RHIT Domain :RHIT:RHIT Package Deal: RHIT Domain 2:RHIT
Domain 3
The process of releasing health record documentation originally created by a different provider is called:
a. Privileged communication
b. Subpoena
c. Jurisdiction
d. Redisclosure - ANSWER:d
The process of releasing health record documentation originally created by a different provider is called
redisclosure. Federal and state regulations provide specific redisclosure guidelines; however, when in
doubt, follow the same principles as the release and disclosure guidelines for other types of health
record information (Fahrenholz 2013a, 104).
When data has been lost in an EHR, which action is taken to remedy this problem?
a. Build a firewall
b. Data recovery
c. Review the audit trail
d. Develop data integrity plan - ANSWER:b
Data recovery is the process of recouping lost data or reconciling conflicting data after the system fails.
These data may be from events that occurred while the system was down or from backed-up data
(Sayles and Trawick 2014, 213).
Central City Clinic has requested that Ghent Hospital send its hospital records for Susan Hall's most
recent admission to the clinic for her follow-up appointment. Which of the following statements is true?
a. The Privacy Rule requires that Susan Hall complete a written authorization.
b. The hospital may send only the discharge summary, history and physical, and operative report.
c. The Privacy Rule's minimum necessary requirement does not apply.
d. This "public interest and benefit" disclosure does not require the patient's authorization. - ANSWER:c
There are certain circumstances where the minimum necessary requirement does not apply, such as to
healthcare providers for treatment; to the individual or his personal representative; pursuant to the
individual's authorization to the secretary of the HHS for investigations, compliance review, or
,enforcement; as required by law; or to meet other Privacy Rule compliance requirements (164.502(b)(2);
Rinehart-Thompson 2017c, 234).
Under the HIPAA Privacy rule, which of the following statements is true?
a. An authorization must contain an expiration date or event.
b. A consent for use and disclosure of information must be obtained from every patient.
c. An authorization must be obtained for uses and disclosures for treatment, payment, and operations.
d. A notice of privacy practices must give 10 examples of a use or disclosure for healthcare operations. -
ANSWER:a
In order for an authorization to be valid, it must contain an expiration date or event that relates to the
individual or the purpose of the use or disclosure (Rinehart-Thompson 2016b, 245-246).
A hospital is planning on allowing coding professionals to work at home. The hospital is in the process of
identifying strategies to minimize the security risks associated with this practice. Which of the following
would be best to ensure that data breaches are minimized when the home computer is unattended?
a. User name and password
b. Automatic session terminations
c. Cable locks
d. Encryption - ANSWER:b
In the HIPAA Security Rule, one of the technical safeguards standards is access control. This includes
automatic log-off, which ensures processes that terminate an electronic session after a predetermined
time of inactivity (Reynolds and Brodnik 2017, 277).
Who owns the health record?
a. Patient
b. Provider who generated the information
c. Insurance company who paid for the care recorded in the record
d. No one - ANSWER:b
Ownership of the health record has traditionally been granted to the provider who generates the record
(Brodnik 2017a, 9).
Which of the following is true regarding the development of health record destruction policies?
a. All applicable laws must be considered
,b. The organization must find a way not to destroy any health records
c. Health records involved in pending or ongoing litigation may be destroyed
d. Only state laws must be considered - ANSWER:a
Not all information must be kept forever. Just as the HIM professional must consider multiple factors
when determining retention, many factors must also be taken into consideration with regard to health
record destruction. These include applicable federal and state statutes and regulations; accreditation
standards; pending or ongoing litigation; storage capabilities; and cost (Rinehart-Thompson 2016a, 208).
What is the biggest threat to the security of healthcare data?
a. Natural disasters
b. Fires
c. Employees
d. Equipment malfunctions - ANSWER:c
Employees are the biggest threat to the security of healthcare data. Whether it is disgruntled employees
destroying computer hardware, snooping employees accessing information without authorization to do
so, or employees accessing information for fraudulent purposes, employees are a real threat to data
security (Rinehart-Thompson 2016c, 256).
Which of the following is not true about the Notice of Privacy Practices?
a. It must include at least two examples of how information is used for both treatment and operations.
b. It must include a description of the right to request restrictions on certain uses and disclosures.
c. It must explain the patient's right to inspect and copy PHI.
d. It must include a description of the patient's right to amend PHI. - ANSWER:a
AHIMA outlines the requirements for the content of the notice of privacy practices. One requirement is
that a description (including at least one example) is to be given of the types of uses and disclosures the
covered entity is permitted to make for treatment, payment, and healthcare operations (Rinehart-
Thompson 2016b, 230-231).
