Domain 5: Compliance

Which plan should be devised to respond to issues arising from the clinical documentation improvement (CDI) compliance and operational audit process?

Corrective action plan Most audits should identify some issues, either operational or compliance, in the clinical documentation improvement (CDI) process, even if they are minor issues. An organization needs to develop a corrective action plan for any identified issues

What should be done when the HIM department's error rate is too high or its accuracy rate is too low based on policy?

Corrective action should be taken to meet the department standards Each function should have its own acceptable level of performance and monitoring should be performed to confirm the standards are met. If not, corrective actions should be taken

In performing a coding audit, a health record technician discovers that an inpatient coder is assigning diagnosis and procedure codes specifically for the purpose of obtaining a higher level of reimbursement. The coder believes that this practice helps the hospital in increasing revenue. Which of the following should be done in this case?

Counsel the coder and stop the practice immediately Ethical coding practices must be followed with appropriate employee counseling and remediation

The Medical Record Committee wants to determine if the hospital is in compliance with medical staff rules and regulations for medical record delinquency rates. The HIM director has compiled a report that shows that records are delinquent for an average of 29 days after discharge. Given this information, what can the committee conclude?

Data are insufficient to determine whether the hospital is in compliance. When an incomplete record is not rectified within a specific number of days as indicated in the medical staff rules and regulations, the record is considered to be a delinquent record. Generally, an incomplete record is considered delinquent after it has been available to the physician for completion for 15-30 days. This question does not provide enough information on the standard as the medical staff rules and regulations on delinquent records are not defined

Which of the following describes incomplete records that are not completed by the physician within the time frame specified in the healthcare facility's policies?

Delinquent records Physicians and other practitioners are notified when they have incomplete health records requiring their attention. If a health record remains incomplete for a specified number of days, as defined in the medical staff rules and regulations, the record is considered to be a delinquent record

When the Medicare Recovery Audit Contractor has determined that incorrect payment has been made to an organization, which document is sent to the provider notifying them of this determination?

Demand letter The provider will be notified of the RAC determination in a demand letter, which includes the provider's identification, reason for the review, list of claims, reasons for any denials, and amount of the overpayment for each claim. The demand letter is the equivalent of a denial letter

During an audit of health records, the HIM director finds that transcribed reports are being changed by the author up to a week after initial transcription. To remedy this situation, the HIM director should recommend which of the following?

Develop a facility policy that defines the acceptable period of time allowed for a transcribed document to remain in draft form An example of unethical documentation in healthcare is retrospective documentation, when healthcare providers add documentation after care has been given, possibly for the purpose of increasing reimbursement or avoiding a medical legal action. The HIM professional is responsible for maintaining accurate and complete records and is able to identify the occurrence and either correct the error or indicate that the entry is a late entry into the health record

During a review of documentation practices, the HIM director finds that nurses are routinely using the copy and paste functionality of the hospital's EHR system for documenting nursing notes. Which of the following should the HIM director do to ensure that the nurses are following acceptable documentation practices?

Develop policy and procedures related to cutting, copying, and pasting documentation in the EHR system The ability to copy previous entries and paste into a current entry leads to a record in which a clinician may, upon signing the documentation, unwittingly swear to the accuracy and comprehensiveness of substantial amounts of duplicated or inapplicable information as well as the incorporation of misleading or erroneous documentation. The HIM professional plays a critical role in developing policies and procedures to ensure the integrity of patient information

One way for a hospital to demonstrate compliance with OIG guidelines is to:

Develop, implement, and monitor written policies and procedures Over the past several years, the OIG has published several documents to help providers develop internal programs that include elements for ensuring compliance. One of the elements included is written policies and procedures

Which of the following practices is an appropriate coding compliance activity?

Developing procedures for identifying coding errors Coding compliance activities would not include a financial incentive for coders to commit fraud, to code diagnoses and procedures before documentation is complete, or to spend resources reviewing accurately paid claims. Providing a financial incentive to coders for coding claims improperly would be against any coding compliance plan and would also be a violation of AHIMA's Standards of Ethical Coding. One of the basic elements of a coding compliance program includes developing policies and procedures for identifying coding errors

The removal of medication from its usual stream of preparation, dispensing, and administration by personnel involved in those steps in order to use or sell the medication in nonhealthcare settings is called:

Diversion Diversion is the removal of a medication from its usual stream of preparation, dispensing, and administration by personnel involved in those steps in order to use or sell the medication in non-healthcare settings. An individual might take the medication for personal use, to sell on the street, to sell directly to a user as a dealer or to sell to others who will redistribute for the diverting individual

A postoperative patient was prescribed Lortab prn. Nurse Jones documented in the patient record that she administered one dose of Lortab to the patient, but never actually administered this medication. Nurse Jones then took the Lortab herself. This action would be called?

