AHIMA ROI Microcredential Study, Exams of Advanced Education

Typology: Exams

2024/2025

Available from 10/31/2025

studyclass
AHIMA ROI Microcredential Study
Security Rule - correct answer ✔✔ establishes national standards to protect
individuals' electronic personal health information that is created, received,
used, or maintained by a covered entity
What is another name for the Security Rule? - correct answer ✔✔ The
Security Standards for the Protection of Electronic Protected Health
Information
Who enforces the Security Rule? - correct answer ✔✔ the Office for Civil
Rights (OCR)
Who does the Security Rule apply to? - correct answer ✔✔ health plans,
health care clearinghouses, and to any health care provider who transmits HI
in electronic form in connection with a transaction for which the Secretary of
HHS has adopted standards under HIPAA (the CEs) and to their BAs
Administrative Safeguards provision in the Security Rule - correct answer ✔✔
requires covered entities to perform risk analysis as part of their security
management processes
Administrative safeguard examples - correct answer ✔✔ security
management process, security personnel, information access management,
workforce training and management, and evaluation
Physical safeguard examples - correct answer ✔✔ facility access and control,
and workstation and device security

Technical safeguard examples - correct answer ✔✔ access control, audit controls, integrity controls, and transmission security
Minimum Necessary standard - correct answer ✔✔ practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function
Can an entire medical record be disclosed? - correct answer ✔✔ A CE may not use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose
Final Omnibus Rule - correct answer ✔✔ implements a number of provisions of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under HIPAA
The four final rules of the Omnibus Rule - correct answer ✔✔ modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the HITECH Act, and certain other modifications to improve the Rules; adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil penalty structure provided by the HITECH Act; Breach Notification for Unsecured PHI under the HITECH Act, which replaces the breach notification rule's "harm" threshold with a more objective standard; modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes

release confidential records until the provisions of both HIPAA and state law have been satisfied (judge order or written, compliant authorization)
Quash period - correct answer ✔✔ time frame between the issue date of the subpoena and when the records are due to be produced, allows the opposing counsel to object to the records being fulfilled
Risk management - correct answer ✔✔ includes the implementation of security measures to reduce risk to reasonable and appropriate levels to, among other things, ensure the confidentiality, availability and integrity of ePHI, protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, and protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required under the HIPAA Privacy Rule
State versus Federal regulations - correct answer ✔✔ Always choose the most stringent of the two between state and federal regulations regarding releasing medical records
21st Century Cures Act (21CCA) - correct answer ✔✔ made sharing electronic health information the expected norm in health care by authorizing the Secretary of HHS to identify reasonable and necessary activities that do not constitute information blocking
ONC Cures Act Proposed Rule - correct answer ✔✔ a request for information regarding potential disincentives for health care providers that have committed information blocking and asked whether modifying disincentives already available under existing Department programs and regulations would provide for more effective deterrence
ONC Cures Act Final Rule - correct answer ✔✔ finalized 8 definitions that are necessary to implement the statutory information blocking provision, including definitions related to the four classes of individuals and entities covered by the statutory information blocking provision: health care providers, health IT developers, health IT networks, and health IT exchanges
Office of Inspector General (OIG) - correct answer ✔✔ has authority to investigate claims of possible information blocking across all types of actors: health care providers, health information networks and health information exchanges, and health IT developers of certified health IT
8 exceptions to information blocking - correct answer ✔✔ preventing harm exception; privacy exception; security exception; infeasibility exception; HIT performance exception; content and manner exception; fees exception; licensing exception
Preventing Harm exception - correct answer ✔✔ an actor engages in reasonable and necessary practices in order to prevent harm to a patient/another person, provided certain conditions are met

metadata, e-mails, hospital or physician web-sites, blogs, online transactions, word processing documents, electronically stored photos, and recorded messages
Notice of Privacy Practices - correct answer ✔✔ document explaining how the covered entity may use and disclose PHI about an individual
What is included in the notice of privacy practices? - correct answer ✔✔ The individual's rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity; The covered entity's legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information; Whom individuals can contact for further information about the covered entity's privacy policies
Designated record set (DRS) - correct answer ✔✔ medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals
Discharge summary - correct answer ✔✔ Comprehensive outline of patient's entire hospital stay; includes condition at time of admission, admitting diagnosis, test results, treatments and patient's response, final diagnosis, and follow-up plans
History & Physical - correct answer ✔✔ written or dictated by admitting physician; details patient's history, results of physician's examination, initial diagnoses, and physician's plan of treatment

