Deck 1: Certified HIPAA Professional (CHP)

A) Effective date
B) CPT-4
C) CDT
D) ICD-9-CM
E) Enrollment date

A) A covered entity must use the applicable code set that is valid at the time the transaction is initiated.
B) April 14, 2003 is the compliance date for implementation of the National Provider Identifier.
C) CMS is responsible for updating the CPT-4 code sets.
D) An organization that assigns NPIs is referred to as National Provider for Identifiers.
E) HHS assigns the Employer Identification Number (EIN), which has been selected as the National Provider Identifier for Health Care.

A) Contingency Plan
B) Evaluation
C) Security Management Procedures
D) Facility Access Control
E) Security Incident Procedures

A) Security Incident Procedures
B) Assigned Security Responsibility
C) Security Management Process
D) Access Control
E) Facility Access Control

A) A covered entity must mitigate, to the extent practicable, any harmful effect that it becomes aware of from the use or disclosure of PHI in violation of its policies and procedures or HIPAA regulations.
B) A covered must not in any way intimidate, retaliate, or discriminate against any individual or other entity, which tiles a compliant.
C) A covered entity may not require individuals to waive their rights as a condition for treatments payment, enrollment in a health plan, or eligibility for benefits.
D) A covered entity must retain the documents required by the regulations for a period of six years.
E) A covered entity must change its policies and procedures to comply with HIPAA regulations no later than three years after the change in law.

A) ICD-9-CM. Volumes 1 and 2
B) CPT-4
C) CDT
D) ICD-9-CM, Volume 3
E) HCPCS

A) Security incident Procedures
B) Integrity
C) Person or Entity Authentication
D) Assigned Security Responsibility
E) Business Associate Contracts and other Arrangements

A) Security rule.
B) Privacy rule.
C) Covered entity rule.
D) Electronic Transactions and Code Sets rule.
E) Electronic Signature Rule

A) Audit Control
B) integrity
C) Access Control
D) Person or Entity Authentication
E) Transmission Security

A) lCD-SCM, Volumes 1 and 2
B) CPT-4
C) CDT
D) lCD-SCM, Volume 3
E) NDC

A) The CPT-4 code set is maintained by the American Medical Association (AMA).
B) A covered entity must use the applicable medical code set that is valid at the time the health care is delivered.
C) The National Provider Identifier (NPI) will be assigned by the National Provider System (NPS).
D) The Centers for Medicare and Medicaid Services is responsible for updating the HCPCS code set.
E) The National Provider Identifier (NPI) will be assigned to health plans.

A) 270.
B) 820.
C) 837.
D) 277.
E) 278.

A) Access Control
B) Security Incident Procedures
C) information Access Management
D) Workforce Security
E) Security Management Process

A) Covered entities must reasonably safeguard PHI, including oral communications, from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule.
B) Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of de-Identified data.
C) Covered entities are prohibited from marketing through oral communications.
D) The Privacy Rule requires covered entities to document any information, including oral communications, which is used or disclosed for TPO purposes.
E) The Privacy Rule will often require major structural changes, such as soundproof rooms and encryption of telephone systems, to provide the "reasonable safeguards" of oral communications required by the regulations.

A) Must obtain the signature of the patient before disclosing PHI to another provider.
B) Must contact a relative of the patient before disclosing PHI to another provider.
C) May use their best judgment in order to provide appropriate treatment.
D) May use PHI but may not disclose it to another provider
E) Must inform the patient about the Notice of Privacy Practices before delivering treatment.

A) National Provider Identifier (NPI)
B) Social Security Number (SSN)
C) National Health Plan Identifier (PlanID)
D) National Employer Identifier for Health Care (EIN)
E) National Health Identifier for Individuals (NI-UI)

A) Country of birth
B) Telephone number
C) Information on past 3 employers
D) Patient credit reports
E) Smart card-based digital signatures

A) Termination Procedures
B) Automatic Logoff
C) Emergency Access Procedure
D) Contingency Operations
E) Response and Reporting

A) Technology specific
B) State of the art
C) Non-Comprehensive
D) Revolutionary
E) Scalable

A) Report to the covered entity any security incident of which it becomes aware.
B) Ensure the complete safety of all electronic protected health information.
C) Compensate the covered entity for penalties incurred because of the business associate's security incidents.
D) Register as a business associate with HHS.
E) Submit to periodic audits by HHS of critical systems containing electronic protected health information.

