Test 4 Flashcards
The HIPAA privacy rule __________.
a. Protects only medical information that is not already specifically protected by state law
b. Supersedes all state laws that conflict with it
c. Is federal common law
d. Sets a minimum (floor) of privacy requirements
Sets a minimum (floor) of privacy requirements
PHI refers to __________ health information.
a. Private
b. Protected
c. Previous
d. Preliminary
Protected
Debbie, an HIM professional, was recently hired as the privacy officer at a large physician practice. She observes the following practices. Which is a violation of the HIPAA privacy rule?
A) Dr. Graham recommends a medication to a patient with asthma.
B) Dr. Herman gives a patient a pen with the name of a pharmaceutical company on it.
C) Dr. Martin recommends acupuncture to a patient.
D) Dr. Lawson gives names of asthma patients to a pharmaceutical company.
Dr. Lawson gives names of asthma patients to a pharmaceutical company.
Although HIPAA is not the first piece of federal privacy legislation, it is more expansive than the Federal Privacy Act of 1974, which applied privacy rules to __________.
a. Veterans’ records
b. Medicare and Medicaid records
c. Federal agencies
d. Non-profit hospitals
Federal agencies
Mercy Hospital personnel need to review the medical records of Katie Grace for utilization review purposes (#1). They will also be sending her records to her physician for continuity of care (#2). As they pertain to Mercy Hospital, these two functions are:
a. Use (#1) and disclosure (#2)
b. Request (#1) and disclosure (#2)
c. Disclosure (#1) and use (#2)
d. None of the above
Use (#1) and disclosure (#2)
The privacy rule resides in:
A) Title I of HIPAA.
B) Title I of the Federal Privacy Act.
C) Title II of HIPAA.
D) Title II of the Federal Privacy Act.
Title II of HIPAA.
Medical information loses PHI status and is no longer protected by the HIPAA privacy rule when it:
A) becomes an oral communication.
B) is de-identified.
C) is used for TPO.
D) is individually identifiable.
is de-identified.
Champion Hospital retains Hall, Hall and Hall, a law firm, to perform all of its legal work, including representation during medical malpractice lawsuits. Which of the following statement(s) is/are correct?
A) The law firm is not a business associate because it is a legal, not a medical, organization.
B) The law firm is a business associate because it performs activities on behalf of the hospital.
C) The law firm is a business associate because it uses or discloses individually identifiable health information on behalf of the hospital.
D) The law firm is not a business associate because the privacy rule prohibits it from using individually identifiable information.
E) a and d
The law firm is a business associate because it uses or discloses individually identifiable health information on behalf of the hospital.
Which of the following statements is true? A HIPAA authorization __________.
a. May never be revoked.
b. May be revoked as long as it is in writing.
c. May be revoked verbally or in writing.
d. May be revoked, but the revocation doesn’t take effect for 60 days.
May be revoked as long as it is in writing.
Which of the following is a public interest and benefit exception to the authorization requirement?
A) payment
B) PHI regarding victims of domestic violence
C) information requested by a patient's attorney
D) treatment
PHI regarding victims of domestic violence
Which of the following disclosures provides an individual with the opportunity to agree?
A) facility directory
B) treatment, payment and operations
C) regarding Workers' Compensation
D) information regarding decedents
facility directory
The Health Information Technology for Economic and Clinical Health (HITECH) Act has affected HIPAA in which of the following ways?
a. Definition of PHI has changed
b. Consequences to business associate have become greater
c. Number of covered entity categories has increased
d. HITECH did not make any changes to HIPAA
Consequences to business associate have become greater
Per the HIPAA privacy rule, a hybrid entity is defined as one that
a. serves both self-pay patients and insured patients
b. performs both covered and non-covered functions under the privacy rule
c. educates students and provides medical services to those students as well
d. Is both a healthcare provider and healthcare insurer
performs both covered and non-covered functions under the privacy rule
Dr. Blake is selling his practice to Dr. Walton. If he sells patient information as part of the sale of the practice, he is __________.
a. Violating HIPAA
b. Not violating HIPAA.
c. Not violating HIPAA as long as he sells only patient demographic information
d. Violating HIPAA unless he obtains authorization from each patient
Not violating HIPAA
Of the following options, a sign-in sheet at a physician’s office is best described as __________.
a. Authorization
b. Treatment
c. Incidental disclosure
d. Marketing
Incidental disclosure
Shirley Denton has written to request an amendment to her PHI from Bon Voyage Hospital, stating that incorrect information is present on the document in question. The document is an incident report from Bon Voyage Hospital, which was erroneously placed in Ms. Denton's health record. The covered entity declines to grant her request based on which privacy rule provision?
A) It was not created by the covered entity.
B) It is not part of the designated record set.
C) Both a and b.
D) None. The covered entity must grant her request.
It is not part of the designated record set.
Jack Mitchell, a patient in Ross Hospital, is being treated for gallstones. He has not opted out of the facility directory. Callers who request information about him may be given:
A) no information due to the highly sensitive nature of his illness.
B) admission date and location in the facility.
C) general condition and acknowledgement of admission.
D) location in the facility and diagnosis.
General condition and acknowledgement of admission.
The privacy rule generally requires documentation related to its requirements to be retained for _______.
A) 3 years.
B) 5 years.
C) 6 years.
D) 10 years.
6 years
Breach notification requirements apply to _______.
A) HIPAA covered entities.
B) HIPAA covered entities and their BAs.
C) non-HIPAA covered entities and BA.
D) all of the above
all of the above
A physician practice was warned last year by auditors that its disposal of paper records (dumping them in bins without shredding or deidentifying them) violated HIPAA, but it did nothing to correct the problem. When the records were found in a city dumpster, an anonymous caller notified the Office for Civil Rights (OCR). An investigation by OCR confirmed that the practice had been warned about the violations. What level of violation is OCR likely to assess in this situation?
a. Unknowing
b. Reasonable cause
c. Willful neglect, corrected within 30 days of discovery
d. Willful neglect, uncorrected
Willful neglect, uncorrected
A waived authorization for a research study may be granted by ________.
a. A researcher in the research study
b. An Institutional Review Board
c. The CEO of a covered entity that is providing PHI
d. The Office for Civil Rights
An Institutional Review Board
Which of the following is an example of mitigation?
a. Breach notification
b. Apology
c. Payment of a bill for financial loss resulting from an infraction
d. All of these are examples of mitigation
All of these are examples of mitigation
The May 31, 2011 proposed rule introduced the concept of a(n) _________.
a. Access report
b. Accounting of disclosures
c. Penalty of HIPAA violations resulting from malicious behavior
d. Limitation on records of the deceased as PHI
Access report
Which of the following can the HIM department require of a patient who is requesting an amendment to her PHI?
a. Submit the request in writing
b. Attend a meeting
c. Payment of nominal fee to address the cost of reviewing the request
d. There are no requirements
Submit the request in writing
Where can patients find complete descriptions of how the PHI is used in a healthcare facility?
a. Notice of privacy practices
b. Medical staff rules and regulations
c. Governing board bylaws
d. HIM policies and procedures
Notice of privacy practices
With proper written authorization from a patient, Houston Hospital obtains a copy of the patient’s health record from Austin Hospital. Houston Hospital then releases the information from Austin Hospital to Dallas Hospital. What is this practice called?
a. Redisclosure
b. Release of information
c. Voir dire
d. Ad testificandum
Redisclosure
Sally Mitchell was treated for kidney stones at Graham Hospital last year. She now wishes to review her medical record in person. She has requested to review them by herself in a closed room. Which of the following is true?
a. Failure to accommodate her wishes will be a violation of the HIPAA privacy rule.
b. Sally owns the information in her record, so she must be granted her request.
c. Sally’s request does not have to be granted because the hospital is responsible for the integrity of the medical record.
d. Patients should never be given access to their actual medical records.
Sally’s request does not have to be granted because the hospital is responsible for the integrity of the medical record.
Kyle likes to request frequent accounting of disclosure reports from all of his providers so he knows where his PHI is being disseminated.
a. Each covered entity must provide the first accounting within a 12-month period at no cost
b. Each covered entity must provide the first accounting within a 12-month period for no greater than $10
c. Only one provider must provide the first accounting within a 12-month period at no cost; the others may charge a cost-based fee
d. Every covered entity must provide all accounting of disclosure reports at no cost
Each covered entity must provide the first accounting within a 12-month period at no cost
Terry has requested that all written communications from his cardiologist’s office be sent to his work address instead of his home address. The cardiology practice__________.
a. Must honor this confidential communication request if it is deemed reasonable
b. Is not required to honor any confidential communication requests of this nature
c. Is not required to honor this restriction request
d. Must honor this restriction request as long as it is submitted in writing
Must honor this confidential communication request if it is deemed reasonable
Restriction requests__________.
a. Must always be honored
b. Can always be refused
c. Must be followed if disclosure would be to a health plan for payment and the PHI pertains to a service or item paid for in full by someone other than the health plan
d. Must be followed if an individual wants only certain persons to be given information about the individual that is contained in the facility directory
Must be followed if disclosure would be to a health plan for payment and the PHI pertains to a service or item paid for in full by someone other than the health plan
HealthPartners has been the target of a network server hacking incident. 300 patients were affected. HealthPartners__________.
a. Is not required to report this to the affected patients because there were fewer than 500
b. Must inform the patients of what occurred; the type of PHI involved; and what steps HealthPartners is taking to prevent future hacking incidents
c. Is required to publish a list of the 300 patients who were affected
d. Must inform the patients of what occurred; the type of PHI involved; what steps HealthPartners is taking to prevent future hacking incidents; and the names of the other affected patients
Must inform the patients of what occurred; the type of PHI involved; and what steps HealthPartners is taking to prevent future hacking incidents
If federal and state law conflict, federal law will generally supersede state law under the legal doctrine of__________.
a. Negligence
b. Restrictions
c. Preemption
d. Stare decisis
Preemption
In the event of a HIPAA breach, how long does the facility have to notify each individual of the breach?
a. 30 days
b. 60 days
c. 90 days
d. 120 days
60 days
The notice of privacy practices must inform individuals of their right to complain to whom?
A. The covered entity
B. The department of health and human services
C. Any employee of the facility
D. All of the above
All of the above
Which rule requires covered entities to assign a unique name and/or number for identifying and tracking user identity?
a. Privacy rule
b. Security Rule
c. Administration rule
d. None of the above
Security Rule
Nipa was admitted to Houston Community Hospital for gallbladder removal. Which of the following information about her is considered confidential?
A: Previous history and treatment of a concussion
B: All information is considered confidential
C: Address upon admission
D: Date of birth
All information is considered confidential
Steve has submitted a written authorization to request a copy of his medical chart. However, Steve’s psychiatrist has determined that access to his PHI might endanger his life or safety. What should the covered entity do concerning the request?
A: Release requested information to Steve
B: Release requested information to Steve’s legal guardian
C: Provide an appeals process to Steve for the denial
D: Confirm the psychiatrist's decision and deny the request
Provide an appeals process to Steve for the denial
In regard to a patient’s request for his PHI, which of the following statements is true?
A: A cost-based fee may be charged for making a copy of the PHI.
B: A cost-based fee may be charged for personnel expenses.
C: A cost-based fee may be charged for making a copy of the PHI.
D: No fee may be charged for PHI.
A cost-based fee may be charged for making a copy of the PHI.
Jennifer submits a written request to Houston Hospital for a copy of her PHI on August 19. The information is stored offsite. By what date must the covered entity comply?
A: September 30
B: August 29
C: September 19
D: October 18
October 18
Steve submits a written request to Houston Hospital for a copy of his PHI on August 19. By what date must the covered entity comply?
a. August 29
b. September 3
c. September 8
d. September 18
September 18
The minimum necessary standard refers to the healthcare provider’s effort to _____.
a. Invoice third-party payers for the least reasonable amount associated with care provided to the patient
b. Limit patient-specific health information released to that which is needed to accomplish the intended purpose only
c. Minimize the risk of negligence that would result in becoming involved in a malpractice lawsuit
d. Provide the patient with the minimum amount of procedures and medications to maintain reasonable insurance costs
Limit patient-specific health information released to that which is needed to accomplish the intended purpose only
An authorization for use or disclosure of patient-specific health information that has been combined with any other document is called a(n) _____ authorization.
a. Admissibility
b. Beneficence
c. Certiorari
d. Compound
Compound
The HIPAA security rule requires that the covered entity ________.
a. Eliminate all threats to ePHI
b. Hire a security consultant
c. Protect ePHI from reasonably anticipated threats
d. Protect ePHI at all costs
Protect ePHI from reasonably anticipated threats
The HIPAA Security Rule allows flexibility in implementation based on reasonableness and appropriateness. What does the covered entity use to make these determinations?
a. Size of the covered entity
b. Security capabilities of the covered entity’s system
c. Costs of security measures
d. All of the above
All of the above
The HIPAA security rule allows flexibility in implementation based on reasonableness and appropriateness. This means that covered entities can:
A) ignore addressable standards.
B) implement only required standards.
C) implement based on organizational assessment.
D) mitigate standards with a clearinghouse.
implement based on organizational assessment
Which term does the security rule use to define data or information that has not been altered or destroyed in an unauthorized manner?
A) applicability
B) security
C) integrity
D) confidentiality
integrity
The security rule's five sections include all of the following except:
A) administrative safeguards.
B) physical safeguards.
C) organizational requirements.
D) encryption requirements.
encryption requirements
The security awareness and training standard requires awareness and training for all workforce members and should include________.
A) periodic security reminders.
B) malicious software.
C) contingency plans.
D) response reporting.
periodic security reminders
All of the following are security rule physical safeguards standards except:
A) facility access controls.
B) contingency planning.
C) workstation security.
D) device and media controls.
contingency planning
Fred resigned from his position at University Hospital. According to the HIPAA security rule, his access to the electronic health record system should be terminated:
A) one week after resignation date.
B) 30 days after resignation date.
C) promptly upon resignation.
D) never; because he resigned and was not terminated, continued access presents little risk to the hospital.
promptly upon resignation.
A subcontractor of a business associate may:
A) always transmit ePHI on the business associate's behalf.
B) transmit ePHI on the business associate's behalf if it provides satisfactory assurances that the information will be appropriately safeguarded.
C) never transmit ePHI on the business associate's behalf.
D) transmit ePHI on the business associate's behalf as long as it has an operational need to do so.
transmit ePHI on the business associate's behalf if it provides satisfactory assurances that the information will be appropriately safeguarded.
The best source for obtaining primary information on addressing the HIPAA security rule would be which of the following sources?
A) Journal of AHIMA
B) security consultants
C) AHIMA annual meeting
D) Department of HHS
Department of HHS
The workforce security administrative safeguard requires policies and procedures that:
A) ensure appropriate ePHI access by workforce members.
B) prevent access to ePHI by workforce members who should not have access.
C) both a and b.
D) neither a nor b.
both a and b.
A security procedure that causes a computer session to end after a predetermined period of inactivity is a(n)
a. Audit trail
b. Termination of access
c. Automatic log-off
d. Access control
Automatic log-off
The purpose of the implementation specifications of the HIPAA Security Rule is to provide _______.
A. protection of patient information
B. instruction for implementation of standards
C. guidance for security training and education
D. sample policies and procedures for compliance
instruction for implementation of standards
One of the four general requirements a covered entity must adhere to for compliance with the HIPAA Security Rule is to ensure the confidentiality, integrity and _______ of ePHI.
A. addressability
B. accuracy
C. availability
D. accountability
availability
The HIPAA Security Rule applies to which of the following covered entities?
A. Hospital that bills Medicare
B. Physician electronic billing company
C. BlueCross health insurance plan
D. All of the above
All of the above
Non-compliance with the HIPAA Security Rule can lead to _______.
A. Civil penalties
B. Criminal penalties
C. Both a and b
D. A maximum annual penalty of $1 million
Both a and b
Copying data onto tapes and storing the tapes at a distant location is an example of ______.
a. Data Backup
b. Data Mapping
c. Data Recovery
d. Data Storage for Recovery
Data Backup
The capture of data by a hospital’s data security system that shows multiple invalid attempts to access the patients’ database is an example of what type of security control?
a. Audit trail
b. Access Control
c. Auto-Authentication
d. Override function
Audit trail
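As an added example (not part of the flashcard set), the following Python script shows the kind of analysis an audit trail makes possible: it reads a constructed audit log and flags any user/source pair that fails repeatedly within a short window, which is how "multiple invalid attempts to access the patients' database" would actually be surfaced. The log format, field names, sample entries, threshold and window are all assumptions made for illustration; the Security Rule itself prescribes none of them.

```python
"""Audit-trail analysis: flag repeated failed accesses to a patient database.

Added example, not from the flashcards. The log format below is an assumed,
constructed one: "<ISO-8601 UTC timestamp> user=<id> src=<ip> action=<name> result=<ok|fail>".
Entries are assumed to be in chronological order, as an appended audit log would be.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample audit entries (not real data). rn_ward3 fails five times in
# under a minute; mlee fails five times spread one hour apart (a "low and slow" pattern).
SAMPLE_LOG = """\
2024-03-04T08:00:01Z user=jdoe src=10.0.5.21 action=patient_db_login result=ok
2024-03-04T08:02:11Z user=rn_ward3 src=10.0.5.40 action=patient_db_login result=fail
2024-03-04T08:02:20Z user=rn_ward3 src=10.0.5.40 action=patient_db_login result=fail
2024-03-04T08:02:31Z user=rn_ward3 src=10.0.5.40 action=patient_db_login result=fail
2024-03-04T08:02:45Z user=rn_ward3 src=10.0.5.40 action=patient_db_login result=fail
2024-03-04T08:02:58Z user=rn_ward3 src=10.0.5.40 action=patient_db_login result=fail
2024-03-04T08:05:00Z user=jdoe src=10.0.5.21 action=patient_db_query result=ok
2024-03-04T08:30:00Z user=mlee src=10.0.7.9 action=patient_db_login result=fail
2024-03-04T09:30:00Z user=mlee src=10.0.7.9 action=patient_db_login result=fail
2024-03-04T10:30:00Z user=mlee src=10.0.7.9 action=patient_db_login result=fail
2024-03-04T11:30:00Z user=mlee src=10.0.7.9 action=patient_db_login result=fail
2024-03-04T12:30:00Z user=mlee src=10.0.7.9 action=patient_db_login result=fail
"""

ENTRY_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>ok|fail)$"
)


def parse_entry(line):
    """Parse one audit line into a dict; reject anything that does not match the format."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit entry: {line!r}")
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return entry


def find_repeated_failures(log_text, threshold=5, window_seconds=300):
    """Return one alert per (user, src) pair that reaches `threshold` failures
    inside a sliding window of `window_seconds`. Successful entries are ignored."""
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry["result"] != "fail":
            continue
        key = (entry["user"], entry["src"])
        bucket = recent[key]
        bucket.append(entry["ts"])
        # Drop failures that fell out of the window relative to this entry.
        while bucket and (entry["ts"] - bucket[0]).total_seconds() > window_seconds:
            bucket.popleft()
        if len(bucket) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": entry["user"],
                "src": entry["src"],
                "count": len(bucket),
                "first": bucket[0],
                "last": entry["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_repeated_failures(SAMPLE_LOG):
        print(f"{alert['user']} from {alert['src']}: {alert['count']} failures "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

With the default five-minute window only rn_ward3 is flagged; widening the window to several hours also catches mlee. The Security Rule's audit controls standard and log-in monitoring specification require that such activity be recorded and examined, but they set no threshold or window; both are outputs of the covered entity's own risk analysis, and the second run illustrates why a window chosen too narrowly leaves a slow pattern invisible.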
The HIPAA Security Rule contains the following safeguards except ______.
a. technical
b. administrative
c. physical
d. reliability
reliability
The enforcement agency for the security rule is _________.
a. Office of the Inspector General
b. Centers for Medicare and Medicaid Services
c. Office for Civil Rights
d. Office of Management and Budget
Office for Civil Rights
With addressable standards, the covered entity may do all but which of the following?
a. implement the standard as written
b. implement an alternative standard
c. ignore the standard since it is addressable
d. determine the risk of not implementing is negligible
ignore the standard since it is addressable
A nurse administrator who does not typically take call gets called in over the weekend to staff the emergency department. She does not have access to enter notes since this is not a part of her typical role. In order to meet the intent of the HIPAA Security Rule, the hospital policy should include _______.
a. a requirement for her to attend training before accessing ePHI.
b. a provision to allow her to share a password with another nurse.
c. a provision to allow her emergency access to the system.
d. a restriction on her ability to access ePHI.
A provision to allow her emergency access to the system.