the burden of proof to the defendant because direct evidence is available.
You work in a unionized organization and have filed a grievance. Which of the following will most likely take place? A. The facility policies and procedures for prompt and fair action on any grievance will be followed. B. The grievance procedure regulations stipulated in the union contract will be followed. C. You can be terminated for registering a grievance. D. The time from complaint to resolution should be no longer than 90 days. REFERENCE: Abdelhak, pp 603-604 LaTour, Eichenwald-Maki, and Oachs, p 756 McWay, p 378 Sayles, p 1106
The grievance procedure regulations stipulated in the union contract will be followed. It is illegal for an organization to fire an employee for filing a grievance. The union contract stipulates the policy and procedures for resolving grievances. You would need to refer to the union contract for any specific time boundaries.
Which of the following situations violate a patient's privacy? A. The physician on the quality improvement committee reviews medical records for potential quality problems. B. The hospital uses aggregate data to determine whether or not to add a new operating room suite. C. The hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples. D. The hospital sends patients who are scheduled for deliveries information on free childbirth classes. REFERENCE: Amatayakul (2001b), p 16B Green and Bowie, p 294 Krager and Krager, p 39 Sayles, p 827
The hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples. The release of childbirth information is acceptable because it is related to the reason for admission. The mass mailing of samples violates giving out confidential information to outside agencies.
In a court of law, Attorney A, the attorney for Sun City Hospital, introduces the medical record from the hospital as evidence. However, Attorney B, the attorney for the defendant, objects on the grounds that the medical record is subject to the hearsay rule, which prohibits its admission as evidence. Attorney B's objection is overridden. Why? A. It would violate physician-patient privilege, even though the patient signed a proper release of information form. B. The medical record does not belong to the hospital; therefore, the hospital has no right to release the medical record as evidence. C. The medical record may be admitted as business records or as an explicit exception to hearsay rule. D. The doctrine of res ipsa loquitur prevails; therefore, reference to the medical record is moot. REFERENCE: Brodnik, pp 57-58, 125, 127 Green and Bowie, pp 270-271 McWay (2010), pp 50-51, 409 Pozgar, pp 120-122 Roach, pp 383-384
The medical record may be admitted as business records or as an explicit exception to hearsay rule.
You have been given some information that includes the patient's account number. Which statement is true? A. These data are individually identified data. B. These data are a limited data set. C. This is de-identified information because the patient's name and social security are not included in the data. D. This is not de-identified information, because it is possible to identify the patient. REFERENCE: McWay, pp 72, 242, 244
This is not de-identified information, because it is possible to identify the patient.
Barbara, a nurse, has been flagged for review because she logged in to the EHR in the evening when she usually works the day shift. Why should this conduct be reviewed? A. This is not a violation since Barbara, as a nurse, has full access to data in the EHR. B. No action is required. C. This needs to be investigated before a decision is made because there may be a legitimate reason why she logged in at this time. D. This is a privacy violation. REFERENCE: Sayles and Trawick, p 324
This needs to be investigated before a decision is made because there may be a legitimate reason why she logged in at this time.
The protection of a patient's health information is addressed in each of the following EXCEPT A. U.S. Patriot Act. B. Health Insurance Portability and Accountability Act. C. Privacy Act. D. Drug Abuse and Treatment Act. REFERENCE: Brodnik, pp 238-242, 247-248, 256, 263-264 Green and Bowie, pp 284-285 McWay (2010), pp 47, 285, 292 Pozgar, pp 26-27, 279-280 Roach, pp 104-106
U.S. Patriot Act.
In general, which of the following statements is correct? A. When federal and state laws conflict, valid corporate policies supersede federal and state laws. B. When federal and state laws conflict, valid federal laws supersede state laws. C. When federal and state laws conflict, valid state laws supersede federal laws. D. When federal and state laws conflict, valid local laws supersede federal and state laws. REFERENCE: Brodnik, p 128 LaTour, Eichenwald-Maki, and Oachs, p 300 McWay (2010), p 201 McWay (2014), p 70
When federal and state laws conflict, valid federal laws supersede state laws.
