HCCA CHC Exam Study Guide: Healthcare Compliance & Ethics (2024-2025), Exams of Public Health

A set of practice questions and answers related to healthcare compliance and ethics, specifically focusing on the AAPC CPCO certification exam. It covers topics such as employee rights, patient privacy, service animal policies, and compliance program elements. The questions are designed to test understanding of key concepts and regulations relevant to healthcare professionals.

Typology: Exams

2024/2025

Available from 02/02/2025

denis-kinyua-2
HCCA - CHC Study Questions (MASTER FLASHCARDS) EXAM 2024-2025

QUESTIONS AND CORRECT VERIFIED ANSWERS /100% PASS SOLUTION /

ALREADY GRADED A+

What is the maximum amount of money an employer can charge for personal protective equipment (PPE)?

a. $5 per pay

b. $10 per pay

c. Free of charge for the first year of employment

d. Free of charge - answer>>d. Free of charge

PPE will need to be provided to your employees at no expense to them.

Note: practice question from AAPC CPCO Ch7

Which serves as a reference source of information about personnel policies and procedures?

a. Nursing Handbook

b. Personnel Policy Manual

c. Physician Desk Reference

d. Material Safety Data Sheets - answer>>b. Personnel Policy Manual

Personnel policy manuals should be designed to serve as a reference source of information about personnel policies and procedures.

Note: practice question from AAPC CPCO Ch8

Which is the underlying principle of the Equal Employment Opportunity law?

a. This law requires all persons to be entitled to equal employment opportunity regardless of race, religion, or national origin.

b. This law requires all minorities to be entitled to equal employment opportunity regardless of race, color, religion, sex, national origin, age, disability, or any other characteristic protected by law.

c. This law requires all persons to be entitled to equal employment opportunity regardless of race, color, religion, sex, national origin, age, disability, or any other characteristic protected by law.

d. This law requires all persons be entitled to equal employment opportunity regardless of sex, age, or disability. - answer>>c. This law requires all persons to be entitled to equal employment opportunity regardless of race, color, religion, sex, national origin, age, disability, or any other characteristic protected by law.

It is important for a compliance officer to understand that all persons are legally entitled to equal employment regardless of their race, color, religion, sex, national origin, age, disability, or any other characteristic protected by law.

Failure to abide by the Equal Employment Opportunity law can bring forth lawsuits based on unlawful discrimination.

Note: practice question from AAPC CPCO Ch

If a patient referred to your practice has a hearing deficit and needs an appointment, what steps should your practice take when scheduling?

a. Ask the patient to bring an interpreter with them to the visit.

b. Kindly explain to the patient that he or she can't be seen because the practice doesn't have the ability to communicate with the hearing impaired.

c. Schedule the appointment a few days ahead and make arrangements for an interpreter.

d. Schedule the appointment, advise the patient of the charge for the interpreter, and ask how he or she will pay for the services. - answer>>c. Schedule the appointment a few days ahead to make arrangements for an interpreter.

The ADA requires businesses to take steps necessary to communicate effectively with patients with vision, hearing, and speech disabilities.

Note: practice question from AAPC CPCO Ch

If a patient walks into your practice with a leashed dog, what should you do?

a. Advise the patient that animals are not allowed inside the practice.

b. Ask the patient if the dog is a service animal.

c. Ask the patient if the dog is a service animal and, if the patient states yes, allow the animal on the premises.

d. Ask the patient for the dog's ID tag indicating that it is a service animal. - answer>>c. Ask the patient if the dog is a service animal and, if the patient states yes, allow the animal on the premises.

There should be a clear policy about service animals to help ensure staff is aware of its obligation to allow access to patients with service animals. https://www.ada.gov/service_animals_2010.htm

Note: practice question from AAPC CPCO Ch

What key item(s) can protect a medical practice from harassment liability?

a. Keys to the office

b. Management plans

c. Physical safeguards

a. The issue was self-reported and repaid, no additional testing required

b. Continue to monitor this issue for future billings

c. Test a few years back and risk making additional payments

d. There is not enough information provided to make a sound decision - answer>>b. Continue to monitor this issue for future billings

A probe sample may be used in which of the following scenarios:

a. When determining accuracy of processes or compliance with specific laws, regulation or policies

b. When a process has been identified as broken.

c. When learning about the characteristics of the population under review.

d. A, B and C. - answer>>d. A, B and C.

