Domain 2 - Compliance with Use and Disclosures of PHI Flashcards

26% of exam

1
Q

Documentation including the date of action, method of action, description of the disposed record series of numbers or items, service date, a statement that the records were eliminated in the normal course of business, and the signatures of the individuals supervising and witnessing the process must be included in this:

A - Authorization
B - Certificate of destruction
C - Informed consent
D - Continuity of care record

A

B - Certificate of destruction

2
Q

When defining the legal health record in a healthcare entity, it is best practice to establish a policy statement of the legal health record as well as a:

A - Case-mix index
B - Master patient index
C - Health record matrix
D - Retention schedule

A

C - Health record matrix

3
Q

A subpoena duces tecum compels the recipient to:

A - Serve on a jury
B - Answer a complaint
C - Testify at a trial
D - Bring records to a legal proceeding

A

D - Bring records to a legal proceeding

4
Q

A researcher’s informed consent form stated that the patients’ information would be anonymous. Later, in the application form for Institutional Review Board (IRB) approval, the researcher described a coding system to track respondents and non-respondents. The IRB returned the application to the researcher with the stipulation that the informed consent must be changed. What raised the red flag?

A - The description of the use of a coding system to track respondents and non-respondents
B - The application form for the IRB approval
C - The researcher’s informed consent form
D - The description of the use of a coding system to track respondents

A

A - The description of the use of a coding system to track respondents and non-respondents

5
Q

Sally is the HIM director at Memorial Hospital and has been asked to compose a record retention policy for the hospital. What should be her first consideration in determining how long paper and electronic records must be retained?

A - The amount of space allocated for record filing and server set up
B - The number of paper records currently filed and the number of electronic files added on a daily basis
C - The most stringent law or regulation in the state, CMS, and accrediting body guidelines and standards
D - The cost of filing space and equipment

A

C - The most stringent law or regulation in the state, CMS, and accrediting body guidelines and standards

6
Q

Dr. Hansen saw a patient in his office with measles. He directed his office staff to call the local department of health to report this case of measles. The office manager called right away and completed the report as instructed. Which of the following provides the correct analysis of the actions taken by Dr. Hansen’s office?

A - Dr. Hansen’s office followed protocol and reported this case of measles correctly.
B - Dr. Hansen’s office did not need to report this case to the local health department
C - Dr. Hansen’s office should have mailed a letter to the local health department to report this case
D - Dr. Hansen’s office should have reported the case to the local hospital and not the health department

A

A - Dr. Hansen’s office followed protocol and reported this case of measles correctly.

7
Q

What is the implication regarding the confidentiality of incident reports in a legal proceeding when a staff member documents in the health record that an incident report was completed about a specific incident?

A - There is no impact
B - The person making the entry in the health record may not be called as a witness in trial
C - The incident report likely becomes discoverable because it is mentioned in a discoverable document
D - The incident report cannot be discovered even though it is mentioned in a discoverable document

A

C - The incident report likely becomes discoverable because it is mentioned in a discoverable document

8
Q

The legal health record for disclosure consists of:

A - Any and all protected health information data collected or used by a healthcare entity when delivering care
B - Only the protected health information collected by an attorney for a legal proceeding
C - The data, documents, reports, and information that comprise the formal business records of any healthcare entity that are to be utilized during legal proceedings
D - All of the data and information included in the HIPAA Designated Record Set

A

C - The data, documents, reports, and information that comprise the formal business records of any healthcare entity that are to be utilized during legal proceedings

9
Q

John is the privacy officer at General Hospital and conducts audit log checks as part of his job duties. What does an audit log check for?

A - Loss of data
B - Presence of a virus
C - Successful completion of a backup
D - Unauthorized access to a system

A

D - Unauthorized access to a system

10
Q

A professional basketball player from the local team was admitted to your facility for a procedure. During this patient’s hospital stay, access logs may need to be checked daily in order to determine:

A - Whether access by employees is appropriate
B - If the patient is satisfied with their stay
C - If it is necessary to order prescriptions for the patient
D - Whether the care to the patient meets quality standards

A

A - Whether access by employees is appropriate

11
Q

An outpatient laboratory routinely mails the results of health screening exams to its patients. The lab has received numerous complaints from patients who have received another patient’s health information. Even though multiple complaints have been received, no change in process has occurred because the error rate is low in comparison to the volume of mail that is processed daily for the lab. How should the Privacy Officer for this healthcare entity respond to the situation?

A - Determine why the lab results are being sent to incorrect patients and train the laboratory staff on the HIPAA Privacy Rule
B - Fire the responsible employees
C - Do nothing, as these types of errors occur in every healthcare entity
D - Retrain the entire hospital entity because these types of errors could result in a huge fine from the Office of Inspector General

A

A - Determine why the lab results are being sent to incorrect patients and train the laboratory staff on the HIPAA Privacy Rule

12
Q

Anywhere Hospital’s coding staff will be working remotely. The entity wants to ensure that they are complying with the HIPAA Security Rule. What type of network uses a private tunnel through the Internet as a transport medium that will allow the transmission of ePHI to occur between the coder and the facility securely?