If an authorization is missing a Social Security number, can it be valid? A. only if the patient is a minor B. no C. yes D. only if the patient is an adult REFERENCE: McWay (2014), p 75
YES
Someone accessed the covered entity's electronic health record and sold the information that was accessed. This person is known as which of the following? A. a virus B. malware C. a cracker D. a hacker REFERENCE: McWay (2014), p 290
a cracker
When patients are able to obtain a copy of their health record, this is an example of which of the following? A. a required standard B. a patient right C. a preemption D. an addressable requirement REFERENCE: McWay (2014), p 69
a patient right
You have been asked to create a presentation on intentional and unintentional threats. Which of the following should be included in the list of threats you cite? A. hard drive failures B. a patient's Social Security number being used for credit card applications C. data loss due to electrical failures D. data deleted by accident REFERENCE: Sayles and Trawick, p 301
a patient's Social Security number being used for credit card applications
A major drug company wants to promote a fundraiser targeting patients with congestive heart failure. The drug company representative has requested a list of patients treated at your facility. As privacy and security officer, you tell them that A. they just need to send a written request for the list. B. a prior authorization is required before any PHI can be released. C. you will need to confer with the medical director. D. if the fundraising was conducted by a business associate without authorization, and the funds were to benefit your facility (the covered entity), that you could disclose the information. REFERENCE: LaTour, Eichenwald-Maki, and Oachs, p 318 Sayles, pp 827-828, 836, 1050, 1160
a prior authorization is required before any PHI can be released.
The supervisors have decided to give nursing staff access to the EHR. They can add notes, view, and print. This is an example of what? A. the termination process B. spoliation C. an information system activity review D. a workforce clearance procedure REFERENCE: Green and Bowie, p 281
a workforce clearance procedure
The minimum record retention period for patients who are minors is A. 5 years past treatment. B. age of majority. C. age of majority plus the statute of limitations. D. 2 years past treatment. REFERENCE: Brodnik, pp 141-146 Green and Bowie, p 94 McWay (2014) pp 53, 136, 400, 520 Roach, pp 43-44
age of majority plus the statute of limitations
HIM professionals have a duty to maintain health information that complies with A. state statutes. B. all of these. C. accreditation standards. D. federal statutes. REFERENCE: Brodnik, p 128 Green and Bowie, p 273 LaTour, Eichenwald-Maki, and Oachs, p 328 McWay (2010), pp 147, 201 McWay (2014), pp 70-71 Roach, pp 40-41
all of these
Which of the following is considered confidential information if the patient is seeking treatment in a substance abuse facility? A. patient's address B. all of these C. patient's name D. patient's diagnosis REFERENCE: Brodnik, pp 247-250 Green and Bowie, pp 284-285
all of these
Which of the following should be required to sign a confidentiality statement before having access to patients' medical information? A. all of these B. medical students C. HIM students D. nursing students REFERENCE: Brodnik, pp 158, 215, 442 Green and Bowie, pp 43-48 Pozgar, pp 290-292
all of these
One of your new employees has just completed orientation, receiving basic HIPAA training. You are now providing more specific training related to her job. She asks whether the information she provided during the hiring process, as well as benefits claims, are also protected under HIPAA. Which of the following can you assure her that the Human Resources Department protects? A. benefits enrollment B. all personal health information (PHI) C. OSHA information D. Employee Assistance Program contacts REFERENCE: Abdelhak, p 577 LaTour, Eichenwald-Maki, and Oachs, pp 756-757 McConnell, pp 272, 477 McWay, p 375
all personal health information (PHI)
The company's policy states that audit logs, access reports, and security incident reports should be reviewed daily. This review is known as A. an information system activity review. B. a workforce clearinghouse. C. a data criticality analysis. D. a risk analysis. REFERENCE: Green and Bowie, p 281
an information system activity review
Before a user is allowed to access protected health information, the system confirms that the patient is who he or she says they are. This is known as A. authentication. B. access control. C. notification. D. authorization. REFERENCE: McWay (2014), p 290
authentication
You have been asked to provide examples of technical security measures. Which of the following would you include in your list of examples? A. automatic logout B. training C. locked doors D. minimum necessary REFERENCE: Green and Bowie, p 283 Krager and Krager, pp 90-100 McWay (2014), p 292
automatic logout
A record that has been requested by subpoena duces tecum is currently located at an off-site microfilm company. By contacting the microfilm provider, you learn that the microfilm is ready and the original copy of the record still exists. What legal requirement would compel you to produce the original record for the court? A. motion to quash B. best evidence rule C. subpoena instanter D. hearsay rule REFERENCE: Brodnik, pp 56-57 Roach, pp 487-488
best evidence rule
To be admitted into court as evidence, medical records or health information are introduced as A. business records or exception to hearsay rule. B. product liability. C. privileged information. D. torts or contracts. REFERENCE: Brodnik, pp 44-45 Green and Bowie, pp 270-271 LaTour, Eichenwald-Maki, and Oachs, p 333 McWay (2010), p 51 Roach, pp 383-386
business records or exception to hearsay rule
Which of the following is subject to the HIPAA security rule? A. x-ray films stored in radiology B. clinical data repository C. paper medical record D. faxed records REFERENCE: Roach, p 459
clinical data repository The security rule only applies to e-PHI.
