Scenarios Flashcards

1
Q

The privacy officer for a hospital has updated the Notice of Privacy Practices to reflect a material change because the previous notice did not have a description that individuals have the right to amend their Protected Health Information. This deficiency was noticed when a third party came to the hospital and did a walk-through to assess the organization’s current state of compliance with the HIPAA Privacy and Security Rules. The third party review team identified that the notice did not have the required information to let individuals know of their right to amend PHI. What is the BEST course of action that reflects the regulatory requirements within HIPAA of what the privacy officer should now do given that the notice has been corrected?
A. Make arrangements to have copies of the new NPP mailed to all patients seen within the last year at the hospital
B. Make arrangements to have the new notice distributed to new patients that come to the hospital
C. Post a copy of the new notice on the hospital’s internal intranet so that all employees can see the updated version of the notice
D. Meet with legal to discuss how to best self-disclose to the OCR that the hospital was in violation of the NPP requirements and has since corrected the deficiency

A

B. Make arrangements to have the new notice distributed to new patients that come to the hospital

2
Q

The Smith family has two children attending State University (State U). Child 1 is 19 years old and Child 2 is 22 years old. Because of the income level of the Smith family and because both Child 1 and Child 2 are claimed as dependents on the federal tax return of Mr. and Mrs. Smith, both children were able to get grants to attend State U and live on campus. Child 1 is doing very well and often shares information about her grades and progress with her parents. Child 2 is not doing so well and rarely shares any information about her grades or her progress with her parents. Mr. and Mrs. Smith are concerned and contact State U and ask for information about Child 2’s grades. Child 2’s parents do not have a consent from Child 2 to obtain information about Child 2’s grades. Which of the following is correct?

A. The school may release the grade information if it has consent from Child 1.
B. The school may release the grade information if it does not have consent from Child 1.
C. Both A and B
D. Neither A nor B

A

D. Neither A nor B

Child 1 and 2 are dependents for tax purposes; the school does not need consent from the children.

3
Q

A workforce member is using Word 2016 to compile a list of patients and their PHI to send to a private insurance payer. The workforce member password protects the Word document and sends it using the CE’s email system. The CE’s email server has software that detects attachments and flags the outgoing email for review by IT. The IT person contacts the workforce member about the email and asks if any PHI included in the email or its attachment was sent in an encrypted manner. The workforce member shares that a password was used to save the document that contained PHI. The IT worker is required to report any outgoing emails that are sent when any associated PHI either in the body, subject, or attachments of the email is not encrypted. Will the IT worker need to report the incident?
A. Yes
B. No

A

B. No

Because the PHI in the password-protected document was encrypted.

4
Q

A privacy official is asked to approve a transfer form that would have the patient’s SS# on the top of the page to read as “ABC12345679” to go with a patient from the privacy officer’s facility to another facility when a patient is transferred. The nursing leadership at the facility is insisting that they “have to have” the patient’s SS# when making transfer arrangements from one facility to another. The BEST course of action for the privacy officer to take is:
A. Ask the nursing leadership to update the policy on transfers to include that social security numbers must be included on transfer paperwork.
B. Have the appropriate forms updated/revised/edited so that they can now accommodate the social security numbers.
C. Confirm with nursing any regulations or other requirements that state social security numbers must be included on transfer forms
D. Contact the legal department.

A

C. Confirm with nursing any regulations or other requirements that state social security numbers must be included on transfer forms

5
Q

When an investigator presents to a facility with a search warrant, the FIRST thing an employee should do is:
A. verify the credentials of the investigator.
B. request a copy of the search warrant.
C. call the compliance professional.
D. notify the Chairperson of the BOD

A

A- verify the credentials of the investigator.

6
Q

Home health coverage criteria include the beneficiary must
A. have been hospitalized within the past 72 hours and under the care of a physician.
B. be currently enrolled in a Medicare managed care plan and have a condition needing skilled services.
C. require the services of a skilled nurse and not be able to leave place of residence.
D. be homebound, require skilled services and be under the care of a physician.

A

D- be homebound, require skilled services and be under the care of a physician.

