RHIT Domain 2
The process of releasing health record documentation originally created by a different provider is called
redisclosure. Federal and state regulations provide specific redisclosure guidelines; however, when in
doubt, follow the same principles as the release and disclosure guidelines for other types of health
record information (Fahrenholz 2013a, 104). - correct answer The process of releasing
health record documentation originally created by a different provider is called:
a. Privileged communication
b. Subpoena
c. Jurisdiction
d. Redisclosure
b
Data recovery is the process of recouping lost data or reconciling conflicting data after the system fails.
These data may be from events that occurred while the system was down or from backed-up data
(Sayles and Trawick 2014, 213). - correct answer When data has been lost in an EHR,
which action is taken to remedy this problem?
a. Build a firewall
b. Data recovery
c. Review the audit trail
d. Develop data integrity plan
c
There are certain circumstances where the minimum necessary requirement does not apply, such as to
healthcare providers for treatment; to the individual or his personal representative; pursuant to the
individual's authorization to the secretary of the HHS for investigations, compliance review, or
enforcement; as required by law; or to meet other Privacy Rule compliance requirements (164.502(b)
(2); Rinehart-Thompson 2017c, 234). - correct answer Central City Clinic has requested
,that Ghent Hospital send its hospital records for Susan Hall's most recent admission to the clinic for her
follow-up appointment. Which of the following statements is true?
a. The Privacy Rule requires that Susan Hall complete a written authorization.
b. The hospital may send only the discharge summary, history and physical, and operative report.
c. The Privacy Rule's minimum necessary requirement does not apply.
d. This "public interest and benefit" disclosure does not require the patient's authorization.
a
In order for an authorization to be valid, it must contain an expiration date or event that relates to the
individual or the purpose of the use or disclosure (Rinehart-Thompson 2016b, 245-246). - correct answer
Under the HIPAA Privacy rule, which of the following statements is true?
a. An authorization must contain an expiration date or event.
b. A consent for use and disclosure of information must be obtained from every patient.
c. An authorization must be obtained for uses and disclosures for treatment, payment, and operations.
d. A notice of privacy practices must give 10 examples of a use or disclosure for healthcare operations.
b
In the HIPAA Security Rule, one of the technical safeguards standards is access control. This includes
automatic log-off, which ensures processes that terminate an electronic session after a predetermined
time of inactivity (Reynolds and Brodnik 2017, 277). - correct answer A hospital is
planning on allowing coding professionals to work at home. The hospital is in the process of identifying
strategies to minimize the security risks associated with this practice. Which of the following would be
best to ensure that data breaches are minimized when the home computer is unattended?
a. User name and password
b. Automatic session terminations
c. Cable locks
d. Encryption
b
,Ownership of the health record has traditionally been granted to the provider who generates the record
(Brodnik 2017a, 9). - correct answer Who owns the health record?
a. Patient
b. Provider who generated the information
c. Insurance company who paid for the care recorded in the record
d. No one
a
Not all information must be kept forever. Just as the HIM professional must consider multiple factors
when determining retention, many factors must also be taken into consideration with regard to health
record destruction. These include applicable federal and state statutes and regulations; accreditation
standards; pending or ongoing litigation; storage capabilities; and cost (Rinehart-Thompson 2016a, 208).
- correct answer Which of the following is true regarding the development of health
record destruction policies?
a. All applicable laws must be considered
b. The organization must find a way not to destroy any health records
c. Health records involved in pending or ongoing litigation may be destroyed
d. Only state laws must be considered
c
Employees are the biggest threat to the security of healthcare data. Whether it is disgruntled employees
destroying computer hardware, snooping employees accessing information without authorization to do
so, or employees accessing information for fraudulent purposes, employees are a real threat to data
security (Rinehart-Thompson 2016c, 256). - correct answer What is the biggest threat to
the security of healthcare data?
a. Natural disasters
b. Fires
c. Employees
d. Equipment malfunctions
, a
AHIMA outlines the requirements for the content of the notice of privacy practices. One requirement is
that a description (including at least one example) is to be given of the types of uses and disclosures the
covered entity is permitted to make for treatment, payment, and healthcare operations (Rinehart-
Thompson 2016b, 230-231). - correct answer Which of the following is not true about
the Notice of Privacy Practices?
a. It must include at least two examples of how information is used for both treatment and operations.
b. It must include a description of the right to request restrictions on certain uses and disclosures.
c. It must explain the patient's right to inspect and copy PHI.
d. It must include a description of the patient's right to amend PHI.
c
The HIPAA Privacy Rule concept of "minimum necessary" does not apply to disclosures made for
treatment purposes. However, the covered entity must define, within the organization, what
information physicians need as part of their treatment role (Thomason 2013, 5). - correct answer
Community Hospital is discussing restricting the access that physicians have to electronic health records.
The medical record committee is divided on how to approach this issue. Some committee members
maintain that all information should be available, whereas others maintain that HIPAA restricts access.
The HIM director is part of the committee. Which of the following should the director advise the
committee?
a. HIPAA restricts the access of physicians to all information.
b. The "minimum necessary" concept does not apply to disclosures made for treatment purposes;
therefore, physician access should not be restricted.
c. The "minimum necessary" concept does not apply to disclosures made for treatment purposes, but
the organization must define what physicians need as part of their treatment role.
d. The "minimum necessary" concept applies only to attending physicians, and therefore, restriction of
access must be implemented.
b
Because of cost and space limitations, permanently storing paper and microfilm-based health record
documents is not an option for most hospitals. Acceptable destruction methods for paper documents
The process of releasing health record documentation originally created by a different provider is called
redisclosure. Federal and state regulations provide specific redisclosure guidelines; however, when in
doubt, follow the same principles as the release and disclosure guidelines for other types of health
record information (Fahrenholz 2013a, 104). - correct answer The process of releasing
health record documentation originally created by a different provider is called:
a. Privileged communication
b. Subpoena
c. Jurisdiction
d. Redisclosure
b
Data recovery is the process of recouping lost data or reconciling conflicting data after the system fails.
