- An RHIA defines information governance (IG) for a hospital's leadership. Which description best captures what IG provides to the organization?
- An accountability framework and decision rights that direct the management of information across its entire lifecycle to support the organization's goals
- A software product that automatically encrypts all electronic health records at rest and in transit
- A clinical coding methodology used to assign diagnosis and procedure codes for billing
- A staffing model that determines how many health information technicians a department must employ
Correct answer: An accountability framework and decision rights that direct the management of information across its entire lifecycle to support the organization's goals
Information governance is an accountability framework and set of decision rights that direct how information is managed across its entire lifecycle to meet the organization's goals. It is an enterprise-wide strategic discipline, not a single encryption product, a coding method, or a staffing formula.
- A health system distinguishes information governance from data governance when chartering a new program. Which statement correctly describes the relationship between the two?
- Data governance is the broader enterprise framework, and information governance is a narrow subset focused only on paper records
- Information governance and data governance are identical terms with no meaningful distinction
- Data governance applies only to financial data while information governance applies only to clinical data
- Information governance is the broader enterprise framework, and data governance is a component focused on managing data as an asset within it
Correct answer: Information governance is the broader enterprise framework, and data governance is a component focused on managing data as an asset within it
Data governance is a subcomponent operating within the broader enterprise framework of information governance. Information governance addresses information as a whole across its lifecycle, while data governance focuses specifically on managing data assets, so the two are neither identical nor reversed in scope.
- AHIMA's Information Governance Adoption Model (IGAM) is being used to assess an organization's maturity. What is the primary purpose of such a maturity model?
- To evaluate the organization's current IG capabilities and provide a roadmap for advancing them over time
- To assign ICD-10-CM codes to inpatient encounters more accurately
- To calculate the case mix index for the prior fiscal year
- To determine which employees should receive annual performance bonuses
Correct answer: To evaluate the organization's current IG capabilities and provide a roadmap for advancing them over time
An information governance maturity model evaluates an organization's current capabilities across IG competencies and provides a roadmap for advancing them over time. It is an assessment and planning tool, not a coding, statistical, or compensation mechanism.
- A data dictionary is being implemented across a hospital's electronic systems. What is the central purpose of a data dictionary?
- To store the actual patient clinical results and physician notes for a given encounter
- To encrypt patient identifiers before they are transmitted to external partners
- To generate the patient's itemized bill at the time of discharge
- To provide a centralized, standardized definition of each data element, including its meaning, format, and permissible values
Correct answer: To provide a centralized, standardized definition of each data element, including its meaning, format, and permissible values
A data dictionary provides centralized, standardized definitions of data elements, documenting each element's meaning, format, and allowable values so data is interpreted consistently. It defines and describes data; it does not itself hold the clinical content, encrypt identifiers, or produce bills.
- While reviewing a data dictionary, an RHIA notices that the field 'admission_date' lacks any documented format. According to data dictionary standards, what should be specified for this element?
- A defined data type and format, such as a date in YYYY-MM-DD form, so the element is captured consistently
- The name of the admitting physician who entered the most recent record
- The total number of patients admitted during the prior calendar year
- A list of insurance payers accepted by the admitting department
Correct answer: A defined data type and format, such as a date in YYYY-MM-DD form, so the element is captured consistently
A data dictionary entry must specify the element's data type and format, such as a standardized date format, to ensure consistent capture and interpretation. The admitting physician's name, an annual admission count, or a payer list are data values or unrelated content, not the definition of the element itself.
- An organization wants its data dictionary to reduce inconsistent values entered for the 'race' field across departments. Which data dictionary feature most directly addresses this?
- Defining a controlled set of permissible values for the field so only approved entries are allowed
- Increasing the maximum character length allowed in the free-text comments field
- Adding more user accounts so additional staff can edit the dictionary
- Archiving older records to a separate long-term storage server
Correct answer: Defining a controlled set of permissible values for the field so only approved entries are allowed
Specifying a controlled set of permissible (allowable) values for a field constrains entries to approved options, directly reducing inconsistency. Expanding free-text length, adding editors, or archiving old records does not standardize the values entered into the field.
- An RHIA leads a project to standardize data definitions enterprise-wide. Why is maintaining a single shared data dictionary preferable to allowing each department to define elements independently?
- It eliminates the need for any clinical documentation by providers
- It promotes consistent meaning and interoperability of data across systems and departments
- It guarantees that no unauthorized user can ever access the records
- It automatically increases reimbursement received from payers
Correct answer: It promotes consistent meaning and interoperability of data across systems and departments
A single shared data dictionary ensures data elements carry consistent meaning across systems and departments, supporting interoperability and reliable aggregation. It does not remove the need for documentation, serve as an access-control mechanism, or raise reimbursement.
- During a data dictionary audit, two systems define 'discharge disposition' with different sets of codes. What is the most appropriate governance action?
- Reconcile the systems to a single standardized definition and value set in the enterprise data dictionary
- Delete the field from both systems to avoid the conflict
- Allow both definitions to remain so each system keeps its preferred values
- Convert the field to free text in both systems
Correct answer: Reconcile the systems to a single standardized definition and value set in the enterprise data dictionary
The correct governance action is to reconcile both systems to one standardized definition and value set in the enterprise data dictionary so the element means the same thing everywhere. Deleting the field, keeping conflicting definitions, or switching to free text would all worsen data consistency.
- Data integrity is a primary concern when an RHIA evaluates health data. Which definition best describes data integrity?
- The speed at which a database returns the results of a query
- The assurance that data is accurate, complete, consistent, and unaltered throughout its lifecycle
- The total physical storage capacity available on the server
- The number of authorized users permitted to view a record
Correct answer: The assurance that data is accurate, complete, consistent, and unaltered throughout its lifecycle
Data integrity is the assurance that data remains accurate, complete, consistent, and unaltered from creation through its lifecycle. Query speed, storage capacity, and user counts describe performance or access factors, not the trustworthiness of the data itself.
- An RHIA discovers that a copy-and-paste practice in the EHR is propagating outdated clinical information into new notes. Which dimension of data integrity is most directly threatened?
- Storage redundancy, because the data is saved in multiple physical locations
- Network latency, because the records take longer to retrieve
- Color contrast, because the display is harder to read
- Accuracy, because the documented information no longer reflects the patient's current condition
Correct answer: Accuracy, because the documented information no longer reflects the patient's current condition
Propagating outdated information through copy-and-paste undermines accuracy, since the note no longer reflects the patient's current condition. Storage redundancy, network latency, and display contrast are unrelated to whether the documented data is truthful and current.
- To protect data integrity in an electronic health record, an organization implements audit logs that record every change to a record. How do audit logs support integrity?
- They prevent the database from ever reaching its maximum storage limit
- They create a traceable history showing who altered data and when, allowing unauthorized or erroneous changes to be detected
- They translate clinical narratives into ICD-10-CM codes automatically
- They schedule staff shifts in the health information department
Correct answer: They create a traceable history showing who altered data and when, allowing unauthorized or erroneous changes to be detected
Audit logs support integrity by creating a traceable record of who changed data and when, enabling detection of unauthorized or erroneous alterations. They are not a storage-capacity control, a coding tool, or a scheduling system.
- An RHIA reviews two databases that should contain the same patient demographic values but show conflicting birth dates. Which data integrity problem does this illustrate?
- Excessive data encryption, because the values are scrambled
- Insufficient screen resolution, because the values display poorly
- Lack of data consistency, because the same element holds different values across systems
- Overstaffing, because too many people accessed the field
Correct answer: Lack of data consistency, because the same element holds different values across systems
Conflicting birth dates for the same patient across systems illustrate a data consistency problem, a core element of data integrity, because the same data element holds different values in different places. Encryption, display resolution, and staffing are not the issue.
- An organization adopts an enterprise edit-check rule that rejects a recorded weight of 2,000 pounds for an adult patient. Which data integrity safeguard does this represent?
- A retention schedule that determines how long the record is kept
- A disclosure log that tracks who received the information
- A reimbursement formula that calculates the expected payment
- A validation control that enforces plausible ranges to keep data accurate at the point of entry
Correct answer: A validation control that enforces plausible ranges to keep data accurate at the point of entry
Rejecting an implausible value enforces a validation control that keeps data accurate at the point of entry, supporting data integrity. A retention schedule, disclosure log, and reimbursement formula address record lifespan, access tracking, and payment rather than entry accuracy.
- AHIMA's Data Quality Management Model identifies four functions or domains in which data quality should be ensured. Which set correctly names them?
- Application, collection, warehousing, and analysis
- Encryption, transmission, deletion, and recovery
- Billing, coding, auditing, and appeals
- Recruiting, training, scheduling, and evaluating
Correct answer: Application, collection, warehousing, and analysis
AHIMA's Data Quality Management Model defines four functions: application, collection, warehousing, and analysis, each a point where data quality must be managed. The other lists describe security operations, revenue activities, and human resource tasks rather than the model's functions.
- In AHIMA's Data Quality Management Model, the 'collection' function focuses on what aspect of data quality?
- Disposing of records once their retention period has expired
- Negotiating contracts with external business partners
- Ensuring data quality at the point where data elements are captured or gathered
- Setting the annual operating budget for the department
Correct answer: Ensuring data quality at the point where data elements are captured or gathered
The collection function in the Data Quality Management Model addresses quality at the point where data is captured or gathered, emphasizing accurate, complete entry. Record disposal, contracting, and budgeting fall outside this function of the model.
- An RHIA applies the Data Quality Management Model's 'warehousing' function. Which activity best fits this function?
- Choosing which data elements clinicians will document at the bedside
- Presenting findings to the board in a quarterly meeting
- Maintaining the accuracy and security of data while it is stored for later retrieval and use
- Interviewing candidates for an open coding position
Correct answer: Maintaining the accuracy and security of data while it is stored for later retrieval and use
The warehousing function concerns maintaining data accuracy and security while it is stored so it remains usable when retrieved. Selecting elements to document relates to application or collection, while board presentations and interviewing are not warehousing activities.
- Under the AHIMA Data Quality Management Model, the 'analysis' function is concerned with which goal?
- Determining the physical location where servers are housed
- Assigning user passwords for system access
- Drafting the organization's mission statement
- Translating stored data into meaningful information that supports decisions
Correct answer: Translating stored data into meaningful information that supports decisions
The analysis function focuses on transforming stored data into meaningful information that supports decision-making. Server location, password assignment, and mission-statement drafting are operational or strategic tasks outside the model's analysis function.
- AHIMA's data quality characteristics include completeness. An RHIA finds that 15 percent of records are missing the documented chief complaint. Which data quality characteristic is deficient?
- Timeliness, because the data was recorded too late
- Completeness, because required data elements are absent from the records
- Currency, because the data is outdated
- Precision, because the values have too few decimal places
Correct answer: Completeness, because required data elements are absent from the records
Missing required elements such as a chief complaint reflect a deficiency in completeness, the characteristic concerning whether all needed data is present. Timeliness, currency, and precision address when data is captured, how current it is, and its level of detail rather than its presence.
- A data quality review shows that lab results are consistently entered four hours after they are available. Which data quality characteristic is most directly affected?
- Timeliness, because the data is not recorded within an acceptable timeframe
- Granularity, because the data lacks sufficient detail
- Relevancy, because the data does not pertain to the patient
- Accessibility, because authorized users cannot reach the data
Correct answer: Timeliness, because the data is not recorded within an acceptable timeframe
A lag between availability and entry affects timeliness, the characteristic concerning whether data is recorded within an acceptable timeframe. Granularity, relevancy, and accessibility concern level of detail, pertinence, and ease of authorized retrieval, none of which describe a delay in recording.
- An RHIA evaluates whether captured data is detailed enough to distinguish a left-sided from a right-sided procedure. Which data quality characteristic is being assessed?
- Granularity, because it concerns the level of detail captured in the data
- Consistency, because it concerns whether values agree across systems
- Timeliness, because it concerns how quickly data is recorded
- Relevancy, because it concerns whether data is needed at all
Correct answer: Granularity, because it concerns the level of detail captured in the data
Whether data captures enough detail, such as laterality, reflects granularity, the level of detail in the data. Consistency, timeliness, and relevancy address agreement across systems, recording speed, and pertinence rather than detail.
- The Uniform Hospital Discharge Data Set (UHDDS) was established to accomplish what purpose?
- To set the encryption standard for transmitting claims to payers
- To standardize the minimum data collected on inpatient hospital discharges so it can be compared across facilities
- To determine which physicians are credentialed to admit patients
- To calculate employee turnover rates in the HIM department
Correct answer: To standardize the minimum data collected on inpatient hospital discharges so it can be compared across facilities
The UHDDS standardizes a minimum core set of data elements collected for inpatient hospital discharges so information is comparable across facilities. It is a standardized data set, not an encryption standard, a credentialing process, or a workforce metric.
- Under UHDDS definitions, the principal diagnosis is defined as which of the following?
- The first diagnosis the physician suspects on arrival before any testing
- The diagnosis that yields the highest possible reimbursement
- The condition established after study to be chiefly responsible for the patient's admission to the hospital
- The diagnosis the patient reports most frequently in prior visits
Correct answer: The condition established after study to be chiefly responsible for the patient's admission to the hospital
UHDDS defines the principal diagnosis as the condition established after study to be chiefly responsible for the patient's admission. It is not the initial suspicion before testing, the highest-paying diagnosis, or the most frequently reported prior condition.
- An RHIA standardizes inpatient data capture using UHDDS elements. Which item is a recognized UHDDS data element?
- The brand of imaging equipment used
- The number of parking spaces at the facility
- The dietary preferences of the attending physician
- Patient's expected source of payment
Correct answer: Patient's expected source of payment
Expected source of payment is a recognized UHDDS data element captured for inpatient discharges. Imaging equipment brand, parking capacity, and a physician's dietary preferences are not part of the standardized discharge data set.
