HIT 112 Module 3
Question | Answer |
---|---|
Medical records are the property of the provider of care and are maintained for the benefit of the patient. | True |
Ownership resides with the organization or professional rendering treatment. | True |
enacted to safeguard individual privacy from the misuse of federal records and to give individuals access to records concerning themselves that are maintained by federal agencies. | The Privacy Act of 1974 |
The patient owns the content of the medical record. | True |
Some categories of patients do not have rights to their information | True |
Patients have a legally enforceable interest in the information contained in their medical records and, therefore, have a right to access their records. | True |
Parties who can request medical information | Insurance carriers processing claims; Medical researchers; Educators; Government agencies |
Privacy exceptions | Criminal investigations; Psychiatric records; Medicaid fraud; Substance abuse |
When handling medical records, professionals must recognize that intentional alteration, falsification, or destruction to avoid liability for medical negligence is generally sufficient to show actual malice. | True |
Punitive damages may be awarded whether or not the act of altering, falsifying, or destroying records directly causes compensable harm. | True |
Altered records can create a presumption of negligence. | True |
Perhaps the simplest but one of the most potentially dangerous problems with medical records is illegible entries. | True |
a system whereby nurses did not record qualitative observations for each of the day's shifts, but made such notes only when necessary to chronicle important changes in a patient's condition | charting by exception |
Privileged communications statutes do not protect from discovery the records maintained in the ordinary course of doing business and rendering inpatient care. | True |
The identity of peer-review committee members and individuals who may have given information to such committees is not always considered privileged. | True |
protects health insurance coverage for workers and their families when they change or lose their jobs | Title I of HIPAA |
requires the establishment of national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers | Title II of HIPAA |
3 segments of security safeguards for HIPAA compliance | Administrative; Physical; Technical |
the process of facilitating the flow of information within and among departments and caregivers | information management |
The medical record is the most important document in a malpractice action. | True |
Release of information without the patient's authorization is permissible in which of the following circumstances: | Release to state worker's comp agencies |
A signed consent for ROI dated 12/1/2011 is received with a request for the chart from the patient's admission 12/5/2011. Indicate the appropriate response from the options below: | Request another authorization that is dated after the discharge date |
The minimum record retention for patients who are adults discharged from acute care facilities is: | 11 years after discharge |
Which of the following is a breach of confidentiality? | Staff members discussing patients in the elevator |
Which of the following is true of the notice of privacy practices? | It must be provided to every individual at the first time of contact or service with the CE |
Which of the following statements about the directory of patients maintained by a CE is true? | Individuals must be given an opportunity to restrict or deny permission to place information about them in the directory. |
What does the abbreviation PHI stand for? | Protected Health Information |
Under HIPAA rules, when an individual asks to see his or her own health information a CE... | Can deny access to psychotherapy notes |
Which of the following statements is true in regard to responding to requests from individuals for access to their PHI? | A cost-based fee may be charged for making a copy of PHI |
Privacy can be defined as the _____ | Right of an individual to be left alone |
Confidentiality can be defined as the _____ | Limitation of the use and disclosure of private information |
One HIM committee suggests using the copying fee established by the state. Another committee member feels that HIPAA will not allow for copying fees. What input should the HIM director provide? | Base charges on the cost of labor and supplies for copying and postage if copies are mailed |
She states that because the doctor documented her name as her brother’s caregiver that HIPAA regulations apply and that she may receive copies of her brother’s medical record. In this case, how should the HIM department proceed? | Refuse the request |
When the RHIT goes to retrieve the patient’s medical records, it is discovered that the records being subpoenaed have been purged in accordance with state retention laws. In this situation, how should the HIM department respond to the subpoena? | Submit a certification of destruction in response to the subpoena |
The issue of “portability” deals with protecting healthcare coverage for employees who change jobs and allowing them to carry their existing plans with them to new jobs. | True |
The privacy and data security portions of the Health Insurance Portability and Accountability Act (HIPAA) go into effect ____________________. | in April, 2003 |
The proliferation of computers in medicine has _______________________. | created new dangers for breaches of confidentiality |
The set of rules that provide administrative simplification by standardizing the codes and formats used for the exchange of medical data is referred to as _______________________. | electronic transaction standard |
In general, information about a patient can be shared _________________________. | only when it is not related to treatment |
Data security issues that must be addressed by HIPAA implementation teams include: | all of the above |
The single most important key to administrative simplification is standardizing throughout the healthcare system a set of transaction standards and code sets. | True |
