The legal health record for disclosure consists of:
a. Any and all protected health information collected or used by a healthcare entity when delivering care
b. Only the protected health information requested by an attorney for a legal proceeding
c. The data, documents, reports, and information that comprise the formal business records of any healthcare entity that are to be utilized during legal proceedings
d. All of the data and information included in the HIPAA designated record set
c. The data, documents, reports, and information that comprise the formal business records of any healthcare entity that are to be utilized during legal proceedings
A secure method of communication between the healthcare provider and the patient is:
a. Personal health record
b. E-mail
c. Patient portal
d. Online health information
c. Patient portal
Based on which of the following concepts can a clinic requesting health records for one of its patients be reasonably assured that the correct patient information will be sent?
a. Verification
b. Confirmation
c. Authentication
d. Certification
a. Verification
In the state of California, healthcare organizations must provide patients a copy of their medical record within 15 days of the request, whereas HIPAA requires organizations to provide records within 30 days of the request. This is an example of state law being _ in relation to federal law.
a. Stringent
b. Contrary
c. Standardized
d. Conflicting
a. Stringent
Recently, a healthcare organization has noticed an increase in the number of whooping cough cases in children under 5 years old. The healthcare organization reports the information to the state department of health. Which of the following statements is most applicable to the disclosure of this information?
a. The healthcare organization violated HIPAA because it didn't get authorization prior to the disclosure.
b. The healthcare organization did not violate HIPAA because it can disclose information to anyone as it sees fit.
c. The healthcare organization did not violate HIPAA because the disclosure impacted the public health of everyone.
d. The healthcare organization violated HIPAA because it did not get authorization from the state department of health prior to the disclosure.
c. The healthcare organization did not violate HIPAA because the disclosure impacted the public health of everyone.
The _ requires organizations to implement policies and procedures to safeguard the facility and equipment from unauthorized access, tampering, and theft.
a. Contingency plan
b. Security Rule
c. Media and device controls
d. Emergency mode operations plan
b. Security Rule
Following a data breach with less than 500 impacted, how long does a covered entity have to provide notification of the breach to the secretary of the Department of Health and Human Services?
a. Immediately after determination of the data breach
b. Within 30 days
c. Within 60 days
d. 60 days after the end of the calendar year in which the breach occurred
d. 60 days after the end of the calendar year in which the breach occurred
Barbara requested a copy of her PHI from her physician office on August 31. It is now October 10 and she has not heard anything from the physician office. Which of the following statements is correct?
a. This is not a HIPAA violation because the physician's office has 60 days to respond.
b. This is not a HIPAA violation because Barbara does not have a right to her information.
c. This is a HIPAA violation because the physician's office did not respond within 30 days.
d. This is a HIPAA violation because the physician's office did not respond within 15 days.
c. This is a HIPAA violation because the physician's office did not respond within 30 days.
Sara Anderson presented to the HIM department upset that her health information was sent to the state department of health. The HIM director explained to Sara that this information is part of their mandatory legal reporting requirements even though the information in her health record is owned by:
a. The healthcare facility
b. Sara's physician
c. Sara, the patient
d. The state
c. Sara, the patient
Gladys, a 90-year-old patient, calls the HIM department and tells the HIM professional that her daughter Joan will be in to pick up a copy of her records to take to her specialist. Which of the following is required for the HIM professional to comply with this request?
a. Nothing is required; Gladys has provided her consent over the phone.
b. Gladys must provide a written authorization.
c. Gladys must repeat her request so that it can be verbally recorded.
d. Joan must sign an authorization when she presents to the facility.
b. Gladys must provide a written authorization.
A physician is conducting a research study on the medication compliance of diabetic patients. The facility's consent-for-treatment form includes authorization for the use and disclosure of PHI for research, so the physician wants to begin the study. Why is this not acceptable?
a. The Privacy Rule prohibits compound authorizations.
b. Research does not require an authorization.
c. The physician must call the participants of the study first.
d. HIPAA prohibits the use and disclosure of information for research.
a. The Privacy Rule prohibits compound authorizations.
