RHIA Domain 2 Test with Complete
Solutions Graded A+
Notice of Privacy Practices (NPP) - Answer-give to patients to inform them of all
possible ways their PHI will be used and disclosed, also about their privacy rights
Consent - Answer-authorizes the providers to use PHI the way they described in the
NPP, not consent to treatment
Authorization - Answer-document that gives CE permission to use PHI for specific
purposes or disclose the PHI to a third party/other, patient agreement to a specific
disclosure, must be written in plain language and copy provided to individual
CE HAS 30 days to respond and disclose the info from the auth date received
Auth General Rule - Answer-do not need authorization for any use/disclosure
permitted/required by the privacy rule, but usually need authorizations for other
information use, disclosure than TPO, to specific people, etc.
REQUIRED by privacy rule for:
certain disclosures not otherwise permitted without auth, psychotherapy notes,
marketing, sale of PHI
Minimum Necessary Standard - Answer-requires CE/BA to try to make the info they
send to be only what is necessary with no extra PHI/other info about the patient
disclosed, still accomplishes the purpose of the use, disclosure, request
When auth is not needed PUBLIC BENEFITS - Answer-to BAs, required by law/gov,
public health/reporting, abuse/neglect/violence victims, audits/inspections/etc., law
enforcement, judicial, organ donation, research purposes, military, workers comp
BAA - Answer-Business Associate Agreement, contracts between CE and BA that
establish permitted/required uses and disclosures of PHI by the BA
EX: attorney providing legal services with PHI, need BAA
consultant providing services to facility, need BAA
How long do you retain auths - Answer-6 years
Exceptions to auth - Answer-to individual, to BA/CE, TPO, incidental use/disclosure,
public benefit (12 things listed up there), limited data for research
Opportunity to agree/object to auth - Answer-facility directories, notification
, Research/auth - Answer-newer updates to try to limit sharing but also give enough info
that can provide quality care/treatments, for effective research to occur, compound auth,
use and disclose of PHI may exist in same form for research only
auth may not be required, but IRB should be involved in process
Right to Access - Answer-individuals right to access/obtain the copy of the their info
from the DRS, 30 day response time, now CEs with EHRs must make PHI available
electronically/transmit if possible
EXCEPTIONS: psychotherapy notes requires special auth, dangerous to life/person,
info not created by CE
Right to Request Amendment - Answer-request the amendment of something in DRS,
60 day response time, 30 day extension (1), if denied must give reason and explain
right to disagree, rebuttal/complain to HHS
Right to Accounting of Disclosures - Answer-CEs must keep a history of when/to whom
disclosures were made for 6 YEARS, other than TPO, to indiv, with auth, but 12
gov/benefit reasons are INCLUDED in accounting
get one free accounting annually, within 60 days of request, BAs must respond to
requests directly to them
Right to Request Restrictions - Answer-individuals can request to restrict the use and
disclosure for TPO and to others in family, CE is not required to agree but if they do
must document agreement, ARRA/HITECH must agree if involved w healthplan/out of
pocket, can be terminated by agreement of parties or notification
Right to Confidential Communications - Answer-can request to accommodate to specific
types/locations of communications to avoid others receiving info, usually with sensitive
info or dont want a certain person receiving, can deny if too burdensome
Right to Complain - Answer-NPP should explain this right, ability to complain to
HHS/Office of Civil Rights/CE if want to, if written complaint have 180 days to send to
HHS
Marketing - Answer-any communication about a service that encourages people to use
it, AUTH is required for this, services covered for health benefits don't count, face to
face not required auth, CE providing promotional gifts of nominal value, ARRA HITECH
increases patient control
Fundraising - Answer-NPP should define that PHI could be used for fundraising
purposes, usually auth not needed, if for benefit of CE, have right to OPT OUT, ARRA
HITECH increased this
Types of Hospitals - Answer-for profit: able to use profits to put back into the
organization, management, investors, etc.
