Domain 2
What is the first consideration in determining how long records must be retained? a. The amount of space allocated for record filing b. The number of records c. The most stringent law or regulation in the state d. The cost of filing space
State laws, CMS regulations and other federal regulations, accreditation standards, and facility policies and procedures must also be reviewed when establishing a retention schedule. The HIM professional must adhere to the strictest time limit if the recommended retention period varies among different laws and regulations
Employees in the hospital business office may have legitimate access to patient health information without patient authorization based on what HIPAA standard or principle? a. Minimum necessary b. Compound authorization c. Accounting of disclosures d. Preemption
a Employees in departments such as the business office, information systems, HIM, and infection control, who are not involved directly in patient care, will vary in their need to access patient information. The HIPAA "minimum necessary" principle must be applied to determine what access employees should legitimately have to PHI
An employee accesses ePHI that does not relate to her job functions. What security mechanism should have been implemented to minimize this security breach? a. Access controls b. Audit controls c. Contingency controls d. Security incident controls
a Access controls are the technical policies and procedures used to control access to ePHI. Access controls must be used to provide users with rights and limitations on what they can do in a system containing ePHI. The specific technology is not mandated, but each user must have unique user identification
Identifying appropriate users of specific information is a function of: a. Access control b. Nosology c. Data modeling d. Workflow modeling
a An EHR can provide highly effective access controls to meet the HIPAA Privacy Rule minimum necessary standard requirements. Role-based access controls are used where only specific classes of persons may access protected health information. Context-based access controls add dimensions that control not only the class of persons but also the specific categories of information and the specific conditions under which access is permitted
Ensuring that data have been accessed or modified only by those authorized to do so is a function of: a. Data integrity b. Data quality c. Data granularity d. Logging functions
a Data integrity means that data should be complete, accurate, consistent and up-to-date. With respect to data security, organizations must put protections in place so that no one may alter or dispose of data in a manner inconsistent with acceptable business and legal rules
A valid subpoena duces tecum seeking health records does not have to: a. Be signed by the plaintiff and defendant b. Include the date, time, and place of the requested appearance c. Include the case docket number d. Include the name of the issuing attorney
a Elements of a valid subpoena commonly include the name of the court from which the subpoena was issued; the caption of action (the names of the plaintiff and defendant); assigned case docket number; date, time, and place of requested appearance; the information commanded, such as testimony or the specific documents sought in a subpoena duces tecum and the form in which that information is to be produced; the name of the issuing attorney; the name of the recipient being directed to disclose the records; and the signature or stamp of the court. The subpoena does not need to be signed by both the plaintiff and the defendant
Which of the following are technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals as a method to prevent a breach of PHI? a. Encryption and destruction b. Recovery and encryption c. Destruction and redundancy d. Interoperability and recovery
a Encryption and destruction are the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals in order to prevent a potential breach of PHI
Scott has requested that all written communications from his cardiologist's office be sent to his work address instead of his home address. The cardiology practice: a. Must honor this confidential communication request if it is deemed reasonable b. Is not required to honor any confidential communication requests of this nature c. Is not required to honor this restriction request d. Must honor this restriction request as long as it is submitted in writing
a Healthcare providers and health plans must give individuals the right of confidential communications, or the opportunity to request that communications of PHI be routed to an alternative location or by an alternative method (45 CFR 164.522(b)). Healthcare providers must honor a request without requiring a reason if the request is reasonable
Janet's request to access her medical record has been denied. The denial is subject to appeal. Which of the following is the most likely reason for the denial? a. Access to the PHI would likely endanger Janet's life or physical safety. b. Access to PHI is never allowed. c. PHI in the record is subject to the federal Privacy Act. d. PHI was created in the course of research, including treatment, and Janet agreed to suspend her right of access during the study time period
a Individuals do have the right to review a denial of access in situations where a licensed healthcare professional determines that access to PHI would be reasonably likely to endanger the life or physical safety of the individual or another person
A hospital currently includes the patient's social security number in the electronic version of the health record. The hospital risk manager has identified this as a potential identity breach risk and wants the information removed. The physicians and others in the hospital are not cooperating, saying they need the information for identification and other purposes. Given this situation, what should the HIM director suggest? a. Avoid displaying the number on any document, screen, or data collection field b. Allow the information in both electronic and paper forms since a variety of people need this data c. Require employees to sign confidentiality agreements if they have access to social security numbers d. Contact legal counsel for advice
a It is generally agreed that Social Security numbers (SSNs) should not be used as patient identifiers. The Social Security Administration is adamant in its opposition to using the SSN for purposes other than those identified by law. AHIMA is in agreement on this issue due to privacy, confidentiality, and security issues related to the use of the SSN
Under the Privacy Rule, which of the following must be included in a patient accounting of disclosures? a. State-mandated report of a sexually transmitted disease b. Disclosure pursuant to a patient's signed authorization c. Disclosure necessary to meet national security or intelligence requirements d. Disclosure for payment purposes
a Legislation gives a patient the right to obtain an accounting of disclosures of PHI made by the covered entity in the six years or less prior to the request date. Mandatory public health reporting is not considered part of a covered entity's operations. As a result, these disclosures must be included in an accounting of disclosures
Which of the following is required in a risk analysis according to the Security Rule? a. Determine the likelihood of threat occurrence and the potential impact b. Focus on improved efficiency c. Implement successful system migration and interoperability d. Develop a sustainable business plan
a The Security Rule intentionally leaves the methods for conducting the required risk analysis to the discretion of the entity. Regardless of the methods selected for conducting and documenting risk analysis, the Security Rule does mandate several elements that must be included in the analysis. These are: define the scope of the risk analysis, collect data, identify and document potential threats and vulnerabilities, assess current security measures, determine the likelihood of threat occurrence, determine the potential impact of threat occurrence, determine the level of risk, finalize documentation, and perform review and updates to the risk assessment
Under the HIPAA Privacy Rule, a hospital may disclose health information without authorization or subpoena in which of the following cases? a. The patient has been involved in a crime that may result in death. b. The patient has celebrity status and requires protection. c. The father of a 22-year-old is requesting the records. d. An attorney requests records.
