Domain 2 RHIA Study Questions And Answers| GRADED A
The legal health record for disclosure consists of:
a. Any and all protected health information data collected or used by a healthcare entity when
delivering care
b. Only the protected health information requested by an attorney for a legal proceeding
c. The data, documents, reports, and information that comprise the formal business records of
any healthcare entity that are to be utilized during legal proceedings
d. All of the data and information included in the HIPAA Designated Record Set Correct
Answer: c. The data, documents, reports, and information that comprise the formal business
records of any healthcare entity that are to be utilized during legal proceedings
The concept of legal health records was created to describe the data, documents, reports, and
information that comprise the formal business record(s) of any healthcare organization that are to
be utilized during legal proceedings. Understanding legal health records requires knowledge of
not only what comprises business records used as legal health records, but also the processes as
well as the physical and electronic systems used to manage these records
John is the privacy officer at General Hospital and conducts audit trail checks as part of his job
duties. What does an audit trail check for?
a. Loss of data
b. Presence of a virus
c. Successful completion of a backup
d. Unauthorized access to a system Correct Answer: d. Unauthorized access to a system
An audit trail is a chronological set of computerized records that provides evidence of a
computer system utilization (log-ins and log-outs, file accesses) used to determine security
violations
A professional basketball player from the local team was admitted to your facility for a
procedure. During this patient's hospital stay, access logs may need to be checked daily in order
to determine:
a. Whether access by employees is appropriate
b. If the patient is satisfied with their stay
c. If it is necessary to order prescriptions for the patient
d. Whether the care to the patient meets quality standards Correct Answer: a. Whether access by
employees is appropriate
In order to maintain patient privacy, certain audits may need to be completed daily. If a
highprofile patient is currently in a facility, for example, access logs may need to be checked
daily to determine whether all access to this patient's information by the workforce is appropriate
An outpatient laboratory routinely mails the results of health screening exams to its patients. The
lab has received numerous complaints from patients who have received another patient's health
information. Even though multiple complaints have been received, no change in process has
,occurred because the error rate is low in comparison to the volume of mail that is processed daily
for the lab. How should the Privacy Officer for this healthcare entity respond to this situation?
a. Determine why the lab results are being sent to incorrect patients and train the laboratory staff
on the HIPAA Privacy Rule
b. Fire the responsible employees
c. Do nothing, as these types of errors occur in every healthcare entity
d. Retrain the entire hospital entity because these types of errors could result in a huge fine from
the Office of Inspector General Correct Answer: a. Determine why the lab results are being sent
to incorrect patients and train the laboratory staff on the HIPAA Privacy Rule
This situation must be corrected. The privacy officer should complete a process flow and identify
the areas where a breakdown in the process is resulting in a complaint of mailing the report to the
wrong patient. It is important for the covered entity to take as many precautions as possible to
ensure compliance by its workforce. Training is necessary in this situation to mitigate this type of
error
Anywhere Hospital's coding staff will be working remotely. The entity wants to ensure that they
are complying with the HIPAA Security Rule. What type of network uses a private tunnel
through the Internet as a transport medium that will allow the transmission of ePHI to occur
between the coder and the facility securely?
a. Intranet
b. Local area network
c. Virtual private network
d. Wide area network Correct Answer: c. Virtual private network
Virtual private network (VPN) uses a secure tunnel through a public network, usually the
Internet, to connect remote sites or users. Security procedures include firewalls, encryption, and
server authentication
Mary Smith has gone to her doctor to discuss her current medical condition. What is the legal
term that best describes the type of communication that has occurred between Mary and her
physician?
a. Closed communication
b. Open communication
c. Private communication
d. Privileged communication Correct Answer: d. Privileged communication
Privileged communication is a legal concept designed to protect the confidentiality between two
parties and is usually delineated by state law
An individual designated as an inpatient coder may have access to an electronic medical record
in order to code the record. Under what access security mechanism is the coder allowed access to
the system?
a. Context-based
b. Role-based
c. Situation-based
,d. User-based Correct Answer: b. Role-based
Role-based access control (RBAC) is a control system in which access decisions are based on the
roles of individual users as part of an organization (
Which of the following statements about a firewall is false?
a. It is a system or combination of systems that supports an access control policy between two
networks.
b. The most common place to find a firewall is between the healthcare entity's internal network
and the Internet.
c. Firewalls are effective for preventing all types of attacks on a healthcare system.
d. A firewall can limit internal users from accessing various portions of the Internet. Correct
Answer: c. Firewalls are effective for preventing all types of attacks on a healthcare system.