Drug diversion Drug diversion is the removal of a medication from its usual stream of preparation, dispensing, and administration by personnel involved in those steps in order to use or sell the medication in non-healthcare settings. An individual might take the medication for personal use, to sell on the street, to sell directly to a user as a dealer or to sell to others who will redistribute for the diverting individual

A Joint Commission-accredited organization must review its formulary annually to ensure a medication's continued:

Efficacy and safety The formulary is composed of medications used for commonly occurring conditions or diagnoses treated in the healthcare organization. Organizations accredited by the Joint Commission are required to maintain a formulary and document that they review it at least annually for a medication's continued safety and efficacy

The nursing staff routinely sends text messages to attending physicians to clarify orders during the night shift. The HIM professional should recommend which of the following to refine the policy as the best practice for protecting information that is text messaged.

Encrypt text messages during transmission Although text messaging is often used in healthcare, it presents privacy and security risks. One best practice for text messaging in healthcare is to use encryption during transmission

The Joint Commission is conducting an audit at Community Hospital to determine the hospital's compliance with The Joint Commission standards regarding patient rights. This is an example of a(n):

External audit External audits are conducted by accreditation, insurance companies, or other organizations monitoring the healthcare provider for compliance with their standards and regulations. In this scenario The Joint Commission is doing an external audit to determine compliance with The Joint Commission standards regarding patients' rights

Corporate compliance programs became common after adoption of which of the following?

Federal Sentencing Guidelines The U.S. Federal Sentencing Guidelines outline seven steps as the hallmark of an effective program to prevent and detect violations of law. These seven steps were the basis for the OIG's recommendations regarding the fundamental elements of an effective compliance program

A pharmacist who submits Medicaid claims for reimbursement on brand name drugs when less expensive generic drugs were actually dispensed has committed the crime of:

Fraud Fraud in healthcare is defined as a deliberate false representation of fact, a failure to disclose a fact that is material (relevant) to a healthcare transaction, damage to another party that reasonably relies on the misrepresentation, or failure to disclose. This situation would fall under category 2

A coder's misrepresentation of the patient's clinical picture through intentional incorrect coding or the omission of diagnosis or procedure codes would be an example of:

Healthcare fraud Healthcare fraud is an intended and deliberate deception or misrepresentation by a provider, or by a representative of a provider, that results in a false or fictitious claim. These false claims then result in an inappropriate payment by Medicare or other insurers

The deception or misrepresentation by a healthcare provider that may result in a false or fictitious claim for inappropriate payment by Medicare or other insurers for items or services either not rendered or rendered to a lesser extent than described in the claim is:

Healthcare fraud Healthcare fraud is defined as an intentional representation that an individual knows to be false or does not believe to be true and makes, knowing that the representation could result in some unauthorized benefit to himself or herself or some other person. An example of fraud is billing for a service that was not furnished

What is the most constant threat to health information integrity?

Humans Health information can be threatened by humans as well as by natural and environmental factors. Threats posed by humans can be either unintentional or intentional. Threats to health information can result in compromised integrity (that is, alteration of information, either intentional or unintentional), theft (intentional by nature), loss (unintentional) or intentional misplacement, other wrongful uses or disclosures (either intentional or unintentional), and destruction (intentional or unintentional)

In developing a monitoring program for inpatient coding compliance, which of the following should be regularly audited?

ICD-10-CM and ICD-10-PCS coding The corporate compliance program addresses the coding function. Because the accuracy and completeness of ICD-10-CM and ICD-10-PCS for inpatient code assignment determine the provider payment, the coding compliance program should regularly audit these codes. It is important that healthcare organizations have a strong coding compliance program

Which of the following should be the first step in any quality improvement process?

Identifying the performance measures Most quality improvement methodologies recognize that the organization must identify and continuously monitor the important organizational and patient-focused functions that they perform. The first step in this process is to identify performance measures

Which of the following would be an example of a reviewable sentinel event?