A - Intranet
B - Local area network
C - Virtual private network
D - Wide area network

A

C - Virtual private network

13
Q

Mary Smith has gone to her doctor to discuss her current medical condition. What is the legal term that best describes the type of communication that has occurred between Mary and her physician?

A - Closed communication
B - Open communication
C - Private communication
D - Privileged communication

A

D - Privileged communication

14
Q

An individual designated as an inpatient coder may have access to an electronic medical record in order to code the record. Under what access security mechanism is the coder allowed access to the system?

A - Context-based
B - Role-based
C - Situation-based
D - User-based

A

B - Role-based

15
Q

A healthcare organization must have a firewall in place to protect their health information system. Which of the following statements about a firewall is false?

A - It is a system or combination of systems that supports an access control policy between two networks.
B - The most common place to find a firewall is between the healthcare entity’s internal network and the Internet.
C - Firewalls are effective for preventing all types of attacks on a healthcare system.
D - A firewall can limit internal users from accessing various portions of the Internet.

A

C - Firewalls are effective for preventing all types of attacks on a healthcare system.

16
Q

A dietary department donated its old microcomputer to a school. Some old patient data were still on the microcomputer. What controls would have minimized this security breach?

A - Access controls
B - Device and media controls
C - Facility access controls
D - Workstation controls

A

B - Device and media controls

17
Q

The Privacy Rule generally requires documentation related to its requirements to be retained:

A - 3 years
B - 5 years
C - 6 years
D - 10 years

A

C - 6 years

18
Q

Mrs. Davis is preparing to undergo hernia repair surgery at Deaconess Hospital. Select the best statement of the following options.

A - An employee from the hospital’s surgery department should obtain Mrs. Davis’ informed consent.
B - The surgeon should obtain Mrs. Davis’ informed consent.
C - It does not matter who obtains Mrs. Davis’ informed consent as long as it is documented in her medical record.
D - Informed consent is not necessary because this is not major surgery.

A

B - The surgeon should obtain Mrs. Davis’ informed consent.

19
Q

Which legal doctrine was established by the Darling v. Charleston Community Hospital case of 1965?

A - Hospital-physician negligence
B - Clinical negligence
C - Physician-patient negligence
D - Corporate negligence

A

D - Corporate negligence

20
Q

Which national database was created to collect information on the legal actions (both civil and criminal) taken against licensed healthcare providers?

A - Healthcare Insurance Data Bank
B - Medicare Protection Database
C - National Practitioner Data Bank
D - Healthcare Safety Database

A

D - Healthcare Safety Database

21
Q

Sally Mitchell was treated for kidney stones at Graham Hospital last year. She now wants to review her medical record in person. She has requested to review it by herself in a closed room.

A - Failure to accommodate her wishes will be a violation under the HIPAA Privacy Rule
B - Sally owns the information in her record, so she may be granted her request
C - Sally’s request does not have to be granted because the hospital is responsible for the integrity of the medical record
D - Patients should never be given access to their actual medical record

A

C - Sally’s request does not have to be granted because the hospital is responsible for the integrity of the medical record

22
Q

Conducting an inventory of the facility’s records, determining the format and location of record storage, assigning each record a time period for preservation, and destroying records that are no longer needed are all components of a:

A - Case-mix index
B - Master patient index
C - Health record matrix
D - Retention program

A

D - Retention program

23
Q

Linda Wallace is being admitted to the hospital. She is presented with a Notice of Privacy Practices. In the Notice, it is explained to her that her PHI will be used and disclosed for treatment, payment, and operations (TPO) purposes. Linda states that she does not want her PHI used for those purposes. Of the options listed here, what is the best course of action?

A - The hospital must honor her wishes and not use her PHI for TPO
B - The hospital may decline to treat Linda because of her refusal
C - The hospital is not required to honor her wishes in this situation, as the Notice of Privacy Practices is information only
D - The hospital is not required to honor her wishes for treatment purposes but must honor them for payment and operations purposes.

A

C - The hospital is not required to honor her wishes in this situation, as the Notice of Privacy Practices is information only

24
Q

When a patient collapses upon arrival at the entrance to an emergency department, what type of treatment authorization is in effect?

A - Emergency consent
B - Expressed consent
C - Informed consent
D - Implied consent

A

D - Implied consent

25
Q

Jack Mitchell, a patient in Ross Hospital, is being treated for gallstones. He has not opted out of the facility directory. Callers who request information about him may be given:

A - No information due to the highly sensitive nature of his illness.
B - Admission date and location in the facility.
C - General condition and acknowledgement of admission.
D - Location in the facility and diagnosis.

