Module 10 Test 1: Health Information Privacy and Security (RHIA version) Flashcards

1
Q

The patient has the right to agree or object to disclosure of protected health information when

disclosing information to a family member who is directly involved in the patient’s care.

disclosing information to patient’s or covered entities’ minister.

disclosing information to patient’s attorney.

disclosing information to a family member who is not directly involved in the care.

A

disclosing information to a family member who is directly involved in the patient’s care

2
Q

You are a nurse who works on 3West during the day shift. One day, you had to work the night shift because they were shorthanded. However, you were unable to access the EHR. Identify the type of access control being used.

user-based

either user- or role-based

context-based

role-based

A

context-based

3
Q

The breach was identified on October 10, 20XX. The investigation was completed on October 15, 20XX. The patient must be notified within

60 days from October 15.

30 days from October 15.

60 days from October 10.

30 days from October 10.

A

60 days from October 10.

4
Q

A record destruction program should include

the method of destruction.

requirement of daily destruction.

the name of the supervisor of the person destroying the records.

citing the laws followed.

A

the method of destruction.

5
Q

Before we can go any further with our risk analysis, we need to determine what systems/information need to be protected. This step is known as

control analysis.

system characterization.

vulnerability.

risk determination.

A

system characterization.

6
Q

The admissions clerk asks why he has to check the patient’s driver’s license to ensure that this is the correct patient. Educate the admissions clerk.

This meets the HIPAA requirement of access control.

This meets the HIPAA requirement of authorization.

This meets the HIPAA requirement of authentication.

This meets the HIPAA requirement of verification.

A

This meets the HIPAA requirement of verification.

7
Q

You are defining the designated record set for South Beach Healthcare Center. Identify the information that will be included in the designated record set.

information compiled for use in civil hearing

psychotherapy notes

discharge summary

quality reports

A

discharge summary

8
Q

Regulation controlling the use of information blocking refers to

electronic health information.

electronic financial information.

third-party claim forms.

paper patient records.

A

electronic health information.

9
Q

IoMT includes

malicious software.

ransomware.

firewall.

wearable devices.

A

wearable devices.

10
Q

According to the HIPAA privacy rule, protected health information includes

only electronic individually identifiable health information.

individually identifiable health information in any format stored by a health care provider or business associate.

non-individually identifiable health information in any format stored by a health care provider.

only paper individually identifiable health information.

A

individually identifiable health information in any format stored by a health care provider or business associate.

11
Q

The administrator states that he should not have to participate in privacy and security training as he does not use PHI. Determine the appropriate response.

“Did you read the privacy rules?”

“All employees are required to participate in the training, including top administration.”

“I will record that in my files so that we will not bother you again on this issue.”

“You are correct. There is no reason for you to participate in the training.”

A

“All employees are required to participate in the training, including top administration.”

12
Q

The Covered Entity hired a company to test the information system’s security. This is known as

penetration testing.

data loss prevention.

intrusion detection systems.

intrusion prevention systems.

A

penetration testing.

13
Q

Identify the type of health records that the patient cannot have access to.

A mental health assessment

Psychotherapy notes

Alcohol and drug records

AIDS records

A

Psychotherapy notes

14
Q

Identify the true statement regarding healthcare provider’s use of mobile devices.

A specific procedure must be followed for reporting and addressing a lost device.

ePHI should always be stored on mobile devices.

Mobile devices are exempt from encryption.

Devices should only be owned by the covered entity.

A

A specific procedure must be followed for reporting and addressing a lost device.

15
Q

The data center containing the computer upon which the electronic health record is located was flooded. As a result, the EHR is inoperable. Identify the type of security that failed.

administrative

network

physical

transmission

A

physical

16
Q

HIPAA Privacy Rule provides patients with the ability to request an amendment to their health record, to access their health record and other

required standards.

patient rights.

preemptions.

addressable requirements.

A

patient rights.

17
Q

You have been given the responsibility of destroying the PHI contained in the information system’s old server before it is trashed. Recommend an appropriate destruction method.

crushing

degaussing

incineration

overwriting data

A

degaussing

18
Q

The Fair and Accurate Credit Transactions Act works to reduce

privacy breaches.

identity theft.

the number of invalid authorizations.

security breaches.