Incidence of infant abduction Sentinel events usually involve significant injury to, or the death of, a patient or an employee through avoidable causes. Hospital acquired infections, blood transfusion reactions, or incidences of an unruly patient are monitored processes, but in and of themselves would not be considered sentinel events. An infant abduction would be considered an avoidable occurrence and therefore a sentinel event. A sentinel event includes any process variation for which a recurrence would carry a significant chance of serious adverse outcome. Such events are called "sentinel" because they signal the need for immediate investigation and response. Examples of sentinel events include infant abduction from the nursery or a foreign body left in a patient from surgery

The risk manager's principal tool for capturing the facts about potentially compensable events is the:

Incident report or occurrence report An incident report is a structured data tool that risk managers use to gather information about potentially compensable events. Effective incident reports carefully structure the collection of data, information, and facts in a relatively simple format. The risk manager's principal tool for capturing the facts about potentially compensable events is the occurrence report, sometimes called the incident report. Effective occurrence reports carefully structure the collection of data, information, and facts in a relatively simple format

A local nonprofit community hospital is looking to do a fundraiser to add to their surgical center. HIPAA rules restrict activities related to fundraising for healthcare organizations. Which of the following must the hospital do to comply with the HIPAA requirements for fundraising?

Individuals must be informed in the notice of privacy practices that their information may be used for fundraising purposes For fundraising activities that benefit the covered entity, the covered entity may use or disclose to a BA or an institutionally related foundation, without authorization, demographic information and dates of healthcare provided to an individual. However, the covered entity must inform individuals in its notice of privacy practices that PHI may be used for this purpose. It must also include in its fundraising materials instructions on how to opt out of receiving materials in the future

Organizations' use of audits in data analysis in order to ensure compliance with policies and procedures is a component of:

Internal monitoring As part of an effective compliance plan organizations must perform internal monitoring. These organizations must be diligent to ensure compliance with policies and procedures, such as through the use of audits and data analysis

A physician takes the medical records of a group of HIV-positive patients out of the hospital to complete research tasks at home. The physician mistakenly leaves the records in a restaurant, where they are read by a newspaper reporter who publishes an article that identifies the patients. The physician can be sued for:

Invasion of privacy A person's right to privacy is the right to be left alone and protected against physical or psychological invasion. It includes freedom from intrusion into one's private affairs to include their healthcare diagnoses

Which type of identity theft occurs when a patient uses another person's name and insurance information to receive healthcare benefits?

Medical Medical identity theft occurs when a patient uses another person's name and insurance information to receive healthcare benefits. Most often this is done so a person can receive healthcare with an insurance benefit and pay less or nothing for the care received

Healthcare abuse relates to practices that may result in:

Medically unnecessary services Abuse occurs when a healthcare provider unknowingly or unintentionally submits an inaccurate claim for payment. Abuse generally results from unsound medical, business, or fiscal practices that directly or indirectly result in unnecessary costs to the Medicare program. The performance of medically unnecessary services and submitting them for payment would be an example of healthcare abuse

Events that occur in a healthcare organization that do not necessarily affect an outcome but carry significant chance of being a serious adverse event if they were to recur are:

Near misses Near misses include occurrences that do not necessarily affect an outcome but if they were to recur they would carry significant chance of being a serious adverse event. Near misses fall under the definition of a sentinel event, but are not reviewable by The Joint Commission under its current sentinel event policy

A provider's office calls to retrieve emergency room records for a patient's follow-up appointment. The HIM professional refused to release the emergency room records without a written authorization from the patient. Was this action in compliance?

No; the records are needed for continued care of the patient, so no authorization is required Treatment, payment, and operations (TPO) is an important concept because the Privacy Rule provides a number of exceptions for PHI that is being used or disclosed for TPO purposes. Treatment means providing, coordinating, or managing healthcare or healthcare-related services by one or more healthcare providers

A hospital receives a valid request from a patient for copies of her health records. The HIM clerk who is preparing the records removes copies of the patient's records from another hospital where the patient was previously treated. According to HIPAA regulations, was this action correct?

No; the records from the previous hospital are considered to be included in the designated record set and should be given to the patient. When other healthcare providers provide records, it is done to ensure the continuity of care for the individual. Many covered entities either include the whole file or copies of the file as part of the covered entity's record, with the assumption that the treating physician has used some or all of the records to decide how to treat the patient. Any copies that are included with the records of the individual are, therefore, considered part of the individual's designated record set and should be released

The Breach Notification Rule requires covered entities to do which of the following:

Notify affected individuals when a breach occurs When a breach occurs, facilities must notify affected individuals. Facilities do not need to create a new health record number for each patient, provide a new copy of the Notice of Privacy Practices, or establish a policy on minimum necessary

In developing a coding compliance program, which of the following would not be ordinarily included as participants in coding compliance education?

Nursing staff In conjunction with the corporate compliance officer, the health information manager should provide education and training related to the importance of complete and accurate coding, documentation, and billing on an annual basis. Technical education for all coders should be provided. Documentation education is also part of compliance education. A focused effort should be made to provide documentation education to the medical staff

What resource should the facility compliance officer consult to provide information on new and ongoing reviews or audits each year in programs administered by the Department of Health and Human Services?