a News media personnel (and others) may have an interest in obtaining information about a public figure or celebrity who is being treated or about individuals involved in events that have cast them in the public eye. However, the media is not exempt from the restrictions imposed by the HIPAA facility directory requirement, and it is prudent for a healthcare organization to exercise even greater restraint than that mandated by the facility directory requirement with respect to the media. Parents of adult children and attorneys also need an authorization to receive patient records. A hospital may disclose health information to law enforcement when the suspected criminal conduct has resulted in a death
Generally, policies addressing the confidentiality of quality improvement (QI) committee data (minutes, actions, and so forth) state that this kind of data is: a. Protected from disclosure b. Subject to release with patient authorization c. Generally available to interested parties d. May not be reviewed or released to external reviewers such as the Joint Commission
a Outcomes of quality improvement studies may be used to evaluate a physician's application for continued medical staff membership and privileges to practice. These studies are usually conducted as part of the hospital's QI activities. These review activities are considered confidential and protected from disclosure
The outpatient clinic of a large hospital is reviewing its patient sign-in procedures. The registration clerks say it is essential that they know if the patient has health insurance and the reason for the patient's visit. The clerks maintain that having this information on a sign-in sheet will make their jobs more efficient and reduce patient waiting time in the waiting room. What should the HIM director advise in this case? a. To be HIPAA compliant, sign-in sheets should contain the minimal information necessary such as patient name. b. Patient name, insurance status, and diagnoses are permitted by HIPAA. c. Patient name, insurance status, and reason for visit would be considered incidental disclosures if another patient saw this information. d. Any communication overheard by another patient is considered an incidental disclosure.
a Patients may sign in their names on a waiting room list, and if another patient sees it, that is considered an incidental disclosure. However, in determining the content of these sign-in lists, the healthcare provider must take reasonable precautions that the information is limited to the minimum necessary for the purpose
An employee received an email that he thought was from the information technology department. He provided his personal information at the sender's request. The employee was tricked by: a. Phishing b. Ransomware c. Virus d. Bot
a Phishing is a scam by which an individual may receive an email that looks official but is not. Its intent is to capture usernames, passwords, account numbers, and any other personal information. Users should be cautious in giving out confidential information such as passwords, credit card numbers, and social security numbers, as many requests for this information received via email are phishing scams
The Privacy Rule establishes that a patient has the right of access to inspect and obtain a copy of his or her PHI: a. For as long as it is maintained b. For six years c. Forever d. For 12 months
a The Privacy Rule states that an individual has a right of access to inspect and obtain a copy of his or her own PHI that is contained in a designated record set, such as a health record. The individual's right extends for as long as the PHI is maintained
If a healthcare provider is accused of breaching the privacy and confidentiality of a patient, what resource may a patient rely on to substantiate the provider's responsibility for keeping health information private? a. Professional Code of Ethics b. Federal Code of Fair Practice c. Federal Code of Silence d. State Code of Fair Practice
a The Professional Code of Ethics is based on ethical principles regarding privacy and confidentiality of patient information that have been an inherent part of the practice of medicine since the 4th century BC, when the Hippocratic Oath was created. Courts in various jurisdictions have concluded that a physician has a fiduciary duty to the patient to not disclose the patient's health and medical information
HIPAA was designed to accomplish all of the following except: a. Designate HIM professionals as privacy officers b. Establish a consistent set of privacy and security rules for healthcare information nationwide c. Simplify the sharing of health information for legitimate purposes d. Authorize that only the minimum necessary should be released upon proper authorization
a The implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in 2003 established a consistent set of privacy and security rules. These rules, designed to protect the privacy of patients, also attempted to simplify the sharing of health information for legitimate purposes. For example, before implementation of HIPAA, a healthcare provider who needed access to a health record maintained by another provider usually could not directly request the information. The former provider required the patient's written authorization to release information to the current provider. In many cases, the patient or the patient's legal representative had to facilitate the transfer of medical information to a current healthcare provider. Under federal privacy regulations, the healthcare provider can directly request protected medical information, and a written authorization from the patient is not required when the information is used for treatment purposes. The privacy rule states that protected health information used for treatment, payment, or healthcare operations does not require patient authorization to allow providers access, use, or disclosure. However, only the minimum necessary information needed to satisfy the specified purpose can be used or disclosed. The release of information for purposes unrelated to treatment, payment, or healthcare operations still requires the patient's written authorization
In the case of behavioral healthcare information, a healthcare provider may disclose health information on a patient without the patient's authorization in which of the following situations? a. Court order, duty to warn, and involuntary commitment proceedings b. Duty to warn, release of psychotherapy notes, and court order c. Involuntary commitment proceedings, court order, and substance abuse treatment records d. Release of psychotherapy notes, substance abuse treatment records, and duty to warn
a The mental health professional can disclose information without an authorization from the patient in the following situations: the patient brings up the issue of the mental or emotional condition; the health professional performs an examination under a court order; involuntary commitment proceedings; a legal "duty to warn" an intended victim when a patient threatens to harm an identifiable victim(s); the mental health professional believes that the patient is likely to actually harm the individual(s)
Which of the following statements is true in regard to training in protected health information (PHI) policies and procedures? a. Every member of the covered entity's workforce must be trained. b. Only individuals employed by the covered entity must be trained. c. Training only needs to occur when there are material changes to the policies and procedures. d. Documentation of training is not required
a Training in HIPAA policies and procedures regarding PHI is required for all workforce members to carry out their job functions appropriately. The training should be ongoing and documented for each employee
Mary Jones has been declared legally incompetent by the court. Mrs. Jones's sister has been appointed her legal guardian. Her sister requested a copy of Mrs. Jones's health records. Of the options listed here, what is the best course of action? a. Comply with the sister's request but first request documentation from the sister that she is Mary Jones's legal guardian b. Provide the information as requested by the sister c. Require that Mary Jones authorize the release of her health information to the sister d. Refer the sister to Mary Jones's doctor
a When an individual who is at or above the age of majority becomes incapacitated, either permanently or temporarily, another person should be designated to make decisions for that individual including decisions about the use and disclosure of the individual's PHI. Whoever serves as the incompetent adult's personal representative should, at minimum, hold the incompetent adult's durable power of attorney (DPOA) or durable power of attorney for healthcare decisions
Notices of privacy practices must be available at the site where the individual is treated and: a. Must be posted next to the entrance b. Must be posted in a prominent place where it is reasonable to expect that patients will read them c. May be posted anywhere at the site d. Do not have to be posted at the site
b A notice of privacy practices must be available at the site where the individual is treated and must be posted in a prominent place where the patient can be reasonably expected to read it
An original goal of HIPAA Administrative Simplification was to standardize: a. Privacy notices given to patients b. The electronic transmission of health data c. Disclosure of information for treatment purposes d. The definition of PHI
b A significant part of the administrative simplification process is the creation of standards for the electronic transmission of data
Which of the following is a direct command that requires an individual or a representative of a healthcare entity to appear in court or to present an object to the court? a. Judicial decision b. Subpoena c. Credential d. Regulation
b A subpoena is a direct command that requires an individual or a representative of an organization to appear in court or to present an object to the court
Which of the following is an administrative safeguard action? a. Facility access control b. Documentation retention guidelines c. Maintenance record d. Media reuse
b Administrative safeguards are administrative actions such as policies and procedures and documentation retention to manage the selection, development, implementation, and maintenance of security measures to safeguard ePHI and manage the conduct of the covered entities or business associates' workforce
The HIM manager received notification that a user accessed the PHI of a patient with the same last name as the user. This is an example of a(n): a. Encryption b. Trigger flag c. Transmission security d. Redundancy
b Audit trails are used to facilitate the determination of security violations and to identify areas for improvement. Their usefulness is enhanced when they include trigger flags for automatic, intensified review
What is the legal term used to define the protection of health information in a patient-provider relationship? a. Access b. Confidentiality c. Privacy d. Security
b Confidentiality is a legal and ethical concept that establishes the healthcare provider's responsibility for protecting health records and other personal and private information from unauthorized use or disclosure
Kay Denton wrote to Mercy Hospital requesting an amendment to her PHI. She states that her record incorrectly lists her weight at 180 lbs. instead of her actual 150 lbs., and amending it would look better on her record. The information is present on a copy of a history and physical that General Hospital sent to Mercy Hospital. Mercy Hospital may decline to grant her request based on which privacy rule provision? a. Individuals do not have the right to make amendment requests. b. The history and physical was not created by Mercy Hospital. c. A history and physical is not part of the designated record set. d. Mercy Hospital must grant her request.
