RHIT Domain 2


A secretary in the Nursing Office was recently hospitalized with ketoacidosis. She comes to the HIM department and requests to review her health record. Of the options here, what is the best course of action? a. Allow her to review her record after obtaining authorization from her. b. Refer the patient to her physician for the information. c. Tell her to go through her supervisor for the information. d. Tell her that hospital employees cannot access their own medical records.

a Review of records by the patient is permitted after the authorization for use and disclosure is verified

Which of the following statements about the directory of patients maintained by a covered entity is true? a. Individuals must be given an opportunity to restrict or deny permission to place information about them in the directory. b. Individuals must provide a written authorization before information about them can be placed in the directory. c. The directory may contain only identifying information such as the patient's name and birth date. d. The directory may contain private information as long as it is kept confidential.

a. A patient has the opportunity to agree or disagree with being placed in a patient directory. They must be given the opportunity to determine if they want to be placed in the directory or not, but it does not need to be in writing

Which of the following is not true about the Notice of Privacy Practices? a. It must include at least two examples of how information is used for both treatment and operations. b. It must include a description of the right to request restrictions on certain uses and disclosures. c. It must explain the patient's right to inspect and copy PHI. d. It must include a description of the patient's right to amend PHI.

a. AHIMA outlines the requirements for the content of the notice of privacy practices. One requirement is that a description (including at least one example) is to be given of the types of uses and disclosures the covered entity is permitted to make for treatment, payment, and healthcare operations

The legal health record (LHR) is a(n): a. Defined subset of all patient-specific data created or accumulated by a healthcare provider that may be released to third parties in response to a legally permissible request for patient information b. Entire set of information created or accumulated by a healthcare provider that may be released to third parties in response to a legally permissible request for patient information c. Set of patient-specific data created or accumulated by a healthcare provider that is defined to be legal by the local, state, or federal authorities d. Set of patient-specific data that is defined to be legal by state or federal statute and that is legally permissible to provide in response to requests for patient information

a. Defined subset of all patient-specific data created or accumulated by a healthcare provider that may be released to third parties in response to a legally permissible request for patient information

The record custodian typically can testify about which of the following when a party in a legal proceeding is attempting to admit a health record as evidence? a. Identification of the record as the one subpoenaed b. The care provided to the patient c. The qualifications of the treating physician d. Identification of the standard of care used to treat the patient

a. identification of the record as the one subpoenaed

With regard to training in PHI policies and procedures: a. Every member of the covered entity's workforce must be trained b. Only individuals employed by the covered entity must be trained c. Training only needs to occur when there are material changes to the policies and procedures d. Documentation of training is not required

a. Every member of the covered entity's workforce must be trained in PHI policies and procedures to maintain the privacy of patient information, uphold individual rights guaranteed by the Privacy Rule, and report alleged breaches and other Privacy Rule violations

When an individual requests a copy of the PHI or agrees to accept summary or explanatory information, the covered entity may: a. Impose a reasonable cost-based fee b. Not charge the individual c. Impose any fee authorized by state statute d. Charge only for the cost of the paper on which the information is printed

a. HIPAA allows a reasonable cost-based fee when the individual requests a copy of PHI or agrees to accept summary or explanatory information

Which of the following statements represents an example of nonmaleficence? a. HITs must ensure that patient-identifiable information is not released to unauthorized parties. b. HITs must apply rules fairly and consistently to every case. c. HITs must ensure that patient-identifiable information is released to the parties who need it to provide services to their patients. d. HITs must ensure that patients themselves, and not other parties, are authorizing access to the patients' individual health information.

a. HITs must ensure that patient-identifiable information is not released to unauthorized parties.

