HIM 370 Quizzes with Answers
HIM 370 Quizzes

(CO 1) Which is not a major purpose of HIPAA administration simplification?
- Protect the use of patient information.
- Control the inappropriate use of patient information.
- Improve the efficiency and effectiveness of healthcare.
- Allow unlimited use of patient information.

(CO 2) Which of the following is the most apparent difference between the privacy rule and the security rule?
- The security rule will cost more to implement.
- The privacy rule applies to international locations.
- The security rule applies only to electronic PHI, and the privacy rule applies to PHI in any form.
- The security rule contains very specific technology requirements and vendor specifications, and the privacy rule contains only broad requirements specifications.

(CO 1) HIPAA was created to
- increase consumer control over healthcare records.
- improve the security of healthcare information.
- facilitate the portability of health insurance.
- All of the above
- None of the above

(CO 1) What does HIPAA stand for?
- Healthcare Information Privacy and Assurance Act
- Health Insurance Portability and Accountability Act
- Healthcare Insurance Portability and Accountability Act
- Health Information Privacy and Protection Act
- Health Insurance Privacy and Accountability Act

(CO 2) The purpose of NPP for PHI is to
- notify individuals of their services.
- notify facilities of their services.
- notify individuals specifying their information use and disclosure practices.
- notify facilities specifying their information use and disclosure practices.
- None of the above

(CO 2) Access to records can be denied under which circumstances?
- The records are all electronic.
- The records are psychology notes.
- The records could cause harm to individuals or others.
- The records are located in storage.
- Access is never denied.

(CO 2) Which of the following best describes what use of PHI means?
- The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within a covered entity
- The release, transfer, provision of access to, or divulging of information outside the entity holding the information
- The utilization of health information to assist with investigations related to public health issues
- The sharing, utilization, or examination of individually identifiable health information with a third party

(CO 2) The privacy rule safeguards PHI by which of the following?
- Giving individuals the right to correct mistakes
- Telling patients how their information will be used
- Limiting the use and disclosure of information
- All of the above
- None of the above

(CO 1) Security rule compliance is only possible with which of the following?
- A large HIPAA compliance budget
- Outside help from HIPAA experts
- A complete copy of the security policy in hand
- An appropriate risk analysis being performed on your information systems

(CO 2) Which can a CE charge an individual when providing a copy of his or her PHI?
- The total amount of time it takes to gather all information, charged at the current federal minimum hourly wage
- Postage costs only
- Postage, copying, preparing a summary, and the time involved with gathering all this information
- Postage, copying, and the costs directly involved with preparing a requested summary of PHI, if applicable

Which of the policies listed below is required by the Health Insurance Portability and Accountability Act (HIPAA)?
- Strategic Planning Policy
- Notice of Privacy Practice Policy
- Clinical Documentation Policy
- Medical Staff Policy

Which rule expanded the NPP requirements to include provisions designed to provide individuals with a better understanding?
- Freedom of Information Act
- HHS Acquisition Regulation
- Omnibus Final Rule
- Fraud Prevention Detection

A rehabilitation center contacted the Centers for Medicare and Medicaid Services (CMS) to report fraud. Patient information is captured in the report. Which of the following is true?
- This is a violation of patient rights.
- The disclosure is not a violation of HIPAA if the information was provided in good faith.
- CMS must notify the patient immediately after receiving the report.
- An authorization signed by the patient would be needed.

Which of the following does HIPAA allow?
- Releasing patient information to an attorney without a valid authorization.
- Allowing a spouse to pick up medication for the patient.
- Requiring a healthcare organization to amend a patient's medical record at the patient's request.
- Allowing a business associate to have access to any and all PHI.

Which statement about the Notice of Privacy Practices (NPP) is correct?
- No answer text provided.
- All prospective patients must receive an NPP.
- All patients except rehabilitation patients must be given a notice of privacy practices.
- All patients with the exception of an inmate must be given an NPP.

As the Chief Privacy Officer, what would be one reason you would conduct a risk assessment?
- To learn about medical staff practices.
- To follow up on a patient complaint.
- To terminate a staff member who causes problems.
- To prevent a breach of confidentiality.

In an environmental risk assessment, what would be included in the assessment?
- authentication practices
- confirming up-to-date virus software
- single sign-on technology
- the condition and location of water pipes in an organization

A covered entity
- must have a relationship with a business associate
- must accept Medicaid
- includes all healthcare providers
- includes a healthcare provider, health plan, or clearinghouse that transmits health information

Which document is subject to the HIPAA security rule?
- a scanned discharge summary stored on an external hard drive
- a paper medical record
- a fax received from an external organization
- a copy of a lab report

A risk analysis will help you determine which of the following?
- quality reports
- worker's compensation
- technical and operational risk
- a preemption

(CO 4) Access controls are, fundamentally, which kind of mechanism?
- Technology
- Security
- Legal
- Administrative
- All of the above

(CO 4) A gap and risk analysis should be continuous in order to
- identify patient safety changes.
- identify major organizational changes.
- identify major technology changes.
- Both B and C
- All of the above

(CO 4) Is it possible for a CE to come to the conclusion that his or her PHI is not at risk whatsoever?
- Yes, if they already had the proper safeguards in place
- No
- Perhaps, once the risk analysis is complete
- None of the above

(CO 4) A HIPAA privacy rule gap analysis will help an organization determine which of the following?
- How PHI will be impacted if a threat occurs
- Where the PHI is stored and transmitted
- Compliance requirements to be addressed
- All of the above
- None of the above

(CO 3) Which item is most appropriate for developing checklist items to determine security violations for computer log-in monitoring?
- Procedures for creating, changing, and safeguarding passwords
- Procedures for monitoring log-in attempts and reporting discrepancies
- Periodic security updates
- All of the above
- None of the above

(CO 3) A new policy has been approved by senior management. Identify the best method for communicating the policy to employees.
- Post the policy on the company's internal website.
- Send the policy out as an attachment to an e-mail message to all employees.
- Have each manager discuss the policy with all of his or her employees, letting them know how to find the policy in written or electronic format.
- Write an article for the company's newsletter.
- Send the policy out in interoffice mail.