7
Q
Which of the following have been identified as high risk areas by the OIG: 1) duplicate billing; 2) 15 minute interval billing; 3) billing for medically unnecessary service; 4) pay and per visit reimbursement mechanism?
A. 1 and 3 only
B. 2 and 4 only
C. 2, 4, and 5 only
D. 2, 3, and 4 only
A

A- 1 and 3 only.

8
Q

Organizations have the opportunity to reduce their culpability in accordance with the Federal Sentencing Guidelines by
A. establishing mandatory audits.
B. effectively dealing with any offense after it has occurred.
C. developing a code of conduct and educating senior management.
D. voluntarily disclosing overpayments

A

B. effectively dealing with any offense after it has occurred.

9
Q

Compliance audits indicate a five-year trend of decreasing numbers of compliance issues. The compliance professional is considering whether the auditing program needs to be continued because there is also a robust monitoring program in place. Which of the following is the MOST compelling reason to continue the auditing program?
A. Audits are part of an effective compliance program.
B. Necessary compliance training cannot be identified without auditing.
C. It helps the Board of Directors understand the compliance program.
D. Staff cannot recognize compliance issues without auditing.

A

A- Audits are part of an effective compliance program.

10
Q

A provider receives a request from the Social Security Administration for PHI relating to a person’s application for benefits. Which of the following is the correct method of release?
A. Since it is to a federal agency, an authorization from the patient is not needed, so PHI can be released.
B. The provider should review the PHI and make a decision on the minimum necessary and release.
C. The provider should notify the patient and obtain a signed authorization prior to release.
D. Release the information because the patient signed a consent for treatment.

A

C- The provider should notify the patient and obtain a signed authorization prior to release.

11
Q

A hospital is newly acquired by a health plan whose Compliance Officer recently retired and is therefore in need of a Compliance Professional. What characteristics should the board look for in hiring a Compliance Professional?
A. Someone that possesses an MBA and/or JD
B. Someone that has managed a compliance program for 10+ years
C. Someone that has healthcare experience (i.e., RN, MD, etc.)
D. Someone that has strong interpersonal skills, is a good listener and is discreet

A

D. Someone that has strong interpersonal skills, is a good listener and is discreet

12
Q

A patient has authorized that we disclose all of his health records relating to his recent treatment in our alcoholic rehabilitation center. We have received records from the patient’s previous encounters. Can we redisclose these records along with our records?

A

No. The patient should be referred back to the healthcare provider that originated the health records unless any part of the record was used in providing treatment or making a decision about the patient because then it becomes a part of the facility’s DRS.

13
Q

A hospital is newly acquired by a health plan whose Compliance Officer recently retired and is therefore in need of a Compliance Professional. What characteristics should the board look for in hiring a Compliance Professional?

A. Someone that possesses an MBA and/or JD
B. Someone that has managed a compliance program for 10+ years
C. Someone that has healthcare experience (i.e., RN, MD, etc.)
D. Someone that has strong interpersonal skills, is a good listener and is discreet

A

D. Someone that has strong interpersonal skills, is a good listener and is discreet

14
Q

A patient who has private insurance requests access to his records by submitting an Access to PHI form to the hospital and indicates he is requesting a hardcopy of all paperwork associated with his visit to the Emergency Department for chest pain on 1/1/19 be sent to his primary care physician (PCP). The records are sent on 1/10/19.

On 1/17/19, the patient has his appointment with the PCP who suggests that the patient visit a specialist, a cardiologist. On 1/24/19, the patient visits a cardiologist as suggested by the PCP. The patient informs the cardiologist that the patient is going to pay for all services out of pocket and requests that the cardiologist not submit any PHI to his insurance plan. The cardiologist is agreeable so long as all services are paid in full at the time when the patient leaves the office. The patient asks if he can make three monthly payments to pay for services.

The cardiologist contacts YOU, the designated privacy official and asks if the HIPAA regulations prohibit the cardiologist from requiring that all services be paid in full at the time the patient leaves the office.