b HIPAA permits an individual to request that a covered entity make an amendment to PHI in a designated record set. However, the covered entity may deny the request if it determines that the PHI or the record was not created by the covered entity. In this scenario the history and physical was created by General Hospital. Mercy Hospital would be able to deny the request because they did not create the history and physical for this patient
The HIPAA Privacy Rule permits charging patients for labor and supply costs associated with copying health records. Mercy Hospital is located in a state where state law allows charging patients a $100 search fee associated with locating records that have been requested. Which of the following statements is true when applied to this scenario? a. State law will not be preempted in this situation. b. The Privacy Rule will preempt state law in this situation. c. The Privacy Rule never preempts existing state law.
b If a fee is assessed for a request, the fee schedule must be consulted and an invoice prepared. The fee schedule should be regularly reviewed for compliance with the HIPAA Privacy Rule and applicable state laws. A system should be developed to determine situations in which fees are not assessed, when prepayment is required, and to implement collection procedures for delinquent payments following record disclosure
HealthConnect has been the target of a network server hacking incident. Three hundred patients were affected. HealthConnect: a. Is not required to report this to the affected patients because there were fewer than 500 b. Must inform the patients of what occurred, the type of PHI involved, and what steps HealthConnect is taking to prevent future hacking incidents c. Is required to publish a list of the 300 patients who were affected d. Must inform the patients of what occurred, the type of PHI involved, what steps HealthConnect is taking to prevent future hacking incidents, and the names of the other affected patients
b Individuals whose PHI has been breached must be provided with a description of what occurred, the type of unsecured PHI that was involved, and what the entity is doing to prevent future hacking incidents
The hospital's public relations department in conjunction with the local high school is holding a job shadowing day. The purpose of this event is to allow high school seniors an opportunity to observe the various jobs in the hospital and to help the students with career planning. The public relations department asks for input on this event from the standpoint of HIPAA compliance. In this case, what should the HIM department advise? a. Job shadowing is allowed by HIPAA under the provision of allowing students and trainees to practice. b. Job shadowing should be limited to areas in which the likelihood of exposure to PHI is very limited, such as administrative areas. c. Job shadowing is allowed by HIPAA under the provision of volunteers. d. Job shadowing is specifically prohibited by HIPAA.
b Job shadowing should be limited to areas where the likelihood of exposure to PHI is very limited, such as in administrative areas. There is a provision in the Privacy Rule that permits students and trainees to practice and improve their skills in the healthcare environment; however, the context of this provision appears to imply that the students are already enrolled in a healthcare field of study and that they are under the supervision of the covered entity. Most covered entities require students to be trained on confidentiality and other requirements of the Privacy Rule, and job shadowing activities do not appear to apply in this exception
Donna Johnson has written to request an amendment to her PHI from Community Hospital. She states that incorrect information is present on the document in question. The document is an incident report from Community Hospital, which was erroneously placed in Mrs. Johnson's health record. The covered entity declines to grant her request based on which Privacy Rule provision? a. It was not created by the covered entity. b. It is not part of the designated record set. c. The patient cannot request that documentation be amended in their record. d. None. The covered entity must grant her request.
b Many states have laws or regulations that permit individuals to amend their health records. The Privacy Rule also permits individuals to request that a CE amend PHI or a record about the individual in a designated record set. However, the CE may deny the request if it determines that the PHI or the record is not part of the designated record set
Which of the following is true of health record destruction? a. It is prohibited because every piece of health information must be kept forever. b. It is permitted pursuant to an approved retention schedule and destruction policy. c. It is encouraged if a health record is involved in litigation. d. It is allowed if the attending physician gives permission to destroy it.
b Not every piece of data or information needs to be kept permanently. Destruction of health records should be carried out according to federal and state law and pursuant to an approved retention schedule and destruction policy
Under the HIPAA Security Rule, these types of safeguards have to do with protecting the environment: a. Administrative b. Physical c. Security d. Technical
b Physical safeguards have to do with protecting the environment, including ensuring applicable doors have locks that are changed when needed and that fire, flood, and other natural disaster preparedness is in place (for example, fire alarms, sprinklers, smoke detectors, raised cabinets). Other physical controls include badging and escorting visitors and other typical security functions such as patrolling the premises, logging equipment in and out, and camera-monitoring key areas. HIPAA does not provide many specifics on physical facility controls but does require a facility security plan with the expectation that these matters will be addressed
Authorization management involves: a. The process used to protect the reliability of a database b. Limiting user access to a database c. Allowing unlimited use of the database d. Developing definitions for database elements
b Protecting the security and privacy of data in the database is called authorization management. Two of the important aspects of authorization management are user access control and usage monitoring
Which of the following is a "public interest and benefit" exception to the authorization requirement? a. Payment b. PHI regarding victims of domestic violence c. Information requested by a patient's attorney d. Treatment
b Pursuant to the Privacy Rule, the hospital may disclose health information to law enforcement officials without authorization for law enforcement purposes for certain situations, including situations involving a crime victim. Disclosure is made in response to law enforcement officials' request for such information about an individual who is, or is suspected to be, a victim of a crime
Per the HITECH breach notification requirements, which of the following is the threshold at which the media and the Secretary of Health and Human Services should be notified of the breach? a. More than 1,000 individuals affected b. More than 500 individuals affected c. More than 250 individuals affected d. Any number of individuals affected requires notification
b Reporting requirements mandate notification to the individual whose information was breached, and in the case of breaches of more than 500 individuals' information, to the media and the Secretary of Health and Human Services
According to the HIPAA Security Rule, how should a covered entity instruct a physician who needs a new smartphone when her current smartphone contains ePHI? a. Keep her old smartphone b. Turn in her old smartphone to have the memory wiped c. Recycle the old smartphone by giving it to a charity d. Do what she wants since IT is busy with other projects
b Steps should be taken by the organization to secure laptops, tablets, and mobile devices, such as smartphones and flash drives, including a memory wipe to erase all data, even in instances of media reuse
The Medical Record Committee is reviewing the privacy policies for a large outpatient clinic. One of the members of the committee remarks that he feels that the clinic's practice of calling out a patient's full name in the waiting room is not in compliance with HIPAA regulations and that only the patient's first name should be used. Other committee members disagree with this assessment. What should the HIM director advise the committee? a. HIPAA does not allow a patient's name to be announced in a waiting room. b. There is no violation of HIPAA in announcing a patient's name, but the committee may want to consider implementing practices that might reduce this practice. c. HIPAA allows only the use of the patient's first name. d. HIPAA requires that patients be given numbers and that only the number be announced.
