HIPAA Compliance: Multiple Choice Questions and Answers, Exams of Business Systems

A series of multiple-choice questions and answers related to HIPAA compliance. It covers various aspects of HIPAA regulations, including patient privacy, security, and breach notification. The questions and answers provide insights into the key principles and practices of HIPAA compliance, making it a valuable resource for individuals seeking to understand and apply HIPAA regulations.

Typology: Exams

2024/2025

Available from 01/06/2025

elyeza-liz

Partial preview of the text


CHPC EXAM NEWEST 2024-2025 ACTUAL EXAM COMPLETE QUESTIONS AND CORRECT DETAILED ANSWERS (VERIFIED ANSWERS). GRADED A

A business associate has contacted an organization's privacy officer to alert him that some of the patient information that they hold in relation to the BAA may have been breached. An employee took a laptop that contained patient information from several vendors and misplaced it at an airport. They are not 100% sure that information from the organization was on the laptop. Which of the following is the MOST appropriate response by the privacy officer?
A. Rely on the business associate to conduct any needed notifications.
B. Notify each individual whose PHI has been possibly disclosed.
C. Determine if the breach involved more than 500 individuals.
D. Assure that all notifications occur no later than 90 days after discovery.
ANS: C. Determine if the breach involved more than 500 individuals.

A new privacy officer is reviewing an organization's current policy on patient requests for amendments. Which of the following is the MOST critical to the evaluation process?
A. effective and revision dates of the policy
B. accurate description of the regulatory requirements
C. nature of complaints related to the policy

a. Following the minimum necessary standard when leaving a message with whoever answers the phone
b. Leaving detailed PHI on a voicemail without having the patient's permission
c. Leaving the minimum amount of information needed: name, number, and practice or physician name
d. Leaving a detailed message, if the patient has given permission to do so
ANS: b. Leaving detailed PHI on a voicemail without having the patient's permission

As part of due diligence on Business Associates, a privacy officer would be MOST concerned with confirming that they conduct:
A. criminal background checks.
B. credit history checks.
C. provider credentialing checks.
D. health screening checks.
ANS: A. criminal background checks.

Before faxing PHI or confidential information, which of the following should an employee do? Select all that apply.
a. Use a fax cover sheet with approved confidentiality statement
b. Confirm the fax number before sending
c. Send the minimum information necessary
d. Use any cover sheet as long as it contains the organization's name and contact information
ANS: a. Use a fax cover sheet with approved confidentiality statement; b. Confirm the fax number before sending; c. Send the minimum information necessary

Data breach response training is required by which of the following regulations?
A. HITECH
B. GLBA
C. FMLA
D. Privacy Act
ANS: A. HITECH

During an internal investigation, it is discovered that the Institutional Review Board (IRB) has not been reviewing the informed consents or authorizations

b. Office visit documentation
c. Psychotherapy notes
d. Medication list
ANS: c. Psychotherapy notes

One of the administrative safeguard standards under the Security Rule deals with information access management. One of the basic rules of access management is:
a. Information users should be authorized to access only the information they need to do their jobs
b. Information users should never be allowed to discuss protected health information
c. Patients are routinely questioned about their need to access medical records
d. Only clinical personnel should have access to medical records
ANS: a. Information users should be authorized to access only the information they need to do their jobs

Sign-in sheets include protected health information. However, they may be used without violating privacy rules for this reason:
a. Patient name is not protected health information
b. The sign-in sheet is used for health care operations and is considered an incidental disclosure
c. The patient name is usually not legible
d. Not all persons signing the sheet are patients
ANS: b. The sign-in sheet is used for health care operations and is considered an incidental disclosure

The "Notice of Privacy Practices" explains the ways the practice will use patient information and describes patients' rights regarding their information.
a. True
b. False
ANS: a. True

The HIPAA security regulations apply only to protected health information in electronic form. What about the HIPAA privacy regulations?
a. These also apply only to information in electronic form
b. Privacy regulations apply to information being faxed
c. Privacy regulations do not apply to Medicare patients
d. Privacy regulations apply to both paper and electronic formatted information
ANS: d. Privacy regulations apply to both paper and electronic formatted information

The rights of individual patients under HIPAA rules cover their access to their information and its disclosure to others. Which of the following is not a patient right under HIPAA rules?
a. To inspect and copy his or her health information
b. To request changes to his or her records

What is the definition of a breach of protected health information?
a. Access, use, or disclosure of PHI that compromises security or privacy of the PHI
b. Inadvertent release of clinical information
c. An incident in which PHI leaves the physician practice
d. Theft of any equipment from a physician office or hospital
ANS: a. Access, use, or disclosure of PHI that compromises security or privacy of the PHI

What should an employee do when he or she suspects another employee is in violation of the privacy or security policies?
a. Gather solid evidence against the person
b. Confront the individual and tell the person that he or she is violating the rules
c. Nothing
d. Report suspicions to the office manager, privacy/security officer, or other designated person
ANS: d. Report suspicions to the office manager, privacy/security officer, or other designated person

When must the patient authorize the use or disclosure of health information?
a. At every visit
b. Only when the information will be provided to law enforcement
c. Only when used for purposes other than treatment, day-to-day operations, or to comply with a request to which the practice is legally obligated to respond
d. Only in emergency situations
ANS: c. Only when used for purposes other than treatment, day-to-day operations, or to comply with a request to which the practice is legally obligated to respond

When using email to communicate with a patient, what method out of the following is an appropriate safeguard per the Security Rule guidelines?
a. Asking the patient to delete the message immediately after he or she reads it
b. If a patient emails the employee first, the Rule does not apply
c. Using encryption to send the email to the patient
d. Only using the patient's medical record number in the email, not his or her name
ANS: c. Using encryption to send the email to the patient

Which of the following are considered protected health information under HIPAA? Select all that apply.
a. Phone number
b. Medical record number
c. License plate number
d. Email address
ANS: a. Phone number; b. Medical record number; c. License plate number; d. Email address

b. PHI may remain on the equipment
c. Equipment may contain blood-borne pathogen contamination
d. Once given away, the equipment cannot be tracked
ANS: b. PHI may remain on the equipment

Workstation security is among the physical safeguard standards. Which item below is not an appropriate practice?
a. Workstations placed in a physically secure location
b. Visitors should not be able to view information on computer screens
c. Administrator workstations that can enable or disable security features located in secure areas
d. Computer stations located in a patient waiting room
ANS: d. Computer stations located in a patient waiting room