Fundamentals of Law for Health Informatics and Information Management, Third Edition, Exam 4

Which of the following is not an example of a red flag for a healthcare provider? A question from a patient about a collection notice A bill for a product that patient denies receiving A question from a patient about scheduled surgery A patient's receipt of a bill for another individual

A question from a patient about scheduled surgery

Joint Commission standards: Mandate the actual language to be used in patient rights policies Address both patient rights and patient responsibilities Address patient rights, but do not address patient responsibilities Do not address research and clinical trials with regard to patient rights

Address both patient rights and patient responsibilities

A mental health professional cannot be compelled to testify or disclose protected health information without patient authorization in a judicial situation except in what situation? Health professional performs an examination under court order Patient brings up the issue of mental or emotional condition Protect patient from harming self or others a and c All of the above

All of the above

The patient's right to the confidentiality of his or her health information is reinforced through: Professional best practices Accreditation standards Medicare Conditions of Participation None of the above All of the above

All of the above

Patients diagnosed with a mental illness and involuntarily committed: Lose their right to procedural due process Can be confined indefinitely based on the diagnosis Lose their right to consent to or refuse treatment Sacrifice their substantive constitutional rights Are not necessarily deemed incompetent by virtue of the illness

Are not necessarily deemed incompetent by virtue of the illness

When the HIM professional is considering the major departmental functions to include in a disaster plan for emergency operations, which of the following would be the least important? Master patient index Billing Transcription of dictation Chart tracking

Billing

Many states have mandatory reporting requirements for suspected abuse or mistreatment of the following categories of individuals except _____. Competent adults Nursing home residents Residents of state mental health facilities Children

Competent adults

Mark Bates has been declared legally incompetent by the court. Mr. Bates' sister has been appointed his legal guardian. His sister is requesting a copy of Mr. Bates' health records. Of the options below, what is the best course of action? Comply with the sister's request, but first request documentation from the sister that she is Bates' legal guardian. Refer the sister to Mark Bates' doctor. Provide the information as requested by the sister. Require that Mark Bates authorize the release of his health information to the sister.

Comply with the sister's request, but first request documentation from the sister that she is Bates' legal guardian.

Which of the following is not a mechanism to detect external medical identity theft? Request a driver's license to verify identity Conduct a background check on prospective employees Take a photograph of the patient at the time of registration Compare current patient signature with that from a previous encounter

Conduct a background check on prospective employees

Esther is an 86-year-old patient of Dr. Brooks. When taking into consideration that Esther views the physician-patient relationship differently because of her age, Dr. Brooks is exhibiting_________. Transparency Meaningful use Cultural competence Health literacy

Cultural competence

Most state laws deem adoption records to be confidential and allow their release only under what circumstance? Subpoena Authorization adoptee Authorization of adoptive parent(s) Court order

Court order

Key components to a contingency or disaster plan, mandated by the HIPAA Security Rule include __________. Data back-up, data recovery, emergency mode of operations and data encryption Data back-up, data recovery and emergency mode of operations Data back-up and data recovery Data recovery and emergency mode of operations

Data back-up, data recovery and emergency mode of operations

Eleanor has refused life-saving treatment. Which of the following is true? Eleanor does not have the right to refuse treatment Eleanor has the right of self-determination to refuse treatment The hospital may not refer this decision to a court Her refusal is voided because it will result in her death

Eleanor has the right of self-determination to refuse treatment

Which of the following is most likely to result in a security breach? Leaving voice mail patient appointment reminders Transporting records to a satellite clinic Failing to deactivate user access at termination Calling patient names in the waiting room

Failing to deactivate user access at termination

Which of the following requires financial institutions to develop written medical identity theft programs? HIPAA Privacy and Security Rule HITECH Act Fair and Accurate Credit Transactions Act HIPAA Security Rule

Fair and Accurate Credit Transactions Act

Which of the following statements is false about a firewall? A firewall can limit internal users from accessing various portions of the Internet. The most common place to find a firewall is between the healthcare organization's internal network and the Internet. Firewalls are effective for preventing all types of attacks on a healthcare system. It is a system or combination of systems that supports an access control policy between two networks.

Firewalls are effective for preventing all types of attacks on a healthcare system.