b The HIPAA Privacy Rule allows communications to occur for treatment purposes. The preamble repeatedly states the intent of the rule is not to interfere with customary and necessary communications in the healthcare of the individual. Calling out a patient's name in a waiting room, or even on the facility's paging system, is considered an incidental disclosure and, therefore, allowed in the Privacy Rule
City Hospital has implemented a procedure that allows inpatients to decide whether they want to be listed in the hospital's directory. The directory information includes the patient's name, location in the hospital, and general condition. If a patient elects to be in the directory, this information is used to inform callers who know the patient's name. Some patients have requested that they be listed in the directory, but information is to be released to only a list of specific people the patient provides. A hospital committee is considering changing the policy to accommodate these types of patients. In this case, what type of advice should the HIM director provide? a. Approve the requests because this is a patient right under HIPAA regulations b. Deny these requests because screening of calls is difficult to manage and if information is given in error, this would be considered a violation of HIPAA c. Develop two different types of directories—one directory for provision of all information and one directory for provision of information to selected friends and family of the patient d. Deny these requests and seek approval from the Office of Civil Rights
b The HIPAA Privacy Rule allows individuals to decide whether they want to be listed in a facility directory when they are admitted to a facility. If the patient decides to be listed in the facility directory, the patient should be informed that only callers who know his or her name will be given any of this limited information. Covered entities generally do not, however, have to provide screening of visitors or calls for patients because such an activity is too difficult to manage with the number of employees and volunteers involved in the process of forwarding calls and directing visitors. If the covered entity agreed to the screening and could not meet the agreement, it could be considered a violation of this standard of the Privacy Rule
Health Insurance Portability and Accountability Act's Privacy Rule states that "________ used for the purposes of treatment, payment, or healthcare operations does not require patient authorization to allow providers access, use, or disclosure." However, only the ________ information needed to satisfy the specified purpose can be used or disclosed. a. Demographic information, minimum necessary b. Protected health information, minimum necessary c. Protected health information, diagnostic d. Demographic information, diagnostic
b The HIPAA Privacy Rule states that protected health information used for purposes of treatment, payment, or healthcare operations does not require patient authorization to allow providers access, use, or disclosure. However, only the minimum necessary information needed to satisfy the specified purpose can be used or disclosed
The technology, along with the policies and procedures for its use, that protects and controls access to ePHI are: a. Administrative safeguards b. Technical safeguards c. Physical safeguards d. Integrity controls
b The Security Rule defines technical safeguards as the technology and the policy and procedures for its use that protect ePHI and controls access to it. A covered entity must determine which security measures and technologies are reasonable and appropriate for implementation
According to the Privacy Rule, which of the following statements must be included in the notice of privacy practices? a. A description (including at least one example) of the types of uses and disclosures the physician is permitted to make for marketing purposes b. A description of each of the other purposes for which the covered entity is permitted or required to use or disclose PHI without the individual's written consent or authorization c. A statement that other uses and disclosures will be made without the individual's written authorization and that the individual may not revoke such authorization d. A statement that all disclosures will be prohibited from future redisclosures
b The notice of privacy practices must explain and give examples of the uses of the patient's health information for treatment, payment, and healthcare operations, as well as other disclosures for purposes established in the regulations. If a particular use of information is not covered in the notice of privacy practices, the patient must sign an authorization form specific to the additional disclosure before his or her information can be released
Dr. Williams is on the medical staff of Sutter Hospital, and he has asked to see the health record of his wife, who was recently hospitalized. Dr. Jones was the patient's physician. Of the options listed here, which is the best course of action? a. Refer Dr. Williams to Dr. Jones and release the record if Dr. Jones agrees b. Inform Dr. Williams that he cannot access his wife's health information unless she authorizes access through a written release of information c. Request that Dr. Williams ask the hospital administrator for approval to access his wife's record d. Inform Dr. Williams that he may review his wife's health record in the presence of the privacy officer
b The physician would not have access to records of a patient he or she is not treating unless the physician is performing designated healthcare operations such as research, peer review, or quality management. Otherwise the physician would need to have an authorization from the patient
Which of the following statements is true with regard to responding to requests from individuals for access to their PHI? a. A cost-based fee may be charged for retrieval of the PHI. b. A cost-based fee may be charged for making a copy of the PHI. c. No fees of any type may be charged. d. A minimal fee may be charged for retrieval and copying of PHI.