A

No

15
Q

A hospital medical staff office is conducting its monthly review of the Excluded Parties List System (EPLS). The compliance officer is called by the manager of the medical staff office and informed that Dr. Smith, a surgeon who took call 5 times last month for the Emergency Department, was excluded on a date prior to those dates when the surgeon took call. In other words, the effective date of the exclusion involving the surgeon was 4/1/2019 and the surgeon took call and provided surgical services to patients in the ED on 4/13/19, 4/20/19, and 4/27/2019. What is the NEXT action the compliance officer should do?

a. Contact the ED and make sure that the involved surgeon is removed from taking any more on call shifts.
b. Have the medical office check if the surgeon is listed on other exclusion lists.
c. Contact legal counsel to alert of the need to pay back reimbursement received for services provided by an excluded individual.
d. Hold all surgical service related bills associated with the ED so that none are released to any payers which may involve this surgeon.

A

b. Have the medical office check if the surgeon is listed on other exclusion lists.

16
Q

On Day 1, a health plan has sent out 1000 letters to its members which contain PHI on each respective member. On Day 5, the health plan gets 10 envelopes back where the recipients have written or indicated that the addressee is no longer at the address. These envelopes show that they have been opened. On Day 10, the health plan gets 15 more letters; 5 are returned unopened with a sticker from the post office that the addressee is no longer at the address on the envelope and no forwarding information is available. Finally, on Day 30, a batch of 20 letters, all opened with a handwritten notation that the addressee is no longer at the address, is received. The privacy officer provides a report at the next board meeting on Day 50. What would be the MOST correct statement for the privacy officer to report?
A. The mailing of the letters is allowable as it falls under health care operations and that no breach is involved as what happened represents one of the exceptions related to the definition of a breach.
B. This process of mailing out letters has resulted in breaches and this has triggered the breach notification requirements.
C. Because the letters were returned, there is no need to take any additional action.
D. Risk assessments of the incident have concluded that no breaches occurred.

A

B. This process of mailing out letters has resulted in breaches and this has triggered the breach notification requirements.

17
Q

A compliance professional has confirmed that an employee had inappropriately looked in a medical record of a nationally known VIP and had sold the information to a tabloid. What should the compliance professional do NEXT?

a. Provide privacy training
b. Notify the OCR
c. Interview involved staff
d. Notify legal counsel

A

d. Notify legal counsel

18
Q

An employee notifies the compliance professional that a co-worker in the billing office is waiving insurance co-payments for friends and family members covered by Medicare. The employee also says that he has told the supervisor, but the problem has not been addressed. Which of the following is the MOST appropriate course of action for the compliance professional?

a. Contact the supervisor to inform her what the employee has said
b. Direct the CFO to conduct an investigation
c. Review co-payment waivers to independently substantiate the allegation
d. Direct the supervisor to conduct an investigation

A

c. Review co-payment waivers to independently substantiate the allegation

19
Q

A privacy officer is informed by an employee who was analyzing how many patients were seen in the ED of the hospital that the employee lost a thumb drive with an unencrypted file containing dates related to patient visits in the ED. The thumb drive included an Excel file that listed a column titled “Admit Date and Time” and another column titled “Discharge Date and time”. No other information was on the thumb drive and the Excel file name was simply “Dates” and the workbook was titled “Sheet1”. There is no metadata on the Excel file to identify the source or author of the file. The employee mentioned that there were dates in the file that related to about 1,200 patients. Upon receipt of this information, the NEXT step for the privacy officer is to:
A. Take steps to identify the 1,200 patients whose dates were on the lost thumb drive
B. Report the incident using the OCR website within 60 days
C. Contact the Legal Department
D. Conduct a risk assessment

A

D. Conduct a risk assessment

20
Q

Hospital A is treating a patient who arrived in the ED by ambulance seeking emergency medical care related to chest pain. Hospital A is known for being one of the best hospitals for treating patients with chest pain. The patient is taken to the treatment area to be hooked up to a monitor as part of the early stages of having a medical screening exam. The patient tells the staff that he wants to be transported to Hospital B. The staff doesn’t know what to do and calls you, the compliance officer, to help out. Your BEST suggestion to the staff given the choices below is:
A. Inform the staff that they can suggest to the patient for the patient to leave the ED and go to Hospital B’s ED.
B. Inform the staff that the patient cannot be transferred because Hospital A has the capacity and capability to provide the required stabilizing treatment and to identify if the patient has an emergent medical condition.
C. Inform the staff to arrange to have the patient transported to Hospital B according to hospital policy to include sending copies of whatever medical records on what has been done so far go with the patient.
D. Inform the staff that if two physicians agree that the patient can be treated at Hospital A, tell the patient that he cannot be transferred.

