Domain 2 Access, Disclosure, Privacy, And Security Flashcards
- A hospital HIM department wants to move five years of health records to a remote storage location. The records will be stored in boxes and will be filed on open shelves at the remote location. Which of the following should be done so that record location can be easily identified in the remote storage area?
A. Provide a unique identifier for each box and prepare a log of the records that is cross indexed by box identifier
B. Prepare a sequential list of all records sent to remote storage
C. Provide a unique box identifier and list the records by health record number on the outside of each box
D. File the records in terminal digit order in each box
A. Provide a unique identifier for each box and prepare a log of the records that is cross indexed by box identifier
38. A dietary department donated its old microcomputer to a school. Some old patient data were still on the computer. What controls would have minimized this security breach? A. Access controls B. Device and media controls C. Facility access controls D. Workstation controls
B. Device and media controls
- Which of the following would be part of the release of information system?
A. Letter asking for additional information on a patient previously treated at the hospital
B. Letter notifying the individual that the authorization was invalid
C. Letter notifying the physician that he has delinquent health records
D. Letter asking the physician to clarify primary diagnosis
B. Letter notifying the individual that the authorization was invalid
40. A coding compliance manager is reviewing a tool that identifies when a user logs in and out, what he or she does, and more. What is the manager reviewing? A. Audit trail B. Facility access control C. Forensics D. Security management plan
A. Audit trail
41. Which of the following should be considered first when establishing health record retention policies? A. State retention requirements B. Accreditation standards C. AHIMA’s retention guidelines D. Federal requirements
A. State retention requirements
42. A hospital is planning on allowing coding professionals to work at home. The hospital is in the process of identifying strategies to minimize the security risks associated with this practice. Which of the following would be best to ensure that data breaches are minimized when the home computer is unattended? A. User name and password B. Automatic session terminations C. Cable locks D. Encryption
B. Automatic session terminations
43. The three elements of a security program are ensuring data availability, protection and: A. Suitability B. Integrity C. Flexibility D. Robustness
B. Integrity
- Community hospital is planning implementation of various elements of the EHR in the next six months. Physicians have requested the ability to access the EHR from their offices and from home. What advice should the HIM director provide?
A. HIPAA regulations do not allow this type of access
B. This access would be covered under the release of PHI for treatment purposes and poses no security or confidentiality threats.
C. Access can be permitted providing that appropriate safeguards are put in place to protect against threats to security
D. Access can be permitted because the physicians are on the medical staff of the hospital and are covered by HIPAA as employees
C. Access can be permitted providing that appropriate safeguards are put in place to protect against threats to security
45. What is the term used most often to describe the individual within an organization who is responsible for protecting health information in conjunction with the court system? A. Administrator of records B. Custodian of records C. Director of records D. Supervisor of records
B. Custodian of records
- A hospital HIM department receives a subpoena duces tecum for records of a former patient. When the health record technician goes to retrieve the patient’s records, it is discovered that the records being subpoenaed have been purged in accordance with the state retention laws. In this situation, how should the HIM department respond to the subpoena?
A. Inform defense and plaintiff lawyers that the records no longer exist
B. Submit a certification of destruction in response to the subpoena
C. Refuse the subpoena since no records exist
D. Contact the clerk of the court and explain the situation
B. Submit a certification of destruction in response to the subpoena
47. A home health agency plans to implement a computer system whereby its nurses document home care services on a laptop computer taken to the patient’s home. The laptops will connect to the agency’s computer network. The agency is in the process of identifying strategies to minimize the risks associated with the practice. Which of the following would be the best practice to protect laptop and network data from a virus introduced from an external device? A. Biometrics B. Encryption C. Personal firewall software D. Session terminations
C. Personal firewall software
48. A subpoena duces tecum compels the recipient to: A. Serve on a jury B. Answer a complaint C. Testify at trial D. Bring records to a legal proceeding
D. Bring records to a legal proceeding
- Which of the following is a core ethical obligation of health information professionals?
A. Coding diseases and operations
B. Protecting patients’ privacy and confidential communications
C. Transcribing health reports
D. Performing quantitative analysis on record content
B. Protecting patients’ privacy and confidential communications
50. Which of the following ethical principles is being followed when a health information management professional ensures that patient information is only released to those who have a legal right to access it? A. Autonomy B. Beneficence C. Justice D. Nonmaleficence
B. Beneficence
51. An individual’s right to control access to his or her personal information is known as: A. Security B. Confidentiality C. Privacy D. Access control
C. Privacy
- Community hospital wants to provide transcription services for office notes of the private patients of physicians. All of these physicians have medical staff privileges at the hospital. This will provide an essential service to the physicians as well as provide additional revenue for the hospital. In preparing to launch this service, the HIM director is asked whether a business associate agreement is necessary. Which of the following should the hospital HIM director advise in order to comply with HIPAA regulations?
A. Each physician practice should obtain a business associate agreement with the hospital
B. The hospital should obtain a business associate agreement with each physician practice.
C. Because the physicians all have medical staff privileges, no business associate agreement is necessary
D. Because the physicians are part of an organized health care arrangement with the hospital, no business associate agreement is necessary.
A. Each physician practice should obtain a business associate agreement with the hospital
53. Removing health records of patients who have not been treated at the facility for a specific period of time from the storage area is called: A. Purging records B. Assembling records C. Logging records D. Cycling records
A. Purging records
54. Which of the following refers to guarding against improper information modification or destruction? A. Confidentiality B. Integrity C. Privacy D. Security
B. Integrity
- Spoliation can be defined as which of the following?
A. It is required after a legal hold is imposed
B. It is the negligent destruction or changing of information
C. It is destroying, changing, or hiding evidence intentionally
D. It can only be performed on records that are involved in a court proceeding
C. It is destroying, changing, or hiding evidence intentionally
56. Which of the following would be considered a security vulnerability? A. Lack of laptop encryption B. Workforce employees C. Tornado D. Electrical outage
A. Lack of laptop encryption
- When an individual requests a copy of the PHI or agrees to accept summary or explanatory information, the covered entity may:
A. Impose a reasonable cost-based fee
B. Not charge the individual
C. Impose any fee authorized by state statute
D. Charge only for the cost of the paper on which the information is printed
A. Impose a reasonable cost-based fee
- Release of birth and death information to public health authorities:
A. Is prohibited without patient consent
B. Is prohibited without patient authorization
C. Is public interest and benefit disclosure that does not require patient authorization
D. Requires both patient consent and authorization
C. Is public interest and benefit disclosure that does not require patient authorization
- Which of the following is a characteristic of breach notification?
A. It is only required when 500 or more individuals are affected
B. It applies to both secured and unsecured PHI
C. It applies when one person’s PHI is breached
D. It only applies when 20 or more individuals are affected
C. It applies when one person’s PHI is breached
- With regard to training in PHI policies and procedures:
A. Every member of the covered entity’s workforce must be trained
B. Only individuals employed by the covered entity must be trained
C. Training only needs to occur when there are material changes to the policies and procedures
D. Documentation of training is not required
A. Every member of the covered entity’s workforce must be trained