During an internal investigation, it is
discovered that the Institutional Review
Board (IRB) has not been reviewing the
informed consents or authorizations
completed by research subjects. Which
of the following should a privacy
officer do FIRST?
A. Report the issue to OHRP.
B. Report the issue to the OCR.
C. Contact legal counsel.
D. Contact the provost. - ✔️✔️C. Contact legal counsel.
Which of the following uses of patient health information do not require the patient's
authorization?
a. Treatment, payment, health care administration
b. Marketing
c. Genetic testing and research studies
d. Release of psychotherapy notes - ✔️✔️a. Treatment, payment, health care
administration
A new privacy officer is reviewing an
organization's current policy on patient
requests for amendments. Which of
the following is the MOST critical to the
evaluation process?
A. effective and revision dates of
the policy
B. accurate description of the
regulatory requirements
C. nature of complaints related to
the policy
D. description of the form letters used
to respond to requests - ✔️✔️B. accurate description of the
regulatory requirements
As part of due diligence on Business
Associates, a privacy officer would be
MOST concerned with confirming that
they conduct:
A. criminal background checks.
B. credit history checks.
C. provider credentialing checks.
D. health screening checks. - ✔️✔️A. criminal background checks.
Data breach response training is
required by which of the following
regulations?
A. HITECH
B. GLBA
C. FMLA
D. Privacy Act - ✔️✔️A. HITECH
A business associate has contacted
an organization's privacy officer to
alert him that some of the patient
information that they hold in relation
to the BAA may have been breached.
An employee took a laptop that
contained patient information from
several vendors and misplaced it at an
airport. They are not 100% sure that
information from the organization was
on the laptop. Which of the following is
the MOST appropriate response by the
privacy officer?
A. Rely on the business associate to
conduct any needed notifications.
B. Notify each individual whose PHI
has been possibly disclosed.
C. Determine if the breach involved
more than 500 individuals.
D. Assure that all notifications
occur no later than 90 days after
discovery. - ✔️✔️C. Determine if the breach involved
more than 500 individuals.
Which of the following are considered protected health information under HIPAA?
Select all that apply.
a. Phone number
b. Medical record number
c. License plate number
d. Email address - ✔️✔️a. Phone number b. Medical record number c. License plate
number d. Email address