A) Annual Audits
B) Claims Management
C) Salary disbursement to the workforce having direct treatment relationships.
D) Life Insurance underwriting
E) Cash given to the pharmacist for the purchase of an over-the-counter drug medicine

A) Transmitted to a business associate for payment purposes only.
B) Stored on a smart card only by the patient.
C) Created or received by a credit company that provided a personal loan for surgical procedures.
D) Created or received by a health care clearinghouse for claim processing.
E) Requires the use of biometrics for access to records.

A) A covered entity must apply disciplinary sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity.
B) A covered entity need not train all members of its workforce whose functions are materially affected by a change in policy or procedure.
C) A covered entity must designate, and document, a contact person responsible for receiving acknowledgements of Notice of Privacy Practice.
D) A covered entity may require individuals to waive their rights.
E) A covered entity must provide maximum safeguards for PHI from any intentional or unintentional use or disclosure that is in violation of the regulations and to limit incidental uses and disclosures made pursuant to permitted or required use or disclosure.

A) Risk Analysis
B) Access Control and Validation Procedures
C) Integrity Controls
D) Access Authorization
E) Termination Procedures

A) Security incident Procedures
B) Response and Reporting
C) Assigned Security Responsibility
D) Termination Procedures
E) Facility Access Controls

A) As a response to a health care claim status request.
B) As a health care claim payment advice.
C) Electronic funds transfer.
D) As a request for health care claims status.
E) Request for the psychotherapy notes of a patient.

A) $50O0 in fines.
B) $5000 in fines and six months in prison.
C) An annual cap of $5000 in fines.
D) A fine of up to $50000 if they wrongfully disclose PHI.
E) Six months in prison.

A) Optionally, they might develop a mechanism of accounting for all disclosures of PHI for purposes other than TPO.
B) They must redesign their offices, workspaces, and storage systems to afford maximum protection to PHI from intentional and unintentional use and disclosure.
C) They must develop methods for disclosing only the minimum amount of protected information necessary to accomplish any intended purpose.
D) They must obtain a "top secret" security clearance for all member of their workforce.
E) They must identify business associates that need to use PHI to accomplish their function and develop authorization forms to allow PHI to be shared with these business associates.

A) Loop
B) Enumerator
C) Identifier
D) Data segment
E) Code set

A) Eligibility (2701271)
B) Premium Payment (2O)
C) Unsolicited Claim Status (277)
D) Remittance Advice (35)
E) Functional Acknowledgment (997)

A) ICD-9-CM, Volumes 1 and 2
B) CPT-4
C) CDT
D) ICD-9-CM, Volume 3
E) NDC

A) lcD-9-cM, Volumes 1 and 2
B) CPT-4
C) CDT
D) ICD-9-CM, Volume 3
E) HCPCS

A) Provide the individual with a Notice of Privacy Practices that describes the use of PHI.
B) Obtain a written authorization for each and every TPO event.
C) Obtain a written authorization for any disclosure or use of PHI other than for the purposes of TPO.
D) Provide access to the PHI that it maintains to the individual and make reasonable efforts to correct possible errors when requested by the individual.
E) Establish procedures to receive complaints relating to the handling of PHI.

A) The authorization has been revoked by the physician
B) The patient remains a citizen of the United States
C) The information is under the control of HHS
D) The information is in the possession of a covered entity
E) The information is not also available on paper forms

A) Access control
B) Security Management Process
C) Facility Access Controls
D) Workstation Use
E) Device and Media Controls

A) Creation and modification of health information during and after an emergency.
B) Integrity of health information during and after an emergency.
C) Accountability of health information during and after an emergency.
D) Vulnerability of health information during and after an emergency.
E) Non-repudiation of the entity.

A) Requires PKI for the provider and the patient.
B) Is electronically stored information about an individual's lifetime health status and health care.
C) Is another name for an HMO.
D) Identifies all non-profit organizations.
E) Is a person or an entity that on behalf of the covered entity performs or assists in the performance of a function or activity involving the use or disclosure of health-related information.

A) No - This would be considered an allowed "routine disclosure between the doctor and his business partner.
B) Yes - There is no exception to the requirement for an authorization prior to disclosure, no matter how well intentioned or documented.
C) Yes - a delivery service is not considered a covered entity.
D) Yes - to be a "routine disclosure" all the parties must have their own Privacy Officer as mandated by l-IIPAA.
E) Yes - this is not considered a part of "treatment", which is one of the valid exceptions to the Privacy Rule.

A) Security Management Process
B) Device and Media Controls
C) information Access Management
D) Facility Access Controls
E) Workstation Security

A) A list of authorized entities, together with their access rights.
B) Corroborating your identity
C) The prevention of an unauthorized use of a resource.
D) Proving that nothing regarding your identity has been altered.
E) Being unable to deny you took part in a transaction.

