100 Cards in this Set

  • Front
  • Back
As Chief Privacy Officer for Premier Medical Center, you are responsible for which of the following?

A. backing up data
B. developing a plan for reporting privacy complaints
C. writing policies on protecting hardware
D. writing policies on encryption standards
B. developing a plan for reporting privacy complaints
Which of the following situations violate a patient's privacy?

A. The hospital sends patients who are scheduled for deliveries information on free childbirth classes.
B. The physician on the quality improvement committee reviews medical records for potential quality problems.
C. The hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples.
D. The hospital uses aggregate data to determine whether or not to add a new operating room suite.
C. The hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples.

The release of childbirth class information is acceptable because it is related to the reason for admission. The mass mailing of samples violates the rule against giving out confidential information to outside agencies.
The patient has the right to control access to his or her health information. This is known as

A. security.
B. confidentiality.
C. privacy.
D. disclosure.
C. privacy.
Mary processed a request for information and mailed it out last week. Today, the requestor, an attorney, called and said that all of the requested information was not provided. Mary pulls the documentation, including the authorization and what was sent. She believes that she sent everything that was required based on what was requested. She confirms this with her supervisor. The requestor still believes that some extra documentation is required. Given the above information, which of the following statements is true?

A. Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule.
B. Mary is required to release the extra documentation because the requestor knows what is needed.
C. Mary is required to release the extra documentation because, in the customer service program for the facility, the customer is always right.
D. Mary is not required to release the additional information because her administrator agrees with her.
A. Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule.
Mountain Hospital has discovered a security breach. Someone hacked into the system and viewed 50 medical records. According to ARRA, what is the responsibility of the covered entity?

A. ARRA does not address this issue.
B. All individuals must be notified within 30 days.
C. All individuals must be notified within 60 days.
D. ARRA requires oral notification.
C. All individuals must be notified within 60 days.
Physical safeguards include
1. tools to monitor access
2. tools to control access to computer systems
3. fire protection
4. tools preventing unauthorized access to data

A. 1 and 2 only
B. 1 and 3 only
C. 2 and 3 only
D. 2 and 4 only
C. 2 and 3 only
You are reviewing your privacy and security policies, procedures, training program, and so on, and comparing them to the HIPAA and ARRA regulations. You are conducting a

A. policy assessment.
B. risk assessment.
C. compliance audit.
D. risk management.
B. risk assessment.
Which of the following can be released without consent or authorization?

A. summary of patient care
B. de-identified health information
C. personal health information
D. protected health information
B. de-identified health information
Kyle, the HIM Director, has received a request to amend a patient's medical record. The appropriate action for him to take is

A. make the modification because you have received the request.
B. file the request in the chart to document the disagreement with the information contained in the medical record.
C. route the request to the physician who wrote the note in question to determine appropriateness of the amendment.
D. return the notice to the patient because amendments are not allowed.
C. route the request to the physician who wrote the note in question to determine appropriateness of the amendment.

The person who recorded the documentation in question should be the one who authorizes the change. While the references may not explicitly state this, they do state that the form should have a place for the provider's signature and comments.
An employee in the admission department took the patient's name, Social Security number, and other information and used it to get a charge card in the patient's name. This is an example of

A. identity theft.
B. mitigation.
C. disclosure.
D. release of information.
A. identity theft.
A patient has submitted an authorization to release information to a physician office for continued care. The release of information clerk wants to limit the information provided because of the minimum necessary rule. What should the supervisor tell the clerk?

A. Good call.
B. The patient is an exception to the minimum necessary rule, so process the request as written.
C. The minimum necessary rule was eliminated with ARRA.
D. The minimum necessary rule only applies to attorneys.
B. The patient is an exception to the minimum necessary rule, so process the request as written.
Patricia is processing a request for medical records. The record contains an operative note and a discharge summary from another hospital. The records are going to another physician for patient care. What should Patricia do?

