RHIA Domain 2 Questions
When a healthcare entity destroys health records after the acceptable retention period has been
met, a certificate of destruction is created. How long must the healthcare entity maintain the
certificate of destruction?
a. 2 years
b. 5 years
c. 10 years
d. Permanently - CORRECT ANSWER Correct Answer: D
Appropriate documentation of health record destruction must be maintained permanently no
matter how the process is carried out. This documentation usually takes the form of a certificate of
destruction (Fahrenholz 2017b, 108).
.
Of the following, what is the most likely to happen to a patient's health record when his or her
physician leaves an office practice?
a. It will be sent to the state department of health.
b. It will be sent to outside storage.
c. It will be destroyed.
d. It will be retained by the practice. - CORRECT ANSWER Correct Answer: D
In physician practices, patients are informed of their option to transfer their records to another
provider. The majority of complete contracts specify that health records are owned by the provider
group (Rinehart-Thompson 2017c, 199-200).
.
The legal health record for disclosure consists of:
a. Any and all protected health information collected or used by a healthcare entity when delivering
care
b. Only the protected health information requested by an attorney for a legal proceeding
c. The data, documents, reports, and information that comprise the formal business records of any
healthcare entity that are to be utilized during legal proceedings
d. All of the data and information included in the HIPAA designated record set - CORRECT ANSWER
Correct Answer: C
,The concept of legal health records (LHRs) was created to describe the data, documents, reports,
and information that comprise the formal business records of any healthcare organization that are
to be utilized during legal proceedings (Biedermann and Dolezel 2017, 424).
According to the Medicare Conditions of Participation, how long must health records be retained?
a. 2 years
b. 5 years
c. 10 years
d. Permanently - CORRECT ANSWER Correct Answer: B
A health record must be maintained for every individual evaluated or treated in the hospital. Health
records must be retained in their original or legally reproduced form for a period of at least 5 years
(Fahrenholz 2017b, 106).
A secure method of communication between the healthcare provider and the patient is:
a. Personal health record
b. E-mail
c. Patient portal
d. Online health information - CORRECT ANSWER Correct Answer: C
A secure patient portal does allow for the communication between the provider and the patient and
is not just a site for patients to access information. This is part of the effort to engage patients in
their care (Biedermann and Dolezel 2017, 458).
Jan Carlson is the HIM manager at Community Hospital, and she is designing a health record
retention policy for the facility. Which legal source should she use to determine how long medical
records should be retained by the facility?
a. AHIMA record retention guidelines
b. State law
c. County or city codes
d. Joint Commission accreditation standards - CORRECT ANSWER Correct Answer: B
AHIMA provides professional guidelines, but it is not a legal source (option a). Option c does not
dictate health record retention. Option d (Joint Commission) defers to state law (option b). Note that
state law may or may not dictate retention periods, but it is the best option among those presented
(Rinehart-Thompson 2020, 60).
,Based on which of the following concepts can a clinic requesting health records for one of its
patients be reasonably assured that the correct patient information will be sent?
a. Verification
b. Confirmation
c. Authentication
d. Certification - CORRECT ANSWER Correct Answer: A
Policies and procedures created by the covered entity or business associate to manage the use and
disclosures of PHI should address the process for patient identification, including verification of the
individual or personal representatives (Brinda and Watters 2020, 327).
In the state of California, healthcare organizations must provide patients a copy of their medical
record within 15 days of the request, whereas HIPAA requires organizations to provide records
within 30 days of the request. This is example of state law being ________ in relation to federal law.
a. Stringent
b. Contrary
c. Standardized
d. Conflicting - CORRECT ANSWER Correct Answer: A
Under HIPAA, state law is considered more stringent if the law prohibits or restricts use or disclosure
in circumstances under which such use or disclosure would be permitted under federal law (Brinda
and Watters 2020, 330).
