Chapter 9 - Data Privacy and Confidentiality Review Quiz
In court, hearsay is generally _____ A. Non-admissible B. A key component of the decision-making process C. Admissible D. E-discovery
A. Non-admissible
Who of the following would be considered a member of a hospital's workforce? a. A clerk working in the hospital's registration office b. A lawn care service for the hospital grounds c. An employee of a company that picks up laundry from the hospital every day d. An employee of one of the hospital's business associates who is on the hospital premises occasionally
a. A clerk working in the hospital's registration office
Which of the following should be included in a covered entity's notice of privacy practices? a. Description with one example of disclosures made for treatment purposes b. Description of one other purpose for which a covered entity is permitted or required to disclose PHI without consent or authorization c. Statement of the healthcare organization's rights d. Patient's signature and e-mail address
a. Description with one example of disclosures made for treatment purposes
When would PHI lose its status? a. If health information is not identified by the person's name b. After an individual has been deceased more than 50 years c. When it is being used for research d. When it is in the hands of a business associate
a. If health information is not identified by the person's name
A covered entity may deny an individual's amendment request for which of the following reasons? a. If the PHI in question is not part of the designated record set b. If the PHI in question was created by the covered entity and therefore cannot be amended c. If the PHI in question cannot be amended in an electronic health record d. If the PHI in question was created over a year ago
a. If the PHI in question is not part of the designated record set
The HIPAA Privacy Rule requires that covered entities limit use, access, and disclosure of PHI to the least amount necessary to accomplish the intended purpose. What concept is this? a. Minimum necessary b. Notice of privacy practice c. Authorization d. Consent
a. Minimum necessary
A subpoena should be accompanied by which of the following? a. Patient authorization b. Patient consent c. Court order d. Interrogatory
a. Patient authorization
Which of the following is true of the Health Insurance Portability and Accountability Act (HIPAA)? a. Provides a federal floor for healthcare privacy b. Duplicates state laws c. Does not need to be followed if it is not feasible to do so d. Duplicates Joint Commission standards
a. Provides a federal floor for healthcare privacy
Critique this statement: According to HIPAA, workforce members include students. a. This is a true statement b. This is a false statement as students are not employees in the organization c. This is a false statement as workforce includes employees only d. This is a false statement as the workforce includes employees and physicians only
a. This is a true statement
In which of the following instances must patient authorization be obtained prior to disclosure? a. To an insurance company for payment b. To the patient's attorney c. To public health authorities as required by law d. To another provider for treatment
a. To an insurance company for payment
Under the HIPAA Privacy Rule, which of the following is a covered entity category? a. Business associate b. Healthcare clearinghouse c. Physician office d. Document disposal company
b. Healthcare clearinghouse
Which of the following statements about a facility directory of patients is true? a. Disclosures from the directory need not be included in an accounting of disclosures. b. Individuals must provide a written authorization before information can be placed in the directory. c. The directory must contain only the patient's name and birth date. d. The directory may contain diagnostic information as long as it is kept confidential.
b. Individuals must provide a written authorization before information can be placed in the directory.
Which of the following is true of the notice of privacy practices? a. It must be made available at the corporate headquarters b. It must be posted in a prominent place c. Its content cannot be changed d. It cannot be posted on the website
b. It must be posted in a prominent place
Which of the following statements is true of the notice of privacy practices? a. It gives the covered entity permission to use information for treatment purposes. b. It must be provided to every individual at the first time of contact or service with the covered entity. c. It must be provided to the individual by the covered entity within 10 days after receipt of treatment or service. d. It serves the same purpose as the authorization.
b. It must be provided to every individual at the first time of contact or service with the covered entity.
The breach notification requirement applies to: a. All PHI b. Unsecured PHI only c. Electronic PHI only d. PHI on paper only
b. Unsecured PHI only
Under usual circumstances, a covered entity must act on a patient's request to review or copy his or her health information within what time frame? a. 10 days b. 20 days c. 30 days d. 60 days
c. 30 days
How many days does a covered entity have to respond to an individual's request for access to his or her PHI when the PHI is stored offsite? a. 10 days beyond the original requirement b. 30 days c. 60 days d. 90 days
c. 60 days
Which of the following statements is true? a. An authorization must contain an expiration date or event b. A consent for use and disclosure of information must be obtained from every patient. c. An authorization must be obtained for uses and disclosures for treatment, payment, and operations. d. A notice of privacy practices must give ten examples of a use or disclosure for healthcare operations.
c. An authorization must be obtained for uses and disclosures for treatment, payment, and operations.
Which of the following statements about a business associate agreement is true? a. It allows the business associate to use or disclose PHI for any purpose. b. It allows the business associate to maintain PHI indefinitely after termination of the contract. c. It allows the business associate to use or disclose PHI in limited ways. d. It requires the business associate to make available records relating to PHI use and disclosure to the HHS.
c. It allows the business associate to use or disclose PHI in limited ways.
Under the HIPAA Privacy Rule, an impermissible use or disclosure should be presumed to be a breach unless the covered entity or business associate demonstrates that the probability the PHI has been compromised is __________. a. High b. Moderate c. Low d. Non-existent
c. Low
The American Recovery and Reinvestment Act expanded the definition of business associates to include which of the following? a. Consultants b. Billing companies c. Patient safety organizations d. Transcription companies
c. Patient safety organizations
Which of the following is true about a facility's patient directory? a. A written authorization from the patient is required before any information about the patient is placed in a facility directory. b. Only the patient's name may be placed in a facility directory. c. The covered entity must inform the individual of the information to be included in the facility directory. d. Because this is considered a normal hospital operation, an individual may not prohibit his or her inclusion in the directory.
c. The covered entity must inform the individual of the information to be included in the facility directory.
The designated record set includes which of the following? a. Strategic plan b. Policies and procedures c. Audits d. Billing records
d. Billing records
In which of the following situations can PHI be disclosed without authorization, as long as there was an opportunity for the individual to agree or object? a. Disclosures for public health purposes b. Disclosures to health oversight agencies c. Disclosures regarding decedents d. Facility directory disclosures
d. Facility directory disclosures
Which of the following is a public interest and benefit exception to the authorization requirement? a. Treatment, payment and operations b. Facility directory c. Notification of relatives and friends d. Judicial and administrative proceedings
d. Judicial and administrative proceedings