A) Establish a business partner relationship with the other provider.
B) Obtain a signed authorization from the patient to cover the disclosure.
C) Make a copy of the signed Notice available to the other provider
D) Obtain the patients signature on the second providers Notice of Privacy Practices.
E) Do nothing more - the Notice of Privacy Practices covers treatment activities.

A) Eligibility (270/271).
B) Premium Payment (820).
C) Unsolicited Claim Status (277).
D) Remittance Advice (835).
E) Functional Acknowledgment (997).

A) Security Awareness and Training
B) Security Management Process
C) Access Control
D) Assigned Security Responsibility
E) Security incident Procedures

A) NPF
B) NPS
C) CDT
D) ICD-9-CM, Volume 3
E) UPIN

A) The date on which any automatic extension occurs.
B) Covered entity's signature.
C) A statement that federal privacy laws still protect the information after it is disclosed.
D) A statement that the individual has no right to revoke the authorization.
E) The date signed.

A) Verbally request a consent and offer a copy of the Notice of Privacy Practices.
B) Verbally request specific authorization for the PHI.
C) Do nothing more.
D) Obtain the signature of the patient on their Notice of Privacy Practices.
E) Not respond to the request without an authorization from the primary physician.

A) 277
B) 276
C) 271
D) 820
E) 270

A) Premium Payment.
B) Health Care Claim.
C) First Report of Injury.
D) Health Plan Enrollment and Dis-enrollment.
E) Coordination of Benefits.

A) Contingency Plan
B) Facility Security Plan
C) Emergency Mode Operation Plan
D) Accountability
E) Device and Media Controls

A) P1<1 requirements for hospitals and health care providers.
B) Encryption algorithms that must be supported by hospitals and health care providers.
C) Fraud and abuse in the health care system and ways to eliminate the same.
D) Guaranteed health insurance coverage to workers and their families when they change employers.
E) The use of strong authentication technology that must be supported by hospitals and health care providers.

A) Eligibility (270/271)
B) Premium Payment (B20)
C) Claim Status Notification (277)
D) Remittance Advice (35)
E) Functional Acknowledgment (997)

A) Is required for all Business Associate Contracts
B) Must always be associated with a valid authorization
C) Must be signed before providing treatment to a patient.
D) Must be associated with a valid Business Associate Contract
E) Must describe the individual's rights under the Privacy Rule.

A) Is another name for the Security Ruling.
B) Requires the use of biometrics for access to records.
C) Is electronically stored information about an individual's health status and health care.
D) Identifies all hospitals and health care organizations.
E) Requires a PK1 for the provider and the patient.

A) Request that the patient sign the lab's Notice of Privacy Practices.
B) Do nothing more - the activity is covered by the doctor's Notice of Privacy Practices.
C) Obtain a specific authorization from the patient.
D) Obtain a specific authorization from the doctor.
E) Verify that the doctor's Notice of Privacy Practices has not expired.

A) Situations where the marketing is for a drug or treatment could improve the health of that individual.
B) Situations where the patient has already signed the covered entity's Notice of Privacy Practices.
C) A face-to-face encounter with the sales person of a company that provides drug samples.
D) A communication involving a promotional gift of nominal value.
E) The situation where the patient has signed the Notice of Privacy Practices of the marketer.

A) Security incident Procedures
B) information Access Management
C) Security Awareness and Training
D) Workforce Security
E) Security Management Process

A) Device and Media Controls
B) Access Controls
C) Transmission Security
D) Integrity
E) Audit Controls

A) Indefinitely, because the life of a signed authorization is indefinite
B) Six (6) years from the time it expires.
C) For as long as the patient's records are kept.
D) Until it is specifically revoked by the individual.
E) Ten (10) years from the date it was signed.

A) Limited to the minimum necessary to accomplish the intended purpose.
B) Left to the professional judgment and discretion of the requestor.
C) Controlled totally by the requestor's pre-existing authorization document.
D) Governed by industry "best practices" regarding use.
E) Left in force for eighteen (18) years.

A) The Notice must be signed before a State authorized notary.
B) Direct Treatment Providers must make a good faith effort to obtain patient's written acknowledgement of Notice of Privacy Practices.
C) Organizations may not have a "layered" Notice - a short, summary Notice preceding the more detailed Notice.
D) Authorization forms are mandatory for the Notice to be valid.
E) An individual must sign an authorization before a state authorized notary.

A) A covered entity must change its policies and procedures to comply with HIPAA regulations, standards, and implementation specifications.
B) A covered entity must reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the regulations.
C) A covered entity must provide a process for individuals to make complaints concerning privacy issues.
D) A covered entity must document all complaints received regarding privacy issues.
E) The Privacy Rule requires that the covered entity has a documented security policy.

