and Disclosures of PHI
Which process requires the verification of the educational qualifications, licensure status, and
other experience of healthcare professionals who have applied for the privilege of practicing
within a healthcare facility?
a. Deemed status
b. Judicial decision
c. Subpoena
d. Credentialing
Answer: d. Credentialing
Ensuring that data have been accessed or modified only by those authorized to do so is a
function of:
a. Data integrity
b. Data quality
c. Data granularity
d. Logging functions
Answer: a. Data integrity
Where can you find guidelines for the retention and destruction of healthcare information?
a. Institute of Medicine
b. Municipal regulations
c. HIPAA
d. Accreditation standards
Answer: d. Accreditation standards
Community Hospital is planning implementation of various elements of the EHR in the next six
months. Physicians have requested the ability to access the EHR from their offices and from
home. What advice should the HIM director provide?
a. HIPAA regulations do not allow this type of access.
b. This access would be covered under the release of PHI for treatment purposes and pose no
security or confidentiality threats.
c. Access can be permitted providing that appropriate safeguards are put in place to protect
against threats to security.
d. Access cannot be permitted because the physicians would not be accessing information for
treatment purposes.
Answer: c. Access can be permitted providing that appropriate safeguards are put
in place to protect against threats to security.
The Medical Record Committee is reviewing the privacy policies for a large outpatient clinic.
One of the members of the committee remarks that he feels that the clinic's practice of calling
out a patient's full name in the waiting room is not in compliance with HIPAA regulations and
that only the patient's first name should be used. Other committee members disagree with this
assessment. What should the HIM director advise the committee?
a. HIPAA does not allow a patient's name to be announced in a waiting room.
b. There is no violation of HIPAA in announcing a patient's name, but the committee may want
to consider implementing practices that might reduce this practice.
c. HIPAA allows only the use of the patient's first name.
d. HIPAA requires that patients be given numbers and that only the number be announced.
Answer: b. There is no violation of HIPAA in announcing a patient's name, but the committee may
want to consider implementing practices that might reduce this practice.
Which of the following is a kind of technology that focuses on data security?
a. Clinical decision support
b. Bitmapped data
c. Firewalls
d. Smart cards
Answer: c. Firewalls
Mr. Martin has asked his physician's office to review a copy of his PHI. His request must be
responded to no later than _________ after the request is made.
a. 90 days
b. 60 days
c. 30 days
d. 6 weeks
Answer: c. 30 days
A hospital currently includes the patient's social security number in the electronic version of the
health record. The hospital risk manager has identified that as a potential identity breach risk
and wants the information removed. The physicians and others in the hospital are not
cooperating, saying they need the information for identification and other purposes. Given this
situation, what should the HIM director suggest?
a. Avoid displaying the number on any document, screen, or data collection field
b. Allow the information in both electronic and paper forms since a variety of people need this
data
c. Require employees to sign confidentiality agreements if they have access to social security
numbers
d. Contact legal counsel for advice
Answer: a. Avoid displaying the number on any document, screen,
or data collection field
The Privacy Rule establishes that a patient has the right of access to inspect and obtain a copy
of his or her PHI:
a. For as long as it is maintained
b. For six years
c. Forever
d. For 12 months
Answer: a. For as long as it is maintained
Under the HIPAA Security Rule, these types of safeguards have to do with protecting the
environment:
a. Administrative
b. Physical
c. Security
d. Technical
Answer: b. Physical
Which of the following is not an identifier under the Privacy Rule?
a. Visa account 2773 985 0468
b. Vehicle license plate BZ LITYR
c. Age 75
d. Street address 265 Cherry Valley Road
Answer: c. Age 75
One of the four general requirements a covered entity must adhere to for compliance with the
HIPAA Security Rule is to:
a. Ensure the confidentiality, integrity, and addressability of ePHI
b. Ensure the confidentiality, integrity, and accuracy of ePHI
c. Ensure the confidentiality, integrity, and availability of ePHI
d. Ensure the confidentiality, integrity, and accountability of ePHI
Answer: c. Ensure the confidentiality,
integrity, and availability of ePHI
In Medical Center Hospital's clinical information system, nurses may write nursing notes and
may read all parts of the patient health record for patients on the unit in which they work. This
type of authorized use is called:
a. Password limitation
b. Security clearance
c. Role-based access
d. User grouping
Answer: c. Role-based access
Which of the following controls external access to a network?
a. Access controls
b. Alarms
c. Encryption
d. Firewall
Answer: d. Firewall
Which of the following data management domains would be responsible for establishing
standards for data retention and storage?
a. Data architecture management
b. Metadata management
c. Data life cycle management
d. Master data management
Answer: c. Data life cycle management
HIPAA was designed to accomplish all of the following except:
a. Designate HIM professionals as privacy officers