The Compliance Officer is working with the Compliance Committee to develop goals of a review from a compliance perspective. What is the first thing that should be done?

a. Conduct a probe audit on claims

b. Take a "snapshot" to develop a baseline to assess the current state of compliance

c. Conduct a contemporaneous review

d. Conduct a concurrent audit - answer>>b. Take a "snapshot" to develop a baseline to assess the current state of compliance

Fill in the blank:

You are about to perform an internal assessment in Compliance. The FIRST step is to conduct a _____ audit in order to outline the current operational standards and how those are met, and help you identify real and potential weaknesses. The overall outcome of this audit will offer ________ regarding necessary remedial action. - answer>>baseline/snapshot; recommendations

The claims department needs to determine the initial baseline view of a particular billing practice to represent the beginning of a review process. What type of audit should be conducted?

a. A probe audit

b. Retrospective Audit

c. A contemporaneous review

d. Retroactive audit - answer>>c. A contemporaneous review

What are the effective elements for monitoring and auditing?

A. You have an auditing plan and methodology

B. Your program has gone beyond process audits, proactive and reactive audits

C. You have included an auditing strategy and results reporting

D. Corrective Action and verification

E. All of the above - answer>>E. All of the above

TRUE or FALSE: As a CO, you are tasked with identifying risk. Knowing some document reviews may never apply to your organization, should you review Special Advisory Bulletins? - answer>>TRUE

The benefits of conducting a Controlled Self-Assessment are:

A. Increases the scope and targets audit work

B. Increases awareness and targets audit work

C. Frees internal audit resources and increases the scope

D. Motivates personnel, targets audit work, and increases awareness

E. Both C and D - answer>>E. Both C and D

You are tasked with creating a risk assessment team. What are the keys to your success?

A. Select team members based on skills and experience and knowledge of risk areas and make sure they know why they were selected

B. Utilize risk assessment tools

C. Develop team ground rules and the risk assessment process

D. Both A and B

E. Both A and C

F. A, B, and C - answer>>F. A, B, and C

The professional association dedicated to helping health care compliance professionals, through education, networking opportunities and other resources, create an ethical environment within their organizations and meet all legal and regulatory requirements related to Medicare reimbursement - answer>>Health Care Compliance Association (HCCA)

Any information, oral or recorded, in any form of medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearing house; and (2) related to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual - answer>>Health Information

Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the covered entity is under the direct control of such entity, whether or not they are paid by the covered entity - answer>>Privacy Rule - workforce

What are the three main EMTALA responsibilities of hospitals and ED physicians when a patient arrives at the emergency department? - answer>>EMTALA/Patient anti-dumping statute, 42 USC 1395dd, requires that all Medicare participating hospitals with an ED department:

  1. Provide patient Medical Screening Examination (MSE) regardless of insurance to determine if emergency medical condition exists,
  2. Stabilize any patients with an emergency medical condition, and
  3. Transfer or accept appropriate patients as needed (transferring a patient without copies of the medical record, including imaging, is an EMTALA violation)

What subpart in Part 164 deals with Privacy - answer>>Subpart E (Hint: Privacy....Privac-E)

Subpart D (Hint: "D"arn it! We have a breach!)

Subpart C (Hint: "C"-curity)

What subpart in Part 164 deals with Breach Notifications - answer>>Subpart D (Hint: "D"arn it! We have a breach!)

What subpart in the HIPAA 45 CFR 164 deals with Security - answer>>Subpart C (Hint: "C"-curity)

Subpart D (Hint: "D"arn it! We have a breach!)

Subpart E (Hint: Privacy....Privacy-E) https://www.law.cornell.edu/cfr/text/45/part-

What is the difference between HIPAA Privacy and Security? - answer>>Privacy - covers all forms of PHI (ePHI, written, oral).

