HIPAA – Flashcard

question
HIPAA
answer
Public Law 104-191. The Health Insurance Portability and Accountability Act of 1996. Purpose: To improve portability and continuity of health insurance coverage in the group and individual markets. To combat waste, fraud, and abuse in health insurance and healthcare delivery. To promote the use of medical savings accounts. To improve access to long-term care services and coverage. To simplify the administration of health insurance.
question
Title 1
answer
Insurance Portability. Healthcare access, portability, and renewability.
question
Title 2
answer
Fraud and Abuse; Medical Liability Reform; Administrative Simplification. Preventing healthcare fraud and abuse, ADMINISTRATIVE SIMPLIFICATION, medical liability reform.
question
Title 3
answer
Tax Related Health Provisions
question
Title 4
answer
Application and Enforcement of Group Health Plan Requirements.
question
Title 5
answer
Revenue Offsets
question
Code Sets
answer
Standardized numeric or alphanumeric descriptions of things like provider location, diagnosis, procedure, medical concepts or terms, or types of transactions being sent between healthcare entities electronically. HIPAA codes must be utilized by covered entities.
question
Data Element
answer
Each detail of a visit to a provider such as patient name, address, date of service, location, and other information captured for record keeping and future evaluation, treatment, billing, and reporting purposes.
question
Dental Codes (CDT)
answer
Standards set by the American Dental Association to identify procedures done by dentists in their offices published as the Code on Dental Procedures and Nomenclature.
question
ICD10
answer
A code group which can be assigned to diagnosis and procedures. The list is called the International Classification of Diseases, Ninth Revision, Clinical Modification, and is created and maintained by the National Center for Health Statistics (NCHS) and the Center for Medicare and Medicaid Service (CMS).
question
National Employer Identifier (EIN)
answer
An employer identification number originally created by the IRS for tax purposes and subsequently adopted as the national standard to designate companies providing employee healthcare coverage for HIPAA purposes.
question
Electronic Data Interchange (EDI)
answer
The generic standards for exchanging business data electronically on which the rules and guidelines for HIPAA Transactions are based. EDI is more universal in scope than just providing guidance for the healthcare industry.
question
Healthcare Financing Administration Procedure Coding System (HCPCS)
answer
The Healthcare Financing Administration has undergone a name change and is now known as the Centers for Medicare and Medicaid Services (CMS). CMS and HHS update and distribute this code set to be used for things not identified in other approved lists.
question
National Drug Code (NDC)
answer
These codes are created and maintained by the FDA and allow standardized identification of drugs.
question
National Health Identifier for Individuals (NHI)
answer
Still has not been implemented due to privacy concerns.
question
National Health Plan Identifier (HPID)
answer
A proposed unique identifier for health plans and other payers of healthcare claims not formally proposed or defined at this time.
question
National Council for Prescription Drug Programs (NCPDP)
answer
Used for retail pharmacy transactions. Retail pharmacies are the only healthcare entities which use a different set of transmission standards (not codes). The two NCPDP formats which health plans must accept are Telecommunications Standard Format Version 5.1 and Batch Standard Version 1.0.
question
National Plan and Provider Enumeration System (NPPES)
answer
A plan within the HIPAA legislation to allow a third party contractor or contractors to create, verify, and assign NPI numbers, and to maintain the National Provider System and the National Provider File Database.
question
National Provider Identifier (NPI)
answer
The unique identifier for healthcare providers used for HIPAA compliance.
question
Patient Event
answer
A patient visit; the collective service or services included in this particular, unique interaction between this patient and this provider.
question
Place of Service Code (POS)
answer
A code, maintained by the Center for Medicare and Medicaid Services (CMS) which shows the payer the location type in which the patient service was rendered. A two digit series of numbers represents the place category.
question
Physician's Office Codes (CPT)
answer
Services performed in physician's offices are coded from a list called Current Procedural Terminology created by the American Medical Association.
question
Segment
answer
The renaming of the collective codes and data elements (data content) when repackaged within a transaction bundle or envelope.
question
Transactions
answer
These are the actual exchanges of electronic data between two healthcare parties.
question
Transactions and Code Sets
answer
Also called the Standard for Electronic Transactions. These are the rules and guidelines which show the healthcare industry how to exchange electronic data. Compliance is mandatory for all health plans, health clearinghouses, and health providers who receive or submit any health information electronically.
question
Addressable
answer
Security Rule Implementation specifications which offer flexibility on if and how they may be utilized to support their corresponding standard.