When Greg was released from Metro Hospital substance abuse inpatient facility, he authorized his records to be released to General Hospital, where he had his knee replaced. Greg's physical therapist has requested copies of his health record from the hospital. General Hospital releases Greg's information from Metro Hospital along with its own information to the physical therapy service. Select the statement that best addresses this situation. Redisclosure of Metro's information on Greg has occurred, but it is okay since Greg signed an authorization to release his records to General Hospital. General Hospital has violated redisclosure regulations by releasing the records from Metro Hospital to Physical Therapy Services. Redisclosure of substance abuse health information is always permitted under HIPAA regulations. Release of the information was appropriate since it follows the alcohol and drug abuse patient records reg

General Hospital has violated redisclosure regulations by releasing the records from Metro Hospital to Physical Therapy Services.

Emancipated minors _____. Generally may authorize disclosure of their own PHI Must be married to be declared emancipated by a court Are under the custody of their parents Are determined by federal law

Generally may authorize disclosure of their own PHI

Patients diagnosed with a mental illness and involuntarily committed_________. Have the right to procedural due process Are also deemed incompetent by virtue of the illness Can be confined indefinitely based on the diagnosis Sacrifice their substantive constitutional rights Lose their right to consent to or refuse treatment

Have the right to procedural due process

What term best describes an organization that has been formed to create an electronic framework that connects hospitals, physicians, pharmacies, and other healthcare entities for the purpose of sharing patient information?

Health information exchange

Mr. Thompson was working on his roof and fell off, sustaining a severe head injury that has left him in a coma. Before he fell from the ladder, he and his wife were in the process of getting a divorce. However, the divorce was not final. Which statement best describes the circumstance regarding who may authorize access to Mr. Thompson's records? Mr. Jones eldest son can authorize the access. His wife cannot authorize access because they were getting a divorce. His wife may authorize access because she is next of kin and they are still married. Legal counsel must be sought to represent Mr. Thompson.

His wife may authorize access because she is next of kin and they are still married.

Which of the following is not a HIPAA individual right? Request restrictions regarding PHI use and disclosure for treatment Import PHR content into the provider's health record Request amendments to PHI Access to PHI

Import PHR content into the provider's health record

What is the most common type of security threat to a health information system?

Internal to the organization

The community benefit standard_________. Is required for tax-exempt status Requires hospitals to accommodate all languages spoken by patients in a community Requires communities to provide a percentage of tax revenue to their hospitals Ensures that healthcare providers do not violate the Civil Rights Act of 1964

Is required for tax-exempt status

The community benefit standard_________. Requires hospitals to provide uncompensated care to 50 percent of its elective patients Is required for tax-exempt status Ensures that healthcare providers do not violate the Civil Rights Act of 1964 Requires hospitals to accommodate all languages spoken by patients in a community

Is required for tax-exempt status

Sally uses a patient health information portal. It limits Sally's access to her physician because it serves as a replacement It increases her 24/7 access to her health information It lessens her access to her health information because she can no longer access her full medical record It increases price transparency

It increases her 24/7 access to her health information

Which of the following is the best option for password management? User changes password every 60 days User changes password every 45 days System auto-assigns password Users assign password

System auto-assigns password

"Against medical advice" discharges_________. May result, if prohibited by the provider, in a battery claim against the provider Are legally prohibited Are not associated with outcomes that differ from physician-ordered discharges Do not require a protocol because the action is initiated by the patient, not the provider

May result, if prohibited by the provider, in a battery claim against the provider

The EMTALA regulations include all but which of the following? Transfer of non-stabilized patients must only occur under certain specific conditions Every patient arriving at the emergency department must receive an appropriate medical screening exam If an emergency medical condition exists, the hospital must treat and stabilize the emergency condition or transfer the patient Non-Medicare, indigent patients must be transferred to the nearest Level 1 trauma center

Non-Medicare, indigent patients must be transferred to the nearest Level 1 trauma center

Which of the following statements is not part of the EMTALA regulations? If an emergency medical condition exists, the hospital must treat and stabilize the emergency condition or transfer the patient Non-Medicare, indigent patients must be transferred to the nearest Level 1 trauma center Transfers of non-stabilized patients must only occur under certain specific conditions Every patient arriving at the emergency department must receive an appropriate medical screening exam

