Ch 9 study guide (health information)
Which of the following should be included in a covered entity's notice of privacy practices?
Description with one example of disclosures made for treatment purposes
HIPAA administrative requirements include which of the following?
Designating a privacy officer
Which of the following statements about a facility directory of patients is true?
Disclosures from the directory need not be included in an accounting of disclosures.
Which of the following is true of the Health Insurance Portability and Accountability Act (HIPAA)?
Provides a federal floor for healthcare privacy
PHR vendors that are not part of a covered entity or business associate must report PHI breaches to ______________.
The Federal Trade Commission
How many days does a covered entity have to respond to an individual's request for access to PHI under HIPAA rules?
30 days
Under usual circumstances, a covered entity must act on a patient's request to review or copy his or her health information within what time frame?
30 days
How many days does a covered entity have to respond to an individual's request for access to his or her PHI when the PHI is stored off-site?
60 days
Who of the following would be considered a member of a hospital's workforce?
A clerk working in the hospital's registration office
Which of the following statements is true in responding to requests from individuals who wish to access their PHI?
A cost-based fee may be charged for making a copy of the PHI.
Which of the following situations is considered a breach of PHI?
A patient's attorney is sent records not requested by that patient
When would PHI lose its status?
After an individual has been deceased more than 50 years
Which of the following statements is true?
An authorization must contain an expiration date or event
A valid authorization requires which of the following?
An expiration date or event
Under the HIPAA Privacy Rule, when an individual asks to see his or her own health information, a covered entity _______________.
Can deny access to psychotherapy notes
In which of the following situations can PHI be disclosed without authorization, as long as there was an opportunity for the individual to agree or object?
Facility directory disclosures
True or false. In all cases, a covered entity may deny an individual's request to restrict the use or disclosure of his or her PHI.
False
Which of the following actions by a physician requires the patient's authorization?
Giving the name of an expectant mother to a baby formula manufacturer
What types of health records are subject to the HIPAA Privacy Rule?
Health records in any format
Under the HIPAA Privacy Rule, which of the following is a covered entity category?
Healthcare clearinghouse
A covered entity may deny an individual's amendment request for which of the following reasons?
If the PHI in question is not part of the designated record set
True or false. A notice of privacy practices should include a statement explaining that individuals may complain to the Secretary of the Department of Health and Human Services if they believe that their privacy rights have been violated.
True
Which of the following statements about the directory of patients maintained by a covered entity is true?
Individuals must be given an opportunity to deny permission to place information about them in the directory.
Which of the following is true of the notice of privacy practices?
It must be posted in a prominent place
Which of the following statements is true of the notice of privacy practices?
It must be provided to every individual at the first time of contact or service with the covered entity.
Mary's PHI was breached by her physician office when it was disclosed in error to another patient. Which of the following breach notification statements is correct regarding the physician office's required action?
It must report the breach to HHS within 60 days after the end of the calendar year in which the breach occurred
Which of the following statements about a business associate agreement is true?
It requires the business associate to make available records relating to PHI use and disclosure to the HHS.
Which of the following is a public interest and benefit exception to the authorization requirement?
Judicial and administrative proceedings
Under the HIPAA Privacy Rule, an impermissible use or disclosure should be presumed to be a breach unless the covered entity or business associate demonstrates that the probability the PHI has been compromised is ___________.
Low
The HIPAA Privacy Rule requires that covered entities limit use, access, and disclosure of PHI to the least amount necessary to accomplish the intended purpose. What concept is this?
Minimum necessary
In court, hearsay is generally ____________.
Non-admissible
Which of the following provides a complete description to patients about how PHI is used in a healthcare facility?
Notice of privacy practices
Which of the following is unsecured PHI?
PHI that technology has not made unusable, unreadable, or indecipherable to an unauthorized person
The American Recovery and Reinvestment Act expanded the definition of business associates to include which of the following?
Patient safety organizations
Which of the following rights did HIPAA give patients?
Right to request an amendment of the health record
ARRA and HITECH granted which of the following the ability to bring civil actions in federal district court on behalf of residents believed to have been affected by a HIPAA violation?
State attorneys general
Which of the following statements is true?
State law preempts HIPAA, if stricter
True or false. Stricter state statutes that provide greater confidentiality of healthcare information take precedence over the provisions of the HIPAA Privacy Rule.
True
Which of the following is true about a facility's patient directory?
The covered entity must inform the individual of the information to be included in the facility directory.
Critique this statement: According to HIPAA, workforce members include students.
This is a true statement
In which of the following instances must patient authorization be obtained prior to disclosure?
To the patient's attorney
The breach notification requirement applies to:
Unsecured PHI only
In which of the following circumstances does the patient have an opportunity to agree or object?
When a court order is received
In which of the following situations must a covered entity provide an appeal process for denials to requests from individuals to see their own health information?
When a licensed healthcare professional has determined that access to PHI would likely endanger the life or safety of the individual
Which of the following statements is true of the notice of privacy practices?
It must be provided to every individual at the first time of contact or service with the covered entity.
A subpoena should be accompanied by which of the following?
Patient authorization
The designated record set includes which of the following?
Billing records
Which of the following is a covered entity under the HIPAA Privacy Rule?
Pharmacy
What does the acronym PHI stand for?
Protected health information