Mary Smith has gone to her doctor to discuss her current medical condition. What is the legal term that best describes the type of communication that has occurred between Mary and her physician?
a. Closed communication
b. Open communication
c. Private communication
d. Privileged communication
d. Privileged communication
Community Hospital wants to provide transcription services for office notes of the private patients of physicians. All of these physicians have medical staff privileges at the hospital. This will provide an essential service to the physicians and additional revenue for the hospital. In preparing to launch this service the HIM director is asked whether a business associate agreement is necessary. Which of the following should the hospital HIM director advise to comply with HIPAA regulations?
a. Each physician practice should obtain a business associate agreement with the hospital.
b. The hospital should obtain a business associate agreement with each physician practice.
c. Because the physicians all have medical staff privileges, no business associate agreement is necessary.
d. Because the physicians are part of an Organized Health Care Arrangement (OHCA) with the hospital, no business associate agreement is necessary.
a. Each physician practice should obtain a business associate agreement with the hospital.
Which of the following is a mechanism that records and examines activity in information systems?
a. eSignature laws
b. Security audits
c. Minimum necessary rules
d. Access controls
b. Security audits
A patient requests copies of her medical records in an electronic format. The hospital maintains a portion of the designated record set in a paper format and a portion of the designated record set in an electronic format. How should the hospital respond?
a. Provide the records in paper format only
b. Scan the paper documents so that all records can be sent electronically
c. Provide the patient with both paper and electronic copies of the record
d. Inform the patient that PHI cannot be sent electronically
c. Provide the patient with both paper and electronic copies of the record
The HIM manager typically can testify about which of the following when a party in a legal proceeding is attempting to admit a health record as evidence?
a. The care provided to the patient
b. Identification of the record as the one subpoenaed
c. The qualifications of the treating physician
d. Identification of the standard of care used to treat the patient
b. Identification of the record as the one subpoenaed
If a healthcare provider is accused of breaching the privacy and confidentiality of a patient, what resource may a patient rely on to substantiate the provider's responsibility for keeping health information private?
a. Professional Code of Ethics
b. Federal Code of Fair Practice
c. Federal Code of Silence
d. State Code of Fair Practice
a. Professional Code of Ethics
Which professional has the responsibility of determining when an individual or entity has the right to access healthcare information in a hospital setting?
a. Physicians
b. Nurses
c. Health information management professionals
d. Hospital administrators
c. Health information management professionals
A hospital is terminating its business associate relationship with a medical transcription company. The transcription company has no need for identifiable information that was obtained during business with the hospital. The CFO of the hospital believes that, to be HIPAA compliant, all that is necessary is for the termination to be in a formal letter signed by the CEO. In this case, how should the director of HIM advise the CFO?
a. Confirm formal letter of termination meets HIPAA requirements and no further action is required
b. Confirm formal letter of termination meets HIPAA requirements and no further action is required except that the termination notice needs to be retained for seven years
c. Confirm formal letter of termination is required and the transcription company must provide the hospital with a certification that all PHI in its possession has been destroyed or returned
d. Inform the CFO that BAA cannot be terminated
c. Confirm formal letter of termination is required and the transcription company must provide the hospital with a certification that all PHI in its possession has been destroyed or returned
Emma is getting ready to begin kindergarten. Her school is requesting her immunization records as required by state law. Per HIPAA, Emma's pediatrician may:
a. Not disclose this PHI without the authorization of Emma's parent
b. Disclose this information because it is not PHI
c. Disclose this PHI with verbal permission from Emma's parent
d. Not disclose this PHI because it is an exception to the public health activity authorization exception
c. Disclose this PHI with verbal permission from Emma's parent
Ensuring that data have been accessed or modified only by those authorized to do so is a function of:
a. Data integrity
b. Data quality
c. Data granularity
d. Logging functions
a. Data integrity
The privacy officer was conducting training for new employees and posed the following question to the trainees to help them understand the rule regarding breach notification: "If a breach occurs, which of the following must be provided to the individual whose PHI has been breached?"