A

A. Inform the staff that they can suggest to the patient for the patient to leave the ED and go to Hospital B’s ED.
B. Inform the staff that the patient cannot be transferred because Hospital A has the capacity and capability to provide the required stabilizing treatment and to identify if the patient has an emergent medical condition.
C. Inform the staff to arrange to have the patient transported to Hospital B according to hospital policy to include sending copies of whatever medical records on what has been done so far go with the patient.
D. Inform the staff that if two physicians agree that the patient can be treated at Hospital A, tell the patient that he cannot be transferred.

21
Q

Patient A received a letter from Hospital B that Patient A’s PHI was involved in a breach due to a letter properly addressed to Patient A but due to an error by the US mail, ended up in the wrong mailbox. The unintended recipient did report receipt of the letter and did admit to opening and reading the PHI for Patient A.

Patient A wants to make sure he/she has a record of this breach and any other information about it on file so Patient A contacts Hospital B and requests an Accounting of Disclosures. Hospital B’s medical record department provides an Accounting of Disclosures report to Patient A and it is blank in that no disclosures are listed. Patient A contacts Hospital B and is connected to you the privacy official and asks why the breach isn’t listed in the Accounting of Disclosures report. While Patient A is on the phone, you are able to get a copy of the Accounting of Disclosures that was sent to Patient A from the EHR system where you also see a copy of the breach letter.

The BEST answer for you to give Patient A is: (remember…there might be a “better” answer you come up with…but you only have the four listed below as your options)

A. Inform Patient A that given the patient’s receipt of the breach notification letter from Hospital B about the disclosure, Patient A was provided a notice of the disclosure and therefore, this particular disclosure would not appear on an Accounting of Disclosures.
B. Inform Patient A that it appears that the disclosure related to the breach was not on the Accounting of Disclosures and that it should be listed. You will look into why it was not listed and then have a corrected copy sent to Patient A.
C. Inform Patient A that since the letter containing the PHI was addressed correctly, this was a permissible disclosure done for treatment related purposes and therefore would not appear on an Accounting of Disclosures. The breach occurred when the unintended recipient read the letter and that is why Patient A received the breach letter because the recipient read a properly addressed letter not intended for the recipient.
D. Inform Patient A that now looking into this matter more closely, you realize that the breach notification letter was sent in error because given that the letter was addressed correctly, there can be no breach. You also share that because the letter was sent for treatment purposes, this would not appear on an Accounting of Disclosures.

A

A. Inform Patient A that given the patient’s receipt of the breach notification letter from Hospital B about the disclosure, Patient A was provided a notice of the disclosure and therefore, this particular disclosure would not appear on an Accounting of Disclosures.
B. Inform Patient A that it appears that the disclosure related to the breach was not on the Accounting of Disclosures and that it should be listed. You will look into why it was not listed and then have a corrected copy sent to Patient A.
C. Inform Patient A that since the letter containing the PHI was addressed correctly, this was a permissible disclosure done for treatment related purposes and therefore would not appear on an Accounting of Disclosures. The breach occurred when the unintended recipient read the letter and that is why Patient A received the breach letter because the recipient read a properly addressed letter not intended for the recipient.
D. Inform Patient A that now looking into this matter more closely, you realize that the breach notification letter was sent in error because given that the letter was addressed correctly, there can be no breach. You also share that because the letter was sent for treatment purposes, this would not appear on an Accounting of Disclosures.