question
Administrative Safeguards
answer
Actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect EPHI, and to manage the conduct of your workforce in relation to that protection.
question
Administrative Simplification
answer
A portion of Title 1 of the HIPAA Legislation which strives, among other things, to safeguard Protected Health Information and to set standards for electronic information capture, storage, and transmission. Title 2 Subtitle F of HIPAA - Gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require use of national identification systems for health care patients, providers, payers (or plans) and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information.
question
American National Standards Institute (ANSI)
answer
A volunteer organization chosen by HHS to accredit private Standards Development Organizations (SDOs). The SDOs create the actual rules and guidelines for communication between health care industry individuals and organizations which must be implemented for HIPAA compliance.
question
Availability
answer
Having the information resources you try to access obtainable when you want and need them.
question
Biometric Technology
answer
Techniques for determining "who you are" authentication in order to control access to equipment and areas containing PHI.
question
Business Associates
answer
A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity's workforce. This individual or company needs to have access to PHI in order to perform a function for the covered entity.
question
Compliance Date
answer
The deadline for covered entities to get their business practices and systems into line with the requirements mandated by the HIPAA legislation.
question
Conduits
answer
Organizations which pass along PHI, but ordinarily do not have access or know what they are exchanging, such as the U.S. Postal Service, UPS, or FedEx.
question
Confidentiality
answer
Preventing unauthorized disclosure of information
question
Contingency planning
answer
Creating and documenting the formal plans and processes you use to analyze and inventory the electronic data in your organization, and how you plan to protect and restore that data in the event of an emergency, disaster, or theft.
question
Covered Entities
answer
Health Plans, Health Care Clearinghouses, and Health Care Providers who must comply with HIPAA regulations and standards because they transmit health information in electronic form in connection with HIPAA covered transactions.
question
Decryption
answer
The process of unlocking or revealing a hidden message which has been encrypted.
question
De-identified Information
answer
Patient Identifiable Information with all of the identifying details removed so that it can no longer be linked to any specific person.
question
Designated Record Set
answer
PHI laden audiotapes, videotapes, CDs, DVDs, or other means of capture, which must be protected as part of the patient's medical record.
question
Device and Media Control
answer
Protecting PHI by careful inventory, tracking, and cleaning of electronic equipment and media whether it is being used or being discarded.
question
Diagnostic and Procedure Codes (ICD-9-CM)
answer
A code group which can be assigned to diagnosis and procedures. The list is called the International Classification of Diseases, Ninth Revision, Clinical Modification, and is created and maintained by the National Center for Health Statistics (NCHS) and the Centers for Medicare and Medicaid Services (CMS).
question
Direct Treatment
answer
A provider who is in control of a patient's treatment.
question
Disclosing PHI
answer
Transmitting PHI outside the covered entity. Some disclosures are allowed by the Privacy Rule; some are disallowed.
question
Encryption
answer
The process of hiding the meaning of a message through the use of an algorithm (technique of encoding).
question
EPHI
answer
Electronic Protected Health Information
question
Facility Access Control
answer
Physically securing buildings and sensitive internal locations against unauthorized access.
question
FDCPA
answer
Fair Debt Collection Practices Act which regulates the activities of those who regularly collect debts from others. This law has ramifications for those collecting medical care debts as a business associate.
question
Final Rule
answer
Makes business associates and their subcontractors of covered entities directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules as stated in the Proposed Rule.
question
Financial Institutions
answer
Organizations which may process consumer-related transactions, but would not ordinarily be able to read and know the details of the electronic flow passing through their systems. Examples are: banks, credit card companies, and electronic clearinghouses.
question
GINA
answer
HIPAA Privacy Rule to increase privacy protections for genetic information as required by the Genetic Information Nondiscrimination Act of 2008 (GINA). Insurance organizations cannot use DNA information to determine health care coverage or employment.
question
HHS
answer
Department of Health and Human Services
question
HIPAA
answer
An acronym used as the "short title" of the bill, Public Law 104-191. The full version is Health Insurance Portability and Accountability Act of 1996.
question
Health Care Clearinghouse
answer
Organizations which process health care transactions for providers and insurers. These companies translate HIPAA standard transaction formats for entities currently processing in nonstandard format.
question
Health Care Provider
answer
A person or entity who is trained and licensed to give, bill, and be paid for health care services, and performs electronic transactions in the process of doing so.
question
Health Plan
answer
An insurance plan that provides or pays the cost of medical care.