A health care organization's compliance plans should not only focus on regulatory compliance, but also have a A. coding compliance program that prevents fraudulent coding and billing. B. substantial program that increases the availability of clinical data. C. strong personnel component that reduces the rapid turnover of nursing personnel. D. component that increases the security of medical records. REFERENCE: Brodnik, pp 316-318 Green and Bowie, p 323 LaTour, Eichenwald-Maki, and Oachs, pp 453-454 McWay (2010), p 318 McWay (2014), pp 81, 158 Pozgar, pp 332-333
coding compliance program that prevents fraudulent coding and billing.
A patient has written to request a copy of his own record. When the clerk checked the record, it was noted that the patient was last admitted to the psychiatric unit of the facility. You advise the clerk to A. comply with the request immediately. B. ignore the request and advise you if it is repeated. C. ask the patient to send the required fee prior to the release. D. contact the patient's attending physician before complying. REFERENCE: Abdelhak, pp 538-539 Green and Bowie, pp 294-295 LaTour, Eichenwald-Maki, and Oachs, pp 314, 319 Sayles, p 800
contact the patient's attending physician before complying
When a health care facility fails to investigate the qualifications of a physician hired to work as an independent contractor in the emergency room and is accused of negligence, the health care facility can be held liable under A. contributory negligence. B. respondeat superior. C. corporate negligence. D. general negligence. REFERENCE: Brodnik, p 74 LaTour and Eichenwald-Maki, pp 329-330 McWay (2010), pp 77-78 McWay (2013), p 66 Pozgar, pp 150-152
corporate negligence
Alisa has trouble remembering her password. She is trying to come up with a solution that will help her remember. Which one of the following would be the BEST practice? A. using her daughter's name for her password B. creating a password that utilizes a combination of letters and numbers C. using the word "password" for her password D. writing the complex password on the last page of her calendar REFERENCE: Amatayakul and Walsh, p 16C Krager and Krager, pp 88-89, 97 Sayles, p 1038
creating a password that utilizes a combination of letters and numbers
A valid authorization for the disclosure of health information should not be A. dated prior to discharge of the patient. B. addressed to the health care provider. C. in writing. D. signed by the patient. REFERENCE: Brodnik, pp 259-260 LaTour, Eichenwald-Maki, and Oachs, p 317
dated prior to discharge of the patient
Intentional threats to security could include A. equipment failure (software failure). B. a natural disaster (flood). C. data theft (unauthorized downloading of files). D. human error (data entry error). REFERENCE: Sayles, pp 1029-1030
data theft (unauthorized downloading of files) Natural disasters, equipment failure, and human error are usually unintentional threats to security. Data theft is intentional.
