A series of multiple-choice questions and answers related to hipaa compliance. It covers various aspects of hipaa regulations, including patient privacy, security, and breach notification. The questions and answers provide insights into the key principles and practices of hipaa compliance, making it a valuable resource for individuals seeking to understand and apply hipaa regulations.
Typology: Exams
A business associate has contacted an organization's privacy officer to alert him that some of the patient information that they hold in relation to the BAA may have been breached. An employee took a laptop that contained patient information from several vendors and misplaced it at an airport. They are not 100% sure that information from the organization was on the laptop. Which of the following is the MOST appropriate response by the privacy officer?
A. Rely on the business associate to conduct any needed notifications.
B. Notify each individual whose PHI has been possibly disclosed.
C. Determine if the breach involved more than 500 individuals.
D. Assure that all notifications occur no later than 90 days after discovery.
ANS: C. Determine if the breach involved more than 500 individuals.

A new privacy officer is reviewing an organization's current policy on patient requests for amendments. Which of the following is the MOST critical to the evaluation process?
A. effective and revision dates of the policy
B. accurate description of the regulatory requirements
C. nature of complaints related to the policy
D. description of the form letters used to respond to requests
ANS: B. accurate description of the regulatory requirements

A physician employee is working at a satellite office on Tuesday. On Monday, he takes a laptop home so he can go straight to the satellite office the next morning. What is the best practice to secure the laptop overnight?
a. Lock it in the trunk of the car
b. Cover it up with something and lock it inside the car
c. Leave it in the car, but pull inside the garage
d. Take it inside and keep it in a secure location
ANS: d. Take it inside and keep it in a secure location

A physician office employee sees her neighbor at the office. It is acceptable for the employee to mention to another friend that she saw the patient at the doctor's office, as long as the employee did not mention why the patient was there.
a. True
b. False
ANS: b. False

A staff member needs to leave a HIPAA-compliant message on a voicemail or with someone else. Which of the following is not an acceptable practice when contacting patients via phone?
a. Following the minimum necessary standard when leaving a message with whoever answers the phone
b. Leaving detailed PHI on a voicemail without having the patient's permission
c. Leaving the minimum amount of information needed: name, number, and practice or physician name
d. Leaving a detailed message, if the patient has given permission to do so
ANS: b. Leaving detailed PHI on a voicemail without having the patient's permission

As part of due diligence on Business Associates, a privacy officer would be MOST concerned with confirming that they conduct:
A. criminal background checks.
B. credit history checks.
C. provider credentialing checks.
D. health screening checks.
ANS: A. criminal background checks.

Before faxing PHI or confidential information, which of the following should an employee do? Select all that apply.
a. Use a fax cover sheet with approved confidentiality statement
b. Confirm the fax number before sending
c. Send the minimum information necessary
d. Use any cover sheet as long as it contains the organization's name and contact information
ANS: a. Use a fax cover sheet with approved confidentiality statement; b. Confirm the fax number before sending; c. Send the minimum information necessary

Data breach response training is required by which of the following regulations?
A. HITECH
B. GLBA
C. FMLA
D. Privacy Act
ANS: A. HITECH

During an internal investigation, it is discovered that the Institutional Review Board (IRB) has not been reviewing the informed consents or authorizations completed by research subjects. Which of the following should a privacy officer do FIRST?
A. Report the issue to OHRP.
B. Report the issue to the OCR.
C. Contact legal counsel.
D. Contact the provost.
ANS: C. Contact legal counsel.

HIPAA rules and regulations cover what kind of information?
a. All personal health information in any format, for any person
b. Protected health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral
c. Diagnoses and procedure information
d. All health information for persons who have insurance
ANS: b. Protected health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral

HIPAA rules do not require providers to grant patient access to which of the following types of information?
a. Accounting disclosures
b. Office visit documentation
c. Psychotherapy notes
d. Medication list
ANS: c. Psychotherapy notes

One of the administrative safeguard standards under the Security Rule deals with information access management. One of the basic rules of access management is:
a. Information users should be authorized to access only the information they need to do their jobs
b. Information users should never be allowed to discuss protected health information
c. Patients are routinely questioned about their need to access medical records
d. Only clinical personnel should have access to medical records
ANS: a. Information users should be authorized to access only the information they need to do their jobs

Sign-in sheets include protected health information. However, they may be used without violating privacy rules for this reason:
a. Patient name is not protected health information
b. The sign-in sheet is used for health care operations and is considered an incidental disclosure
c. The patient name is usually not legible
d. Not all persons signing the sheet are patients
ANS: b. The sign-in sheet is used for health care operations and is considered an incidental disclosure

