RHIA Domain 2 Study Guide Questions
with Answers
Which of the following are technologies and methodologies for rendering protected
health information unusable, unreadable, or indecipherable to unauthorized individuals
as a method to prevent a breach of PHI?
a. Encryption and destruction
b. Recovery and encryption
c. Destruction and redundancy
d. Interoperability and recovery - Answer-Correct Answer: A
Encryption and destruction are the technologies and methodologies for rendering
protected health information unusable, unreadable, or indecipherable to authorized
individuals in order to prevent a potential breach of PHI (Biedermann and Dolezel 2017,
401).
The hospital's public relations department in conjunction with the local high school is
holding a job shadowing day. The purpose of this event is to allow high school seniors
an opportunity to observe the various jobs in the hospital and to help the students with
career planning. The public relations department asks for input on this event from the
standpoint of HIPAA compliance. In this case, what should the HIM department advise?
a. Job shadowing is allowed by HIPAA under the provision of allowing students and
trainees to practice.
b. Job shadowing should be limited to areas in which the likelihood of exposure to PHI
is very limited, such as administrative areas.
c. Job shadowing is allowed by HIPAA under the provision of volunteers.
d. Job shadowing is specifically prohibited by HIPAA. - Answer-Correct Answer: B
Job shadowing should be limited to areas where the likelihood of exposure to PHI is
very limited, such as in administrative areas. There is a provision in the Privacy Rule
that permits students and trainees to practice and improve their skills in the healthcare
environment; however, the context of this provision appears to imply that the students
are already enrolled in a healthcare field of study and that they are under the
supervision of the covered entity. Most covered entities require students to be trained
on confidentiality and other requirements of the Privacy Rule, and job shadowing
activities do not appear to apply in this exception (Thomason 2013, 41).
A hospital releases information to an insurance company with proper authorization by
the patient. The insurance company forwards the information to a medical data
clearinghouse. This process is referred to as:
a. Admissibility
b. Civil release
c. Privileging process
d. Redisclosure - Answer-Correct Answer: D
,Redisclosure of health information is of significant concern to the healthcare industry.
As such, the HIM professional must be alerted to state and federal statutes addressing
this issue. A consent obtained by a hospital pursuant to the Privacy Rule in 45 CFR
164.506(a)(5) does not permit another hospital, healthcare provider, or clearinghouse to
use or disclose information. However, the authorization content required in the Privacy
Rule in 45 CFR 164.508(c)(1) must include a statement that the information disclosed
pursuant to the authorization may be disclosed by the recipient and thus is no longer
protected (Rinehart-Thompson 2017d, 231-232).
When a patient revokes authorization for release of information after a healthcare entity
has already released the information, the healthcare entity in this case:
a. May be prosecuted for invasion of privacy
b. Has become subject to civil action
c. Has violated the security regulations of HIPAA
d. Is protected by the Privacy Act - Answer-Correct Answer: D
One of the specifications found within the consent for use and disclosure of information
should state that the individual has the right to revoke the consent in writing, except to
the extent that the covered entity has already taken action based on the consent. In this
situation, the facility acted in good faith based on the prior authorization and therefore
the release is covered under the Privacy Act (Rinehart-Thompson 2017d, 223).
Generally, policies addressing the confidentiality of quality improvement (QI) committee
data (minutes, actions, and so forth) state that this kind of data is:
a. Protected from disclosure
b. Subject to release with patient authorization
c. Generally available to interested parties
d. May not be reviewed or released to external reviewers such as the Joint Commission
- Answer-Correct Answer: A
Outcomes of quality improvement studies may be used to evaluate a physician's
application for continued medical staff membership and privileges to practice. These
studies are usually conducted as part of the hospital's QI activities. These review
activities are considered confidential and protected from disclosure (Shaw and Carter
2019, 392-393).
An employer has contacted the HIM department and requested health information on
one of his employees. Of the options listed here, what is the best course of action?
a. Provide the information requested
b. Refer the request to the attending physician
c. Request the employee's written authorization for release of information
d. Request the employer's written authorization for release of the employee's
information - Answer-Correct Answer: C
Employers who may or may not be HIPAA-covered healthcare organizations may
request patient information for a number of reasons, including family medical leave
certification, return to work certification for work-related injuries, and information for
company physicians. Patient authorization is required for such disclosures, except in
some states the patient's employer, employer's insurer, and employer's and employee's
,attorneys do not need patient authorization to obtain health information for workers'
compensation purposes (Brodnik 2017b, 345).