b The release of information is a function of doing business and thus has a cost associated with it. The HIPAA Privacy Rule permits reasonable, cost-based charges for labor, postage, and supplies involved in photocopying health information for the patient and his or her personal representative
Betty Hunter, a patient at Community Health, fell out of bed. An incident report was created. Betty's attorney is now seeking all records relevant to Betty's fall. The incident report is least likely to be protected from discovery if it is maintained in: a. The administrative files of the chief nursing officer b. Betty's medical record c. The hospital attorney's office d. The hospital risk manager's office
b While none of the above actions may ultimately protect the incident report from discovery, options a, c, and d demonstrate that the incident report is being held by a relevant party, with no indication that it is being disseminated (dissemination may negate attempts to prevent discovery). Placement of the incident report in Betty's medical record leads to a greater argument that it is part of the legal health record and part of a valid request; further, if placed in the medical record, it is much more likely to be disclosed as part of that record
A nurse administrator who is not typically on call to cover staffing shortages gets called in over the weekend to staff the emergency department. She does not have access to enter notes since this is not a part of her typical role. In order to meet the intent of the HIPAA Security Rule, the hospital policy should include a: a. Requirement for her to attend training before accessing ePHI b. Provision for another nurse to share his or her password with the nurse administrator c. Provision to allow her emergency access to the system d. Restriction on her ability to access ePHI
c Access control requires the implementation of technical policies and procedures for electronic information systems that maintain electronic protected health information (ePHI) to allow access only to those persons or software programs that have been granted access rights as specified in the administrative safeguards. There are four implementation specifications with this standard, one of which includes emergency access procedures, which are procedures established to grant individuals access to ePHI in an emergency
In Medical Center Hospital's clinical information system, nurses may write nursing notes and may read all parts of the patient health record for patients on the unit in which they work. This type of authorized use is called: a. Password limitation b. Security clearance c. Role-based access d. User grouping
c An EHR can provide highly effective access controls to meet the HIPAA Privacy Rule minimum necessary standard requirements. Role-based access controls are used where only specific classes of persons (for example, nurses) may access protected health information
Which of the following is a characteristic of breach notification? a. It is required only when 500 or more individuals are affected. b. It applies to both secured and unsecured PHI. c. It applies when any person's PHI is breached. d. It applies only when 20 or more individuals are affected
c Breaches by covered entities and BAs (both governed by HHS breach notification regulations) are deemed discovered when the breach is first known or reasonably should have been known. All individuals whose information has been breached must be notified without unreasonable delay, and within 60 days, by first-class mail or a faster method, such as by telephone, if there is the potential for imminent misuse
Which of the following data management domains would be responsible for establishing standards for data retention and storage? a. Data architecture management b. Metadata management c. Data life cycle management d. Master data management
c Data management is based on the assumption that all data have a life cycle. Typical data life cycle functions requiring data governance include: establishing what data are to be collected and how they are to be captured; setting standards for data retention and storage; determining processes for data access and distribution; establishing standards for data archival and destruction
An employer has contacted the HIM department and requested health information on one of his employees. Of the options listed here, what is the best course of action? a. Provide the information requested b. Refer the request to the attending physician c. Request the employee's written authorization for release of information d. Request the employer's written authorization for release of the employee's information
c Employers, who may or may not be HIPAA-covered healthcare organizations, may request patient information for a number of reasons, including family medical leave certification, return-to-work certification for work-related injuries, and information for company physicians. Patient authorization is required for such disclosures, except that in some states the patient's employer, employer's insurer, and employer's and employee's attorneys do not need patient authorization to obtain health information for workers' compensation purposes
Which of the following is a kind of technology that focuses on data security? a. Clinical decision support b. Bitmapped data c. Firewalls d. Smart cards
c Firewalls are hardware and software security devices situated between the routers of a private and public network. They are designed to protect computer networks from unauthorized outsiders
The Latin phrase meaning "let the master answer" that puts responsibility for negligent actions of employees on the employer is called: a. Res ipsa loquitur b. Res judicata c. Respondeat superior d. Restitutio in integrum
c Generally, a hospital is liable to patients for the torts of its employees (including nurses and employed physicians) under the doctrine of respondeat superior (Latin for "let the master answer"). Also referred to as vicarious liability, under this doctrine the hospital holds itself out as responsible for the actions of its employees, provided that these individuals were acting within the scope of their employment or at the hospital's direction at the time they conducted the tortious activity in question
The privacy officer was conducting training for new employees and posed the following question to the trainees to help them understand the rule regarding breach notification: "If a breach occurs, which of the following must be provided to the individual whose PHI has been breached?" a. The facility's notice of privacy practices b. An authorization to release the individual's PHI c. The types of unsecured PHI that were involved d. A promise to never do it again
c Individuals whose protected health information (PHI) has been breached must be provided with the following information: a description of what occurred (including date of breach and date that breach was discovered); the types of unsecured PHI that were involved (such as name, SSN, DOB, home address, and account number); steps that the individual may take to protect himself or herself; what the entity is doing to investigate, mitigate, and prevent future occurrences; contact information for the individual to ask questions and receive updates
Caitlin has been experiencing abdominal pain. Removal of her gallbladder was recommended. Who is responsible to obtain Caitlin's informed consent? a. The anesthesiologist who will be administering general anesthesia b. The surgical nurse who will assist during surgery c. The physician who will be performing the surgery d. The administrator in the surgery department
c It is the responsibility of the treating provider, in this case the physician who will be performing the surgery, to obtain informed consent, and this duty may not be delegated to some other person
Which one of the following has access to personally identifiable data without authorization or subpoena? a. Law enforcement in a criminal case b. The patient's attorney c. Public health departments for disease reporting purposes d. Workers' compensation for disability claim settlement
c No authorization is needed to use or disclose PHI for public health activities. Some health records contain information that is important to the public welfare. Such information must be reported to the state's public health service to ensure public safety
Which of the following is not an identifier under the Privacy Rule? a. Visa account 2773 985 0468 b. Vehicle license plate BZ LITYR c. Age 75 d. Street address 265 Cherry Valley Road
c One of the most fundamental terms in the Privacy Rule is PHI, defined by the rule as "individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium" (45 CFR 160.103). To meet the individually identifiable element of PHI, information must meet all three portions of a three-part test. (1) It must either identify the person or provide a reasonable basis to believe the person could be identified from the information given. (2) It must relate to one's past, present, or future physical or mental health condition; the provision of healthcare; or payment for the provision of healthcare. (3) It must be held or transmitted by a covered entity or its business associate
Which professional has the responsibility of determining when an individual or entity has the right to access healthcare information in a hospital setting? a. Physicians b. Nurses c. Health information management professionals d. Hospital administrators
c Patients (along with their next of kin or legal representatives) have the right to access their health records. However, health information management (HIM) professionals must validate the appropriateness of access. When a patient's next of kin or legal representative requests information belonging to the patient, HIM professionals should be familiar with state and federal laws regarding the right to access and who can authorize the use or disclosure of the information at issue
Regarding an individual's right of access to their own PHI, per HIPAA, a covered entity: a. Must act on the request within 90 days b. May extend its response by 60 days if it gives the reasons for the delay c. May require individuals to make their requests in writing d. Does not have limits regarding what it can charge individuals for copies of their health record
c Per HIPAA, covered entities may require individuals to make their access requests in writing if they have informed them of this requirement. A covered entity must act on an individual's request within 30 days, and may extend the response just once by no more than 30 days as long as it responds within the initial 30-day window and gives the reason for the delay and a date by which it will respond
A federal confidentiality statute specifically addresses confidentiality of health information about ________ patients. a. Developmentally disabled b. Elderly c. Drug and alcohol recovery d. Cancer
c The Confidentiality of Alcohol and Drug Abuse Patient Records Rule is a federal rule that applies to information created for patients treated in a federally assisted drug or alcohol abuse program and specifically protects the identity, diagnosis, prognosis, or treatment of these patients. The rule generally prohibits redisclosure of health information related to this treatment except as needed in a medical emergency or when authorized by an appropriate court order or the patient's authorization
Community Hospital is planning implementation of various elements of the EHR in the next six months. Physicians have requested the ability to access the EHR from their offices and from home. What advice should the HIM director provide? a. HIPAA regulations do not allow this type of access. b. This access would be covered under the release of PHI for treatment purposes and poses no security or confidentiality threats. c. Access can be permitted providing that appropriate safeguards are put in place to protect against threats to security. d. Access cannot be permitted because the physicians would not be accessing information for treatment purposes.