A

C - General condition and acknowledgement of admission.

26
Q

Training of staff on security practices at a healthcare organization is an example of this type of access safeguard, which is people-focused in nature:

A - Technical
B - Administrative
C - Physical
D - Addressable

A

B - Administrative

27
Q

The federal law that directed the Secretary of Health and Human Services (HHS) to develop healthcare standards governing electronic claims, national identifiers, the protection of privacy, and the assurance of the security of health information is the:

A - Medicare Act
B - Prospective Payment Act
C - Health Insurance Portability and Accountability Act
D - Social Security Act

A

C - Health Insurance Portability and Accountability Act

28
Q

Which of the following conditions would most likely fall into the category of notifiable diseases as defined by the National Notifiable Diseases Surveillance System?

A - Diabetes mellitus
B - Coronary artery disease
C - Fracture of major bones
D - HIV infection

A

D - HIV infection

29
Q

The “custodian of health records” refers to the individual within a healthcare entity who is responsible for which of the following actions?

A - Determining alternative treatment for the patient
B - Preparing physicians to testify
C - Testifying to the authenticity of records
D - Testifying regarding the care of the patient

A

C - Testifying to the authenticity of records

30
Q

Dr. Smith, a member of the medical staff, asks to see the medical records of his adult daughter who was hospitalized in your institution for a tonsillectomy at age 16. The daughter is now 25. Dr. Jones was the patient’s physician. Of the options listed here, what is the best course of action?

A - Allow Dr. Smith to see the records because he was the daughter’s guardian at the time of the tonsillectomy
B - Call the hospital administrator for authorization to release the record to Dr. Smith since he is on the medical staff
C - Inform Dr. Smith that he cannot see his daughter’s health record without her signed authorization allowing him to access the record
D - Refer Dr. Smith to Dr. Jones and release the record if Dr. Jones agrees

A

C - Inform Dr. Smith that he cannot see his daughter’s health record without her signed authorization allowing him to access the record

31
Q

St. Joseph’s Hospital has a psychiatric service on the sixth floor. A 31-year-old male came to the HIM department and requested to see a copy of his health record. He told the clerk he was a patient of Dr. Schmidt, a psychiatrist, and had been on the sixth floor of St. Joseph’s for the last two months. These records are not psychotherapy notes. The best course of action for you to take as the HIM director is:

A - Prohibit the patient from accessing his record as it contains psychiatric diagnoses that may greatly upset him.
B - Allow the patient to access his record.
C - Allow the patient to access his record if, after contacting his physician, his physician does not feel it would be harmful to the patient.
D - Deny access because HIPAA prevents patients from reviewing their psychiatric records.

A

C - Allow the patient to access his record if, after contacting his physician, his physician does not feel it would be harmful to the patient.

32
Q

You are a member of the hospital’s Health Information Management Committee. The committee has created a HIPAA-compliant authorization form. Which of the following items does the Privacy Rule require for the form?

A - Signature of the patient’s attending physician
B - Identification of the patient’s next of kin
C - Identification of the person or entity authorized to receive PHI
D - Patient’s insurance information

A

C - Identification of the person or entity authorized to receive PHI

33
Q

Which of the following would be considered an identifier under the Privacy Rule?

A - Gender
B - Vehicle license plate
C - Blood pressure reading
D - Temperature

A

B - Vehicle license plate

34
Q

A hospital’s health information department receives a subpoena duces tecum for records of a former patient. When the health record professional goes to retrieve the patient’s medical record, it is discovered that the records being subpoenaed have been purged in accordance with the state retention laws. In this situation, how should the HIM department respond to the subpoena?

A - Inform defense and plaintiff lawyers that the records no longer exist
B - Submit a certification of destruction in response to the subpoena
C - Refuse the subpoena since no records exist
D - Contact the clerk of the court and explain the situation

A

B - Submit a certification of destruction in response to the subpoena

35
Q

An HIM professional violates privacy protection under the HIPAA Privacy Rule when he or she releases ____ without specific authorization from the patient(s) or patient representative(s).

A - A list of newborns to the local newspaper for publication in the birth announcements section
B - Data about cancer patients to the state health department cancer surveillance program
C - Birth information to the county registrar
D - Information about patients with sexually transmitted infections to the county health department

A

A - A list of newborns to the local newspaper for publication in the birth announcements section

36
Q

What is the implication regarding the confidentiality of incident reports in a legal proceeding when a staff member documents in the health record that an incident report was completed about a specific incident?

A - There is no impact.
B - The person making entry in the health record may not be called as a witness in trial.
C - The incident report likely becomes discoverable because it is mentioned in the discoverable document.
D - The incident report cannot be discovered even though it is mentioned in a discoverable document.