Progress notes - correct answer ✔✔ chronological statements about the patient's response to treatment during stay
Consent Forms - correct answer ✔✔ exact details of treatment patient received and shows patient understanding of treatment
Consultations - correct answer ✔✔ A professional caregiver giving formal advice to another caregiver
Operative report - correct answer ✔✔ Report from surgeon detailing an operation; includes pre- and postoperative diagnosis, specific details of surgical procedure itself, and how patient tolerated procedure
Orders - correct answer ✔✔ list of the procedures, medicines, therapies, and other prescriptions for a patient
Deficiencies in an EMR - correct answer ✔✔ include lack of signatures, missing/incomplete/illegible orders, missing pages, missing or incorrect dates, incorrect/missing codes, failure to document procedures, etc.
6 Individual Patient Rights - correct answer ✔✔ Access/obtain copy of own PHI (HITECH makes change); Request amendment of PHI; Accounting of disclosures (HITECH makes changes); Request restrictions on uses/disclosures of PHI (HITECH makes changes); Request confidential communications; Complain about alleged HIPAA violations

When is special authorization needed for the ROI of sensitive information? - correct answer ✔✔ In cases of records that contain pieces of sensitive information (behavioral health, alcohol/drug abuse, genetic and adoption information, STIs/STDs), special authorization is needed to prevent any harm or damage that the release of this information may cause to the patients
How can patients or their representatives gain access to information? - correct answer ✔✔ Patients that are mentally competent and over the age of maturity, as well as their representatives, can gain access to the patient's medical information by submitting an appropriate request; An individual's personal representative has the right to access PHI about the individual in a designated record set upon request, consistent with the scope of such representation and meeting the requirements; A CE may require individuals to request access through a written request, and may offer individuals the option of using electronic means (e.g., e-mail, secure web portal) as well
Personal representative - correct answer ✔✔ stands in the shoes of the individual and has the ability to act for the individual and exercise the individual's rights; A personal representative may also authorize disclosures of the individual's protected health information
When do you provide a certificate of destruction? - correct answer ✔✔ If record retention period is over and record has been destroyed appropriately
Required elements for accounting of disclosures - correct answer ✔✔ The date of the disclosure; the name (and address, if known) of the entity or person who received the protected health information; a brief description of the information disclosed; a brief statement of the purpose of the disclosure (or a copy of the written request for the disclosure)
How long are accounting for disclosures able to be released? - correct answer ✔✔ Up to 6 years leading up to the request date
How many days do facilities have to respond to a record access request? - correct answer ✔✔ 30 days
Primary system - correct answer ✔✔ what is used in the facility to retrieve information
Secondary system - correct answer ✔✔ areas outside of the initial originating system, such as patient information/data that came from another source or department in order to gather all data to perform a release
What is the maximum fee charge that can be charged for electronic records? - correct answer ✔✔ $6.
TPO meaning - correct answer ✔✔ treatment, payment, healthcare operations

outright asking the patient with the opportunity for them to agree or object for incidental use/disclosure public interest or benefit for a limited data set in the purpose of research or public health do not require patient authorization
Example of government organizations that interact with ROI functions - correct answer ✔✔ CMS or FEMA
Internal Audit - correct answer ✔✔ conducted by an internal auditor within the organization and look to uncover areas that need improvement, and can help organizations better understand how to manage an external audit by making any necessary adjustments (If an organization is looking to analyze the quality of patient records for an internal audit, they would need to request medical records in order to do so)
External Audit - correct answer ✔✔ External audits are conducted by an external auditor outside of the organization (If an organization is looking to analyze the accuracy of their billing records and financial statements, they may need to conduct an external audit to see where these numbers came from... meaning they would need to request medical records to check for coding and claim accuracy)

Compliant authorization for ROI required elements - correct answer ✔✔ A description of the PHI; The name of the person making the authorization; The name of the person or organization who is authorized to receive the PHI; A description of the purpose for the use or disclosure; An expiration date for the authorization; The signature of the person making the authorization
Subpoena - correct answer ✔✔ A HIPAA-covered provider or plan may disclose information to a party issuing a subpoena only if the notification requirements of the Privacy Rule are met
Court Order - correct answer ✔✔ A HIPAA-covered health care provider or health plan may share your protected health information if it has a court order... and may only disclose the information specifically described in the order
Clear Communication Techniques - correct answer ✔✔ Requesting through patient portal; Sending an email/mail/fax to your provider; Filling out the authorization for request of information form