OIG workplans The resource that the facility compliance officer should consult to provide information on ongoing reviews and audits each year in programs administered by the Department of Health and Human Services (HHS) is the OIG workplan

The leaders of a healthcare organization are expected to select an organization-wide performance improvement approach and to clearly define how all levels of the organization will monitor and address improvement issues. The Joint Commission requires ongoing data collection that might require improvement for which of the following areas?

Operative and other invasive procedures, medication management, and blood and blood product use Appointments to the Board of Directors is important information, but the Joint Commission requires detailed information on the responsibilities and actions of the Board, not necessarily its composition. The Joint Commission requires healthcare organizations to collect data on each of these areas: medication management, blood and blood product use, restraint and seclusion use, behavior management and treatment, operative and other invasive procedures, and resuscitation and its outcomes

A facility recently submitted two claims for the same service for a patient's recent encounter for chemotherapy. If the third-party payer pays both of these claims, the facility will receive a higher reimbursement than deserved. This is called:

Overpayment An overpayment occurs when a facility receives higher reimbursement than the facility deserves. One example of this is when a facility submits two or more claims for the same service

Which of the following would not be a focus area of claims auditing for healthcare services provided in the emergency department?

Patients are satisfied with their services The data elements collected during the audit vary based on the audit objective. As in this example, auditing a claim for healthcare services in the emergency department could consider the following areas: procedures that are reported at the appropriate level, claims are not submitted more than once, documentation supports services reported on the claim. Patient satisfaction with their services would not be an area of claim audit

Every healthcare organization's risk management plan should include the following components except:

Peer review Risk management programs have three functions: risk identification and analysis, loss prevention and reduction, and claims management

Which of the following is a principle of contemporary performance improvement?

Performance improvement relies on the collection and analysis of data to increase knowledge. Performance improvement (PI) is based on several fundamental principles, including: the structure of a system determines its performance; all systems demonstrate variation; improvements rely on the collection and analysis of data that increase knowledge; PI requires the commitment and support of top administration; PI works best when leaders and employees know and share the organization's mission, vision, and values

Dr. Smith always orders the same 10 things when a new patient is admitted to the hospital in addition to some patient-specific orders. What would assist in assuring that the specific patient is not allergic to a drug being ordered?

Pharmacy information system When the pharmacy information system receives an order for a drug, it will aid the pharmacist in checking for contraindications, direct staff in compounding any drugs requiring special preparation, and aid in dispensing the drug in the appropriate dose and route of administration. Indication of an allergy would be considered a contraindication

Which item below is not recommended by the HHS and the OIG for minimum compliance with clinical documentation regulations?

Physicians should include vaccination records Progress, response, and changes to the patient's condition must be documented. All health records should be completely legible and accessible to patient and present diagnosis information. These are all required elements of the Medicare Conditions of Participation. Physician inclusion of vaccination records is not mandated

A risk manager is called in to evaluate a situation in which a visitor to the hospital slipped on spilled water, fell, and fractured his femur. This situation was referred to the risk manager because it involves a:

Potentially compensable event Risk management systems today are sophisticated programs that function to identify, reduce, or eliminate potentially compensable events (PCEs), thereby decreasing the financial liability of injuries or accidents to patients, staff, or visitors

The quality improvement organizations (QIOs) under contract with CMS conduct audits on high-risk and hospital-specific data from claims data in this report:

Program for Evaluation Payment Patterns Electronic Report QIOs are currently under contract with CMS to perform a Hospital Payment Monitoring Program. This program targets specific DRGs and discharges that have been identified as at high-risk for payment errors. The high-risk hospital specific data are identified in an electronic report called Program for Evaluating Payment Patterns Electronic Report (PEPPER)

Detailed query documentation can be used to:

Protect the hospital against claims from physicians about leading queries Healthcare organizations should keep detailed query data. There should be documented evidence of all queries the clinical documentation improvement (CDI) specialists ask, to whom they ask them, the clinical documentation or information supporting the query, and responses to queries. Detailed query documentation can also protect the hospital against claims from physicians about leading queries

The HIM Department has been receiving complaints about the turnaround time for release of information (ROI) requests. A PI team is created to investigate this issue. What data source would be appropriate to use to investigate this issue further?

ROI tracking system The supervisor is responsible for ensuring turnaround times are met. Turnaround time is the time between receipt of the request and when the request is sent to the requester. The ROI system tracks requests for the information

HHS has identified a healthcare facility guilty of fraud. HHS saw that the facility tried to comply but their efforts failed. What category does this fall into?

