Module 10 Test 1: Health Information Privacy and Security (RHIA version) Flashcards
The patient has the right to agree or object to disclosure of protected health information when
disclosing information to a family member who is directly involved in the patient’s care.
disclosing information to patient’s or covered entities’ minister.
disclosing information to patient’s attorney.
disclosing information to a family member who is not directly involved in the care.
disclosing information to a family member who is directly involved in the patient’s care
You are a nurse who works on 3West during the day shift. One day, you had to work the night shift because they were shorthanded. However, you were unable to access the EHR. Identify the type of access control being used.
user-based
either user- or role-based
context-based
role-based
context-based
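The 3West scenario above turns on the difference between user-based, role-based and context-based access control: the nurse's account and role are valid, but the request falls outside the shift the EHR knows her to work. The following added example (written for this page, not taken from any EHR product) evaluates all three controls in order so that the denial reason names the one that fired. The user record, role set, deny list and shift hours are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical user record for the 3West scenario, carrying the attributes that
# each style of access control keys on (names and values are constructed).
@dataclass(frozen=True)
class User:
    user_id: str
    role: str    # e.g. "nurse", "coder"
    unit: str    # e.g. "3West"
    shift: str   # "day" or "night": the scheduling context the EHR checks

# Role-based: which roles may open the EHR at all.
ROLES_WITH_EHR_ACCESS = {"nurse", "physician", "coder"}

# User-based: named individuals denied regardless of role.
USER_DENY_LIST = {"u-terminated-001"}

# Context-based: the hours of the day during which each shift may use its access.
SHIFT_HOURS = {
    "day": set(range(7, 19)),
    "night": set(range(19, 24)) | set(range(0, 7)),
}

def check_access(user: User, unit: str, hour: int) -> tuple[bool, str]:
    """Evaluate the request; the returned reason names the control that decided it.

    `hour` is the hour of day (0-23) taken from the request timestamp."""
    if user.user_id in USER_DENY_LIST:
        return False, "user-based: account is on the deny list"
    if user.role not in ROLES_WITH_EHR_ACCESS:
        return False, f"role-based: role {user.role!r} has no EHR access"
    if user.unit != unit:
        return False, f"context-based: user is assigned to {user.unit}, not {unit}"
    if hour not in SHIFT_HOURS[user.shift]:
        return False, f"context-based: {user.shift}-shift user requesting access at {hour:02d}:00"
    return True, "allowed"

if __name__ == "__main__":
    nurse = User("u-3w-nurse-17", "nurse", "3West", "day")
    print(check_access(nurse, "3West", 10))   # day shift: allowed
    print(check_access(nurse, "3West", 23))   # night shift: denied by context, not by role
```

The order of the checks matters for the audit trail: a log entry that says "context-based" tells the security officer that the account and role were fine and that a schedule change (not a new role grant) is the right remedy.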
The breach was identified on October 10, 20XX. The investigation was completed on October 15, 20XX. The patient must be notified within
60 days from October 15.
30 days from October 15.
60 days from October 10.
30 days from October 10.
60 days from October 10.
A record destruction program should include
the method of destruction.
requirement of daily destruction.
the name of the supervisor of the person destroying the records.
citing the laws followed.
the method of destruction.
Before we can go any further with our risk analysis, we need to determine what systems/information need to be protected. This step is known as
control analysis.
system characterization.
vulnerability.
risk determination.
system characterization.
The admissions clerk asks why he has to check the patient’s driver’s license to ensure that this is the correct patient. Educate the admissions clerk.
This meets the HIPAA requirement of access control.
This meets the HIPAA requirement of authorization.
This meets the HIPAA requirement of authentication.
This meets the HIPAA requirement of verification.
This meets the HIPAA requirement of verification.
You are defining the designated record set for South Beach Healthcare Center. Identify the information that will be included in the designated record set.
information compiled for use in civil hearing
psychotherapy notes
discharge summary
quality reports
discharge summary
Regulation controlling the use of information blocking refers to
electronic health information.
electronic financial information.
third-party claim forms.
paper patient records.
electronic health information.
The Internet of Medical Things (IoMT) includes
malicious software.
ransomware.
firewall.
wearable devices.
wearable devices.
According to the HIPAA privacy rule, protected health information includes
only electronic individually identifiable health information.
individually identifiable health information in any format stored by a health care provider or business associate.
non-individually identifiable health information in any format stored by a health care provider.
only paper individually identifiable health information.
individually identifiable health information in any format stored by a health care provider or business associate.
The administrator states that he should not have to participate in privacy and security training as he does not use PHI. Determine the appropriate response.
“Did you read the privacy rules?”
“All employees are required to participate in the training, including top administration.”
“I will record that in my files so that we will not bother you again on this issue.”
“You are correct. There is no reason for you to participate in the training.”
“All employees are required to participate in the training, including top administration.”
The Covered Entity hired a company to test the information system’s security. This is known as
penetration testing.
data loss prevention.
intrusion detection systems.
intrusion prevention systems.
penetration testing.
Identify the type of health records that the patient cannot have access to.
A mental health assessment
Psychotherapy notes
Alcohol and drug records
AIDS records
Psychotherapy notes
Identify the true statement regarding healthcare provider’s use of mobile devices.
A specific procedure must be followed for reporting and addressing a lost device.
ePHI should always be stored on mobile devices.
Mobile devices are exempt from encryption.
Devices should only be owned by the covered entity.
A specific procedure must be followed for reporting and addressing a lost device.
The data center containing the computer upon which the electronic health record is located was flooded. As a result, the EHR is inoperable. Identify the type of security that failed.
administrative
network
physical
transmission
physical
HIPAA Privacy Rule provides patients with the ability to request an amendment to their health record, to access their health record and other
required standards.
patient rights.
preemptions.
addressable requirements.
patient rights.
You have been given the responsibility of destroying the PHI contained in the information system’s old server before it is trashed. Recommend an appropriate destruction method.
crushing
degaussing
incineration
overwriting data
degaussing
The Fair and Accurate Credit Transactions Act works to reduce
privacy breaches.
identity theft.
the number of invalid authorizations.
security breaches.
identity theft.
Differentiate between identity matching and identity management.
Identity matching is identifying who has chosen to participate in an HIE. Identity management is identifying the correct person in the MPI.
Identity management is proving that the user is who they say they are. Identity matching is identifying the correct person in the MPI.
Identity matching is proving that the patient is who they say they are. Identity matching is identifying who has chosen to participate in an HIE.
Identity matching is proving that the patient is who they say they are. Identity management is identifying the correct person in the MPI.
Identity management is proving that the user is who they say they are. Identity matching is identifying the correct person in the MPI.
You have been asked if digital signatures utilize encryption. Your response should be
No, but electronic signatures utilize encryption.
No, encryption is not a part of digital signatures.
Yes, a digital signature utilizes encryption.
No, but digitized signatures utilize encryption.
Yes, a digital signature utilizes encryption.
Identify the process of identifying potential privacy violations.
risk assessment
risk aversion
risk management
business continuity planning
risk assessment
Identify the true statement regarding information blocking.
Patients are required to follow the information blocking regulations.
There are exceptions to the information blocking rules.
There are no exceptions to the information blocking rule.
Information blocking applies only to healthcare organizations.
There are exceptions to the information blocking rules.
Identify the business associate.
bulk food service provider
security guards
release of information company
childbirth class instructor
release of information company
John is a 45-year-old male who is mentally disabled. Identify who can authorize release of his health record.
John
legal guardian
executor of his will
John’s sister
legal guardian
The information system has just notified you that someone has attempted to access the information system inappropriately. This process is known as
intrusion detection.
cryptography.
integrity.
intrusion protocol.
intrusion detection.
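The card above describes the notification side of intrusion detection; what produces that notification is detection logic run over the system's audit log. The following added example (not part of the flashcard set or any vendor product) flags repeated failed logins from one user and source address inside a sliding window, the most basic pattern an EHR audit monitor looks for. The log format and every line in it are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines in a hypothetical "timestamp user source result action [resource]" format.
SAMPLE_AUDIT_LOG = """\
2024-03-04T02:14:05 jdoe 10.20.30.40 FAIL login
2024-03-04T02:14:09 jdoe 10.20.30.40 FAIL login
2024-03-04T02:14:12 jdoe 10.20.30.40 FAIL login
2024-03-04T02:14:15 jdoe 10.20.30.40 FAIL login
2024-03-04T02:14:19 jdoe 10.20.30.40 FAIL login
2024-03-04T02:14:22 jdoe 10.20.30.40 FAIL login
2024-03-04T08:01:00 asmith 10.20.31.7 OK login
2024-03-04T08:02:10 asmith 10.20.31.7 OK view MRN-000123
2024-03-04T08:30:00 rlee 10.20.31.9 FAIL login
2024-03-04T09:30:00 rlee 10.20.31.9 OK login
"""

def parse(log_text: str):
    """Yield (timestamp, user, source, result, action) for each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result, *rest = line.split()
        yield datetime.fromisoformat(ts), user, src, result, " ".join(rest)

def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Alert once per (user, source) pair that accumulates `threshold` failed
    logins within `window`; older failures fall out of the window as time moves on."""
    failures = defaultdict(list)
    alerted = set()
    alerts = []
    for ts, user, src, result, action in parse(log_text):
        if action != "login" or result != "FAIL":
            continue
        key = (user, src)
        recent = [t for t in failures[key] if ts - t <= window] + [ts]
        failures[key] = recent
        if len(recent) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": user, "source": src, "failures": len(recent),
                           "first": recent[0], "last": ts})
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUDIT_LOG):
        print(f"{alert['user']} from {alert['source']}: {alert['failures']} failures "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

A single failure from rlee followed by a success is the normal typo pattern and produces nothing; jdoe's six failures in seventeen seconds cross the threshold on the fifth attempt. A production monitor would also watch for successful logins at unusual hours and for record views with no treatment relationship, but the windowing logic is the same.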
It has been decided that the coders will have access to all e-PHI in the EHR but they will not be able to add or edit data. This process is known as
information system activity review.
incidental disclosure.
workforce clearance procedure.
limited data set.
workforce clearance procedure.
When logging into an information system, you are instructed to enter a string of characters. These characters appear distorted onscreen, however. Identify this type of access control.
two-factor authentication
CAPTCHA
token
biometrics
CAPTCHA
Identify the true statement regarding mobile device security.
Users of mobile devices should sign an acknowledgment of the rules related to them.
Data should be stored on the mobile device.
Mobile devices should not utilize encryption unless required by state law.
Mobile devices are the only devices that should be used by a CE.
Users of mobile devices should sign an acknowledgment of the rules related to them.
The police came to the HIM department today and asked that a patient’s right to an accounting of disclosures be suspended for two months. Identify the proper response.
“I’m sorry, Officer, but we can only do this for one month.”
“Certainly, Officer. We will take care of that right now.”
“Certainly, Officer. We will be glad to do that as soon as we have the request in writing.”
“I’m sorry, Officer, but privacy regulations do not allow us to do this.”
“Certainly, Officer. We will be glad to do that as soon as we have the request in writing.”
The expert determination method is a method of
de-identification.
disclosure.
criticality assessment.
emergency mode operation plan.
de-identification.
The process for ensuring that the user is who they say they are is known as
person authentication.
intrusion prevention.
account lockout.
safeguard.
person authentication
Identify the purpose of the notice of privacy practices.
report incidents to the OIG.
notify the patient of uses of PHI.
notify researchers of allowable data use.
notify the patient of audits.
notify the patient of uses of PHI
The information systems department was performing their routine destruction of data. Unfortunately, they accidentally deleted a health record that is involved in a medical malpractice case. This unintentional destruction of evidence is called
a security event.
spoliation.
forensics.
mitigation.
spoliation.
A patient was denied access to their PHI. They asked for an appeal of the decision and were allowed the appeal. Identify why the patient might have been denied.
Patient is an inmate and release may cause safety concern.
The CE is exempt from CLIA.
Another person may be harmed by the release.
Patient is part of research and has agreed to a temporary suspension of his rights.
Another person may be harmed by the release
A hacker recently accessed our database. We are trying to determine how the hacker got through the firewall and exactly what was accessed. The process used to gather this evidence is called
a security event.
security.
mitigation.
forensics.
forensics.
Identify an example of a HIPAA patient right.
The patient can ask a patient advocate to sit in on all appointments at the healthcare organization
The patient can discuss financial arrangements with business office staff.
The patient can ask to be contacted at an alternative site.
The patient can review his bill.
The patient can ask to be contacted at an alternative site.
The surgeon comes out to speak to a patient’s family. She tells them that the patient came through the surgery fine, that the mass was benign, and that they can see the patient in an hour. She speaks quietly so that the other people in the waiting room will not hear, but someone walking by overhears. This is called a(n)
violation of policy.
privacy breach.
incidental disclosure.
privacy incident.
incidental disclosure.
The covered entity is conducting an audit to ensure that they are meeting privacy and security standards. They must be conducting a(n)
process audit.
product audit.
external audit.
system audit.
process audit
Identify the inappropriate use of PHI.
“Mary, at work yesterday I saw that Susan had a hysterectomy.”
“Can you help me find Mary Smith’s health record?”
Dr. Jones tells a nurse on the floor to give Ms. Brown Demerol for her pain.
A member of the physician’s office staff calls centralized scheduling and says, “Dr. Smith wants to perform a bunionectomy on Mary Jones next Tuesday.”
“Mary, at work yesterday I saw that Susan had a hysterectomy.”
Identify the exception to the information blocking rule.
A substantial fee is required prior to release of the requested information.
Protecting patient’s privacy.
Providing readily available information.
There is not an exception to the rule.
Protecting patient’s privacy.
The patient has requested an amendment to her health record. The covered entity, after review with the physician, has decided to deny the request. According to HIPAA, the patient must be notified within
60 days.
30 days.
45 days.
90 days.
60 days
Identify a method used in business continuity planning.
facility access control
triggers
audit trail
hot site
hot site
For PHI to be considered secured (so that a breach of it is not reportable), the data has to be rendered, to unauthorized individuals,
unreadable, unusable, and indecipherable.
indecipherable only.
unreadable only.
unusable only.
unreadable, unusable, and indecipherable
Identify when the covered entity has to notify the Secretary of HHS of a breach without unreasonable delay, rather than recording it in the log submitted annually.
when 500 or more patients are impacted
when 250 or more patients are impacted
when 200 or more patients are impacted
when 100 or more patients are impacted
when 500 or more patients are impacted
Identify the true statement regarding public key encryption.
The digital certificate shows that the keys are encrypted.
The sending computer uses the public key.
Public key encryption requires both computers to have the same key.
Public key encryption uses a private and public key.
Public key encryption uses a private and public key.
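Two cards on this page rest on the same mathematics: the digital signature card earlier (a digital signature uses encryption, specifically the private-key operation of an asymmetric key pair) and the public key encryption card above (a public and a private key, not one shared key). The following added example, written for this page and not taken from any library, shows both with textbook RSA: the public key encrypts and the private key decrypts; the private key signs a hash and the public key verifies it. The primes 61 and 53 are a toy key constructed for illustration and are useless for real security; the hash-mod-n step stands in for the padding a real signature scheme applies.

```python
import hashlib
import math

# Toy RSA with small primes, constructed for illustration only. Real keys use
# primes of 1024+ bits each; these values can be factored by hand.
def keygen(p: int = 61, q: int = 53, e: int = 17):
    n = p * q                        # modulus, part of both keys
    phi = (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1
    d = pow(e, -1, phi)              # private exponent: modular inverse of e
    return (n, e), (n, d)            # (public key, private key)

def encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can encrypt a value 0 <= m < n."""
    n, e = public_key
    return pow(m, e, n)

def decrypt(private_key, c: int) -> int:
    """Only the private-key holder recovers m; the two computers never share a key."""
    n, d = private_key
    return pow(c, d, n)

def _hash_mod_n(message: bytes, n: int) -> int:
    # A real scheme pads the hash (PKCS#1 v1.5 or PSS); reducing mod n is the toy version.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message: bytes) -> int:
    """Digital signature: hash the message and apply the private-key operation to it
    (mathematically the same exponentiation as decrypt)."""
    n, d = private_key
    return pow(_hash_mod_n(message, n), d, n)

def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the public key checks the signature; a changed message or
    signature fails because the public-key operation no longer yields the hash."""
    n, e = public_key
    return pow(signature, e, n) == _hash_mod_n(message, n)

if __name__ == "__main__":
    public, private = keygen()
    c = encrypt(public, 65)
    print(c, decrypt(private, c))            # 2790 65
    note = b"Discharge summary: patient stable, follow up in 2 weeks"
    sig = sign(private, note)
    print(verify(public, note, sig))         # True
    print(verify(public, note + b"s", sig))  # altered after signing: signature no longer verifies
```

The example also shows why the distractor "requires both computers to have the same key" is wrong: the sender only ever holds (n, e), and only the recipient holds d. A digital certificate, which the other distractor mentions, binds a public key to an identity; it does not mean the keys are themselves encrypted.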
Determining how likely a threat is to occur is known as
risk determination.
impact analysis.
control recommendation.
control analysis.
risk determination
Critique this statement: A business associate has the right to use a health care organization’s information beyond the scope of their agreement with the health care organization.
This is a false statement because it is prohibited by the HIPAA Privacy Rule.
This is a true statement as long as they have patient consent.
This is a false statement because the HIPAA Privacy Rule states that to use it in their own business, they must have the health care organization approval.
This is a true statement because business associates can use the information for their main source of business as long as the patient’s privacy is protected.
This is a false statement because it is prohibited by the HIPAA Privacy Rule
Identify an example of two-factor authentication.
fingerprint and retinal scan
token and smart card
password and token
username and password
password and token
Educate the HIM staff on the designated record set.
It includes only demographic information.
It contains only billing information.
It contains only clinical information.
It contains both clinical and billing information.
It contains both clinical and billing information
HIPAA states that release of PHI to a coroner is allowed. State law says that the coroner must provide a subpoena. Identify the true statement regarding this situation.
You must request a ruling from a judge.
Follow the state law since it is stricter.
Follow the HIPAA requirement since it is a federal law.
You can follow either the state law or the HIPAA rule.
Follow the state law since it is stricter.