a. The facility's notice of privacy practices
b. An authorization to release the individual's PHI
c. The types of unsecured PHI that were involved
d. A promise to never do it again
c. The types of unsecured PHI that were involved
Community Hospital is planning implementation of various elements of the EHR in the next six months. Physicians have requested the ability to access the EHR from their offices and from home. What advice should the HIM director provide?
a. HIPAA regulations do not allow this type of access.
b. This access would be covered under the release of PHI for treatment purposes and poses no security or confidentiality threats.
c. Access can be permitted providing that appropriate safeguards are put in place to protect against threats to security.
d. Access cannot be permitted because the physicians would not be accessing information for treatment purposes.
c. Access can be permitted providing that appropriate safeguards are put in place to protect against threats to security.
The Medical Record Committee is reviewing the privacy policies for a large outpatient clinic. One of the members of the committee remarks that he feels that the clinic's practice of calling out a patient's full name in the waiting room is not in compliance with HIPAA regulations and that only the patient's first name should be used. Other committee members disagree with this assessment. What should the HIM director advise the committee?
a. HIPAA does not allow a patient's name to be announced in a waiting room.
b. There is no violation of HIPAA in announcing a patient's name, but the committee may want to consider implementing practices that might reduce this practice.
c. HIPAA allows only the use of the patient's first name.
d. HIPAA requires that patients be given numbers and that only the number be announced.
b. There is no violation of HIPAA in announcing a patient's name, but the committee may want to consider implementing practices that might reduce this practice.
Which of the following is a kind of technology that focuses on data security?
a. Clinical decision support
b. Bitmapped data
c. Firewalls
d. Smart cards
c. Firewalls
Mr. Martin has asked his physician's office to review a copy of his PHI. His request must be responded to no later than _ after the request was made.
a. 90 days
b. 60 days
c. 30 days
d. 6 weeks
c. 30 days
A hospital currently includes the patient's social security number in the electronic version of the health record. The hospital risk manager has identified this as a potential identity breach risk and wants the information removed. The physicians and others in the hospital are not cooperating, saying they need the information for identification and other purposes. Given this situation, what should the HIM director suggest?
a. Avoid displaying the number on any document, screen, or data collection field
b. Allow the information in both electronic and paper forms since a variety of people need this data
c. Require employees to sign confidentiality agreements if they have access to social security numbers
d. Contact legal counsel for advice
a. Avoid displaying the number on any document, screen, or data collection field
The Privacy Rule establishes that a patient has the right of access to inspect and obtain a copy of his or her PHI:
a. For as long as it is maintained
b. For six years
c. Forever
d. For 12 months
a. For as long as it is maintained
Under the HIPAA Security Rule, these types of safeguards have to do with protecting the environment:
a. Administrative
b. Physical
c. Security
d. Technical
b. Physical
Which of the following is not an identifier under the Privacy Rule?
a. Visa account 2773 985 0468
b. Vehicle license plate BZ LITYR
c. Age 75
d. Street address 265 Cherry Valley Road
c. Age 75
One of the four general requirements a covered entity must adhere to in order to be in compliance with the HIPAA Security Rule is to:
a. Ensure the confidentiality, integrity, and addressability of ePHI
b. Ensure the confidentiality, integrity, and accuracy of ePHI
c. Ensure the confidentiality, integrity, and availability of ePHI
d. Ensure the confidentiality, integrity, and accountability of ePHI
c. Ensure the confidentiality, integrity, and availability of ePHI
In Medical Center Hospital's clinical information system, nurses may write nursing notes and may read all parts of the patient health record for patients on the unit in which they work. This type of authorized use is called:
a. Password limitation
b. Security clearance
c. Role-based access
d. User grouping
c. Role-based access
Which of the following controls external access to a network?