A) $1 000000 per person per violation of a single standard for a calendar year
B) $10 per person per violation of a single standard for a calendar year.
C) $25000 per person per violation of a single standard for a calendar year.
D) $2,500 per person per violation of a single standard for a calendar year.
E) $1000 per person per violation of a single standard for a calendar year.

A) Workstation Use
B) Workstation Security
C) Sanction Policy
D) Termination Procedures
E) Facility Security Plan

A) Integrity Controls
B) Access Control and Validation Procedures
C) Emergency Mode Operation Plan
D) Response and Reporting
E) Risk Analysis

A) Accountants
B) Hospital employees
C) A covered entity's internal IT department
D) CEO of the covered entity
E) The covered entity's billing service department

A) Is another name for the Security Ruling.
B) Requires the use of biometrics for access to records.
C) Is electronically stored information about an individual's health status and health care.
D) Identifies all hospitals and health care organizations.
E) Requires a P1<1 for the provider and the patient.

A) Title I
B) Title II
C) Title Ill
D) Title W
E) Title V

A) A person who acts on behalf of a non-covered entity.
B) A person whose function may involve claims processing, administration, data analysis or practice management with access to PHI.
C) A person who is a member of the covered entity's workforce.
D) A clearinghouse.
E) A person that performs or assists in the performance of a function or activity that involves the use or disclosure of de-identified health information.

A) A covered entity must have and apply sanction against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity.
B) A covered entity does not need to train all members of its workforce whose functions are affected by a change in policy or procedure.
C) A covered entity must designate, and document, a privacy officer, and a HIPAA compliance officer,
D) A covered entity may require individuals to waive their rights.
E) A covered entity must require the individual to sign the Notice of Privacy Practices prior to delivering any treatment related service.

A) Business Associate Contract
B) Response and Reporting
C) Emergency Access Procedure
D) Sanction policy
E) Risk Management

A) Person or Entity Authentication
B) Technical Safeguards
C) Administrative Safeguards
D) Physical Safeguards
E) Transmission Security

A) De-identified information is IIHI that has had all individually (patient) identifiable information removed.
B) DII may be used only with the authorization of the individual.
C) DII remains PHI.
D) The only approved method of de-identification is to have a person with "appropriate knowledge and experience" tie-identify the IIHI.
E) All PHI use and disclosure requirements do not apply to re-identified DII.

A) Access Control
B) Audit Controls
C) Authorization Controls
D) Data Authentication
E) Person or Entity Authentication

A) Loop
B) Enumerator
C) Identifier
D) Data segment
E) Code set

A) October 16, 2003 - small health plans to begin testing without ASCA extension
B) October 16, 2004 - full compliance deadline for small health plans
C) April 16, 2004 - small health plans to begin testing with ASCA extension
D) April 16, 2003 - deadline to begin testing with ASCA extension
E) April 14, 2003; deadline to begin testing with ASCA extension.

A) Covered entities that violate the standards or implementation specifications will be subjected to civil penalties of up to $100 per violation except that the total amount imposed on any one person in each calendar year may not exceed $25,000 for violations of one requirement.
B) Criminal penalties for non-compliance are fines up to $65,000 and one year in prison for each requirement or prohibition violated.
C) Criminal penalties for willful violation are fines up to $60,000 and one year in prison for each requirement or prohibition violated.
D) Criminal penalties for violations committed under "false pretenses are fines up to $100,000 and five years in prison for each requirement or prohibition violated.
E) Criminal penalties for violations committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain or malicious harm are fines up to $250,000 and ten years in prison for each requirement or prohibition violated.

A) If the notice must state that the covered entity reserves the right to disclose PHI without obtaining the individuals authorization.
B) The notice must prominently include an expiration date.
C) The notice must describe every potential use of PHI.
D) The notice must describe an individual's rights under the rule such as to inspect, copy and amend PHI and to obtain an accounting of disclosures of PHI.
E) The notice must clearly identify that the covered entity is in compliance with HIPAA regulations as of April 16, 2003.

A) 'Use" refers to the release, transfer, or divulging of IIHI between various covered entities.
B) "Use" refers to adding, modifying and deleting the PHI by other covered entities.
C) "Use" refers to utilizing, examining, or analyzing IIHI within the covered entity
D) "Use" refers to the movement of de-identified information within an organization.
E) "Use" refers to the movement of information outside the entity holding the information.

A) 270
B) 836
C) 278
D) 820
E) 834