Security - covers ePHI only

What are the 3 components that make up security? - answer>>Security CIA:

Confidentiality

Integrity

Availability

What's wrong with this statement, "We need to identify if this breach is reportable?" - answer>>All breaches are reportable

What is a Breach? - answer>>The access, acquisition, use, or disclosure of protected health information in a manner not permitted under subpart E (Privac-E Rules) which compromises the security or privacy of PHI.

What are the four impermissibles (HIPAA breach)? - answer>>Access

Acquisition

Use

Disclosure

What is HIPAA LoProCo? - answer>>Low Probability that the data has been Compromised (LoProCo)

Breach is assumed unless covered entity can demonstrate _____ - answer>>LoProCo

When does the 60 day "clock" begin for breach notifications? - answer>>When the "impermissible" is discovered by the Covered Entity

When is the deadline for reporting breaches to the Secretary? - answer>>For breaches affecting 500 or more: 60 days from discovery.

For breaches affecting fewer than 500: any time, but no later than 60 days from the end of the calendar year the breach was discovered.

What is the record retention period for HIPAA related work product? - answer>>6 years

Breach Notification under ARRA, what is this? - answer>>ARRA (Amer. Recovery Reinvestment Act). Breach notification was passed as part of ARRA of 2009, requiring covered entities to promptly notify affected individuals of a breach (when and how you notify that a PHI breach has occurred)

The Social Security Act Section 1128C(a), as established by the ___ ___ ___ and ___ Act, created the Health Care Fraud and Abuse Control Program, a far reaching program to combat fraud and abuse in health care, including both public and private health plans - answer>>Health Insurance Portability and Accountability (HIPAA)

The two instances PHI does not require authorization: - answer>>1 - directly to patient 2 - to government or HHS for investigation of alleged privacy violation

Permissions and Required under the HIPAA rule are NOT the same thing. Explain - answer>>"Permissions" can still be denied, and "Required" is mandatory

What is the timeframe requirement to train new employees about HIPAA? - answer>>"within a reasonable period of time after the person joins the covered entity's workforce"

A covered entity may use or disclose PHI for TPO... what does TPO stand for? - answer>>Treatment

Payment

Health Care Operations

What rights of an individual must be contained in the Notice of Privacy Practices (NPP)? - answer>>The right to request restrictions on certain uses and disclosures of PHI

The right to receive confidential communications of PHI

The right to inspect and copy PHI

The right to amend PHI

The right to receive an accounting of disclosures of PHI

The right of an individual to obtain a paper copy of the notice from the covered entity upon request.

True or False - An individual has the right to access all of the PHI within his or her Designated Record Set (DRS) - answer>>FALSE - The HIPAA rules do identify instances when a covered entity may deny access.

Covered entities participating in an Organized Health Care Arrangement are permitted to

A. act as a single covered entity

B. utilize a single notice of privacy practices

C. share psychotherapy notes

D. operate as a hybrid entity - answer>>B. utilize a single notice of privacy practices

What is Unsecured PHI? - answer>>PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance

What is De-identified PHI? - answer>>Health information that does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual.

How long is PHI protected after the person's death? - answer>>50 years

How many identifiers are listed in the HIPAA Privacy Rules? - answer>>

PHI or protected health information that is collected by an individual or received by a covered entity can be used or disclosed by these four areas. Name them - answer>>1- TPO (Tx, Pymt, Healthcare Operations)

2- public interest/public crisis or emergency

3-with an opportunity to object (i.e. spouse picking up Rx)

4-authorization, permission granted

Covered Entity includes: - answer>>

  • Health plan (payers)
  • Health care clearinghouse (process health information into standard data elements on behalf of the CE)
  • Health care provider who transmits any health info in electronic form

What is a Health Care Clearinghouse? - answer>>Entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.

Which of the three rules in Part 164 apply to PHI in all of its formats? - answer>>Part E (Privacy) applies to PHI in all of its formats

BONUS: also Part D since breaches can involve PHI in all of its formats as well

Remember:

Part E - Privacy (Hint: Privacy....Privacy-E)

Part C - Security (Hint: "C"-curity)

Part D - Breach Notification (Hint: "D"arn it! We have a breach!)