Referring to Case Study #2, the sworn verbal testimony you are asked to provide is called a(n) A. court order. B. physical and mental examination. C. deposition. D. interrogatory. REFERENCE: Brodnik, p 28 Green and Bowie, pp 265, 337 McWay (2010), pp 34, 39, 57, 406 Pozgar, p 578
deposition
What type of digital signature uses encryption? A. digital signature B. encryption is not a part of digital signatures C. digitized signature D. electronic signature REFERENCE: Sayles and Trawick, p 253
digital signature
Contingency planning includes which of the following processes? A. hiring practices B. disaster planning C. systems analysis D. data quality REFERENCE: McWay (2014), p 290
disaster planning
Referring to Case Study #2, what phase of the lawsuit are you involved in? A. appeal B. trial C. pretrial conference D. discovery REFERENCE: Brodnik, p 35 Green and Bowie, pp 265, 338 LaTour and Eichenwald-Maki, p 325 McWay (2010), pp 34, 57, 263, 407 McWay (2014), pp 62-63 Pozgar, pp 110-111, 579 Roach, pp 374-375
discovery
Which of the following elements of negligence must be present in order to recover damages? A. duty of care; breach of duty of care; value attached to injury is greater than a certain value (ordinarily $1,000); provisions of the HIPAA privacy rule have been met B. duty of care; breach of duty of care; suffered an injury; defendant's conduct caused the plaintiff harm C. breach of duty of care; suffered an injury; value attached to injury is greater than a certain value (ordinarily $1,000); provision of HIPAA privacy rule have been met D. duty of care; breach of the duty of care; suffered an injury; value attached to injury is greater than a certain value (ordinarily $1,000) REFERENCE: Brodnik, pp 70-71, 75-76, 79 Green and Bowie, p 267 LaTour, Eichenwald-Maki, and Oachs, p 304 McWay (2014), p 65
duty of care; breach of duty of care; suffered an injury; defendant's conduct caused the plaintiff harm
Spoliation is the term that refers to the wrongful destruction of evidence or the failure to preserve property, which addresses which of the following methods of discovery? A. deposition B. e-discovery C. interrogatories D. request for admissions REFERENCE: Brodnik, pp 50-51 LaTour, Eichenwald-Maki, and Oachs, p 325 McWay (2010), pp 34-35
e-discovery
Human Resources provide training for new supervisors. It includes discussion of the Equal Pay Act, which was passed to eliminate discrimination based on which of the following? A. merit of the employee B. seniority of the employee C. employee gender D. personal productivity, such as in a incentive compensation system REFERENCE: Abdelhak, p 578 Davis and LaCour, pp 448-450 McConnell, p 456 McWay, p 374 Sayles, p 835
employee gender
A health information manager develops a formal plan or record retention schedule for the automatic transfer of records to inactive storage and potential destruction based on all but which one of the following factors? A. volume of research B. file area staffing C. readmission rate D. statute of limitations REFERENCE: Green and Bowie, pp 9394 LaTour, Eichenwald-Maki, and Oachs, pp 276279 McWay, pp 136139 Sayles, pp 336337
file area staffing
A hacker recently accessed our database. We are trying to determine how the hacker got through the firewall and exactly what was accessed. The process used to gather this evidence is called A. security event. B. incident. C. forensics. D. mitigation. REFERENCE: Sayles and Trawick, p 310
forensics
Under traditional rules of evidence, a medical/health record is considered ________ and is ________ into evidence. A. reliable; admissible B. hearsay; admissible C. hearsay; inadmissible D. reliable; inadmissible REFERENCE: Brodnik, pp 56-58 Green and Bowie, pp 270-271 LaTour, Eichenwald-Maki, and Oachs, p 324 McWay (2010), pp 50-51, 409 Roach, pp 383-385
hearsay; inadmissible
An employee in the admission department took the patient's name, Social Security number, and other information and used it to get a charge card in the patient's name. This is an example of A. identity theft. B. release of information. C. mitigation. D. disclosure. REFERENCE: McWay (2010), p 219
identity theft
The ideal consent for medical treatment obtained by the physician is A. expressed. B. verbal. C. informed. D. implied. REFERENCE: Brodnik, pp 96-99 Green and Bowie, pp 129, 132, 134 McWay (2010), p 173 McWay (2014), pp 76-77 Pozgar, pp 302-303 Roach, pp 78-81
informed.
Traditionally, the medical record is accepted as being the property of the A. court. B. patient's guardian. C. patient. D. institution. REFERENCE: Brodnik, pp 239-241 Green and Bowie, pp 72-73 LaTour and Eichenwald-Maki, p 312 McWay (2010), pp 194-196 McWay (2014), pp 73-75 Pozgar, p 279
institution
A written consent from the patient is required from which of the following entities in order to learn a patient's HIV status? A. health care workers B. emergency medical personnel C. insurance companies D. spouse or needle partner REFERENCE: Brodnik, pp 250-251 Green and Bowie, p 292 McWay (2010), pp 181-183 McWay (2014), pp 78, 109 Pozgar, pp 358-559 Roach, pp 352-362
insurance companies
A mechanism to ensure that PHI has not been altered or destroyed inappropriately has been established. This process is called A. entity authentication. B. audit controls. C. access control. D. integrity. REFERENCE: Green, p 283
integrity
What type of testimony is inappropriate for a health information manager serving as custodian of the record when he or she is called to be a witness in court? A. whether the record is in the practitioner's possession B. interpretation of documentation in the record C. whether the medical record was made in the usual course of business D. title and position held in the health care facility REFERENCE: Brodnik, pp 29-31
interpretation of documentation in the record
An improper disclosure of patient information to unauthorized individuals, agencies, or news media may be considered a(n) A. slander. B. defamation. C. libel. D. invasion of privacy. REFERENCE: Green and Bowie, p 271 McWay (2010), p 81 McWay (2014), p 64 Pozgar, p 52 Roach, pp 406-407, 410
invasion of privacy
With regard to confidentiality, when HIM functions are outsourced (i.e., record copying, microfilming, or transcription), the HIM professional should confirm that the outside contractor's A. is contractually bound to handle confidential information appropriately by means of a signed business associate agreement. B. costs are not prohibitive, thus compromising confidentiality. C. is located in an easy to find place. D. hours of operation permit easy access by all health care providers. REFERENCE: Brodnik, pp 158-159 McWay (2010), pp 215-216
is contractually bound to handle confidential information appropriately by means of a signed business associate agreement.
