Test 4 Flashcards

1
Q

The HIPAA privacy rule __________.

a. Protects only medical information that is not already specifically protected by state law
b. Supersedes all state laws that conflict with it
c. Is federal common law
d. Sets a minimum (floor) of privacy requirements

A

Sets a minimum (floor) of privacy requirements

2
Q

PHI refers to __________ health information.

a. Private
b. Protected
c. Previous
d. Preliminary

A

Protected

3
Q

Debbie, an HIM professional, was recently hired as the privacy officer at a large physician practice. She observes the following practices. Which is a violation of the HIPAA privacy rule?

A) Dr. Graham recommends a medication to a patient with asthma.
B) Dr. Herman gives a patient a pen with the name of a pharmaceutical company on it.
C) Dr. Martin recommends acupuncture to a patient.
D) Dr. Lawson gives names of asthma patients to a pharmaceutical company.

A

Dr. Lawson gives names of asthma patients to a pharmaceutical company.

4
Q

Although HIPAA is not the first piece of federal privacy legislation, it is more expansive than the Federal Privacy Act of 1974, which applied privacy rules to __________.

a. Veterans’ records
b. Medicare and Medicaid records
c. Federal agencies
d. Non-profit hospitals

A

Federal agencies

5
Q

Mercy Hospital personnel need to review the medical records of Katie Grace for utilization review purposes (#1). They will also be sending her records to her physician for continuity of care (#2). As they pertain to Mercy Hospital, these two functions are:

a. Use (#1) and disclosure (#2)
b. Request (#1) and disclosure (#2)
c. Disclosure (#1) and use (#2)
d. None of the above

A

Use (#1) and disclosure (#2)

6
Q

The privacy rule resides in:

A) Title I of HIPAA.
B) Title I of the Federal Privacy Act.
C) Title II of HIPAA.
D) Title II of the Federal Privacy Act.

A

Title II of HIPAA.

7
Q

Medical information loses PHI status and is no longer protected by the HIPAA privacy rule when it:

A) becomes an oral communication.

B) is de-identified.

C) is used for TPO.

D) is individually identifiable.

A

is de-identified.

8
Q

Champion Hospital retains Hall, Hall and Hall, a law firm, to perform all of its legal work, including representation during medical malpractice lawsuits. Which of the following statement(s) is/are correct?

A) The law firm is not a business associate because it is a legal, not a medical, organization.

B) The law firm is a business associate because it performs activities on behalf of the hospital.

C) The law firm is a business associate because it uses or discloses individually identifiable health information on behalf of the hospital.

D) The law firm is not a business associate because the privacy rule prohibits it from using individually identifiable information.

E) a and d

A

The law firm is a business associate because it uses or discloses individually identifiable health information on behalf of the hospital.

9
Q

Which of the following statements is true? A HIPAA authorization __________.

a. May never be revoked.
b. May be revoked as long as it is in writing.
c. May be revoked verbally or in writing.
d. May be revoked, but the revocation doesn’t take effect for 60 days.

A

May be revoked as long as it is in writing.

10
Q

Which of the following is a public interest and benefit exception to the authorization requirement?

A) payment

B) PHI regarding victims of domestic violence

C) information requested by a patient's attorney

D) treatment

A

PHI regarding victims of domestic violence

11
Q

Which of the following disclosures provides an individual with the opportunity to agree?

A) facility directory

B) treatment, payment and operations

C) regarding Workers' Compensation

D) information regarding decedents

A

facility directory

12
Q

The Health Information Technology for Economic and Clinical Health (HITECH) Act has affected HIPAA in which of the following ways?

a. Definition of PHI has changed
b. Consequences to business associates have become greater
c. Number of covered entity categories has increased
d. HITECH did not make any changes to HIPAA

A

Consequences to business associates have become greater

13
Q

Per the HIPAA privacy rule, a hybrid entity is defined as one that

a. serves both self-pay patients and insured patients
b. performs both covered and non-covered functions under the privacy rule
c. educates students and provides medical services to those students as well
d. is both a healthcare provider and healthcare insurer

A

performs both covered and non-covered functions under the privacy rule

14
Q

Dr. Blake is selling his practice to Dr. Walton. If he sells patient information as part of the sale of the practice, he is __________.

a. Violating HIPAA
b. Not violating HIPAA.
c. Not violating HIPAA as long as he sells only patient demographic information
d. Violating HIPAA unless he obtains authorization from each patient

A

Not violating HIPAA

15
Q

Of the following options, a sign-in sheet at a physician’s office is best described as __________.

a. Authorization
b. Treatment
c. Incidental disclosure
d. Marketing

A

Incidental disclosure

16
Q

Shirley Denton has written to request an amendment to her PHI from Bon Voyage Hospital, stating that incorrect information is present on the document in question. The document is an incident report from Bon Voyage Hospital, which was erroneously placed in Ms. Denton's health record. The covered entity declines to grant her request based on which privacy rule provision?