Non-Medicare, indigent patients must be transferred to the nearest Level 1 trauma center

A competent adult female has a diagnosis of ovarian cancer and while on the operating table suffers a stroke and is in a coma. Her son would like to access her health records from a clinic she recently visited for pain in her right arm. The patient is recently divorced and lives with her two grown children. According to the Uniform Health-Care Decision Act (UHCDA), who is the logical person to request and sign an authorization to access the woman's health records from the clinic? Spouse Adult child making request Patient Oldest adult child

Oldest adult child

Patient responsibilities generally include all of the following except: Make good-faith efforts to meet financial obligations Show respect for providers and other patients Pay in advance for treatment rendered Provide full and honest information to providers

Pay in advance for treatment rendered

The Hill-Burton Act_________. Decreased the obligation to provide uncompensated care Was passed by Congress in 2000 Exempts hospitals from complying with EMTALA Provided hospitals with money for construction and modernization

Provided hospitals with money for construction and modernization

Which of the following health information handlers are required to provide authorization for access and disclosure of PHI. Release of information Contractor Zone Program Integrity Contractor Medicare Administrative Contractor Recovery Audit Contractor

Release of information Contractor

Medicare requirements pertaining to seclusion and restraint_________. Prohibit seclusion for patients less than 18 years old Restrict their use Encourage their use through flexible standards Prohibit restraint for patients less than 18 years old

Restrict their use

Elements to include in a security system risk analysis program include all but which of the following? Limiting access to the minimum necessary Installing protective hardware devices Restricting remote access to users Requiring user names and passwords

Restricting remote access to users

Minors are basically deemed legally incompetent to access, use, or disclose their health information. What resource should be consulted in terms of who may authorize access, use, or disclose the health records of minors? HIPAA because there are strict HIPAA rules regarding minors State law because HIPAA defers to state laws on matters related to minors Hospital attorney because they know the rules of the hospital None of the options are correct

State law because HIPAA defers to state laws on matters related to minors

What is the term used when public health departments engage in the systematic gathering and analysis of health data which may include PHI to detect a bioterrorism threat or an outbreak of Ebola? Quality indicators Disease surveillance Syndromic surveillance Data surveillance

Syndromic surveillance

The director of health information services is allowed access to the medical record tracking system when providing the proper log-in and password. Under which access security mechanism is the director allowed access to the system? Role-based User-based Nontext-based None of the above

User-based

Which of the following is an example of two-factor authentication? Password User name and password and token User name and PIN User name and password

User name and password and token

During the flu season, a nursing home reports the cases of known flu in the nursing home population. The local health department calls and wants more information on the recent hospitalizations of these flu patients. How should the request be handled? Call the nursing home attorney for advice. Obtain an authorization from each of the patients and provide the information. Inform the sheriff of suspicion of medical identity theft. Verify the authenticity of the request and provide information.

Verify the authenticity of the request and provide information.

Under which of the following conditions is Mr. Smith's authorization required for the use and disclosure of his health information? When information on the patient's venereal disease is given to the health department When Mr. Smith's attorney is requesting the information When information is requested by the RAC for audit purposes When the federal government suspects the patient is involved in terrorism activity

When Mr. Smith's attorney is requesting the information

User name and password and token

Worm

Over a 24hour time period a large number of individuals have arrived in the emergency department of a local hospital complaining of severe abdominal pain, vomiting, and diarrhea that they have all seemed to pick up at a local restaurant in town. The hospital has provided the public health department with the PHI of all patients treated for the illness. Did the hospital have the right to disclose this information? No, under no circumstance can the hospital release PHI without patient authorization. Yes, the hospital may disclose PHI to a public health department if state law does not specifically require it if the disclosure is for controlling the spread of disease. No, the hospital needed to verbally ask the patient if it was ok to release the PHI. None of the options are correct

Yes, the hospital may disclose PHI to a public health department if state law does not specifically require it if the disclosure is for controlling the spread of disease.