question
HIPAA Security Officer
answer
A formally designated person in the organization who is responsible for guiding HIPAA compliance and maintenance.
question
Hybrid Covered Entities
answer
Companies who provide both health care and non-health care related services, and are entitled to separate those business processes, if they wish, so that not all of their transactions and records fall under Privacy Rule regulations.
question
Implementation Specifications
answer
Detailed instructions for adopting a particular security rule standard.
question
Indirect Treatment
answer
Situations in which treatment is given or services are performed for the benefit of the patient, but under the control of another primary Provider.
question
Information Access Control
answer
Creating and documenting who has the right to see, use, and transmit PHI, and how you keep all others from gaining access.
question
Integrity
answer
The trustworthiness of information resources. This includes data integrity (that the PHI has not been changed) and source integrity (that the data originated where you thought it had) and the data has been transmitted and preserved without corruption.
question
Marketing
answer
Defined in the Privacy Rule as a communication about a product or service that encourages the recipients of the communication to purchase the product or service.
question
"Minimum Necessary" Standard
answer
The gauge by which covered entities evaluate how much PHI to disclose in circumstances where they have some leeway.
question
Non-Routine Disclosure
answer
Releasing Protected Health Information (PHI) in special situations which are listed as allowable by the Privacy Rule. These need to be tracked in an accounting of disclosures.
question
Notice of Privacy Practices
answer
A form to be given to patients or customers by a covered entity which clearly states how the organization addresses HIPAA regulations.
question
OCR
answer
Office for Civil Rights
question
OHCA
answer
An Organized Health Care Arrangement, which is a group that is entitled to agree in a collective way as to how they handle and share PHI among themselves and provide a joint Notice of Privacy Practices to their patients.
question
Oral PHI
answer
Spoken communications which include Patient Health Information and which must be protected under the Privacy Rule.
question
Participant
answer
An employee or former employee who is or may be eligible to receive a benefit of any type from an employee benefit plan, or whose beneficiaries may be eligible to receive any of the benefits.
question
Patient Rights
answer
A list of rights granted to the individual by the Privacy Rule to give patients access to and control of their own medical records
question
Payer
answer
In health care, an entity that assumes the risk of paying for medical treatments. This can be an uninsured patient, a self-insured employer, a health plan, or an HMO.
question
Personal Representative
answer
Someone who is legally entitled to act on the behalf of a patient who cannot represent himself.
question
PHI
answer
Protected Health Information, which consists of items within a medical record which could be used to link it to an individual patient.
question
Physical Safeguards
answer
A series of Security Rule requirements which are meant to protect a covered entity's electronic information systems from unauthorized physical access to PHI.
question
PII
answer
Patient Identifiable Information such as name, address, phone number, social security number, etc., which can isolate exactly which individual has received or been billed for health care treatment.
question
Privacy Rule
answer
Health care legislation that set national standards for the protection of certain patient information
question
Probability
answer
The likelihood that a risk event will happen.
question
Psychotherapy Notes
answer
The official record created by a mental health professional in a therapy session, which is specifically separated from the rest of the medical record under the Privacy Rule regulations.
question
"Reasonable and Appropriate"
answer
This is the phrase covered entities can use to determine if their HIPAA compliance initiatives are appropriate for their size and type of organization.
question
"Reasonable Reliance"
answer
A Privacy Rule term allowing covered entities to provide PHI to certain sources, knowing they can rely on the judgment of the requester to only ask for the "minimum necessary."
question
"Required"
answer
Mandatory Security Rule implementation specifications which must be implemented by all covered entities for HIPAA compliance.
question
Risk Analysis
answer
A written comparison of the differences between your organization's policies and the way you do business and the Implementation Specifications outlined in the Security Rule.
question
Routine Disclosure
answer
Using PHI for the acceptable purposes outlined in the Privacy Rule.
question
Sanctions
answer
Corporate punishments for employees for unlawful disclosure of PHI.
question
Security Rule
answer
Health care legislation to set national standards for the security of electronic health care information.
question
Small Health Plan
answer
A health plan with annual receipts of $5 million or less.
question
Staff Training
answer
Educating current and future employees on all aspects of HIPAA compliance, including Privacy and Security.
question
Standards
answer
A set of guidelines by which organizations can judge their attempts to make their electronic systems secure.
question
Using PHI
answer
Routine, legal circulation of PHI for treatment, payment, or health care operations.
question
Workstation Security
answer
Configuring equipment so that only the employees who have clearance to use it in the administration of their daily work can access PHI.