c The HIPAA Privacy Rule permits healthcare providers to access protected health information for treatment purposes. However, there is also a requirement that the covered entity provide reasonable safeguards to protect the information. These requirements are not easy to meet when the access is from an unsecured location, although policies, medical staff bylaws, confidentiality or other agreements, and a careful use of new technology can mitigate some risks
Community Hospital is terminating its business associate relationship with a medical transcription company. The transcription company has no further need for any identifiable information that it may have obtained in the course of its business with the hospital. The CFO of the hospital believes that to be HIPAA compliant all that is necessary is for the termination to be in a formal letter signed by the CEO. In this case, how should the director of HIM advise the CFO? a. Confirm that a formal letter of termination meets HIPAA requirements and no further action is required b. Confirm that a formal letter of termination meets HIPAA requirements and no further action is required except that the termination notice needs to be retained for seven years c. Confirm that a formal letter of termination is required and that the transcription company must provide the hospital with a certification that all PHI that it had in its possession has been destroyed or returned d. Inform the CFO that business associate agreements cannot be terminated
c The HIPAA Privacy Rule requires the covered entity to have business associate agreements in place with each business associate. This agreement must always include provisions regarding destruction or return of protected health information (PHI) upon termination of a business associate's services. Upon notice of the termination, the covered entity needs to contact the business associate and determine if the entity still retains any protected health information from, or created for, the covered entity. The PHI must be destroyed, returned to the covered entity, or transferred to another business associate. Once the PHI is transferred or destroyed, it is recommended that the covered entity obtain a certification from the business associate that either it has no protected health information, or all protected health information it had has been destroyed or returned to the covered entity
One of the four general requirements a covered entity must adhere to in order to be in compliance with the HIPAA Security Rule is to: a. Ensure the confidentiality, integrity, and addressability of ePHI b. Ensure the confidentiality, integrity, and accuracy of ePHI c. Ensure the confidentiality, integrity, and availability of ePHI d. Ensure the confidentiality, integrity, and accountability of ePHI
c The HIPAA Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of ePHI. The Security Rule contains provisions that require covered entities to adopt administrative, physical, and technical safeguards
Per HITECH, an accounting of disclosures must include disclosures made during the previous: a. 10 years b. 6 years c. 3 years d. 1 year
c The Health Information Technology for Economic and Clinical Health Act (HITECH) shortened the time frame for an accounting of disclosures. Previously, an accounting had to include disclosures made during the previous six years. This has been shortened to disclosures made during the previous three years
Per the Privacy Rule, which of the following requires authorization for research purposes? a. Use of Mary's deidentified information about her myocardial infarction b. Use of Mary's information about her asthma in a limited data set c. Use of Mary's individually identifiable information related to her asthma treatments d. Use of medical information about Jim, Mary's deceased husband
c The Privacy Rule's general requirement is that authorization must be obtained for uses and disclosures of PHI created for research that includes treatment of the individual. Public information, deidentified data, or data that is recorded by the investigator so that the subject cannot be directly identified or identified through links are not subject to the Common Rule
Which standard in the Security Rule provides guidance for covered entities to secure laptops and other small portable mobile technologies used within the healthcare facility? a. Workstation security standard b. Technical safeguard standard c. Device and media controls standard d. Facility access control standard
c The device and media controls standard states that covered entities are to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility. This implementation specification includes maintaining a record of the movements of the hardware and electronic media and presents a growing challenge in many healthcare organizations where mobile technology is increasing in use
A visitor sign-in sheet to a computer area is an example of what type of control? a. Administrative b. Audit c. Facility access d. Workstation
c The facility access control standard requires covered entities to control and validate a person's access to a facility including visitor control
John Smith was seen in his primary care physician's office. When the provider attempted to call him with his laboratory results, he inadvertently called the incorrect John Smith and verbally provided him the lab result. Which of the following would apply to this situation in the context of breach notification? a. The provider would be required to report the breach to the media. b. No reporting is necessary because the laboratory results are not considered PHI and no breach can occur based on this fact. c. Even though the results were discussed with the incorrect patient, no hard copy results were sent to the wrong person, so because the wrong John Smith could not keep the PHI, no reporting is necessary. d. The provider would be required to report the breach to the Secretary of HHS.
c The final exception to reporting requirements for breaches of PHI applies when covered entities and business associates who made an inadvertent disclosure have reason to believe that the recipient of the PHI would not have been able to retain the information. In this example, the provider called the patient with a common name to discuss laboratory results and dialed the wrong phone number. Although the provider discussed the results with "John Smith," no hard copy results were sent to the wrong patient, so it is reasonable to believe that the wrong John Smith could not "keep" the information
Covered entities must retain documentation of their security policies for at least: a. Five years b. Five years from the date of origination c. Six years from the date when last in effect d. Six years from the date of the last incident
c Policies and procedures implemented to comply with the Security Rule must be retained for six years from the date of their creation or the date when they were last in effect, whichever is later
Which of the following is considered a two-factor authentication system? a. User ID and password b. User ID and voice scan c. Password and swipe card d. Password and PIN
c The three categories of factors used in two-factor authentication are something you know, such as a password or PIN; something you have, such as an ATM card, token, or swipe/smart card; and something you are, such as a biometric fingerprint, voice scan, iris, or retinal scan
Central City Clinic has requested that Ghent Hospital send its hospital records from Susan Hall's most recent admission to the clinic for her follow-up appointment. Which of the following statements is true? a. The Privacy Rule requires that Susan Hall complete a written authorization. b. The hospital may send only discharge summary, history, and physical and operative report. c. The Privacy Rule's minimum necessary requirement does not apply. d. This "public interest and benefit" disclosure does not require the patient's authorization.
