RHIT Exam Prep Chp. 11
The patient has requested an amendment to her health record. The facility, after review with the physician, has decided to deny the request. According to HIPAA, the patient must be notified within how many days?
60
The facility had a security breach. The breach was identified on 10/10/16 and the investigation was completed on 10/15/16. What is the deadline for completing the breach notification?
60 days from 10/10/16 (the clock runs from discovery of the breach, not from the end of the investigation)
Which of the following is an example of a security incident?
A hacker accessed PHI from off-site
Which of the following is an example of a trigger that might be used to focus audit review (and so reduce the volume of auditing)?
A patient and a user have the same last name
The administrator states that he should not have to participate in privacy and security training because he does not use PHI. How should you respond?
All employees are required to participate in the training, including top administration
When logging into a system, you are instructed to enter a string of characters that appear distorted onscreen. What kind of access control is this?
CAPTCHA
The police came to the HIM department and asked that a patient's right to an accounting of disclosures be suspended for two months. What is the proper response to this request?
Certainly, officer; we will be glad to do that as soon as we have the request in writing. (An oral law-enforcement request supports a suspension of no more than 30 days; a two-month suspension requires a written statement.)
HIPAA permits release to a coroner without authorization. State law says the coroner must provide a subpoena. Which of the following is a correct statement?
Follow the state law, because it is stricter (HIPAA is a floor; a more protective state law is not preempted)
Miles has asked you to explain the rights he has under the HIPAA privacy standards. Which of the following is one of his HIPAA-given rights?
He can ask to be contacted at an alternate location (confidential communications)
The clinic has decided to use mobile technology. Which of the following is a best practice for this technology?
Identify who owns the mobile device
Mary processed a request for information and mailed it out last week. The requestor called and said that not all of the information was received. Mary discussed this with her supervisor; the requestor believes more information is still needed. Given the above, which of the following statements is true?
Mary is not required to release the extra documentation, because the facility has the right to interpret a request and apply the minimum necessary standard.
Which of the following statements demonstrates a violation of PHI confidentiality?
Mary, at work yesterday I saw that Susan had a hysterectomy.
Mountain Hospital has discovered a security breach: someone hacked into the system and viewed 50 medical records. According to ARRA (the HITECH Act), what is the responsibility of the covered entity within a reasonable time not to exceed 60 days?
Notify the affected patients
Which of the following is an appropriate use of the emergency access procedure?
Both: one nurse is at lunch and the covering nurse needs patient information, AND a patient is crashing, the attending is not in the hospital, and a helping physician is available
A doctor's office has requested PHI for continued care. The ROI clerk wants to limit the information provided because of the minimum necessary rule. What should the supervisor tell the clerk?
Treatment is an exception to the minimum necessary rule, so process the request as written
Which of the following is a true statement about private key encryption?
Private key (symmetric) encryption uses a single shared key to both encrypt and decrypt; public key encryption, by contrast, uses a public and private key pair
Which of the following would be a business associate?
ROI company
Which of the following situations violates a patient's privacy?
The hospital provides patients' names and addresses to a pharmaceutical company to be used in a mass mailing for free drug samples.
The patient calls and has a telephone consultation. Which of the following is true about the notice of privacy practices?
The notice of privacy practices can be mailed to the patient
Your physician's office has a data integrity issue. What does this mean?
There has been an unauthorized alteration of patient information
A nurse has been flagged for review because she logged into the EHR in the evening, although she usually works the day shift. Why should this conduct be reviewed rather than acted on immediately?
This needs to be investigated before a decision is made because there may be a legitimate reason why she logged in at this time.
You have been given some information that includes the patient's account number. Which statement is true?
This is not de-identified information, because it is possible to identify the patient (an account number is one of the identifiers that must be removed)
A patient signed an authorization to release information to a physician but decided not to go to the physician. Can he stop the release?
Yes, as long as the information has not already been released
Nancy has asked the health care facility for a copy of her grandmother's health record. Her grandmother died 20 years ago. Nancy is not the executor of the estate, and she does not want to ask her aunt for permission. Select the appropriate response to Nancy.
You cannot access your grandmother's record; her PHI remains protected for 50 years after her death
Which of the following examples is an exception to the definition of breach?
a coder accidentally sends PHI to a billing clerk in the same facility (an unintentional, good-faith disclosure within the workforce of the covered entity)
To which of the following requesters can a facility release information about a patient without that patient's authorization?
A court, with a court order
Someone accessed the covered entity's EHR and sold the information that was accessed. This person is known as which of the following?
a cracker
Researchers can access patient information without the patient's authorization if it is
a limited data set (released under a data use agreement)
When patients are able to obtain a copy of their health record, this is an example of which of the following?
a patient right
You have been asked to create a presentation on intentional and unintentional threats. Which of the following should be included in the list of threats you cite?
a patient's SSN being used for credit card applications
The supervisors have decided to give nursing staff access to the EHR: they can add notes, view, and print. This is an example of what?
a workforce clearance procedure
The company's policy states that audit logs, access reports, and security incident reports should be reviewed daily. This review is known as
an information system activity review
Before a user is allowed to access PHI, the system confirms that this is a valid user. This is known as
authentication
Which of the following is the term used to identify who made an entry into a health record?
authorship
You have been asked to provide examples of technical security measures. Which of the following would you include in your list of examples?
automatic logout
Three components of a data security program are protecting the privacy of data, ensuring the integrity of data, and ensuring the
availability of data
Which security measure utilizes fingerprints or retina scans?
biometrics
In case your system crashes, your facility has defined the policies and procedures necessary to keep the business going. This is known as a
business continuity plan
The computer system containing the EHR was located in a room that was flooded. As a result, the system is inoperable. Which of the following would be implemented?
business continuity processes
The HIPAA security rule applies to which of the following?
clinical data repository
You are a nurse who works on 3West during the day shift. One day, you had to work the night shift because they were shorthanded. However, you were unable to access the EHR. What type of access controls are being used?
context-based
Alisa has trouble remembering her password and is trying to come up with a solution that will help her remember. Which of the following is the best practice?
creating a password that uses a combination of letters and numbers
In a recent review, it was determined that the EHR is essential to the operations of the home health agency. What type of review is this?
criticality analysis
Your organization is sending confidential patient information across the internet using technology that transforms the original data into unintelligible code that can be recovered only by authorized users. This technique is called:
data encryption
You have been asked to give an example of secure information. Which of the following will you give as your answer?
data is encrypted, which makes it unreadable without the key
Which of the following can be released without consent or authorization?
de-identified health information
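The three cards above (account number makes data identifiable, researchers may use a limited data set, de-identified data needs no authorization) describe one classification. The following is an added example, not part of the flashcards or any textbook: it sorts a record into "identified", "limited data set" or "de-identified" by the Privacy Rule's Safe Harbor identifier categories, and shows how the same record is reduced to each form. Field names, the sample record and the ZIP-population assumption are mine.

```python
"""Safe Harbor de-identification vs. a limited data set.

Added example, not part of the flashcards. The record layout and field
names are assumed for illustration; the identifier categories follow the
HIPAA Privacy Rule (45 CFR 164.514(b)(2) Safe Harbor, 164.514(e)(2)
limited data set).
"""

# Direct identifiers that must be absent from BOTH a limited data set and a
# Safe Harbor de-identified record (assumed field names).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo",
}

# Elements a limited data set may keep but Safe Harbor must also remove:
# full dates (only the year may stay) and geography smaller than a state.
LIMITED_DATA_SET_ONLY = {"city", "zip", "birth_date", "admit_date", "discharge_date"}

# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "account_number": "ACCT-0001234",
    "birth_date": "1950-03-14",
    "admit_date": "2016-10-10",
    "discharge_date": "2016-10-15",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "age": 66,
    "diagnosis": "I10",
}


def present_identifiers(record):
    """Identifier fields in the record that actually carry a value."""
    tracked = DIRECT_IDENTIFIERS | LIMITED_DATA_SET_ONLY
    return {k for k, v in record.items() if k in tracked and v not in (None, "")}


def classify(record):
    """Return 'identified', 'limited data set' or 'de-identified'."""
    present = present_identifiers(record)
    if present & DIRECT_IDENTIFIERS:
        return "identified"          # a single account number is enough
    if present & LIMITED_DATA_SET_ONLY:
        return "limited data set"
    if isinstance(record.get("age"), int) and record["age"] > 89:
        return "limited data set"    # Safe Harbor aggregates ages over 89
    return "de-identified"


def make_limited_data_set(record):
    """Strip direct identifiers; dates, city/state/ZIP and age remain.
    Release to researchers still requires a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def de_identify(record):
    """Apply the Safe Harbor method on top of the limited data set.
    Dates are assumed to be ISO 'YYYY-MM-DD' strings."""
    out = {}
    for k, v in make_limited_data_set(record).items():
        if k.endswith("_date"):
            out[k[:-5] + "_year"] = v[:4]   # keep the year only
        elif k == "zip":
            out["zip3"] = v[:3]             # assumes the 3-digit ZIP area holds > 20,000 people
        elif k == "city":
            continue                        # smaller than a state: dropped (state may stay)
        elif k == "age":
            out["age"] = "90+" if v > 89 else v
        else:
            out[k] = v
    return out
```

Note that `classify` treats a lone account number exactly as the card says: one direct identifier is enough to make the record identifiable, regardless of how much else was stripped.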
You have been given the responsibility of destroying the PHI contained on the system's old server before it is discarded. What destruction method do you recommend?
degaussing (effective for magnetic disks; solid-state drives need cryptographic erase or physical destruction)
Our website was attacked and overloaded with traffic until it could not serve users. What type of attack was this?
denial of service
As chief privacy officer for Premier Medical Center, you are responsible for which of the following?
developing a plan for reporting privacy complaints
What type of signature uses encryption?
digital signature
Contingency planning includes which of the following processes?
disaster planning
You are defining the designated record set for South Beach Healthcare Center. Which of the following would be included?
discharge summary
The patient has the right to agree or object in which of the following situations?
disclosing information to a family member who is directly involved in care
A hacker recently accessed our database. We are trying to determine how the hacker got through the firewall and exactly what was accessed. The process used to gather this evidence is called
forensics
A certificate authority validates the use of encryption between two organizations' websites. How does it validate it?
digital certificate
An employee in the admissions department stole a patient's name, SSN, and other information and used it to get a charge card in the patient's name. This is an example of
identity theft
The Fair and Accurate Credit Transactions Act works to reduce
identity theft
The surgeon comes out to speak to a patient's family. He tells them that the patient came through the surgery fine, the mass was benign, and they can see the patient in an hour. He talks quietly so the other people in the waiting room will not hear, but someone walking by overhears. This is called a(n)
incidental disclosure
A covered entity:
includes health care providers who perform specified transactions electronically
PHI includes
individually identifiable health information in any format stored by a health care provider or business associate
A mechanism to ensure that PHI has not been altered or destroyed inappropriately has been established. This is called
integrity
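The integrity card above and the earlier data-integrity card (unauthorized alteration of patient information) describe a property; the following is an added example, not from the flashcards, of one mechanism that provides it: a keyed integrity tag (HMAC-SHA256) over a record entry, so that any alteration without the key is detected. The record layout and the demo key are assumptions.

```python
"""Tamper-evident integrity tag for a health record entry (HMAC-SHA256).

Added example, not from the flashcards. The record layout and the key are
assumed for illustration; a real deployment would keep the key in a KMS or
HSM and would use an asymmetric signature if non-repudiation (authorship)
is also required.
"""
import hashlib
import hmac
import json

# Assumed demo key; never hard-code a real one.
KEY = b"demo-integrity-key-not-for-production"

# Constructed sample progress note, not real data.
NOTE = {
    "mrn": "MRN-000123",
    "author": "dr.lee",
    "ts": "2016-10-10T09:00:00",
    "text": "BP 120/80, continue current medication.",
}


def canonical(record):
    """Stable byte serialization: same content, same bytes, same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record, key=KEY):
    """Integrity tag. A plain hash would catch accidental corruption, but
    anyone who can edit the record could recompute it; the keyed MAC means
    an unauthorized alteration cannot be re-sealed without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record, tag, key=KEY):
    """Constant-time comparison so the check does not leak the tag."""
    return hmac.compare_digest(seal(record, key), tag)


def demonstrate_tamper():
    """Return (original verifies, altered copy verifies) -> (True, False)."""
    tag = seal(NOTE)
    altered = dict(NOTE, text="BP 180/110, continue current medication.")
    return verify(NOTE, tag), verify(altered, tag)
```

The canonical serialization matters: without sorted keys and fixed separators, the same note stored by two systems could produce different bytes and a false integrity failure.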
The information system has just notified you that someone has attempted to access the system inappropriately. This process is known as
intrusion detection
Which of the following statements is true about the Privacy Act of 1974?
It applies to the federal government
John is a 45-year-old male who is not mentally competent. Who can authorize release of his health record?
legal guardian
Which of the following is an example of administrative safeguards under the security rule?
monitoring the computer access activity of the user
I have been asked if I want to be in the directory. The admission clerk explains that if I am in the directory,
my friends and family can find out my room number
Intrusion detection systems analyze
network traffic
The purpose of the notice of privacy practices is to
notify the patient of uses of PHI
An effective monitoring program contains which of the following?
outlining how employees suspected of a breach will be confronted
Which of the following is an example of two-factor authentication?
password and token (something you know plus something you have)
Which of the following is allowed by HIPAA?
permitting a spouse to pick up medication for the patient
The HIM director received an email, apparently from the technology support services department, saying that her mailbox was full and asking for her password. The director contacted tech support, who confirmed that they did not send the email. This is an example of what type of attack?
phishing
The physician office has set its information systems to log users out after 5 minutes of inactivity. This is an example of which of the following?
technical safeguard (automatic logoff)
In conducting an environmental risk assessment, which of the following would be considered in the assessment?
placement of water pipes in the facility
HIPAA allows health care providers to charge patients a reasonable, cost-based fee for copies of their records. Which of the following may be included when determining the charge?
preparing a summary (when the patient has agreed in advance to receive a summary)
The patient has the right to control access to his or her health information. This is known as
privacy
Ms. Thomas was a patient at your facility. She has been told that there are some records that she cannot have access to. These records are most likely
psychotherapy notes
To prevent their network from going down, a company has duplicated much of its hardware and cables. This duplication is called
redundancy
Which of the following disclosures would require patient authorization?
release to patient's family
Which of the following situations would require authorization before disclosing PHI?
releasing information to the Bureau of Disability Determination
You are looking for potential problems and violations of the privacy rule. What is this security management process called?
risk assessment
You are reviewing your privacy and security policies, procedures, training program, and so on, and comparing them to the HIPAA and ARRA regulations. You are conducting a
risk assessment
You have to determine how likely a threat will occur. What is this assessment known as?
risk determination
Kyle, the HIM director, has received a request to amend a patient's health record. The appropriate action for him to take is
route the request to the physician who wrote the note in question to determine appropriateness of the amendment
You are conducting research on what you need to do to comply with HIPAA. You are afraid that you will have to implement all of the steps that your friend at a 900-bed teaching hospital is implementing at his facility. You continue reading and learn that you only have to implement what is prudent and reasonable for your facility. This is called
scalable
Which of the following documents is subject to the HIPAA security rule?
scanned operative report stored on CD
You have to decide which type of firewall you want to use in your facility. Which of the following is one of your options?
packet-filtering firewall (secure sockets layer is an encryption protocol, not a firewall type)
You work for an organization that publishes a health information management journal and provides clearinghouse services. What must you do?
separate the ePHI from the non-covered-entity portion of the organization (a hybrid entity)
The information systems department was performing the routine destruction of data that it does every year. Unfortunately, they accidentally deleted a record that is involved in a medical malpractice case. This unintentional destruction of evidence is called
spoliation
Before we can go any further with our risk analysis, we need to determine what systems/information needs to be protected. This step is known as
system characterization
Bob submitted his resignation from Coastal Hospital. His last day is today, and he should no longer have access to the EHR and other systems as of 5 pm. The removal of his privileges is known as
terminating access
A home health care agency employee has contacted the CMS to report health care fraud. Patient information is provided in the report. Which of the following is true?
the disclosure is not a violation of HIPAA if the information was provided in good faith
Which statement is true about when a family member can be provided with PHI?
the family member is directly involved in the patient's care
Which of the following should the record destruction program include?
the method of destruction
Breach notification is required unless:
the probability of PHI being compromised is low
John is allowed to delete patients in the EHR. Florence is not. They both have the same role in the organization. What is different?
their permissions
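The permissions card above, the context-based card (a day-shift nurse denied EHR access at night), the nursing access grant, the terminating-access card and the emergency access card all describe pieces of one access decision. The following is an added example, not from the flashcards, that puts them in one authorization function: role permissions, per-user grants and revocations (same role, different permissions), a shift and unit context check, a terminated flag, and a logged break-glass path. Role names, permission names, the shift schedule and the break-glass rules are assumptions.

```python
"""Role + per-user permissions + context (shift, unit) access decision,
with a logged emergency-access path.

Added example, not from the flashcards. Role names, permission names, the
shift schedule and the break-glass rules are assumed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Permissions granted by role (the nursing grant: add notes, view, print).
ROLE_PERMISSIONS = {
    "nurse": {"view", "add_note", "print"},
    "him_director": {"view", "add_note", "print", "delete"},
}

# Audit trail for emergency access; every entry must be reviewed afterwards.
EMERGENCY_AUDIT = []


@dataclass
class User:
    user_id: str
    role: str
    unit: str
    shift: tuple                      # (start_hour, end_hour); end < start = overnight
    extra_permissions: set = field(default_factory=set)
    revoked_permissions: set = field(default_factory=set)
    terminated: bool = False          # set at 5 pm on the last day (terminating access)


def effective_permissions(user):
    """Same role, different permissions: per-user grants and revocations."""
    base = ROLE_PERMISSIONS.get(user.role, set())
    return (base | user.extra_permissions) - user.revoked_permissions


def on_shift(shift, when):
    """True if the hour falls inside the scheduled shift (handles overnight)."""
    start, end = shift
    h = when.hour
    return start <= h < end if start < end else (h >= start or h < end)


def authorize(user, action, patient_unit, when):
    """Return (allowed, reason). Context-based controls: the user must be
    on shift and the patient must be on the user's unit."""
    if user.terminated:
        return False, "access terminated"
    if action not in effective_permissions(user):
        return False, f"role '{user.role}' lacks permission '{action}'"
    if not on_shift(user.shift, when):
        return False, "outside scheduled shift"
    if patient_unit != user.unit:
        return False, "patient is not on the user's unit"
    return True, "ok"


def emergency_access(user, patient_unit, when, justification):
    """Break-glass: grant 'view' even when the context checks fail, but only
    for non-terminated users who hold 'view', and record it for review."""
    if user.terminated or "view" not in effective_permissions(user):
        return False
    EMERGENCY_AUDIT.append({
        "user": user.user_id, "patient_unit": patient_unit,
        "ts": when.isoformat(), "justification": justification,
        "needs_review": True,
    })
    return True


def at(hour, day=10):
    """Helper for readable timestamps in the demo (assumed date: Oct 2016)."""
    return datetime(2016, 10, day, hour)


# Constructed users matching the cards (not real staff).
JOHN = User("john", "nurse", "3West", (7, 19), extra_permissions={"delete"})
FLORENCE = User("florence", "nurse", "3West", (7, 19))
BOB = User("bob", "him_director", "HIM", (8, 17), terminated=True)
```

The ordering of the checks is deliberate: a terminated account is refused before anything else is consulted, and the break-glass path bypasses only the context checks, never the terminated flag or the underlying permission.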
Critique this statement: a business associate has the right to use a health care facility's information beyond the scope of their agreement with the health care facility.
this is a false statement because it is prohibited by the HIPAA privacy rule.
As chief privacy officer, you have been asked why you are conducting a risk assessment. Which reason would you give?
to prevent breach of confidentiality
Which of the following is an example of an administrative safeguard?
training
Critique this statement: security training must be face to face
training can use many different methods
An employee was recently caught accessing his wife's health record. The system automatically notified staff of a potential breach because the user and the patient have the same last name. This is an example of a
trigger
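Three cards describe audit triggers (same last name between user and patient, a day-shift user logging in at night) and one warns that a triggered event needs investigation rather than an automatic verdict. The following is an added example, not from the flashcards, that runs those triggers, plus two common extras (patient on another unit, VIP patient), over a constructed access log and emits findings marked "needs review". The log layout, shift schedule and unit exemptions are assumptions.

```python
"""Run audit triggers over EHR access-log events and flag the ones that
need human review (not automatic discipline).

Added example, not from the flashcards. The log layout, field names,
shift schedule and exemption list are assumed for illustration.
"""
from datetime import datetime

# Constructed sample access log, not real data.
ACCESS_LOG = [
    dict(ts="2016-10-10T09:12:00", user="nurse.jones", user_last="Jones", user_unit="3West",
         patient_id="P001", patient_last="Smith", patient_unit="3West"),
    dict(ts="2016-10-10T21:40:00", user="nurse.jones", user_last="Jones", user_unit="3West",
         patient_id="P002", patient_last="Lee", patient_unit="3West"),
    dict(ts="2016-10-11T10:05:00", user="clerk.adams", user_last="Adams", user_unit="Admissions",
         patient_id="P003", patient_last="Adams", patient_unit="4East"),
    dict(ts="2016-10-11T10:06:00", user="nurse.jones", user_last="Jones", user_unit="3West",
         patient_id="P005", patient_last="Mayor", patient_unit="3West"),
]

# Assumed schedule: (start_hour, end_hour) for each user.
SCHEDULED_SHIFT = {"nurse.jones": (7, 19), "clerk.adams": (8, 17)}
# Assumed list of high-profile patients whose records get extra scrutiny.
VIP_PATIENTS = {"P005"}
# Departments that legitimately touch patients on every unit.
UNIT_EXEMPT = {"Admissions", "HIM"}


def same_last_name(ev):
    return ev["user_last"].casefold() == ev["patient_last"].casefold()


def off_shift(ev, shifts):
    """True if the event falls outside the user's scheduled hours."""
    shift = shifts.get(ev["user"])
    if shift is None:
        return False                      # no schedule on file: cannot judge
    start, end = shift
    hour = datetime.fromisoformat(ev["ts"]).hour
    return not (start <= hour < end)


def other_unit(ev):
    return ev["user_unit"] not in UNIT_EXEMPT and ev["user_unit"] != ev["patient_unit"]


def is_vip(ev, vips):
    return ev["patient_id"] in vips


def run_triggers(events, shifts=SCHEDULED_SHIFT, vips=VIP_PATIENTS):
    """Return one finding per event that fired at least one trigger.
    Every finding is 'needs review': a trigger is a reason to look, not a verdict."""
    findings = []
    for ev in events:
        reasons = []
        if same_last_name(ev):
            reasons.append("user and patient share a last name")
        if off_shift(ev, shifts):
            reasons.append("access outside scheduled shift")
        if other_unit(ev):
            reasons.append("patient on a different unit")
        if is_vip(ev, vips):
            reasons.append("VIP / high-profile patient")
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"],
                             "patient_id": ev["patient_id"],
                             "reasons": reasons, "status": "needs review"})
    return findings


def review_reduction(events, findings):
    """Fraction of log entries the triggers let reviewers skip."""
    return 1 - len(findings) / len(events) if events else 0.0
```

On the sample log the triggers cut the review queue from four entries to three, each carrying the reason it fired; the admissions clerk with a same-surname patient is the exact case of the card above, and the decision still belongs to a human.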
The research coordinator viewed 10 patients records for a research study being conducted. Select the term used for this practice.
use
The data on a hard drive were erased by a corrupted file that had been attached to an email message. Which of the following can be used to prevent this?
virus checker
Before an employee can be given access to the EHR someone has to determine what the employee is allowed to have access to. What is this known as?
workforce clearance procedure
You have been assigned the responsibility of performing an audit to confirm that all of the workforce's access is appropriate for their role in the organization. This process is called
workforce clearance procedure
Your department was unable to provide a patient with a copy of his record within the 30-day limit. What should you do?
Write the patient, stating the reason for the delay and the date by which the copy will be provided (one 30-day extension is allowed)
If an authorization is missing the patient's SSN, can it still be valid?
Yes (the SSN is not a required element of a valid authorization)