These data may be from events that occurred while the system was down or from backed-up data
(Sayles and Trawick 2014, 213). - correct answer When data has been lost in an EHR,
which action is taken to remedy this problem?
a. Build a firewall
b. Data recovery
c. Review the audit trail
d. Develop data integrity plan
c
There are certain circumstances where the minimum necessary requirement does not apply, such as to
healthcare providers for treatment; to the individual or his personal representative; pursuant to the
individual's authorization to the secretary of the HHS for investigations, compliance review, or
enforcement; as required by law; or to meet other Privacy Rule compliance requirements (164.502(b)
(2); Rinehart-Thompson 2017c, 234). - correct answer Central City Clinic has requested
,that Ghent Hospital send its hospital records for Susan Hall's most recent admission to the clinic for her
follow-up appointment. Which of the following statements is true?
a. The Privacy Rule requires that Susan Hall complete a written authorization.
b. The hospital may send only the discharge summary, history and physical, and operative report.
c. The Privacy Rule's minimum necessary requirement does not apply.
d. This "public interest and benefit" disclosure does not require the patient's authorization.
a
In order for an authorization to be valid, it must contain an expiration date or event that relates to the
individual or the purpose of the use or disclosure (Rinehart-Thompson 2016b, 245-246). - correct answer
Under the HIPAA Privacy rule, which of the following statements is true?
a. An authorization must contain an expiration date or event.
b. A consent for use and disclosure of information must be obtained from every patient.
c. An authorization must be obtained for uses and disclosures for treatment, payment, and operations.
d. A notice of privacy practices must give 10 examples of a use or disclosure for healthcare operations.
b
In the HIPAA Security Rule, one of the technical safeguards standards is access control. This includes
automatic log-off, which ensures processes that terminate an electronic session after a predetermined
time of inactivity (Reynolds and Brodnik 2017, 277). - correct answer A hospital is
planning on allowing coding professionals to work at home. The hospital is in the process of identifying
strategies to minimize the security risks associated with this practice. Which of the following would be
best to ensure that data breaches are minimized when the home computer is unattended?
a. User name and password
b. Automatic session terminations
c. Cable locks
d. Encryption
b
,Ownership of the health record has traditionally been granted to the provider who generates the record
(Brodnik 2017a, 9). - correct answer Who owns the health record?
a. Patient
b. Provider who generated the information
c. Insurance company who paid for the care recorded in the record
d. No one
a
Not all information must be kept forever. Just as the HIM professional must consider multiple factors
when determining retention, many factors must also be taken into consideration with regard to health
record destruction. These include applicable federal and state statutes and regulations; accreditation
standards; pending or ongoing litigation; storage capabilities; and cost (Rinehart-Thompson 2016a, 208).
- correct answer Which of the following is true regarding the development of health
record destruction policies?
a. All applicable laws must be considered
b. The organization must find a way not to destroy any health records
c. Health records involved in pending or ongoing litigation may be destroyed
d. Only state laws must be considered
c
Employees are the biggest threat to the security of healthcare data. Whether it is disgruntled employees
destroying computer hardware, snooping employees accessing information without authorization to do
so, or employees accessing information for fraudulent purposes, employees are a real threat to data
security (Rinehart-Thompson 2016c, 256). - correct answer What is the biggest threat to
the security of healthcare data?
a. Natural disasters
b. Fires
c. Employees
d. Equipment malfunctions
, a
AHIMA outlines the requirements for the content of the notice of privacy practices. One requirement is
that a description (including at least one example) is to be given of the types of uses and disclosures the
covered entity is permitted to make for treatment, payment, and healthcare operations (Rinehart-
Thompson 2016b, 230-231). - correct answer Which of the following is not true about
the Notice of Privacy Practices?
a. It must include at least two examples of how information is used for both treatment and operations.
b. It must include a description of the right to request restrictions on certain uses and disclosures.
c. It must explain the patient's right to inspect and copy PHI.
d. It must include a description of the patient's right to amend PHI.
c
The HIPAA Privacy Rule concept of "minimum necessary" does not apply to disclosures made for
treatment purposes. However, the covered entity must define, within the organization, what
information physicians need as part of their treatment role (Thomason 2013, 5). - correct answer
Community Hospital is discussing restricting the access that physicians have to electronic health records.
The medical record committee is divided on how to approach this issue. Some committee members
maintain that all information should be available, whereas others maintain that HIPAA restricts access.
The HIM director is part of the committee. Which of the following should the director advise the
committee?
a. HIPAA restricts the access of physicians to all information.
b. The "minimum necessary" concept does not apply to disclosures made for treatment purposes;
therefore, physician access should not be restricted.
c. The "minimum necessary" concept does not apply to disclosures made for treatment purposes, but
the organization must define what physicians need as part of their treatment role.
d. The "minimum necessary" concept applies only to attending physicians, and therefore, restriction of
access must be implemented.
b
Because of cost and space limitations, permanently storing paper and microfilm-based health record
documents is not an option for most hospitals. Acceptable destruction methods for paper documents