When can you use or disclose PHI?

A. When the patient has authorized, in writing, its release.

B. For the treatment of a patient, if that is part of my job.

C. For obtaining payment for services, if that is part of my job.

D. All of the answers. - answer>>D. All of the answers.

d. All of the answers. - answer>>b. Log your co-worker off and re-login under your own User-ID and password.

What does HIPAA do?

A. Protects the privacy and security of a patient's health information.

B. Prevents health care fraud and abuse.

C. Provides for electronic and physical security of a patient's health information.

D. All of the answers. - answer>>D. All of the answers.

What is PHI (Protected Health Information)?

a. Information that can be used to identify a patient.

b. Covered transactions performed electronically (eligibility, enrollment, health care claims, payment, etc.)

c. Information about a past or present mental or physical condition of a patient.

d. All of the answers. - answer>>d. All of the answers.

Re: HIPAA

Describe what to do with a "required" implementation specification - answer>>Implement the specification as presented

Re: HIPAA

Describe what to do with an "addressable" implementation specification - answer>>Implement as presented, or if not reasonable and appropriate implement an equivalent alternative measure.

The HIPAA Security Rule requires covered entities to:

a. Maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic protected health information (e-PHI).

b. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.

c. Identify and protect against reasonably anticipated threats to the security or integrity of the information.

d. Protect against reasonably anticipated, impermissible uses or disclosures.

c. Ensure compliance by their workforce.

e. all the answers - answer>>e. all the answers

A covered entity must designate a ___________________ who is responsible for developing and implementing its security policies and procedures.

a. physician

b. security official

c. police officer

d. custodian - answer>>b. security official

True or False:

The HIPAA Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access). - answer>>TRUE

-professionals/security/laws-regulations/index.html

A covered entity may disclose protected health information (PHI) without a patient's written permission for:

a. Treatment purposes

b. Payment

c. Health care operations activities

d. All of the above - answer>>d. All of the above (a covered entity may use or disclose PHI for TPO)

A covered entity must obtain the patient's written authorization for any use or disclosure of protected health information (PHI) in which circumstances?

a. Marketing activities

b. Research

c. PHI sales and licensing

d. Information sharing needed for treatment

e. A and C only

f. All of the above - answer>>e. A and C only

Ref. Permitted Uses and Disclosures section - https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

privacy-standards/index.html

Examples of proper disposal methods of protected health information (PHI) may include:

a. tossing into the trashcan or recycle bin.

b. clearing (using software or hardware products to overwrite media with non-sensitive data).

c. purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains).

d. destroying (disintegration, pulverization, melting, incinerating, or shredding).

e. B and D

f. B, C and D - answer>>f. B, C and D.

Depending on the circumstances, appropriate methods for removing ePHI from electronic media prior to reuse or disposal may be by clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) the information from the electronic media. If circumstances warrant the destruction of the electronic media prior to disposal, destruction methods may include disintegrating, pulverizing, melting, incinerating, or shredding the media. Covered entities may contract with business associates to perform these services for them.

Ref. https://www.hhs.gov/hipaa/for-professionals/faq/disposal-of-protected-health-information/index.html

True or False:

The Privacy Rule generally requires covered entities to take reasonable steps to limit uses, disclosures, or requests (if the request is to another covered entity) of protected health information (PHI) to the minimum necessary to accomplish the intended purpose, known as the minimum necessary standard. - answer>>TRUE

Ref. Minimum Necessary Requirement 45 CFR 164.502(b), 164.514(d)

True or False:

A health care provider or other covered entity must obtain permission from a patient prior to notifying public health authorities of the occurrence of a reportable disease. - answer>>FALSE

The HIPAA Privacy Rule permits covered entities to disclose protected health information without authorization for specified public health purposes. OCR has issued guidance on how to disclose protected health information (PHI) for the public health activities of a public health authority (PHA).

Ref. https://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/index.html

True or False:

The HIPAA Privacy Rule does not restrict pharmacists from giving advice about over-the-counter medicines to customers. - answer>>TRUE

Ref. https://www.hhs.gov/hipaa/for-professionals/faq/treatment-disclosures/index.html or See 45 CFR 164.502(a)(1)(i).