A) It was not created by the covered entity.

B) It is not part of the designated record set.

C) Both a and b.

D) None. The covered entity must grant her request.

A

It is not part of the designated record set.

17
Q

Jack Mitchell, a patient in Ross Hospital, is being treated for gallstones. He has not opted out of the facility directory. Callers who request information about him may be given:

A) no information due to the highly sensitive nature of his illness.

B) admission date and location in the facility.

C) general condition and acknowledgement of admission.

D) location in the facility and diagnosis.

A

General condition and acknowledgement of admission.

18
Q

The privacy rule generally requires documentation related to its requirements to be retained for _______.

A) 3 years.

B) 5 years.

C) 6 years.

D) 10 years.

A

6 years

19
Q

Breach notification requirements apply to _______.

A) HIPAA covered entities.

B) HIPAA covered entities and their BAs.

C) non-HIPAA covered entities and BA.

D) all of the above

A

all of the above

20
Q

A physician practice was warned last year by auditors that its disposal of paper records (dumping them in bins without shredding or deidentifying them) violated HIPAA, but it did nothing to correct the problem. When the records were found in a city dumpster, an anonymous caller notified the Office for Civil Rights (OCR). An investigation by OCR confirmed that the practice had been warned about the violations. What level of violation is OCR likely to assess in this situation?

a. Unknowing
b. Reasonable cause
c. Willful neglect, corrected within 30 days of discovery
d. Willful neglect, uncorrected

A

Willful neglect, uncorrected

21
Q

A waived authorization for a research study may be granted by ________.

a. A researcher in the research study
b. An Institutional Review Board
c. The CEO of a covered entity that is providing PHI
d. The office of civil rights

A

An Institutional Review Board

22
Q

Which of the following is an example of mitigation?

a. Breach notification
b. Apology
c. Payment of a bill for financial loss resulting from an infraction
d. All of these are examples of mitigation

A

All of these are examples of mitigation

23
Q

The May 31, 2011 proposed rule introduced the concept of a(n) _________.

a. Access report
b. Accounting of disclosures
c. Penalty of HIPAA violations resulting from malicious behavior
d. Limitation on records of the deceased as PHI

A

Access report

24
Q

Which of the following can the HIM department require of a patient who is requesting an amendment to her PHI?

a. Submit the request in writing
b. Attend a meeting
c. Payment of nominal fee to address the cost of reviewing the request
d. There are no requirements

A

Submit the request in writing

25
Q

Where can patients find complete descriptions of how the PHI is used in a healthcare facility?

a. Notice of privacy practices
b. Medical staff rules and regulations
c. Governing board bylaws
d. HIM policies and procedures

A

Notice of privacy practices

26
Q

With proper written authorization from a patient, Houston Hospital obtains a copy of the patient’s health record from Austin Hospital. Houston Hospital then releases the information from Austin Hospital to Dallas Hospital. What is this practice called?

a. Redisclosure
b. Release of information
c. Voir dire
d. Ad testificandum

A

Redisclosure

27
Q

Sally Mitchell was treated for kidney stones at Graham Hospital last year. She now wishes to review her medical record in person. She has requested to review them by herself in a closed room. Which of the following is true?

a. Failure to accommodate her wishes will be a violation of the HIPAA privacy rule.
b. Sally owns the information in her record, so she must be granted her request.
c. Sally’s request does not have to be granted because the hospital is responsible for the integrity of the medical record.
d. Patients should never be given access to their actual medical records.

A

Sally’s request does not have to be granted because the hospital is responsible for the integrity of the medical record.

28
Q

Kyle likes to request frequent accounting of disclosure reports from all of his providers so he knows where his PHI is being disseminated.

a. Each covered entity must provide the first accounting within a 12-month period at no cost
b. Each covered entity must provide the first accounting within a 12-month period for no greater than $10
c. Only one provider must provide the first accounting within a 12-month period at no cost; the others may charge a cost-based fee
d. Every covered entity must provide all accounting of disclosure reports at no cost

A

Each covered entity must provide the first accounting within a 12-month period at no cost

29
Q

Terry has requested that all written communications from his cardiologist's office be sent to his work address instead of his home address. The cardiology practice __________.

a. Must honor this confidential communication request if it is deemed reasonable
b. Is not required to honor any confidential communication requests of this nature
c. Is not required to honor this restriction request
d. Must honor this restriction request as long as it is submitted in writing

A

Must honor this confidential communication request if it is deemed reasonable

30
Q

Restriction requests __________.