A. Notify the requestor that redisclosure is illegal and so he must get the operative and discharge summary records from the original source hospital.
B. Include the documents from the other hospital.
C. Redisclose when necessary for patient care.
D. Redisclose when allowed by law.
B. Include the documents from the other hospital.
Before a user is allowed to access protected health information, the system confirms that the patient is who he or she says they are. This is known as

A. access control.
B. notification.
C. authorization.
D. authentication.
D. authentication.
Contingency planning includes which of the following processes?

A. data quality
B. systems analysis
C. disaster planning
D. hiring practices
C. disaster planning
Which of the following disclosures would require patient authorization?

A. law enforcement activities
B. workers' compensation
C. release to patient's attorney
D. public health activities

C. release to patient's attorney

Your department was unable to provide a patient with a copy of his record within the 30-day limitation. What should you do?

A. Call the patient and apologize.
B. Call the patient and let him know that you will need a 30-day extension.
C. Write the patient and tell him that you will need a 30-day extension.
D. Both write and call the patient to tell him you need a 30-day extension.

C. Write the patient and tell him that you will need a 30-day extension.

I have been asked if I want to be in the directory. The admission clerk explains that if I am in the directory,

A. my friends and family can find out my room number.
B. my condition can be discussed with any caller in detail.
C. my condition can be released to the news media.
D. my condition can be released to hospital staff only.

A. my friends and family can find out my room number.

Which of the following techniques would a facility employ for access control?

1. automatic logoff
2. authentication
3. integrity controls
4. unique user identification

A. 1 and 4
B. 1 and 2 only
C. 2 and 4 only
D. 3 and 4 only

A. 1 and 4

Which of the following statements is true about the Privacy Act of 1974?

A. It applies to all organizations that maintain health care data in any form.
B. It applies to all health care organizations.
C. It applies to the federal government.
D. It applies to federal government except for the Veterans Health Administration.

C. It applies to the federal government.

Which of the following statements is true about a requested restriction?

A. ARRA mandates that a CE must comply with a requested restriction.
B. ARRA states that a CE does not have to agree to a requested restriction.
C. ARRA mandates that a CE must comply with a requested restriction unless it meets one of the exceptions.
D. ARRA does not address restrictions to PHI.

C. ARRA mandates that a CE must comply with a requested restriction unless it meets one of the exceptions.

Which of the following is an example of administrative safeguards under the security rule?

A. encryption
B. monitoring the computer access activity of the user
C. assigning unique identifiers
D. monitoring traffic on the network

B. monitoring the computer access activity of the user

Someone accessed the covered entity's electronic health record and sold the information that was accessed. This person is known as which of the following?

A. malware
B. a virus
C. a hacker
D. a cracker
D. a cracker
Intentional threats to security could include

A. a natural disaster (flood).
B. equipment failure (software failure).
C. human error (data entry error).
D. data theft (unauthorized downloading of files).
D. data theft (unauthorized downloading of files).
Which of the following would be a business associate?

A. release of information company
B. bulk food service provider
C. childbirth class instructor
D. security force

A. release of information company

Which of the following statements demonstrates a violation of protected health information?

A. “Can you help me find Mary Smith's record?”
B. A member of the physician's office staff calls centralized scheduling and says, “Dr. Smith wants to perform a bunionectomy on Mary Jones next Tuesday.”
C. “Mary, at work yesterday I saw that Susan had a hysterectomy.”
D. Dr. Jones tells a nurse on the floor to give Ms. Brown Demerol for her pain.

C. “Mary, at work yesterday I saw that Susan had a hysterectomy.”

Mark, a patient of Schnering Hospital, has asked for an electronic copy of his medical record to go to his physician. According to ARRA, what is the CE's obligation to Mark?

A. None, as this is prohibited by HIPAA.
B. None, as this is prohibited by ARRA.
C. Mark has a right to an electronic copy, but it has to go to him, not a third party.
D. Mark has a right to an electronic copy or to have it sent to someone else.

D. Mark has a right to an electronic copy or to have it sent to someone else.

Margot looked up PHI on her ex-sister-in-law. A routine audit discovered the violation. Which statement is true under ARRA?