Recently, a healthcare organization has noticed an increase in the number of whooping cough cases
in children under 5 years old. The healthcare organization reports the information to the state
department of health. Which of the following statements is most applicable to the disclosure of this
information?
a. The healthcare organization violated HIPAA because it didn't get authorization prior to the
disclosure.
b. The healthcare organization did not violate HIPAA because it can disclose information to anyone
as it sees fit.
c. The healthcare organization did not violate HIPAA because the disclosure impacted the public
health of everyone.
d. The healthcare organization violated HIPAA because it did not get authorization from the state
department of health prior to the disclosure. - CORRECT ANSWER Correct Answer: C
Covered entities (healthcare organizations) are allowed to disclose protected health information for
public health reporting purposes without an authorization or consent from the patient or family
members. Since the whooping cough outbreak is a public health issue, it can be reported without
authorization (Brinda and Watters 2020, 325).
, The _____ requires organizations to implement policies and procedures to safeguard the facility and
equipment from unauthorized access, tampering, and theft.
a. Contingency plan
b. Security Rule
c. Media and device controls
d. Emergency mode operations plan - CORRECT ANSWER Correct Answer: B
The Security Rule operationalizes the Privacy Rule and requires administrative safeguards such as
policies and procedures to protect physical entities like information systems, buildings, and
equipment (Brinda and Watters 2020, 319).
Jill has been asked to revise the health record retention policy for her organization. In particular,
administration believes the current policy does not properly reflect the length of time that the
records of minors should be retained. In conducting her research, Jill refers to the AHIMA best
practices for record retention. Based on her research, which of the following should she recommend
regarding retention of the health records of minors?
a. 10 years plus statute of limitations
b. 20 years plus statute of limitations
c. Age of majority plus statute of limitations
d. Do not address them separately; they should conform to the same retention period as all other
records in the organization - CORRECT ANSWER Correct Answer: C
The statute of limitations for minors, which is generally those who are younger than 18 years of age,
may exceed the time for when health records are ordinarily retained. Whereas a minor may file a
lawsuit on his or her own behalf upon reaching the age of majority, the statute of limitations does
not being to run until the minor reaches the age of majority (Rinehart-Thompson 2017c, 195).
Following a data breach with less than 500 impacted, how long does a covered entity have to
provide notification of the breach to the secretary of the Department of Health and Human
Services?
a. Immediately after determination of the data breach
b. Within 30 days
c. Within 60 days
d. 60 days after the end of the calendar year in which the breach occurred - CORRECT ANSWER
Correct Answer: D
When a healthcare entity destroys health records after the acceptable retention period has been
met, a certificate of destruction is created. How long must the healthcare entity maintain the
certificate of destruction?
a. 2 years
b. 5 years
c. 10 years
d. Permanently - CORRECT ANSWER Correct Answer: D
Appropriate documentation of health record destruction must be maintained permanently no
matter how the process is carried out. This documentation usually takes the form of a certificate of
destruction (Fahrenholz 2017b, 108).
.
Of the following, what is the most likely to happen to a patient's health record when his or her
physician leaves an office practice?
a. It will be sent to the state department of health.
b. It will be sent to outside storage.
c. It will be destroyed.
d. It will be retained by the practice. - CORRECT ANSWER Correct Answer: D
In physician practices, patients are informed of their option to transfer their records to another
provider. The majority of complete contracts specify that health records are owned by the provider
group (Rinehart-Thompson 2017c, 199-200).
.
The legal health record for disclosure consists of:
a. Any and all protected health information collected or used by a healthcare entity when delivering
care
b. Only the protected health information requested by an attorney for a legal proceeding
c. The data, documents, reports, and information that comprise the formal business records of any
healthcare entity that are to be utilized during legal proceedings
d. All of the data and information included in the HIPAA designated record set - CORRECT ANSWER
Correct Answer: C
,The concept of legal health records (LHRs) was created to describe the data, documents, reports,
and information that comprise the formal business records of any healthcare organization that are
to be utilized during legal proceedings (Biedermann and Dolezel 2017, 424).
According to the Medicare Conditions of Participation, how long must health records be retained?
a. 2 years
b. 5 years
c. 10 years
d. Permanently - CORRECT ANSWER Correct Answer: B
A health record must be maintained for every individual evaluated or treated in the hospital. Health
records must be retained in their original or legally reproduced form for a period of at least 5 years
(Fahrenholz 2017b, 106).
A secure method of communication between the healthcare provider and the patient is:
a. Personal health record
b. E-mail
c. Patient portal
d. Online health information - CORRECT ANSWER Correct Answer: C
A secure patient portal does allow for the communication between the provider and the patient and
is not just a site for patients to access information. This is part of the effort to engage patients in
their care (Biedermann and Dolezel 2017, 458).