question
Workstation Use
answer
Setting out clear, written guidelines for each piece of equipment that can access PHI and what level of access is allowed on that equipment.
question
Title 2 of the HIPAA Legislation deals with: A. Revenue Offsets. B. Tax-Related Health Provisions C. Preventing Health Care fraud and abuse; Administrative Simplification, and Medical Liability reform. D. Health care access, portability, and renewability. E. Application and Enforcement of group health plan requirements.
answer
C
question
Which of the following statements about HIPAA health care transaction flow is FALSE? A. Providers can initiate bills in various formats. B. Health care clearinghouses can translate bills into electronic formats acceptable to health plans. C. All electronic formats should be compatible. D. HIPAA requires that all providers, payers, and health care clearinghouses comply with the new transaction standards. E. Health plans cannot reject bills on the grounds of their format if they comply with HIPAA standards.
answer
D
question
Which of the following statements about the intent of HIPAA legislation is TRUE? A. Although the initial investment in compliance could be sizable, ultimately there could be considerable savings from streamlined business processes. B. Although paper forms were cheaper, the intent was to eliminate them completely. C. By moving to electronic formats to capture, store, and exchange patient data, patient privacy would be guaranteed. D. Small Providers were to be grandfathered, and not required to comply to electronic formats. E. Streamlining processes would save money by eliminating the need to use third-party clearinghouses.
answer
A
question
Health Care Providers might include: A. hospitals, family practitioners, insurance companies, drug plans, orthodontists. B. physicians, health plans, employers, physical therapists. C. Physicians, clinics, health care clearinghouses, pharmacies, acupuncturists. D. Medical device companies, insurance supplements, physicians, multi-level health organizations E. Laboratories, dentists, psychiatrists, hospitals, pharmacies
answer
E
question
A Business Associate contract should include verbiage stating that the business associate assumes the responsibility to safeguard the information from misuse. The other two vital inclusions are that the business associate must: A. Use PHI only for treatment, payment, or healthcare operations (TPO) and comply with the covered entity's obligation to allow its use for limited disclosures. B. Use PHI only for the purpose for which it was shared by the covered entity and comply with the covered entity's obligation to provide individuals with access to their health information and a history of certain disclosures. C. Be sure the covered entity is in compliance with the electronic transmission standards and use PHI only for the purpose for which it was shared. D. Be sure that all health care clearinghouses are business associates and using PHI for TPO purposes. E. Comply with the covered entity's obligation to provide individuals with access to their health information and a history of certain disclosures and accept all electronically transmitted information.
answer
B
question
The original largest criminal penalty fine is: A. $250 B. $250,000 C. $25,000 D. $25 E. $2.50
answer
B
question
Which statement about business associates is TRUE prior to the HITECH Act? A. They are not covered entities and have no threat of civil penalties levied by HHS resulting from non-compliance to HIPAA standards. However, they are held accountable based on BACs. B. They are covered entities and have the same threat of civil and criminal penalties as any other covered entity from non-compliance to HIPAA standards. C. They are protected from civil litigation through their signed business associate contracts with covered entities. D. They are short-lived entities that will be driven from the marketplace by the new HIPAA standards. E. They cannot legally be monitored by HHS or by the covered entity that employs them.
answer
A
question
When state and federal laws conflict, the best practice is to: A. Follow the federal laws, as they override state laws. B. Follow the state laws, as they override federal laws. C. Follow the county laws, as they override state and federal laws. D. Follow the HIPAA laws, as they override all other laws. E. Follow the stricter of the two standards to be safe.
answer
E
question
Which statement is TRUE regarding the compliance date of the Privacy Rule? A. The original privacy rule compliance date has passed, but the revised privacy rule date has not yet come. B. All of the compliance dates have passed and every type of covered entity should be actively involved in implementation if they are not already compliant. C. Compliance dates for all covered entities except small health plans have passed. D. Since not all portions of the original HIPAA legislation standards are complete, there has been a 2 year extension on compliance. E. The deadline for privacy rule compliance is April 21, 2006.
answer
B
question
Which of the following is NOT a purpose of HIPAA? A. To promote the use of medical savings accounts. B. To simplify the administration of health insurance. C. To improve access to long-term care services and coverage. D. To eliminate the use of paper record keeping. E. To improve portability and continuity of health insurance coverage in the group and individual markets.
