CERTIFIED HEALTHCARE PRIVACY AND SECURITY (CHPS) EXAM PREPARATION UPDATED 2024 - 2025
- A patient has requested three accounting-of-disclosures reports in the past month. Which of the following statements is true regarding the accounting of disclosure? - Correct Answer - The CE is allowed to charge a reasonable, cost-based fee for the second and third request for accounting disclosures and must inform the patient prior.
- In the final HIPAA Omnibus Rule of 2013, which of the following was added to the regulations regarding patient access? - Correct Answer - A patient has a right to receive his or her designated record set electronically, if maintained electronically.
- If a state requires that all medical records are disclosed within 15 days from the request, and HIPAA requires for disclosures to be completed within 30 days from the request,
- What was the compliance date for all covered entities and business associates to bring all of the grandfathered business associate agreements into compliance with the final Omnibus Rule of 2013? - Correct Answer - September 23, 2014
- The HIPAA Security Rule allows flexibility with implementation based on reasonableness and appropriateness safeguards. This means that covered entities can - Correct Answer - implement based on organizational assessment
- What group was granted authority to bring civil actions against healthcare organizations and business associates based on alleged HIPAA violations? - Correct Answer - State attorney general
- To place a patient in a facility directory, a covered entity - Correct Answer - must obtain the patient's verbal agreement.
- The Privacy Rule permits charging patients for labor and supply costs associated with copying health records. A hospital is located in a state where state law allows charging patients a $100 search fee associated with locating records that have been requested. - Correct Answer - The Privacy Rule will preempt state law in this situation.
- What does it mean to state the regulation in the HIPAA Security Rule is addressable? - Correct Answer - The organization can implement an alternate safeguard of equivalent protections.
- A healthcare provider that provided a copy of an individual's medical record to a nursing home that the patient will be transferred to is an example of using protected health information for what purpose? - Correct Answer - Treatment
- A payment from a drug company to a covered entity to promote a new medication for treatment of acne is referred to as - Correct Answer - direct.
example of what type of disclosure? - Correct Answer - Incidental
- Which of the following is the only scenario where breach notification can be delayed past the 60-day notification requirement? - Correct Answer - When law enforcement requests a delay due to open criminal investigation.
- During a recent change in a computer system's access, an organization determined that they were going to create role-based access defined on the need for each job type within the organization. This is an example of application of which of the following: - Correct Answer - Minimum necessary
- An organization just finished updating the minimum necessary policy and procedure. The new policy took effect on February 12, 2016. How long do they have to maintain the previous version of the policy? - Correct Answer - February 12, 2020
- Which of the following is considered a patient's right under the HIPAA Privacy Rule? - Correct Answer - Accounting of disclosure (AOD)
- How long does a covered entity have to respond to an accounting of disclosure request? - Correct Answer - 30 days with one 30 day extension.
- Authorizations are required for all disclosures except - Correct Answer - Treatment, payment, and healthcare operations
- Which of the following terms refers to the direct or indirect payment from a third party whose product or service is being described by the covered entity? - Correct Answer - Financial remuneration
- A health plan uses a month's worth of diagnosis codes from member's bills submitted to evaluate new services that can be created to support health-plan member education.
- If a request to a health plan is made for alternative locations of confidential communication with an insured individual due to concerns with endangerment to the individual, the health plan must - Correct Answer - permit and accommodate reasonable requests for confidential communication.
- A covered entity provided training to their workforce in an all-staff meeting on October 11, 2020. The privacy officer has a copy of the presentation along with all the individuals present. What is the earliest date the privacy officer can destroy the training documentation? - Correct Answer - After 6 years.
- Which of the following does a covered entity need to include in HIPAA education as they are considered part of the workforce? - Correct Answer - Health information student intern
- An authorization for disclosure is signed and received by a healthcare organization on December 14, 2020. Upon review of the request for disclosure, the date of the signature is missing. What should the CE do? - Correct Answer - Deny the request and ask the individual to complete the date of signature.
- A patient requested a restriction of his/her health information to a former provider as there is no longer a patient/provider relationship between the two. How long does the CE have to respond to the request for the restriction? - Correct Answer - Set by the organizational policy.