An electronic health record risk analysis is useful to: a. Identify security threats b. Identify which employees should have access to data c. Establish password controls d. Establish audit controls

a. Identifying security threats or risks

An audit log is an example of: a. Metadata b. Encryption c. Admissibility d. Data integrity

a. Metadata

The admissions director maintains that a notice of privacy practices must be provided to the patient on each admission. How should the HIM director respond? a. Notice of privacy practices is required on the first provision of service. b. Notice of privacy practices is required every time the patient is provided service. c. Notice of privacy practices is only required for inpatient admissions. d. Notice of privacy practices is required on the first inpatient admission but for every outpatient encounter.

a. Notice of privacy practices is required on the first provision of service

An individual designated as an inpatient coder may have access to an electronic health record to code the record. Under what access security mechanism is the coder allowed access to the system? a. Role based b. User based c. Context based d. Situation based

a. Role-based

Which of the following is true regarding the development of health record destruction policies? a. All applicable laws must be considered b. The organization must find a way not to destroy any health records c. Health records involved in pending or ongoing litigation may be destroyed d. Only state laws must be considered

a. These include applicable federal and state statutes and regulations; accreditation standards; pending or ongoing litigation; storage capabilities; and cost (Rinehart-Thompson 2016a, 208).

As the corporate director of HIM services and enterprise privacy officer, you are asked to review a patient's health record in preparation for a legal proceeding for a malpractice case. The lawsuit was brought by the patient 72 days after the procedure. Health information contains a summary of two procedures that were dictated 95 days after the procedure. The physician in question has a longstanding history of being lackadaisical with record completion practices. Previous concerns regarding this physician's record maintenance practices had been reported to the facility's Credentialing Committee. Is this information admissible in court? a. This information could be rejected because the physician dictated the procedure note after the malpractice suit was filed. b. This information will be admissible in court because it is part of the patient's health record. c. This information could be rejected because it is not relevant to the malpractice case. d. This information will be rejected because the patient did not authorize its release.

a. This information could be rejected because the physician dictated the procedure note after the malpractice suit was filed.

Within the context of electronic health records, protecting data privacy means defending or safeguarding: a. Access to information b. Data availability c. Health record quality d. System implementation

a. access to information

Which of the following is not an identifier under the Privacy Rule? a. Age 75 b. Vehicle license plate BZ LITYR c. Street address 265 Cherry Valley Road d. Visa account 2773 985 0468

a. age 75

Which of the following is an example of a business associate? a. Contract coder b. Environmental services department c. Hospital security officer d. Employee with access to e-PHI

a. contract coder

The HIPAA Security Awareness and Training administrative safeguard requires all of the following addressable implementation programs for an entity's workforce except: a. Disaster recovery plan b. Log-in monitoring c. Password management d. Security reminders

a. disaster recovery plan

Mary's PHI was breached by her physician office when it was disclosed in error to another patient. Which of the following breach notification statements is correct regarding the physician office's required action? a. It must report the breach to HHS within 60 days after the end of the calendar year in which the breach occurred b. It must report the breach to HHS within 60 days of the breach c. It must notify all local media outlets and HHS immediately d. It is not required to take any action since the breach affected only one person

a. it must be reported to HHS within 60 days after the end of the calendar year

Under the HIPAA Privacy rule, which of the following statements is true? a. An authorization must contain an expiration date or event. b. A consent for use and disclosure of information must be obtained from every patient. c. An authorization must be obtained for uses and disclosures for treatment, payment, and operations. d. A notice of privacy practices must give 10 examples of a use or disclosure for healthcare operations.

a. it must contain an expiration date or event that relates to the individual or the purpose of the use or disclosure

Which of the following would be considered a security vulnerability? a. Lack of laptop encryption b. Workforce employees c. Tornado d. Electrical outage

a. lack of encryption for the laptop

If a patient wants to amend his or her health record, the covered entity may require the individual to: a. Make an amendment request in writing and provide a rationale for the amendment. b. Ask the attending physician for his or her permission to amend their record. c. Require the patient to wait 30 days before their request will be considered and processed. d. Provide a court order requesting the amendment.

a. make an amendment request in writing and provide a rationale for their amendment request