Which of the following claims of negligence fits into the category of res ipsa loquitur? A. incorrect administration of anesthesia B. leaving a foreign body inside a patient C. improper use of x-rays D. failure to refer patient to a specialist REFERENCE: Brodnik, pp 71-72 Green and Bowie, pp 267, 350 McWay (2010), pp 75-76, 414 Pozgar, pp 56, 115-117, 582
leaving a foreign body inside a patient
Referring to Case Study #1, the written statement by Dr. Roberts about Nurse Parrish's professional competence in the patient's medical record can constitute A. perjury. B. defamation. C. slander. D. libel. REFERENCE: Brodnik, pp 76-77 LaTour, Eichenwald-Maki, and Oachs, p 305 McWay (2010), pp 80, 411 Pozgar, pp 47-48, 580 Roach, p 401
libel
Dr. Sam Vineyard improperly performed a knee replacement surgery, which caused the patient to develop an infection that lead to the amputation of the leg and thigh. The best term to describe the action performed is A. malpractice. B. malfeasance. C. misfeasance. D. nonfeasance. REFERENCE: Brodnik, p 70 LaTour, Eichenwald-Maki, and Oachs, p 304 Pozgar, p 33
misfeasance
Which of the following is an example of administrative safeguards under the security rule? A. monitoring the computer access activity of the user B. encryption C. assigning unique identifiers D. monitoring traffic on the network REFERENCE: McWay (2014), p 291
monitoring the computer access activity of the user
Referring to Case Study #3, the resident's family brought legal action against the nursing facility for A. vicarious liability. B. assault and battery. C. medical abandonment. D. negligence. REFERENCE: Brodnik, pp 69-71 Green and Bowie, pp 267, 345 LaTour and Eichenwald-Maki, pp 304-305, 933 McWay (2010), pp 71-72, 412 McWay (2014), p 65 Pozgar, pp 32-40, 150-152, 581
negligence
The ownership of the information contained in the physical medical/health record is considered to belong to the A. physician. B. hospital. C. insurance company. D. patient. REFERENCE: Green and Bowie, pp 72-73 LaTour and Eichenwald-Maki, p 312 McWay (2010), pp 194-196 McWay (2014), pp 73-76 Pozgar, p 279
patient
Which of the following HIPAA components would the general New Employee Orientation training most likely cover? A. physical/workstation security B. job-specific training (e.g., patient's right to amend record) C. business associate agreements D. marketing issues REFERENCE: AHIMA Practice Brief
physical/workstation security Physical/workstation security is the correct choice - training would be appropriate for all employees in general orientation training. Job-specific training would be better suited to training in the department in which the employee will work, so that is not correct. The remaining choices are also not correct because they indicate higher levels of functions that would not be performed by all new employees.
