Domain 2: Access Disclosure, Privacy, Security Practice Questions


Within the context of electronic health records, protecting data privacy means defending or safeguarding: A. Access to information B. Data availability C. Health record quality D. System implementation

A. Access to information

Which of the following is NOT an identifier under the Privacy Rule? A. Age 75 B. Vehicle license plate BZLITYR C. Street address 265 Cherry Valley Rd D. Visa account 2773 985 0468

A. Age 75

A secretary in the Nursing Office was recently hospitalized with ketoacidosis. She comes to the HIM department and requests her health record. Of the options here, what is the best course of action? A. Allow her to review her record after obtaining authorization from her B. Refer the patient to her physician for the information C. Tell her to go through her supervisor for the information D. Tell her that hospital employees cannot access their own medical records

A. Allow her to review her record after obtaining authorization from her

Which of the following administrative safeguards includes policies and procedures for responding to emergencies or failures in systems that contain e-PHI? A. Contingency plan B. Security training C. Workforce security D. Information access management

A. Contingency plan

An electronic health record risk analysis is helpful to: A. Identify security threats B. Identify which employees should have access to data C. Establish password controls D. Establish audit controls

A. Identify security threats

An audit trail may be used to detect which of the following: A. Unauthorized access to a system B. Loss of data C. Presence of a virus D. Successful completion of a backup

A. Unauthorized access to a system

Which of the following statements is true in regard to responding to requests from individuals for access to their protected health information (PHI)? A. A cost-based fee may be charged for retrieval of PHI B. A cost-based fee may be charged for making a copy of the PHI C. No fees of any type may be charged D. A minimal fee may be charged for the retrieval and copying of PHI

B. A cost-based fee may be charged for making a copy of the PHI

Which of the following are policies and procedures required by HIPAA that address the management of computer resources and security? A. Access controls B. Administrative safeguards C. Audit safeguards D. Role-based controls

B. Administrative safeguards

Which of the following laws created the HITECH Act? A. Health Insurance Portability and Accountability Act B. American Recovery and Reinvestment Act C. Consolidated Omnibus Budget Reconciliation Act D. Healthcare Quality Improvement Act

B. American Recovery and Reinvestment Act (ARRA)

The protection measures and tools for safeguarding information and information systems is a definition of: A. Confidentiality B. Data security C. Informational privacy D. Informational access control

B. Data security

What does the term access control mean? A. Identifying the greatest security risks B. Identifying which data employees should have a right to use C. Implementing safeguards that protect physical media D. Restricting access to computer rooms and facilities

B. Identifying which data employees should have a right to use

Which of the following are security safeguards that protect equipment, media, and facilities? A. Administrative controls B. Physical safeguards C. Audit controls D. Role-based safeguards

B. Physical safeguards

St. Joseph's Hospital has a psychiatric service on the sixth floor of the hospital. A 31-year-old male has come to the HIM department and requested to see a copy of his medical record. He indicated he was a patient of Dr. Schmidt, a psychiatrist, and that he was on the sixth floor of St. Joseph's for the last two months. These records are not psychotherapy notes. Of the options here, what is the best course of action? A. Prohibit the patient from accessing his record, as it contains psychiatric diagnoses that may greatly upset him B. Allow the patient to access his record C. Allow the patient to access his record if, after contacting his physician, his physician does not think it will be harmful to the patient D. Deny access because HIPAA prevents patients from reviewing their psychiatric records

C. Allow the patient to access his record if, after contacting his physician, his physician does not think it will be harmful to the patient

The HIM supervisor suspects that a departmental employee is accessing the EHR for personal reasons, but has no specific data to support this suspicion. In this case, what should the supervisor do? A. Confront the employee B. Send out information to all department employees reminding them of the hospital policy on internet use C. Ask the security officer for audit trail data to confirm or disprove the suspicion D. Transfer the employee to another job that does not require computer usage

C. Ask the security officer for audit trail data to confirm or disprove the suspicion

Which of the following is an example of data security? A. Contingency planning B. Fire protection C. Automatic logoff after inactivity D. Card key for access to data center

C. Automatic logoff after inactivity

What is the biggest threat to the security of healthcare data? A. Natural disasters B. Fires C. Employees D. Equipment malfunctions

C. Employees

The function used to provide access controls, authentication, and audit logging in an HIE is: A. Patient identification B. Record location service C. Identity management D. Consent management

C. Identity management

A secure method of communication between the healthcare provider and the patient is a(n): A. Personal health record B. E-mail C. Patient portal D. Online health information

C. Patient portal

Placing locks on computer room doors is considered what type of security control? A. Access controls B. Workstation control C. Physical safeguard D. Security breach

C. Physical safeguard

During user acceptance testing of a new EHR system, physicians are complaining that they have to use multiple log-on screens to access all system modules. For example, they have to use one log-on for CPOE and another log-on to view laboratory results. One physician suggests having a single sign-on that would provide access to all the EHR system components. However, the hospital administrator thinks that one log-on would be a security issue. What information should the HIM director provide? A. Single sign-on is not supported by HIPAA security measures B. Single sign-on is discouraged by the Joint Commission C. Single sign-on is less frustrating for the end user and can provide better security D. Single sign-on is not possible given today's technology

C. Single sign-on is less frustrating for the end user and can provide better security

What resource should be consulted in terms of who may authorize the access, use, or disclosure of the health records of minors? A. HIPAA because it has strict rules regarding minors B. Hospital attorneys because they know the rules of the hospital C. State law because HIPAA defers to state laws on matters related to minors D. Federal law because HIPAA overrides state laws on matters related to minors

C. State law because HIPAA defers to state laws on matters related to minors

In which of the following situations must a covered entity provide an appeals process for denials to requests from individuals to see their own health information? A. Any time access is requested B. When the covered entity is a correctional institution C. When a licensed healthcare professional has determined that access to PHI would likely endanger the life or safety of the individual D. When the covered entity is unable to produce the health record

C. When a licensed healthcare professional has determined that access to PHI would likely endanger the life or safety of the individual

Under HIPAA rules, when an individual asks to see his or her own health information, a covered entity: A. Must always provide access B. Can always deny access C. Can demand that the individual pay to see his or her record D. Can deny access to psychotherapy notes

D. Can deny access to psychotherapy notes

An individual designated as an inpatient coder may have access to an electronic medical record to code the record. Under what access security mechanism is the coder allowed access to the system? A. Situation based B. User based C. Context based D. Role based

D. Role based

Which of the following is NOT an automatic control that helps preserve data confidentiality and integrity in an electronic system? A. Edit Checks B. Audit trails C. Password management D. Security awareness program

D. Security awareness program