A patient requests copies of her medical records in an electronic format. The hospital does not maintain all of the designated records in an electronic format. How should the hospital respond? a. Provide the records in paper format only b. Scan the paper documents so that all records can be sent electronically c. Provide the patient with both paper and electronic copies of the record d. Inform the patient that PHI cannot be sent electronically

a. provide the records in paper format only

Which of the following definitions best describes the concept of confidentiality? a. The expectation that personal information shared by an individual with a healthcare provider during the course of care will be used only for its intended purpose b. The protection of healthcare information from damage, loss, and unauthorized alteration c. The right of individuals to control access to their personal health information d. The expectation that only individuals with the appropriate authority will be allowed to access healthcare information

a. the expectation that the personal information shared by an individual with a healthcare provider during the course of care will be used only for its intended purpose

An audit trail may be used to detect which of the following? a. Unauthorized access to a system b. Loss of data c. Presence of a virus d. Successful completion of a backup

a. unauthorized access to a system

Which of the following individuals may authorize release of information? a. An 86-year-old patient with a diagnosis of advanced dementia b. A married 15-year-old father c. A 15-year-old minor d. The parents of an 18-year-old student

b. a married 15-year-old father

Which of the following ethical principles is being followed when a health information management professional ensures that patient information is only released to those who have a legal right to access it? a. Autonomy b. Beneficence c. Justice d. Nonmaleficence

b. Beneficence

Which of the following are policies and procedures required by HIPAA that address the management of computer resources and security? a. Access controls b. Administrative safeguards c. Audit safeguards d. Role-based controls

b. Administrative safeguards

To ensure relevancy, an organization's security policies and procedures should be reviewed at least: a. Once every six months b. Once a year c. Every two years d. Every five years

b. All data security policies and procedures should be reviewed and evaluated annually to make sure they are up-to-date and still relevant to the organization

What is the legal term used to define the protection of health information in a patient-provider relationship? a. Access b. Confidentiality c. Privacy d. Security

b. Confidentiality

The protection measures and tools for safeguarding information and information systems is a definition of: a. Confidentiality b. Data security c. Informational privacy d. Informational access control

b. Data security

A hospital is planning on allowing coding professionals to work at home. The hospital is in the process of identifying strategies to minimize the security risks associated with this practice. Which of the following would be best to ensure that data breaches are minimized when the home computer is unattended? a. User name and password b. Automatic session terminations c. Cable locks d. Encryption

b. In the HIPAA Security Rule, one of the technical safeguards standards is access control. This includes automatic log-off, which establishes processes that terminate an electronic session after a predetermined time of inactivity

Which of the following statements is true regarding HIPAA security? a. All institutions must implement the same security measures. b. Institutions are allowed flexibility in the way they implement HIPAA standards. c. All institutions must implement all HIPAA specifications. d. A security risk assessment must be performed every year.

b. Institutions are allowed flexibility in the way they implement HIPAA standards.

Jeremy Lykins was required to undergo a physical exam prior to becoming employed by San Fernando Hospital. Jeremy's medical information is: a. Protected by the Privacy Rule because it is individually identifiable b. Not protected by the Privacy Rule because it is part of a personnel record c. Protected by the Privacy Rule because it contains his physical exam results d. Protected by the Privacy Rule because it is in the custody of a covered entity

b. Not protected by the Privacy Rule because it is part of a personnel record

To comply with HIPAA regulations, a hospital would make its membership in an HIE known to its patients through which of the following? a. Press release b. Notice of Privacy Practices c. Consent form d. Website notice

b. Notice of Privacy Practices

Which of the following are security safeguards that protect equipment, media, and facilities? a. Administrative controls b. Physical safeguards c. Audit controls d. Role based safeguards

b. Physical safeguards

A hospital HIM department receives a subpoena duces tecum for records of a former patient. When the health record technician goes to retrieve the patient's health records, it is discovered that the records being subpoenaed have been purged in accordance with the state retention laws. In this situation, how should the HIM department respond to the subpoena? a. Inform defense and plaintiff lawyers that the records no longer exist b. Submit a certification of destruction in response to the subpoena c. Refuse the subpoena since no records exist d. Contact the clerk of the court and explain the situation