answer
D
question
Which statement about electronic transaction flow is FALSE? A. A provider may continue to prepare a bill in a non-HIPAA compliant format. B. A health plan receiving a paper transaction may reject the claim because it does not allow paper submissions. C. A health plan receiving an electronic transaction using HIPAA standards must accept that submission. D. A health plan receiving an electronic transaction using HIPAA standards must pay that bill. E. Currently, health plans may reject submissions sent in incompatible formats.
answer
D
question
Which of the following is NOT a potential cost which may be incurred during compliance implementation? A. Incurring telecommunication expansion costs. B. Training IT staff on new programming languages. C. Reducing paper document and addendum postal costs. D. Changing business practices and retraining staff to accommodate electronic documents and attachments. E. Software and server upgrades to maintain electronic records.
answer
C
question
Which of the following is NOT a valid part of a test to determine if a company should be considered a business associate? A. Do they use treatment, payment, or healthcare operations (TPO) as a part of their job description? B. They have a BA in place. C. Do they use PHI as a part of their job description? D. Are they performing a covered function on our behalf? E. Are they a member of our workforce?
answer
A
question
Patient Safety Organizations and Health Information Exchanges: A. Have to also comply with the Payment Care Industry (PCI) regulations under the final rule. B. Are categorized as Business Associates under the final rule. C. Are subcontractors of BA D. Are not included in the Final Rule E. All of the above.
answer
B
question
PHI stands for: A. Personal Health Information B. Patient Health Identifier C. Protected Health Information D. Provider Health Identity. E. Private Health Identification
answer
C
question
Which of the following statements regarding the privacy rule is TRUE? A. Only patient care information should be protected from disclosure. B. All government agencies are allowed to access electronic PHI. C. All individually Identifiable Health information must be kept from Routine disclosure. D. All PHI in paper, oral, and electronic formats must be protected. E. PHI for research can be shared within one corporate entity, but not disclosed outside the network.
answer
D
question
Which statement most correctly defines de-identified information? A. Information from which all patient identifiable information has been removed. B. Information which is to be protected in paper and electronic formats only. C. Information which has been coded for research purposes, and therefore can be disclosed. D. Information which can be used in routine disclosures to other covered entities. E. Information from which the patient's name and address have been removed.
answer
A
question
Which statement about limited data sets is FALSE? A. Limited data sets released between government agencies must sign a memorandum of understanding before information is released. B. Limited data sets have a specific list of obvious identifiers removed, but not all need to be removed. C. A limited data set agreement must be in place before information is released. D. A limited data set can be used for research, public health, and health care operations. E. A re-identification code is used to allow the researcher to contact subjects if their health is at stake.
answer
E
question
Which of the following is NOT an allowable use of PHI? A. Supplying PHI to the hospital billing department for insurance purposes. B. Supplying PHI to a court when receiving legal request documents. C. Supplying PHI to a patient's doctor who is not a surgeon. D. Storing PHI in a hospital database after the patient has been released. E. Sending PHI to the X-Ray department of the hospital along with the patient escort.
answer
B
question
Which of the following is NOT disclosure of PHI? A. Sending a new doctor the patient's past medical records. B. Sending a retail pharmacy a patient's prescription. C. Sending PHI to the hospital scheduling team, who are not physicians. D. Supplying PHI to a Judge who sends legal request documents. E. Sending PHI to the patient's health plan for payment purposes.
answer
C
question
Which statement regarding covered entities' authorized use of PHI as routine disclosure is FALSE? A. Can be used for training medical staff, quality control, and for accreditation application purposes. B. Can be used for training administrative staff, purposes of limited marketing, and for submitting insurance claims. C. Can be used for treatment of insured patients, payment for services, and organizationally beneficial use. D. Can be used for traditional medical services, requesting health plan payments, and storing patient records. E. Can be used for treatment of patients, payment for services, and health care operations use.
answer
C
question
Which of the following are the four main types of disclosures? A. Incidental, emergency, legal, and third-party. B. Non-routine, third-party, insurance, and operations. C. Hospital, pharmacy, laboratory, and physician. D. Routine, non-routine, incidental, and mandatory. E. Limited, allowable, authorized, mandatory.
answer
D
question
Which of the following is NOT a provision from the patient rights? A. If you believe your rights are being denied or your health information isn't being protected, you can file a complaint with your provider, health insurer, or with the government. B. You may decide if you want to give your permission before your health information may be used or shared for certain purposes, such as marketing. C. You may ask to see and get a copy of your health records. D. You may have amendments added to your health information. E. You may ask for a report every time your health information is shared.