- UHDDS defines 'other diagnoses' (secondary diagnoses) as conditions that affect patient care in which way?
- Conditions that were ruled out and never affected the patient
- Conditions documented only after the patient was discharged home
- Conditions that coexist at admission or develop later and affect treatment received or length of stay
- Conditions reported by family members but not evaluated clinically
Correct answer: Conditions that coexist at admission or develop later and affect treatment received or length of stay
UHDDS defines other diagnoses as conditions that coexist at admission or develop during the stay and affect the treatment received or the length of stay. Ruled-out conditions, post-discharge-only documentation, and unevaluated family reports do not meet this definition.
- Standardized data sets such as UHDDS contribute to information governance primarily because they do what?
- Replace the need for any organizational privacy policies
- Enable consistent, comparable data collection that supports reliable aggregation and reporting across organizations
- Eliminate the requirement to retain health records
- Automatically detect security breaches in real time
Correct answer: Enable consistent, comparable data collection that supports reliable aggregation and reporting across organizations
Standardized data sets like UHDDS enable consistent, comparable data collection, which supports reliable aggregation and reporting across organizations, a core IG aim. They do not replace privacy policies, remove retention requirements, or function as breach-detection tools.
- An organization's IG steering committee assigns a 'data steward' to a clinical data domain. What is the data steward's primary responsibility?
- To ensure the quality, definition, and appropriate use of data within an assigned domain on behalf of the organization
- To personally perform all clinical documentation for that domain
- To own the data as personal property and sell it externally
- To approve every employee's vacation request in the department
Correct answer: To ensure the quality, definition, and appropriate use of data within an assigned domain on behalf of the organization
A data steward is responsible for ensuring the quality, consistent definition, and appropriate use of data within an assigned domain on the organization's behalf. Stewards do not perform clinical documentation themselves, own data personally, or handle staff vacation approvals.
- An RHIA explains why information should be governed across its entire lifecycle rather than only at creation. Which statement best supports lifecycle-based governance?
- Information requires consistent management from creation through use, storage, and eventual disposition to remain trustworthy and compliant
- Information only needs oversight at the moment it is first entered into a system
- Once data is stored it can never change, so later governance is unnecessary
- Governance ends as soon as a record is shared with another department
Correct answer: Information requires consistent management from creation through use, storage, and eventual disposition to remain trustworthy and compliant
Lifecycle governance is needed because information must be managed consistently from creation through use, storage, and disposition to stay trustworthy and compliant. Data continues to change and be used after entry, so oversight cannot stop at creation or at the moment of sharing.
- A hospital adopts an information governance program. Which outcome is a recognized benefit of effective IG?
- Permanent elimination of the need to back up any data
- More trustworthy data that improves decision-making and reduces organizational risk
- A guarantee that no employee will ever leave the organization
- Automatic doubling of patient volume each year
Correct answer: More trustworthy data that improves decision-making and reduces organizational risk
Effective information governance yields more trustworthy data, which improves decision-making and reduces organizational risk. It does not eliminate the need for backups, ensure staff retention, or guarantee growth in patient volume.
- An RHIA is asked to identify the foundational principle that should drive an information governance program. Which option best reflects that foundation?
- Treating information as a disposable byproduct with no ongoing value
- Treating information as a strategic organizational asset that must be managed and protected accordingly
- Restricting information management solely to the billing office
- Managing only paper records and ignoring all electronic data
Correct answer: Treating information as a strategic organizational asset that must be managed and protected accordingly
The foundation of information governance is treating information as a strategic organizational asset that must be managed and protected. Viewing information as disposable, confining its management to billing, or excluding electronic data all contradict the principle that information has enterprise value.
- During a governance review, an RHIA finds that the same patient appears under two different medical record numbers within a single system. Which data integrity concept is most directly compromised at the data-element level?
- Encryption, because the identifier is not scrambled
- Latency, because the lookup takes too long
- Uniqueness, because a single entity should be represented by one and only one identifier
- Granularity, because the identifier has too few digits
Correct answer: Uniqueness, because a single entity should be represented by one and only one identifier
One patient holding two identifiers compromises uniqueness, the principle that a single entity should be represented by exactly one identifier. Encryption, latency, and granularity concern protection, retrieval speed, and detail rather than whether each entity is represented once.
- An RHIA wants to verify that all required fields on an intake form are populated before a record is finalized. Which data quality dimension does this control primarily protect?
- Timeliness, because the data must be entered quickly
- Relevancy, because only pertinent data should be collected
- Completeness, because every required data element must be present
- Consistency, because values must match across systems
Correct answer: Completeness, because every required data element must be present
Requiring all mandatory fields to be populated protects completeness, the dimension ensuring every needed element is present. Timeliness, relevancy, and consistency address speed, pertinence, and cross-system agreement rather than the presence of required elements.
- A health information manager defines 'metadata' for the IG program. Which description is most accurate?
- Data that describes other data, such as the source, format, and timestamp of a record element
- The actual diagnosis and treatment narrative documented by the provider
- A patient's signed consent to receive treatment
- The reimbursement amount expected from the payer
Correct answer: Data that describes other data, such as the source, format, and timestamp of a record element
Metadata is data that describes other data, including details such as the source, format, and timestamp of a record element. It is descriptive information about the data, not the clinical narrative, a consent form, or a payment figure.
- An RHIA standardizes data definitions so that an analytics team and a clinical team interpret 'encounter' the same way. Which problem does a shared data dictionary definition most directly prevent?
- Network downtime affecting system availability
- Insufficient physical storage for archived records
- Ambiguity, where different users interpret the same data element inconsistently
- A shortage of trained coding staff
Correct answer: Ambiguity, where different users interpret the same data element inconsistently
A shared definition prevents ambiguity, where different users interpret the same element inconsistently, by fixing one agreed meaning. Network downtime, storage shortages, and staffing gaps are operational issues unrelated to defining the meaning of a data element.
- An RHIA evaluates the integrity of a data set before it is used for a quality report. Which step best supports the integrity of the data prior to reporting?
- Deleting any records that would lower the reported performance scores
- Encrypting the report so only executives can read it
- Validating the data for accuracy and completeness and reconciling any anomalies before analysis
- Adding free-text commentary fields to every record
Correct answer: Validating the data for accuracy and completeness and reconciling any anomalies before analysis
Validating data for accuracy and completeness and reconciling anomalies before analysis directly supports integrity and produces trustworthy reporting. Deleting unflattering records corrupts integrity, while encryption and adding free-text fields address access and structure rather than the data's trustworthiness.
- An information governance program defines who may create, modify, or retire a data element definition. This assignment of authority is best described as which IG component?
- Decision rights, which specify who has the authority to make particular information decisions
- A retention schedule, which specifies how long records are kept
- A disclosure accounting, which lists who received information
- A reimbursement model, which specifies how payment is calculated
Correct answer: Decision rights, which specify who has the authority to make particular information decisions
Specifying who may make particular information decisions defines decision rights, a core component of information governance. A retention schedule, disclosure accounting, and reimbursement model concern record lifespan, access tracking, and payment rather than who holds decision authority.
- An RHIA standardizes 'sex/gender' value sets in the enterprise data dictionary to align with a recognized national standard. Why is aligning to recognized standards advantageous for governance?
- It removes the need to document the element in any record
- It guarantees the field can never be left blank by any user
- It automatically increases the granularity of unrelated fields
- It improves interoperability and comparability of data with external systems and reporting requirements
Correct answer: It improves interoperability and comparability of data with external systems and reporting requirements
Aligning value sets to recognized standards improves interoperability and comparability of data with external systems and reporting requirements. It does not eliminate documentation, prevent blank entries on its own, or change the granularity of unrelated fields.
- A facility's data governance subcommittee reports to the broader information governance council. Which statement best describes how these structures should relate?
- Data governance should operate independently with no connection to enterprise strategy
- Data governance activities should align with and roll up into the enterprise information governance strategy
- Information governance should be limited to whatever the data subcommittee decides
- The two structures should compete to set conflicting policies
Correct answer: Data governance activities should align with and roll up into the enterprise information governance strategy
Data governance activities should align with and roll up into the enterprise information governance strategy so the organization speaks with one voice on information. Operating independently, subordinating IG to a single subcommittee, or setting competing policies would undermine coherent governance.
- An RHIA assesses whether a coded data element truly represents the clinical event it is meant to capture. Which data quality characteristic is being evaluated?
- Accuracy, because the value must correctly reflect the real-world event it represents
- Accessibility, because the value must be reachable by authorized users
- Timeliness, because the value must be recorded promptly
- Granularity, because the value must include enough detail
Correct answer: Accuracy, because the value must correctly reflect the real-world event it represents
Whether a value correctly reflects the real-world event it represents is a matter of accuracy. Accessibility, timeliness, and granularity concern reachability, recording speed, and level of detail rather than correctness of representation.
- An IG program establishes that data definitions, once approved, follow a formal change-control process before they can be altered. What governance benefit does this provide?
- It prevents the organization from ever updating outdated definitions
- It eliminates the need for a data dictionary altogether
- It transfers ownership of the data to individual employees
- It preserves consistency and traceability of definitions so changes are deliberate and documented
Correct answer: It preserves consistency and traceability of definitions so changes are deliberate and documented
A formal change-control process preserves consistency and traceability, ensuring definition changes are deliberate and documented. It does not freeze definitions permanently, remove the need for a data dictionary, or hand data ownership to individuals.
- An RHIA must ensure that aggregated discharge statistics submitted to a state agency are comparable to other hospitals' submissions. Which governance practice most directly enables this comparability?
- Allowing each unit to invent its own discharge data elements
- Collecting the underlying elements according to a standardized data set such as UHDDS
- Encrypting the statistics before submission
- Limiting the report to a single patient at a time
Correct answer: Collecting the underlying elements according to a standardized data set such as UHDDS
Collecting underlying elements per a standardized data set such as UHDDS makes aggregated statistics comparable across hospitals. Letting units invent their own elements destroys comparability, while encryption and single-patient limits address security and scope rather than standardization.
- An RHIA identifies that free-text entry in a critical field is producing wide variation that hampers analysis. Which data governance remedy best improves the integrity and usability of this field?
- Hiding the field from all reports so the variation is not visible
- Replacing free text with a standardized, structured value set defined in the data dictionary
- Allowing even more free-text characters per entry
- Removing the field from the audit log
Correct answer: Replacing free text with a standardized, structured value set defined in the data dictionary
Replacing free text with a standardized, structured value set defined in the data dictionary reduces variation and improves both integrity and analytic usability. Hiding the field, expanding free text, or removing audit logging would conceal or worsen the problem rather than solve it.
- An RHIA explains that information governance requires accountability at the organizational level. Which arrangement best demonstrates IG accountability?
- Leaving each individual user to govern information however they personally prefer
- Assigning all information decisions to an outside vendor with no oversight
- Treating governance as a one-time project that ends after launch
- Executive sponsorship and a chartered council with defined roles and responsibilities for managing information
Correct answer: Executive sponsorship and a chartered council with defined roles and responsibilities for managing information
IG accountability is demonstrated by executive sponsorship and a chartered council with defined roles and responsibilities for managing information enterprise-wide. Leaving decisions to individuals, fully outsourcing without oversight, or treating governance as a one-time project all fail to establish ongoing organizational accountability.
- An RHIA finds that nightly batch loads occasionally truncate long text values, silently dropping characters. Which data integrity risk does this create?
- Improved timeliness, because shorter values load faster
- Better security, because less data is exposed
- Loss of accuracy and completeness, because the stored value no longer matches the original captured value
- Increased relevancy, because only the start of each value remains
Correct answer: Loss of accuracy and completeness, because the stored value no longer matches the original captured value
Silent truncation creates a loss of accuracy and completeness because the stored value no longer matches what was originally captured. It does not legitimately improve timeliness, enhance security, or increase relevancy; those framings ignore that the data is now wrong.
- An RHIA distinguishes 'data' from 'information' when designing governance policies. Which statement is most accurate?
- Information is raw and unprocessed, while data is always fully analyzed
- Data and information both refer only to printed paper documents
- Information exists only in databases, while data exists only on paper
- Data are raw facts, and information is data that has been processed and given context to be meaningful
Correct answer: Data are raw facts, and information is data that has been processed and given context to be meaningful
Data are raw facts, and information is data that has been processed and placed in context to become meaningful. The reverse framing, the paper-only definition, and the database-versus-paper split all misstate the relationship.
- A governance audit reveals that the data dictionary has not been updated even though several new fields were added to the EHR. What is the most appropriate corrective action?
- Remove the new fields from the EHR so the dictionary stays unchanged
- Update the data dictionary to define the new fields and keep it synchronized with the systems it documents
- Mark the data dictionary as obsolete and stop maintaining it
- Restrict the data dictionary so no one can view it
Correct answer: Update the data dictionary to define the new fields and keep it synchronized with the systems it documents
The corrective action is to update the data dictionary to define the new fields and keep it synchronized with the systems it documents. Removing functional fields, abandoning the dictionary, or restricting all access would degrade governance rather than restore it.
- An RHIA wants to measure data quality objectively over time. Which approach best operationalizes the Data Quality Management Model in practice?
- Relying on staff intuition without any defined measures
- Defining data quality metrics for characteristics like completeness and accuracy and monitoring them across the model's functions
- Measuring quality only after a serious error has already occurred
- Tracking only the volume of records, regardless of their quality
Correct answer: Defining data quality metrics for characteristics like completeness and accuracy and monitoring them across the model's functions
Operationalizing the model means defining data quality metrics for characteristics such as completeness and accuracy and monitoring them across the model's functions. Intuition alone, measuring only after errors, or counting record volume without assessing quality do not provide objective, ongoing measurement.
- Under UHDDS, which item is captured as a standardized demographic data element for inpatient discharges?
