Fundamentals of Law for Health Informatics and Information Management, Third Edition, Exam 4
Which of the following is not an example of a red flag for a healthcare provider? A question from a patient about a collection notice A bill for a product that patient denies receiving A question from a patient about scheduled surgery A patient's receipt of a bill for another individual
A question from a patient about scheduled surgery
Joint Commission standards: Mandate the actual language to be used in patient rights policies Address both patient rights and patient responsibilities Address patient rights, but do not address patient responsibilities Do not address research and clinical trials with regard to patient rights
Address both patient rights and patient responsibilities
A mental health professional cannot be compelled to testify or disclose protected health information without patient authorization in a judicial situation except in what situation? Health professional performs an examination under court order Patient brings up the issue of mental or emotional condition Protect patient from harming self or others a and c All of the above
All of the above
The patient's right to the confidentiality of his or her health information is reinforced through: Professional best practices Accreditation standards Medicare Conditions of Participation None of the above All of the above
All of the above
Patients diagnosed with a mental illness and involuntarily committed: Lose their right to procedural due process Can be confined indefinitely based on the diagnosis Lose their right to consent to or refuse treatment Sacrifice their substantive constitutional rights Are not necessarily deemed incompetent by virtue of the illness
Are not necessarily deemed incompetent by virtue of the illness
When the HIM professional is considering the major departmental functions to include in a disaster plan for emergency operations, which of the following would be the least important? Master patient index Billing Transcription of dictation Chart tracking
Billing
Many states have mandatory reporting requirements for suspected abuse or mistreatment of the following categories of individuals except _____. Competent adults Nursing home residents Residents of state mental health facilities Children
Competent adults
Mark Bates has been declared legally incompetent by the court. Mr. Bates' sister has been appointed his legal guardian. His sister is requesting a copy of Mr. Bates' health records. Of the options below, what is the best course of action? Comply with the sister's request, but first request documentation from the sister that she is Bates' legal guardian. Refer the sister to Mark Bates' doctor. Provide the information as requested by the sister. Require that Mark Bates authorize the release of his health information to the sister.
Comply with the sister's request, but first request documentation from the sister that she is Bates' legal guardian.
Which of the following is not a mechanism to detect external medical identity theft? Request a driver's license to verify identity Conduct a background check on prospective employees Take a photograph of the patient at the time of registration Compare current patient signature with that from a previous encounter
Conduct a background check on prospective employees
Esther is an 86-year-old patient of Dr. Brooks. When taking into consideration that Esther views the physician-patient relationship differently because of her age, Dr. Brooks is exhibiting_________. Transparency Meaningful use Cultural competence Health literacy
Cultural competence
Most state laws deem adoption records to be confidential and allow their release only under what circumstance? Subpoena Authorization of adoptee Authorization of adoptive parent(s) Court order
Court order
Key components to a contingency or disaster plan, mandated by the HIPAA Security Rule include __________. Data back-up, data recovery, emergency mode of operations and data encryption Data back-up, data recovery and emergency mode of operations Data back-up and data recovery Data recovery and emergency mode of operations
Data back-up, data recovery and emergency mode of operations
Eleanor has refused life-saving treatment. Which of the following is true? Eleanor does not have the right to refuse treatment Eleanor has the right of self-determination to refuse treatment The hospital may not refer this decision to a court Her refusal is voided because it will result in her death
Eleanor has the right of self-determination to refuse treatment
Which of the following is most likely to result in a security breach? Leaving voice mail patient appointment reminders Transporting records to a satellite clinic Failing to deactivate user access at termination Calling patient names in the waiting room
Failing to deactivate user access at termination
Which of the following requires financial institutions to develop written medical identity theft programs? HIPAA Privacy and Security Rule HITECH Act Fair and Accurate Credit Transactions Act HIPAA Security Rule
Fair and Accurate Credit Transactions Act
Which of the following statements is false about a firewall? A firewall can limit internal users from accessing various portions of the Internet. The most common place to find a firewall is between the healthcare organization's internal network and the Internet. Firewalls are effective for preventing all types of attacks on a healthcare system. It is a system or combination of systems that supports an access control policy between two networks.
Firewalls are effective for preventing all types of attacks on a healthcare system.
