SOLUTION SET
◉ Which of the following statements is true regarding HIPAA
security?
a. All institutions must implement the same security measures.
b. Institutions are allowed flexibility in the way they implement
HIPAA standards.
c. All institutions must implement all HIPAA specifications.
d. A security risk assessment must be performed every year.
Answer: b. Institutions are allowed flexibility in the way they
implement HIPAA standards.
HIPAA allows a covered entity to adopt security measures that are
appropriate to its size, complexity, and risk profile, as long as the
required standards are met. The Security Rule distinguishes required
implementation specifications from addressable ones: an addressable
specification may be implemented as written, replaced with an equivalent
alternative, or documented as not reasonable and appropriate for the
entity, which is why choice c is false. The rule also requires a periodic
risk analysis without fixing an annual interval, which is why choice d is
false. Security protections in a large medical facility will be more
complex than those implemented in a small group practice.
◉ Access to health records based on protected health information
within a healthcare facility should be limited to employees who have
a:
a. Legitimate need for access
b. Password to access the EHR
c. Report development program
d. Signed confidentiality agreement
Answer: a. Legitimate need for access
The access control standard requires technical policies and procedures
that limit access to electronic PHI to those persons and software
programs that have been granted access rights. In practice this is
enforced by the EHR or the underlying system through user- or role-based
access controls. The intent is that each individual is authorized to see
only the data needed to perform their job (the minimum necessary
principle); a password or a signed confidentiality agreement establishes
identity or accountability, not a legitimate need for a given record.
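The following is an added illustration of how such a control is enforced in software; it is not code from the source or from any EHR product. The roles, record sections, users, and the sample record are constructed for the demonstration. Access is denied by default, requires both a role permission and an assignment to the patient, and every decision (allowed or denied) is written to an audit log so that browsing outside a legitimate need can be detected later.

```python
"""Need-to-know access check for EHR record sections (added example;
not from the source text or any real EHR). All data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Set

# Role -> record sections that role may read. Anything not listed is denied
# (default deny), which is how "minimum necessary" is enforced technically.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "attending_physician": {"demographics", "diagnoses", "medications", "notes"},
    "billing_clerk": {"demographics", "billing"},
    "lab_tech": {"demographics", "lab_orders"},
}


@dataclass
class User:
    username: str
    role: str
    # Patients this user is currently assigned to (treatment relationship).
    assigned_patients: Set[str] = field(default_factory=set)


@dataclass
class AuditEvent:
    when: str
    user: str
    patient_id: str
    section: str
    allowed: bool
    reason: str


AUDIT_LOG: List[AuditEvent] = []


def check_access(user: User, patient_id: str, section: str) -> bool:
    """Allow only if the role permits the section AND the user is assigned
    to the patient. Every decision is appended to AUDIT_LOG."""
    permitted = ROLE_PERMISSIONS.get(user.role, set())
    if section not in permitted:
        allowed, reason = False, f"role '{user.role}' may not read '{section}'"
    elif patient_id not in user.assigned_patients:
        allowed, reason = False, "user has no assignment to this patient"
    else:
        allowed, reason = True, "ok"
    AUDIT_LOG.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                user.username, patient_id, section, allowed, reason))
    return allowed


def read_section(record: Dict[str, Any], user: User, section: str) -> Optional[Dict[str, Any]]:
    """Return only the requested section of a record, never the whole record."""
    if not check_access(user, str(record["patient_id"]), section):
        return None
    return {section: record.get(section)}


# Constructed sample record (not real patient data).
SAMPLE_RECORD: Dict[str, Any] = {
    "patient_id": "P001",
    "demographics": {"name": "Jane Doe", "dob": "1980-01-02"},
    "diagnoses": ["E11.9"],
    "medications": ["metformin"],
    "notes": "stable",
    "billing": {"balance": 120.00},
    "lab_orders": [],
}


def demo():
    """Three requests: one with a legitimate need, two without."""
    physician = User("drsmith", "attending_physician", {"P001"})
    clerk = User("jlee", "billing_clerk", {"P001"})        # wrong role for diagnoses
    other_md = User("drjones", "attending_physician", set())  # right role, no assignment
    return (
        read_section(SAMPLE_RECORD, physician, "diagnoses"),
        read_section(SAMPLE_RECORD, clerk, "diagnoses"),
        read_section(SAMPLE_RECORD, other_md, "diagnoses"),
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
    for event in AUDIT_LOG:
        print(event)
```

Note that having a valid password (choice b) gets the clerk and the unassigned physician through authentication, yet both requests are still denied and recorded; authentication and authorization are separate controls.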
◉ The release of information function requires the HIM professional
to have knowledge of:
a. Clinical coding principles
b. Database development
c. Federal and state confidentiality laws
d. Human resource management
Answer: c. Federal and state confidentiality laws
Release of information (ROI) is the process of providing PHI access
to individuals or entities that are deemed to be authorized to either
receive or review it. Protecting the security and privacy of patient
information is one of a healthcare organization's top priorities, and
the HIM department is usually responsible for determining
appropriate access to and ROI from patient health records.
Knowledge of state and federal confidentiality laws is critical to the
ROI function.
◉ When data has been lost in an EHR, which action is taken to
remedy this problem?
a. Build a firewall
b. Data recovery
c. Review the audit trail
d. Develop data integrity plan
Answer: b. Data recovery
Data recovery is the process of restoring lost data, or reconciling
conflicting data, after a system failure. The recovered data may come from
backups and from records of events that occurred while the system was
down. Reviewing the audit trail (choice c) helps explain what happened but
does not restore anything, and a firewall (choice a) addresses network
access rather than lost data.
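The following is an added example of that process, not code from the source text: it restores a patient table from the last good backup, then replays a journal of events captured while the system was down. The backup snapshot, the journal, and the reconciliation policy (newest timestamp wins; an entry older than the restored copy is flagged for review rather than applied) are constructed assumptions for the demonstration.

```python
"""Restore from backup, then replay downtime events and flag conflicts
(added example; not from the source text). All data is constructed."""
from copy import deepcopy
from typing import Any, Dict, List, Tuple

# Constructed: the last good backup, taken at logical time 100.
BACKUP: Dict[str, Dict[str, Any]] = {
    "P001": {"version": 3, "updated_at": 95, "allergy": "penicillin"},
    "P002": {"version": 1, "updated_at": 80, "allergy": "none"},
}

# Constructed: events that happened while the system was down and were keyed
# in afterwards. The P002 entry carries a timestamp older than the backup copy.
DOWNTIME_JOURNAL: List[Dict[str, Any]] = [
    {"patient": "P001", "updated_at": 110, "field": "allergy", "value": "penicillin, latex"},
    {"patient": "P003", "updated_at": 112, "field": "allergy", "value": "sulfa"},
    {"patient": "P002", "updated_at": 70, "field": "allergy", "value": "shellfish"},
]


def recover(backup: Dict[str, Dict[str, Any]],
            journal: List[Dict[str, Any]]) -> Tuple[Dict[str, Dict[str, Any]], List[Dict[str, Any]]]:
    """Return (recovered_table, conflicts).

    The backup is copied, never mutated. Journal entries are applied in
    timestamp order; an entry older than the copy already restored is a
    conflict and is returned for human review instead of overwriting data."""
    recovered = deepcopy(backup)
    conflicts: List[Dict[str, Any]] = []
    for entry in sorted(journal, key=lambda e: e["updated_at"]):
        pid = str(entry["patient"])
        fld = str(entry["field"])
        rec = recovered.get(pid)
        if rec is None:
            # Patient created during downtime: nothing in the backup to reconcile.
            recovered[pid] = {"version": 1, "updated_at": entry["updated_at"], fld: entry["value"]}
            continue
        if entry["updated_at"] < rec["updated_at"]:
            conflicts.append({**entry, "current_value": rec.get(fld)})
            continue
        rec[fld] = entry["value"]
        rec["updated_at"] = entry["updated_at"]
        rec["version"] = int(rec["version"]) + 1
    return recovered, conflicts


if __name__ == "__main__":
    table, conflicts = recover(BACKUP, DOWNTIME_JOURNAL)
    for pid, rec in sorted(table.items()):
        print(pid, rec)
    print("conflicts for review:", conflicts)
```

Keeping conflicts out of the table rather than applying last-write-wins blindly matters for clinical data: a stale allergy value silently overwriting a newer one is a patient-safety problem, not just a data-integrity one.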
◉ Community Hospital is terminating its business associate
relationship with a medical transcription company. The
transcription company has no further need for any identifiable
information that it may have obtained in the course of its business
with the hospital. The CFO of the hospital believes that to be HIPAA
compliant, all that is necessary is for the termination to be in a
formal letter signed by the CEO. In this case, how should the director
of HIM advise the CFO?
a. Determine that a formal letter of termination meets HIPAA
requirements and no further action is required
b. Confirm that a formal letter of termination meets HIPAA
requirements and no further action is required except that the
termination notice needs to be retained for seven years
c. Confirm that a formal letter of termination is required and that the
transcription company must provide the hospital with a certification
that all PHI that it had in its possession has been destroyed or
returned
Answer: c. Confirm that a formal letter of termination is required and
that the transcription company must provide the hospital with a
certification that all PHI that it had in its possession has been
destroyed or returned
The HIPAA Privacy Rule requires the covered entity to have business
associate agreements in place with each business associate. This
agreement must always include provisions regarding destruction or
return of protected health information (PHI) upon termination of a
business associate's services. Upon notice of the termination, the
covered entity needs to contact the business associate and
determine if the entity still retains any protected health information
from, or created for, the covered entity. The PHI must be destroyed,
returned to the covered entity, or transferred to another business
associate. Once the PHI is transferred or destroyed, it is
recommended that the covered entity obtain a certification from the