Instructions: Print this exam worksheet. Return to the course page using the link below. Read the course material. Enter your answers on this worksheet. Return to the course page and click the link 'Take Test.' Transfer your answers.

Quantum Units Education®

HIPAA: Secure Electronic Health Records

Chapter 1: Why do Privacy and Security Matter?

1. Poor privacy and security practices heighten the vulnerability of patient information in your health information system, increasing the risk of successful cyber-attack.

A. True

B. False

2. To help cultivate patients’ trust, the social worker should:

A. Maintain accurate information in patients’ records.

B. Make sure patients have a way to request electronic access to their medical record and know how to do so.

C. Carefully handle patients’ health information to protect their privacy.

D. All of the above.

3. Which of the following is responsible for taking the steps needed to protect the confidentiality, integrity, and availability of health information in health care provider’s EHR?

A. The health care provider’s practice.

B. The EHR developer.

C. Both (A) and (B).

D. None of the above.

Chapter 2: Your Practice and the HIPAA Rules

4. Individual identifiable health information is information, including demographic information, that relates to:

A. The individual’s past, present, or future physical or mental health or condition.

B. The provision of health care to the individual.

C. The past, present, or future payment for the provision of health care to the individual.

D. All of the above.

5. The HIPAA Rules apply to individually identifiable health information in the health care provider’s practice’s employment records and in records covered by the Family Education Rights and Privacy Act.

A. True

B. False

6. When a CE discloses PHI to health plans for payment, there is a BA relationship because the health plan is performing a function for the CE.

A. True

B. False

7. A CE can be the BA of another CE when it performs the functions or activities for the CE.

A. True

B. False

8. An attending physician and a hospital have a BA relationship as they share PHI to treat their mutual patients.

A. True

B. False

9. The Notice of Privacy Practices must include all of the following, except:

A. A description of the ways in which the CE may use and disclose PHI.

B. A statement listing the other health care providers and health plans that have access to the individual’s PHI.

C. A statement of the CE’s duties to protect privacy, provide an NPP, and abide by the terms of the current notice.

D. A description of the individuals’ rights, including the right to complain to the U.S. Department of Health and Human Services and to the CE if they believe their privacy rights have been violated.

10. A CE cannot disclose which of the following without an individual’s written authorization?

A. PHI about the patient as necessary for treatment, payment, and health care operations purposes.

B. PHI for the treatment activities of another health care provider.

C. Uses and disclosures of psychotherapy notes kept by a provider.

D. All of the above must have written authorization for disclosure.

11. Health information of an individual that has been deceased for more than _____ is not PHI and therefore not subject to the Privacy Rule use and disclosure standards.

A. 50 years

B. 20 years

C. 7 years

D. 1 year

12. All of the following are actions that do not require patient authorization, except for:

A. Public health reporting activities

B. Licensing of PHI

C. Reasonable and cost-based remuneration for research

D. A payment made to a BA for services the BA supplied

13. Removing the identifiers specified in the Privacy Rule, in and of itself, makes information de-identified.

A. True

B. False

Chapter 3: Understanding Patients' Health Information Rights

14. Patients have the right to inspect and receive a copy of their PHI in a designated record set, which includes information about them in the CE’s medical and billing records.

A. True

B. False

15. The CE is required to provide an accounting of disclosure for the _____ years prior to the date on which the accounting was requested.

A. 2

B. 4

C. 6

D. 8

16. If a patient, or another person on behalf of the individual, has fully paid out-of-pocket for a service or item and also requests that the PHI not be disclosed to his/her health plan, the CE cannot disclose the PHI to a health plan for payment or health care operations.

A. True

B. False

Chapter 4: Understanding Electronic Health Records, the HIPAA Security Rule, and Cybersecurity

17. Performing a security risk analysis that identifies and analyzes risks to ePHI and then implementing security measures to reduce the identified risks is a central requirement for which type of safeguard?

A. Administrative safeguards

B. Physical safeguards

C. Organizational safeguards

D. Policies and procedures safeguards

18. Cybersecurity is needed:

A. If the EHR is locally installed in the CE’s office.

B. If the EHR is accessed over the Internet from a cloud service provider.

C. Both (A) and (B).

D. None of the above.

Chapter 6: Sample Seven-Step Approach for Implementing a Security Management Process

19. The first comprehensive security risk analysis should:

A. Identify where ePHI exists in the practice and how it is created, received, maintained, and transmitted, including in the EHR.

B. Identify potential threats and vulnerabilities to ePHI.

C. Identify risks and their associated levels.

D. All of the above.

20. Use of CEHRT means that the practice is “HIPAA compliant.”

A. True

B. False

21. Patients can request copies of and access to their PHI in paper or electronic format, including from the EHR.  Meaningful Use Core Objectives indicate that such ePHI held in the EHR should be made available to patients, upon request, within _____ business days of it being available to the provider.

A. 2

B. 4

C. 10

D. 30

Chapter 7: Breach Notification, HIPAA Enforcement, and Other Laws and Requirements

22. When a breach of unsecured PHI occurs, the Rules require the CE to notify which of the following?

A. The affected individuals

B. The Secretary of HHS

C. The media if the breach affects more than 500 individuals

D. All of the above

Copyright © 2022 Quantum Units Education

Visit us at!