CCA EXAM DOMAIN 6 CONFIDENTIALITY AND PRIVACY
1. According to the HIPAA privacy rule, protected health information includes-
: individually identifiable health information in any format stored by a health care provider or business
associate.
Individually identifiable health information in any format stored by a health care provider or business
associate. PHI includes all individually identified health infor- mation, regardless of format. ePHI,
however, includes only electronic PHI. Incorrect answers:
1) non-individually identifiable health information in any format stored by a health care provider. 2)
Only electronic individually identifiable health information. 3) Only paper individually identifiable
health information.
2. The patient has the right to agree or object to disclosure of protected health information when:
disclosing information to a family member who is directly involved in the patient's care.
There are two circumstances when patients have the right to agree or object
to disclosure of protected health information. This includes facility directory and disclosing information
to family member who is directly involved in care.
3. Which of the following would be deleted in the process of de-identification of protected patient
information?: Date of birth
Patient identifiers include patient's full name, date of birth, social security number, contact information
such as address and phone numbers, name and contact in- formation of the next of kin, emergency
contact information, and other personal information deemed necessary for health care delivery
operations (e.g., employer information and insurance information).
The facility NPI number—National Provider Identifier Number—is a 10-digit numer- ical identifier
that identifies an individual provider or a health care entity.
Principal diagnosis code establishes medical necessity for procedures provided to the patient.
Place of service codes are two-digit codes placed on health care professional claims to indicate the
setting in which a service was provided
4. John is a 45-year-old male who is mentally disabled. Identify who can authorize release
, CCA EXAM DOMAIN 6 CONFIDENTIALITY AND PRIVACY
of his health record.: legal guardian
Even though John is of age, he is mentally incompetent and therefore requires a guardian to sign the
release. John's sister could only sign the authorization if she was his legal guardian. The executive of
his will only applies if John is deceased.
5. A document requirement of health organizations pursuant to HIPAA legis- lation, that
informs patient how a covered entity intends to use and disclose protected health information is
called: Notice of Privacy Practices (NPP) Notice of Privacy Practices is a requirement of HIPAA's
Privacy Rule. None of the other documents are related to HIPAA.
, CCA EXAM DOMAIN 6 CONFIDENTIALITY AND PRIVACY
6. A covered entity must adopt reasonable and appropriate policies and pro- cedures to comply
with the provisions of the Security Rule. A covered entity must maintain, until years after
the later of the date of their creation or last effective date, written security policies and
procedures and written records of required actions, activities or assessments.: 6
HIPAA Policies and Procedures and Documentation Requirements
A covered entity must adopt reasonable and appropriate policies and procedures to comply with the
provisions of the Security Rule. A covered entity must maintain, until six years after the later of the
date of their creation or last effective date, written security policies and procedures and written records
of required actions, activities or assessments.
Updates. A covered entity must periodically review and update its documentation in response to
environmental or organizational changes that affect the security of electronic protected health
information (e-PHI).
7. Which of the following is an example of a physical safeguard?: Locking offices and file
cabinets containing PHI
Physical Safeguards are physical measures, policies, and procedures to protect a covered entity's
electronic information systems and related buildings and equipment from natural and environmental
hazards, and unauthorized intrusion.
Some examples of physical safeguards are the following:
Controlling building access with a photo-identification/swipe card system. Locking offices
and file cabinets containing PHI.
Turning computer screens displaying PHI away from public view. Minimizing the amount of
PHI on desktops.
Shredding unneeded documents containing PHI.
Audit controls and effective security safeguards are part of normal operational management processes
to mitigate, control, and minimize risks that can negatively impact business operations and expose
sensitive data.
Dual authentication is a security safeguard—combination would be a username and password
1. According to the HIPAA privacy rule, protected health information includes-
: individually identifiable health information in any format stored by a health care provider or business
associate.
Individually identifiable health information in any format stored by a health care provider or business
associate. PHI includes all individually identified health infor- mation, regardless of format. ePHI,
however, includes only electronic PHI. Incorrect answers:
1) non-individually identifiable health information in any format stored by a health care provider. 2)
Only electronic individually identifiable health information. 3) Only paper individually identifiable
health information.
2. The patient has the right to agree or object to disclosure of protected health information when:
disclosing information to a family member who is directly involved in the patient's care.
There are two circumstances when patients have the right to agree or object
to disclosure of protected health information. This includes facility directory and disclosing information
to family member who is directly involved in care.
3. Which of the following would be deleted in the process of de-identification of protected patient
information?: Date of birth
Patient identifiers include patient's full name, date of birth, social security number, contact information
such as address and phone numbers, name and contact in- formation of the next of kin, emergency
contact information, and other personal information deemed necessary for health care delivery
operations (e.g., employer information and insurance information).
The facility NPI number—National Provider Identifier Number—is a 10-digit numer- ical identifier
that identifies an individual provider or a health care entity.
Principal diagnosis code establishes medical necessity for procedures provided to the patient.
Place of service codes are two-digit codes placed on health care professional claims to indicate the
setting in which a service was provided
4. John is a 45-year-old male who is mentally disabled. Identify who can authorize release
, CCA EXAM DOMAIN 6 CONFIDENTIALITY AND PRIVACY
of his health record.: legal guardian
Even though John is of age, he is mentally incompetent and therefore requires a guardian to sign the
release. John's sister could only sign the authorization if she was his legal guardian. The executive of
his will only applies if John is deceased.
5. A document requirement of health organizations pursuant to HIPAA legis- lation, that
informs patient how a covered entity intends to use and disclose protected health information is
called: Notice of Privacy Practices (NPP) Notice of Privacy Practices is a requirement of HIPAA's
Privacy Rule. None of the other documents are related to HIPAA.
, CCA EXAM DOMAIN 6 CONFIDENTIALITY AND PRIVACY
6. A covered entity must adopt reasonable and appropriate policies and pro- cedures to comply
with the provisions of the Security Rule. A covered entity must maintain, until years after
the later of the date of their creation or last effective date, written security policies and
procedures and written records of required actions, activities or assessments.: 6
HIPAA Policies and Procedures and Documentation Requirements
A covered entity must adopt reasonable and appropriate policies and procedures to comply with the
provisions of the Security Rule. A covered entity must maintain, until six years after the later of the
date of their creation or last effective date, written security policies and procedures and written records
of required actions, activities or assessments.
Updates. A covered entity must periodically review and update its documentation in response to
environmental or organizational changes that affect the security of electronic protected health
information (e-PHI).
7. Which of the following is an example of a physical safeguard?: Locking offices and file
cabinets containing PHI
Physical Safeguards are physical measures, policies, and procedures to protect a covered entity's
electronic information systems and related buildings and equipment from natural and environmental
hazards, and unauthorized intrusion.
Some examples of physical safeguards are the following:
Controlling building access with a photo-identification/swipe card system. Locking offices
and file cabinets containing PHI.
Turning computer screens displaying PHI away from public view. Minimizing the amount of
PHI on desktops.
Shredding unneeded documents containing PHI.
Audit controls and effective security safeguards are part of normal operational management processes
to mitigate, control, and minimize risks that can negatively impact business operations and expose
sensitive data.
Dual authentication is a security safeguard—combination would be a username and password