A

identity theft.

19
Q

Differentiate between identity matching and identity management.

Identity matching is identifying who has chosen to participate in an HIE. Identity management is identifying the correct person in the MPI.

Identity management is proving that the user is who they say they are. Identity matching is identifying the correct person in the MPI.

Identity matching is proving that the patient is who they say they are. Identity matching is identifying who has chosen to participate in an HIE.

Identity matching is proving that the patient is who they say they are. Identity management is identifying the correct person in the MPI.

A

Identity management is proving that the user is who they say they are. Identity matching is identifying the correct person in the MPI.

20
Q

You have been asked if digital signatures utilize encryption. Your response should be

No, but electronic signatures utilize encryption.

No, encryption is not a part of digital signatures.

Yes, digital signature utilizes encryption.

No, but digitized signatures utilize encryption.

A

Yes, digital signature utilizes encryption.

21
Q

Identify the process of identifying potential privacy violations.

risk assessment

risk aversion

risk management

business continuity planning

A

risk assessment

22
Q

Identify the true statement regarding information blocking.

Patients are required to follow the information blocking regulations.

There are exceptions to the information blocking rules.

There are no exceptions to the information blocking rule.

Information blocking applies only to healthcare organizations.

A

There are exceptions to the information blocking rules.

23
Q

Identify the business associate.

bulk food service provider

security guards

release of information company

childbirth class instructor

A

release of information company

24
Q

John is a 45-year-old male who is mentally disabled. Identify who can authorize release of his health record.

John

legal guardian

executor of his will

John’s sister

A

legal guardian

25
Q

The information system has just notified you that someone has attempted to access the information system inappropriately. This process is known as

intrusion detection.

cryptography.

integrity.

intrusion protocol.

A

intrusion detection.

26
Q

It has been decided that the coders will have access to all e-PHI in the EHR but they will not be able to add or edit data. This process is known as

information system activity review.

incidental disclosure.

workforce clearance procedure.

limited data set.

A

workforce clearance procedure.

27
Q

When logging into an information system, you are instructed to enter a string of characters. These characters appear distorted onscreen, however. Identify this type of access control.

two-factor authentication

CAPTCHA

token

biometrics

A

CAPTCHA

28
Q

Identify the true statement regarding mobile device security.

Users of mobile devices should sign an acknowledgment of the rules related to them.

Data should be stored on the mobile device.

Mobile devices should not utilize encryption unless required by state law.

Mobile devices are the only devices that should be used by a CE.

A

Users of mobile devices should sign an acknowledgment of the rules related to them.

29
Q

The police came to the HIM department today and asked that a patient’s right to an accounting of disclosure be suspended for two months. Identify the proper response.

“I’m sorry, Officer, but we can only do this for one month.”

“Certainly, Officer. We will take care of that right now.”

“Certainly, Officer. We will be glad to do that as soon as we have the request in writing.”

“I’m sorry, Officer, but privacy regulations do not allow us to do this.”

A

“Certainly, Officer. We will be glad to do that as soon as we have the request in writing.”

30
Q

The expert determination method is a method of

de-identification.

disclosure.

criticality assessment.

emergency mode operation plan.

A

de-identification.

31
Q

The process for ensuring that the user is who they say they are is known as

person authentication.

intrusion prevention.

account lockout.

safeguard.

A

person authentication

32
Q

Identify the purpose of the notice of privacy practices.

report incidents to the OIG.

notify the patient of uses of PHI.

notify researchers of allowable data use.

notify the patient of audits.

A

notify the patient of uses of PHI

33
Q

The information systems department was performing their routine destruction of data. Unfortunately, they accidentally deleted a health record that is involved in a medical malpractice case. This unintentional destruction of evidence is called

a security event.

spoliation.

forensics.

mitigation.

A

spoliation.

34
Q

A patient was denied access to their PHI. They asked for an appeal of the decision and were allowed the appeal. Identify why the patient might have been denied.

Patient is an inmate and release may cause safety concern.

The CE is exempt from CLIA.

Another person may be harmed by the release.

Patient is part of research and has agreed to a temporary suspension of his rights.