A. Margot cannot be prosecuted since she is not a covered entity.
B. Margot cannot be prosecuted since she is not a covered entity or business associate.
C. Margot cannot be prosecuted since she did not sell the PHI.
D. Margot can be prosecuted.

D. Margot can be prosecuted.

You are defining the designated record set for South Beach Healthcare Center. Which of the following would be included?

A. quality reports
B. psychotherapy notes
C. discharge summary
D. information compiled for use in civil hearing

C. discharge summary

You have been asked to provide examples of technical security measures. Which of the following would you include in your list of examples?

A. locked doors
B. automatic logout
C. minimum necessary
D. training

B. automatic logout

Which security measure utilizes fingerprints or retina scans?

A. audit trail
B. biometrics
C. authentication
D. encryption

B. biometrics

Ms. Thomas was a patient at your facility. She has been told that there are some records that she cannot have access to. These records are most likely

A. psychotherapy notes.
B. alcohol and drug records.
C. AIDS records.
D. mental health assessment.

A. psychotherapy notes.

Your organization is sending confidential patient information across the Internet using technology that will transform the original data into unintelligible code that can be re-created by authorized users. This technique is called

A. a firewall.
B. validity processing.
C. a call-back process.
D. data encryption.

D. data encryption.

When patients are able to obtain a copy of their health record, this is an example of which of the following?

A. a required standard
B. an addressable requirement
C. a patient right
D. a preemption

C. a patient right

Which of the following should the record destruction program include?

A. the method of destruction
B. the name of the supervisor of the person destroying the records
C. citing the laws followed
D. requirement of daily destruction

A. the method of destruction

You are looking for potential problems and violations of the privacy rule. What is this security management process called?

A. risk management
B. risk assessment
C. risk aversion
D. business continuity planning

B. risk assessment

The administrator states that he should not have to participate in privacy and security training as he does not use PHI. How should you respond?

A. “All employees are required to participate in the training, including top administration.”
B. “I will record that in my files.”
C. “Did you read the privacy rules?”
D. “You are correct. There is no reason for you to participate in the training.”

A. “All employees are required to participate in the training, including top administration.”

The surgeon comes out to speak to a patient's family. He tells them that the patient came through the surgery fine. The mass was benign and they could see the patient in an hour. He talks low so that the other people in the waiting room will not hear but someone walked by and heard. This is called a(n)

A. privacy breach.
B. violation of policy.
C. incidental disclosure.
D. privacy incident.

C. incidental disclosure.

The HIPAA security rule does not require specific technologies to be used but rather provides direction on the outcome. The term used to describe this philosophy is

A. technology free.
B. technology neutral.
C. administrative rules.
D. generic technology.

B. technology neutral.

A mechanism to ensure that PHI has not been altered or destroyed inappropriately has been established. This process is called

A. entity authentication.
B. audit controls.
C. access control.
D. integrity.

D. integrity.

America LTD. has developed a PHR. According to ARRA, the health information that they store is

A. not protected.
B. protected.
C. mandated to be de-identified.
D. subject to security, but not privacy, requirements.

B. protected.

The hospital has received a request for an amendment. How long does the facility have in order to accept or deny the request?

A. 30 days
B. 60 days
C. 14 days
D. 10 days

B. 60 days

The request must be acted on within 60 days after receipt; however, the response may be extended once by 30 days, with a written statement with reason and response date.

You work for a 60-bed hospital in a rural community. You are conducting research on what you need to do to comply with HIPAA. You are afraid that you will have to implement all of the steps that your friend at a 900-bed teaching hospital is implementing at his facility. You continue reading and learn that you only have to implement what is prudent and reasonable for your facility. This is called

A. scalable.
B. risk assessment.
C. technology neutral.
D. access control.

A. scalable.

Barbara, a nurse, has been flagged for review because she logged in to the EHR in the evening when she usually works the day shift. Why should this conduct be reviewed?