- The attending physician's home address
- The brand of the hospital's electronic record system
- Patient's date of birth
- The number of beds licensed at the facility
Correct answer: Patient's date of birth
Date of birth is a standardized UHDDS demographic data element captured for inpatient discharges. A physician's home address, the EHR brand, and licensed bed count are not patient-level discharge data elements in the standard set.
- An RHIA establishes that retired or superseded data definitions should be archived rather than deleted from the data dictionary's history. What is the main governance rationale?
- Archiving definitions automatically corrects all past data-entry errors
- Keeping old definitions increases current reimbursement
- Retaining history removes the need for any access controls
- Preserving definition history supports traceability and correct interpretation of historical data
Correct answer: Preserving definition history supports traceability and correct interpretation of historical data
Preserving definition history supports traceability and the correct interpretation of historical data captured under prior definitions. It does not retroactively fix entry errors, raise reimbursement, or eliminate the need for access controls.
- An RHIA notices that a 'date of service' field is sometimes recorded in MM/DD/YYYY and other times in DD/MM/YYYY, causing misinterpretation. Which data integrity dimension does standardizing the format most directly protect?
- Confidentiality, because the dates should be hidden from users
- Throughput, because more records can be processed per second
- Consistency, because the element should be represented in one uniform format wherever it appears
- Redundancy, because the dates are stored in multiple places
Correct answer: Consistency, because the element should be represented in one uniform format wherever it appears
Standardizing the format protects consistency, ensuring the element is represented uniformly wherever it appears so values are not misread. Confidentiality, throughput, and redundancy address secrecy, processing speed, and duplication rather than uniform representation.
- An RHIA presents the business case for information governance to executives. Which argument best connects IG to organizational value?
- Information governance is purely a regulatory burden with no operational upside
- IG mainly benefits the IT vendor rather than the organization
- Well-governed information reduces risk, improves data reliability, and enables better strategic and clinical decisions
- IG is only relevant to facilities that still use paper records
Correct answer: Well-governed information reduces risk, improves data reliability, and enables better strategic and clinical decisions
The strongest business case is that well-governed information reduces risk, improves data reliability, and supports better strategic and clinical decisions. Framing IG as a pure burden, a vendor benefit, or a paper-only concern understates its enterprise value.
- A data quality audit finds that a registry includes patients who do not meet its inclusion criteria. Which data quality characteristic is most directly violated?
- Relevancy, because the included data does not pertain to the registry's intended population
- Granularity, because the data lacks sufficient detail
- Timeliness, because the data was entered late
- Uniqueness, because patients appear more than once
Correct answer: Relevancy, because the included data does not pertain to the registry's intended population
Including patients who do not meet inclusion criteria violates relevancy, the characteristic concerning whether data pertains to its intended purpose. Granularity, timeliness, and uniqueness address detail, recording speed, and duplication rather than pertinence.
- An RHIA designs a governance policy specifying that each critical data element have an identified owner accountable for its quality. What is the primary purpose of assigning data ownership?
- To allow that owner to keep the data private from the organization
- To shift all documentation duties to a single person
- To establish clear accountability for the definition, quality, and appropriate use of each data element
- To remove the data from any standardized definition
Correct answer: To establish clear accountability for the definition, quality, and appropriate use of each data element
Assigning data ownership establishes clear accountability for the definition, quality, and appropriate use of each element. It is not a means to privatize organizational data, consolidate documentation duties, or exempt the element from standardized definitions.
- An RHIA must ensure that a new analytics platform interprets the 'admit_source' field identically to the source EHR. Which governance artifact should be the authoritative reference for this interpretation?
- The patient's signed authorization form
- The facility's annual operating budget
- The vendor's marketing brochure
- The enterprise data dictionary, which holds the standardized definition and permissible values for the field
Correct answer: The enterprise data dictionary, which holds the standardized definition and permissible values for the field
The enterprise data dictionary is the authoritative reference for the standardized definition and permissible values of a field, ensuring consistent interpretation across platforms. An authorization form, operating budget, and marketing brochure do not define data elements.
- An organization wants its IG program to address both structured database fields and unstructured documents like scanned reports. Which statement reflects the correct scope of information governance?
- IG applies only to structured fields stored in relational databases
- IG applies to information in all forms and formats across the enterprise, structured and unstructured alike
- IG applies only to scanned paper documents
- IG applies only to data that is actively being billed
Correct answer: IG applies to information in all forms and formats across the enterprise, structured and unstructured alike
Information governance applies to information in all forms and formats across the enterprise, covering both structured fields and unstructured documents. Limiting IG to structured data, scanned paper, or billable data alone misstates its enterprise-wide scope.
- An RHIA reconciles a situation where one stored value contradicts what should be a derived value (for example, a calculated age that conflicts with the recorded birth date and encounter date). Which integrity practice resolves this?
- Encrypting both values so the contradiction is hidden
- Deleting the encounter date to remove the conflict
- Storing the values in two different databases
- Applying logical validation rules so related data elements remain internally consistent with one another
Correct answer: Applying logical validation rules so related data elements remain internally consistent with one another
Applying logical validation rules keeps related elements internally consistent, resolving contradictions such as an age that disagrees with the birth and encounter dates. Hiding the conflict through encryption, deleting a needed element, or splitting storage does not restore consistency.
- An RHIA chairs an information governance council and must decide which framework principle governs how long different categories of information are kept and when they are disposed of within the IG lifecycle. Which principle is this?
- Minimum necessary principle, limiting the amount of information disclosed to outsiders
- Retention and disposition principle, addressing how long information is kept and how it is appropriately destroyed
- Reimbursement integrity principle, ensuring claims match documentation
- Credentialing principle, verifying provider qualifications
Correct answer: Retention and disposition principle, addressing how long information is kept and how it is appropriately destroyed
The retention and disposition principle within information governance addresses how long each category of information is kept and how it is appropriately destroyed across the lifecycle. The minimum necessary, reimbursement integrity, and credentialing concepts address disclosure limits, claims accuracy, and provider qualification rather than lifecycle retention.
- During a data quality initiative, an RHIA must choose where in AHIMA's Data Quality Management Model to intervene when errors originate from clinicians entering data incorrectly at the bedside. Which function should the intervention target?
- Warehousing, because that is where stored data is secured
- Analysis, because that is where data becomes information
- Disposition, because that is where data is destroyed
- Collection, because that is where the data is captured and the errors are introduced
Correct answer: Collection, because that is where the data is captured and the errors are introduced
Errors introduced at the point of capture should be addressed in the collection function, where data is gathered. Warehousing, analysis, and disposition address stored data, transformation into information, and destruction rather than the point of entry where the errors arise.
- An RHIA evaluates a proposal to let a downstream system store its own separate copy of the master data definitions instead of referencing the enterprise data dictionary. From a governance standpoint, what is the chief risk of this approach?
- The copies can drift apart over time, producing inconsistent definitions and undermining data integrity
- The enterprise data dictionary will load reports faster as a result
- The downstream system will automatically gain stronger encryption
- The organization will be required to retain records for a longer period
Correct answer: The copies can drift apart over time, producing inconsistent definitions and undermining data integrity
Maintaining separate copies of master definitions risks drift, where the copies diverge over time and create inconsistent definitions that undermine data integrity. Faster reporting, stronger encryption, and longer retention are not consequences of duplicating definitions.
- Under the HIPAA Privacy Rule, which of the following best describes the rule's central purpose?
- It requires every hospital to adopt a single nationwide electronic health record platform
- It sets national standards to protect individuals' protected health information held by covered entities and their business associates
- It establishes the federal coding guidelines used to assign diagnosis and procedure codes
- It mandates the staffing ratios that health information departments must maintain
Correct answer: It sets national standards to protect individuals' protected health information held by covered entities and their business associates
The HIPAA Privacy Rule establishes national standards governing how covered entities and their business associates may use and disclose protected health information. It is a privacy-protection regulation, not an EHR-platform mandate, a coding guideline, or a staffing standard.
- A clinic mails a patient's lab results to the wrong address. Which HIPAA regulation most directly governs whether this incident is reportable?
- The CMS Conditions of Participation
- The ICD-10-CM Official Guidelines for Coding and Reporting
- The Outpatient Prospective Payment System rules
- The Breach Notification Rule
Correct answer: The Breach Notification Rule
The Breach Notification Rule governs when an impermissible use or disclosure of unsecured protected health information must be reported to individuals, the Secretary of HHS, and in some cases the media. Conditions of Participation, coding guidelines, and outpatient payment rules do not address breach reporting.
- An RHIA must determine whether a vendor is a HIPAA business associate. Which scenario most clearly creates a business associate relationship?
- A janitorial crew that empties trash cans in patient-care areas without accessing records
- A patient's adult child who picks up discharge paperwork at the front desk
- A pharmaceutical sales representative who delivers product samples to a clinic
- A transcription company that creates and processes protected health information on behalf of the hospital
Correct answer: A transcription company that creates and processes protected health information on behalf of the hospital
A transcription company that creates, receives, maintains, or transmits protected health information on a covered entity's behalf is a business associate. Janitorial staff without record access, a patient's family member, and a sales representative delivering samples do not perform functions involving PHI on the entity's behalf, so they are not business associates.
- Which document must a covered entity and its business associate execute before the business associate may handle protected health information?
- A notice of privacy practices
- An accounting of disclosures log
- A business associate agreement
- A data use agreement for a limited data set only
Correct answer: A business associate agreement
A business associate agreement is the contract that establishes the permitted uses and safeguards a business associate must apply to protected health information. The notice of privacy practices is patient-facing, an accounting of disclosures is a tracking record, and a data use agreement applies specifically to limited data sets rather than general business associate functions.
- The minimum necessary standard under HIPAA requires a covered entity to do which of the following?
- Disclose the entire medical record whenever any portion is requested for efficiency
- Obtain patient authorization before any treatment-related use of records
- Limit the protected health information used, disclosed, or requested to the least amount needed to accomplish the intended purpose
- Retain protected health information for a minimum of ten years in all cases
Correct answer: Limit the protected health information used, disclosed, or requested to the least amount needed to accomplish the intended purpose
The minimum necessary standard directs covered entities to limit protected health information to the least amount required to achieve the purpose of the use, disclosure, or request. It does not call for disclosing entire records by default, does not require authorization for treatment uses, and is unrelated to retention periods.
- To which type of disclosure does the HIPAA minimum necessary standard NOT apply?
- Disclosures of an entire chart to a marketing vendor
- Routine internal access by billing staff to patient accounts
- Disclosures to a public health authority for reporting
- Disclosures to a provider for treatment of the patient
Correct answer: Disclosures to a provider for treatment of the patient
The minimum necessary standard does not apply to disclosures to a health care provider for treatment, because treatment often requires complete clinical information. Marketing disclosures, internal billing access, and public health reporting remain subject to minimum necessary limits.
- A release of information (ROI) specialist receives a request for a patient's records. What is the correct first step in the ROI workflow?
- Verify the identity of the requester and the validity of the authorization or legal basis for the request
- Immediately copy and mail the complete record to the requester
- Enter the diagnosis codes for the encounter into the billing system
- Delete the original record once a copy has been made
Correct answer: Verify the identity of the requester and the validity of the authorization or legal basis for the request
The correct first step is verifying the requester's identity and confirming a valid authorization or legal basis before any protected health information is released. Releasing records before verification, coding the encounter, and deleting originals are not appropriate initial ROI actions.
- Which set of elements must a valid HIPAA authorization for release of protected health information contain?
- Only the patient's name and the date of the request
- The patient's diagnosis codes and the assigned MS-DRG
- A specific description of the information, the persons authorized to disclose and receive it, the purpose, an expiration, and the patient's signature and date
- A statement that the information may never be revoked once signed
Correct answer: A specific description of the information, the persons authorized to disclose and receive it, the purpose, an expiration, and the patient's signature and date
A valid authorization must include a specific description of the information, who may disclose and receive it, the purpose, an expiration date or event, and the individual's signature and date. A name and date alone are insufficient, diagnosis codes are not required elements, and authorizations are in fact revocable, so a no-revocation statement would be improper.
- A patient submits a written request to obtain a copy of their own medical records. Within how many days must a covered entity generally act on the request under the HIPAA right of access?
- 7 days, with no extensions allowed
- 30 days, with one 30-day extension permitted if the individual is notified
- 90 days, with two extensions permitted
- 180 days, matching the breach notification timeline
Correct answer: 30 days, with one 30-day extension permitted if the individual is notified
Under the HIPAA right of access, a covered entity must generally act on an access request within 30 days, with one 30-day extension allowed if the individual is notified of the delay and reason. The other timeframes do not reflect the access-rule requirement.
- Which document is a covered entity required to provide so that patients understand how their protected health information may be used and disclosed and what their privacy rights are?
- The business associate agreement
- The charge description master
- The data dictionary
- The notice of privacy practices
Correct answer: The notice of privacy practices
The notice of privacy practices informs patients how their protected health information may be used and disclosed and describes their privacy rights. A business associate agreement is a vendor contract, the charge description master is a billing file, and the data dictionary standardizes data definitions.
- Which category of disclosures may a covered entity make without obtaining patient authorization?
- Disclosures to a life insurer for underwriting a new policy
- Disclosures to an employer for an employment decision
- Disclosures for the sale of protected health information
- Disclosures for treatment, payment, and health care operations
Correct answer: Disclosures for treatment, payment, and health care operations
Disclosures for treatment, payment, and health care operations are permitted without patient authorization. Disclosures for insurance underwriting, employment decisions, and the sale of protected health information generally require a valid authorization.
- Which of the following is a defining characteristic of protected health information under HIPAA?