b. Submit a certification of destruction in response to the subpoena

Which of the following laws created the HITECH act? a. Health Insurance Portability and Accountability Act b. American Recovery and Reinvestment Act c. Consolidated Omnibus Budget Reconciliation Act d. Healthcare Quality Improvement Act

b. The American Recovery and Reinvestment Act of 2009

Which of the following provide the objective and scope for the HIPAA Security Rule as a whole? a. Administrative provisions b. General rules c. Physical safeguards d. Technical safeguards

b. The General Rules provide the objective and scope for the HIPAA Security Rule as a whole. They specify that covered entities must develop a security program that includes a range of security safeguards that protect individually identifiable health information maintained or transmitted in electronic form

The Medical Record Committee is reviewing the privacy policies for a large outpatient clinic. One of the members of the committee remarks that he feels that the clinic's practice of calling out a patient's full name in the waiting room is not in compliance with HIPAA regulations and that only the patient's first name should be used. Other committee members disagree with this assessment. What should the HIM director advise the committee? a. HIPAA does not allow a patient's name to be announced in a waiting room. b. There is no violation of HIPAA in announcing a patient's name, but the committee may want to consider implementing a change that might reduce this practice. c. HIPAA allows only the use of the patient's first name. d. HIPAA requires that patients be given numbers and only the number be announced.

b. There is no violation of HIPAA in announcing a patient's name, but the committee may want to consider implementing a change that might reduce this practice.

Jennifer's widowed mother is elderly and often confused. She has asked Jennifer to accompany her to the physician office visits because she often forgets to tell the physician vital information. Under the Privacy Rule, the release of her mother's PHI to Jennifer is: a. Never allowed b. Allowed when the information is directly relevant to Jennifer's involvement in her mother's care or treatment c. Allowed only if Jennifer's mother is declared incompetent by a court of law d. Any family member is always allowed access to PHI

b. allowed when the information is directly relevant to Jennifer's involvement in her mother's care or treatment

Under HIPAA rules, when an individual asks to see his or her own health information, a covered entity: a. Must always provide access b. Can deny access to psychotherapy notes c. Can demand that the individual pay to see his or her record d. Can always deny access

b. can deny access to psychotherapy notes

Which of the following is an organization's planned response to protect its information in the case of a natural disaster and is an administrative safeguard that includes policies and procedures for responding to emergencies or failures in systems that contain e-PHI? a. Administrative controls b. Contingency plan c. Audit trail d. Physical controls

b. contingency plan

What is the term used most often to describe the individual within an organization who is responsible for protecting health information in conjunction with the court system? a. Administrator of records b. Custodian of records c. Director of records d. Supervisor of records

b. custodian of records

Burning, shredding, pulping, and pulverizing are all acceptable methods in which process? a. Deidentification of electronic documents b. Destruction of paper-based health records c. Deidentification of records stored on microfilm d. Destruction of computer-based health records

b. destruction of paper-based health records

What does the term access control mean? a. Identifying the greatest security risks b. Identifying which data employees should have a right to use c. Implementing safeguards that protect physical media d. Restricting access to computer rooms and facilities

b. identify which employees should have access to what data

The three elements of a security program are ensuring data availability, protection, and: a. Suitability b. Integrity c. Flexibility d. Robustness

b. integrity

Which of the following statements is not true about a business associate agreement? a. It prohibits the business associate from using or disclosing PHI for any purpose other than that described in the contract with the covered entity. b. It allows the business associate to maintain PHI indefinitely. c. It prohibits the business associate from using or disclosing PHI in any way that would violate the HIPAA Privacy Rule. d. It requires the business associate to make available all of its books and records relating to PHI use and disclosure to the Department of Health and Human Services or its agents.