Community Hospital is discussing restricting the access that physicians have to electronic health records.
The medical record committee is divided on how to approach this issue. Some committee members
maintain that all information should be available, whereas others maintain that HIPAA restricts access.
The HIM director is part of the committee. Which of the following should the director advise the
committee?
, a. HIPAA restricts the access of physicians to all information.
b. The "minimum necessary" concept does not apply to disclosures made for treatment purposes;
therefore, physician access should not be restricted.
c. The "minimum necessary" concept does not apply to disclosures made for treatment purposes, but
the organization must define what physicians need as part of their treatment role.
d. The "minimum necessary" concept applies only to attending physicians, and therefore, restriction of
access must be implem - ANSWER:c
The HIPAA Privacy Rule concept of "minimum necessary" does not apply to disclosures made for
treatment purposes. However, the covered entity must define, within the organization, what information
physicians need as part of their treatment role (Thomason 2013, 5).
Burning, shredding, pulping, and pulverizing are all acceptable methods in which process?
a. Deidentification of electronic documents
b. Destruction of paper-based health records
c. Deidentification of records stored on microfilm
d. Destruction of computer-based health records - ANSWER:b
Because of cost and space limitations, permanently storing paper and microfilm-based health record
documents is not an option for most hospitals. Acceptable destruction methods for paper documents
include burning, shredding, pulping, and pulverizing (Fahrenholz 2013a, 111).
Mary's PHI was breached by her physician office when it was disclosed in error to another patient. Which
of the following breach notification statements is correct regarding the physician office's required
action?
a. It must report the breach to HHS within 60 days after the end of the calendar year in which the breach
occurred
b. It must report the breach to HHS within 60 days of the breach
c. It must notify all local media outlets and HHS immediately
d. It is not required to take any action since the breach affected only one person - ANSWER:a
Since this breach applies to one patient, it must be reported to HHS within 60 days after the end of the
calendar year (Rinehart-Thompson 2016b, 240).
To ensure relevancy, an organization's security policies and procedures should be reviewed at least:
a. Once every six months
Domain 3
The process of releasing health record documentation originally created by a different provider is called:
a. Privileged communication
b. Subpoena
c. Jurisdiction
d. Redisclosure - ANSWER:d
The process of releasing health record documentation originally created by a different provider is called
redisclosure. Federal and state regulations provide specific redisclosure guidelines; however, when in
doubt, follow the same principles as the release and disclosure guidelines for other types of health
record information (Fahrenholz 2013a, 104).
When data has been lost in an EHR, which action is taken to remedy this problem?
a. Build a firewall
b. Data recovery
c. Review the audit trail
d. Develop data integrity plan - ANSWER:b
Data recovery is the process of recouping lost data or reconciling conflicting data after the system fails.
These data may be from events that occurred while the system was down or from backed-up data
(Sayles and Trawick 2014, 213).
Central City Clinic has requested that Ghent Hospital send its hospital records for Susan Hall's most
recent admission to the clinic for her follow-up appointment. Which of the following statements is true?
a. The Privacy Rule requires that Susan Hall complete a written authorization.
b. The hospital may send only the discharge summary, history and physical, and operative report.
c. The Privacy Rule's minimum necessary requirement does not apply.
d. This "public interest and benefit" disclosure does not require the patient's authorization. - ANSWER:c
There are certain circumstances where the minimum necessary requirement does not apply, such as to
healthcare providers for treatment; to the individual or his personal representative; pursuant to the
individual's authorization to the secretary of the HHS for investigations, compliance review, or
,enforcement; as required by law; or to meet other Privacy Rule compliance requirements (164.502(b)(2);
Rinehart-Thompson 2017c, 234).
Under the HIPAA Privacy rule, which of the following statements is true?
a. An authorization must contain an expiration date or event.
b. A consent for use and disclosure of information must be obtained from every patient.
c. An authorization must be obtained for uses and disclosures for treatment, payment, and operations.
d. A notice of privacy practices must give 10 examples of a use or disclosure for healthcare operations. -
ANSWER:a
In order for an authorization to be valid, it must contain an expiration date or event that relates to the
individual or the purpose of the use or disclosure (Rinehart-Thompson 2016b, 245-246).