Reasonable diligence Reasonable diligence is when the healthcare provider has taken reasonable actions to comply with the legislative requirements

All of the following are measures used to track and assess clinical documentation improvement (CDI) programs except:

Record agreement rate Each of these percentages should be tracked within the first few months of program operation. The target percentage may need adjustment over time as the CDS staff members become more familiar with their responsibilities and physician documentation improves. These percentages are record review rate, physician query rate, and query agreement rate

The benefits of a coding compliance plan include the following:

Retention of high standard of coding There are a number of benefits of a coding compliance plan including retention of high standard of coding

The basic functions of healthcare risk management programs are similar for most organizations and should include which of the following?

Risk identification and analysis, loss prevention and reduction, and claims management The purpose of the risk management program is to link risk management functions to related processes of quality assessment and PI. The basic functions of healthcare risk management programs are similar for most organizations and include: risk identification and analysis, loss prevention and reduction, and claims management

The process that is followed to mitigate and fix issues that arise during a review of systems that contain PHI to reduce vulnerabilities is called:

Risk management One strategy in protecting the organization's data is to establish a risk management program. Risk management encompasses the identification, evaluation, and control of risks that are inherent in unexpected and inappropriate events

A patient requested a copy of a payment made by her insurance company for a surgery she had last month. The business office copied the remittance advice (RA) notice the organization received from the insurance company but failed to delete or remove the PHI for 10 other patients listed on the same RA. This is an example of:

Security breach A security breach of PHI has occurred in this scenario because the business office provided the patient with not only her information on the remittance advice, but also that of 10 other patients

The role of the HIM professional in medical identity theft protection programs includes all of the following except:

Send all issues related to medical identity theft to the in-house attorney Medical identity theft is distinguished from other types of identity theft because it creates negative consequences to both the victim's financial status and health information. The HIM professional should ensure safeguards are in place to protect PHI and provide resources to assist victims of medical identity theft. It is important to balance patient privacy protection with disclosure of medical identity theft to victims

Which of the following types of information include areas like genetics, adoption, and drug use that require special attention?

Sensitive information All health information must be protected; however, there is some information that requires special attention because it is considered sensitive health information such as genetic, adoptive, drug, alcohol, sexual health, and behavioral information. This type of information not only has strict rules and regulations, but also provides an ethical gray area when it comes to releasing and providing records

From an evidentiary standpoint, incident reports:

Should not be placed in a patient's health record Incident reports involving patient care are not created to treat the patient, but rather to provide a basis for investigating the incident. From an evidentiary standpoint, incident reports should not be placed in a patient's health record, nor should the record refer to an incident report

A hospital employee destroyed a health record so that its contents—which would be damaging to the employee—could not be used at trial. In legal terms, the employee's action constitutes:

Spoliation Spoliation is a legal concept applicable to both paper and electronic records. When evidence is destroyed that relates to a current or pending civil or criminal proceeding, it is reasonable to infer that the party had a consciousness of guilt or another motive to avoid the evidence

Which step of risk analysis identifies information assets that need protection?

System characterization The first step of risk analysis is system characterization. It focuses on what the organization possesses by identifying which information assets need protection. The assets may be identified either because they are critical to business operations (for example, the data itself, such as e-PHI) or because critical data is processed and stored on the system (such as hardware)

Which of the following can be used to discover current risk or focused areas of compliance?

The OIG workplan The OIG workplan should be reviewed each year. This document provides insight into the directions the OIG is taking, as well as highlights hot areas of compliance

When a staff member documents in the health record that an incident report was completed about a specific incident, in a legal proceeding how is the confidentiality of the incident report affected?

The incident report likely becomes discoverable because it is mentioned in a discoverable document. Hospitals strive to keep incident reports confidential, and in some states, incident reports are protected under statutes protecting quality improvement studies and activities. Incident reports themselves should not be considered a part of the health record. Because the staff member mentioned in the record that an incident report was completed, it will likely be discoverable as the health record is already a discoverable document

Each healthcare organization must identify and prioritize which processes and outcomes (in other words, which types of data) are important to monitor. This data collection should be based on the scope of care and services they provide and:

Their mission Each healthcare organization must identify and prioritize which processes and outcomes are important to monitor on the basis of its mission and the scope of care and services it provides

Why is it essential for members of the compliance team to be involved in the entire EHR implementation process?

