Domain 2: Access Disclosure, Privacy, Security Practice Questions
Within the context of electronic health records, protecting data privacy means defending or safeguarding: A. Access to information B. Data availability C. Health record quality D. System implementation
A. Access to information
Which of the following is NOT an identifier under the Privacy Rule? A. Age 75 B. Vehicle license plate BZLITYR C. Street address 265 Cherry Valley Rd D. Visa account 2773 985 0468
A. Age 75
A secretary in the Nursing Office was recently hospitalized with ketoacidosis. She comes to the HIM department and requests her health record. Of the options here, what is the best course of action? A. Allow her to review her record after obtaining authorization from her B. Refer the patient to her physician for the information C. Tell her to go through her supervisor for the information D. Tell her that hospital employees cannot access their own medical records
A. Allow her to review her record after obtaining authorization from her
Which of the following administrative safeguards includes policies and procedures for responding to emergencies or failures in systems that contain e-PHI? A. Contingency plan B. Security training C. Workforce security D. Information access management
A. Contingency plan
An electronic health record risk analysis is helpful to: A. Identify security threats B. Identify which employees should have access to data C. Establish password controls D. Establish audit controls
A. Identify security threats
An audit trail may be used to detect which of the following: A. Unauthorized access to a system B. Loss of data C. Presence of a virus D. Successful completion of a backup
A. Unauthorized access to a system
Which of the following statements is true in regard to responding to requests from individuals for access to their protected health information (PHI)? A. A cost-based fee may be charged for retrieval of PHI B. A cost-based fee may be charged for making a copy of the PHI C. No fees of any type may be charged D. A minimal fee may be charged for the retrieval and copying of PHI
B. A cost-based fee may be charged for making a copy of the PHI
Which of the following are policies and procedures required by HIPAA that address the management of computer resources and security? A. Access controls B. Administrative safeguards C. Audit safeguards D. Role-based controls
B. Administrative safeguards
Which of the following laws created the HITECH act? A. Health Insurance Portability and Accountability Act B. American Recovery and Reinvestment Act C. Consolidated Omnibus Budget Reconciliation Act D. Healthcare Quality Improvement Act
B. American Recovery and Reinvestment Act (ARRA)
The protection measures and tools for safeguarding information and information systems is a definition of: A. Confidentiality B. Data security C. Informational privacy D. Informational access control
B. Data security
What does the term access control mean? A. Identifying the greatest security risks B. Identifying which data employees should have a right to use C. Implementing safeguards that protect physical media D. Restricting access to computer rooms and facilities
B. Identifying which data employees should have a right to use
Which of the following are security safeguards that protect equipment, media, and facilities? A. Administrative controls B. Physical safeguards C. Audit controls D. Role-based safeguards
B. Physical safeguards
St. Joseph's Hospital has a psychiatric service on the sixth floor of the hospital. A 31-year-old male has come to the HIM department and requested to see a copy of his medical record. He indicated he was a patient of Dr. Schmidt, a psychiatrist, and that he was on the sixth floor of St. Joseph's for the last two months. These records are not psychotherapy notes. Of the options here, what is the best course of action? A. Prohibit the patient from accessing his record, as it contains psychiatric diagnoses that may greatly upset him B. Allow the patient to access his record C. Allow the patient to access his record if, after contacting his physician, his physician does not think it will be harmful to the patient D. Deny access because HIPAA prevents patients from reviewing their psychiatric records
C. Allow the patient to access his record if, after contacting his physician, his physician does not think it will be harmful to the patient
The HIM supervisor suspects that a departmental employee is accessing the EHR for personal reasons, but has no specific data to support this suspicion. In this case, what should the supervisor do? A. Confront the employee B. Send out information to all department employees reminding them of the hospital policy on internet use C. Ask the security officer for audit trail data to confirm or disprove the suspicion D. Transfer the employee to another job that does not require computer usage
C. Ask the security officer for audit trail data to confirm or disprove the suspicion
Which of the following is an example of data security? A. Contingency planning B. Fire protection C. Automatic logoff after inactivity D. Card key for access to data center
C. Automatic logoff after inactivity
What is the biggest threat to the security of healthcare data? A. Natural disasters B. Fires C. Employees D. Equipment malfunctions
C. Employees
The function used to provide access controls, authentication, and audit logging in an HIE is: A. Patient identification B. Record location service C. Identity management D. Consent management
C. Identity management
A secure method of communication between the healthcare provider and the patient is a(n): A. Personal health record B. E-mail C. Patient portal D. Online health information
C. Patient portal
Placing locks on computer room doors is considered what type of security control? A. Access controls B. Workstation control C. Physical safeguard D. Security breach
C. Physical safeguard
During user acceptance testing of a new EHR system, physicians are complaining that they have to use multiple log-on screens to access all system modules. For example, they have to use one log-on for CPOE and another log-on to view laboratory results. One physician suggests having a single sign-on that would provide access to all the EHR system components. However, the hospital administrator thinks that one log-on would be a security issue. What information should the HIM director provide? A. Single sign-on is not supported by HIPAA security measures B. Single sign-on is discouraged by the Joint Commission C. Single sign-on is less frustrating for the end user and can provide better security D. Single sign-on is not possible given today's technology
C. Single sign-on is less frustrating for the end user and can provide better security
What resource should be consulted in terms of who may authorize access, use, or disclose the health records of minors? A. HIPAA because it has strict rules regarding minors B. Hospital attorneys because they know the rules of the hospital C. State law because HIPAA defers to state laws on matters related to minors D. Federal law because HIPAA overrides state laws on matters related to minors
C. State law because HIPAA defers to state laws on matters related to minors
In which of the following situations must a covered entity provide an appeals process for denials to requests from individuals to see their own health information? A. Any time access is requested B. When the covered entity is a correctional institution C. When a licensed healthcare professional has determined that access to PHI would likely endanger the life or safety of the individual D. When the covered entity is unable to produce the health record
C. When a licensed healthcare professional has determined that access to PHI would likely endanger the life or safety of the individual
Under HIPAA rules, when an individual asks to see his or her own health information, a covered entity: A. Must always provide access B. Can always deny access C. Can demand that the individual pay to see his or her record D. Can deny access to psychotherapy notes
D. Can deny access to psychotherapy notes
An individual designated as an inpatient coder may have access to an electronic medical record to code the record. Under what access security mechanism is the coder allowed access to the system? A. Situation based B. User based C. Context based D. Role based
D. Role based
Which of the following is NOT an automatic control that helps preserve data confidentiality and integrity in an electronic system? A. Edit Checks B. Audit trails C. Password management D. Security awareness program
D. Security awareness program