When Greg was released from Metro Hospital substance abuse inpatient facility, he authorized his records to be released to General Hospital, where he had his knee replaced. Greg's physical therapist has requested copies of his health record from the hospital. General Hospital releases Greg's information from Metro Hospital along with its own information to the physical therapy service. Select the statement that best addresses this situation. Redisclosure of Metro's information on Greg has occurred, but it is okay since Greg signed an authorization to release his records to General Hospital. General Hospital has violated redisclosure regulations by releasing the records from Metro Hospital to Physical Therapy Services. Redisclosure of substance abuse health information is always permitted under HIPAA regulations. Release of the information was appropriate since it follows the alcohol and drug abuse patient records reg
General Hospital has violated redisclosure regulations by releasing the records from Metro Hospital to Physical Therapy Services.
Emancipated minors _____. Generally may authorize disclosure of their own PHI Must be married to be declared emancipated by a court Are under the custody of their parents Are determined by federal law
Generally may authorize disclosure of their own PHI
Patients diagnosed with a mental illness and involuntarily committed_________. Have the right to procedural due process Are also deemed incompetent by virtue of the illness Can be confined indefinitely based on the diagnosis Sacrifice their substantive constitutional rights Lose their right to consent to or refuse treatment
Have the right to procedural due process
What term best describes an organization that has been formed to create an electronic framework that connects hospitals, physicians, pharmacies, and other healthcare entities for the purpose of sharing patient information?
Health information exchange
Mr. Thompson was working on his roof and fell off, sustaining a severe head injury that has left him in a coma. Before he fell from the ladder, he and his wife were in the process of getting a divorce. However, the divorce was not final. Which statement best describes the circumstance regarding who may authorize access to Mr. Thompson's records? Mr. Jones eldest son can authorize the access. His wife cannot authorize access because they were getting a divorce. His wife may authorize access because she is next of kin and they are still married. Legal counsel must be sought to represent Mr. Thompson.
His wife may authorize access because she is next of kin and they are still married.
Which of the following is not a HIPAA individual right? Request restrictions regarding PHI use and disclosure for treatment Import PHR content into the provider's health record Request amendments to PHI Access to PHI
Import PHR content into the provider's health record
What is the most common type of security threat to a health information system?
Internal to the organization
The community benefit standard_________. Is required for tax-exempt status Requires hospitals to accommodate all languages spoken by patients in a community Requires communities to provide a percentage of tax revenue to their hospitals Ensures that healthcare providers do not violate the Civil Rights Act of 1964
Is required for tax-exempt status
The community benefit standard_________. Requires hospitals to provide uncompensated care to 50 percent of its elective patients Is required for tax-exempt status Ensures that healthcare providers do not violate the Civil Rights Act of 1964 Requires hospitals to accommodate all languages spoken by patients in a community
Is required for tax-exempt status
Sally uses a patient health information portal. It limits Sally's access to her physician because it serves as a replacement It increases her 24/7 access to her health information It lessens her access to her health information because she can no longer access her full medical record It increases price transparency
It increases her 24/7 access to her health information
Which of the following is the best option for password management? User changes password every 60 days User changes password every 45 days System auto-assigns password Users assign password
System auto-assigns password
"Against medical advice" discharges_________. May result, if prohibited by the provider, in a battery claim against the provider Are legally prohibited Are not associated with outcomes that differ from physician-ordered discharges Do not require a protocol because the action is initiated by the patient, not the provider
May result, if prohibited by the provider, in a battery claim against the provider
The EMTALA regulations include all but which of the following? Transfer of non-stabilized patients must only occur under certain specific conditions Every patient arriving at the emergency department must receive an appropriate medical screening exam If an emergency medical condition exists, the hospital must treat and stabilize the emergency condition or transfer the patient Non-Medicare, indigent patients must be transferred to the nearest Level 1 trauma center
Non-Medicare, indigent patients must be transferred to the nearest Level 1 trauma center
Which of the following statements is not part of the EMTALA regulations? If an emergency medical condition exists, the hospital must treat and stabilize the emergency condition or transfer the patient Non-Medicare, indigent patients must be transferred to the nearest Level 1 trauma center Transfers of non-stabilized patients must only occur under certain specific conditions Every patient arriving at the emergency department must receive an appropriate medical screening exam
