RHIA Domain 2 Practice Test
Questions with Revised Answers
New Update
A federal confidentiality statute specifically addresses confidentiality of health
information about ________ patients.
a. Developmentally disabled
b. Elderly
c. Drug and alcohol recovery
d. Cancer - Answer-Correct Answer: C
The Confidentiality of Alcohol and Drug Abuse Patient Records Rule is a federal rule
that applies to information created for patients treated in a federally assisted drug or
alcohol abuse program and specifically protects the identity, diagnosis, prognosis, or
treatment of these patients. The rule generally prohibits redisclosure of health
information related to this treatment except as needed in a medical emergency or when
authorized by an appropriate court order or the patient's authorization (Rinehart-
Thompson 2020, 66).
The confidentiality of incident reports is generally protected in cases when the report is
filed in:
a. The nursing notes
b. The patient's health record
c. The physician's progress notes
d. The hospital risk manager's office - Answer-Correct Answer: D
Because incident reports contain facts, hospitals strive to protect their confidentiality. To
ensure incident report confidentiality, no copies should be made and the original must
not be filed in the health record nor removed from the files in the department
responsible for maintaining them, typically risk management or QI. Also no reference to
the completion of an incident report should be made in the health record. Such a
reference would likely render the incident report discoverable because it is mentioned in
a document that is discoverable in legal proceedings (Rinehart-Thompson 2020, 68-69).
Which one of the following has access to personally identifiable data without
authorization or subpoena?
a. Law enforcement in a criminal case
b. The patient's attorney
c. Public health departments for disease reporting purposes
d. Workers' compensation for disability claim settlement - Answer-Correct Answer: C
No authorization is needed to use or disclose PHI for public health activities. Some
health records contain information that is important to the public welfare. Such
,information must be reported to the state's public health service to ensure public safety
(Brinda and Watters 2020, 325).
An original goal of HIPAA Administrative Simplification was to standardize:
a. Privacy notices given to patients
b. The electronic transmission of health data
c. Disclosure of information for treatment purposes
d. The definition of PHI - Answer-Correct Answer: B
A significant part of the administrative simplification process is the creation of standards
for the electronic transmission of data (Rinehart-Thompson 2017d, 207).
The privacy officer was conducting training for new employees and posed the following
question to the trainees to help them understand the rule regarding protected health
information (PHI): "Which of the following is an element that makes information 'PHI'
under the HIPAA Privacy Rule?"
a. Identifies an attending physician
b. Specifies the insurance provider for the patient
c. Contained within a personnel file
d. Relates to one's health condition - Answer-Correct Answer: D
The key to defining PHI is that it requires the information to either identify an individual
or provide a reasonable basis to believe the person could be identified from the
information given. In this situation, the information relates to a patient's health condition
and could identify the patient (Rinehart-Thompson 2017d, 214).
What is the first consideration in determining how long records must be retained?
a. The amount of space allocated for record filing
b. The number of records
c. The most stringent law or regulation in the state
d. The cost of filing space - Answer-Correct Answer: C
State laws, CMS regulations and other federal regulations, accreditation standards, and
facility policies and procedures must also be reviewed when establishing a retention
schedule. The HIM professional must adhere to the strictest time limit if the
recommended retention period varies among different laws and regulations (Reynolds
and Morey 2020, 135).
The technology, along with the policies and procedures for its use, that protects and
controls access to ePHI are:
a. Administrative safeguards
b. Technical safeguards
c. Physical safeguards
d. Integrity controls - Answer-Correct Answer: B
The Security Rule defines technical safeguards as the technology and the policy and
procedures for its use that protect ePHI and controls access to it. A covered entity must
determine which security measures and technologies are reasonable and appropriate
for implementation (Biedermann and Dolezel 2017, 393).
,Which of the following is considered a two-factor authentication system?
a. User ID and password
b. User ID and voice scan
c. Password and swipe card
d. Password and PIN - Answer-Correct Answer: C
The three methods of two-factor authentication are something you know, such as a
password or PIN; something you have, such as an ATM card, token, or swipe/smart
card; and something you are, such as a biometric fingerprint, voice scan, iris, or retinal
scan (Sayles and Kavanaugh- Burke 2018, 230).
