RHIT - Registered Health Information Technician HIPAA Privacy and Security Questions and Answers

Question 1

A hospital discovers that an unencrypted laptop containing the protected health information (PHI) of 600 patients was stolen. After a risk assessment, it is determined there is a significant risk of harm to the individuals. According to the HIPAA Breach Notification Rule, which of the following actions is required?

Accepted Answer

Notify the affected individuals without unreasonable delay, notify the Secretary of HHS, and notify prominent media outlets.

Answer

For breaches affecting 500 or more individuals, HIPAA requires the covered entity to notify the affected individuals without unreasonable delay (and no later than 60 days), the Secretary of HHS without unreasonable delay, and prominent media outlets serving the state or jurisdiction.

Question 2

A health information technician is creating a new user account for a recently hired coder. The technician grants the coder access to view patient records, assign codes, and query physicians, but restricts access to financial and billing systems. This practice is an example of which HIPAA Security Rule concept?

Accepted Answer

Role-based access control (RBAC)

Answer

Role-based access control (RBAC) is an access control method where permissions are assigned based on a user's job function. This aligns with the HIPAA 'minimum necessary' standard, which requires that access to PHI is limited to only what is needed to perform a specific job.

Question 3

A patient submits a formal written request for a copy of their medical records on March 1st. Under the HIPAA Privacy Rule's right of access, what is the latest date by which the covered entity must provide the records or a written explanation for a delay?

Accepted Answer

March 31st

Answer

The HIPAA Privacy Rule requires covered entities to act on an individual's request for access to their PHI no later than 30 calendar days after the receipt of the request. A one-time 30-day extension is permissible if the entity provides the individual with a written statement of the reasons for the delay within the initial 30-day period.

Question 4

Which of the following activities is considered a healthcare 'operation' under HIPAA, allowing for the use and disclosure of PHI without patient authorization?

Accepted Answer

Conducting internal quality assessment and improvement activities

Answer

Healthcare operations are administrative, financial, legal, and quality improvement activities of a covered entity necessary to run its business. Quality assessment and improvement are explicitly listed as healthcare operations under HIPAA, for which separate patient authorization is not required. The other options typically require specific patient authorization.

Question 5

Which of the following is an example of a TECHNICAL safeguard required by the HIPAA Security Rule?

Accepted Answer

Using unique user IDs and automatic log-off procedures for computer systems.

Answer

Technical safeguards are the technology and related policies used to protect and control access to ePHI. Unique user IDs, access controls, and automatic log-offs are technology-based measures. Security training and workstation use policies are administrative safeguards, while positioning monitors is a physical safeguard.

RHIT - Registered Health Information Technician Practice Test

RHIT - Registered Health Information Technician Practice Test

RHIT - Registered Health Information Technician HIPAA Privacy and Security Questions and Answers