Non-Medicare, indigent patients must be transferred to the nearest Level 1 trauma center
A competent adult female has a diagnosis of ovarian cancer and while on the operating table suffers a stroke and is in a coma. Her son would like to access her health records from a clinic she recently visited for pain in her right arm. The patient is recently divorced and lives with her two grown children. According to the Uniform Health-Care Decision Act (UHCDA), who is the logical person to request and sign an authorization to access the woman's health records from the clinic? Spouse Adult child making request Patient Oldest adult child
Oldest adult child
Patient responsibilities generally include all of the following except: Make good-faith efforts to meet financial obligations Show respect for providers and other patients Pay in advance for treatment rendered Provide full and honest information to providers
Pay in advance for treatment rendered
The Hill-Burton Act_________. Decreased the obligation to provide uncompensated care Was passed by Congress in 2000 Exempts hospitals from complying with EMTALA Provided hospitals with money for construction and modernization
Provided hospitals with money for construction and modernization
Which of the following health information handlers are required to provide authorization for access and disclosure of PHI? Release of information Contractor Zone Program Integrity Contractor Medicare Administrative Contractor Recovery Audit Contractor
Release of information Contractor
Medicare requirements pertaining to seclusion and restraint_________. Prohibit seclusion for patients less than 18 years old Restrict their use Encourage their use through flexible standards Prohibit restraint for patients less than 18 years old
Restrict their use
Elements to include in a security system risk analysis program include all but which of the following? Limiting access to the minimum necessary Installing protective hardware devices Restricting remote access to users Requiring user names and passwords
Restricting remote access to users
Minors are basically deemed legally incompetent to access, use, or disclose their health information. What resource should be consulted in terms of who may authorize access, use, or disclose the health records of minors? HIPAA because there are strict HIPAA rules regarding minors State law because HIPAA defers to state laws on matters related to minors Hospital attorney because they know the rules of the hospital None of the options are correct
State law because HIPAA defers to state laws on matters related to minors
What is the term used when public health departments engage in the systematic gathering and analysis of health data which may include PHI to detect a bioterrorism threat or an outbreak of Ebola? Quality indicators Disease surveillance Syndromic surveillance Data surveillance
Syndromic surveillance
The director of health information services is allowed access to the medical record tracking system when providing the proper log-in and password. Under which access security mechanism is the director allowed access to the system? Role-based User-based Nontext-based None of the above
User-based
Which of the following is an example of two-factor authentication? Password User name and password and token User name and PIN User name and password
User name and password and token
During the flu season, a nursing home reports the cases of known flu in the nursing home population. The local health department calls and wants more information on the recent hospitalizations of these flu patients. How should the request be handled? Call the nursing home attorney for advice. Obtain an authorization from each of the patients and provide the information. Inform the sheriff of suspicion of medical identity theft. Verify the authenticity of the request and provide information.
Verify the authenticity of the request and provide information.
Under which of the following conditions is Mr. Smith's authorization required for the use and disclosure of his health information? When information on the patient's venereal disease is given to the health department When Mr. Smith's attorney is requesting the information When information is requested by the RAC for audit purposes When the federal government suspects the patient is involved in terrorism activity
When Mr. Smith's attorney is requesting the information
User name and password and token
Worm
Over a 24-hour time period a large number of individuals have arrived in the emergency department of a local hospital complaining of severe abdominal pain, vomiting, and diarrhea that they have all seemed to pick up at a local restaurant in town. The hospital has provided the public health department with the PHI of all patients treated for the illness. Did the hospital have the right to disclose this information? No, under no circumstance can the hospital release PHI without patient authorization. Yes, the hospital may disclose PHI to a public health department if state law does not specifically require it if the disclosure is for controlling the spread of disease. No, the hospital needed to verbally ask the patient if it was ok to release the PHI. None of the options are correct
Yes, the hospital may disclose PHI to a public health department if state law does not specifically require it if the disclosure is for controlling the spread of disease.
