RHIT Domain 2 Exam Questions
with Correct Answers
To comply with HIPAA regulations, a hospital would make its membership in an HIE
known to its patients through which of the following?
a. Press release
b. Notice of Privacy Practices
c. Consent form
d. Website notice - Answer-b
The Privacy Rule introduced the standard that individuals should be informed how
covered entities use or disclose protected health information (PHI). Section 164.520
requires that, except for certain variations or exceptions for health plans and
correctional facilities, an individual has the right to a notice explaining how his or her
PHI will be used and disclosed. This is the notice of privacy practices (Rinehart-
Thompson 2016b, 230-231).
Which of the following is an organization's planned response to protect its information in
the case of a natural disaster?
a. Administrative controls
b. Contingency plan
c. Audit trail
d. Physical controls - Answer-b
Disaster planning occurs through a contingency plan—a set of procedures, documented
by the organization to be followed when responding to emergencies. It encompasses
what an organization and its personnel need to do both during and after events that limit
or prevent access to facilities and patient information (Rinehart-Thompson 2016c, 267).
Release of birth and death information to public health authorities:
a. Is prohibited without patient consent
b. Is prohibited without patient authorization
c. Is a public interest and benefit disclosure that does not require patient authorization
d. Requires both patient consent and authorization - Answer-c
There are circumstances where PHI can be used or disclosed without the individual's
authorization and without granting the individual the opportunity to agree or object.
Some of these circumstances include preventing or controlling diseases, injuries, and
disabilities, and reporting disease, injury, and vital events such as births and deaths
(Rinehart-Thompson 2016b, 235).
,A hospital HIM department receives a subpoena duces tecum for records of a former
patient. When the health record technician goes to retrieve the patient's health records,
it is discovered that the records being subpoenaed have been purged in accordance
with the state retention laws. In this situation, how should the HIM department respond
to the subpoena?
a. Inform defense and plaintiff lawyers that the records no longer exist
b. Submit a certification of destruction in response to the subpoena
c. Refuse the subpoena since no records exist
d. Contact the clerk of the court and explain the situation - Answer-b
If the paper health record is destroyed, the imaging record would be the legal health
record. This may not be the case if the paper record is retained. State laws typically
view the original health record as the legal record when it is available. Those who
choose to destroy the original health record may do so within weeks, months, or years
of scanning. If the record was destroyed according to guidelines for destruction and no
scanned record exists, the certificate of destruction should be presented in lieu of the
record (Rinehart-Thompson 2017b, 199-200).
A subpoena duces tecum compels the recipient to:
a. Serve on a jury
b. Answer a complaint
c. Testify at trial
d. Bring records to a legal proceeding - Answer-d
A subpoena duces tecum instructs the recipient to bring documents and other records
with himself or herself to a deposition or to court (Rinehart-Thompson 2017a, 59).
What resource should be consulted in terms of who may authorize access, use, or
disclose the health records of minors?
a. HIPAA because it has strict rules regarding minors
b. Hospital attorneys because they know the rules of the hospital
c. State law because HIPAA defers to state laws on matters related to minors
d. Federal law because HIPAA overrides state laws on matters related to minors -
Answer-c
Because HIPAA defers to state laws on the issue of minors, applicable state laws
should be consulted regarding appropriate authorization. In general, the age of maturity
is 18 years or older. This is the legal recognition that an individual is considered
responsible for, and has control over, his or her actions (Klaver 2017b, 160).
A patient requests copies of her medical records in an electronic format. The hospital
does not maintain all of the designated records in an electronic format. How should the
hospital respond?
a. Provide the records in paper format only
b. Scan the paper documents so that all records can be sent electronically
c. Provide the patient with both paper and electronic copies of the record
,d. Inform the patient that PHI cannot be sent electronically - Answer-a
The process of releasing health record documentation originally created by a different
provider is called:
a. Privileged communication
b. Subpoena
c. Jurisdiction
d. Redisclosure - Answer-d
The process of releasing health record documentation originally created by a different
provider is called redisclosure. Federal and state regulations provide specific
redisclosure guidelines; however, when in doubt, follow the same principles as the
release and disclosure guidelines for other types of health record information
(Fahrenholz 2013a, 104).
When data has been lost in an EHR, which action is taken to remedy this problem?
a. Build a firewall
b. Data recovery
c. Review the audit trail
d. Develop data integrity plan - Answer-b
Data recovery is the process of recouping lost data or reconciling conflicting data after
the system fails. These data may be from events that occurred while the system was
down or from backed-up data (Sayles and Trawick 2014, 213).
Central City Clinic has requested that Ghent Hospital send its hospital records for
Susan Hall's most recent admission to the clinic for her follow-up appointment. Which of
the following statements is true?
a. The Privacy Rule requires that Susan Hall complete a written authorization.
b. The hospital may send only the discharge summary, history and physical, and
operative report.
c. The Privacy Rule's minimum necessary requirement does not apply.
d. This "public interest and benefit" disclosure does not require the patient's
authorization. - Answer-c
There are certain circumstances where the minimum necessary requirement does not
apply, such as to healthcare providers for treatment; to the individual or his personal
representative; pursuant to the individual's authorization to the secretary of the HHS for
investigations, compliance review, or enforcement; as required by law; or to meet other
Privacy Rule compliance requirements (164.502(b)(2); Rinehart-Thompson 2017c, 234).
Under the HIPAA Privacy rule, which of the following statements is true?
a. An authorization must contain an expiration date or event.
b. A consent for use and disclosure of information must be obtained from every patient.
c. An authorization must be obtained for uses and disclosures for treatment, payment,
and operations.
, d. A notice of privacy practices must give 10 examples of a use or disclosure for
healthcare operations. - Answer-a
In order for an authorization to be valid, it must contain an expiration date or event that
relates to the individual or the purpose of the use or disclosure (Rinehart-Thompson
2016b, 245-246).
A hospital is planning on allowing coding professionals to work at home. The hospital is
in the process of identifying strategies to minimize the security risks associated with this
practice. Which of the following would be best to ensure that data breaches are
minimized when the home computer is unattended?
a. User name and password
b. Automatic session terminations
c. Cable locks
d. Encryption - Answer-b
In the HIPAA Security Rule, one of the technical safeguards standards is access
control. This includes automatic log-off, which ensures processes that terminate an
electronic session after a predetermined time of inactivity (Reynolds and Brodnik 2017,
277).
Who owns the health record?
a. Patient
b. Provider who generated the information
c. Insurance company who paid for the care recorded in the record
d. No one - Answer-b
Ownership of the health record has traditionally been granted to the provider who
generates the record (Brodnik 2017a, 9).
Which of the following is true regarding the development of health record destruction
policies?
a. All applicable laws must be considered
b. The organization must find a way not to destroy any health records
c. Health records involved in pending or ongoing litigation may be destroyed
d. Only state laws must be considered - Answer-a
Not all information must be kept forever. Just as the HIM professional must consider
multiple factors when determining retention, many factors must also be taken into
consideration with regard to health record destruction. These include applicable federal
and state statutes and regulations; accreditation standards; pending or ongoing
litigation; storage capabilities; and cost (Rinehart-Thompson 2016a, 208).
What is the biggest threat to the security of healthcare data?
a. Natural disasters
b. Fires