b. it allows the business associate to maintain PHI indefinitely

When served with a court order directing the release of health records, an individual: a. May ignore it b. Must comply with it c. Must request patient authorization before disclosing the records d. May determine whether or not to comply with it

b. it must be complied with

Mrs. Bolton is an angry patient who resents her physicians "bossing her around." She refuses to take a portion of the medications the nurses bring to her pursuant to physician orders and is verbally abusive to the patient care assistants. Of the following options, the most appropriate way to document Mrs. Bolton's behavior in the patient medical record is: a. Mean b. Noncompliant and hostile toward staff c. Belligerent and out of line d. A pain in the neck

b. noncompliant and hostile toward staff

Which of the following is a core ethical obligation of health information professionals? a. Coding diseases and operations b. Protecting patients' privacy and confidential communications c. Transcribing health reports d. Performing quantitative analysis on record content

b. protect patient privacy and confidential information and communication

Which of the following is true about health information retention? a. Retention depends only on accreditation requirements b. Retention periods differ among healthcare facilities c. The operational needs of a healthcare facility cannot be considered d. Retention periods are frequently shorter for health information about minors

b. retention periods differ among healthcare facilities

Who owns the health record? a. Patient b. Provider who generated the information c. Insurance company who paid for the care recorded in the record d. No one

b. the provider who generates the record

Community Hospital is discussing restricting the access that physicians have to electronic health records. The medical record committee is divided on how to approach this issue. Some committee members maintain that all information should be available, whereas others maintain that HIPAA restricts access. The HIM director is part of the committee. Which of the following should the director advise the committee? a. HIPAA restricts the access of physicians to all information. b. The "minimum necessary" concept does not apply to disclosures made for treatment purposes; therefore, physician access should not be restricted. c. The "minimum necessary" concept does not apply to disclosures made for treatment purposes, but the organization must define what physicians need as part of their treatment role. d. The "minimum necessary" concept applies only to attending physicians, and therefore, restriction of access must be implemented.

c. "minimum necessary" does not apply to disclosures made for treatment purposes.

To comply with HIPAA, under usual circumstances, a covered entity must act on a patient's request to review or copy his or her health information within ________ days. a. 10 b. 20 c. 30 d. 60

c. 30

Under HIPAA regulations, how many days does a covered entity have to respond to an individual's request for access to his or her PHI when the PHI is stored off-site? a. 10 days beyond the original requirement b. 30 days c. 60 days d. 90 days

c. 60 days

Community Hospital is planning implementation of various elements of the EHR in the next six months. Physicians have requested the ability to access the EHR from their offices and from home. What advice should the HIM director provide? a. HIPAA regulations do not allow this type of access. b. This access would be covered under the release of PHI for treatment purposes and poses no security or confidentiality threats. c. Access can be permitted providing that appropriate safeguards are put in place to protect against threats to security. d. Access can be permitted because the physicians are on the medical staff of the hospital and are covered by HIPAA as employees.

c. Access can be permitted providing that appropriate safeguards are put in place to protect against threats to security.

St. Joseph's Hospital has a psychiatric service on the sixth floor of the hospital. A 31-year-old male has come to the HIM department and requested to see a copy of his medical record. He indicated he was a patient of Dr. Schmidt, a psychiatrist, and that he was on the sixth floor of St. Joseph's for the last two months. These records are not psychotherapy notes. Of the options here, what is the best course of action? a. Prohibit the patient from accessing his record, as it contains psychiatric diagnoses that may greatly upset him. b. Allow the patient to access his record. c. Allow the patient to access his record if, after contacting his physician, his physician does not think it will be harmful to the patient. d. Deny access because HIPAA prevents patients from reviewing their psychiatric records.

c. Allow the patient to access his record if, after contacting his physician, his physician does not think it will be harmful to the patient.