As important as firewalls are to the overall security of health information systems, they cannot
protect a system from all types of attacks
A dietary department donated its old microcomputer to a school. Some old patient data were still
on the microcomputer. What controls would have minimized this security breach?
a. Access controls
b. Device and media controls
c. Facility access controls
d. Workstation controls Correct Answer: b. Device and media controls
HIPAA requires the implementation of policies and procedures for the removal of hardware and
electronic media that contain ePHI into and out of a facility. There are four implementation
specifications within this standard: disposal, media reuse, accountability, and data backup and
storage. In this case the organization did not follow policies for the removal of hardware and
electronic media
he Privacy Rule generally requires documentation related to its requirements to be retained:
a. 3 years
b. 5 years
c. 6 years
d. 10 years Correct Answer: c. 6 years
The Privacy Rule uses six years as the period for which Privacy Rule-related documents must be
retained. The six-year time frame refers to the latter of the following: the date the document was
created or the last effective date of the document. Such documents include policies and
procedures, the notice of privacy practices (NPP), complaint dispositions, and other actions,
activities, and designations that must be documented per Privacy Rule requirements
Mrs. Davis is preparing to undergo hernia repair surgery at Deaconess Hospital. Select the best
statement of the following options.
a. An employee from the hospital's surgery department should obtain Mrs. Davis' informed
consent.
, b. The surgeon should obtain Mrs. Davis' informed consent.
c. It does not matter who obtains Mrs. Davis' informed consent as long as it is documented in her
medical record.
d. Informed consent is not necessary because this is not major surgery. Correct Answer: b. The
surgeon should obtain Mrs. Davis' informed consent.
When obtaining consent for surgery, the surgeon is the healthcare provider who would discuss
the consent for treatment with the patient. The basic elements of an informed surgical consent
should include the purpose of the proposed procedure, any risks associated with the procedure,
and if noninvasive treatment alternatives might be considered
Which legal doctrine was established by the Darling v. Charleston Community Hospital case of
1965?
a. Hospital-physician negligence
b. Clinical negligence
c. Physician-patient negligence
d. Corporate negligence Correct Answer: d. Corporate negligence
Corporate negligence is a legal doctrine that was established by a judicial decision handed down
in the 1965 court case Darling v. Charleston Community Hospital. The court in this case ruled
specifically that hospital governing boards have a duty to institute a means to evaluate and
council medical staff who personally perform services on a patient that results in harm due to
unreasonable risk. Hospitals may be held liable when a member of the medical staff fails to meet
established standards of patient care
Which national database was created to collect information on the legal actions (both civil and
criminal) taken against licensed healthcare providers?
a. Healthcare Insurance Data Bank
b. Medicare Protection Database
c. National Practitioner Data Bank
d. Healthcare Safety Database Correct Answer: c. National Practitioner Data Bank
The National Practitioner Data Bank was created to collect information on the legal actions (both
civil and criminal) taken against licensed healthcare providers
Sally Mitchell was treated for kidney stones at Graham Hospital last year. She now wants to
review her medical record in person. She has requested to review it by herself in a closed room.
a. Failure to accommodate her wishes will be a violation under the HIPAA Privacy Rule.
b. Sally owns the information in her record, so she must be granted her request.
c. Sally's request does not have to be granted because the hospital is responsible for the integrity
of the medical record.
d. Patients should never be given access to their actual medical records. Correct Answer: c.
Sally's request does not have to be granted because the hospital is responsible for the integrity of
the medical record.