A. This is a privacy violation.
B. This needs to be investigated before a decision is made because there may be a legitimate reason why she logged in at this time.
C. This is not a violation since Barbara, as a nurse, has full access to data in the EHR.
D. No action is required.

B. This needs to be investigated before a decision is made because there may be a legitimate reason why she logged in at this time.

Alisa has trouble remembering her password. She is trying to come up with a solution that will help her remember. Which one of the following would be the BEST practice?

A. using the word “password” for her password
B. using her daughter's name for her password
C. writing the complex password on the last page of her calendar
D. creating a password that utilizes a combination of letters and numbers

D. creating a password that utilizes a combination of letters and numbers

Which statement is true about when a family member can be provided with PHI?

A. The patient's mother can always receive PHI on their child.
B. The family member lives out of town and cannot come to the facility to check on the patient.
C. The family member is a health care professional.
D. The family member is directly involved in the patient's care.

D. The family member is directly involved in the patient's care.

HIPAA states that release to a coroner is allowed. State law says that the coroner must provide a subpoena. Which of the following is a correct statement?

A. Follow the HIPAA requirement since it is a federal law.
B. Follow the state law since it is stricter.
C. You can follow either the state law or the HIPAA rule.
D. You must request a ruling from a judge.

B. Follow the state law since it is stricter.

The computer system containing the electronic health record was located in a room that was flooded. As a result, the system is inoperable. Which of the following would be implemented?

A. SWOT analysis
B. information systems strategic planning
C. request for proposal
D. business continuity processes

D. business continuity processes

You have been given the responsibility of destroying the PHI contained in the system's old server before it is trashed. What destruction method do you recommend?

A. crushing
B. overwriting data
C. degaussing
D. incineration

C. degaussing

You are walking around the facility to identify any privacy and security issues. You walk onto the 6W nursing unit and from the desk where you are standing you are able to watch the nurse entering confidential patient information. How can you best improve the privacy of the patient's health information?

A. Ask the nurse to type the data on another computer.
B. Turn the computer screen so that the public cannot see it.
C. Give the nurse additional training.
D. None of the above.

B. Turn the computer screen so that the public cannot see it.

In conducting an environmental risk assessment, which of the following would be considered in the assessment?

A. placement of water pipes in the facility
B. verifying that virus checking software is in place
C. use of single sign-on technology
D. authentication

A. placement of water pipes in the facility

Which of the following documents is subject to the HIPAA security rule?

A. document faxed to the facility
B. copy of discharge summary
C. paper medical record
D. scanned operative report stored on CD
D. scanned operative report stored on CD
A hacker recently accessed our database. We are trying to determine how the hacker got through the firewall and exactly what was accessed. The process used to gather this evidence is called

A. forensics.
B. mitigation.
C. security event.
D. incident.
A. forensics.
As Chief Privacy Officer, you have been asked why you are conducting a risk assessment. Which reason would you give?

A. to get rid of problem staff
B. to change organizational culture
C. to prevent breach of confidentiality
D. none of the above
C. to prevent breach of confidentiality
Which of the following situations would require authorization before disclosing PHI?

A. releasing information to the Bureau of Disability Determination
B. health oversight activity
C. workers' compensation
D. public health activities
A. releasing information to the Bureau of Disability Determination
A covered entity

A. is exempt from the HIPAA privacy and security rules.
B. includes all health care providers.
C. includes health care providers who perform specified actions electronically.
D. must utilize business associates.
C. includes health care providers who perform specified actions electronically.
Which of the following is an example of a security incident?

A. Temporary employees were not given individual passwords.
B. An employee took home a laptop with unsecured PHI.
C. A handheld device was left unattended on the crash cart in the hall for 10 minutes.
D. A hacker accessed PHI from off site.
D. A hacker accessed PHI from off site.
Protected health information includes

A. only electronic individually identifiable health information.
B. only paper individually identifiable health information.
C. individually identifiable health information in any format stored by a health care provider.
D. individually identifiable health information in any format stored by a health care provider or business associate.
D. individually identifiable health information in any format stored by a health care provider or business associate.
The HIM director received an e-mail from the technology support services department about her e-mail being full and asking for her password. The director contacted tech support and it was confirmed that their department did not send this e-mail. This is an example of what type of malware?

