RHIT EXAM 2025/2026 GRADED A+ QUESTIONS
AND ANSWERS 100% CORRECT
A hospital HIM department receives a subpoena duces tecum for records of a former patient. When
the health record technician goes to retrieve the patient's health records, it is discovered that the
records being subpoenaed have been purged in accordance with the state retention laws. In this
situation, how should the HIM department respond to the subpoena? - Submit a certification of
destruction in response to the subpoena
Which of the following definitions best describes the concept of confidentiality? - The expectation
that personal information shared by an individual with a healthcare provider during the course of
care will be used only for its intended purpose
Which of the following is not an identifier under the Privacy Rule? - Age 75
Mrs. Bolton is an angry patient who resents her physicians "bossing her around." She refuses to take
a portion of the medications the nurses bring to her pursuant to physician orders and is verbally
abusive to the patient care assistants. Of the following options, the most appropriate way to
document Mrs. Bolton's behavior in the patient medical record is: - Noncompliant and hostile toward
staff
Which of the following is a core ethical obligation of health information professionals? - Protecting
patients' privacy and confidential communications
An employee accesses PHI on a computer system that does not relate to her job functions. What
security mechanism should have been implemented to minimize this security breach? - Access
controls
The HIM supervisor suspects that a departmental employee is accessing the EHR for personal
reasons, but has no specific data to support this suspicion. In this case, what should the supervisor
do? - Ask the security officer for audit trail data to confirm or disprove the suspicion.
A hospital is planning on allowing coding professionals to work at home. The hospital is in the
process of identifying strategies to minimize the security risks associated with this practice. Which of
the following would be best to ensure that data breaches are minimized when the home computer is
unattended? - Automatic session terminations
, Which of the following statements is true regarding HIPAA security? - Institutions are allowed
flexibility in the way they implement HIPAA standards.
Community Hospital is discussing restricting the access that physicians have to electronic health
records. The medical record committee is divided on how to approach this issue. Some committee
members maintain that all information should be available, whereas others maintain that HIPAA
restricts access. The HIM director is part of the committee. Which of the following should the
director advise the committee? - The "minimum necessary" concept does not apply to disclosures
made for treatment purposes, but the organization must define what physicians need as part of their
treatment role.
Central City Clinic has requested that Ghent Hospital send its hospital records for Susan Hall's most
recent admission to the clinic for her follow-up appointment. Which of the following statements is
true? - The Privacy Rule's minimum necessary requirement does not apply.
The HIPAA Security Awareness and Training administrative safeguard requires all of the following
addressable implementation programs for an entity's workforce except: - Disaster recovery plan
Jeremy Lykins was required to undergo a physical exam prior to becoming employed by San
Fernando Hospital. Jeremy's medical information is: - Not protected by the Privacy Rule because it is
part of a personnel record
Community Hospital is terminating its business associate relationship with a medical transcription
company. The transcription company has no further need for any identifiable information that it may
have obtained in the course of its business with the hospital. The CFO of the hospital believes that to
be HIPAA compliant, all that is necessary is for the termination to be in a formal letter signed by the
CEO. In this case, how should the director of HIM advise the CFO? - Confirm that a formal letter of
termination is required and that the transcription company must provide the hospital with a
certification that all PHI that it had in its possession has been destroyed or returned.
Lane Hospital has a contract with Ready-Clean, a local company, to come into the hospital to pick up
all of the facility's linens for off-site laundering. Ready-Clean is: - Not a business associate because it
does not use or disclose individually identifiable health information
Which of the following individuals may authorize release of information? - married 15-year-old father
An audit log is an example of: - Metadata
AND ANSWERS 100% CORRECT
A hospital HIM department receives a subpoena duces tecum for records of a former patient. When
the health record technician goes to retrieve the patient's health records, it is discovered that the
records being subpoenaed have been purged in accordance with the state retention laws. In this
situation, how should the HIM department respond to the subpoena? - Submit a certification of
destruction in response to the subpoena
Which of the following definitions best describes the concept of confidentiality? - The expectation
that personal information shared by an individual with a healthcare provider during the course of
care will be used only for its intended purpose
Which of the following is not an identifier under the Privacy Rule? - Age 75
Mrs. Bolton is an angry patient who resents her physicians "bossing her around." She refuses to take
a portion of the medications the nurses bring to her pursuant to physician orders and is verbally
abusive to the patient care assistants. Of the following options, the most appropriate way to
document Mrs. Bolton's behavior in the patient medical record is: - Noncompliant and hostile toward
staff
Which of the following is a core ethical obligation of health information professionals? - Protecting
patients' privacy and confidential communications
An employee accesses PHI on a computer system that does not relate to her job functions. What
security mechanism should have been implemented to minimize this security breach? - Access
controls
The HIM supervisor suspects that a departmental employee is accessing the EHR for personal
reasons, but has no specific data to support this suspicion. In this case, what should the supervisor
do? - Ask the security officer for audit trail data to confirm or disprove the suspicion.
A hospital is planning on allowing coding professionals to work at home. The hospital is in the
process of identifying strategies to minimize the security risks associated with this practice. Which of
the following would be best to ensure that data breaches are minimized when the home computer is
unattended? - Automatic session terminations
, Which of the following statements is true regarding HIPAA security? - Institutions are allowed
flexibility in the way they implement HIPAA standards.
Community Hospital is discussing restricting the access that physicians have to electronic health
records. The medical record committee is divided on how to approach this issue. Some committee
members maintain that all information should be available, whereas others maintain that HIPAA
restricts access. The HIM director is part of the committee. Which of the following should the
director advise the committee? - The "minimum necessary" concept does not apply to disclosures
made for treatment purposes, but the organization must define what physicians need as part of their
treatment role.
Central City Clinic has requested that Ghent Hospital send its hospital records for Susan Hall's most
recent admission to the clinic for her follow-up appointment. Which of the following statements is
true? - The Privacy Rule's minimum necessary requirement does not apply.
The HIPAA Security Awareness and Training administrative safeguard requires all of the following
addressable implementation programs for an entity's workforce except: - Disaster recovery plan
Jeremy Lykins was required to undergo a physical exam prior to becoming employed by San
Fernando Hospital. Jeremy's medical information is: - Not protected by the Privacy Rule because it is
part of a personnel record
Community Hospital is terminating its business associate relationship with a medical transcription
company. The transcription company has no further need for any identifiable information that it may
have obtained in the course of its business with the hospital. The CFO of the hospital believes that to
be HIPAA compliant, all that is necessary is for the termination to be in a formal letter signed by the
CEO. In this case, how should the director of HIM advise the CFO? - Confirm that a formal letter of
termination is required and that the transcription company must provide the hospital with a
certification that all PHI that it had in its possession has been destroyed or returned.
Lane Hospital has a contract with Ready-Clean, a local company, to come into the hospital to pick up
all of the facility's linens for off-site laundering. Ready-Clean is: - Not a business associate because it
does not use or disclose individually identifiable health information
Which of the following individuals may authorize release of information? - married 15-year-old father
An audit log is an example of: - Metadata