The legal health record for disclosure consists of:
a. Any and all protected health information data collected or used by a healthcare entity when
delivering care
b. Only the protected health information requested by an attorney for a legal proceeding
c. The data, documents, reports, and information that comprise the formal business records of
any healthcare entity that are to be utilized during legal proceedings
d. All of the data and information included in the HIPAA Designated Record Set Correct
Answer: c. The data, documents, reports, and information that comprise the formal business
records of any healthcare entity that are to be utilized during legal proceedings
The concept of legal health records was created to describe the data, documents, reports, and
information that comprise the formal business record(s) of any healthcare organization that are to
be utilized during legal proceedings. Understanding legal health records requires knowledge of
not only what comprises business records used as legal health records, but also the processes as
well as the physical and electronic systems used to manage these records
John is the privacy officer at General Hospital and conducts audit trail checks as part of his job
duties. What does an audit trail check for?
a. Loss of data
b. Presence of a virus
c. Successful completion of a backup
d. Unauthorized access to a system Correct Answer: d. Unauthorized access to a system
An audit trail is a chronological set of computerized records that provides evidence of a
computer system utilization (log-ins and log-outs, file accesses) used to determine security
violations
A professional basketball player from the local team was admitted to your facility for a
procedure. During this patient's hospital stay, access logs may need to be checked daily in order
to determine:
a. Whether access by employees is appropriate
b. If the patient is satisfied with their stay
c. If it is necessary to order prescriptions for the patient
d. Whether the care to the patient meets quality standards Correct Answer: a. Whether access by
employees is appropriate
In order to maintain patient privacy, certain audits may need to be completed daily. If a
highprofile patient is currently in a facility, for example, access logs may need to be checked
daily to determine whether all access to this patient's information by the workforce is appropriate
An outpatient laboratory routinely mails the results of health screening exams to its patients. The
lab has received numerous complaints from patients who have received another patient's health
information. Even though multiple complaints have been received, no change in process has
,occurred because the error rate is low in comparison to the volume of mail that is processed daily
for the lab. How should the Privacy Officer for this healthcare entity respond to this situation?
a. Determine why the lab results are being sent to incorrect patients and train the laboratory staff
on the HIPAA Privacy Rule
b. Fire the responsible employees
c. Do nothing, as these types of errors occur in every healthcare entity
d. Retrain the entire hospital entity because these types of errors could result in a huge fine from
the Office of Inspector General Correct Answer: a. Determine why the lab results are being sent
to incorrect patients and train the laboratory staff on the HIPAA Privacy Rule
This situation must be corrected. The privacy officer should complete a process flow and identify
the areas where a breakdown in the process is resulting in a complaint of mailing the report to the
wrong patient. It is important for the covered entity to take as many precautions as possible to
ensure compliance by its workforce. Training is necessary in this situation to mitigate this type of
error
Anywhere Hospital's coding staff will be working remotely. The entity wants to ensure that they
are complying with the HIPAA Security Rule. What type of network uses a private tunnel
through the Internet as a transport medium that will allow the transmission of ePHI to occur
between the coder and the facility securely?
a. Intranet
b. Local area network
c. Virtual private network
d. Wide area network Correct Answer: c. Virtual private network
Virtual private network (VPN) uses a secure tunnel through a public network, usually the
Internet, to connect remote sites or users. Security procedures include firewalls, encryption, and
server authentication
Mary Smith has gone to her doctor to discuss her current medical condition. What is the legal
term that best describes the type of communication that has occurred between Mary and her
physician?
a. Closed communication
b. Open communication
c. Private communication
d. Privileged communication Correct Answer: d. Privileged communication
Privileged communication is a legal concept designed to protect the confidentiality between two
parties and is usually delineated by state law
An individual designated as an inpatient coder may have access to an electronic medical record
in order to code the record. Under what access security mechanism is the coder allowed access to
the system?
a. Context-based
b. Role-based
c. Situation-based
,d. User-based Correct Answer: b. Role-based
Role-based access control (RBAC) is a control system in which access decisions are based on the
roles of individual users as part of an organization (
Which of the following statements about a firewall is false?
a. It is a system or combination of systems that supports an access control policy between two
networks.
b. The most common place to find a firewall is between the healthcare entity's internal network
and the Internet.
c. Firewalls are effective for preventing all types of attacks on a healthcare system.
d. A firewall can limit internal users from accessing various portions of the Internet. Correct
Answer: c. Firewalls are effective for preventing all types of attacks on a healthcare system.