A. phishing
B. spyware
C. denial of service
D. virus
A. phishing
You have been asked to create a presentation on intentional and unintentional threats. Which of the following should be included in the list of threats you cite?

A. hard drive failures
B. data deleted by accident
C. data loss due to electrical failures
D. a patient's Social Security number being used for credit card applications
D. a patient's Social Security number being used for credit card applications
The supervisors have decided to give nursing staff access to the EHR. They can add notes, view, and print. This is an example of what?

A. the termination process
B. an information system activity review
C. spoliation
D. a workforce clearance procedure
D. a workforce clearance procedure
The information systems department was performing the routine destruction of data that they do every year. Unfortunately, they accidentally deleted a record that is involved in a medical malpractice case. This unintentional destruction of evidence is called

A. mitigation.
B. spoliation.
C. forensics.
D. a security event.
B. spoliation.
Mark is an HIM employee who utilizes six different information systems as part of his job. Each of these has a different password. In order to keep up with the password for each system, Mark has written them all on paper and taped it to the back of his wife's picture on his desk. What technology could be used to eliminate this problem for Mark and other employees in the same situation?

A. role-based access
B. user-based access
C. SSO
D. DAC
C. SSO
Cindy, Tiffany, and LaShaundra are all nurses at Sandyshore Health Care. They all have access to the same functions in the information system. It is likely that this facility is using

A. user-based access.
B. role-based access.
C. DAC.
D. MAC.
B. role-based access.
You will be choosing the type of encryption to be used for the new EHR. What are your choices?

A. symmetric and conventional
B. asymmetric and public key
C. symmetric and asymmetric
D. public key and integrity
C. symmetric and asymmetric
You have been given some information that includes the patient's account number. Which statement is true?

A. This is de-identified information because the patient's name and Social Security number are not included in the data.
B. This is not de-identified information, because it is possible to identify the patient.
C. These data are individually identified data.
D. These data are a limited data set.
B. This is not de-identified information, because it is possible to identify the patient.
Which of the following is an example of a trigger that might be used to reduce auditing?

A. A patient has not signed their notice of privacy practices.
B. A patient and user have the same last name.
C. A nurse is caring for a patient and reviews the patient's record.
D. The patient is a Medicare patient.
B. A patient and user have the same last name.
Bob submitted his resignation from Coastal Hospital. His last day is today. He should no longer have access to the EHR and other systems as of 5:00 PM today. The removal of his privileges is known as

A. terminating access.
B. isolating access.
C. password management.
D. sanction policy.
A. terminating access.
The company's policy states that audit logs, access reports, and security incident reports should be reviewed daily. This review is known as

A. a data criticality analysis.
B. a workforce clearinghouse.
C. an information system activity review.
D. a risk analysis.
C. an information system activity review.
If an authorization is missing a Social Security number, can it be valid?

A. yes
B. no
C. only if the patient is a minor
D. only if the patient is an adult
A. yes
If the patient has agreed to be in the directory, which of the following statements would be true?

A. The patient has given up the right to privacy.
B. The patient's condition can be described in detail with family members but not others.
C. The patient's condition can be described in general terms like “good” and “fair.”
D. The number of visitors is limited to people on the approved visitor list.
C. The patient's condition can be described in general terms like “good” and “fair.”
Your system just crashed. Fortunately, you have established a site that holds computer processors but not data. This site can be converted to meet our needs quickly. This is a

A. hot site.
B. cold site.
C. redundant site.
D. backup site.
B. cold site.
The purpose of the notice of privacy practices is to

A. notify the patient of uses of PHI.
B. notify the patient of audits.
C. report incidents to the OIG.
D. notify researchers of allowable data use.
A. notify the patient of uses of PHI.
You have been asked what should be done with the notice of privacy practice acknowledgment when the patient had been discharged before it was signed. Your response is to

A. shred it.
B. try to get it signed, and if not, to document the action taken.
C. keep trying to get the document signed until you succeed, even if you must go to the patient's home.
D. File the blank form in the chart.
B. try to get it signed, and if not, to document the action taken.
Our Web site was attacked by malware that overloaded it. What type of malware was this?