a. Must always be honored
b. Can always be refused
c. Must be followed if disclosure would be to a health plan for payment and the PHI pertains to a service or item paid for in full by someone other than the health plan
d. Must be followed if an individual wants only certain persons to be given information about the individual that is contained in the facility directory

A

Must be followed if disclosure would be to a health plan for payment and the PHI pertains to a service or item paid for in full by someone other than the health plan

31
Q

HealthPartners has been the target of a network server hacking incident. 300 patients were affected. HealthPartners __________.

a. Is not required to report this to the affected patients because there were fewer than 500
b. Must inform the patients of what occurred; the type of PHI involved; and what steps HealthPartners is taking to prevent future hacking incidents
c. Is required to publish a list of the 300 patients who were affected
d. Must inform the patients of what occurred; the type of PHI involved; what steps HealthPartners is taking to prevent future hacking incidents; and the names of the other affected patients

A

Must inform the patients of what occurred; the type of PHI involved; and what steps HealthPartners is taking to prevent future hacking incidents

32
Q

If federal and state law conflict, federal law will generally supersede state law under the legal doctrine of __________.

a. Negligence
b. Restrictions
c. Preemption
d. Stare decisis

A

Preemption

33
Q

In the event of a HIPAA breach, how long does the facility have to notify each individual of the breach?

a. 30 days
b. 60 days
c. 90 days
d. 120 days

A

60 days

34
Q

The notice of privacy practices must inform individuals of their right to complain to whom?

A. The covered entity
B. The department of health and human services
C. Any employee of the facility
D. All of the above

A

All of the above

35
Q

Which rule requires covered entities to assign a unique name and/or number for identifying and tracking user identity?

a. Privacy rule
b. Security Rule
c. Administration rule
d. None of the above

A

Security Rule

36
Q

Nipa was admitted to a Houston Community Hospital for gallbladder removal. Which of the following information about her is considered confidential?

A: Previous history and treatment of a concussion
B: All information is considered confidential
C: Address upon admission
D: Date of birth

A

All information is considered confidential

37
Q

Steve has submitted a written authorization to request a copy of his medical chart. However, Steve’s psychiatrist has determined that access to his PHI might endanger his life or safety. What should the covered entity do concerning the request?

A: Release requested information to Steve
B: Release requested information to Steve’s legal guardian
C: Provide an appeals process to Steve for the denial
D: Confirm the psychiatrist decision and deny the request

A

Provide an appeals process to Steve for the denial

38
Q

In regard to a patient’s request for his PHI, which of the following statements is true?

A: A cost-based fee may be charged for making a copy of the PHI.
B: A cost-based fee may be charged for personnel expenses.
C: A cost-based fee may be charged for making a copy of the PHI.
D: No fee may be charged for PHI.

A

A cost-based fee may be charged for making a copy of the PHI.

39
Q

Jennifer submits a written request to Houston Hospital for a copy of her PHI on August 19. The information is stored offsite. By what date must the covered entity comply?

A: September 30
B: August 29
C: September 19
D: October 18

A

October 18

40
Q

Steve submits a written request to Houston Hospital for a copy of his PHI on August 19. By what date must the covered entity comply?

a. August 29
b. September 3
c. September 8
d. September 18

A

September 18

41
Q

The minimum necessary standard refers to the healthcare provider's effort to _____.

a. Invoice third-party payers for the least reasonable amount associated with care provided to the patient
b. Limit patient-specific health information released to that which is needed to accomplish the intended purpose only
c. Minimize the risk of negligence that would result in becoming involved in a malpractice lawsuit
d. Provide the patient with the minimum amount of procedures and medications to maintain reasonable insurance costs

A

Limit patient-specific health information released to that which is needed to accomplish the intended purpose only

42
Q

An authorization for use or disclosure of patient-specific health information that has been combined with any other document is called a(n) _____ authorization.

a. Admissibility
b. Beneficence
c. Certiorari
d. Compound

A

Compound

43
Q

The HIPAA security rule requires that the covered entity ________.

a. Eliminate all threats to ePHI
b. Hire a security consultant
c. Protect ePHI from reasonably anticipated threats
d. Protect ePHI at all costs

A

Protect ePHI from reasonably anticipated threats

44
Q

The HIPAA Security Rule allows flexibility in implementation based on reasonableness and appropriateness. What does the covered entity use to make these determinations?

a. Size of the covered entity
b. Security capabilities of the covered entity’s system
c. Costs of security measures
d. All of the above

A

All of the above

45
Q

The HIPAA security rule allows flexibility in implementation based on reasonableness and appropriateness. This means that covered entities can:

A) ignore addressable standards.

B) implement only required standards.

C) implement based on organizational assessment.