- Individually identifiable health information created or received by a covered entity and transmitted or maintained in any form
- Only health information stored in an electronic health record system
- Only the financial portion of a patient's billing account
- De-identified statistical data used for public reporting
Correct answer: Individually identifiable health information created or received by a covered entity and transmitted or maintained in any form
Protected health information is individually identifiable health information created or received by a covered entity and held or transmitted in any form, whether electronic, paper, or oral. It is not limited to electronic records or billing data, and de-identified data is specifically excluded from the definition.
- An RHIA evaluates a data file and must distinguish protected health information from personally identifiable information. Which statement best captures the distinction?
- PHI and PII are interchangeable terms with identical legal definitions
- PII applies only to electronic data while PHI applies only to paper records
- PHI excludes names and dates while PII includes them
- PHI is individually identifiable information tied to health care held by a covered entity, while PII is any data that can identify a person regardless of health context
Correct answer: PHI is individually identifiable information tied to health care held by a covered entity, while PII is any data that can identify a person regardless of health context
Protected health information is individually identifiable information connected to health care and held by a covered entity or business associate, whereas personally identifiable information is broader and refers to any data that can identify an individual outside a health context. The terms are not interchangeable, neither is limited by media type, and both can include identifiers such as names and dates.
- What does the HIPAA accounting of disclosures provision require a covered entity to do?
- List every internal access to a patient's record by clinical staff
- Disclose the salaries of employees who handle records
- Provide, on request, a record of certain disclosures of protected health information made outside treatment, payment, and operations
- Maintain a public registry of all patients treated at the facility
Correct answer: Provide, on request, a record of certain disclosures of protected health information made outside treatment, payment, and operations
An accounting of disclosures gives individuals, on request, a record of certain disclosures of their protected health information made for purposes other than treatment, payment, and operations. It does not track routine internal clinical access, employee salaries, or maintain a public patient registry.
- Which method satisfies the HIPAA Safe Harbor approach to de-identifying protected health information?
- Replacing patient names with their medical record numbers only
- Encrypting the file while retaining all identifiers in plaintext metadata
- Removing 18 specified identifiers and having no actual knowledge that the remaining data could identify an individual
- Aggregating data into groups of at least five patients without removing identifiers
Correct answer: Removing 18 specified identifiers and having no actual knowledge that the remaining data could identify an individual
The Safe Harbor method requires removing 18 specified identifiers and having no actual knowledge that the remaining information could be used to identify an individual. Swapping names for medical record numbers, encrypting while keeping identifiers, and small-cell aggregation without identifier removal do not meet the Safe Harbor standard.
- The HIPAA Security Rule applies specifically to which form of protected health information?
- Oral protected health information only
- Paper records stored in locked cabinets
- Electronic protected health information
- De-identified research datasets
Correct answer: Electronic protected health information
The HIPAA Security Rule governs electronic protected health information and requires administrative, physical, and technical safeguards to protect it. It does not specifically target oral or paper information, which fall under the Privacy Rule, and de-identified data is outside HIPAA's scope.
- The HIPAA Security Rule organizes its required protections into which three categories of safeguards?
- Financial, clinical, and operational safeguards
- Administrative, physical, and technical safeguards
- Federal, state, and local safeguards
- Preventive, detective, and corrective safeguards
Correct answer: Administrative, physical, and technical safeguards
The Security Rule requires administrative, physical, and technical safeguards to protect electronic protected health information. The other groupings are not how the Security Rule classifies its required protections.
- A hospital's privacy officer is asked which entities are directly required to comply with HIPAA as covered entities. Which group correctly identifies covered entities?
- Health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with covered transactions
- All employers that offer wellness programs to employees
- Any company that stores customer data in the cloud
- Marketing firms that purchase consumer mailing lists
Correct answer: Health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with covered transactions
Covered entities are health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with HIPAA-covered transactions. Employers, general cloud-storage companies, and consumer marketing firms are not covered entities by virtue of those activities alone.
- An impermissible disclosure of unsecured protected health information affects 750 individuals. Under the Breach Notification Rule, what additional notification is triggered beyond notifying the affected individuals?
- No further notification is required because fewer than 1,000 people are affected
- Immediate notification to every patient the facility has ever treated
- Notification only to the facility's billing department
- Notification to prominent media outlets serving the affected area, because the breach affects more than 500 residents of a state or jurisdiction
Correct answer: Notification to prominent media outlets serving the affected area, because the breach affects more than 500 residents of a state or jurisdiction
When a breach of unsecured protected health information affects more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets serving that area in addition to notifying the individuals and HHS. The other options misstate the threshold or the parties who must be notified.
- Within what timeframe must individuals be notified following discovery of a breach of unsecured protected health information?
- Within 24 hours of discovery in all cases
- Without unreasonable delay and no later than 60 days after discovery of the breach
- Within 30 days only if more than 500 individuals are affected
- Within one year of the calendar year in which the breach occurred
Correct answer: Without unreasonable delay and no later than 60 days after discovery of the breach
Individual breach notifications must be made without unreasonable delay and no later than 60 calendar days after discovery of the breach. A 24-hour rule, a 30-day conditional rule, and a one-year window do not reflect the Breach Notification Rule's individual-notice timing.
- A patient asks the health information department to amend information they believe is inaccurate in their record. Under HIPAA, what right is the patient exercising?
- The right to an accounting of disclosures
- The right to revoke a business associate agreement
- The right to receive the notice of privacy practices
- The right to request an amendment of protected health information
Correct answer: The right to request an amendment of protected health information
The patient is exercising the HIPAA right to request an amendment of protected health information they believe is inaccurate or incomplete. An accounting of disclosures, revoking a vendor contract, and receiving the privacy notice are distinct rights or documents.
- A covered entity wants to use patient records for its own quality improvement studies. Under HIPAA, this use falls under which permitted category that does not require authorization?
- Marketing
- Health care operations
- Sale of protected health information
- Research without any privacy protections
Correct answer: Health care operations
Quality improvement and quality assessment activities are part of health care operations, which is a permitted use that does not require patient authorization. Marketing and the sale of PHI generally require authorization, and research is subject to specific privacy protections rather than none.
- Which scenario represents a permissible disclosure of protected health information without patient authorization for payment purposes?
- Selling a list of patient diagnoses to a pharmaceutical company
- Posting patient account balances on the facility's public website
- Submitting a claim with necessary clinical information to the patient's health plan for reimbursement
- Sharing a patient's full record with a coworker out of curiosity
Correct answer: Submitting a claim with necessary clinical information to the patient's health plan for reimbursement
Submitting a claim with the clinical information needed for the health plan to reimburse care is a permitted payment disclosure that does not require authorization. Selling diagnoses, posting balances publicly, and curiosity-driven access are impermissible uses or disclosures.
- A research team requests a data set that excludes direct identifiers but retains dates of service and patient ZIP codes. What is this data set called under HIPAA, and what is required to disclose it?
- Fully de-identified data, which may be disclosed to anyone without restriction
- Protected health information that may never be disclosed for research
- A limited data set, which may be disclosed for research, public health, or operations under a data use agreement
- A designated record set that must be amended before disclosure
Correct answer: A limited data set, which may be disclosed for research, public health, or operations under a data use agreement
A limited data set excludes most direct identifiers but may retain elements like dates and ZIP codes, and it may be disclosed for research, public health, or operations under a data use agreement. It is not fully de-identified, it is not categorically barred from research, and it is not a designated record set.
- Which of the following is one of the 18 identifiers that must be removed under the HIPAA Safe Harbor de-identification method?
- The patient's blood type
- The name of the attending physician's specialty
- The hospital's tax identification number
- All elements of dates (except year) directly related to an individual, such as admission and discharge dates
Correct answer: All elements of dates (except year) directly related to an individual, such as admission and discharge dates
All elements of dates except the year that are directly related to an individual, such as birth, admission, and discharge dates, are among the 18 Safe Harbor identifiers that must be removed. Blood type, a physician's specialty, and the facility's tax identification number are not on the list of individual identifiers requiring removal.
- An RHIA is asked to verify that a vendor's business associate agreement is complete. Which provision must the agreement include?
- A requirement that the business associate use appropriate safeguards and report breaches and impermissible uses to the covered entity
- A guarantee that the business associate will never be audited
- A clause transferring all HIPAA liability solely to the patient
- A provision allowing the business associate to sell the data freely
Correct answer: A requirement that the business associate use appropriate safeguards and report breaches and impermissible uses to the covered entity
A business associate agreement must require the business associate to use appropriate safeguards and to report breaches and impermissible uses or disclosures to the covered entity. Promising no audits, shifting liability to patients, or permitting free data sale would all violate HIPAA requirements.
- Under the HIPAA Security Rule, which is an example of a technical safeguard?
- A locked door to the data center
- A workforce sanction policy for privacy violations
- A sign-in sheet at the records department front desk
- Access controls that allow only authorized users to view electronic protected health information
Correct answer: Access controls that allow only authorized users to view electronic protected health information
Access controls limiting which authorized users can view electronic protected health information are a technical safeguard. A locked data-center door is a physical safeguard, a sanction policy is an administrative safeguard, and a sign-in sheet is a physical or administrative control, not a technical one.
- Under the HIPAA Security Rule, which is an example of an administrative safeguard?
- Installing automatic logoff on workstations
- Positioning monitors so screens are not visible to the public
- Encrypting data transmitted across a network
- Conducting a periodic risk analysis of threats to electronic protected health information
Correct answer: Conducting a periodic risk analysis of threats to electronic protected health information
Conducting a periodic risk analysis is an administrative safeguard under the Security Rule. Automatic logoff and encryption are technical safeguards, and positioning monitors away from public view is a physical safeguard.
- A covered entity must respond to a patient who requests restrictions on disclosure of their records. Under HIPAA, when must the entity agree to a requested restriction?
- Whenever any patient asks for any restriction for any reason
- When the patient pays out of pocket in full and requests that the information not be disclosed to a health plan
- Only when the request is made by the patient's attorney
- Never, because restrictions are entirely at the entity's discretion
Correct answer: When the patient pays out of pocket in full and requests that the information not be disclosed to a health plan
A covered entity must agree to a requested restriction when an individual pays out of pocket in full for a service and asks that the information about that service not be disclosed to a health plan. Entities are otherwise generally not required to agree to every restriction, the request need not come from an attorney, and restrictions are not entirely discretionary in that out-of-pocket situation.
- A nurse accesses the electronic record of a celebrity patient she is not treating, simply to read about the admission. How should this be classified under HIPAA?
- A permitted treatment use because the nurse is a clinician
- An impermissible use of protected health information that violates the minimum necessary standard and may require breach evaluation
- A permitted health care operations activity
- An accounting of disclosures entry that requires no further action
Correct answer: An impermissible use of protected health information that violates the minimum necessary standard and may require breach evaluation
Accessing a patient's record without a treatment, payment, or operations purpose is an impermissible use that violates the minimum necessary standard and may trigger a breach evaluation. Being a clinician does not authorize access to patients one is not treating, and curiosity-driven access is neither a permitted operation nor a routine accounting entry.
- Which of the following identifiers, standing alone in a health data file, makes the information protected health information rather than de-identified data?
- The patient's full nine-digit Social Security number
- The year of service with no other identifiers
- The state in which care was provided
- The general age range of 40 to 49
Correct answer: The patient's full nine-digit Social Security number
A full Social Security number is one of the 18 HIPAA identifiers, so its presence makes the data individually identifiable protected health information. Year alone, state, and a broad age range are not among the direct identifiers that would, by themselves, render data identifiable under Safe Harbor.
- An ROI specialist receives a subpoena, not accompanied by a court order, requesting a patient's records. What is the appropriate action under HIPAA?
- Release the full record immediately because any subpoena compels disclosure
- Ignore the subpoena entirely because HIPAA prohibits all legal disclosures
- Disclose the record only to the patient's employer
- Disclose only if satisfactory assurances are received that the patient was notified or a protective order was sought, or obtain a valid authorization
Correct answer: Disclose only if satisfactory assurances are received that the patient was notified or a protective order was sought, or obtain a valid authorization
For a subpoena not accompanied by a court order, HIPAA permits disclosure only when satisfactory assurances show the patient was notified or that a qualified protective order was sought, or when a valid authorization is obtained. A subpoena alone does not automatically compel release, HIPAA does not bar all legal disclosures, and the employer is not the appropriate recipient.
- A patient revokes a previously signed authorization to disclose records to a third party. How does HIPAA treat actions taken before the revocation?
- The revocation is effective going forward but does not undo disclosures already made in reliance on the authorization
- The revocation requires the recipient to destroy all copies already lawfully disclosed
- Authorizations cannot be revoked once signed
- The revocation automatically deletes the patient's entire record
Correct answer: The revocation is effective going forward but does not undo disclosures already made in reliance on the authorization
A patient may revoke an authorization in writing, and the revocation applies prospectively without invalidating disclosures already made in reliance on the prior authorization. Recipients are not required to retrieve and destroy lawfully disclosed copies, authorizations are revocable, and revocation does not delete the underlying record.
- Which use of protected health information generally requires a patient's written authorization?
- Sharing information with a consulting physician for the patient's treatment
- Submitting a claim to the patient's insurer for payment
- Using patient information for marketing communications that involve payment from a third party
- Reviewing records internally for a quality improvement project
Correct answer: Using patient information for marketing communications that involve payment from a third party
Marketing communications, particularly those involving payment from a third party, generally require written authorization. Treatment consultations, claims submission for payment, and internal quality improvement fall under treatment, payment, and operations and do not require authorization.
- A facility maintains the set of records it uses to make decisions about an individual. Under HIPAA, what is this called, and why does it matter for access?
- The designated record set, which defines the scope of records a patient may access and request to amend
- The charge description master, which lists billable items
- The accounting of disclosures, which lists who received the data
- The data dictionary, which standardizes field definitions
Correct answer: The designated record set, which defines the scope of records a patient may access and request to amend
The designated record set is the group of records a covered entity uses to make decisions about individuals, and it defines the scope of what patients may access and request to amend. The charge description master, accounting of disclosures, and data dictionary serve billing, tracking, and data-definition purposes rather than defining access scope.