When can CEs disclose PHI to law enforcement officials? - correct answer ✔✔ As required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; To identify or locate a suspect, fugitive, material witness, or missing person; In response to a law enforcement official's request for information about a victim or suspected victim of a crime; To alert law enforcement of a person's death, if the covered entity suspects that criminal activity caused the death; When a covered entity believes that protected health information is evidence of a crime that occurred on its premises; By a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime
What is the Office for Civil Rights Responsible for? - correct answer ✔✔ enforcing the HIPAA Privacy and Security Rules; Investigates complaints filed; Conducts compliance reviews to determine if covered entities are in compliance; Performs education and outreach to foster compliance with requirements of the Privacy and Security Rules
Patient right to receive versus right to inspect - correct answer ✔✔ The Privacy Rule generally requires HIPAA CEs to provide individuals, upon request, with access to the PHI about them in one or more DRSs maintained by or for the CE, including the right to inspect and obtain a copy; While inspecting a patient's own PHI, they are allowed to take notes and use their own resources (like a cell phone) to capture the information; Patients are also able to make copies of PHI using their own resources at no fee as long as the copying is being done by the individual and not the entity
What is required for a patient to inspect their records on site? - correct answer ✔✔ the records must be located on-site, and will be provided an extension date if they are not all located on site; information must already be contained in the DRS
How soon must an Information Breach be reported to the secretary if it affects 500+ individuals? - correct answer ✔✔ 60 calendar days from the discovery of the breach
How soon must an Information Breach be reported to the secretary if it affects less than 500 individuals? - correct answer ✔✔ within 60 days of the end of the calendar year in which the breach was discovered
Best practices for protecting PHI - correct answer ✔✔ De-identifying PHI; Implementing administrative, physical, and technical safeguards; Assuring authorized recipients of a patient's information before discussing the information with them
Legacy system - correct answer ✔✔ a software, technology, or process that is no longer produced, updated, or protected because of new superior technology or lack of maintenance

Four options in response to Subpoenas - correct answer ✔✔ grant the motion and quash the subpoena; partially grant the motion and quash certain parts; modify the subpoena to make it reasonable; dismiss the motion to quash if the court finds it valid
Face Sheet - correct answer ✔✔ typically the first page which contains the patient's name, address, family doctor, insurance info, diagnosis, etc.
Pathology report - correct answer ✔✔ An analysis of anything removed from the patient during the operation (i.e., to check for cancer). This is a transcribed report completed by the Pathology Department
Inpatient (IP) admission type - correct answer ✔✔ A patient is admitted to the hospital and occupies a bed for a period of at least 48 hours or more. An admission may last for days, weeks, or months.
Outpatient (OP) admission type - correct answer ✔✔ A patient received treatment or testing at the hospital but never occupies a bed. The episode of care is usually less than 24 hours at a time and can be spread out over days, weeks, even months
Who owns the MEDICAL RECORD? - correct answer ✔✔ the facility/organization
Who owns the CONTENT in the record? - correct answer ✔✔ the patient

Preemption - correct answer ✔✔ Legal doctrine requiring compliance with federal law when federal and state law conflicts
Business Associate (BA) - correct answer ✔✔ Individual or organization working on behalf of a covered entity and creating, receiving, maintaining, or transmitting protected health information
Covered Entity (CE) - correct answer ✔✔ Entity transmitting any health information in electronic form, including health plans, healthcare clearinghouses, and healthcare providers
Health Information Technology for Economic and Clinical Health Act (HITECH) - correct answer ✔✔ Legislation stimulating the adoption of EHR and supporting technology in the United States.
Health Insurance Portability and Accountability Act (HIPAA) - correct answer ✔✔ Federal legislation providing continuity of health coverage, control of fraud and abuse in healthcare, and guaranteeing the security and privacy of health information
Information blocking - correct answer ✔✔ Practice likely to interfere with access, exchange, or use of electronic health information, except as required by law or specified by the Secretary of Health and Human Services
Legal Health Record - correct answer ✔✔ Documents and data elements included in response to legally permissible requests for patient information.
How long after a patient is deceased is their PHI no longer considered identifiable? - correct answer ✔✔ 50 years