answer
E
question
Which of the following statements about consent forms is FALSE? A. The final privacy rule states that getting consent for TPO is optional. B. Best practices suggest that you should get written consent for all uses and disclosures of PHI C. If you get written consent for TPO, you are opening your organization to unnecessary legal liabilities. D. Some uses and disclosures, other than TPO, may require patient consent forms be signed due to other state or Federal Laws. E. If you get written consent for TPO, the patient also has the right to revoke these privileges.
answer
B
question
Alerting your patients/customers as to how you are addressing HIPAA regulations in your place of business is called a: A. Notice of privacy practices. B. Accounting of disclosures. C. Authorization for release of PHI. D. Patient authorization form. E. Consent to release PHI.
answer
A
question
Which of the following is NOT a good guideline to follow in communicating privacy practices to your patients/customers? A. Display the complaint process information on your document. B. Display the individual's rights on your document. C. Use alternate languages and methods in addition to English. D. Display specific wording stating your right to change privacy practices in the future. E. Omit specific wording for activities from the list for activities which you may wish to add in the future.
answer
E
question
Which statement is CORRECT regarding the responsibilities of alerting patients/customers to privacy practices? A. Web-based companies are exempt from the delivery of HIPAA privacy information. B. Corporations who have both a brick and mortar and an internet presence only need to alert patients/customers to privacy practices in one location. C. Organized Health Care Arrangements must see that each participant in the group gives a patient/customer mandated privacy information. D. Electronic companies are not free from the directive to provide notice of privacy practices to customers. E. Automated emails with privacy practices sent to new registrants to a web site constitute illegal marketing and violate the privacy rule.
answer
D
question
Business Associates: A. Are not included in the final rule. B. Must follow GINA guidelines due to the final rule. C. Are not required to use BAAs. D. Will not be required to comply until September 26, 2015. E. Include the banking and mortgage companies.
answer
B
question
Which of these are kept separated from the rest of an individual's medical record? A. Minor child treatment. B. Caregiver treatment. C. Psychotherapy notes. D. Abuse notes. E. Personal representative comments.
answer
C
question
Fair Debt Collection Practices for BAs means: A. Information received from one covered entity cannot be used to collect for another covered entity because of the BAC. B. Information received by a collection agency cannot be used to collect health care debt. C. Information can be used by a third party collection agency only for TPO. D. Third party collection agencies may not receive PHI. E. Non-covered entities and covered entities may not share a collection agency in order to protect PHI.
answer
A
question
The purpose of HIPAA transactions and code set standards is to: A. Increase health plan profits by reducing health care profits. B. Allow the transfer of insurance plans from job to job. C. Eliminate the use of paper medical records. D. Protect the transportability of the individual's private treatment. E. Simplify the processes and decrease the costs associated with health care services.
answer
E
question
Electronic transaction codes are three digit numbers which tell the receiver: A. Which kinds of services can be covered by the health plan and how the data elements can be formatted. B. What kinds of information the data content will contain and the reason it is being sent. C. What kinds of formats this data can be stored in and which entity should receive it. D. Which entity should initiate this type of transaction and what treatments it covers. E. Who can create additional code sets in this pre-defined pattern and how to record them.
answer
B
question
Another set of two-digit codes, POS codes, show: A. The type of physician who sent the statement, such as a family doctor, dentist, or chiropractor. B. The type of patient who received the service, such as an outpatient, an emergency room, or a psychiatric patient. C. The type of place in which the service was provided, such as a school, office, or home. D. The type of privacy which must be provided, such as paper, oral, or electronic. E. The type of procedure performed, such as acupuncture, laboratory test, or inpatient exam.
answer
C
question
Typhoid fever, bubonic plague, and mumps meningitis are examples of four or five digit codes called: A. Diagnostic and procedure codes found in the International Classification of Diseases, Ninth Revision, Clinical Modification (ICD-9-CM). B. Diagnostic and practices codes found in the International Classification of Diseases, Ninth Revision, Clinical Modification. C. Detail and prevention classes found in the CMS third edition. D. Which identity should initiate this type of transaction and what treatments it covers. E. Who can create additional code sets in this pre-defined pattern and how to record them.
answer
A
question
Which of the following are found in a "transaction set"? A. Inside address, salutation, body, closing B. Segment, data, code, envelope C. header, greeting, content, footer D. header, code, data content, trailer E. Transaction code, sender, data element, recipient.