- Which statement accurately describes the relationship between the HIPAA Privacy Rule and more stringent state privacy laws?
- More stringent state laws that provide greater privacy protection are generally not preempted by HIPAA
- HIPAA always preempts every state privacy law without exception
- State laws automatically replace HIPAA for all covered entities
- HIPAA applies only when no state privacy law exists
Correct answer: More stringent state laws that provide greater privacy protection are generally not preempted by HIPAA
HIPAA sets a federal floor, and more stringent state laws that offer greater privacy protection are generally not preempted. HIPAA does not preempt every state law, state laws do not wholesale replace HIPAA, and HIPAA applies regardless of whether a state law exists.
- A privacy officer is calculating the breach risk assessment factors after an impermissible disclosure. Which factor is part of the required four-factor risk assessment?
- The total annual revenue of the covered entity
- The number of years the facility has been accredited
- The nature and extent of the protected health information involved, including the types of identifiers
- The market share of the facility in its region
Correct answer: The nature and extent of the protected health information involved, including the types of identifiers
The four-factor breach risk assessment includes the nature and extent of the protected health information involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which risk has been mitigated. Revenue, accreditation tenure, and market share are not part of the assessment.
- Under HIPAA, when may a covered entity disclose protected health information to a public health authority without patient authorization?
- For purposes such as reporting communicable diseases as authorized by law
- To help the public health authority market a new vaccine product
- To allow the authority to sell the data to researchers
- Only after the patient signs a marketing authorization
Correct answer: For purposes such as reporting communicable diseases as authorized by law
HIPAA permits disclosures to a public health authority, without authorization, for activities such as disease reporting and surveillance authorized by law. Marketing support, data sale, and requiring a marketing authorization are not the basis for permitted public health disclosures.
- Which of the following best distinguishes a use from a disclosure of protected health information under HIPAA?
- A use occurs within the entity that holds the information, while a disclosure releases it outside that entity
- A use applies only to electronic data and a disclosure only to paper
- A use requires authorization and a disclosure never does
- A use is always impermissible and a disclosure is always permitted
Correct answer: A use occurs within the entity that holds the information, while a disclosure releases it outside that entity
A use is the sharing or handling of protected health information within the entity that maintains it, while a disclosure is the release of that information to an outside party. The distinction does not depend on media type, neither term is defined by authorization status, and neither is inherently impermissible or permitted.
- An RHIA reviews whether a verbal discussion of a patient's condition in a semi-private room is a HIPAA violation. Which concept best applies?
- All oral disclosures are strictly prohibited under HIPAA
- Incidental disclosures are permitted if reasonable safeguards and minimum necessary practices are in place
- Oral information is never considered protected health information
- The Security Rule governs all verbal conversations about patients
Correct answer: Incidental disclosures are permitted if reasonable safeguards and minimum necessary practices are in place
HIPAA permits incidental disclosures that occur as a byproduct of permitted activities, provided reasonable safeguards and minimum necessary practices are applied. Oral disclosures are not strictly prohibited, oral information can be protected health information, and the Security Rule applies to electronic PHI rather than verbal conversations.
- A covered entity wants to confirm it has met its obligation to inform patients of their privacy rights at the first delivery of service. Which action satisfies this?
- Posting the charge description master in the waiting room
- Filing a breach report with HHS
- Providing the notice of privacy practices and making a good-faith effort to obtain written acknowledgment of receipt
- Executing a business associate agreement with every patient
Correct answer: Providing the notice of privacy practices and making a good-faith effort to obtain written acknowledgment of receipt
Providing the notice of privacy practices and making a good-faith effort to obtain a written acknowledgment of receipt satisfies the notice obligation at first service delivery. Posting a billing file, filing a breach report, or signing business associate agreements with patients do not meet this requirement.
- A health plan is also a covered entity. Which HIPAA-permitted disclosure may it make to another covered entity without authorization?
- Disclosure for the recipient entity's payment activities related to the same individual
- Disclosure to support the recipient's consumer marketing campaign
- Disclosure to sell the individual's records to a data broker
- Disclosure to an employer for hiring decisions
Correct answer: Disclosure for the recipient entity's payment activities related to the same individual
A covered entity may disclose protected health information to another covered entity for that entity's payment activities concerning the same individual without authorization. Marketing campaigns, data sale, and employer hiring disclosures are not permitted without authorization.
- Which statement correctly describes how the HITECH Act affected business associates' HIPAA obligations?
- It made business associates directly liable for compliance with certain HIPAA Security and Privacy Rule provisions
- It exempted business associates from all HIPAA requirements
- It eliminated the need for business associate agreements
- It limited HIPAA enforcement to covered entities only
Correct answer: It made business associates directly liable for compliance with certain HIPAA Security and Privacy Rule provisions
The HITECH Act made business associates directly liable for compliance with certain HIPAA Security Rule provisions and parts of the Privacy Rule. It did not exempt them from HIPAA, eliminate business associate agreements, or restrict enforcement solely to covered entities.
- A patient requests an accounting of disclosures. For what time period may they request this accounting under HIPAA?
- For disclosures made during the past 30 days only
- For disclosures made during the six years prior to the date of the request
- For the entire history of the facility regardless of dates
- For the next six years following the request
Correct answer: For disclosures made during the six years prior to the date of the request
Individuals may request an accounting of disclosures covering the six years prior to the date of the request. A 30-day window, an unlimited historical period, and a forward-looking period do not reflect the accounting-of-disclosures timeframe.
- Which of the following disclosures must be included in a HIPAA accounting of disclosures?
- A disclosure of protected health information to a public health authority for disease surveillance
- A disclosure to another provider for the patient's treatment
- A disclosure to the patient of their own information
- A disclosure for the facility's billing of the patient's insurer
Correct answer: A disclosure of protected health information to a public health authority for disease surveillance
Disclosures to a public health authority for surveillance must be included in an accounting of disclosures because they fall outside treatment, payment, and operations. Treatment disclosures, disclosures to the individual, and payment disclosures are generally excluded from the accounting requirement.
- An organization determines whether expert determination is an acceptable way to de-identify a dataset. What does the expert determination method require?
- Any staff member removes the patient's name and signs a form
- A qualified person applies statistical and scientific principles to determine the risk of re-identification is very small and documents that determination
- The dataset is encrypted and the key is stored separately
- The data is aggregated by calendar year only
Correct answer: A qualified person applies statistical and scientific principles to determine the risk of re-identification is very small and documents that determination
Expert determination requires a person with appropriate statistical and scientific knowledge to determine, and document, that the risk of re-identifying individuals is very small. Removing a name alone, encryption, and aggregation by year do not satisfy the expert determination standard.
- A facility wants to assign role-based access so staff see only the information their jobs require. Which HIPAA principle does this implement?
- The breach notification rule
- The minimum necessary standard applied through role-based access controls
- The accounting of disclosures requirement
- The notice of privacy practices obligation
Correct answer: The minimum necessary standard applied through role-based access controls
Role-based access that limits staff to the information needed for their jobs implements the minimum necessary standard. Breach notification, accounting of disclosures, and the privacy notice address reporting, tracking, and patient communication rather than access scoping.
- Which scenario is an example of a permitted disclosure to a personal representative under HIPAA?
- Disclosing an adult patient's records to a neighbor who asks about the patient
- Disclosing records to a coworker who shares the patient's last name
- Disclosing a minor child's relevant records to a parent who is the child's legal guardian
- Disclosing records to a reporter investigating a story
Correct answer: Disclosing a minor child's relevant records to a parent who is the child's legal guardian
A parent who is the legal guardian of a minor generally acts as the personal representative and may receive the child's relevant protected health information. A neighbor, an unrelated coworker, and a reporter are not personal representatives and are not entitled to the records without authorization.
- An RHIA is asked which HIPAA rule requires a covered entity to designate a privacy official responsible for developing and implementing privacy policies. Which rule imposes this requirement?
- The Breach Notification Rule
- The ICD-10 Official Guidelines
- The HIPAA Privacy Rule
- The Outpatient Prospective Payment System rule
Correct answer: The HIPAA Privacy Rule
The HIPAA Privacy Rule requires covered entities to designate a privacy official responsible for developing and implementing privacy policies and procedures. The Breach Notification Rule, coding guidelines, and outpatient payment rules do not impose this requirement.
- Under the HIPAA Security Rule, what distinguishes a required implementation specification from an addressable one?
- A required specification must be implemented as stated, while an addressable one must be assessed and implemented, or an equivalent measure adopted, based on what is reasonable and appropriate
- An addressable specification may always be ignored entirely
- A required specification applies only to small providers
- An addressable specification applies only to business associates
Correct answer: A required specification must be implemented as stated, while an addressable one must be assessed and implemented, or an equivalent measure adopted, based on what is reasonable and appropriate
A required implementation specification must be implemented as written, while an addressable specification must be assessed for reasonableness and either implemented, replaced with an equivalent measure, or documented as not reasonable. Addressable specifications cannot simply be ignored, and neither type is limited to small providers or only to business associates.
- Which is an example of a physical safeguard under the HIPAA Security Rule?
- Facility access controls that limit physical entry to areas housing electronic systems with protected health information
- Unique user identification for system logins
- A documented contingency plan for emergencies
- Audit controls that record system activity
Correct answer: Facility access controls that limit physical entry to areas housing electronic systems with protected health information
Facility access controls limiting physical entry to areas with electronic protected health information are a physical safeguard. Unique user identification and audit controls are technical safeguards, and a contingency plan is an administrative safeguard.
- A covered entity discovers that a laptop containing encrypted protected health information was stolen, and the encryption meets HHS specifications. How does this affect breach notification obligations?
- It is automatically a reportable breach regardless of encryption
- It requires media notification within 24 hours
- It requires notification only to the device manufacturer
- Because the data was encrypted to the required standard, it is considered secured and the loss is generally not a reportable breach
Correct answer: Because the data was encrypted to the required standard, it is considered secured and the loss is generally not a reportable breach
Protected health information encrypted according to HHS specifications is considered secured, so its loss generally does not trigger breach notification. Encryption to that standard removes the automatic reporting obligation, and the 24-hour media notice and manufacturer notification options misstate the rule.
- A research study seeks to use identifiable protected health information without patient authorization. Which mechanism may permit this under HIPAA?
- A signed notice of privacy practices from each patient
- A waiver of authorization granted by an Institutional Review Board or Privacy Board
- A business associate agreement with the research sponsor
- An accounting of disclosures filed with HHS
Correct answer: A waiver of authorization granted by an Institutional Review Board or Privacy Board
An Institutional Review Board or Privacy Board may grant a waiver of authorization that permits the use or disclosure of identifiable protected health information for research under specified conditions. The privacy notice, a business associate agreement, and an accounting of disclosures do not authorize unauthorized research use.
- A patient asks to receive communications about appointments only by a personal email rather than a home phone. Under HIPAA, how must the covered entity respond?
- It may refuse all such requests as administratively burdensome
- It must accommodate reasonable requests for confidential communications by alternative means or at alternative locations
- It must obtain a court order before changing the contact method
- It must file a breach report before accommodating the request
Correct answer: It must accommodate reasonable requests for confidential communications by alternative means or at alternative locations
Covered entities must accommodate reasonable requests by individuals to receive confidential communications by alternative means or at alternative locations. They cannot categorically refuse such requests, and no court order or breach report is required to honor them.
- Which best describes the role of the HHS Office for Civil Rights with respect to HIPAA?
- It assigns MS-DRGs for inpatient reimbursement
- It publishes the CPT code set each year
- It enforces the HIPAA Privacy, Security, and Breach Notification Rules and investigates complaints
- It accredits hospitals for Medicare participation
Correct answer: It enforces the HIPAA Privacy, Security, and Breach Notification Rules and investigates complaints
The HHS Office for Civil Rights enforces the HIPAA Privacy, Security, and Breach Notification Rules and investigates complaints of noncompliance. Assigning MS-DRGs, publishing CPT codes, and accrediting hospitals are functions of other entities.
- An RHIA must classify the severity tier of a HIPAA civil monetary penalty. Which factor most influences the penalty tier?
- The number of beds in the facility
- The patient's diagnosis severity
- The level of culpability, ranging from lack of knowledge to willful neglect
- The geographic region of the facility
Correct answer: The level of culpability, ranging from lack of knowledge to willful neglect
HIPAA civil monetary penalty tiers are based primarily on the level of culpability, from a violation the entity did not know about to willful neglect. Bed count, patient diagnosis severity, and geographic region do not determine the penalty tier.
- A covered entity's workforce member discloses PHI in a manner not permitted by the Privacy Rule. What must the entity's policies require regarding this workforce member?
- Immediate public disclosure of the employee's identity
- Termination in every case regardless of circumstances
- Application of appropriate sanctions consistent with the entity's sanction policy
- A mandatory reduction in the patient's bill
Correct answer: Application of appropriate sanctions consistent with the entity's sanction policy
Covered entities must have and apply appropriate sanctions for workforce members who violate privacy policies, consistent with the entity's sanction policy. HIPAA does not require publicizing the employee's identity, automatic termination in all cases, or adjusting the patient's bill.
- Which scenario correctly applies the minimum necessary standard to an internal request for records?
- A billing analyst requests the entire lifetime chart for every patient to be thorough
- A billing analyst requests psychotherapy notes to verify an office-visit charge
- A billing analyst requests only the encounter and charge data needed to process a claim rather than the full clinical chart
- A billing analyst requests records of patients unrelated to the claim
Correct answer: A billing analyst requests only the encounter and charge data needed to process a claim rather than the full clinical chart
Requesting only the encounter and charge data needed to process a claim correctly applies the minimum necessary standard. Pulling entire lifetime charts, accessing psychotherapy notes unrelated to the task, and requesting unrelated patients' records exceed the minimum necessary.