Community Hospital is terminating its business associate relationship with a medical transcription company. The transcription company has no further need for any identifiable information that it may have obtained in the course of its business with the hospital. The CFO of the hospital believes that to be HIPAA compliant, all that is necessary is for the termination to be in a formal letter signed by the CEO. In this case, how should the director of HIM advise the CFO? a. Determine that a formal letter of termination meets HIPAA requirements and no further action is required. b. Confirm that a formal letter of termination meets HIPAA requirements and no further action is required except that the termination notice needs to be retained for seven years. c. Confirm that a formal letter of termination is required and that the transcription company must provide the hospital with a certification that all PHI that it had in its possession has been destroyed or returned. d. Inform the CFO that business associate agreements cannot be terminated.

c. Confirm that a formal letter of termination is required and that the transcription company must provide the hospital with a certification that all PHI that it had in its possession has been destroyed or returned.

What is the biggest threat to the security of healthcare data? a. Natural disasters b. Fires c. Employees d. Equipment malfunctions

c. Employees

The function used to provide access controls, authentication, and audit logging in an HIE is: a. Patient identification b. Record location service c. Identity management d. Consent management

c. Identity management

Which of the following is an example of data security? a. Contingency planning b. Fire protection c. Automatic logoff after inactivity d. Card key for access to data center

c. If a workstation is inactive for a period of time specified by the organization, it should log itself off automatically

Release of birth and death information to public health authorities: a. Is prohibited without patient consent b. Is prohibited without patient authorization c. Is a public interest and benefit disclosure that does not require patient authorization d. Requires both patient consent and authorization

c. Is a public interest and benefit disclosure that does not require patient authorization

Sally has requested an accounting of PHI disclosures from Community Hospital. Which of the following must be included in an accounting of disclosures to comply with this request? a. PHI related to treatment, payment, and operations b. PHI provided to meet national security or intelligence requirements c. PHI sent to a physician who has not treated Sally d. PHI released to Sally's attorney upon her request

c. PHI sent to a physician who has not treated Sally

Placing locks on computer room doors is considered what type of security control? a. Access control b. Workstation control c. Physical safeguard d. Security breach

c. Physical safeguards

Which of the following has access to personally identifiable data without authorization or subpoena? a. Insurance company for life insurance eligibility b. The patient's attorney c. Public health department for disease reporting purposes d. Workers' compensation for disability claim settlement

c. Public health department for disease reporting purposes

The release of information function requires the HIM professional to have knowledge of: a. Clinical coding principles b. Database development c. Federal and state confidentiality laws d. Human resource management

c. federal and state confidentiality laws

A health information technician receives a subpoena ad testificandum. To respond to the subpoena, which of the following should the technician do? a. Review the subpoena to determine what documents must be produced b. Review the subpoena and notify the hospital administrator c. Review the subpoena and appear at the time and place supplied to give testimony d. Review the subpoena and alert the hospital's risk management department

c. Review the subpoena and appear at the time and place supplied to give testimony

During user acceptance testing of a new EHR system, physicians are complaining that they have to use multiple log-on screens to access all the system modules. For example, they have to use one log-on for CPOE and another log-on to view laboratory results. One physician suggests having a single sign-on that would provide access to all the EHR system components. However, the hospital administrator thinks that one log-on would be a security issue. What information should the HIM director provide? a. Single sign-on is not supported by HIPAA security measures. b. Single sign-on is discouraged by the Joint Commission. c. Single sign-on is less frustrating for the end user and can provide better security. d. Single sign-on is not possible given today's technology.

c. Single sign-on is less frustrating for the end user and can provide better security.

What resource should be consulted in terms of who may authorize access, use, or disclose the health records of minors? a. HIPAA because it has strict rules regarding minors b. Hospital attorneys because they know the rules of the hospital c. State law because HIPAA defers to state laws on matters related to minors d. Federal law because HIPAA overrides state laws on matters related to minors

c. State law because HIPAA defers to state laws on matters related to minors

Central City Clinic has requested that Ghent Hospital send its hospital records for Susan Hall's most recent admission to the clinic for her follow-up appointment. Which of the following statements is true? a. The Privacy Rule requires that Susan Hall complete a written authorization. b. The hospital may send only the discharge summary, history and physical, and operative report. c. The Privacy Rule's minimum necessary requirement does not apply. d. This "public interest and benefit" disclosure does not require the patient's authorization.