answer
D
question
ANSI ASC X12N standards are used for all transactions except: A. NPI for national transactions B. NCPDP for retail pharmacy transactions C. EIN for employer transactions D. NDC for non-retail transactions E. PII for provider interaction transactions.
answer
B
question
Which of the following statements about NPI is TRUE? A. NPI is an 8-digit number with a check digit in the last position to help detect keying errors. B. National Provider Identifier numbers are applied for through CMS. C. After May 23, 2010, all health care providers will need the new number to send transactions to other health care groups. D. Third party clearinghouses cannot construct programs to translate UPINs to NPIs. E. All providers using NPI will make billing and payments easier and more accurate.
answer
E
question
Which of the following is NOT a task assigned to the NPI Enumerator? A. Process physician NPI number applications. B. Give out NPI numbers. C. Monitor NPI compliance. D. Operate a customer support center. E. Manage support operations.
answer
C
question
Which of the following did HHS adopt to be the NEI (National Employer Identifier)? A. EIN B. NPI C. HPID D. NHI E. DIN
answer
A
question
Which statement about the NHI (National Health Identifier for Individuals) is TRUE? A. The NHI was to bring together all medical records for a single name. B. The monetary savings to be gained with NHI use overshadows concerns about misuse. C. A common denominator for continuity of care and record keeping would be of limited value to health care entities. D. The NHI has been suspended indefinitely, due to privacy violation concerns. E. The compliance date for NHI is May 17, 2011.
answer
D
question
Your organization needs to comply with the HIPAA Transaction Standards and Code Sets if: A. Your company is a health plan or provider who receives the transaction AND the secretary of HHS has exempted this transaction code. B. Your company is a covered entity, initiates the transaction, AND the secretary of HHS has devised a standard for the type of transaction you are transmitting. C. Your company receives electronic data and passes it on to other government agencies. D. The secretary of CMS has devised a standard for the type of transaction you are transmitting, and the organization who receives it is a covered entity or a business associate. E. Your organization uses only paper records, but sends them to covered entities and business associates AND the secretary of NCHS has devised a standard for the type of transaction you are transmitting.
answer
B
question
What are the three classifications that are included in the term "covered entity"? A. Doctors, dentists, and psychiatrists B. health care laboratories, insurance plans, and employers C. third party clearing houses, supplemental insurance and business associates D. Business associates, large hospital chains, and emergency facilities E. Health care providers, health plans, and health care clearinghouses.
answer
E
question
Which of the following would be the most likely to need to comply with HIPAA requirements? A. A cosmetic surgeon whose clients do not file insurance claims. B. A retail chain that enrolls its own employees in an insurance plan. C. An oncologist who works for a health care hospital chain. D. A small town doctor who only accepts cash. E. A company manufacturing a health related product.
answer
C
question
Which of the following is NOT a legitimate coding list: A. CMS for clinical nurse specialists B. NDC for Retail prescription drugs C. CDT for Dentist Office Services D. CPT for physician's office services E. HCPCS for other services
answer
A
question
Which statement regarding the national provider file database is FALSE? A. A holder of an NPI has a 30 day window to send in a data update after any changes occur to the database information they originally submitted. B. The database is created and maintained by the department of health and human services. C. Application and update information sent to the enumerator is added to the database. D. As of February 2006, more than 216000 individuals and organizations had applied for an NPI. E. Fox Systems, now Cognosante LLC, is responsible for assigning, creating, and maintaining the NPI numbers in NPPES.
answer
B
question
The four parts of the "HIPAA puzzle" are: A. Electronic transactions, PHI, oral transactions, and paper transactions. B. Transaction and code sets, identifiers, the privacy rule, and security rule. C. Transaction and code sets, national drug codes, Dental codes, and place of service codes. D. HIPAA, NPI, National Provider database, and ANSII E. Privacy rule, security rule, standards and implementation specifications.
answer
B
question
Which answer shows the relationship between implementation specifications, safeguards, and standards? A. Standards make up safeguards which are the same thing as Implementation Specifications. B. Safeguards are implementation specifications which make up standards. C. Complete safeguards to meet implementation specifications, then you will comply with standards. D. Meeting standards is done by installing safeguards, and ultimately fulfilling implementation specifications E. Safeguards are composed of standards, which are reached by complying with implementation specifications.
answer
E
question
Due to the wide range of size and organizational complexities of the groups who need to comply with security rules, implementation specifications are divided into two categories: A. Required or addressable B. mandatory or required. C. scalable or addressable. D. reasonable or scalable E. Mandatory or appropriate.