A. phishing
B. virus
C. denial of service
D. spyware
C. denial of service
Mabel is a volunteer at a hospital. She works at the information desk. A visitor comes to the desk and says that he wants to know what room John Brown is in. What should Mabel do?

A. Look the patient up and give the room number to the visitor.
B. Look the patient up to see if John has agreed to be in the directory. If he has, then give the room number to the visitor.
C. Look the patient up to see if the patient signed a notice of privacy practice. If so, then give the visitor the room number.
D. Look the patient up in the system to determine if the patient has agreed to TPO usage and then give the room number to the visitor if he had.
B. Look the patient up to see if John has agreed to be in the directory. If he has, then give the room number to the visitor.
Which of the following is a true statement about symmetric encryption?

A. Symmetric encryption uses a private and public key.
B. Symmetric encryption is also known as secure socket layer.
C. Symmetric encryption assigns a public key to data.
D. Symmetric encryption assigns a secret key to data.
D. Symmetric encryption assigns a secret key to data.
The facility had a security breach. The breach was identified on October 10, 2013. The investigation was completed on October 15, 2013. What is the deadline that the notification must be completed?

A. 60 days from October 10
B. 60 days from October 15
C. 30 days from October 10
D. 30 days from October 15
A. 60 days from October 10
Miles has asked you to explain the rights he has via HIPAA privacy standards. Which of the following is one of his HIPAA-given rights?

A. He can review his bill.
B. He can ask to be contacted at an alternative site.
C. He can discuss financial arrangements with business office staff.
D. He can ask a patient advocate to sit in on all appointments at the facility.
B. He can ask to be contacted at an alternative site.
The following is a sentence from the notice of privacy practices: “The party of the first part vows to mitigate breaches should a security incident occur.” What problem do you identify?

A. None, because that is the responsibility of a covered entity.
B. None, because that is the responsibility of a business associate.
C. It is not the responsibility of a covered entity.
D. It is not written in plain English.
D. It is not written in plain English.

The Notice of Privacy must be written in plain English so that it can be understood.
HIPAA workforce security requires

A. a criminal background check.
B. a two-factor authentication.
C. that access to PHI be appropriate.
D. the use of card keys.
C. that access to PHI be appropriate.
To prevent our network from going down, we have duplicated much of our hardware and cables. This duplication is called

A. emergency mode plan.
B. redundancy.
C. contingency plan.
D. business continuity planning.
B. redundancy.
Richard has asked to view his medical record. How long does the facility have to provide this record to him?

A. 30 days
B. 60 days
C. 14 days
D. 10 days
A. 30 days
A patient authorizes Park Hospital to send a copy of a discharge summary for the latest hospitalization to Flowers Hospital. The hospital uses the discharge summary in the patient's care and files it in the medical record. When Flowers Hospital receives a request for records, a copy of Park Hospital's discharge summary is sent. This is an example of

A. a privacy violation.
B. redisclosure.
C. satisfactory assurance.
D. inappropriate release.
B. redisclosure.
You have to decide which type of firewall you want to use in your facility. Which of the following is one of your options?

A. packet filter
B. secure socket layer
C. CCOW
D. denial of service
B. secure socket layer
A data use agreement is required when

A. a complaint has been filed.
B. a limited data set is used.
C. a notice of disclosure is requested.
D. information is provided to a business associate.
B. a limited data set is used.
What type of digital signature uses encryption?

A. digitized signature
B. electronic signature
C. digital signature
D. encryption is not a part of digital signatures
C. digital signature
The police came to the HIM Department today and asked that a patient's right to an accounting of disclosure be suspended for two months. What is the proper response to this request?