A health care provider wants to disclose protected health information (PHI) about a student to a school nurse or physician. Does the HIPAA Privacy Rule allow this?

Yes. The HIPAA Privacy Rule allows covered health care providers to disclose PHI about students to school nurses, physicians, or other health care providers for treatment purposes, without the authorization of the student or student's parent.

OR

No. The HIPAA Privacy Rule mandates parental consent in this case. - answer>>Yes!

Ref. https://www.hhs.gov/hipaa/for-professionals/faq/ferpa-and-hipaa/index.html

True or False:

Covered entities, such as physician's offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. - answer>>TRUE

The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). See 45 CFR 164.502(a)(1)(iii).

Ref. https://www.hhs.gov/hipaa/for-professionals/faq/199/may-health-care-providers-use-sign-in-sheets/index.html

True or False:

The HIPAA Privacy Rule applies to all forms of patients' protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. - answer>>TRUE

Ref. https://www.hhs.gov/hipaa/for-professionals/faq/2010/does-the-security-rule-apply-to-written-and-oral-communications/index.html

Security standards that involve the automated processes used to protect data and control access to data, such as using encrypted and decrypted data, are called:

a. Administrative safeguards

c. Should report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs).

d. Must report the breach to the Office of Civil Rights (OCR) as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.

e. All of the above - answer>>e. All of the above

Ref. https://www.hhs.gov/sites/default/files/cyber-attack-checklist-06-2017.pdf

In determining the amount of any civil money penalty for violations of HIPAA, the following factors are considered:

a. The nature and extent of the violation.

b. The nature and extent of the harm resulting from the violation.

c. The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity or business associate.

d. The financial condition of the covered entity or business associate.

e. Such other matters as justice may require.

e. All of the above - answer>>e. All of the above

Ref. https://www.law.cornell.edu/cfr/text/45/160.

What defines and limits the circumstances in which an individual's PHI may be used or disclosed by covered entities?

a. Constitution

b. First Amendment

c. OIG

d. Privacy Rule - answer>>d. Privacy Rule

Note: practice question from AAPC CPCO Ch

PHI may be disclosed without the patient's authorization for ___________________.

a. Death, operations, and birth certificates

b. Treatment, pictures, and operations

c. Injections, shots, and research

d. Treatment, payment, and operations - answer>>d. Treatment, payment, and operations (TPO).

PHI can be disclosed to another entity for treatment purposes; for quality or competency assurance activities; or fraud and abuse detection and compliance activities if both entities have or had a professional relationship with the patient and the PHI pertains to the relationship.

Note: practice question from AAPC CPCO Ch

When can patients instruct their provider not to share information about their treatment with their health plan?

a. Never, patients must disclose all information to their health plan.

b. Only if the patient tells the secretary when scheduling an appointment that their information should not be given to their health plan.

c. If, when scheduling an appointment, the patient indicates that they are paying cash for the visit and do not want their information to be given to the health plan.

d. Never, because the health plan has a contract with the provider. - answer>>c. If, when scheduling an appointment, the patient indicates that they are paying cash for the visit and do not want their information to be given to the health plan.

Remember: Patients also have the right to request restrictions on the use and disclosure of their PHI to carry out treatment, payment, and healthcare operations. These requests do not have to be agreed to by the covered entity, except when a patient pays by cash, which allows the patient to instruct the provider not to share information about their treatment with the health plan.

Note: practice question from AAPC CPCO Ch

Are there certain rules for PHI disclosure in cases of an emergency?

a. No, especially if the patient is not able to provide consent.

b. No, there is not a separation of emergency treatment.

c. Yes, PHI can be released for emergency treatment.

d. No, PHI cannot ever be disclosed without patient consent. - answer>>c. Yes, PHI can be released for emergency treatment.

Note: practice question from AAPC CPCO Ch

Some of the largest breaches reported to HHS involved ________________.

a. Business associates

b. Doctors

c. Legal departments

d. Nurses or other ancillary staff - answer>>a. Business associates.