Data Privacy and
Confidentiality
Which of the following is true of the Health Insurance Portability and Accountability Act
(HIPAA)?
a. Provides a federal floor for healthcare privacy
b. Duplicates state laws
c. Does not need to be followed if it is not feasible to do so
d. Duplicates Joint Commission standards - ANSWER a. Provides a federal floor for
healthcare privacy
Under the HIPAA Privacy Rule, an impermissible use or disclosure should be presumed
to be a breach unless the covered entity or business associate demonstrates that the
probability the PHI has been compromised is __________.
a. High
b. Moderate
c. Low
d. Non-existent - ANSWER c. Low
Under the HIPAA Privacy Rule, which of the following is a covered entity category?
a. Business associate
b. Healthcare clearinghouse
c. Physician office
d. Document disposal company - ANSWER b. Healthcare clearinghouse
Under usual circumstances, a covered entity must act on a patient's request to review or
copy his or her health information within what time frame?
a. 10 days
b. 20 days
c. 30 days
d. 60 days - ANSWER c. 30 days
The HIPAA Privacy Rule requires that covered entities limit use, access, and disclosure
of PHI to the least amount necessary to accomplish the intended purpose. What
concept is this?
a. Minimum necessary
b. Notice of privacy practice
c. Authorization
d. Consent - ANSWER a. Minimum necessary
Which of the following should be included in a covered entity's notice of privacy
practices?
a. Description with one example of disclosures made for treatment purposes
b. Description of one other purpose for which a covered entity is permitted or required
to disclose PHI without consent or authorization
c. Statement of the healthcare organization's rights
d. Patient's signature and e-mail address - ANSWER a. Description with one example of
disclosures made for treatment purposes
Which of the following is true of the notice of privacy practices?
a. It must be made available at the corporate headquarters
b. It must be posted in a prominent place
c. Its content cannot be changed
d. It cannot be posted on the website - ANSWER b. It must be posted in a prominent
place
Which of the following statements is true?
a. An authorization must contain an expiration date or event
b. A consent for use and disclosure of information must be obtained from every patient.
c. An authorization must be obtained for uses and disclosures for treatment, payment,
and operations.
d. A notice of privacy practices must give ten examples of a use or disclosure for
healthcare operations. - ANSWER c. An authorization must be obtained for uses and
disclosures for treatment, payment, and operations.
In which of the following instances must patient authorization be obtained prior to
disclosure?
a. To an insurance company for payment
b. To the patient's attorney
c. To public health authorities as required by law
d. To another provider for treatment - ANSWER a. To an insurance company for
payment
Which of the following is true about a facility's patient directory?
a. A written authorization from the patient is required before any information about the
patient is placed in a facility directory.
b. Only the patient's name may be placed in a facility directory.
c. The covered entity must inform the individual of the information to be included in the
facility directory.
d. Because this is considered a normal hospital operation, an individual may not prohibit
his or her inclusion in the directory - ANSWER c. The covered entity must inform the
individual of the information to be included in the facility directory.
Which of the following statements about a business associate agreement is true?
a. It allows the business associate to use or disclose PHI for any purpose.
b. It allows the business associate to maintain PHI indefinitely after termination of the
contract.
c. It allows the business associate to use or disclose PHI in limited ways.
d. It requires the business associate to make available records relating to PHI use and
disclosure to the HHS. - ANSWER c. It allows the business associate to use or disclose
PHI in limited ways.
How many days does a covered entity have to respond to an individual's request for
access to his or her PHI when the PHI is stored offsite?
a. 10 days beyond the original requirement
b. 30 days
c. 60 days
d. 90 days - ANSWER c. 60 days
Which of the following statements is true of the notice of privacy practices?
a. It gives the covered entity permission to use information for treatment purposes.
b. It must be provided to every individual at the first time of contact or service with the
covered entity.
c. It must be provided to the individual by the covered entity within 10 days after receipt
of treatment or service.
d. It serves the same purpose as the authorization. - ANSWER b. It must be provided to
every individual at the first time of contact or service with the covered entity.
Which of the following statements about a facility directory of patients is true?
a. Disclosures from the directory need not be included in an accounting of disclosures.
b. Individuals must provide a written authorization before information can be placed in
the directory.
c. The directory must contain only the patient's name and birth date.
d. The directory may contain diagnostic information as long as it is kept confidential. -
ANSWER b. Individuals must provide a written authorization before information can be
placed in the directory.
In which of the following situations can PHI be disclosed without authorization, as long
as there was an opportunity for the individual to agree or object?