c. There are certain circumstances where the minimum necessary requirement does not apply, such as to healthcare providers for treatment

Written business associate agreements are required with: a. Any company where work is outsourced b. Any outside company that handles electronic data c. Any outside company that handles electronic PHI d. Every outside company

c. any outside company that handles electronic PHI

Which of the following security controls are built into a computer software program? a. Physical safeguards b. Administration safeguards c. Application safeguards d. Media safeguards

c. application safeguards

The HIM supervisor suspects that a departmental employee is accessing the EHR for personal reasons, but has no specific data to support this suspicion. In this case, what should the supervisor do? a. Confront the employee. b. Send out a memorandum to all department employees reminding them of the hospital policy on Internet use. c. Ask the security officer for audit trail data to confirm or disprove the suspicion. d. Transfer the employee to another job that does not require computer usage.

c. Ask the security officer for audit trail data to confirm or disprove the suspicion

On review of the audit trail for an EHR system, the HIM director discovers that a departmental employee who has authorized access to patient records is printing far more records than the average user. In this case, what should the supervisor do? a. Reprimand the employee b. Fire the employee c. Determine what information was printed and why d. Revoke the employee's access privileges

c. determine what information was printed and why

Spoliation can be defined as which of the following? a. It is required after a legal hold is imposed b. It is the negligent destruction or changing of information c. It is destroying, changing, or hiding evidence intentionally d. It can only be performed on records that are involved in a court proceeding

c. it is destroying, changing, or hiding evidence intentionally

Which of the following is an example of a physical safeguard that should be provided for in a data security program? a. Using password protection b. Prohibiting the sharing of passwords c. Locking computer rooms d. Annual employee training

c. locking computer rooms

Which of the following is not true of Notices of Privacy Practices? a. Must be made available at the site where the individual is treated b. Must be posted in a prominent place c. Must contain content that may not be changed d. Must be prominently posted on the covered entity's website when the entity has one

c. must contain content that may not be changed

Which of the following is considered a two-factor authentication system? a. User ID with a password b. User ID with voice scan c. Password and swipe card d. Password and PIN

c. password and swipe card

A secure method of communication between the healthcare provider and the patient is a(n): a. Personal health record b. E-mail c. Patient portal d. Online health information

c. patient portal

A home health agency plans to implement a computer system whereby its nurses document home care services on a laptop computer taken to the patient's home. The laptops will connect to the agency's computer network. The agency is in the process of identifying strategies to minimize the risks associated with the practice. Which of the following would be the best practice to protect laptop and network data from a virus introduced from an external device? a. Biometrics b. Encryption c. Personal firewall software d. Session terminations

c. personal firewall software

The right of an individual to keep personal health information from being disclosed to anyone is a definition of: a. Confidentiality b. Integrity c. Privacy d. Security

c. privacy

The sister of a patient requests the HIM department to release copies of her brother's health record to her. She states that because the doctor documented her name as her brother's caregiver, HIPAA regulations apply and she may receive copies of her brother's health record. In this case, how should the HIM department proceed? a. Provide the copies as requested since the sister was a caregiver. b. Provide only copies of the reports where the sister's name is mentioned. c. Refuse the request. d. Refer the individual to legal counsel.

c. refuse the request

What type of health record policy dictates how long individual health records must remain available for authorized use? a. Disclosure policies b. Legal policies c. Retention policies d. Redisclosure policies

c. retention policies

Which of the following technologies would reduce the risk that information is not accessible during a server crash? a. RAID b. Storage area network c. Server redundancy d. Tape or disk backup

c. server redundancy

Which document directs an individual to bring originals or copies of records to court? a. Summons b. Subpoena c. Subpoena duces tecum d. Deposition

c. subpoena duces tecum

Under HIPAA, which of the following is not named as a covered entity? a. Attending physician b. Healthcare clearinghouse c. Health plan d. Outsourced transcription company

d. An outsourced transcription company and vendor would be business associates of a covered entity (CE)