HIPAA-defined code sets that serve as the standards for all electronic data interchange include all but which of the following: | ID ANSI |
One good rule to prevent unauthorized access to computer data is to ________________. | black the screen or turn off the computer when you leave it |
You can reveal information needed for medical research if _____________________. | the patient authorizes it |
The general privacy rule now is that patients must be notified of the institution’s privacy policies, and healthcare workers must always obtain a written acknowledgment of this. | false |
In a hospital, the obligation to maintain confidentiality applies to ________________. | all medical and personal information |
If you are sending patient information via e-mail, security is best maintained with __________________. | all of the above |
One exception to confidentiality is _______________________. | a gunshot wound |
HIPAA overrides all state laws that define and regulate patient privacy. | false |
Anyone caught selling private health care information can be fined up to _____________ and sentenced to up to ________________ in prison. | $250,000; 10 years |
HIPAA mandates the creation of a unique identifier code for every patient. | false |
Facilities will no longer be able to post ____________ anyplace where visitors might see them. This includes door tags and whiteboards at the nurses’ station that are in public view. | patient's full name |
There must now be a system in place to record the name of every person who views a patient’s record. | True |
There must now be a system in place to record the name of every person who views a patient’s record. | using a number tag system |
Covered entity | CE |
You must have all elements in the ROI to be HIPAA compliant. | True |
Expiration date of the authorization; A statement of the individual's right to revoke the authorization; A specific description of the information to be used or disclosed; The name or other specific identification of the person making the request | Core elements of an authorization |
Checks anything; covered entity | clearinghouse |
What does TPO stand for? | Treatment, payment and health care operations |
written permission to use and disclose PHI for treatment, payment, and health care operations. | patient consent |
a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than TPO, or to disclose PHI to a 3rd party specified by the individual. | patient authorization |
a health care provider that is trained and licensed to provide health care services, and that transmits the identified standard transactions electronically. | legal entity |
The HIPAA privacy rule protects health information that is _____ _____ to an individual. | individually identifiable |
Covered entities may use PHI for the purposes of treatment, payment, and health care operations without obtaining an individual's authorization. | True |
This HIPAA privacy rule requires covered entities to limit disclosures of PHI to the _____ _____ to carry out the intended purpose. | minimum necessary |
The "minimum necessary" requirements do not apply to disclosures that are required by law. | True |
In what instances may a covered entity use and disclose PHI without obtaining a written authorization or allowing an individual to object? | Disclosures for law enforcement purposes; Disclosures about victims of abuse, neglect, or domestic violence; Treatment, payment, and operations; Uses and disclosures required by law; Uses and disclosures about decedents; Uses and disclosures for research |
a document that must contain a description of the types of uses and disclosures that are permitted for the purposes of treatment, payment, and health care operations; defines policy and procedures for HIPAA | Notice of Privacy Practices |
Information regarding uses and disclosures of PHI; Clarification of an individual's privacy rights; The covered entity's responsibilities under HIPAA; The effective date of the notice | The Notice of Privacy Practices must be written in plain language and include the following: |
If a health care provider, who is a covered entity, maintains a physical service delivery site, it is required to post a complete copy of the Notice of Privacy Practices in a clear and prominent location. | True |
Covered entities must retain copies of past Notices of Privacy Practices for 6 years. | True |
How quickly must covered entities respond to an individual's request for access to their PHI? | Within 30 days of receiving the request if the information is maintained and accessible on-site, or within 60 days otherwise. |
How quickly must covered entities respond to an individual's request to amend their PHI? | The covered entity must act within 60 days of the request, with a possible 30-day extension similar to that described for access to PHI. |
How much time does the covered entity have to provide the accounting of disclosures? | The covered entity must act on the request for an account of disclosure within 60 days with a possible 30-day extension |
What information must be included in the accounting of disclosures of PHI? | The CE must provide a written account of each specific disclosure that includes the date of the disclosure, the person to whom the information was disclosed, and a brief description of the disclosed information. |
governs health care organizations operated by the federal government; grants citizens the right to find out what information was collected, see and have a copy of that information, correct or amend that information, exercise limited control | The Privacy Act of 1974 |
protects the confidentiality of all information related to diagnosis, treatment or education related to alcohol or drug abuse | 42 C.F.R. 482.24 (b) (3) |
The regulations concerning confidentiality vary depending on the type of health care facility. | True |
protects the confidentiality of records concerning AIDS and other communicable diseases | GS 130A-143 |
Providers shall predominantly display the rights patients have regarding confidentiality of their health care information. | Right to be informed of their rights |