The "Notice of Privacy Practices" explains the ways the practice will use patient information and describes patients' rights regarding their information.
a. True
b. False
ANS: a. True

The HIPAA security regulations apply only to protected health information in electronic form. What about the HIPAA privacy regulations?
a. These also apply only to information in electronic form
b. Privacy regulations apply to information being faxed
c. Privacy regulations do not apply to Medicare patients
d. Privacy regulations apply to both paper and electronic formatted information
ANS: d. Privacy regulations apply to both paper and electronic formatted information

The rights of individual patients under HIPAA rules cover their access to their information and its disclosure to others. Which of the following is not a patient right under HIPAA rules?
a. To inspect and copy his or her health information
b. To request changes to his or her records
c. To obtain an accounting of disclosures of his or her information
d. To inspect the protected health information of his or her spouse
ANS: d. To inspect the protected health information of his or her spouse

There are three things that a practice must do regarding communicating with the patient about privacy practices and procedures, except for one of the following:
a. Give every patient a notice describing the physician office privacy practices
b. Make a "good faith" effort to obtain the patient's written acknowledgment of receiving the notice
c. Obtain the patient's authorization for disclosures or uses not covered by the "Notice of Privacy Practices"
d. Give every patient a copy of his or her medical record
ANS: d. Give every patient a copy of his or her medical record

Under what circumstances are employees allowed to repeat to others PHI that is heard or seen on the job?
a. Only when authorized for their job duties
b. Once they have been terminated
c. After a patient dies
d. If they do not think the patient would mind
ANS: a. Only when authorized for their job duties

What is the definition of a breach of protected health information?
a. Access, use, or disclosure of PHI that compromises security or privacy of the PHI
b. Inadvertent release of clinical information
c. An incident in which PHI leaves the physician practice
d. Theft of any equipment from a physician office or hospital
ANS: a. Access, use, or disclosure of PHI that compromises security or privacy of the PHI

What should an employee do when he or she suspects another employee is in violation of the privacy or security policies?
a. Gather solid evidence against the person
b. Confront the individual and tell the person that he or she is violating the rules
c. Nothing
d. Report suspicions to the office manager, privacy/security officer, or other designated person
ANS: d. Report suspicions to the office manager, privacy/security officer, or other designated person

When must the patient authorize the use or disclosure of health information?
a. At every visit
b. Only when the information will be provided to law enforcement
c. Only when used for purposes other than treatment, day-to-day operations, or to comply with a request to which the practice is legally obligated to respond
d. Only in emergency situations
ANS: c. Only when used for purposes other than treatment, day-to-day operations, or to comply with a request to which the practice is legally obligated to respond

When using email to communicate with a patient, which of the following methods is an appropriate safeguard per the Security Rule guidelines?
a. Asking the patient to delete the message immediately after he or she reads it
b. If a patient emails the employee first, the Rule does not apply
c. Using encryption to send the email to the patient
d. Only using the patient's medical record number in the email, not his or her name
ANS: c. Using encryption to send the email to the patient

Which of the following are considered protected health information under HIPAA? Select all that apply.
a. Phone number
b. Medical record number
c. License plate number
d. Email address
ANS: a. Phone number; b. Medical record number; c. License plate number; d. Email address

Which of the following phrases should employees keep in mind when deciding if they should access a patient's information?
a. Since the employee works there, he or she can access every patient's information
b. Just a quick peek at a file will not hurt anything
c. Only use what is needed to perform his or her job duties
d. Thinking it is okay to look at a patient's information as long as it is not shared with anyone else
ANS: c. Only use what is needed to perform his or her job duties

Which of the following uses of patient health information do not require the patient's authorization?
a. Treatment, payment, health care administration
b. Marketing
c. Genetic testing and research studies
d. Release of psychotherapy notes
ANS: a. Treatment, payment, health care administration

Why is giving away old computer equipment used by a health care provider's office more of a security risk than just placing the equipment in the trash?
a. Recipients of old computer equipment will ultimately destroy the equipment
b. PHI may remain on the equipment
c. Equipment may contain blood-borne pathogen contamination
d. Once given away, the equipment cannot be tracked
ANS: b. PHI may remain on the equipment

Workstation security is among the physical safeguard standards. Which item below is not an appropriate practice?
a. Workstations placed in a physically secure location
b. Visitors should not be able to view information on computer screens
c. Administrator workstations that can enable or disable security features located in secure areas
d. Computer stations located in a patient waiting room
ANS: d. Computer stations located in a patient waiting room