Disclosure of workers' compensation records is governed by_____. Medical staff by-laws Federal statutes HIPAA State statutes

state statutes

Except as provided by law, who controls access to a patient's health information by third parties such as insurance companies? Patient Patient's legal representative Physician a and b only a and c only

a and b only

Substance abuse patient information is afforded federal protection through HIPAA and Alcohol and Drug Abuse Regulations. If a minor wishes to authorize release of his or her health information he or she may do so if _____. State statute allows the minor to authorize release State statute allows minor and parent to authorize release He or she gets permission from the court to release Both court and minor authorizes release a and b c and d a, b, c, d, are correct

a and b

A young child is killed by a hit-and-run driver. The case is reported to the medical examiner for all of the following reasons except _____. Age of the child Violence that caused death Suspicious death Unexpected death

age of the child

Which of the following is a potential consequence to the medical identity theft victim? Intermingling of the victim's and perpetrator's medical information __________. Insurance denials Debt collection attempts All of the above

all of the above

Which of the following would be the best tool to determine whether or not access to ePHI was appropriate? Access control Audit trail Automatic log-off Access termination

audit trail

Which of the following is not a form of transmission security? Audit trails Firewalls Routers Encryption

audit trails

Data are sent in encrypted form from one computer to another. Which of the following terms describes the data after the encryption algorithm has been applied to it? Ciphertext Public key cryptography Access control Device control

ciphertext

The best mechanism to protect patient information during transit is __________. Two-factor authentication E-mail Biometrics Encryption

encryption

Who owns the health record of a patient treated in a healthcare facility? Patient's family Facility Physician Patient

facility

With whom may patients file a complaint if they suspect medical identity theft violations? Office of Civil Rights Federal Trade Commission Internal Revenue Service Centers for Medicare and Medicaid Services

federal trade commission

Report for a fetal death would be reported on which required form? Fetal birth certificate Birth certificate Death certificate Fetal death certificate

fetal death certificate

At Frank's recent medical appointment, his physician provided information to Frank, but Frank made his own treatment decisions. This situation describes what type of relationship? Mutual Paternalistic Interpretive Informative

informative

Which of the following pieces of information is not typically mandated by state law child abuse reporting requirements? Age of child Name of parents Name of child Name of siblings

name of siblings

When a patient is an organ donor whose death is imminent, notifying the family members that the organ procurement organization will be contacted is _____. Not-required Not-recommended Required Recommended

not-required

Common data reported to the medical examiner in cases of reportable deaths typically includes all but which data element? Age Marital statue Number of children Ethnicity

number of children

If a healthcare facility sustains physical damage caused by a tornado, the disaster recovery mechanism which provides the greatest protection of the data is __________. off-site data storage password management automatic log-off anti-virus automatic software updates

off-site data storage

Which of the following is not an access control commonly utilized by covered entities for compliance with the HIPAA security rule? Passwords Palm scanners User-based access

palm scanners

What is the most common method for implementing entity authentication? Password systems Token systems Personal identification number Biometric identification systems

password systems

Kimberly has just completed an appointment with her physician. The physician told Kimberly about her medical condition and explained the preferred treatment options to her. It was the physician's expectation that Kimberly would follow his recommendations. This situation describes what type of relationship? Paternalistic Informative Interpretive Mutual

paternalistic

Which of the following information is not included about a physician in the National Practitioner Data Bank? Malpractice lawsuits Credentialing information from other facilities Personal bankruptcy Disciplinary actions

personal bankruptcy

Reporting events for the conduct of public health surveillance is allowed under the doctrine of CDC authority Executive order Preemption Stare decisis

preemption

Trauma registry data is used for all of the following purposes except _____. Public safety law Performance improvement Research Prosecution of drunk drivers

prosecution of drunk drivers

Which of the following is not considered to be a vital record? Birth certificate Death certificate Fetal death certificate Public health certificate

public health certificate

Healthcare facilities are required to report vital statistics to which of the following authority? State department of health Centers for Disease Control and Prevention National Center for Vital Statistics World Health Organization

state department of health

Under the Privacy Rule, which of the following must be included in a patient accounting of disclosures? Disclosure for internal utilization review purposes State-mandated report of a sexually transmitted disease Disclosure pursuant to a patient's signed authorization Disclosure pursuant to a valid subpoena

state-mandated report of a sexually transmitted disease