D) mitigate standards with a clearinghouse.

A

implement based on organizational assessment

46
Q

Which of the following terms does the security rule use to define data or information that has not been altered or destroyed in an unauthorized manner?

A) applicability

B) security

C) integrity

D) confidentiality

A

integrity

47
Q

The security rule's five sections include all of the following except:

A) administrative safeguards.

B) physical safeguards.

C) organizational requirements.

D) encryption requirements.

A

encryption requirements

48
Q

Security awareness training programs require the implementation of awareness and training of all workforce members and should include ________.

A) periodic security reminders.

B) malicious software.

C) contingency plans.

D) response reporting.

A

periodic security reminders

49
Q

All of the following are security rule physical safeguards standards except:

A) facility access controls.

B) contingency planning.

C) workstation security.

D) device and media controls.

A

contingency planning

50
Q

Fred resigned from his position at University Hospital. According to the HIPAA security rule, his access to the electronic health record system should be terminated:

A) one week after resignation date.

B) 30 days after resignation date.

C) promptly upon resignation.

D) never; because he resigned and was not terminated, continued access presents little risk to the hospital.

A

promptly upon resignation.

51
Q

A subcontractor of a business associate may:

A) always transmit ePHI on the business associate's behalf.

B) transmit ePHI on the business associate's behalf if it provides satisfactory assurances that the information will be appropriately safeguarded.

C) never transmit ePHI on the business associate's behalf.

D) transmit ePHI on the business associate's behalf as long as it has an operational need to do so.

A

transmit ePHI on the business associate's behalf if it provides satisfactory assurances that the information will be appropriately safeguarded.

52
Q

The best source for obtaining primary information on addressing the HIPAA security rule would be which of the following sources?

A) Journal of AHIMA

B) security consultants

C) AHIMA annual meeting

D) Department of HHS

A

Department of HHS

53
Q

The workforce security administrative safeguard requires policies and procedures that:

A) ensure appropriate ePHI access by workforce members.

B) prevent access to ePHI by workforce members who should not have access.

C) both a and b.

D) neither a nor b.

A

both a and b.

54
Q

A security procedure that causes a computer session to end after a predetermined period of inactivity is a(n):

a. Audit trail
b. Termination of access
c. Automatic log-off
d. Access control

A

Automatic log-off

55
Q

The purpose of the implementation specifications of the HIPAA Security Rule is to provide _______.

A. protection of patient information
B. instruction for implementation of standards
C. guidance for security training and education
D. sample policies and procedures for compliance

A

instruction for implementation of standards

56
Q

One of the four general requirements a covered entity must adhere to for compliance with the HIPAA Security Rule is to ensure the confidentiality, integrity and _______ of ePHI.

A. addressability
B. accuracy
C. availability
D. accountability

A

availability

57
Q

The HIPAA Security Rule applies to which of the following covered entities?

A. Hospital that bills Medicare
B. Physician electronic billing company
C. BlueCross health insurance plan
D. All of the above

A

All of the above

58
Q

Non-compliance with the HIPAA Security Rule can lead to _______.

A. Civil penalties
B. Criminal penalties
C. Both a and b
D. A maximum annual penalty of $1 million

A

Both a and b

59
Q

Copying data onto tapes and storing the tapes at a distant location is an example of ______.

a. Data Backup
b. Data Mapping
c. Data Recovery
d. Data Storage for Recovery

A

Data Backup

60
Q

The capture of data by a hospital’s data security system that shows multiple invalid attempts to access the patients’ database is an example of what type of security control?

a. Audit trail
b. Access Control
c. Auto-Authentication
d. Override function

A

Audit trail

61
Q

The HIPAA Security Rule contains the following safeguards except ______.

a. technical
b. administrative
c. physical
d. reliability

A

Reliability

62
Q

The enforcement agency for the security rule is _________.

a. Office of the Inspector General
b. Centers for Medicare and Medicaid Services
c. Office of Civil Rights
d. Office of Management and Budget

A

Office of Civil Rights

63
Q

With addressable standards, the covered entity may do all but which of the following?

a. implement the standard as written
b. implement an alternative standard
c. ignore the standard since it is addressable
d. determine the risk of not implementing is negligible

A

ignore the standard since it is addressable

64
Q

A nurse administrator who does not typically take call gets called in over the weekend to staff the emergency department. She does not have access to enter notes since this is not a part of her typical role. In order to meet the intent of the HIPAA Security Rule, the hospital policy should include _______.

a. a requirement for her to attend training before accessing ePHI.
b. a provision to allow her to share a password with another nurse.
c. a provision to allow her emergency access to the system.
d. a restriction on her ability to access ePHI.

A

A provision to allow her emergency access to the system.