c There are certain circumstances where the minimum necessary requirement does not apply, such as disclosures to healthcare providers for treatment; to the individual or his or her personal representative; pursuant to the individual's authorization; to the Secretary of HHS for investigations, compliance review, or enforcement; as required by law; or to meet other Privacy Rule compliance requirements
Mr. Martin has asked his physician's office to review a copy of his PHI. His request must be responded to no later than ________ after the request was made. a. 90 days b. 60 days c. 30 days d. 6 weeks
c Timely response is an important part of the Privacy Rule. A covered entity must act on an individual's request for review of PHI no later than 30 days after the request is made, extending the response by no more than 30 days if, within the 30-day time period, it gives the reasons for the delay and the date by which it will respond
Appropriate documentation of health record destruction must be maintained permanently no matter how the process is carried out. This documentation usually takes the form of a: a. Policy of destruction b. Retention schedule c. Regulation schedule d. Certificate of destruction
d Appropriate documentation of health record destruction must be maintained permanently no matter how the process is carried out. This documentation usually takes the form of a certificate of destruction
In all of the following situations, PHI may be disclosed without providing the opportunity for an individual to object or to provide an authorization except: a. For disclosures for public health purposes as required by law b. For disclosures to health oversight agencies as required by law c. For reporting certain types of wounds or other physical injuries as required by law d. For including the individual's name in the facility directory
d A facility may maintain a facility directory of patients being treated. HIPAA's Privacy Rule permits the facility to maintain in its directory the following information about an individual if the individual has not objected: name, location in the facility, and condition described in general terms. This information may be disclosed to persons who ask for the individual by name. An authorization is not necessary for public health purposes, health oversight agencies, and other reporting that is required by law
AHIMA recommends that documents of health record destruction include all of the following except: a. Date and method of destruction b. Statement that records were destroyed in the normal course of business c. Description of disposed records series, numbers, or items d. Reason for destruction
d AHIMA recommends that documents of health record destruction include many items, including: the date and method of destruction, a statement that records were destroyed in the normal course of business, and a description of the disposed record series, numbers, or items. The reason for destruction is not one of these recommendations
What is the most common method for implementing entity authentication? a. Personal identification number b. Biometric identification systems c. Token systems d. Password systems
d Access control mechanisms are an effective means of controlling what and how users gain access to an electronic health information system. To authenticate the legitimate user of ePHI, the user must be assigned a unique identifier. Because of the public nature of the log-on, there is a need to authenticate the identity of the user, commonly with a password. Password systems allow for easily remembered log-ons that are hard to crack
Mrs. Guindon is requesting every piece of health information that exists about her from Garrett Hospital. The Garrett Hospital privacy officer must explain to her that, under HIPAA privacy regulations, she does not have the right to access her: a. History and physical report b. Operative report c. Discharge summary d. Psychotherapy notes
d Access to information may be denied in some situations because it is specifically exempted from access by the Privacy Rule or it is not part of the designated record set. The Privacy Rule preamble makes clear that individuals do not have the right of access to psychotherapy notes
The confidentiality of incident reports is generally protected in cases when the report is filed in: a. The nursing notes b. The patient's health record c. The physician's progress notes d. The hospital risk manager's office
d Because incident reports contain facts, hospitals strive to protect their confidentiality. To ensure incident report confidentiality, no copies should be made and the original must not be filed in the health record nor removed from the files in the department responsible for maintaining them, typically risk management or QI. Also no reference to the completion of an incident report should be made in the health record. Such a reference would likely render the incident report discoverable because it is mentioned in a document that is discoverable in legal proceedings
Ted and Mary are the adoptive parents of Susan, a minor. What is the best way for them to obtain a copy of Susan's operative report? a. Wait until Susan is 18 b. Present an authorization signed by the court that granted the adoption c. Present an authorization signed by Susan's natural (birth) parents d. Present an authorization that at least one of them (Ted or Mary) has signed
d Because minors are, as a general rule, legally incompetent and unable to make decisions regarding use and disclosure of their own healthcare information, this authority belongs to the minor's parent(s) or legal guardian(s) unless an exception applies. Generally, only one parent's signature is required to authorize the use or disclosure of a minor's PHI. In this case, the adoptive parents are the legal guardians of the minor
Which process requires the verification of the educational qualifications, licensure status, and other experience of healthcare professionals who have applied for the privilege of practicing within a healthcare facility? a. Deemed status b. Judicial decision c. Subpoena d. Credentialing
d Credentialing is the process that requires the verification of the educational qualifications, licensure status, and other experience of healthcare professionals who have applied for the privilege of practicing within a healthcare facility
Which of the following controls external access to a network? a. Access controls b. Alarms c. Encryption d. Firewall
d Firewalls are hardware and software security devices situated between the routers of a private and public network. They are designed to protect computer networks from unauthorized outsiders. However, they also can be used to protect entities within a single network, for example, to block laboratory technicians from getting into payroll records. Without firewalls, IT departments would have to deploy multiple-enterprise security programs that would soon become difficult to manage and maintain
A physician practice was warned last year by auditors that its disposal of paper records (dumping them in bins without shredding or deidentifying them) violated HIPAA, but it did nothing to correct the problem. When the records were found in a city dumpster, an anonymous caller notified the Office for Civil Rights (OCR). An investigation by OCR confirmed that the practice had been warned about the violations. What level of violation is OCR likely to assess in this situation? a. Unknowing b. Reasonable cause c. Willful neglect, corrected within 30 days of discovery d. Willful neglect, uncorrected
d HITECH has increased civil penalties based on levels, or tiers, of intent and neglect. The nature and extent of both the violation and the harm are used to determine the amount assessed with each range. In this instance the category of the violation would be willful neglect, uncorrected (
Which of the following would be included in an accounting of disclosures? a. Incidental to an otherwise permitted or required use disclosure b. Disclosures to the individual about whom the information pertains c. Disclosures made pursuant to an authorization d. Patient information faxed to the bank
d Maintaining a procedure to track PHI disclosures has been a common practice in departments that manage health information. However, HIPAA provides for an accounting of disclosures that gives an individual the right to receive a list of certain disclosures that a covered entity has made. Some of the disclosures for which an accounting is not required include: to the individual to whom the information pertains, incidental to an otherwise permitted or required use or disclosure, and pursuant to an authorization. An accounting would be required for patient information faxed to an erroneous fax number
The baby of a mother who is 15 years old was recently discharged from the hospital. The mother is seeking access to the baby's health record. Who must sign the authorization for release of the baby's health record? a. Both mother and father of the baby b. Maternal grandfather of the baby c. Maternal grandmother of the baby d. Mother of the baby
d Many state laws allow a minor to be treated as an adult for drug or alcohol dependency and sexually transmitted diseases or be given contraceptives and prenatal care without parental or legal guardian consent. This gives minors the right to treatment and access of their health records as a competent adult
Charlie went to the HIM department at Langford Hospital to request an amendment to his PHI. The HIM staff required that he make the request in writing. He said this violated his HIPAA rights. Who is correct? a. Charlie, because the Privacy Rule requires amendment requests to be oral b. The HIM department, because the Privacy Rule requires amendment requests to be in writing c. Charlie, because the Privacy Rule requires immediate responses to all amendment requests d. The HIM department, because the Privacy Rule allows covered entities to require that amendment requests be made in writing
d Many states have laws or regulations that permit individuals to amend their health records. The CE may require the individual to make an amendment request in writing and provide a reason for the amendment
Which of the following presents the greatest risk of large-scale health information breaches? a. Unlocked rooms b. Computer monitors positioned toward high-traffic areas c. Unattended computer workstations d. Laptop theft
d One of the biggest risk areas is the control of portable devices that contain ePHI. This area is particularly important because their use is growing and the likelihood of losing portable devices either accidentally or as the result of malicious acts is great. Portable devices include laptop and notebook computers, smartphones, CDs, personal digital assistants, USB drives, and handheld dictation devices. Data from the United States Department of Health and Human Services (HHS) shows that laptop theft is the most frequent cause of health information breaches, affecting 500 or more people
When a patient revokes authorization for release of information after a healthcare entity has already released the information, the healthcare entity in this case: a. May be prosecuted for invasion of privacy b. Has become subject to civil action c. Has violated the security regulations of HIPAA d. Is protected by the Privacy Act
d One of the specifications found within the consent for use and disclosure of information should state that the individual has the right to revoke the consent in writing, except to the extent that the covered entity has already taken action based on the consent. In this situation, the facility acted in good faith based on the prior authorization and therefore the release is covered under the Privacy Act
Brittany is a new health information department employee. She is trained on the special procedures that must be followed prior to disclosure of health information that is deemed to be highly sensitive. Whitney knows that highly sensitive information receives special protections because it pertains to conditions that: a. Are generally fatal b. Are untreatable c. Are highly contagious d. Have a stigma or sensitivity associated with them
d Option d categorically describes behavioral health, substance abuse, HIV/AIDS, genetic testing and adoption records, which are identified as highly sensitive information
Debbie, an HIM professional, was recently hired as the privacy officer at a large physician practice. She observes the following practices. Which is a violation of the HIPAA Privacy Rule? a. Dr. Graham recommends a medication to a patient with asthma. b. Dr. Herman gives a patient a pen with the name of a pharmaceutical company on it. c. Dr. Martin recommends acupuncture to a patient. d. Dr. Lawson gives names of asthma patients to a pharmaceutical company.