A

Another person may be harmed by the release

35
Q

A hacker recently accessed our database. We are trying to determine how the hacker got through the firewall and exactly what was accessed. The process used to gather this evidence is called

a security event.

security.

mitigation.

forensics.

A

forensics.

36
Q

Identify an example of a HIPAA patient right.

The patient can ask a patient advocate to sit in on all appointments at the healthcare organization

The patient can discuss financial arrangements with business office staff.

The patient can ask to be contacted at an alternative site.

The patient can review his bill.

A

The patient can ask to be contacted at an alternative site.

37
Q

The surgeon comes out to speak to a patient’s family. She tells them that the patient came through the surgery fine. The mass was benign and they could see the patient in an hour. She talks low so that the other people in the waiting room will not hear, but someone walked by and heard. This is called a(n)

violation of policy.

privacy breach.

incidental disclosure.

privacy incident.

A

incidental disclosure.

38
Q

The covered entity is conducting an audit to ensure that they are meeting privacy and security standards. They must be conducting a(n)

process audit.

product audit.

external audit.

system audit.

A

process audit

39
Q

Identify the inappropriate use of PHI.

“Mary, at work yesterday I saw that Susan had a hysterectomy.”

“Can you help me find Mary Smith’s health record?”

Dr. Jones tells a nurse on the floor to give Ms. Brown Demerol for her pain.

A member of the physician’s office staff calls centralized scheduling and says, “Dr. Smith wants to perform a bunionectomy on Mary Jones next Tuesday.”

A

“Mary, at work yesterday I saw that Susan had a hysterectomy.”

40
Q

Identify the exception to the information blocking rule.

A substantial fee is required prior to release of the requested information.

Protecting patient’s privacy.

Providing readily available information.

There is not an exception to the rule.

A

Protecting patient’s privacy.

41
Q

The patient has requested an amendment to her health record. The covered entity, after review with the physician, has decided to deny the request. According to HIPAA, the patient must be notified within

60 days.

30 days.

45 days.

90 days.

A

60 days

42
Q

Identify a method used in business continuity planning.

facility access control

triggers

audit trail

hot site

A

hot site

43
Q

In order to be secure, data has to be

unreadable, unusable, and indecipherable.

indecipherable only.

unreadable only.

unusable only.

A

unreadable, unusable, and indecipherable

44
Q

Identify when the covered entity has to notify CMS immediately.

when 500 or more patients are impacted

when 250 or more patients are impacted

when 200 or more patients are impacted

when 100 or more patients are impacted

A

when 500 or more patients are impacted

45
Q

Identify the true statement regarding public key encryption.

The digital certificate shows that the keys are encrypted.

The sending computer uses the public key.

Public key encryption requires both computers to have the same key.

Public key encryption uses a private and public key.

A

Public key encryption uses a private and public key.

46
Q

Determining how likely a threat is to occur is known as

risk determination.

impact analysis.

control recommendation.

control analysis.

A

risk determination

47
Q

Critique this statement: A business associate has the right to use a health care organization’s information beyond the scope of their agreement with the health care organization.

This is a false statement because it is prohibited by the HIPAA Privacy Rule.

This is a true statement as long as they have patient consent.

This is a false statement because the HIPAA Privacy Rule states that to use it in their own business, they must have the health care organization’s approval.

This is a true statement because business associates can use the information for their main source of business as long as the patient’s privacy is protected.

A

This is a false statement because it is prohibited by the HIPAA Privacy Rule

48
Q

Identify an example of two-factor authentication.

fingerprint and retinal scan

token and smart card

password and token

username and password

A

password and token

49
Q

Educate the HIM staff on the designated record set.

It includes only demographic information.

It contains only billing information.

It contains only clinical information.

It contains both clinical and billing information.

A

It contains both clinical and billing information

50
Q

HIPAA states that release of PHI to a coroner is allowed. State law says that the coroner must provide a subpoena. Identify the true statement regarding this situation.

You must request a ruling from a judge.

Follow the state law since it is stricter.

Follow the HIPAA requirement since it is a federal law.

You can follow either the state law or the HIPAA rule.

A

Follow the state law since it is stricter.