As important as firewalls are to the overall security of health information systems, they cannot
protect a system from all types of attacks
A dietary department donated its old microcomputer to a school. Some old patient data were still
on the microcomputer. What controls would have minimized this security breach?
a. Access controls
b. Device and media controls
c. Facility access controls
d. Workstation controls Correct Answer: b. Device and media controls
HIPAA requires the implementation of policies and procedures for the removal of hardware and
electronic media that contain ePHI into and out of a facility. There are four implementation
specifications within this standard: disposal, media reuse, accountability, and data backup and
storage. In this case the organization did not follow policies for the removal of hardware and
electronic media
he Privacy Rule generally requires documentation related to its requirements to be retained:
a. 3 years
b. 5 years
c. 6 years
d. 10 years Correct Answer: c. 6 years
The Privacy Rule uses six years as the period for which Privacy Rule-related documents must be
retained. The six-year time frame refers to the latter of the following: the date the document was
created or the last effective date of the document. Such documents include policies and
procedures, the notice of privacy practices (NPP), complaint dispositions, and other actions,
activities, and designations that must be documented per Privacy Rule requirements
Mrs. Davis is preparing to undergo hernia repair surgery at Deaconess Hospital. Select the best
statement of the following options.
a. An employee from the hospital's surgery department should obtain Mrs. Davis' informed
consent.
, b. The surgeon should obtain Mrs. Davis' informed consent.
c. It does not matter who obtains Mrs. Davis' informed consent as long as it is documented in her
medical record.
d. Informed consent is not necessary because this is not major surgery. Correct Answer: b. The
surgeon should obtain Mrs. Davis' informed consent.
When obtaining consent for surgery, the surgeon is the healthcare provider who would discuss
the consent for treatment with the patient. The basic elements of an informed surgical consent
should include the purpose of the proposed procedure, any risks associated with the procedure,
and if noninvasive treatment alternatives might be considered
Which legal doctrine was established by the Darling v. Charleston Community Hospital case of
1965?
a. Hospital-physician negligence
b. Clinical negligence
c. Physician-patient negligence
d. Corporate negligence Correct Answer: d. Corporate negligence
Corporate negligence is a legal doctrine that was established by a judicial decision handed down
in the 1965 court case Darling v. Charleston Community Hospital. The court in this case ruled
specifically that hospital governing boards have a duty to institute a means to evaluate and
council medical staff who personally perform services on a patient that results in harm due to
unreasonable risk. Hospitals may be held liable when a member of the medical staff fails to meet
established standards of patient care
Which national database was created to collect information on the legal actions (both civil and
criminal) taken against licensed healthcare providers?
a. Healthcare Insurance Data Bank
b. Medicare Protection Database
c. National Practitioner Data Bank
d. Healthcare Safety Database Correct Answer: c. National Practitioner Data Bank
The National Practitioner Data Bank was created to collect information on the legal actions (both
civil and criminal) taken against licensed healthcare providers
Sally Mitchell was treated for kidney stones at Graham Hospital last year. She now wants to
review her medical record in person. She has requested to review it by herself in a closed room.
a. Failure to accommodate her wishes will be a violation under the HIPAA Privacy Rule.
b. Sally owns the information in her record, so she must be granted her request.
c. Sally's request does not have to be granted because the hospital is responsible for the integrity
of the medical record.
d. Patients should never be given access to their actual medical records. Correct Answer: c.
Sally's request does not have to be granted because the hospital is responsible for the integrity of
the medical record.