A. “I'm sorry officer, but privacy regulations do not allow us to do this.”
B. “I'm sorry officer but we can only do this for one month.”
C. “Certainly officer. We will take care of that right now.”
D. “Certainly officer. We will be glad to do that as soon as we have the request in writing.”
D. “Certainly officer. We will be glad to do that as soon as we have the request in writing.”
Which of the following set(s) is an appropriate use of the emergency access procedure?

A. A patient is crashing. The attending physician is not in the hospital, so a physician who is available helps the patient.
B. One of the nurses is at lunch. The nurse covering for her needs patient information.
C. The coder who usually codes the emergency room charts is out sick and the charts are left on a desk in the ER admitting area.
D. A and B.
D. A and B.
Today is August 30, 2013. When can the training records for the HIPAA privacy training being conducted today be destroyed?

A. August 30, 2017
B. August 30, 2018
C. August 30, 2019
D. August 30, 2020
C. August 30, 2019
We have just identified that an employee looked up his own medical record. Which of the following actions should be taken?

A. Notify his or her supervisor because this is a minor incident and therefore not subject to the incident response procedure.
B. Follow the incident response procedure.
C. Terminate the employee on the spot.
D. Notify OCR.
B. Follow the incident response procedure.
Your facility just learned that one of its business associates is out of compliance with your contract and with the privacy rule. What should your response be according to ARRA?

A. Educate the business associate and conduct an audit in 30 days.
B. Educate the business associate. Request that the problem be corrected by the business associate within 60 days.
C. Request that the problem be corrected by the business associate within 60 days.
D. Request that the business associate correct the problem or stop doing business with the organization.
D. Request that the business associate correct the problem or stop doing business with the organization.
You have been assigned the responsibility of performing an audit to confirm that all of the workforce's access is appropriate for their role in the organization. This process is called

A. risk assessment.
B. information system activity review.
C. workforce clearance procedure.
D. information access management.
C. workforce clearance procedure.
A data use agreement allows the organization receiving the data to

A. use the non-PHI data any way they want.
B. use PHI data any way they want.
C. use data only within the bounds of the agreement.
D. conduct business for the organization.
C. use data only within the bounds of the agreement.
Which of the following is subject to the HIPAA security rule?

A. x-ray films stored in radiology
B. paper medical record
C. faxed records
D. clinical data repository
D. clinical data repository

The security rule only applies to e-PHI.
You work for an organization that publishes a health information management journal and provides clearinghouse services. What must you do?

A. Have the same security plan for the entire organization.
B. Separate the e-PHI from the noncovered entity portion of the organization.
C. Train the journal staff on HIPAA security awareness.
D. Follow the same rules in all parts of the organization.
B. Separate the e-PHI from the noncovered entity portion of the organization.
Robert Burchfield was recently caught accessing his wife's medical record. The system automatically notified the staff of a potential breach due to the same last name for the user and the patient. This was an example of a

A. trigger.
B. biometrics.
C. telephone callback procedures.
D. transmission security.
A. trigger.
Your facility just learned that some PHI was posted to the Internet in error. The PHI was online for 2 days before the problem was found. Unfortunately, there were people who visited the Web page during this time. Four hundred patients were impacted. Which of the following applies?

A. The media must be notified.
B. Patients as well as Health and Human Services must be notified.
C. Health and Human Services must be notified within 60 days.
D. The media and Health and Human Services must be notified.
B. Patients as well as Health and Human Services must be notified.
An organization that is a covered entity, that performs functions that are covered and noncovered by HIPAA, and that specifies the portion of the organization that will be subject to HIPAA is called a(n)

A. hybrid entity.
B. affiliated covered entity.
C. organized health care arrangement.
D. business associate.
A. hybrid entity.
The facility can release information to which of the following requesters without a patient authorization?

A. the public health department
B. the nurse caring for the patient
C. a court with a court order
D. a business associate
C. a court with a court order
Researchers can access patient information if it is

A. protected health information.
B. a limited data set.
C. patient specific.
D. related to identity theft.
B. a limited data set.