22
Q

Patient A presents to the Emergency Department for Hospital A and is complaining of chest pain. Patient A has vitals taken and then is placed in the exam area where a doctor begins conducting the Medical Screening Exam (MSE). After diagnostics are completed and test results are reviewed by the doctor, the doctor tells Patient A that the medical decision is that the patient’s chest pain is due to indigestion and that the patient is not experiencing any type of emergent condition. Patient A is told that he/she will be given a prescription for medications to manage the indigestion and that the nurse will arrive in a few minutes to complete Patient A’s discharge. Before the discharge is completed, Patient A demands that under the EMTALA regulations, the patient has the right to request to be transferred to another hospital because the patient believes his/her symptoms are related to a much more serious situation or condition. The ED staff contact you about the patient’s request to be transferred. Your BEST response is:

A. Since the discharge process is not complete, explain to the staff that it should make arrangements to transfer the patient to another hospital as this is required by EMTALA.
B. Have the staff inform the patient that no transfer will be arranged as the EMTALA requirements have been met and to continue to move forward with the discharge process.
C. Tell the staff not to discharge the patient and ask that another physician be assigned to the patient and that another work up of the patient be done to address the ongoing concerns of the patient about his/her condition.
D. Contact Security and ask an officer to be on stand by in the ED in case this patient begins to pose a safety risk to the staff.

A

B. Have the staff inform the patient that no transfer will be arranged as the EMTALA requirements have been met and to continue to move forward with the discharge process.

23
Q

Which of the choices below lists the three types of safeguards in order of which has the most standards, from most to least:
A. Physical, Administrative, Technical
B. Technical, Physical, Administrative
C. Administrative, Technical, Physical

A

C. Administrative, Technical, Physical

24
Q

Each of the Standards in the Security Matrix has at least one implementation specification.
A. True
B. False

A

B. False

25
Q

All implementation specifications listed in the Security Matrix in the Security Rule are shown as either Required (R) or Addressable (A).
A. True
B. False

A

B. False

26
Q

The Compliance Professional at a hospital (I know…everything seems to be focused in the hospital setting…but that’s what people tell me about the exam, so let’s get used to it for exam taking purposes) receives an anonymous call on the hotline. The caller states that he or she has evidence that the hospital has received within the last 90 days, over $1 million in over payments from Medicare because of inappropriately/incorrectly coded claims which for whatever reasons are not getting denied when the claims are processed. The BEST course of action for the Compliance Professional to take is to:

A. Contact legal because the organization is in receipt of over payments and the hospital is already over the 60 day time frame required by the Affordable Care Act to repay these over payments.
B. Meet with the coding and billing department management team and discuss the reported allegation and what steps can be taken to substantiate the allegation.
C. Contact the hospital’s Board leadership and request a meeting to discuss the situation of over payments.
D. Halt all outgoing Medicare claims until further notice to prevent any additional over payments.

A

B. Meet with the coding and billing department management team and discuss the reported allegation and what steps can be taken to substantiate the allegation.

27
Q

A covered entity must have a policy and procedure to address the final disposition of ePHI
A. True
B. False

A

A. True

28
Q

A covered entity must have a policy and procedure to maintain a record of the movement of hardware and electronic media.
A. True
B. False

A

A. True

29
Q

An employee has contacted you, the compliance professional, that the employee reported an issue last week on the hotline and now the employee’s supervisor has cut the employee’s hours significantly and to date the employee has never had any hours cut. Also, the employee is the only member of the department whose hours were cut after you confirmed with HR that the employee’s hours were indeed changed. HR also shared that there was nothing on file as to why this employee’s hours were cut or that HR was aware of any direction given to managers on the need to cut hours within any department.
Which of the 17 sections?

A

Element 4- non-Retaliation

30
Q
Dr. X agreed to serve as the Medical Director of Home Health Agency, HHA, for which he was paid a sum substantially above the fair market value for his services. In return, Dr. X routinely referred his Medicare and Medicaid patients to HHA for home health services. This is an example of a violation of:
A. False Claims Act
B. Anti-Kickback Statute
C. Civil Monetary Penalties Law
D. Fraud, Waste, and Abuse Statute
A

B. Anti-Kickback Statute

31
Q
Which of the following is used to assist employees in carrying out daily responsibilities within an appropriate legal standard?
A. Legal Transcript
B. Code of Conduct
C. Mission Statement
D. Vision Statement
A

B. Code of Conduct

32
Q

The compliance officer has completed the non-retaliation policy and it has been officially implemented. The next step would be to:
A. Investigate all reports of violations
B. Post the information publicly on the internet
C. Make the information available to hospital employees
D. Revise it annually

A

C. Make the information available to hospital employees