Ted and Mary are the adoptive parents of Susan, a minor. What is the best way for them to obtain a copy of Susan's operative report? a. Wait until Susan is 18 b. Present an authorization signed by the court that granted the adoption c. Present an authorization signed by Susan's natural (birth) parents d. Present an authorization that at least one of them (Ted or Mary) has signed

d. Generally, only one parent signature is required to authorize the use or disclosure of the minor's PHI

Which of the following is not an automatic control that helps preserve data confidentiality and integrity in an electronic system? a. Edit checks b. Audit trails c. Password management d. Security awareness program

d. Security awareness program

The medical record of Kathy Smith, the plaintiff, has been subpoenaed for a deposition. The plaintiff's attorney wishes to use the records as evidence to prove his client's case. In this situation, although the record constitutes hearsay, it may be used as evidence based on the: a. Admissibility exception b. Discovery exception c. Direct evidence exception d. Business records exception

d. The Business Records Exception is the rule under which a record is determined not to be hearsay if it was made at or near the time by, or from information transmitted by, a person with knowledge

The "custodian of health records" refers to the individual within an organization who is responsible for all except which of the following actions? a. Authorized to certify records b. Supervising inspection and copying of record c. Testifying to the authenticity of records d. Testifying regarding the care of the patient

d. The custodian of the health record does not have the responsibility or expertise to testify regarding the care of the patient

The director of health information services is allowed access to the health record tracking system when providing the proper log-in and password. What is this access security mechanism called? a. Context based b. Role based c. Situation based d. User-based

d. User-based

The HIPAA Privacy Rule: a. Protects only medical information that is not already specifically protected by state law b. Supersedes all state laws that conflict with it c. Is federal common law d. Sets a minimum (floor) of privacy requirements

d. A minimum amount of protection (that is, a floor) was achieved uniformly across all the states through the establishment of a consistent set of standards that affected providers, healthcare clearinghouses, and health plans

An HIT using her password can access and change data in the hospital's master patient index. A billing clerk, using his password, cannot perform the same function. Limiting the class of information and functions that can be performed by these two employees is managed by: a. Network controls b. Audit trails c. Administrative controls d. Access controls

d. access controls

A subpoena duces tecum compels the recipient to: a. Serve on a jury b. Answer a complaint c. Testify at trial d. Bring records to a legal proceeding

d. bring documents and other records with himself or herself to a deposition or to court

When a patient revokes authorization for release of information after a healthcare facility has already released the information, the facility in this case: a. May be prosecuted for invasion of privacy b. Has become subject to civil action c. Has violated the security regulations of HIPAA d. Is protected by the Privacy Act

d. is protected by the Privacy Act

A special web page that offers secure access to data is a(n): a. Internet b. Home page c. Intranet d. Portal

d. A portal is a special application that provides secure remote access to specific applications

A patient requests a copy of his health records. When the request is received, the HIM clerk finds that the records are stored off-site. Which is the longest timeframe the hospital can take to remain in compliance with HIPAA regulations? a. Provide copies of the records within 15 days b. Provide copies of the records within 30 days c. Provide copies of the records within 45 days d. Provide copies of the records within 60 days

d. provide copies of the records within 60 days

The process of releasing health record documentation originally created by a different provider is called: a. Privileged communication b. Subpoena c. Jurisdiction d. Redisclosure

d. Redisclosure. Federal and state regulations provide specific redisclosure guidelines; however, when in doubt, follow the same principles as the release and disclosure guidelines for other types of health record information

A competent individual has the following rights concerning his or her healthcare: a. Right to consent to treatment and the right to destroy their original health record b. Right to destroy their original health record and the right to refuse treatment c. Right to access his or her own PHI and the right to take the original record with them d. Right to consent to treatment and the right to access his or her own PHI

d. right to consent to or refuse medical treatment and the right to access his or her own PHI