A hospital is planning on allowing coding professionals to work at home. The hospital is in the process of
identifying strategies to minimize the security risks associated with this practice. Which of the following
would be best to ensure that data breaches are minimized when the home computer is unattended?
a. User name and password
b. Automatic session terminations
c. Cable locks
d. Encryption - ANSWER:b
In the HIPAA Security Rule, one of the technical safeguards standards is access control. This includes
automatic log-off, which ensures processes that terminate an electronic session after a predetermined
time of inactivity (Reynolds and Brodnik 2017, 277).
Who owns the health record?
a. Patient
b. Provider who generated the information
c. Insurance company who paid for the care recorded in the record
d. No one - ANSWER:b
Ownership of the health record has traditionally been granted to the provider who generates the record
(Brodnik 2017a, 9).
Which of the following is true regarding the development of health record destruction policies?
a. All applicable laws must be considered
,b. The organization must find a way not to destroy any health records
c. Health records involved in pending or ongoing litigation may be destroyed
d. Only state laws must be considered - ANSWER:a
Not all information must be kept forever. Just as the HIM professional must consider multiple factors
when determining retention, many factors must also be taken into consideration with regard to health
record destruction. These include applicable federal and state statutes and regulations; accreditation
standards; pending or ongoing litigation; storage capabilities; and cost (Rinehart-Thompson 2016a, 208).
What is the biggest threat to the security of healthcare data?
a. Natural disasters
b. Fires
c. Employees
d. Equipment malfunctions - ANSWER:c
Employees are the biggest threat to the security of healthcare data. Whether it is disgruntled employees
destroying computer hardware, snooping employees accessing information without authorization to do
so, or employees accessing information for fraudulent purposes, employees are a real threat to data
security (Rinehart-Thompson 2016c, 256).
Which of the following is not true about the Notice of Privacy Practices?
a. It must include at least two examples of how information is used for both treatment and operations.
b. It must include a description of the right to request restrictions on certain uses and disclosures.
c. It must explain the patient's right to inspect and copy PHI.
d. It must include a description of the patient's right to amend PHI. - ANSWER:a
AHIMA outlines the requirements for the content of the notice of privacy practices. One requirement is
that a description (including at least one example) is to be given of the types of uses and disclosures the
covered entity is permitted to make for treatment, payment, and healthcare operations (Rinehart-
Thompson 2016b, 230-231).
Community Hospital is discussing restricting the access that physicians have to electronic health records.
The medical record committee is divided on how to approach this issue. Some committee members
maintain that all information should be available, whereas others maintain that HIPAA restricts access.
The HIM director is part of the committee. Which of the following should the director advise the
committee?
, a. HIPAA restricts the access of physicians to all information.
b. The "minimum necessary" concept does not apply to disclosures made for treatment purposes;
therefore, physician access should not be restricted.
c. The "minimum necessary" concept does not apply to disclosures made for treatment purposes, but
the organization must define what physicians need as part of their treatment role.
d. The "minimum necessary" concept applies only to attending physicians, and therefore, restriction of
access must be implem - ANSWER:c
The HIPAA Privacy Rule concept of "minimum necessary" does not apply to disclosures made for
treatment purposes. However, the covered entity must define, within the organization, what information
physicians need as part of their treatment role (Thomason 2013, 5).
Burning, shredding, pulping, and pulverizing are all acceptable methods in which process?
a. Deidentification of electronic documents
b. Destruction of paper-based health records
c. Deidentification of records stored on microfilm
d. Destruction of computer-based health records - ANSWER:b
Because of cost and space limitations, permanently storing paper and microfilm-based health record
documents is not an option for most hospitals. Acceptable destruction methods for paper documents
include burning, shredding, pulping, and pulverizing (Fahrenholz 2013a, 111).
Mary's PHI was breached by her physician office when it was disclosed in error to another patient. Which
of the following breach notification statements is correct regarding the physician office's required
action?
a. It must report the breach to HHS within 60 days after the end of the calendar year in which the breach
occurred
b. It must report the breach to HHS within 60 days of the breach
c. It must notify all local media outlets and HHS immediately
d. It is not required to take any action since the breach affected only one person - ANSWER:a
Since this breach applies to one patient, it must be reported to HHS within 60 days after the end of the
calendar year (Rinehart-Thompson 2016b, 240).
To ensure relevancy, an organization's security policies and procedures should be reviewed at least:
a. Once every six months