a. Access controls
b. Alarms
c. Encryption
d. Firewall
d. Firewall
Brittany is a new health information department employee. She is trained on the special procedures that must be followed prior to disclosure of health information that is deemed to be highly sensitive. Brittany knows that highly sensitive information receives special protections because it pertains to conditions that:
a. Are generally fatal
b. Are untreatable
c. Are highly contagious
d. Have a stigma or sensitivity associated with them
d. Have a stigma or sensitivity associated with them
If a patient has health insurance but pays in full for a healthcare service and asks that the information be kept private, under HIPAA the covered entity must:
a. Release the information to the health insurance provider
b. Get special patient consent to release the information
c. Comply with the patient's request and keep the information private
d. Request permission from HHS to release the information
c. Comply with the patient's request and keep the information private
Identifying appropriate users of specific information is a function of:
a. Access control
b. Nosology
c. Data modeling
d. Workflow modeling
a. Access control
A visitor sign-in sheet to a computer area is an example of what type of control?
a. Administrative
b. Audit
c. Facility access
d. Workstation
c. Facility access
Which of the following is an administrative safeguard action?
a. Facility access control
b. Documentation retention guidelines
c. Maintenance record
d. Media reuse
b. Documentation retention guidelines
Susan is completing her required high school community service hours by serving as a volunteer at the local hospital. Relative to the hospital, Susan is a(n):
a. Business associate
b. Employee
c. Workforce member
d. Covered entity
c. Workforce member
What is the legal term used to define the protection of health information in a patient-provider relationship?
a. Access
b. Confidentiality
c. Privacy
d. Security
b. Confidentiality
Mary Jones has been declared legally incompetent by the court. Mrs. Jones's sister has been appointed her legal guardian. Her sister requested a copy of Mrs. Jones's health records. Of the options listed here, what is the best course of action?
a. Comply with the sister's request but first request documentation from the sister that she is Mary Jones's legal guardian
b. Provide the information as requested by the sister
c. Require that Mary Jones authorize the release of her health information to the sister
d. Refer the sister to Mary Jones's doctor
a. Comply with the sister's request but first request documentation from the sister that she is Mary Jones's legal guardian
Caitlin has been experiencing abdominal pain. Removal of her gallbladder was recommended. Who is responsible to obtain Caitlin's informed consent?
a. The anesthesiologist who will be administering general anesthesia
b. The surgical nurse who will assist during surgery
c. The physician who will be performing the surgery
d. The administrator in the surgery department
c. The physician who will be performing the surgery
Health Insurance Portability and Accountability Act's Privacy Rule states that "_ used for the purposes of treatment, payment, or healthcare operations does not require patient authorization to allow providers access, use, or disclosure." However, only the _ information needed to satisfy the specified purpose can be used or disclosed.
a. Demographic information, minimum necessary
b. Protected health information, minimum necessary
c. Protected health information, diagnostic
d. Demographic information, diagnostic
a. Demographic information, minimum necessary
The HIM manager received notification that a user accessed the PHI of a patient with the same last name as the user. This is an example of a(n):
a. Encryption
b. Trigger flag
c. Transmission security
d. Redundancy
b. Trigger flag
Which of the following is a direct command that requires an individual or a representative of a healthcare entity to appear in court or to present an object to the court?
a. Judicial decision
b. Subpoena
c. Credential
d. Regulation
b. Subpoena
Kay Denton wrote to Mercy Hospital requesting an amendment to her PHI. She states that her record incorrectly lists her weight at 180 lbs. instead of her actual 150 lbs., and amending it would look better on her record. The information is present on a copy of a history and physical that General Hospital sent to Mercy Hospital. Mercy Hospital may decline to grant her request based on which privacy rule provision?
a. Individuals do not have the right to make amendment requests.
b. The history and physical was not created by Mercy Hospital.
c. A history and physical is not part of the designated record set.
d. Mercy Hospital must grant her request.
b. The history and physical was not created by Mercy Hospital.