To monitor cut and paste documentation Because of compliance concerns, such as cutting and pasting documentation in the EHR, it is essential to ensure that a member of the compliance team is involved in the entire EHR implementation process, as well as the part of the process involving clinical documentation practice

Our computer system just notified us that Mary Burchfield has just looked up another patient with the same last name. This notification is called a(n):

Trigger The security audit process should include triggers that identify the need for a closer inspection. These trigger events cannot be used as the sole basis of the review, but they can significantly reduce the number of reviews performed. An example of a trigger is when a user has the same last name as a patient

Medical identity theft includes which of the following:

Using another person's name to obtain durable medical equipment Medical identity theft is a crime that challenges healthcare organizations and the health information profession. A type of healthcare fraud that includes both financial fraud and identity theft, it involves either (a) the inappropriate or unauthorized misrepresentation of one's identity (for example, the use of one's name and Social Security number) to obtain medical services or goods, or (b) the falsifying of claims for medical services in an attempt to obtain money

Quality Improvement Organizations perform medical peer review of Medicare and Medicaid claims through a review of which of the following?

Validity of hospital diagnosis and procedure coding data completeness The responsibilities of the quality improvement organizations include reviewing health records to confirm the validity of hospital diagnosis and procedure coding data completeness

Mary's PHI has been breached. She must be informed of all of the following except:

Who committed the breach Individuals who are notified that their PHI has been breached must be given a description of what occurred (including date of breach and date that breach was discovered); the types of unsecured PHI that were involved (such as name, Social Security number, date of birth, home address, account number); steps that the individual may take to protect himself or herself; what the entity is doing to investigate, mitigate, and prevent future occurrences; and contact information for the individual to ask questions and receive updates

City Hospital submitted 175 claims where they unbundled laboratory charges. They were overpaid by $75 on each claim. What is the fine for City Hospital?

$39,375 Unbundling is the practice of using multiple codes to bill for the various individual steps in a single procedure rather than using a single code that includes all of the steps of the comprehensive procedure code. In this situation, the penalty is the overpayment of the $75 for all 175 claims overpaid as well as 3 times the total amount of the overpayment (175 × $75 = $13,125; then $13,125 × 3 = $39,375)

Which of the following situations is considered a breach of PHI?

A patient's attorney is sent records not authorized by that patient There are three exceptions to a breach. All of these answers fall into one of these categories with the exception of the records sent to the patient's attorney. He does not work for the covered entity and an authorization is required

Which of the following is the principal goal of internal auditing programs for billing and coding?

Protect providers from sanctions or fines Ongoing evaluation is critical to successful coding and billing for third-party payer reimbursement. In the past, the goal of internal audit programs was to increase revenues for the provider. Today, the goal is to protect providers from sanctions or fines. Healthcare organizations can implement monitoring programs by conducting regular, periodic audits

If a patient receives a ________ from a healthcare organization, it indicates that the patient's protected health information was involved in a data breach.

Receipt of Breach Notice If a patient receives a Receipt of Breach Notice from a healthcare organization it indicates that the patient's protected health information was involved in a data breach

The overutilization or inappropriate utilization of services and misuse of resources, typically not a criminal or intentional act, is called which of the following?

Waste Waste is the overutilization or inappropriate utilization of services and misuse of resources, and typically is not a criminal or intentional act. Waste includes practices like overprescribing and ordering tests inappropriately

How many identifiers must be removed for data to be considered deidentified under the Safe Harbor Method?

18 The safe harbor method of deidentification requires the removal of 18 specific identifiers from the protected health information

HIPAA requires a covered entity to establish policy to ensure that protected health information could not identify a specific individual. One method used to meet this deidentification standard is the expert determination model. The expert determination model requires these four steps: 1. Determine the statistical and scientific method to be used to determine the risk of reidentification. 2. Analyze and assess the risk to the deidentified data. 3. The expert applies the method to the deidentified data. 4. The facility should choose the expert for the deidentification analysis. What is the correct order in which these steps should be performed?

4, 1, 3, 2 The process for expert determination of de-identification has four recommended steps that include: Step 1: The facility should choose the expert for the deidentification analysis; Step 2: Determine the statistical and scientific method to be used to determine the risk of reidentification; Step 3: The expert applies the method to the deidentified data; and Step 4: Analyze and assess the risk to the deidentified data

Per the HITECH breach notification requirements, what is the threshold for the immediate notification of each individual?

500 individuals affected All individuals whose information has been breached must be notified without unreasonable delay, and not more than 60 days, by first-class mail or a faster method (such as telephone) if there is the potential for imminent misuse. If 500 or more individuals are affected, they must be individually notified immediately and media outlets must be used as a notification mechanism as well. The Secretary of HHS must specifically be notified of the breach

HIPAA requires that data security policies and procedures be maintained for a minimum of:

6 years from date of creation or the date when last in effect, whichever is later Covered entities must maintain their security policies and procedures in written form. This includes formats that may be electronic. Any actions, assessments, or activities of the HIPAA Security Rule also must be documented in a written format. Documentation must be retained for six years from the date of its creation or the date when it last was in effect, whichever is later

A group practice has hired an HIT as its chief compliance officer. The current compliance program includes written standards of conduct and policies, and procedures that address specific areas of potential fraud. It also has audits in place to monitor compliance. Which of the following should the compliance officer also ensure are in place?