- A covered entity uses a cloud storage provider to maintain electronic protected health information. Under HIPAA, what is the cloud provider's status, even if it cannot view the encrypted data?
- A business associate, because it maintains protected health information on the covered entity's behalf
- Not subject to HIPAA because the data is encrypted
- A covered entity in its own right
- A personal representative of the patients
Correct answer: A business associate, because it maintains protected health information on the covered entity's behalf
A cloud storage provider that maintains protected health information on a covered entity's behalf is a business associate, even if it cannot view encrypted content. Encryption does not exempt it from HIPAA, it is not itself a covered entity, and it is not a personal representative.
- When must a covered entity update and redistribute its notice of privacy practices?
- Every time a single patient is admitted
- When there is a material change to its privacy practices, by revising the notice and making it available
- Only when ownership of the facility changes
- Never, because the notice is fixed once published
Correct answer: When there is a material change to its privacy practices, by revising the notice and making it available
A covered entity must revise and make available its notice of privacy practices whenever there is a material change to its privacy practices. Updates are not tied to each admission or solely to ownership changes, and the notice is not permanently fixed.
- Which element is a covered entity's notice of privacy practices required to describe?
- The facility's annual operating budget
- The individual's rights, including the right to access and request amendments, and how to file a complaint
- The salaries of the privacy and security officers
- The list of all current business associates by name
Correct answer: The individual's rights, including the right to access and request amendments, and how to file a complaint
The notice of privacy practices must describe individuals' rights, including access and amendment rights, and how to file a complaint with the entity and HHS. It does not include budgets, officer salaries, or a roster of business associates.
- A covered entity receives an authorization that combines a research authorization with other unrelated authorizations on one form. When is such a compound authorization generally prohibited?
- When it conditions treatment, payment, enrollment, or eligibility on signing, except where permitted
- Whenever more than one purpose is listed
- Whenever the patient is over the age of 65
- Whenever the authorization is provided electronically
Correct answer: When it conditions treatment, payment, enrollment, or eligibility on signing, except where permitted
An authorization generally may not condition treatment, payment, enrollment, or eligibility on the individual signing it, except in limited permitted situations. Listing multiple purposes, the patient's age, and electronic format do not by themselves make an authorization prohibited.
- An RHIA evaluates whether information shared verbally during a care conference is protected. Which statement is correct under HIPAA?
- Oral protected health information is covered by the Privacy Rule and must be safeguarded
- Only written information qualifies as protected health information
- Verbal information is governed solely by the Security Rule
- Care-conference discussions are exempt from HIPAA entirely
Correct answer: Oral protected health information is covered by the Privacy Rule and must be safeguarded
The Privacy Rule covers protected health information in all forms, including oral information, which must be safeguarded. Protected health information is not limited to written form, oral information is not governed solely by the Security Rule, and care conferences are not exempt from HIPAA.
- A patient is denied access to a portion of their record. Under HIPAA, which denial is reviewable by a licensed health care professional?
- A denial because the request was submitted on a Monday
- A denial because the patient owes an unpaid bill
- A denial because the staff member was busy that day
- A denial based on a determination that access is reasonably likely to endanger the life or physical safety of the individual or another person
Correct answer: A denial based on a determination that access is reasonably likely to endanger the life or physical safety of the individual or another person
A denial based on a reasonable likelihood of endangering the life or physical safety of the individual or another person is a reviewable ground that a licensed health care professional must evaluate. The day of the week, an unpaid bill, and staff workload are not valid bases for denying access.
- An RHIA determines the appropriate fee a covered entity may charge a patient for a copy of their records under the HIPAA right of access. Which fee approach is permitted?
- A per-page retrieval search fee for locating the record
- A reasonable, cost-based fee that covers labor for copying, supplies, and postage
- Any fee the facility chooses to set for profit
- A fee equal to the cost of the patient's most recent visit
Correct answer: A reasonable, cost-based fee that covers labor for copying, supplies, and postage
Under the HIPAA right of access, a covered entity may charge only a reasonable, cost-based fee that covers labor for copying, supplies, and postage. It may not charge search and retrieval fees, set arbitrary profit-driven fees, or tie the fee to the cost of a prior visit.
- Which scenario constitutes a HIPAA disclosure rather than a use of protected health information?
- A nurse reviews a patient's chart on the inpatient unit during treatment
- A coder within the hospital accesses the record to assign codes
- A privacy officer audits internal access logs within the facility
- A hospital sends a patient's discharge summary to an outside primary care physician's office
Correct answer: A hospital sends a patient's discharge summary to an outside primary care physician's office
Sending a discharge summary to an outside physician's office releases information beyond the entity, making it a disclosure. A nurse reviewing a chart, a coder assigning codes, and a privacy officer auditing logs all occur within the entity and are uses.
- A covered entity wants to share a limited data set with a researcher. What must accompany this disclosure under HIPAA?
- A full patient authorization signed for each individual
- A breach notification to HHS
- A data use agreement that restricts the recipient's use and re-disclosure of the limited data set
- A new notice of privacy practices for each researcher
Correct answer: A data use agreement that restricts the recipient's use and re-disclosure of the limited data set
A limited data set may be disclosed for research, public health, or operations under a data use agreement that limits the recipient's use and re-disclosure. Individual authorizations, breach notifications, and new privacy notices are not the required mechanism for limited data set disclosures.
- An RHIA is asked to identify which patient information requires the most stringent protections and often additional state-law consent before disclosure. Which category fits this description?
- Routine outpatient visit summaries
- Substance use disorder treatment records and certain mental health information
- General immunization dates
- Standard demographic admission data
Correct answer: Substance use disorder treatment records and certain mental health information
Substance use disorder treatment records and certain mental health information typically receive heightened protection and may require specific consent under federal and state law beyond general HIPAA rules. Routine visit summaries, immunization dates, and demographic data do not carry these extra restrictions.
- A covered entity's facility directory lists patients by name and room. Under HIPAA, how may this information be handled?
- It may be disclosed to those who ask for the patient by name, unless the patient has objected or opted out
- It must be posted publicly in the hospital lobby
- It may never be shared with anyone outside the care team
- It requires a signed authorization from every visitor
Correct answer: It may be disclosed to those who ask for the patient by name, unless the patient has objected or opted out
Facility directory information may be disclosed to people who ask for the patient by name unless the patient has objected or opted out after being given the opportunity. It is not posted publicly, it is not categorically barred from all outside parties, and visitors do not sign authorizations to receive it.
- Which is the most accurate description of how the minimum necessary standard interacts with a patient's own request for their records?
- The standard requires withholding most of the record from the patient
- The standard requires the patient to justify each page requested
- The minimum necessary standard does not apply to disclosures made to the individual who is the subject of the information
- The standard limits the patient to a summary rather than the full record
Correct answer: The minimum necessary standard does not apply to disclosures made to the individual who is the subject of the information
The minimum necessary standard does not apply to disclosures made to the individual who is the subject of the protected health information. Patients are not subject to minimum necessary limits on their own records, need not justify each page, and are entitled to the records rather than only a summary.
- A business associate engages a subcontractor that will handle protected health information. What must the business associate do under HIPAA?
- Transfer all of its own HIPAA obligations to the subcontractor permanently
- Notify each patient individually about the subcontractor
- Obtain a court order before using a subcontractor
- Obtain satisfactory assurances, through a written agreement, that the subcontractor will safeguard the protected health information
Correct answer: Obtain satisfactory assurances, through a written agreement, that the subcontractor will safeguard the protected health information
A business associate must obtain satisfactory assurances, generally through a written agreement, that any subcontractor handling protected health information will appropriately safeguard it. It cannot simply offload all obligations, and individual patient notice or a court order is not required to use a subcontractor.
- An RHIA reviews a request to disclose PHI to law enforcement. Which disclosure is permitted without authorization under HIPAA?
- Disclosing the entire psychiatric record to any officer who asks informally
- Disclosing limited information in response to a law enforcement official's request to identify or locate a suspect, as permitted by the rule
- Disclosing all patients' records to law enforcement for general screening
- Selling patient information to a law enforcement database vendor
Correct answer: Disclosing limited information in response to a law enforcement official's request to identify or locate a suspect, as permitted by the rule
HIPAA permits disclosing limited identifying or locating information to law enforcement under specified conditions without authorization. Releasing entire psychiatric records on informal request, disclosing all patients' records for general screening, and selling data to a vendor are not permitted.
- A covered entity must establish that disclosures to a health plan for the plan's quality assessment activities are permitted. Under what condition is this disclosure allowed without authorization?
- Only when the patient signs a new authorization for each quality study
- When both entities have a relationship with the individual and the disclosure is for the recipient's health care operations and is a permitted operations category
- Only when the disclosure is sold to the plan
- Never, because operations disclosures between entities are prohibited
Correct answer: When both entities have a relationship with the individual and the disclosure is for the recipient's health care operations and is a permitted operations category
A covered entity may disclose protected health information to another covered entity for the recipient's health care operations when both have a relationship with the individual and the disclosure falls within permitted operations categories such as quality assessment. New authorizations, sale of the data, and a blanket prohibition do not describe this permitted disclosure.
- Which statement best describes the purpose of an accounting of disclosures from the patient's perspective?
- It guarantees the patient a refund for any disclosure made
- It lets patients learn about certain disclosures of their PHI that were made without their authorization for purposes beyond treatment, payment, and operations
- It provides patients a list of every clinician who treated them
- It serves as the patient's authorization for future disclosures
Correct answer: It lets patients learn about certain disclosures of their PHI that were made without their authorization for purposes beyond treatment, payment, and operations
An accounting of disclosures lets patients learn about certain disclosures of their protected health information made without authorization for purposes outside treatment, payment, and operations. It is not a refund mechanism, a treatment roster, or an authorization for future disclosures.
- A privacy officer must decide whether to report a disclosure of three patients' names and appointment times sent to the wrong fax number. What is the appropriate first analytic step?
- Conduct a breach risk assessment to determine the probability that the PHI was compromised
- Immediately notify national media outlets
- Delete all records of the incident to avoid liability
- Wait one year before taking any action
Correct answer: Conduct a breach risk assessment to determine the probability that the PHI was compromised
The appropriate first step is conducting a breach risk assessment to determine the probability that the protected health information was compromised, which guides notification obligations. National media notice is reserved for large breaches, destroying records would be improper, and delaying a year violates notification timelines.
- An RHIA classifies a vendor that only transmits data and does not access it, such as a conduit. How does HIPAA generally treat such a conduit?
- Any entity touching data transmission is always a business associate
- A conduit must sign a notice of privacy practices with each patient
- A conduit is automatically a covered entity
- The conduit exception means an entity that merely transports data without routine access is generally not a business associate
Correct answer: The conduit exception means an entity that merely transports data without routine access is generally not a business associate
Under the conduit exception, an entity that merely transports protected health information without accessing it other than on a random or infrequent basis, such as the postal service or an internet provider, is generally not a business associate. Not every transmitter is a business associate, a conduit does not sign patient notices, and it is not a covered entity.
- A covered entity wants to text appointment reminders to patients. Under HIPAA, which consideration applies?
- All text messaging to patients is strictly prohibited by HIPAA
- Texting requires a signed business associate agreement with the patient
- Reminders must be accounted for in the accounting of disclosures
- Appointment reminders are a permitted communication, but reasonable safeguards should be applied to limit exposure of PHI
Correct answer: Appointment reminders are a permitted communication, but reasonable safeguards should be applied to limit exposure of PHI
Appointment reminders are a permitted treatment-related communication, and covered entities should apply reasonable safeguards to limit exposed protected health information. Texting is not categorically prohibited, patients do not sign business associate agreements, and reminders are not tracked in an accounting of disclosures.
- Which scenario would most likely qualify as an exception that is NOT a reportable breach under the Breach Notification Rule?
- A hacker exfiltrating unencrypted records to an external server
- Mailing records to the wrong patient who reads them
- Posting patient information on a public social media page
- An unintentional, good-faith access by a workforce member acting within their authority, with no further impermissible use
Correct answer: An unintentional, good-faith access by a workforce member acting within their authority, with no further impermissible use
An unintentional, good-faith access by a workforce member acting within their authority, with no further impermissible use or disclosure, is an exception that is not a reportable breach. A hacker exfiltration, misdirected mail viewed by the wrong person, and public posting are impermissible disclosures that would likely be reportable.
- An RHIA is configuring the health information system to capture who viewed each patient record and when. Which HIPAA Security Rule safeguard does this implement?
- Facility access controls limiting building entry
- A business associate agreement with software vendors
- Audit controls that record and examine activity in systems containing electronic protected health information
- The minimum necessary standard for paper records
Correct answer: Audit controls that record and examine activity in systems containing electronic protected health information
Capturing who viewed each record and when implements audit controls, a technical safeguard that records and examines activity in systems with electronic protected health information. Facility access controls are physical, business associate agreements are contracts, and minimum necessary for paper records is unrelated to this logging function.
- An RHIA defines the electronic health record (EHR) for a new informatics committee. Which description best captures what an EHR is?
- A longitudinal electronic record of patient health information generated by one or more encounters in any care delivery setting
- A single-page printed summary of a patient's most recent visit kept at the bedside
- A billing ledger that tracks only the charges associated with a patient account
- A standalone scheduling tool that books appointments without storing clinical data
Correct answer: A longitudinal electronic record of patient health information generated by one or more encounters in any care delivery setting
The electronic health record is a longitudinal electronic record of patient health information generated across one or more encounters in any care setting. It is far more than a printed visit summary, a billing ledger, or a scheduling tool, because it integrates clinical information over time.
- An RHIA distinguishes an electronic health record (EHR) from an electronic medical record (EMR) for clinical leadership. Which statement best captures the difference?