answer
A
question
The three security rule safeguards form the acronym APT, which means: A. Appropriate, physical, and timely. B. Addressable, personal, and technical. C. Appropriate, private, and treatable. D. Administrative, Physical, and Technical. E. Active, Pro-Active, and Timely.
answer
D
question
The security rule is a business plan to secure your: A. staff, organization, and management B. electronic PHI C. Infrastructure D. Network E. Organization
answer
B
question
Which of the following is of the LEAST importance in a list of ways to ensure confidentiality? A. Limiting permissions to obtain information to a need-to-know basis. B. Putting reliable authentication methods into place to identify system users. C. Using access control mechanisms to automatically control each employee's use of medical data. D. Holding computer software training classes to be sure users know how to take advantage of the entire user features to do their daily work. E. Allowing disclosure privileges only to users with the training and authority to make wise, HIPAA compliant decisions.
answer
D
question
Which is the BEST definition of integrity? A. Integrity refers to the origin of information and means assuring that the information did not come from an imposter, and that the person or business that sent it encrypted it securely. B. Integrity means that data could have been altered or destroyed in an unauthorized way, either deliberately or by accident. C. Data with integrity is data which has been stored securely in an electronic format and with the code sets mandated by HIPAA. D. Integrity refers to the trustworthiness of information records that they came from the source we think and that the data has not been changed inappropriately. E. Data integrity means that the appropriate backup has been provided to reconstruct the information in the event of a security threat, hazard, or natural disaster.
answer
D
question
Which of the following situations would ordinarily NOT affect the availability of PHI? A. Unavoidable natural phenomena such as hurricanes, flooding, or fires. B. Keeping non-computerized files. C. Malfunctioning computer parts. D. Internet Service Provider problems. E. Interruption of electrical services due to power outages.
answer
B
question
Which statement about a HIPAA security officer is TRUE? A. Once you have chosen a HIPAA security officer, you are now compliant with the administrative safeguards of the security act. B. HIPAA suggests that you name a HIPAA security officer, if you want, and the earlier this person is hired the better. C. The HIPAA security officer is a dedicated information technology professional whose entire job will be centered on protecting PHI. D. Organizations who outsource their computer processing will not need to select a HIPAA security officer. E. HIPAA regulations require that you name a HIPAA security officer to oversee and enforce HIPAA.
answer
E
question
Three important administrative safeguard areas are: A. Written Documents, Written Procedures, and Backup Files. B. Disaster Recovery plan, inventoried, PHI, and electronic medical records. C. Contingency planning, information access management and staff training. D. Computer inventory, virus protection, and password protection. E. Controlling access to PHI, safeguard training, and contingency planning.
answer
C
question
Which statement BEST describes strong passwords? A. Eight or more upper and lower case characters, numbers, and symbols. B. Six or more lower case characters alternating with symbols and icons. C. Six to seven single digit numbers, foreign characters, and punctuation marks. D. Eight or fewer upper case characters, initials, and employee ID. E. Fifteen or more smart keys, upper and lower case letters, and number signs.
answer
A
question
Which of the following sentences about termination procedures is FALSE? A. An often overlooked security area is how a company handles employees who are terminated, fired, or who leave the company. B. A process should be in place to notify the appropriate information technology administrator when a person's employment status changes. C. Immediately upon termination, all network and PC access for that employee should be terminated. D. Prior employee user IDs and passwords should be used for no longer than 72 hours, to balance continuity with security concerns. E. The HIPAA security officer should work together with other company managers to create, update, and spread the word on termination procedures.
answer
D
question
Which of the following are all physical safeguards? A. encryption, decryption, and public keys. B. Workstation use, device and media control, and facility access control. C. Passwords, oral records, and workstation security. D. Data layers, network layers, and application layers. E. Access Control, audit control, and authentication
answer
B
question
Which of the following statements about media disposal is FALSE? A. The only totally safe way to dispose of computers which have contained EPHI is to destroy the hard drive. B. Businesses can recoup some of their initial investment by reselling retired computers. C. Erasing all data from a hard drive by reformatting it can still leave retrievable, recoverable information on it. D. A bulk eraser, or degausser, will remove the data but may physically ruin the hard drive. E. It is necessary to protect PHI throughout the process of when a covered entity sells the equipment.
answer
A
question
Accountability is an implementation specification under: A. Technical safeguard B. Administrative safeguards C. Physical Safeguard D. Privacy Rule E. Risk Analysis
answer
C