In conducting an environmental risk assessment, which of the following would be considered in the assessment? A. authentication B. placement of water pipes in the facility C. verifying that virus checking software is in place D. use of single sign-on technology REFERENCE: Dennis, p 18 McWay (2014), p 327 Sayles, p 1034
placement of water pipes in the facility
Sally is a HIM professional with many years of experience. Unlike some of her colleagues, Sally loves the challenge of adapting to change. She is happy that HIPAA empowers the Secretary of DHHS to adopt standards for electronically maintained health information. Sally hopes that the standardization under HIPAA will make it easier to design safeguards for electronic data, to protect against unauthorized access, to A. submit revisions of claims as they are denied, and to track third-party payers. B. protect electronic records from corruption, and to prosecute hackers under federal law. C. prevent the corruption of electronically stored data, and to protect the integrity of the information itself. D. make and use copies of the data, and to guard against unauthorized data integration. REFERENCE: Abdelhak, p 209 LaTour, Eichenwald-Maki, and Oachs, pp 17, 99-101, 132, 134, 161-163 187, 208, 229, 343 Sayles, pp 1041, 1229
prevent the corruption of electronically stored data, and to protect the integrity of the information itself.
Bay Area Home Care utilizes a discipline system that provides for stronger penalties for each successive repeat offense. They are most likely using A. preventive discipline. B. progressive discipline. C. corrective discipline. D. terminating discipline. REFERENCE: Abdelhak, pp 601-603 LaTour, Eichenwald-Maki, and Oachs, p 755 Liebler and McConnell, pp 413-416 McConnell, p 219 McWay, p 378 Sayles, pp 1102-1103
progressive discipline
A patient authorizes Park Hospital to send a copy of a discharge summary for the latest hospitalization to Flowers Hospital. The hospital uses the discharge summary in the patient's care and files it in the medical record. When Flowers Hospital receives a request for records, a copy of Park Hospital's discharge summary is sent. This is an example of A. satisfactory assurance. B. inappropriate release. C. a privacy violation. D. redisclosure. REFERENCE: Abdelhak, p 540 Green and Bowie, pp 295-296 Krager and Krager, pp 127-128 Servais, pp 345-349
redisclosure
A clerk's work performance has diminished dramatically during the past 2 weeks. The supervisor initiates a discussion with the clerk, during which the clerk reveals that he recently accepted that he has an alcohol addiction. The clerk states an intention to quit drinking completely. The supervisor should A. suspend the clerk if alcohol has diminished the clerk's job performance. B. refer the clerk to the facility's Employee Assistance Program. C. give the clerk a leave of absence until these problems can be resolved. D. terminate the clerk if it can be proved that alcohol was used on the job. REFERENCE: Abdelhak, p 602 McWay (2014), pp 376-377
refer the clerk to the facility's Employee Assistance Program.
In which of the following circumstances would release of information without the patient's authorization be permissible? A. release to third-party payers B. release to insurance companies C. release to an attorney D. release to state workers' compensation agencies REFERENCE: Brodnik, pp 170-175, 281-282 Green and Bowie, p 291 LaTour, Eichenwald-Maki, and Oachs, p 318 McWay (2010), pp 202-209
release to state workers' compensation agencies
Which of the following situations would require authorization before disclosing PHI? A. releasing information to the Bureau of Disability Determination B. health oversight activity C. workers' compensation D. public health activities REFERENCE: Green & Bowie, p 291
releasing information to the Bureau of Disability Determination
You are reviewing your privacy and security policies, procedures, training program, and so on, and comparing them to the HIPAA and ARRA regulations. You are conducting a A. risk management. B. policy assessment. C. risk assessment. D. compliance audit. REFERENCE: Hjort (2001), p 64A Krager and Krager, pp 86-87, 105 McWay (2010), pp 258-259
risk assessment
Kyle, the HIM Director, has received a request to amend a patient's medical record. The appropriate action for him to take is A. file the request in the chart to document the disagreement with the information contained in the medical record. B. route the request to the physician who wrote the note in question to determine appropriateness of the amendment. C. make the modification because you have received the request. D. return the notice to the patient because amendments are not allowed. REFERENCE: Green and Bowie, pp 84-85 Krager and Krager, pp 44-45 McWay (2014), p 104 Sayles, p 803 Thieleman, p 46
route the request to the physician who wrote the note in question to determine appropriateness of the amendment.
You work for a 60-bed hospital in a rural community. You are conducting research on what you need to do to comply with HIPAA. You are afraid that you will have to implement all of the steps that your friend at a 900-bed teaching hospital is implementing at his facility. You continue reading and learn that you only have to implement what is prudent and reasonable for your facility. This is called A. access control. B. risk assessment. C. scalable. D. technology neutral. REFERENCE: Krager and Krager, p 87 McWay (2014), p 291
scalable
Referring to Case Study #1, the oral statement by Nurse Parrish about Dr. Roberts's professional practices at the nurses' station can constitute A. libel. B. slander. C. defamation. D. perjury. REFERENCE: Brodnik, pp 76-77 LaTour, Eichenwald-Maki, and Oachs, p 305 McWay (2010), pp 80, 415 Pozgar, p 600 Roach, p 401
slander.