- An EMR is shareable across organizations while an EHR is confined to a single practice
- An EHR is designed to be shared across organizations and follows the patient, while an EMR is generally confined to a single organization
- An EMR and an EHR are identical terms with no meaningful distinction
- An EHR contains only imaging studies while an EMR contains only progress notes
Correct answer: An EHR is designed to be shared across organizations and follows the patient, while an EMR is generally confined to a single organization
An EHR is designed to be shared across organizations and follow the patient over time, whereas an EMR is generally limited to a single organization's internal record. The reversed framing, the claim of no distinction, and the imaging-versus-notes split all misstate the difference.
- An RHIA supports go-live for a new EHR and many end users struggle to locate the order-entry function. Which support activity most directly addresses this problem?
- Recalculating the facility's case mix index for the prior quarter
- Renegotiating the business associate agreement with the software vendor
- Providing targeted at-the-elbow training and workflow guidance to help end users navigate the order-entry function
- Increasing the physical storage capacity of the database server
Correct answer: Providing targeted at-the-elbow training and workflow guidance to help end users navigate the order-entry function
Targeted at-the-elbow training and workflow guidance directly help end users learn to navigate the order-entry function during go-live. Recalculating case mix index, renegotiating a vendor contract, and adding storage do not resolve users' difficulty finding a feature.
- During an EHR implementation, an RHIA establishes a help desk to log and resolve clinician-reported issues. What is the primary purpose of this end-user support structure?
- To assign ICD-10-CM diagnosis codes for inpatient encounters
- To draft the organization's notice of privacy practices
- To determine how long records must be retained before destruction
- To capture, triage, and resolve user-reported problems so adoption and productivity are sustained
Correct answer: To capture, triage, and resolve user-reported problems so adoption and productivity are sustained
An EHR help desk captures, triages, and resolves user-reported problems, which sustains adoption and productivity after go-live. Coding encounters, setting retention periods, and drafting privacy notices are unrelated to supporting end users of the system.
- An RHIA must present three years of monthly readmission rates to the quality committee in a way that makes the upward trend immediately obvious. Which data visualization is most appropriate?
- A line graph plotting the readmission rate over time
- A pie chart showing the proportion of readmissions in a single month
- A data dictionary listing the definition of the readmission field
- A scatter of unlabeled raw values with no axes
Correct answer: A line graph plotting the readmission rate over time
A line graph plotting the readmission rate over time makes a trend across months immediately visible, which is the goal. A single-month pie chart shows proportions rather than change over time, a data dictionary defines fields, and unlabeled raw values do not communicate a trend.
- An RHIA wants to show how a hospital's total operating expenses are divided among departments for a single fiscal year. Which visualization best communicates parts of a whole?
- A line graph tracking expenses across multiple years
- A pie chart showing each department's share of total expenses
- A control chart monitoring process variation over time
- A histogram of patient ages
Correct answer: A pie chart showing each department's share of total expenses
A pie chart effectively communicates parts of a whole, such as each department's share of total expenses in one year. A line graph shows change over time, a control chart monitors process variation, and a histogram displays a frequency distribution rather than proportions.
- An RHIA selects a chart to display the frequency distribution of patient lengths of stay grouped into ranges. Which visualization is most appropriate?
- A line graph of daily census
- A pie chart showing the proportion of male and female patients
- A histogram showing the count of stays falling within each length-of-stay interval
- A flowchart of the discharge process
Correct answer: A histogram showing the count of stays falling within each length-of-stay interval
A histogram displays the frequency distribution of a continuous variable grouped into intervals, making it ideal for length-of-stay ranges. A pie chart shows categorical proportions, a line graph shows change over time, and a flowchart depicts a process rather than a distribution.
- A dashboard designer asks an RHIA why a single key performance indicator should use a gauge or large numeric display rather than a dense table. What is the best rationale?
- A table is always more accurate than any visual element
- A gauge automatically corrects errors in the source data
- Visuals eliminate the need to define the underlying data element
- A focused visual lets decision-makers grasp the metric's status at a glance, supporting faster action
Correct answer: A focused visual lets decision-makers grasp the metric's status at a glance, supporting faster action
A focused visual such as a gauge lets decision-makers grasp a metric's status at a glance, supporting faster action, which is the purpose of data visualization for decision-making. Tables are not inherently more accurate, visuals do not replace data definitions, and a gauge does not correct source-data errors.
- An RHIA produces a quarterly trend report on emergency department wait times for hospital leadership. What is the primary value of a trend report in healthcare analytics?
- It reveals patterns and changes over time so leaders can make informed decisions and target improvements
- It encrypts the wait-time data before transmission to payers
- It assigns CPT codes to each emergency department visit
- It determines the retention schedule for the underlying records
Correct answer: It reveals patterns and changes over time so leaders can make informed decisions and target improvements
A trend report reveals patterns and changes over time, enabling leaders to make informed decisions and target improvements. Encrypting data, assigning CPT codes, and setting retention schedules are not the analytic purpose of trend reporting.
- An RHIA distinguishes descriptive analytics from predictive analytics for a data governance briefing. Which statement is accurate?
- Descriptive analytics forecasts future events while predictive analytics summarizes the past
- Descriptive analytics summarizes what has happened, while predictive analytics uses data to forecast what is likely to happen
- Both terms refer only to manual chart abstraction
- Predictive analytics applies only to financial data and descriptive only to clinical data
Correct answer: Descriptive analytics summarizes what has happened, while predictive analytics uses data to forecast what is likely to happen
Descriptive analytics summarizes what has already happened, while predictive analytics uses data to forecast what is likely to happen. The reversed definition, the chart-abstraction claim, and the financial-versus-clinical split are incorrect.
- An RHIA analyzes a year of monthly coding-productivity numbers and notices values rising in some months and falling in others without a steady direction. To describe the central level of productivity for the year, which measure is most appropriate?
- The retention period for the productivity reports
- The data type assigned to the productivity field
- A measure of central tendency such as the mean of the monthly values
- The number of coders employed in December
Correct answer: A measure of central tendency such as the mean of the monthly values
A measure of central tendency such as the mean summarizes the typical or central level of the monthly productivity values. A field's data type, a retention period, and a headcount do not describe the center of a distribution.
- Which of the following measures is a measure of central tendency used in healthcare statistics?
- The range of the data set
- The interquartile range of the values
- The standard deviation of the values
- The mean, or arithmetic average, of the values
Correct answer: The mean, or arithmetic average, of the values
The mean, or arithmetic average, is a measure of central tendency. The range, standard deviation, and interquartile range are measures of dispersion that describe spread rather than the center of the data.
- An RHIA computes the median length of stay for five discharged patients with stays of 2, 3, 4, 9, and 22 days. What is the median?
- 4 days
- 8 days
- 9 days
- 22 days
Correct answer: 4 days
The median is the middle value of an ordered data set, and for 2, 3, 4, 9, and 22 the middle value is 4 days. Eight days reflects the mean, 9 is the fourth value, and 22 is the maximum, none of which is the median.
- A length-of-stay data set is strongly skewed by a few very long stays. Which measure of central tendency best represents the typical patient stay in this situation?
- The mean, because it uses every value
- The median, because it is resistant to the influence of extreme outliers
- The mode, because it counts the most frequent value
- The range, because it spans the data
Correct answer: The median, because it is resistant to the influence of extreme outliers
The median best represents the typical value in a skewed distribution because it is resistant to the influence of extreme outliers. The mean is pulled toward the long stays, the mode reflects only the most frequent value, and the range is a measure of spread rather than center.
- An RHIA reviews the number of complications coded per case and finds the value 0 appears more often than any other. Which descriptive statistic does this represent?
- The median, the middle value
- The mean, the arithmetic average
- The mode, the most frequently occurring value
- The variance, a measure of spread
Correct answer: The mode, the most frequently occurring value
The most frequently occurring value in a data set is the mode, so a value of 0 appearing most often is the mode. The mean is the average, the median is the middle value, and the variance measures dispersion.
- An RHIA calculates the mean turnaround time for six transcription jobs taking 10, 12, 14, 16, 18, and 20 minutes. What is the mean?
- 14 minutes
- 18 minutes
- 16 minutes
- 15 minutes
Correct answer: 15 minutes
The mean is the sum of the values divided by the count, and 10+12+14+16+18+20=90, divided by 6 jobs equals 690=15 minutes. The other values do not equal the arithmetic average of the six times.
- An RHIA must report a single number describing how spread out individual chart-completion times are around their average. Which statistic provides this?
- The standard deviation of the completion times
- The median of the completion times
- The mode of the completion times
- The principal diagnosis of the encounters
Correct answer: The standard deviation of the completion times
The standard deviation describes how far individual values typically spread around their mean, making it the measure of dispersion needed here. The mode and median describe central or frequent values, and the principal diagnosis is a clinical data element, not a measure of spread.
- Two departments report the same mean monthly volume, but Department A has a much larger standard deviation than Department B. What does this indicate?
- Department A processed fewer total cases than Department B
- Department A's monthly volumes vary more widely around the mean than Department B's
- Department A's mean is incorrect
- Department B has more outliers than Department A
Correct answer: Department A's monthly volumes vary more widely around the mean than Department B's
A larger standard deviation with the same mean indicates Department A's monthly volumes vary more widely around that mean than Department B's. Equal means say nothing about total cases, do not imply a calculation error, and the larger spread is in Department A, not Department B.
- In a normal (bell-shaped) distribution of patient wait times, approximately what percentage of values fall within one standard deviation of the mean?
- About 50 percent
- About 95 percent
- About 68 percent
- About 99 percent
Correct answer: About 68 percent
In a normal distribution, approximately 68 percent of values fall within one standard deviation of the mean. About 95 percent fall within two standard deviations and about 99.7 percent within three, while 50 percent describes the median split rather than one standard deviation.
- An RHIA examines a data set in which every monthly value is identical. What is the standard deviation of this data set?
- Undefined for identical values
- One, by default for any data set
- Equal to the mean of the values
- Zero, because there is no variation among the values
Correct answer: Zero, because there is no variation among the values
When every value is identical there is no dispersion, so the standard deviation is zero. It is not a default of one, it is not equal to the mean, and it is well defined rather than undefined for constant data.
- An RHIA studies whether longer documentation turnaround time is associated with higher claim denial rates and finds that as turnaround time increases, denial rates also tend to increase. Which type of relationship does this describe?
- A positive correlation between the two variables
- A negative correlation between the two variables
- No correlation between the two variables
- A causal proof that turnaround time creates denials
Correct answer: A positive correlation between the two variables
When two variables tend to increase together, they have a positive correlation. A negative correlation would mean one rises as the other falls, no correlation would mean no consistent pattern, and correlation alone does not prove causation.
- An RHIA reports that two analytics measures have a correlation coefficient of -0.85. How should this be interpreted?
- A weak positive relationship between the measures
- A strong negative relationship, where one measure tends to decrease as the other increases
- No relationship at all between the measures
- A perfect positive relationship between the measures
Correct answer: A strong negative relationship, where one measure tends to decrease as the other increases
A correlation coefficient of -0.85 indicates a strong negative relationship, where one variable tends to decrease as the other increases. It is not weak, it is not the absence of a relationship, and the negative sign rules out a positive relationship.
- An analyst concludes that because two variables are highly correlated, one must be causing the other. Why is this conclusion flawed?
- Correlation coefficients cannot exceed 0.5
- A high correlation guarantees the two variables are unrelated
- Correlation measures the strength of association but does not establish that one variable causes the other
- Correlation can only be measured for clinical, not financial, data
Correct answer: Correlation measures the strength of association but does not establish that one variable causes the other
Correlation measures the strength of an association but does not establish causation, since a third factor or coincidence could explain the relationship. Coefficients can exceed 0.5, high correlation does not mean the variables are unrelated, and correlation is not limited to clinical data.
- Which value range is possible for a correlation coefficient (r)?
- Between 0 and 100
- Any positive number with no upper limit
- Between 1 and 10
- Between -1 and +1 inclusive
Correct answer: Between -1 and +1 inclusive
A correlation coefficient ranges from -1 to +1 inclusive, where the extremes indicate perfect negative or positive linear relationships and 0 indicates none. The 0-to-100, 1-to-10, and unbounded-positive ranges are incorrect.
- An RHIA designs a relational database to store patient and encounter data. What is the fundamental structure used to hold data in a relational database?
- Tables composed of rows and columns
- Free-text documents with no defined structure
- A single continuous spreadsheet cell
- Audio files indexed by timestamp
Correct answer: Tables composed of rows and columns
A relational database organizes data into tables made up of rows (records) and columns (fields). It does not rely on unstructured free text, a single cell, or audio files as its fundamental storage structure.
- In a relational database, an RHIA normalizes the design to reduce redundant storage of the same data. What is the primary purpose of normalization?
- To encrypt every field in the database
- To organize data to minimize redundancy and reduce anomalies during insert, update, and delete operations
- To increase the number of duplicate rows for backup
- To convert all tables into a single flat file
Correct answer: To organize data to minimize redundancy and reduce anomalies during insert, update, and delete operations
Normalization organizes data to minimize redundancy and reduce insert, update, and delete anomalies. It is not an encryption technique, it does not intentionally create duplicates, and it separates data into related tables rather than collapsing everything into one flat file.
- An RHIA designs two tables, Patient and Encounter, that must be linked so each encounter belongs to a patient. Which relational design feature establishes this link?
- Storing the entire patient demographic record inside every encounter row
- Removing all keys so the tables can merge freely
- A relationship implemented by placing the patient's key as a reference in the encounter table
- Converting both tables to unstructured notes
Correct answer: A relationship implemented by placing the patient's key as a reference in the encounter table
A relationship between the tables is implemented by placing the patient's key as a reference in the encounter table so each encounter is tied to a patient. Duplicating the full demographic record, removing keys, or converting to unstructured notes would defeat relational design.
- In a relational database table, what does a primary key do?