(CO 3) Access controls are fundamentally which kind of mechanism?
- Legal
- Security
- Technology
- Administrative

(CO 3) Which best describes privacy policies?
- They support the multiple requirements of the HIPAA privacy rule.
- They set boundaries for personnel activities related to PHI.
- They define what practices are allowed and disallowed.
- They direct personnel on how to handle and process PHI.
- All of the above

(COs 3 and 7) Once a new privacy policy has been approved and communication has occurred, what should senior management do to ensure compliance?
- Enforce sanctions for breaking the policy.
- Create procedures to support the policy.
- Describe how to achieve compliance.
- All of the above
- None of the above

(COs 3 and 4) A risk analysis is performed to determine which of the following?
- When and how the PHI needs to be protected
- How confidential the PHI needs to be
- Where the PHI is stored and transmitted
- All of the above
- None of the above

Before a staff member is allowed to access PHI, the system confirms the identity of the staff member. This is called
- authentication
- access control
- system notification
- authorization

An employee used a patient's information to secure a bank loan. This is an example of
- identity theft
- notification
- de-identification
- compliance

Which of the following is a set of requirements that essentially provides a framework for creating and managing an effective information infrastructure?
- Security Rule
- Privacy Rule
- Patient Safety Rule
- Freedom of Information Act

When an entire system crashes, the policy and procedures defined to keep the business running are known as a
- business continuity plan
- data backup
- system backup
- back operations

An intentional threat to system security could be
- data theft (unauthorized accessing of data)
- human error
- system failure
- natural disaster (hurricane)

An example of a technical security measure would be
- automatic logout
- locked cabinets
- training
- screen protectors

Which of the following is an example of biometric security?
- retina scan
- audit trail
- signature
- encryption

Your organization is transmitting confidential PHI across the internet using technology that will convert information or data into a code to prevent unauthorized access. This conversion is called
- data encryption
- a firewall
- data validation
- data backup

This system monitors network activity for suspicious activity and issues an alert when it is detected.
- Intrusion Detection
- authentication
- phishing
- spyware

Which of the following is a mobile device risk?
- viruses
- frequently updated devices
- cost
- automatic shutdown

(CO 9) Which of the following most accurately describes the difference between training and awareness?
- Training is less formal and interactive than an awareness program.
- Training is more formal and interactive than an awareness program.
- A training program is more expensive than an awareness program.
- An awareness program is more expensive than a training program.
- All of the above

(CO 5) Which of the following is the most likely group to target for HIPAA privacy and security training?
- Customer services and call centers
- Personnel who have received recent promotions
- Third parties
- Trash removal contractors

(CO 5) Which of the following is not an acceptable technical way to authenticate a person or entity?
- Password
- Secure token
- Biometric
- Visual recognition

(CO 6) The security rule defines the data backup plan requirement as what?
- A plan for how you will back up your files if a security incident occurs
- A set of standards for how you save files on your computer
- Procedures to create and maintain retrievable copies of PHI
- The ability to save hard copies of all PHI
- All of the above

(CO 6) What should be in place prior to responding to an incident?
- A disaster recovery plan and an expert team
- A formal response procedure and an expert team
- A contingency plan and an expert team
- None of the above

(CO 6) The HIPAA security rule defines disaster recovery as
- maintaining a minimum level of business operations to fulfill critical operations requirements in the event of a disaster.
- the process in which critical programs continue critical operations or processes while operating in emergency mode.
- retrieving or recreating the functionality of the organization to predisaster operations.
- None of the above

(CO 6) How frequently should plans be updated?
- On an annual basis
- When major changes occur to the system
- On a semiannual basis
- On an annual basis and when major changes occur
- On a semiannual basis and when major changes occur

(CO 5) To address backup and storage requirements, an organization should
- implement procedures for removal of electronic protected health information from electronic media before the media are made available for reuse.
- develop policies and procedures to address the final disposition of electronic protected health information and/or the hardware of electronic media.
- create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
- determine appropriate storage requirements for the media.
- None of the above

(CO 5) To address media use, an organization should
- develop policies and procedures to address the final disposition of electronic protected health information and/or the hardware of electronic media.
- create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
- implement procedures for removal of electronic protected health information from electronic media before the media are made available for reuse.
- determine appropriate storage requirements for the media.
- None of the above

(CO 5) Training delivery should best be created based upon which of the following?
- The preference of your upper management
- The best way to achieve your objectives
- The time of year
- The number of personnel
Written for
- Institution: Devry University-Chicago
- Course: HIM 370 (HIM370)

Document information
- Uploaded on: November 30, 2021
- Number of pages: 8
- Written in: 2021/2022
- Type: Exam (elaborations)
- Contains: Questions & answers