RHIA PREP EXAM QUESTIONS WITH
VERIFIED SOLUTIONS
Which national database was created to collect information on the legal actions (both
civil and criminal) taken against licensed healthcare providers? - ANSWER-National
Practitioner Data Bank
The National Practitioner Data Bank was created to collect information on the legal
actions (both civil and criminal) taken against licensed healthcare providers (Shaw and
Carter 2015, 346-347).
Community Hospital is discussing restricting the access that physicians have to
electronic clinical records. The medical record committee is divided on how to approach
this issue. Some committee members maintain that all information should be available;
whereas, others maintain that HIPAA restricts access. The HIM director is part of the
committee. Which of the following statements should the director advise to the
committee? - ANSWER-The "minimum necessary" concept does not apply to
disclosures made for treatment purposes, but the healthcare entity must define what
physicians need as part of their treatment role.
The HIPAA Privacy Rule concept of "minimum necessary" does not apply to disclosures
made for treatment purposes. However, the covered entity must define, within the
organization, what information physicians need as part of their treatment role (Rinehart-
Thompson 2017d, 234).
If a data breach caused by willful neglect is corrected within 30 days from the date of
the covered entity or business associate becoming aware of it, what level of violation of
the HIPAA Omnibus Rule is this breach? - ANSWER-Tier 3
The Omnibus Rule created a new fine structure for civil monetary penalties based on a
four-tier system for HIPAA violations. Tiers 3 and 4 are based on violations that have
been determined to be due to willful neglect. In this situation, because the breach was
corrected within 30 days from the date of discovery it would fall into Tier 3. If it wasn't
corrected, it would be a Tier 4 violation (Brinda and Watters 2016, 311-132).
HIPAA was designed to accomplish all of the following except: - ANSWER-Designate
HIM professionals as privacy officers
The implementation of the Health Insurance Portability and Accountability Act (HIPAA)
Privacy Rule in 2003 established a consistent set of privacy and security rules. These
rules, designed to protect the privacy of patients, also attempted to simplify the sharing
of health information for legitimate purposes. For example, before implementation of
HIPAA, a healthcare provider who needed access to a health record maintained by
another provider usually could not directly request the information. The former provider
required the patient's written authorization to release information to the current provider.
In many cases, the patient or the patient's legal representative had to facilitate the
transfer of medical information to a current healthcare provider. Under federal privacy
regulations, the healthcare provider can directly request protected health information,
and a written authorization from the patient is not required when the information is used
for treatment purposes. The Privacy Rule states that protected health information used
for treatment, payment, or healthcare operations does not require patient authorization
to allow providers access, use, or disclosure. However, only the minimum necessary
information needed to satisfy the specified purpose can be used or disclosed (the
minimum necessary standard does not apply to disclosures to a provider for treatment,
as noted above). The release of information for purposes unrelated to treatment,
payment, or healthcare operations still requires the patient's written authorization
(Fahrenholz 2013a, 27).
Which of the following is considered a two-factor authentication system? - ANSWER-
Password and swipe card
Authentication factors fall into three categories: something you know, such as a
password or PIN; something you have, such as an ATM card, token, or swipe/smart
card; and something you are, such as a biometric fingerprint, voice scan, iris, or retinal
scan. Two-factor authentication requires one factor from each of two different
categories, so a password (something you know) plus a swipe card (something you
have) qualifies, whereas a password plus a PIN does not, because both are something
you know (Sayles and Trawick 2014, 219).
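The following is an added example, not part of the original study guide, showing what a "something you know" plus "something you have" login looks like in code: a salted password hash for the knowledge factor and an RFC 6238 time-based one-time password (the kind a hardware token or phone app displays) for the possession factor. The `User` record, the PBKDF2 round count and the skew window are assumptions for the example; the HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000  # assumption for the example; tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Something you know: store only a salted PBKDF2-HMAC-SHA256 hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the token displays)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Something you have: accept the current step and +/- `window` steps to absorb clock skew.
    compare_digest keeps each comparison constant-time."""
    counter = at // step
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter + drift, len(code)), code):
            return True
    return False


class User:
    """Constructed in-memory credential record (a real system would use a database)."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.password_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret  # provisioned into the user's hardware token or phone app


def authenticate(user: User, password: str, code: str, at: int) -> bool:
    """Two-factor login: one factor the user knows plus one the user has; both must pass.
    Both checks always run so response time does not reveal which factor failed."""
    know_ok = hmac.compare_digest(hash_password(password, user.salt), user.password_hash)
    have_ok = verify_totp(user.totp_secret, code, at)
    return know_ok and have_ok


if __name__ == "__main__":
    import time

    secret = os.urandom(20)
    alice = User("correct horse battery staple", secret)
    now = int(time.time())
    print(authenticate(alice, "correct horse battery staple", totp(secret, now), now))
```

A password plus a PIN would be two calls to `hash_password` and still one category; the second factor here is only meaningful because the TOTP secret lives in a device the user carries, not in the user's memory.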
An employee forgot his user ID badge at home and uses another employee's badge to
access the computer system. What controls should have been in place to minimize this
security breach? - ANSWER-Workforce security awareness training
A strategy included in a good security program is an employee security awareness
program. Employees are often responsible for threats to data security. Consequently,
employee awareness is a particularly important tool in reducing security breaches
(Reynolds and Brodnik 2017a, 274).
Per HITECH, an accounting of disclosures must include disclosures made during the
previous: - ANSWER-3 Years
The Health Information Technology for Economic and Clinical Health Act (HITECH)
shortened the time frame for an accounting of disclosures. Previously, an accounting
had to include disclosures made during the previous six years. This has been shortened
to disclosures made during the previous three years (Rinehart-Thompson 2013, 153).
The HIPAA methods titled Expert Determination and Safe Harbor are ways in which the
following can be achieved legally. - ANSWER-Deidentification
Expert Determination and Safe Harbor are the two deidentification methods recognized
by the Office for Civil Rights (OCR) under the HIPAA Privacy Rule. Deidentified
information neither identifies nor provides a reasonable basis to identify an individual.
(1) Expert Determination: a qualified statistician formally determines that the risk of
re-identification is very small. (2) Safe Harbor: specified identifiers of the individual
and of the individual's relatives, household members, and employers are removed; this
is adequate only if the covered entity has no actual knowledge that the remaining
information could be used to identify the individual (OCR 2012; Biedermann and Dolezel
2017, 359-361).
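As an added example that is not from the study guide or from OCR, the function below applies Safe Harbor-style removal to a constructed patient record. It goes slightly beyond the passage by handling three of the specific Safe Harbor rules: direct identifiers are dropped, dates keep only the year, ZIP codes keep only the first three digits (with a placeholder list of sparsely populated prefixes that must become 000; the real list comes from Census data and is an assumption here), and ages over 89 are collapsed to "90+" with the birth year removed. The field names, the record and the sparse-ZIP set are all made up for the example, and note that no code can satisfy the "no actual knowledge" condition; that remains a judgement the covered entity has to make about whatever is left.

```python
import re
from datetime import date

# Field names in the hypothetical record that are direct identifiers under Safe Harbor
# (a subset of the full list, used only for this example).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
# Hypothetical three-digit ZIP prefixes covering 20,000 people or fewer; these must be
# reported as 000. The real set comes from Census data and is an assumption here.
SPARSE_ZIP3 = {"036", "059", "102"}

PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def age_on(dob: str, today: str) -> int:
    """Whole years between an ISO date of birth and an ISO reference date."""
    b = date.fromisoformat(dob)
    t = date.fromisoformat(today)
    return t.year - b.year - ((t.month, t.day) < (b.month, b.day))


def scrub_text(text: str, name_tokens: list) -> str:
    """Free-text fields leak identifiers too: mask SSN/phone patterns and the patient's name."""
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    for token in name_tokens:
        if len(token) > 2:  # skip initials, which would over-match
            text = re.sub(r"\b" + re.escape(token) + r"\b", "[NAME]", text)
    return text


def safe_harbor(record: dict, today: str) -> dict:
    """Return a copy of `record` with Safe Harbor identifiers removed or generalized."""
    out = {}
    name_tokens = record.get("name", "").replace(".", "").split()
    age = age_on(record["dob"], today) if "dob" in record else None
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # removed outright
        if key in DATE_FIELDS:
            if key == "dob" and age is not None and age > 89:
                continue  # year of birth would reveal an age over 89
            out[key] = value[:4]  # all elements of the date except the year
        elif key == "zip":
            z3 = value[:3]
            out[key] = "000" if z3 in SPARSE_ZIP3 else z3
        elif isinstance(value, str):
            out[key] = scrub_text(value, name_tokens)
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if age > 89 else str(age)
    return out


if __name__ == "__main__":
    # Constructed sample record; every value is made up.
    sample = {
        "name": "Jane Q. Public",
        "mrn": "MRN-0044213",
        "dob": "1931-06-15",
        "admit_date": "2023-02-03",
        "zip": "02138",
        "phone": "617-555-0123",
        "email": "jane@example.com",
        "diagnosis": "Type 2 diabetes mellitus",
        "note": "Patient Jane Public, call 617-555-0123, SSN 123-45-6789.",
    }
    print(safe_harbor(sample, "2024-03-04"))
```

The free-text scrubber is the weak point in practice: regexes catch formatted numbers and the known name, but a nickname or a relative's name in a nursing note will get through, which is exactly the kind of residual risk the "no actual knowledge" caveat is about.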
Identifying appropriate users of specific information is a function of: - ANSWER-Access
control
An EHR can provide highly effective access controls to meet the HIPAA Privacy Rule
minimum necessary standard. Role-based access controls allow only specific classes
of persons to access protected health information. Context-based access controls add
further dimensions: they restrict not only the class of person but also the specific
categories of information and the specific conditions under which access is permitted
(Amatayakul 2017, 376-377).
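To make the role-based versus context-based distinction concrete, here is an added example (not the study guide's or any vendor's code) of a small access decision function. The role layer is a table of which classes of persons may see which categories of PHI; the context layer adds conditions on top: an active treatment relationship for clinicians (with an audited break-glass override), and a purpose and time-of-day condition for billing staff. Roles, categories, the care-team map and the business-hours rule are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Hypothetical role-based layer: which classes of persons may see which categories
# of PHI. Roles, categories and rules are constructed for this example.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "clinical", "medications", "labs"},
    "nurse": {"demographics", "clinical", "medications"},
    "billing_clerk": {"demographics", "billing"},
    "researcher": set(),  # no identifiable PHI without a separate authorization
}


@dataclass
class Request:
    user_id: str
    role: str
    patient_id: str
    category: str
    at: str            # ISO 8601 timestamp of the access attempt
    purpose: str       # "treatment", "payment", "operations"
    break_glass: bool = False


@dataclass
class Context:
    care_team: dict = field(default_factory=dict)   # patient_id -> set of user_ids
    audit_log: list = field(default_factory=list)


def decide(req: Request, ctx: Context) -> tuple:
    """Role check first (class of person), then context checks (category of information,
    treatment relationship, purpose, time). Every decision is written to the audit log."""
    if req.category not in ROLE_PERMISSIONS.get(req.role, set()):
        return _record(ctx, req, False, "role may not access this category")

    # Context rule 1: clinical staff need an active treatment relationship. Break-glass
    # access is permitted for emergencies but flagged for after-the-fact review.
    if req.role in ("physician", "nurse"):
        on_team = req.user_id in ctx.care_team.get(req.patient_id, set())
        if not on_team:
            if req.break_glass:
                return _record(ctx, req, True, "BREAK-GLASS: review required")
            return _record(ctx, req, False, "no treatment relationship")

    # Context rule 2: billing staff act only for a payment purpose and only
    # during business hours (hypothetical condition).
    if req.role == "billing_clerk":
        if req.purpose != "payment":
            return _record(ctx, req, False, "billing access limited to payment purpose")
        hour = datetime.fromisoformat(req.at).hour
        if not 8 <= hour < 18:
            return _record(ctx, req, False, "outside permitted hours")

    return _record(ctx, req, True, "permitted")


def _record(ctx: Context, req: Request, allowed: bool, reason: str) -> tuple:
    ctx.audit_log.append((req.at, req.user_id, req.patient_id, req.category, allowed, reason))
    return allowed, reason


if __name__ == "__main__":
    ctx = Context(care_team={"P1": {"drsmith"}})
    print(decide(Request("drsmith", "physician", "P1", "labs", "2024-03-04T10:00:00", "treatment"), ctx))
    print(decide(Request("drjones", "physician", "P1", "labs", "2024-03-04T10:00:00", "treatment"), ctx))
    for entry in ctx.audit_log:
        print(entry)
```

The role table alone would let any physician open any chart; it is the care-team relationship, the purpose and the time condition that turn a class-of-person rule into a minimum necessary rule. The audit log is what makes the break-glass path defensible.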
Covered entities must retain documentation of their security policies for at least: -
ANSWER-6 Years
Policies and procedures implemented to comply with the Security Rule must be retained
for six years from the date of creation or the date when last in effect, whichever is later
(Reynolds and Brodnik 2017a, 278-279).
The Privacy Rule generally requires documentation related to its requirements to be
retained: - ANSWER-6 Years
The Privacy Rule uses six years as the period for which Privacy Rule-related
documents must be retained. The six-year time frame runs from the later of the
following: the date the document was created or the last effective date of the document.
Such documents include policies and procedures, the notice of privacy practices (NPP),
complaint dispositions, and other actions, activities, and designations that must be
documented per Privacy Rule requirements (Rinehart-Thompson 2017e, 257).