A

C - The incident report likely becomes discoverable because it is mentioned in the discoverable document.

37
Q

A hospital receives a valid request from a patient for copies of her medical records. The HIM clerk who is preparing the records removes copies of the patient’s records from another hospital where the patient was previously treated. According to HIPAA regulations, was this action correct?

A - Yes, HIPAA only requires that current records be produced from the patient.
B - Yes, this is hospital policy over which HIPAA has no control.
C - No, the records from the previous hospital are considered to be included in the designated record set and should be given to the patient.
D - No, the records from the previous hospital are not included in the designated record set but should be released anyway.

A

C - No, the records from the previous hospital are considered to be included in the designated record set and should be given to the patient.

38
Q

The Kids’ Foundation, a foundation related to Children’s Hospital, is mailing fundraising information to the families of all patients who have been treated at Children’s in the past three years. Based on facts given:

A - Children’s Hospital violated the Privacy Rule by giving information to the foundation.
B - Children’s Hospital must have notified the patients or patients’ guardians of this disclosure in the Notice of Privacy Practices.
C - The Kids’ Foundation cannot solicit donations from patients’ families under any circumstances.
D - The Kids’ Foundation must request authorization from each patient or patient guardian to mail the fundraising information out to their families.

A

B - Children’s Hospital must have notified the patients or patients’ guardians of this disclosure in the Notice of Privacy Practices.

39
Q

For which of the following situations would an audit log be useful?

A - Holding an individual patient accountable for actions
B - Reconstructing electronic events
C - Defending the corporation against an IRS audit.
D - Stopping attacks from the intranet to the Internet

A

B - Reconstructing electronic events

40
Q

A patient has the right to request a(n) ____, which describes where the covered entity has disclosed patient information for the past six years outside of treatment, payment, and healthcare operations.

A - Disclosure list
B - Designated record set
C - Amendment of medical record
D - Accounting of disclosures

A

D - Accounting of disclosures

41
Q

A hospital employee destroyed a health record so that its contents–which would be damaging to the employee–could not be used at trial. In legal terms, the employee’s action constitutes:

A - Mutilation
B - Destruction
C - Spoliation
D - Spoilage

A

C - Spoliation

42
Q

A breach occurs when unsecured protected health information is accessed or released. The Secretary of HHS and local media must be notified if this threshold of patient records breached has been met or exceeded.

A - 1,000
B - 500
C - 100
D - 10,000

A

B - 500

43
Q

The Security rule leaves the methods of conducting the security risk analysis to the discretion of the healthcare entity. The first consideration for a healthcare facility should be:

A - Its own characteristics and environment
B - The potential threats and vulnerabilities
C - The level of risk
D - An assessment of current security measures

A

A - Its own characteristics and environment

44
Q

Addressable Security Rule implementation specifications:

A - Should be implemented unless a healthcare entity determines that the specification is not reasonable and appropriate and documents their reasoning
B - Are not optional; the healthcare entity must implement them as stated in the regulation
C - Are required if legal counsel determines this to be true and they do not conflict with state law
D - Are only required to be read by healthcare entities; they do not have to be implemented

A

A - Should be implemented unless a healthcare entity determines that the specification is not reasonable and appropriate and documents their reasoning

45
Q

Protected health information that is maintained in a designated record set can be accessed by the patient or other authorized party upon request. Covered entities must respond to requests within what timeframe after receipt of the request?

A - 15 days
B - 30 days
C - 60 days
D - 90 days

A

B - 30 days

46
Q

A data breach occurred in your organization, and after the investigation it was determined that a total of 785 individuals were impacted by the data breach. What must be completed within 60 days of learning about the data breach?

A - Update the notice of privacy practices and send to all patients
B - Report the incident to the individuals impacted, local media, and the Department of Health and Human Services
C - Conduct privacy training for members of the organization
D - Document a note mentioning the data breach in each of the patients’ charts and tell the local media

A

B - Report the incident to the individuals impacted, local media, and the Department of Health and Human Services

47
Q

The HIM director has been asked to secure the record of patient John Smith due to impending litigation in a legal hold. The concept of legal hold requires:

A - Special, tracked handling of patient records involved in litigation to ensure no changes can be made
B - Attorneys for healthcare entities to stop all activity with records involved in litigation
C - All records involved in litigation to be printed and held in a locked cabinet
D - To allow further documentation to occur in any record involved in litigation

A

A - Special, tracked handling of patient records involved in litigation to ensure no changes can be made

48
Q

The Breach Notification Rule requires covered entities to establish a process for investigating whether a breach has occurred and which of the following?

A - Establish a new position for a Privacy Officer
B - Notify affected individuals when a breach occurs
C - Establish a policy on minimum necessary
D - Notify the primary care physicians of all patients of the breach

A

B - Notify affected individuals when a breach occurs