Solutions Graded A+
Notice of Privacy Practices (NPP) - Answer-give to patients to inform them of all
possible ways their PHI will be used and disclosed, also about their privacy rights
Consent - Answer-authorizes the providers to use PHI the way they described in the
NPP, not consent to treatment
Authorization - Answer-document that gives CE permission to use PHI for specific
purposes or disclose the PHI to a third party/other, patient agreement to a specific
disclosure, must be written in plain language and copy provided to individual
CE HAS 30 days to respond and disclose the info from the auth date received
Auth General Rule - Answer-do not need authorization for any use/disclosure
permitted/required by the privacy rule, but usually need authorizations for other
information use, disclosure than TPO, to specific people, etc.
REQUIRED by privacy rule for:
certain disclosures not otherwise permitted without auth, psychotherapy notes,
marketing, sale of PHI
Minimum Necessary Standard - Answer-requires CE/BA to try to make the info they
send to be only what is necessary with no extra PHI/other info about the patient
disclosed, still accomplishes the purpose of the use, disclosure, request
When auth is not needed PUBLIC BENEFITS - Answer-to BAs, required by law/gov,
public health/reporting, abuse/neglect/violence victims, audits/inspections/etc., law
enforcement, judicial, organ donation, research purposes, military, workers comp
BAA - Answer-Business Associate Agreement, contracts between CE and BA that
establish permitted/required uses and disclosures of PHI by the BA
EX: attorney providing legal services with PHI, need BAA
consultant providing services to facility, need BAA
How long do you retain auths - Answer-6 years
Exceptions to auth - Answer-to individual, to BA/CE, TPO, incidental use/disclosure,
public benefit (12 things listed up there), limited data for research
Opportunity to agree/object to auth - Answer-facility directories, notification
, Research/auth - Answer-newer updates to try to limit sharing but also give enough info
that can provide quality care/treatments, for effective research to occur, compound auth,
use and disclose of PHI may exist in same form for research only
auth may not be required, but IRB should be involved in process
Right to Access - Answer-individuals right to access/obtain the copy of the their info
from the DRS, 30 day response time, now CEs with EHRs must make PHI available
electronically/transmit if possible
EXCEPTIONS: psychotherapy notes requires special auth, dangerous to life/person,
info not created by CE
Right to Request Amendment - Answer-request the amendment of something in DRS,
60 day response time, 30 day extension (1), if denied must give reason and explain
right to disagree, rebuttal/complain to HHS
Right to Accounting of Disclosures - Answer-CEs must keep a history of when/to whom
disclosures were made for 6 YEARS, other than TPO, to indiv, with auth, but 12
gov/benefit reasons are INCLUDED in accounting
get one free accounting annually, within 60 days of request, BAs must respond to
requests directly to them
Right to Request Restrictions - Answer-individuals can request to restrict the use and
disclosure for TPO and to others in family, CE is not required to agree but if they do
must document agreement, ARRA/HITECH must agree if involved w healthplan/out of
pocket, can be terminated by agreement of parties or notification
Right to Confidential Communications - Answer-can request to accommodate to specific
types/locations of communications to avoid others receiving info, usually with sensitive
info or dont want a certain person receiving, can deny if too burdensome
Right to Complain - Answer-NPP should explain this right, ability to complain to
HHS/Office of Civil Rights/CE if want to, if written complaint have 180 days to send to
HHS
Marketing - Answer-any communication about a service that encourages people to use
it, AUTH is required for this, services covered for health benefits don't count, face to
face not required auth, CE providing promotional gifts of nominal value, ARRA HITECH
increases patient control
Fundraising - Answer-NPP should define that PHI could be used for fundraising
purposes, usually auth not needed, if for benefit of CE, have right to OPT OUT, ARRA
HITECH increased this
Types of Hospitals - Answer-for profit: able to use profits to put back into the
organization, management, investors, etc.