Relevant patient information may only be disclosed to or used in the patient care situations, paying physicians, hospitals, and others who provide health care services to the patient, conducting quality assurance activities or outcome assessments | Right to privacy |
patients are entitled to know what information the organization has about them and are entitled to review that information. | Right to review information |
The patient can limit disclosure of identifiable health information by deciding not to utilize any health insurance or other third party payment plan for the service. | Right to restrict disclosure |
The individuals, organizations, and government agencies that have authority to access and have actually gained access to specific information identified with the patient should be accurately logged by the provider and kept for a minimum of 6 years. | Right to notification of disclosure of information |
Individuals, organizations, and government agencies that have authority to access PHI will be required to make that request in writing before actually gaining access to PHI. | Right to protection of information released to 3rd parties |
Patient records should be protected from unauthorized modification and destruction | Right to integrity and availability |
statements made to attorneys, priests, physicians, spouses, or others in a legally recognized position of trust | privileged communications |
1. Physician/patient 2. Nurse/patient 3. Therapist/Client 4. HMO enrollee | privileged communications |
should be governed by the applicable regulations for the specific type of health care provider | General Release of Information |
usually unauthorized; transferred from another institution; they are improper and a facility could be in trouble federally | Redisclosure |
Statement has to be released with Drug and Alcohol Abuse records. | True |
An individual's authorization is required for disclosures of PHI for purposes not otherwise permitted or required under state or federal law. | True |
Before disclosing a patient's record, a provider should determine whether disclosure is expressly allowed by state or federal law. | True |
1. The individual must have the authority and competence to give consent. 2. HIPAA generally articulates more specific requirements and controls what constitutes a valid authorization 3. Authorization should become a permanent part of the medical record | Quick references to Consents and Authorizations |
Authorization must be by the patient or, if the patient is deceased, by 1. the administrator of the patient's estate or 2. the patient's next of kin if the estate is not administered | Physician-patient privilege statute |
If no valid POA has been designated, the next of kin may authorize ROI in the following order: | 1. Spouse 2. Adult children 3. Parents 4. Adult siblings |
If a spouse is legally separated from the patient, he or she is no longer considered next of kin. | True |
Not all general POAs permit the attorney-in-fact to make health care decisions for the patient, so HIM professionals and clinical staff should carefully review the POA to determine the scope of authority granted to the attorney-in-fact. | True |
may access medical records of the parents of the minor children they represent unless the records they request to access contain information related to the treatment of drug or alcohol abuse | Guardian ad Litem |
1. The parent, guardian or loco parentis cannot be located or contacted 2. The identity of the minor is unknown 3. Where a delay would result in an effort to contact the parent 4. Parents refuse to give consent endangering the minor. | Situations where a physician may treat a minor without consent |
If a minor is adopted, the biological parents' rights are terminated, and the biological parents may not access the minor child's medical records unless by court order or consent of the adoptive parents. | True |
No information that reasonably could be expected to lead directly to the identification of an adoptee, an adoptive parent, adoptee's birth parents, or an adoptee's birth siblings or grandparents may be released except under court order for cause. | True |
An individual may revoke an authorization at any time; must be in writing | True |
When revocation of an authorization has been obtained, the health care provider should place the revocation in a prominent place in the individual's medical record. | True |
Accrediting/Licensing Agencies; Audit Purposes; Birth Defects Monitoring Program; Central Cancer Registry; Criminal Defendants; Commitment Proceedings; Emergencies; Funeral Homes; Health Care Facility Staff; Health Oversight activities; Law Enforcement | Situations in which authorizations are not required |
patient information can only be disclosed to law enforcement without a court order or patient consent when a specific statute authorizes the disclosure, and then only to the extent permitted by the statute | Law enforcement |
Because NC law requires peer review in hospitals by physicians and federal law requires peer review in nursing homes by physicians, it is implied that disclosure can be made to the persons legitimately involved in such peer review process | True |
Whenever non-identifying information is used for aggregated statistical data, it is no longer considered to be privileged or confidential information | True |
Students may have access to confidential information whenever the student is involved in the care and treatment of a patient or for educational and research purposes | True |
Information may be released, consistent with applicable law and standards of ethical conduct, if the organization, in good faith, believes that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a per | True |
A health care provider may release any information that a competent, adult patient authorizes in writing to be disclosed. | True |
HIPAA requires that access can only be denied if release of the information at that time to the patient creates a risk of danger. | True |
