RHIA 2022 Domain 2, Practice Exam Questions – COMPLETE SOLUTION

Document Content and Description Below

RHIA 2022 Domain 2, Practice Exam Questions – COMPLETE SOLUTION A visitor walks through the work area and picks up a flash drive from an employee's desk. What security controls should have been i... mplemented to prevent this security breach? a. Device and media controls b. Facility access controls c. Workstation use controls d. Workstation security controls - ✔✔Correct Answer: B Facility access controls include establishing safeguards to prohibit the physical hardware and computer system itself from unauthorized access while ensuring that proper authorized access is allowed (Reynolds and Brodnik 2017a, 275-276). Which of the following is true regarding the development of health record destruction policies? a. All applicable laws must be considered. b. The organization must find a way not to destroy any health records. c. Health records involved in pending or ongoing litigation may be destroyed. d. Only state laws must be considered. - ✔✔Correct Answer: A Not all information must be kept forever. Just as the HIM professional must consider multiple factors when determining retention, many factors must also be taken into consideration with regard to health record destruction. These include applicable federal and state statutes and regulations; accreditation standards; pending or ongoing litigation; storage capabilities; and cost (Reynolds and Morey 2020, 135- 136). Which of the following allows a patient to access all or part of the health record that is maintained by the provider? a. Clinical decision support b. Digital dictation c. Patient portal d. WebMD - ✔✔Correct Answer: CThe patient portal allows a patient to access all or part of the health record that is maintained by the patient's provider (Amatayakul 2017, 15). Burning, shredding, pulping, and pulverizing are all acceptable methods in which process? a. Deidentification of electronic documents b. Destruction of paper-based health records c. Deidentification of records stored on microfilm d. Destruction of computer-based health records - ✔✔Correct Answer: B The destruction of patient-identifiable clinical documentation should be carried in accordance with relevant federal and state regulations as well as organizational policy. Health records related to open investigations, audits, or court cases should not be destroyed for any reason. Paper-based health records can be destroyed using any of the following methods: burning, shredding, pulping, or pulverizing (Fahrenholz 2017b, 107). Today, Janet Kim had her first appointment with a new dentist. She was not presented with a Notice of Privacy Practices. Is this acceptable? a. No, a dentist is a healthcare clearinghouse, which is a covered entity under HIPAA. b. Yes, a dentist is not a covered entity per the HIPAA Privacy Rule. c. No, it is a violation of the HIPAA Privacy Rule. d. Yes, the Notice of Privacy Practices is not required. - ✔✔Correct Answer: C The Privacy Rule introduced the standard that individuals should be informed of how covered entities use or disclose protected health information (PHI). This notice must be provided to an individual at his or her first contact with the covered entity (Rinehart-Thompson 2017d, 219). Champion Hospital retains Hall and Hall, a law firm, to perform all of its legal work, including representation during medical malpractice lawsuits. Which of the following statements is correct? a. The law firm is not a business associate because it is a legal, not a medical, organization. b. The law firm is a business associate because it performs activities on behalf of the hospital. c. The law firm is not a business associate because the privacy rule prohibits it from using individually identifiable information. d. The law firm is not a business associate because it is a medical, not a legal, organization. - ✔✔Correct Answer: BThe law firm of Hall and Hall is a business associate of Champion Hospital because it performs activities on behalf of the hospital and uses and discloses individually identifiable information. A business associate is a person or organization other than a member of a covered entity's workforce that performs functions or activities on behalf of or affecting a covered entity that involve the use or disclosure of individually identifiable health information (45 CFR 160.103(1); Rinehart-Thompson 2017d, 211). Copies of personal health records (PHRs) are considered part of the legal health record when: a. Consulted by the provider to gain information on a consumer's health history b. Used by the healthcare entity to provide treatment c. Used by the provider to obtain information on a consumer's prescription history d. Used by the healthcare entity to determine a consumer's DNR status - ✔✔Correct Answer: B Only when copies of the personal health record (PHR) are used for treatment can they be considered part of the facilities' legal health record; however, the PHR does not replace the legal health record (Fahrenholz 2017d, 32-34). Which of the following is the systematic process of identifying security measures to afford protections based on a healthcare entity's specific environment? a. Gap analysis b. Operations review c. Readiness assessment d. Risk analysis - ✔✔Correct Answer: D Risk analysis is a systematic process of identifying security measures to afford protections given an organization's specific environment, including where the measures are located, what level of automation they have, how sensitive the information is that needs protection, what remediation will cost, and many other factors (Brinda and Watters 2020, 332). Under the HIPAA privacy standard, which of the following types of protected health information (PHI) must be specifically identified in an authorization? a. History and physical reports b. Operative reports c. Consultation reports d. Psychotherapy notes - ✔✔Correct Answer: DThe distinction of psychotherapy notes is important due to HIPAA requirements that these notes may not be released unless specifically identified in an authorization (Rinehart-Thompson 2017d, 222). The security devices situated between the routers of a private network and a public network to protect the private network from unauthorized users are called: a. Audit trails b. Passwords c. Firewalls d. Encryptors - ✔✔Correct Answer: C Firewalls are hardware and software security devices situated between the routers of a private and public network. They are designed to protect computer networks from