Jan Carlson is the HIM manager at Community Hospital, and she is designing a health record
retention policy for the facility. Which legal source should she use to determine how long medical
records should be retained by the facility?
a. AHIMA record retention guidelines
b. State law
c. County or city codes
d. Joint Commission accreditation standards - CORRECT ANSWER Correct Answer: B
AHIMA provides professional guidelines, but it is not a legal source (option a). Option c does not
dictate health record retention. Option d (Joint Commission) defers to state law (option b). Note that
state law may or may not dictate retention periods, but it is the best option among those presented
(Rinehart-Thompson 2020, 60).
,Based on which of the following concepts can a clinic requesting health records for one of its
patients be reasonably assured that the correct patient information will be sent?
a. Verification
b. Confirmation
c. Authentication
d. Certification - CORRECT ANSWER Correct Answer: A
Policies and procedures created by the covered entity or business associate to manage the use and
disclosures of PHI should address the process for patient identification, including verification of the
individual or personal representatives (Brinda and Watters 2020, 327).
In the state of California, healthcare organizations must provide patients a copy of their medical
record within 15 days of the request, whereas HIPAA requires organizations to provide records
within 30 days of the request. This is example of state law being ________ in relation to federal law.
a. Stringent
b. Contrary
c. Standardized
d. Conflicting - CORRECT ANSWER Correct Answer: A
Under HIPAA, state law is considered more stringent if the law prohibits or restricts use or disclosure
in circumstances under which such use or disclosure would be permitted under federal law (Brinda
and Watters 2020, 330).
Recently, a healthcare organization has noticed an increase in the number of whooping cough cases
in children under 5 years old. The healthcare organization reports the information to the state
department of health. Which of the following statements is most applicable to the disclosure of this
information?
a. The healthcare organization violated HIPAA because it didn't get authorization prior to the
disclosure.
b. The healthcare organization did not violate HIPAA because it can disclose information to anyone
as it sees fit.
c. The healthcare organization did not violate HIPAA because the disclosure impacted the public
health of everyone.
d. The healthcare organization violated HIPAA because it did not get authorization from the state
department of health prior to the disclosure. - CORRECT ANSWER Correct Answer: C
Covered entities (healthcare organizations) are allowed to disclose protected health information for
public health reporting purposes without an authorization or consent from the patient or family
members. Since the whooping cough outbreak is a public health issue, it can be reported without
authorization (Brinda and Watters 2020, 325).
, The _____ requires organizations to implement policies and procedures to safeguard the facility and
equipment from unauthorized access, tampering, and theft.
a. Contingency plan
b. Security Rule
c. Media and device controls
d. Emergency mode operations plan - CORRECT ANSWER Correct Answer: B
The Security Rule operationalizes the Privacy Rule and requires administrative safeguards such as
policies and procedures to protect physical entities like information systems, buildings, and
equipment (Brinda and Watters 2020, 319).
Jill has been asked to revise the health record retention policy for her organization. In particular,
administration believes the current policy does not properly reflect the length of time that the
records of minors should be retained. In conducting her research, Jill refers to the AHIMA best
practices for record retention. Based on her research, which of the following should she recommend
regarding retention of the health records of minors?
a. 10 years plus statute of limitations
b. 20 years plus statute of limitations
c. Age of majority plus statute of limitations
d. Do not address them separately; they should conform to the same retention period as all other
records in the organization - CORRECT ANSWER Correct Answer: C
The statute of limitations for minors, which is generally those who are younger than 18 years of age,
may exceed the time for when health records are ordinarily retained. Whereas a minor may file a
lawsuit on his or her own behalf upon reaching the age of majority, the statute of limitations does
not being to run until the minor reaches the age of majority (Rinehart-Thompson 2017c, 195).
Following a data breach with less than 500 impacted, how long does a covered entity have to
provide notification of the breach to the secretary of the Department of Health and Human
Services?
a. Immediately after determination of the data breach
b. Within 30 days
c. Within 60 days
d. 60 days after the end of the calendar year in which the breach occurred - CORRECT ANSWER
Correct Answer: D