A patient should be told the type of information to be included in a hospital directory and given the opportunity to object to all or part of the information. | True |
Executor of the estate trumps the next of kin. | True |
A patient's access to medical records may be restricted by the patient's attending physician. | True |
A patient's request for access to records should be in writing, such as a signed authorization for release of information form or other request form. | True |
1. Patient's name 2. Patient's residence and location in the hospital 3. A general statement of the patient's condition (fair, stable, critical) 4. The patient's religious affiliation | Information that may be listed in the hospital directory with the patient's permission |
A person authorized under State law to act on behalf of the individual in making health care decisions is the individual's _____ _____ | personal representative |
NC statutes are much more stringent than HIPAA regarding the persons to whom PHI may be released, and the situations in which such releases are appropriate. | True |
Spouse; Any son, daughter or stepson or stepdaughter; Any parent or stepparent; Any brother, sister, or half-brother or half-sister | The order for the next of kin |
Any confidential, PHI that the patient has not authorized to be disclosed; PHI, if the law enforcement official only has an arrest warrant; Any confidential PHI outside the specific scope of a court order or court-issued subpoena; Details of the patient's | Health care providers may not release the following information to law enforcement, absent a statute that permits or requires disclosure to law enforcement |
If ROI is not covered under the TPO you must have a signed authorization. | True |
What is re-disclosure? | When information from one facility is made available to another facility outside the health network without written authorization from the patient. i.e. A Novant Health facility to High Point Regional. |
Give an example of an improper re-disclosure of information. | A patient goes to Lexington Memorial and then is transferred to Cone Health System. The paperwork generated at Lexington Memorial goes with the patient, but it is not actually authorized in writing by the patient for access from Lexington Memorial to Cone |
Remembering your ROI handout, and the items listed as what is required for a valid authorization, list the items below that determine if an authorization is HIPAA compliant. | Name of the patient requesting the information; Date the information was requested; Reason for the request and what information will be released; Notice of Privacy Practices in regards to release of information |
A minor who is legally free from parental control is: | emancipated |
Who may consent to release medical information for a deceased patient? | either a or b |
If Mrs. Gray is a legally competent adult, who may have access to her medical record without her express written permission? | her attending physician |
A written authorization from the patient releasing copies of their medical records is required by all of the following EXCEPT? | The hospital attorney for the facility where the patient is treated |
If Mrs. Gray is a competent, married 17-year old, who would sign a consent for her surgery? | Mrs. Gray, the patient |
In which of the following cases would the patient’s consent or a court order be required to release medical information? | when the information is alcohol or drug related |
HIPAA requires that certain CE’s provide every patient a Notice of Privacy Practices that set forth all of the following EXCEPT: | CE’s provide every patient with its annual business report |
When a person makes a request for his/her records in person, the ROI clerk should _______ in order to establish safeguards for the security and confidentiality of the patient’s information: | ask the requestor for identification and the request in writing |
Dr. Knowitall comes to your department to review his neighbor’s record. Sensing that you are about to refuse him, he interrupts and says, “I am a doctor on staff at this hospital and I have every right to review any record I see fit. Now hand it over!” You | you may review the record if you are the attending physician or you have a valid request signed by the patient |
As a general rule, a person making a mandatory report in good faith and under statutory command is: | protected from liability claims |
The wife of a deceased patient enters the medical record department to request her husband’s records. She brings with her a POA, which was signed two months prior to the patient’s death. The record reveals that the son is shown to be the executor of the | Refuse to release records to her since the son is listed as executor of the estate on the chart. |
The HIPAA privacy rule covers information in which of the following forms? | all of the above |
Nurse Leahy came to the medical record department requesting to see the medical record on Susie Sickly. You: | none of the above |
A valid authorization for the disclosure of PHI should not be: | dated prior to discharge |
The mother of a physician on your facility’s medical staff was recently admitted to your hospital under the care of another surgeon. The physician now wishes to review his mother’s record. | You can let the physician review his mother’s record only with a signed authorization from his mother. |
A former patient requests by telephone that a copy of her health record be sent to her new physician in another city. | You obtain an authorization from the patient and then send the information. |
A former patient who was treated as an inpatient approximately 2 years ago has filed a lawsuit against your facility. Your facility’s legal counsel has asked to review the patient’s health record. | You do not need an authorization to let him review the records. |
Facilities will no longer be able to post ____________ anyplace where visitors might see them. This includes door tags and whiteboards at the nurses’ station that are in public view. | patient’s full names |