Authorization management involves:
a. The process used to protect the reliability of a database
b. Limiting user access to a database
c. Allowing unlimited use of the database
d. Developing definitions for database elements
b. Limiting user access to a database
Per HITECH, an accounting of disclosures must include disclosures made during the previous:
a. 10 years
b. 6 years
c. 3 years
d. 1 year
c. 3 years
In the case of behavioral healthcare information, a healthcare provider may disclose health information on a patient without the patient's authorization in which of the following situations?
a. Court order, duty to warn, and involuntary commitment proceedings
b. Duty to warn, release of psychotherapy notes, and court order
c. Involuntary commitment proceedings, court order, and substance abuse treatment records
d. Release of psychotherapy notes, substance abuse treatment records, and duty to warn
a. Court order, duty to warn, and involuntary commitment proceedings
An employee received an email that he thought was from the information technology department. He provided his personal information at the sender's request. The employee was tricked by:
a. Phishing
b. Ransomware
c. Virus
d. Bot
a. Phishing
A hospital has a procedure that allows patients to decide if they want to be in the directory. Directory information includes patient name, hospital location, and condition. Patient information in the directory is used to inform callers who know the patient's name. Some patients have requested to be in the directory but to have information released only to people the patient designates. A committee is considering changing the policy to accommodate these patients. What advice should the HIM director provide?
a. Approve the requests because it is a patient right under HIPAA
b. Deny requests because screening of calls is difficult to manage and information given in error would be a HIPAA violation
c. Develop 2 different types of directories—1 for provision of all information and 1 for provision of information to selected friends and family of the patient
d. Deny these requests and seek approval from the Office of Civil Rights
b. Deny requests because screening of calls is difficult to manage and information given in error would be a HIPAA violation
A competent adult female has a diagnosis of ovarian cancer and while on the operating table suffers a stroke and is in a coma. Her son would like to access her health records from a clinic she recently visited for pain in her right arm. The patient is married and lives with her husband and two grown children. According to the Uniform Health Care Decisions Act (UHCDA), who is the logical person to request and sign an authorization to access the woman's health records from the clinic?
a. Adult child making request
b. Oldest adult child
c. Patient
d. Spouse
d. Spouse
The baby of a mother who is 15 years old was recently discharged from the hospital. The mother is seeking access to the baby's health record. Who must sign the authorization for release of the baby's health record?
a. Both mother and father of the baby
b. Maternal grandfather of the baby
c. Maternal grandmother of the baby
d. Mother of the baby
d. Mother of the baby
The outpatient clinic of a large hospital is reviewing its patient sign-in procedures. The registration clerks say it is essential that they know if the patient has health insurance and the reason for the patient's visit. The clerks maintain that having this information on a sign-in sheet will make their jobs more efficient and reduce patient waiting time in the waiting room. What should the HIM director advise in this case?
a. To be HIPAA compliant, sign-in sheets should contain the minimal information necessary such as patient name.
b. Patient name, insurance status, and diagnoses are permitted by HIPAA.
c. Patient name, insurance status, and reason for visit would be considered incidental disclosures if another patient saw this information.
d. Any communication overheard by another patient is considered an incidental disclosure.
a. To be HIPAA compliant, sign-in sheets should contain the minimal information necessary such as patient name.
The Latin phrase meaning "let the master answer" that puts responsibility for negligent actions of employees on the employer is called:
a. Res ipsa loquitur
b. Res judicata
c. Respondeat superior
d. Restitutio in integrum
c. Respondeat superior
Employees in the hospital business office may have legitimate access to patient health information without patient authorization based on what HIPAA standard or principle?
a. Minimum necessary
b. Compound authorization
c. Accounting of disclosures
d. Preemption
a. Minimum necessary
Per the HITECH breach notification requirements, which of the following is the threshold in which the media and the Secretary of Health and Human Services should be notified of the breach?
a. More than 1,000 individuals affected
b. More than 500 individuals affected
c. More than 250 individuals affected
d. Any number of individuals affected requires notification
b. More than 500 individuals affected
Dr. Williams is on the medical staff of Sutter Hospital, and he has asked to see the health record of his wife, who was recently hospitalized. Dr. Jones was the patient's physician. Of the options listed here, which is the best course of action?