Under the HIPAA Privacy Rule, a hospital may disclose health information without
authorization or subpoena in which of the following cases?
a. The patient has been involved in a crime that may result in death.
b. The patient has celebrity status and requires protection.
c. The father of a 22-year-old is requesting the records.
d. An attorney requests records. - Answer-Correct Answer: A
News media personnel (and others) may have an interest in obtaining information about
a public figure or celebrity who is being treated or about individuals involved in events
that have cast them in the public eye. However, the media is not exempt from the
restrictions imposed by the HIPAA facility directory requirement, and it is prudent for a
healthcare organization to exercise even greater restraint than that mandated by the
facility directory requirement with respect to the media. Parents of adult children and
attorneys also need an authorization to receive patient records. A hospital may disclose
health information to law enforcement when the suspected criminal conduct has
resulted in a death (Brodnik 2017b, 365).
Covered entities must retain documentation of their security policies for at least:
a. Five years
b. Five years from the date of origination
c. Six years from the date when last in effect
d. Six years from the date of the last incident - Answer-Correct Answer: C
The maintenance of policies and procedures implemented to comply with the Security
Rule must be retained for six years from the date of its creation or the date when it was
last in effect, whichever is later (Reynolds and Brodnik 2017a, 278-279).
Under HIPAA, when is the patient's written authorization required to release his or her
healthcare information?
a. For purposes related to treatment
b. For purposes related to payment
c. For administrative healthcare operations
d. For any purpose unrelated to treatment, payment, or healthcare operations - Answer-
Correct Answer: D
The implementation of the Health Insurance Portability and Accountability Act (HIPAA)
Privacy Rule in 2003 established a consistent set of privacy and security rules. The
Privacy Rule states that protected health information used for treatment, payment, or
healthcare operations does not require patient authorization to allow providers access,
use, or disclosure. However, only the minimum necessary information needed to satisfy
the specified purpose can be used or disclosed. The release of information for purposes
unrelated to treatment, payment, or healthcare operations still requires the patient's
written authorization (Fahrenholz 2017a, 45-46).
, When a healthcare entity destroys health records after the acceptable retention period
has been met, a certificate of destruction is created. How long must the healthcare
entity maintain the certificate of destruction?
a. 2 years
b. 5 years
c. 10 years
d. Permanently - Answer-Correct Answer: D
Appropriate documentation of health record destruction must be maintained
permanently no matter how the process is carried out. This documentation usually takes
the form of a certificate of destruction (Fahrenholz 2017b, 108).
.
Of the following, what is the most likely to happen to a patient's health record when his
or her physician leaves an office practice?
a. It will be sent to the state department of health.
b. It will be sent to outside storage.
c. It will be destroyed.
d. It will be retained by the practice. - Answer-Correct Answer: D
In physician practices, patients are informed of their option to transfer their records to
another provider. The majority of complete contracts specify that health records are
owned by the provider group (Rinehart-Thompson 2017c, 199-200).
.
The legal health record for disclosure consists of:
a. Any and all protected health information collected or used by a healthcare entity
when delivering care
b. Only the protected health information requested by an attorney for a legal proceeding
c. The data, documents, reports, and information that comprise the formal business
records of any healthcare entity that are to be utilized during legal proceedings
d. All of the data and information included in the HIPAA designated record set - Answer-
Correct Answer: C
The concept of legal health records (LHRs) was created to describe the data,
documents, reports, and information that comprise the formal business records of any
healthcare organization that are to be utilized during legal proceedings (Biedermann
and Dolezel 2017, 424).
According to the Medicare Conditions of Participation, how long must health records be
retained?
a. 2 years
b. 5 years
c. 10 years
d. Permanently - Answer-Correct Answer: B
A health record must be maintained for every individual evaluated or treated in the
hospital. Health records must be retained in their original or legally reproduced form for
a period of at least 5 years (Fahrenholz 2017b, 106).