Disclosure of workers' compensation records is governed by_____. Medical staff by-laws Federal statutes HIPAA State statutes
state statutes
Except as provided by law, who controls access to a patient's health information by third parties such as insurance companies? Patient Patient's legal representative Physician a and b only a and c only
a and b only
Substance abuse patient information is afforded federal protection through HIPAA and Alcohol and Drug Abuse Regulations. If a minor wishes to authorize release of his or her health information he or she may do so if _____. State statute allows the minor to authorize release State statute allows minor and parent to authorize release He or she gets permission from the court to release Both court and minor authorizes release a and b c and d a, b, c, d, are correct
a and b
A young child is killed by a hit-and-run driver. The case is reported to the medical examiner for all of the following reasons except _____. Age of the child Violence that caused death Suspicious death Unexpected death
age of the child
Which of the following is a potential consequence to the medical identity theft victim? Intermingling of the victim's and perpetrator's medical information __________. Insurance denials Debt collection attempts All of the above
all of the above
Which of the following would be the best tool to determine whether or not access to ePHI was appropriate? Access control Audit trail Automatic log-off Access termination
audit trail
Which of the following is not a form of transmission security? Audit trails Firewalls Routers Encryption
audit trails
Data are sent in encrypted form from one computer to another. Which of the following terms describes the data after the encryption algorithm has been applied to it? Ciphertext Public key cryptography Access control Device control
ciphertext
The best mechanism to protect patient information during transit is __________. Two-factor authentication E-mail Biometrics Encryption
encryption
Who owns the health record of a patient treated in a healthcare facility? Patient's family Facility Physician Patient
facility
With whom may patients file a complaint if they suspect medical identity theft violations? Office of Civil Rights Federal Trade Commission Internal Revenue Service Centers for Medicare and Medicaid Services
Federal Trade Commission
Report for a fetal death would be reported on which required form? Fetal birth certificate Birth certificate Death certificate Fetal death certificate
fetal death certificate
At Frank's recent medical appointment, his physician provided information to Frank, but Frank made his own treatment decisions. This situation describes what type of relationship? Mutual Paternalistic Interpretive Informative
informative
Which of the following pieces of information is not typically mandated by state law child abuse reporting requirements? Age of child Name of parents Name of child Name of siblings
name of siblings
When a patient is an organ donor whose death is imminent, notifying the family members that the organ procurement organization will be contacted is _____. Not-required Not-recommended Required Recommended
not-required
Common data reported to the medical examiner in cases of reportable deaths typically includes all but which data element? Age Marital status Number of children Ethnicity
number of children
If a healthcare facility sustains physical damage caused by a tornado, the disaster recovery mechanism which provides the greatest protection of the data is __________. off-site data storage password management automatic log-off anti-virus automatic software updates
off-site data storage
Which of the following is not an access control commonly utilized by covered entities for compliance with the HIPAA security rule? Passwords Palm scanners User-based access
palm scanners
What is the most common method for implementing entity authentication? Password systems Token systems Personal identification number Biometric identification systems
password systems
Kimberly has just completed an appointment with her physician. The physician told Kimberly about her medical condition and explained the preferred treatment options to her. It was the physician's expectation that Kimberly would follow his recommendations. This situation describes what type of relationship? Paternalistic Informative Interpretive Mutual
paternalistic
Which of the following information is not included about a physician in the National Practitioner Data Bank? Malpractice lawsuits Credentialing information from other facilities Personal bankruptcy Disciplinary actions
personal bankruptcy
Reporting events for the conduct of public health surveillance is allowed under the doctrine of _____. CDC authority Executive order Preemption Stare decisis
preemption
Trauma registry data is used for all of the following purposes except _____. Public safety law Performance improvement Research Prosecution of drunk drivers
prosecution of drunk drivers
Which of the following is not considered to be a vital record? Birth certificate Death certificate Fetal death certificate Public health certificate
public health certificate
Healthcare facilities are required to report vital statistics to which of the following authorities? State department of health Centers for Disease Control and Prevention National Center for Vital Statistics World Health Organization
state department of health
Under the Privacy Rule, which of the following must be included in a patient accounting of disclosures? Disclosure for internal utilization review purposes State-mandated report of a sexually transmitted disease Disclosure pursuant to a patient's signed authorization Disclosure pursuant to a valid subpoena
state-mandated report of a sexually transmitted disease