a. Refer Dr. Williams to Dr. Jones and release the record if Dr. Jones agrees
b. Inform Dr. Williams that he cannot access his wife's health information unless she authorizes access through a written release of information
c. Request that Dr. Williams ask the hospital administrator for approval to access his wife's record
d. Inform Dr. Williams that he may review his wife's health record in the presence of the privacy officer
b. Inform Dr. Williams that he cannot access his wife's health information unless she authorizes access through a written release of information
Which of the following are technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals as a method to prevent a breach of PHI?
a. Encryption and destruction
b. Recovery and encryption
c. Destruction and redundancy
d. Interoperability and recovery
a. Encryption and destruction
The hospital's public relations department in conjunction with the local high school is holding a job shadowing day. The purpose of this event is to allow high school seniors an opportunity to observe the various jobs in the hospital and to help the students with career planning. The public relations department asks for input on this event from the standpoint of HIPAA compliance. In this case, what should the HIM department advise?
a. Job shadowing is allowed by HIPAA under the provision of allowing students and trainees to practice.
b. Job shadowing should be limited to areas in which the likelihood of exposure to PHI is very limited, such as administrative areas.
c. Job shadowing is allowed by HIPAA under the provision of volunteers.
d. Job shadowing is specifically prohibited by HIPAA.
b. Job shadowing should be limited to areas in which the likelihood of exposure to PHI is very limited, such as administrative areas.
A hospital releases information to an insurance company with proper authorization by the patient. The insurance company forwards the information to a medical data clearinghouse. This process is referred to as:
a. Admissibility
b. Civil release
c. Privileging process
d. Redisclosure
d. Redisclosure
When a patient revokes authorization for release of information after a healthcare entity has already released the information, the healthcare entity in this case:
a. May be prosecuted for invasion of privacy
b. Has become subject to civil action
c. Has violated the security regulations of HIPAA
d. Is protected by the Privacy Act
d. Is protected by the Privacy Act
Generally, policies addressing the confidentiality of quality improvement (QI) committee data (minutes, actions, and so forth) state that this kind of data is:
a. Protected from disclosure
b. Subject to release with patient authorization
c. Generally available to interested parties
d. May not be reviewed or released to external reviewers such as the Joint Commission
a. Protected from disclosure
An employer has contacted the HIM department and requested health information on one of his employees. Of the options listed here, what is the best course of action?
a. Provide the information requested
b. Refer the request to the attending physician
c. Request the employee's written authorization for release of information
d. Request the employer's written authorization for release of the employee's information
c. Request the employee's written authorization for release of information
Under the HIPAA Privacy Rule, a hospital may disclose health information without authorization or subpoena in which of the following cases?
a. The patient has been involved in a crime that may result in death.
b. The patient has celebrity status and requires protection.
c. The father of a 22-year-old is requesting the records.
d. An attorney requests records.
a. The patient has been involved in a crime that may result in death.
Covered entities must retain documentation of their security policies for at least:
a. Five years
b. Five years from the date of origination
c. Six years from the date when last in effect
d. Six years from the date of the last incident
c. Six years from the date when last in effect
Under HIPAA, when is the patient's written authorization required to release his or her healthcare information?
a. For purposes related to treatment
b. For purposes related to payment
c. For administrative healthcare operations
d. For any purpose unrelated to treatment, payment, or healthcare operations
d. For any purpose unrelated to treatment, payment, or healthcare operations
Notices of privacy practices must be available at the site where the individual is treated and:
a. Must be posted next to the entrance
b. Must be posted in a prominent place where it is reasonable to expect that patients will read them
c. May be posted anywhere at the site
d. Do not have to be posted at the site
b. Must be posted in a prominent place where it is reasonable to expect that patients will read them
The HIM director has been asked to secure the record of patient John Smith due to impending litigation in a legal hold. The concept of legal hold requires:
a. Special, tracked handling of patient records involved in litigation to ensure no changes can be made
b. Attorneys for healthcare entities to stop all activity with records involved in litigation
c. All records involved in litigation to be printed and held in a locked cabinet
d. To not allow further documentation to occur in any record involved in litigation
a. Special, tracked handling of patient records involved in litigation to ensure no changes can be made
Regarding an individual's right of access to their own PHI, per HIPAA, a covered entity:
a. Must act on the request within 90 days
b. May extend its response by 60 days if it gives the reasons for the delay
c. May require individuals to make their requests in writing
d. Does not have limits regarding what it can charge individuals for copies of their health records
c. May require individuals to make their requests in writing
Central City Clinic has requested that Ghent Hospital send its hospital records from Susan Hall's most recent admission to the clinic for her follow-up appointment. Which of the following statements is true?