d PHI may not be used or disclosed by a covered entity unless the individual who is the subject of the information authorizes the use or disclosure in writing or the Privacy Rule requires or permits such use or disclosure without the individual's authorization. In this situation, Dr. Lawson is a covered entity and thus releasing the names of his asthma patients to a pharmaceutical company requires the patients' authorization
A hospital releases information to an insurance company with proper authorization by the patient. The insurance company forwards the information to a medical data clearinghouse. This process is referred to as: a. Admissibility b. Civil release c. Privileging process d. Redisclosure
d Redisclosure of health information is of significant concern to the healthcare industry. As such, the HIM professional must be alerted to state and federal statutes addressing this issue. A consent obtained by a hospital pursuant to the Privacy Rule in 45 CFR 164.506(a)(5) does not permit another hospital, healthcare provider, or clearinghouse to use or disclose information. However, the authorization content required in the Privacy Rule in 45 CFR 164.508(c)(1) must include a statement that the information disclosed pursuant to the authorization may be disclosed by the recipient and thus is no longer protected
A ________ helps a healthcare entity proactively ensure that the information they store and maintain is only being accessed in the normal course of business. a. Contingency plan b. Workflow analysis c. Documentation audit d. Security audit
d Security audits can help a healthcare organization proactively ensure that the information it stores and maintains is only being accessed for the normal course of business
All of the following are factors that influence health record retention periods except: a. Federal and state laws b. Statutes of limitations c. Costs of retention d. Patient mortality
d Some of the factors that influence health record retention are: federal and state laws, statutes of limitations, and costs of retention. Patient mortality does not impact health record retention as records are not destroyed solely on the basis that a patient has expired
A competent adult female has a diagnosis of ovarian cancer and while on the operating table suffers a stroke and is in a coma. Her son would like to access her health records from a clinic she recently visited for pain in her right arm. The patient is married and lives with her husband and two grown children. According to the Uniform Health Care Decisions Act (UHCDA), who is the logical person to request and sign an authorization to access the woman's health records from the clinic? a. Adult child making request b. Oldest adult child c. Patient d. Spouse
d The Uniform Health Care Decisions Act suggests that decision-making priority for an individual's next-of-kin be as follows: spouse, adult child, parent, adult sibling, or if no one is available who is so related to the individual, authority may be granted to "an adult who exhibited special care and concern for the individual"
Under HIPAA, when is the patient's written authorization required to release his or her healthcare information? a. For purposes related to treatment b. For purposes related to payment c. For administrative healthcare operations d. For any purpose unrelated to treatment, payment, or healthcare operations
d The implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in 2003 established a consistent set of privacy and security rules. The Privacy Rule states that protected health information used for treatment, payment, or healthcare operations does not require patient authorization to allow providers access, use, or disclosure. However, only the minimum necessary information needed to satisfy the specified purpose can be used or disclosed. The release of information for purposes unrelated to treatment, payment, or healthcare operations still requires the patient's written authorization
The privacy officer was conducting training for new employees and posed the following question to the trainees to help them understand the rule regarding protected health information (PHI): "Which of the following is an element that makes information 'PHI' under the HIPAA Privacy Rule?" a. Identifies an attending physician b. Specifies the insurance provider for the patient c. Contained within a personnel file d. Relates to one's health condition
d The key to defining PHI is that it requires the information to either identify an individual or provide a reasonable basis to believe the person could be identified from the information given. In this situation, the information relates to a patient's health condition and could identify the patient
Which of the following does not have to be included in a covered entity's notice of privacy practices? a. Description with one example of disclosures made for treatment purposes b. Description of all the other purposes for which a covered entity is permitted or required to disclose PHI without consent or authorization c. Statement of individual's rights with respect to PHI and how the individual can exercise those rights d. Patient's signature and e-mail address
d The notice of privacy practices must explain and give examples of the uses of the patient's health information for treatment, payment, and healthcare operations, as well as other disclosures for purposes established in the regulations. If a particular use of information is not covered in the notice of privacy practices, the patient must sign an authorization form specific to the additional disclosure before his or her information can be released. Patient signature and e-mail address are not part of the notice of privacy practices
Where can you find guidelines for the retention and destruction of healthcare information? a. Institute of Medicine b. Municipal regulations c. HIPAA d. Accreditation standards
d The processes of storing health information and destroying it when it is no longer needed are called retention and destruction. The development of EHRs has given healthcare organizations the ability to retain and store health information without the physical space restriction of paper-based health records. These processes are subject to specific regulations in many states. Federal regulations and accreditation standards also include specific guidelines on the release and retention of patient-identified health information
The Administrative Simplification portion of Title II of HIPAA addresses which of the following? a. Creating standardized forms for release of information throughout the industry b. Computer memory requirements for health plans maintaining patient health information c. Security regulations for personal health records d. Uniform standards for transactions and code sets
d Title II of HIPAA is the most relevant title to the management of health information, containing provisions relating to the prevention of healthcare fraud and abuse and medical liability reform, as well as administrative simplification. The Privacy Rule derives from the administrative simplification provision of Title II along with the HIPAA security regulations, transactions and code set standardization requirements, unique national provider identifiers, and the enforcement rule
Lane Hospital has a contract with Ready-Clean, a local company, to come into the hospital to pick up all the facility's linens for off-site laundering. Ready-Clean is: a. A business associate because Lane Hospital has a contract with it b. Not a business associate because it is a local company c. A business associate because its employees may see PHI d. Not a business associate because it does not use or disclose individually identifiable health information
d Vendors who have a presence in a healthcare facility, agency, or organization will often have access to patient information in the course of their work. If the vendor meets the definition of a business associate (that is, it is using or disclosing an individual's PHI on behalf of the healthcare organization), a business associate agreement must be signed. If a vendor is not a business associate, employees of the vendor should sign confidentiality agreements because of their routine contact with and exposure to patient information. In this situation, Ready-Clean is not a business associate