unauthorized outsiders. However, they also can be used to protect entities within a single network, for example, to block laboratory technicians from getting into payroll records. Without firewalls, IT departments would have to deploy multiple-enterprise security programs that would soon become difficult to manage and maintain (Sayles and Kavanaugh-Burke 2018, 233). The Person or Entity Authentication Standard requires methods for verifying that a person is who he or she claims to be. Any of the following meets this standard except: a. Biometrics b. Smart card c. Unit level password d. Physical token - ✔✔Correct Answer: C Given that a unit level password could be used by any worker on a unit, it does not verify that a person is who they claim to be. The Person or Entity Authentication Standard seeks to ensure that organizations put methods in place to verify that users are who they claim they are. Passwords, smart cards, tokens, fobs, and biometrics are some of the many methods used in healthcare settings to confirm user identity (Biedermann and Dolezel 2017, 395). Mark Fielding, RHIA, is the new HIM director at St. Joseph's Hospital. Since it opened in 1960, this hospital has kept all health records in two rented warehouses that are located near the main hospital. The warehouse property is being sold, and the records will have to be moved to the hospital location. Before that happens, the CFO would like Mark to determine whether any of the records should be purged and destroyed. What is Mark's first step to determine if any records can be destroyed? a. Research all state and federal regulations related to record retention and develop a scheduleb. Determine how much space is available to move the records into c. Purge all records that are more than 10 years old regardless of dates of service or patient age d. Destroy the records due to their age - ✔✔Correct Answer: A The destruction of patient-identifiable clinical documentation should be carried in accordance with relevant federal and state regulations as well as organizational policy. Health records related to open investigations, audits, or court cases should not be destroyed for any reason. Paper-based health records can be destroyed using any of the following methods: burning, shredding, pulping, or pulverizing (Fahrenholz 2017b, 107). City Hospital's HIPAA committee is considering a change in policy to allow hospital employees who are also hospital patients to access their own patient information in the hospital's EHR system. A committee member notes that HIPAA provides rights to patients to view their own health information. However, another member wonders if this action might present other problems. In this situation, what suggestion should the HIM director provide? a. HIPAA requires that employees have access to their own information, so privileges should be granted to the employees to perform this function. b. HIPAA does not allow employees to have access to their own information, so the policy should not be implemented. c. Allowing employees to access their own records using their job-based access rights appears to violate HIPAA's minimum necessary requirement; therefore, allow employees to access their records through normal procedures. d. Employees are considered a special class of people under HIPAA and the policy should be implemented. - ✔✔Correct Answer: C Allowing employees of a covered entity to access their own protected health information electronically results in a situation in which the covered entity may be in compliance with parts of the HIPAA Privacy Rule, but in violation of other sections of the Privacy Rule. An ideal situation would be to establish a patient portal through which all patients may view their own records in a secure manner, and for which an employee has neither more or less rights than any other patient (Thomason 2013, 109). One of the medical staff committees at St. Vincent Hospital is responsible for reviewing cases of patients readmitted within 14 days after discharge. This review of the patients' health records is considered healthcare: a. Actions b. Operations c. Paymentd. Treatment - ✔✔Correct Answer: B The review of the health record by a medical staff committee is approved use of protected health information (PHI). The Privacy Rule provides a broad list of activities that fall under the umbrella of healthcare operations including quality assessment and improvement and case management (RinehartThompson 2017d, 216-217). What information process must the legal counsel of Smithville Hospital perform to prepare for a lawsuit against the hospital? a. Information governance b. E-Discovery c. Transparency d. Enterprise information management - ✔✔Correct Answer: B The e-discovery process includes the pretrial activities wherein participants acquire and analyze any electronic data that could be used in civil or criminal legal proceedings. Some of the aspects addressed in e-discovery include the format of the data, the location of the accumulated data, and record retention and destruction protocols (Sayles and Kavanaugh-Burke 2018, 246). If a patient has health insurance but pays in full for a healthcare service and asks that the information be kept private, under HIPAA the covered entity must: a. Release the information to the health insurance provider b. Get special patient consent to release the information c. Comply with the patient's request and keep the information private d. Request permission from HHS to release the information - ✔✔Correct Answer: C The 2013 HIPAA Omnibus Rule finalized regulations give patients the right to request that their PHI not be disclosed to a health plan if they pay out of pocket in full for the services or items. A provider who accepts the payment and provides the service is compelled to abide by this request (Rinehart-Thompson 2017d, 220-221). Jennifer's widowed mother is elderly and often confused. She has asked Jennifer to accompany her to physician office visits because she often forgets to tell the physician vital information. Under the Privacy Rule, the release of her mother's PHI to Jennifer is: a. Never allowedb. Allowed when the information is directly relevant to Jennifer's involvement in her mother's care or treatment c. Allowed only if Jennifer's mother is declared incompetent by a court of law d. Allowed access to PHI; any family member is always allowed access to PHI - ✔✔Correct Answer: B The Privacy Rule lists two circumstances where protected healt [Show More]

Last updated: 1 year ago

Preview 1 out of 18 pages