An employee accesses PHI on a computer system that does not relate to her job functions. What security mechanism should have been implemented to minimize the security breach? | Access controls |
Ultimate responsibility for the operation of the health care organization lies with | the board of directors |
On review of the audit trail from an EHR system, the HIM director discovers that a departmental employee who has authorized access to patient records is printing far more records than the average user. In this case what should the director do? | Determine what information was printed and why |
To date the HIM department has not charged for copies of records requested by the patient. However, the policy is under review for revision. One HIM committee suggests using the copying fee established by the state. Another committee member feels that HIPA | Base charges on the cost of labor and supplies for copying and postage if copies are mailed. |
Which of the following bears the ultimate responsibility for the quality of care in a hospital? | Board of Directors |
Which of the following dictates how the medical staff operates? | Medical Staff Bylaws |
An individual who brings a lawsuit is called the | plaintiff |
Which document directs an individual to bring originals or copies of records to court? | subpoena duces tecum |
If the patient record is involved in litigation and the physician requests to make a change to that record, what should the HIM professional do? | Refer request to legal counsel. |
According to AHIMA's Position on Transmission of Health Information, the health information manager should always engage in all of the following to ensure that information is properly sent via facsimile transmission EXCEPT | to always follow up by sending the original record by mail. |
All of the following are elements of a contract EXCEPT | price/consideration. |
In general, which of the following statements is correct? | When federal and state laws conflict, valid federal laws supersede state laws. |
All of the following have laws and regulations addressing medical records EXCEPT | accrediting agencies. |
Which of the following is an example of breach of confidentiality? | staff members discussing patients in the elevator |
One of the greatest threats to the confidentiality of health data is | redisclosure of information for purposes not authorized in writing by the patient. |
A signed consent for the release of information dated December 1, 2005, is received with a request for the chart from the patient's admission of 12/5/2005. Indicate the appropriate response from the options below. | Request another authorization dated after the discharge date. |
The Privacy Rule covers the information in which of the following forms? | all the above |
Law enacted by a legislative body is a | statute |
The sister of a patient requests the HIM department to release copies of her brother's medical record to her. She states that because the doctor documented her name as her brother's caregiver that HIPAA regulations apply and that she may receive copies of | Refuse the request. |
A HIT supervisor receives a subpoena duces tecum for the records of a discharged patient. To respond to the subpoena, which of the following should the supervisor do? | Review the subpoena to determine what documents should be produced. |
Which of the following statements is TRUE in regard to responding to requests from individuals for access to their PHI? | A cost based fee may be charged for the copying of the PHI. |
Which of the following provides a complete description to patients how PHI is used in a healthcare facility? | Notice of Privacy Practices |
Which of the following is NOT true of notices of privacy practices | they must contain content that cannot be changed |
Margaret has signed an authorization to release information regarding her ER visit for a fractured finger to her attorney. Specifically, she says to release the ER history and physical, x-rays, and any procedure notes for finger fracture. Which of the fol | x-ray of chest |
Kyle, the HIM Director, has received a request to amend a patient's medical record. The appropriate action for him to take is | route the request to the physician who wrote the note in question. |
The local newspaper has notified the hospital that they have received a computer listing of the names of patients receiving HIV treatment in your facility. What method(s) could be used to identify the source of this breach of confidentiality? | all of the above |
Which of the following is subject to the security rule? | PHI stored on a computer |
You have been asked to define privacy. Which of the following definitions would you use? | Patients have rights regarding their individually identifiable health information. |
Rachel, a nurse, can write progress notes in the patient's electronic health record. Vera, a coder, can view the progress notes but is not authorized to write a progress note. What controls this? | role-based access control (i.e., Scope) |
Which of the following situations violate a patient's privacy? | The hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples. |
The administrator states that he should not have to participate in privacy and security training. How should you respond? | All employees are required to participate in the training, including administration. |
Which of the following federal laws passed in 1996 resulted in new privacy regulations for healthcare organizations? | Health Insurance Portability and Accountability Act |
Which of the following statements about the directory of patients maintained by a CE is TRUE? | Individuals must be given an opportunity to restrict or deny permission to place information about them in the directory. |
Under HIPAA rules, when an individual asks to see his or her PHI a CE | can deny access to psychotherapy notes |
The health record is the property of the . | covered entity |
The information within the health record belongs to the . | patient |
HIPAA mandates the creation of a unique identifier code for every patient. | False |
There must be a system in place to record the name of every person who views a patient’s record. | True |