The information systems department was performing their routine destruction of data that they do every year. Unfortunately, they accidently deleted a record that is involved in a medical malpractice case. This unintentional destruction of evidence is called A. a security event. B. mitigation. C. forensics. D. spoliation. REFERENCE: Sayles and Trawick, p 310
spoliation
The doctrine that the decisions of the court should stand as precedents for future guidance is A. stare decisis. B. statute of limitations. C. respondeat superior. D. res ipsa loquitur. REFERENCE: Brodnik, p 17 Green and Bowie, p 257 McWay (2010), pp 12-13, 15, 18, 415 Pozgar, pp18, 1582 Roach, pp 16-18
stare decisis.
HIM personnel charged with the responsibility of bringing a medical record to court would ordinarily do so in answer to a A. deposition. B. personal subpoena. C. subpoena duces tecum. D. judgment. REFERENCE: Brodnik, p 31 Green and Bowie, p 289 McWay (2010), pp 40-41, 54, 416 McWay (2014), p 77 Pozgar, p 115 Roach, p 317
subpoena duces tecum
You will be choosing the type of encryption to be used for the new EHR. What are your choices? A. public key and integrity B. symmetric and asymmetric C. asymmetric and public key D. symmetric and conventional REFERENCE: Stallings, p 651
symmetric and asymmetric
Bob submitted his resignation from Coastal Hospital. His last day is today. He should no longer have access to the EHR and other systems as of 5:00 p.m. today. The removal of his privileges is known as A. isolating access. B. password management. C. sanction policy. D. terminating access. REFERENCE: Green and Bowie, p 281
terminating access
Which of the following should the record destruction program include? A. the method of destruction B. citing the laws followed C. the name of the supervisor of the person destroying the records D. requirement of daily destruction REFERENCE: Green and Bowie, pp 96-97 LaTour, Eichenwald-Maki, and Oachs, p 279 McWay (2014), p 136 Sayles, pp 346-347
the method of destruction
In your state, it is legal for minors to seek medical treatment for a sexually transmitted disease without parental consent. When this occurs, who would be expected to authorize the release of the medical information documented in this episode of care to the patient's insurers? A. a court-appointed guardian on behalf of the patient B. the patient C. the custodial parent of the patient D. the patient's doctor on behalf of the patient REFERENCE: Eichenwald-Maki and Oachs, p 317 McWay (2010), p 186
the patient
In preparing the retention schedule for health records, the most concrete guidance in determining when records may be destroyed will be A. the average readmission rate for the facility. B. the available options for inactive records. C. the statute of limitations in your state. D. Joint Commission and AOA standards regarding minimum retention periods. REFERENCE: LaTour, Eichenwald-Maki, and Oachs, pp 274-275 Sayles, p 346
the statute of limitations in your state
Consent forms may be challenged on all the following grounds EXCEPT A. wording was too technical. B. the treating physician obtained the patient's signature. C. it is written in a language that the patient could not understand. D. the signature was not voluntary. REFERENCE: Brodnik, pp 115-118 Green and Bowie, pp 129, 132, 134 Roach, p 97
the treating physician obtained the patient's signature.
Internal disclosures of patient information for patient care purposes should not be granted A. to a family member who is a registered nurse at the facility. B. to the attending physician. C. on a need to know basis. D. to the facility's legal counsel. REFERENCE: Green and Bowie, pp 271, 275 McWay (2014), pp 69-75
to a family member who is a registered nurse at the facility.
As Chief Privacy Officer, you have been asked why you are conducting a risk assessment. Which reason would you give? A. to get rid of problem staff B. to learn about the organization C. to prevent breach of confidentiality D. to change organizational culture REFERENCE: Dennis, p 36 Krager and Krager, pp 86-87, 105 McWay (2014), p 326
to prevent breach of confidentiality
The HIPAA Privacy and Security Rule requires that training be documented. What methods of documenting training efforts need to be used? A. signed confidentiality statements B. training content, training dates, and attendee names C. retention of training aids and handouts D. meeting handouts and minutes REFERENCE: AHIMA Practice Brief
training content, training dates, and attendee names You are required to document the training content, dates, and attendees.