- During an office visit, a patient overhears a conversation between the provider and another patient in the room next door as the walls are very thin and it is easy to hear the conversation between visit rooms. Both doors of the patient rooms are closed during the time of the disclosure. This is an example of a(n) - Correct Answer - Incidental disclosure
- The date September 23, 2013 represents what? - Correct Answer - The compliance date of the HIPAA Omnibus Rule
request? - Correct Answer - 30 days, with one 30 day extension.
- When distributing the NOPP, the following individual does not have rights to receive a copy of the NOPP. - Correct Answer - Inmate
- To which requirement under the HIPAA Privacy Rule do the following exceptions apply: 1) to carry out treatment, payment and healthcare operations, 2) to individuals of protected health information about them, and 3) incident to a use or disclosure otherwise permitted or required? - Correct Answer - Accounting of disclosure
- Which of the following organizations is able to request a temporary suspension in the individual's right to access an accounting of disclosures? - Correct Answer - Law enforcement
- Which of the following has to be included in an accounting of disclosures? - Correct Answer - Disclosures for mandated state reporting
- During an investigation into a criminal complaint, a law enforcement officer called the HIPAA privacy officer and requested that the organization suspend the rights of a patient to know where his/her health information was being sent. How long is this temporary suspension of rights to an AOD valid? - Correct Answer - 30 days
- When designing a HIPAA privacy and security training program, a CE should create a training program that educates all - Correct Answer - workforce members.
- A covered entity just implemented a new policy and procedure for use and disclosure of protected health information. Which of the following should the organization do to make sure the policy and procedure is effective? - Correct Answer - Conduct an ongoing evaluation of the adherence to the policy and procedure
Answer - treat the request as a revocation and remove the patient from all fundraising from the organization
- When creating a report for an organization's foundation for fundraising purposes, the CE can provide which of the following information on the report without an authorization? - Correct Answer - Treating physician
- Barb is completing her required high school community service hours by serving as a volunteer at the local hospital. Barb is a - Correct Answer - workforce member
- When deidentifying a data set, the year from date of birth can be left in the data set except when the patient is over _________ years old - Correct Answer - 89
- Which document can be used to request the use or disclosure of health information in a research study and also is combined with other types of written permissions and authorizations for the same study? - Correct Answer - Compound authorization
- Which document from the Institutional Review Board (IRB) allows for a covered entity to use or disclose protected health information with an authorization? - Correct Answer - Waiver
- A waiver for research to use protected health information without authorization for the patient needs to be approved by - Correct Answer - a privacy board or the Institutional Review Board (IRB)
- A research company uses a data set that has 16 data elements removed and signs a data agreement; this is referring to the use of - Correct Answer - limited data set
- What two identifiers are part of a limited data set and deidentified information? - Correct Answer - Geographic subdivision and elements of date
- If a health insurance company is making a communication to a member promoting a vehicle insurance
- If a covered entity denies a request for an amendment of protected health information, what is one of the reasons that a covered entity may deny the request? - Correct Answer - The information is not part of the organization's designated record set.
- Which of the following would be considered an exception under the marketing and would not need an authorization for disclosure for marketing? - Correct Answer - Providing refill reminders to a patient on a specific drug.
- If a covered entity denies a request for an amendment of protected health information, the request for the amendment and denial letter must be - Correct Answer - linked to specific protected health information subject to request and appropriately disclosed.
- Documentation of an alarm system being used, locking of the organization's doors, and video surveillance cameras used within the organization can be found within the facility - Correct Answer - security plan
- Some of the requirements of which document include describing the permitted and required uses and disclosures of PHI, prohibiting an organization from further using or disclosing information, requiring appropriate safeguards be implemented, requiring assurances from subcontractors for protections of PHI, conducting a risk analysis, and having a risk management program? - Correct Answer - Business associate agreement
- Business associates must comply with the following requirements under HIPAA: - Correct Answer - All of the HIPAA Security Rule and parts of the HIPAA Privacy Rule
- The right to access, copy, request restrictions, and complain is all described in what document? - Correct Answer - Notice of Privacy Practices (NOPP)