a. The Privacy Rule requires that Susan Hall complete a written authorization.
b. The hospital may send only discharge summary, history, and physical and operative report.
c. The Privacy Rule's minimum necessary requirement does not apply.
d. This "public interest and benefit" disclosure does not require the patient's authorization.
c. The Privacy Rule's minimum necessary requirement does not apply.
A federal confidentiality statute specifically addresses confidentiality of health information about ______ patients.
a. Developmentally disabled
b. Elderly
c. Drug and alcohol recovery
d. Cancer
c. Drug and alcohol recovery
The confidentiality of incident reports is generally protected in cases when the report is filed in:
a. The nursing notes
b. The patient's health record
c. The physician's progress notes
d. The hospital risk manager's office
d. The hospital risk manager's office
Which one of the following has access to personally identifiable data without authorization or subpoena?
a. Law enforcement in a criminal case
b. The patient's attorney
c. Public health departments for disease reporting purposes
d. Workers' compensation for disability claim settlement
c. Public health departments for disease reporting purposes
An original goal of HIPAA Administrative Simplification was to standardize:
a. Privacy notices given to patients
b. The electronic transmission of health data
c. Disclosure of information for treatment purposes
d. The definition of PHI
b. The electronic transmission of health data
The privacy officer was conducting training for new employees and posed the following question to the trainees to help them understand the rule regarding protected health information (PHI): "Which of the following is an element that makes information 'PHI' under the HIPAA Privacy Rule?"
a. Identifies an attending physician
b. Specifies the insurance provider for the patient
c. Contained within a personnel file
d. Relates to one's health condition
d. Relates to one's health condition
A nurse administrator who is not typically on call to cover staffing shortages gets called in over the weekend to staff the emergency department. She does not have access to enter notes since this is not a part of her typical role. In order to meet the intent of the HIPAA Security Rule, the hospital policy should include a:
a. Requirement for her to attend training before accessing ePHI
b. Provision for another nurse to share his or her password with the nurse administrator
c. Provision to allow her emergency access to the system
d. Restriction on her ability to access ePHI
c. Provision to allow her emergency access to the system
The Breach Notification Rule requires covered entities to establish a process for investigating whether a breach has occurred and which of the following?
a. Establish a new position for a Privacy Officer
b. Notify affected individuals when a breach occurs
c. Establish a policy on minimum necessary
d. Notify the primary care physicians of all patients of the breach
b. Notify affected individuals when a breach occurs
Which of the following is considered a two-factor authentication system?
a. User ID and password
b. User ID and voice scan
c. Password and swipe card
d. Password and PIN
c. Password and swipe card
Which of the following is a "public interest and benefit" exception to the authorization requirement?
a. Payment
b. PHI regarding victims of domestic violence
c. Information requested by a patient's attorney
d. Treatment
b. PHI regarding victims of domestic violence
Which of the following statements is true in regard to training in protected health information (PHI) policies and procedures?
a. Every member of the covered entity's workforce must be trained.
b. Only individuals employed by the covered entity must be trained.
c. Training only needs to occur when there are material changes to the policies and procedures.
d. Documentation of training is not required.
a. Every member of the covered entity's workforce must be trained.
Under the Privacy Rule, which of the following must be included in a patient accounting of disclosures?
a. State-mandated report of a sexually transmitted disease
b. Disclosure pursuant to a patient's signed authorization
c. Disclosure necessary to meet national security or intelligence requirements
d. Disclosure for payment purposes
a. State-mandated report of a sexually transmitted disease