A hotline to receive complaints and adoption of procedures to protect whistleblowers from retaliation The OIG has outlined seven elements as the minimum necessary for a comprehensive compliance program. One of the seven elements is the maintenance of a process, such as a hotline, to receive complaints and the adoption of procedures to protect the anonymity of complainants and to protect whistleblowers from retaliation

The goal of coding compliance programs is to prevent:

Accusations of fraud and abuse The government and other third-party payers are concerned about potential fraud and abuse in claims processing. Therefore, ensuring that bills and claims are accurate and correctly presented is an important focus of healthcare compliance

Per the Fair and Accurate Credit Transactions Act (FACTA), which of the following is not a red flag category?

An account held by a person who is over 80 years old The federal Fair and Accurate Credit Transactions Act (FACTA) requires financial institutions and creditors to develop and implement written identity theft programs that identify, detect, and respond to red flags that may signal the presence of identity theft. There are five categories of red flags that are used as triggers to alert the organization to a potential identity theft (16 CFR Part 681). The categories are: Alerts, notifications, or warnings from a consumer reporting agency; Suspicious documents; Suspicious personally identifying information such as a suspicious address; Unusual use of, or suspicious activity relating to, a covered account; Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with an account

Calling out patient names in a physician's office is:

An incidental disclosure Calling out patients' names in a physician office is an incidental disclosure because it occurs as part of office operations. It is permitted as long as the information disclosed is the minimum necessary

The coding staff should be updated at least ________ on compliance requirements.

Annually It is imperative that all staff be trained in compliance policies, procedures, and standards of conduct as it applies to their position in the organization. This training should occur, at a minimum, in their initial orientation training and on an annual basis

Community hospital is looking for ways to increase physician referrals. One board member suggested that they offer local physicians $100 for every patient referred to the hospital for care. If the hospital goes ahead with the board member's suggestion, what statute is the hospital violating?

Anti-Kickback Statute The Anti-Kickback Statute dictates that physicians cannot receive money or other benefits for referring patients to a healthcare facility. In this example, a hospital cannot give a physician $100 for every patient referred to the hospital for care

Which of the following is a good question for a supervisor of coding to ask when evaluating potential fraud or abuse risk areas in the coding area?

Are the assigned codes supported by the health record documentation? Codes are used to determine reimbursement, therefore code assignment is critical. Assigning the incorrect codes with the intent of receiving more money is fraudulent. The coding supervisor should regularly compare assigned codes to health record documentation to ensure compliance

The organization that you work for just concluded an investigation of a USB thumb drive that was lost and contained a file with the information of 765 patients on it, including name, address, telephone number, and Social Security number. As the privacy officer, you are required to manage the notification process for the data breach. All of the following would need to be notified of this data breach within 60 days of the discovery except:

Attending physicians of the patients All individuals whose information has been breached must be notified without unreasonable delay, and not more than 60 days, by first-class mail or a faster method such as by telephone if there is the potential for imminent misuse. If 500 or more individuals are affected they must be individually notified immediately and media outlets must be used as a notification mechanism as well. The Secretary of HHS must specifically be notified of the breach. The attending physicians of the patients do not need to be notified of the breach

Using data mining, an RAC makes a claim determination at the system-level without a human review of the health record. This type of review is called:

Automated review RACs conduct three types of audits: automated reviews, semi-automated reviews, and complex reviews. An automated review occurs when an RAC makes a claim determination at the system level without a human review of the health record, such as data mining. Errors found must be clearly non-covered services or incorrect applications of coding rules and must be supported by Medicare policy, approved article, or coding guidance

A visitor to the hospital looks at the screen of the admitting clerk's computer workstation when she leaves her desk to copy some admitting documents. What security mechanism would best have minimized this security breach?

Automatic logoff controls Provisions must also be made to protect workstations that are more exposed to the public. For example, locking devices can be used to prevent removal of computer equipment and other devices. Automatic logouts can be used to prevent access by unauthorized

Which of the following is an example of a common form of healthcare fraud and abuse?

Billing for services not furnished to patients Healthcare fraud is defined as an intentional representation that an individual knows to be false or does not believe to be true and makes, knowing that the representation could result in some unauthorized benefit to himself or herself or some other person. An example of fraud is billing for a service that was not furnished. The other three options are acceptable practices for healthcare organizations to use to effectively manage their revenue cycles

Which of the following is an investigational technique that facilitates the identification of the various factors that contribute to a problem?