Which of the following is a "public interest and benefit" exception to the authorization
requirement?
a. Payment
b. PHI regarding victims of domestic violence
c. Information requested by a patient's attorney
d. Treatment - Answer-Correct Answer: B
Pursuant to the Privacy Rule, the hospital may disclose health information to law
enforcement officials without authorization for law enforcement purposes for certain
situations, including situations involving a crime victim. Disclosure is made in response
to law enforcement officials' request for such information about an individual who is, or
is suspected to be, a victim of a crime (Brinda and Watters 2020, 325).
Which of the following statements is true in regard to training in protected health
information (PHI) policies and procedures?
a. Every member of the covered entity's workforce must be trained.
b. Only individuals employed by the covered entity must be trained.
c. Training only needs to occur when there are material changes to the policies and
procedures.
d. Documentation of training is not required. - Answer-Correct Answer: A
Training in HIPAA policies and procedures regarding PHI is required for all workforce
members to carry out their job functions appropriately. The training should be ongoing
and documented for each employee (Biedermann and Dolezel 2017, 371).
Under the Privacy Rule, which of the following must be included in a patient accounting
of disclosures?
a. State-mandated report of a sexually transmitted disease
b. Disclosure pursuant to a patient's signed authorization
c. Disclosure necessary to meet national security or intelligence requirements
d. Disclosure for payment purposes - Answer-Correct Answer: A
Legislation gives a patient the right to obtain an accounting of disclosures of PHI made
by the covered entity in the six years or less prior to the request date. Mandatory public
health reporting is not considered part of a covered entities' operations. As a result,
these disclosures must be included in an accounting of disclosures (Rinehart-Thompson
2017e, 247-248).
, Debbie, an HIM professional, was recently hired as the privacy officer at a large
physician practice. She observes the following practices. Which is a violation of the
HIPAA Privacy Rule?
a. Dr. Graham recommends a medication to a patient with asthma.
b. Dr. Herman gives a patient a pen with the name of a pharmaceutical company on it.
c. Dr. Martin recommends acupuncture to a patient.
d. Dr. Lawson gives names of asthma patients to a pharmaceutical company. - Answer-
Correct Answer: D
PHI may not be used or disclosed by a covered entity unless the individual who is the
subject of the information authorizes the use or disclosure in writing or the Privacy Rule
requires or permits such use or disclosure without the individual's authorization. In this
situation, Dr. Lawson is a covered entity and thus releasing the names of his asthma
patients to a pharmaceutical company requires the patients' authorization (Rinehart-
Thompson 2017d, 225).
The Administrative Simplification portion of Title II of HIPAA addresses which of the
following?
a. Creating standardized forms for release of information throughout the industry
b. Computer memory requirements for health plans maintaining patient health
information
c. Security regulations for personal health records
d. Uniform standards for transactions and code sets - Answer-Correct Answer: D
Title II of HIPAA is the most relevant title to the management of health information,
containing provisions relating to the prevention of healthcare fraud and abuse and
medical liability reform, as well as administrative simplification. The Privacy Rule derives
from the administrative simplification provision of Title II along with the HIPAA security
regulations, transactions and code set standardization requirements, unique national
provider identifiers, and the enforcement rule (Rinehart-Thompson 2017d, 207).
The HIPAA Privacy Rule permits charging patients for labor and supply costs
associated with copying health records. Mercy Hospital is located in a state where state
law allows charging patients a $100 search fee associated with locating records that
have been requested. Which of the following statements is true when applied to this
scenario?
a. State law will not be preempted in this situation.
b. The Privacy Rule will preempt state law in this situation.
c. The Privacy Rule never preempts existing state law.
d. The Privacy Rule always preempts existing state law. - Answer-Correct Answer: B
If a fee is assessed for a request, the fee schedule must be consulted and an invoice
prepared. The fee schedule should be regularly reviewed for compliance with the
HIPAA Privacy Rule and applicable state laws. A system should be developed to
determine situations in which fees are not assessed, when prepayment is required, and
to implement collection procedures for delinquent payments following record disclosure
(Brodnik 2017b, 372-373).