Cause-and-effect diagram A cause-and-effect diagram is an investigational technique that facilitates the identification of the various factors that contribute to a problem

In developing an internal coding audit review program, which of the following would be risk areas that should be targeted for audit?

Chargemaster description and medical necessity An auditing process identifies risk areas such as chargemaster description, medical necessity, MS-DRG coding accuracy, variations in case mix, and the like. Admission diagnosis and complaints, clinical laboratory results, and radiology orders are not risk areas that should be targeted for audit. One of the elements of the auditing process is identification of risk areas. Selecting the types of cases to review is also important. Examples of various case selection possibilities include chargemaster description for accuracy

The National Patient Safety Goals (NPSGs) have effectively mandated all healthcare organizations to examine care processes that have a potential for error that can cause injury to patients. Which of the following processes are included in the NPSGs?

Check patient medicines, prevent infection, and identify patients correctly The National Patient Safety Goals (NPSGs) have effectively mandated all healthcare organizations examine care processes that have a potential for error and can cause injury to patients. The NPSGs include identifying patients correctly, improving staff communication, using medicines safely, preventing infection, checking patient medicines, preventing patients from falling, preventing bed sores, and identifying patient safety risks

Which of the following is part of qualitative analysis review?

Checking that only approved abbreviations are used Qualitative analysis is about the quality of the documentation including the use of approved abbreviations

In a typical acute-care setting, the Explanation of Benefits, Medicare Summary Notice, and Remittance Advice documents (provided by the payer) are monitored in which revenue cycle area?

Claims reconciliation and collections The last component of the revenue cycle is reconciliation and collections. The healthcare facility uses the EOB, MSN, and RA to reconcile accounts. These are monitored in the claims reconciliation and collections area of the revenue cycle

The national patient safety goals score organizations on areas that:

Commonly lead to patient injury The national patient safety goals outline for healthcare organizations the areas of organizational practice that most commonly lead to patient injury or other negative outcomes that can be prevented when staff utilize standardized procedures

Which of the following groups are included in the feedback loop between denials, management, and clinical documentation improvement (CDI) program staff?

Compliance The clinical documentation improvement (CDI) manager should coordinate a feedback loop with functional managers that involves reporting data from the department to CDI and then from CDI back to the department. The three areas for CDI best practices include operationalizing feedback loops with denials management, compliance, and HIM

The clinical documentation improvement (CDI) program must keep high-quality records of the query process for:

Compliance issues Every organization should apply the same criteria for high-quality clinical documentation to the recording of clinical documentation improvement (CDI) program activities (queries and case notes) as it does to the review of clinical documentation. Maintaining thorough query documentation is necessary for compliance purposes

What is the goal of the clinical documentation improvement (CDI) compliance review?

Compliant query generation and physician responses Clinical documentation improvement (CDI) should be part of the organizational compliance program. The goal of a CDI compliance review is to monitor compliant query generation and physician responses

Community Hospital has launched a clinical documentation improvement (CDI) initiative. Currently, clinical documentation does not always adequately reflect the severity of illness of the patient or support optimal HIM coding accuracy. Given this situation, which of the following would be the best action to validate that the new program is achieving its goals?

Conduct a retrospective review of all query opportunities for the year Facilities may design the CDI program based on several different models. Improvement work can be done with retrospective record review and queries, with concurrent record review and queries, or with concurrent coding. Staffing models may include the involvement of the CDS discussed previously or could be done by enhancing the role of the utilization review staff or case managers or a combination of these models. Retrospective review of all query opportunities for the year would help to validate the effectiveness of the new program

Sarah, a new graduate of a health information technology program, sits for the registered health information technician (RHIT) exam and fails. She does not want her employer to know she failed and tells her coworkers she passed the examination. Sarah then starts using the RHIT credential after her name in work correspondence. A coworker, Nancy, discovers that Sarah is using the RHIT credential fraudulently and notifies the supervisor, Joan. What is the responsibility of Nancy and Joan in this situation?

Contact AHIMA and report the abuse HIM professionals should be guided by the AHIMA Code of Ethics in making ethical decisions that relate to the HIM profession. In this situation, Joan and Nancy should contact AHIMA and report the abuse

A(n) ________ is imposed on providers by the OIG when fraud and abuse is discovered through an audit or self-disclosure.

Corporate Integrity Agreement A corporate integrity agreement (CIA) is essentially a compliance program imposed by the government, with substantial government oversight and outside expert involvement in the organization's compliance activities. The OIG negotiates CIAs with health care providers and other entities as part of the settlement of federal health care program investigations arising under a variety of civil false claims statutes. Providers or entities agree to the obligations, and in exchange, OIG agrees not to seek their exclusion from participation in Medicare, Medicaid, or other federal healthcare programs