- It records who last viewed the table
- It encrypts the contents of the table
- It stores the table's backup copy
- It uniquely identifies each row (record) in the table
Correct answer: It uniquely identifies each row (record) in the table
A primary key uniquely identifies each row in a table, ensuring no two records share the same key value. It does not encrypt data, store backups, or log viewers.
- An RHIA reviews a database where the Encounter table contains a column that references the patient_id from the Patient table. What is this referencing column called?
- A foreign key
- A primary key
- A data dictionary
- A surrogate index
Correct answer: A foreign key
A column in one table that references the primary key of another table is a foreign key, which enforces the relationship between the tables. It is not the primary key of its own table, a data dictionary, or merely an index.
- Why is a primary key required to contain unique, non-null values in every row?
- Because it determines the physical color of the table display
- Because it must reliably and unambiguously identify each individual record
- Because it sets the encryption strength of the database
- Because it controls how long the data is retained
Correct answer: Because it must reliably and unambiguously identify each individual record
A primary key must be unique and non-null so it can reliably and unambiguously identify each individual record. It has nothing to do with display color, encryption strength, or retention length.
- An RHIA needs to retrieve all patient records from a database where the discharge status equals 'expired'. Which type of statement accomplishes this?
- A data use agreement
- A retention schedule entry
- A SQL SELECT statement with a WHERE clause filtering on discharge status
- A breach notification report
Correct answer: A SQL SELECT statement with a WHERE clause filtering on discharge status
A SQL SELECT statement with a WHERE clause filters and retrieves rows meeting a condition, such as discharge status equal to 'expired'. A retention schedule, data use agreement, and breach report are governance or compliance documents, not data-retrieval commands.
- In a SQL query, which clause is used to restrict the rows returned to those meeting a specified condition?
- The SELECT clause
- The ORDER BY clause
- The FROM clause
- The WHERE clause
Correct answer: The WHERE clause
The WHERE clause restricts the rows returned to those meeting a specified condition. SELECT specifies which columns to return, FROM names the source table, and ORDER BY sorts the results rather than filtering them.
- An RHIA wants a SQL query to combine matching rows from a Patient table and an Encounter table based on a shared key. Which SQL operation accomplishes this?
- A JOIN that links the two tables on the shared key
- A DROP that deletes one of the tables
- A GRANT that assigns user permissions
- A BACKUP that copies the database
Correct answer: A JOIN that links the two tables on the shared key
A JOIN combines matching rows from two tables based on a shared key, such as linking patients to their encounters. DROP deletes objects, GRANT assigns permissions, and BACKUP copies data rather than combining tables in a query.
- Which SQL function would an RHIA use to count the number of encounter records returned by a query?
- The DELETE statement
- The COUNT aggregate function
- The CREATE TABLE statement
- The WHERE clause alone
Correct answer: The COUNT aggregate function
The COUNT aggregate function returns the number of records, making it the correct choice for counting encounter rows. DELETE removes rows, CREATE TABLE builds a new table, and the WHERE clause filters rows but does not by itself count them.
- An RHIA explains a data warehouse to a new analyst. Which description best defines a healthcare data warehouse?
- A locked room where paper charts are physically stored
- The live transaction system that clinicians use to enter orders in real time
- A central repository that integrates data from multiple source systems and is organized to support analysis and reporting
- A single patient's chart printed for a court request
Correct answer: A central repository that integrates data from multiple source systems and is organized to support analysis and reporting
A data warehouse is a central repository that integrates data from multiple source systems and is structured to support analysis and reporting. It is distinct from the live transactional system, a physical paper-storage room, or a single printed chart.
- Why is a separate data warehouse typically used for analytics rather than running large analytical queries directly against the live EHR transaction database?
- Because the warehouse encrypts data that the EHR cannot
- Because warehouses are required by the minimum necessary standard
- Because the EHR cannot store any historical data
- Because heavy analytical queries can degrade the performance of the live system needed for patient care, and the warehouse is optimized for analysis
Correct answer: Because heavy analytical queries can degrade the performance of the live system needed for patient care, and the warehouse is optimized for analysis
A separate data warehouse is used because heavy analytical queries can slow the live system clinicians rely on, and the warehouse is optimized for analysis across integrated, historical data. Encryption capability, an inability of the EHR to store history, and the minimum necessary standard are not the reasons.
- Before data is loaded into a data warehouse, it is commonly extracted, transformed, and loaded. What does the 'transform' step primarily accomplish?
- It cleanses and standardizes data from different sources into a consistent format for the warehouse
- It deletes the source systems after loading
- It encrypts the warehouse against intrusion
- It assigns ICD-10-CM codes to each record
Correct answer: It cleanses and standardizes data from different sources into a consistent format for the warehouse
The transform step cleanses and standardizes data from disparate sources into a consistent format suitable for the warehouse. It does not delete source systems, serve as an encryption step, or perform diagnosis coding.
- An RHIA applies data mining techniques to a large healthcare data set. What is the primary goal of data mining?
- To physically destroy outdated records on a schedule
- To discover previously unknown patterns, relationships, and trends within large data sets
- To draft the organization's strategic plan
- To verify that each clinician holds a current license
Correct answer: To discover previously unknown patterns, relationships, and trends within large data sets
Data mining aims to discover previously unknown patterns, relationships, and trends within large data sets to support knowledge discovery. Destroying records, drafting a strategic plan, and verifying licensure are unrelated to mining data for hidden patterns.
- A hospital uses data mining to identify combinations of factors associated with hospital-acquired infections. Which best describes how data mining supports this effort?
- It guarantees that no infections will occur in the future
- It replaces the need for clinical care of infected patients
- It detects patterns and associations across many variables that may not be obvious through simple review
- It encrypts the infection data for transmission
Correct answer: It detects patterns and associations across many variables that may not be obvious through simple review
Data mining detects patterns and associations across many variables that may not be apparent through simple manual review, helping target infection-control efforts. It does not guarantee zero infections, replace clinical care, or function as an encryption process.
- An RHIA defines healthcare interoperability for a planning committee. Which description is most accurate?
- The encryption of records at rest within one system
- The practice of storing all data on a single isolated server
- The requirement that every facility use identical hardware
- The ability of different information systems to exchange data and use the exchanged information
Correct answer: The ability of different information systems to exchange data and use the exchanged information
Interoperability is the ability of different information systems and devices to exchange data and meaningfully use the exchanged information. It is not data isolation, identical hardware, or encryption within a single system.
- A regional health information exchange (HIE) allows hospitals and clinics to share patient data. What is the primary purpose of an HIE?
- To enable the electronic sharing of health information among organizations to support coordinated patient care
- To assign relative weights to inpatient cases
- To set the operating budget for member facilities
- To accredit hospitals for participation in Medicare
Correct answer: To enable the electronic sharing of health information among organizations to support coordinated patient care
A health information exchange enables the electronic sharing of health information among organizations to support coordinated, continuous patient care. Assigning relative weights, setting budgets, and accrediting hospitals are not the function of an HIE.
- An RHIA explains why semantic interoperability is harder to achieve than basic data transmission. Which statement best captures the distinction?
- Semantic interoperability means sending a file successfully, regardless of its meaning
- Semantic interoperability ensures that exchanged data is interpreted with the same meaning by the receiving system, not merely transmitted
- Semantic interoperability applies only to paper records
- Semantic interoperability is identical to physically connecting two servers
Correct answer: Semantic interoperability ensures that exchanged data is interpreted with the same meaning by the receiving system, not merely transmitted
Semantic interoperability ensures that exchanged data carries the same meaning to the receiving system, which is harder than simply transmitting a file. It is more than successful transmission, it is not limited to paper, and it goes beyond physically connecting servers.
- An RHIA evaluates standards that support the electronic exchange of clinical and administrative data between systems. Which is a widely used messaging standard for this purpose?
- MS-DRG, an inpatient payment grouping
- UHDDS, a minimum inpatient discharge data set
- HL7, a standard for exchanging clinical and administrative health data between systems
- The notice of privacy practices
Correct answer: HL7, a standard for exchanging clinical and administrative health data between systems
HL7 is a widely used standard for exchanging clinical and administrative health data between systems. UHDDS is a discharge data set, MS-DRG is an inpatient payment grouping, and the notice of privacy practices is a privacy document, none of which are messaging standards.
- An RHIA reviews a modern interoperability standard from HL7 that uses web-based resources and APIs to exchange discrete health data elements. Which standard is being described?
- The charge description master
- ICD-10-PCS
- The case mix index
- FHIR (Fast Healthcare Interoperability Resources)
Correct answer: FHIR (Fast Healthcare Interoperability Resources)
FHIR (Fast Healthcare Interoperability Resources) is the HL7 standard that uses web-based resources and APIs to exchange discrete health data elements. ICD-10-PCS is a procedure coding system, case mix index is a reimbursement metric, and the charge description master is a billing file.
- When an HL7 message is exchanged between a laboratory system and an EHR, what does the message primarily enable?
- Structured transmission of data, such as lab results, in a standardized format both systems can process
- Automatic destruction of the laboratory's records
- Assignment of a relative weight to the encounter
- Physical delivery of paper reports to the unit
Correct answer: Structured transmission of data, such as lab results, in a standardized format both systems can process
An HL7 message enables structured transmission of data, such as lab results, in a standardized format that both the sending and receiving systems can process. It does not destroy records, assign relative weights, or physically deliver paper.
- An EHR alerts a prescriber that a newly ordered medication interacts with a drug the patient already takes. Which informatics functionality does this represent?
- A data warehouse extract for retrospective analysis
- Clinical decision support that delivers a relevant alert at the point of care
- A release of information workflow
- A retention and destruction schedule
Correct answer: Clinical decision support that delivers a relevant alert at the point of care
An interaction alert delivered to the prescriber at the point of care is clinical decision support, which provides relevant guidance during care. A data warehouse extract, a release-of-information workflow, and a retention schedule do not deliver real-time clinical alerts.
- An RHIA explains the goal of clinical decision support (CDS) to a quality committee. Which statement best captures its purpose?
- To assign HCPCS codes to supplies automatically
- To set the annual capital budget for the department
- To provide clinicians with relevant, knowledge-based information at appropriate times to improve care decisions
- To physically store imaging studies offsite
Correct answer: To provide clinicians with relevant, knowledge-based information at appropriate times to improve care decisions
Clinical decision support provides clinicians with relevant, knowledge-based information at appropriate times to improve care decisions. Setting budgets, assigning supply codes, and storing images offsite are not the purpose of CDS.
- An RHIA reviews a clinical decision support configuration that produces so many low-value pop-up alerts that clinicians begin dismissing them without reading. What problem does this illustrate?
- A failure of the retention schedule
- A data normalization error in the database
- A violation of the minimum necessary standard
- Alert fatigue, where excessive or low-value alerts reduce clinician responsiveness
Correct answer: Alert fatigue, where excessive or low-value alerts reduce clinician responsiveness
Excessive or low-value alerts that lead clinicians to dismiss them illustrate alert fatigue, a known CDS design challenge. It is not a database normalization error, a minimum necessary violation, or a retention-schedule failure.
- An RHIA conducts a clinical documentation integrity (CDI) review using a focused audit tool. What is the primary objective of such documentation auditing?
- To ensure clinical documentation is complete, accurate, and supports the care and codes captured
- To calculate the standard deviation of patient ages
- To negotiate payer contracts
- To design the relational database schema
Correct answer: To ensure clinical documentation is complete, accurate, and supports the care and codes captured
Documentation auditing for clinical documentation integrity ensures that documentation is complete, accurate, and supports the care delivered and the codes captured. Calculating statistics, negotiating contracts, and designing schemas are separate activities.
- During a documentation audit, an RHIA finds a record where the discharge summary lists a diagnosis that is never supported elsewhere in the documentation. What is the most appropriate next step?
- Immediately delete the discharge summary
- Initiate a query or follow the documentation integrity process to clarify and reconcile the discrepancy
- Recalculate the facility's case mix index
- Issue a new notice of privacy practices
Correct answer: Initiate a query or follow the documentation integrity process to clarify and reconcile the discrepancy
When documentation is inconsistent, the appropriate step is to initiate a query or follow the documentation integrity process to clarify and reconcile the discrepancy. Deleting the summary, recalculating case mix index, and reissuing a privacy notice do not resolve the documentation conflict.
- An RHIA explains how natural language processing (NLP) is applied in healthcare informatics. Which description is most accurate?
- A reimbursement formula for outpatient services
- A method for physically shredding paper records
- Technology that interprets and extracts meaning from unstructured clinical text such as narrative notes
- A standard for the minimum data collected on discharges
Correct answer: Technology that interprets and extracts meaning from unstructured clinical text such as narrative notes
Natural language processing interprets and extracts meaning from unstructured clinical text, such as narrative notes, turning free text into usable data. It is not a shredding method, a reimbursement formula, or a discharge data-set standard.
- A facility implements computer-assisted coding that uses natural language processing to suggest codes from documentation. How does NLP support this function?
- By assigning user passwords to the coding staff
- By encrypting the documentation before it is read
- By setting the retention period for the records
- By analyzing the narrative documentation and proposing candidate codes for coder review
Correct answer: By analyzing the narrative documentation and proposing candidate codes for coder review
In computer-assisted coding, NLP analyzes narrative documentation and proposes candidate codes that a coder then reviews and validates. It does not encrypt documentation, set retention periods, or assign passwords.
- An RHIA evaluates a proposed EHR system and must confirm it supports structured data entry rather than only free text. Why does structured data entry matter for analytics?
- Structured data is easier to aggregate, query, and analyze consistently than free text
- Structured data eliminates the need for any clinical documentation
- Structured data automatically increases reimbursement
- Structured data removes the need for user training
Correct answer: Structured data is easier to aggregate, query, and analyze consistently than free text
Structured data is easier to aggregate, query, and analyze consistently than free text, which is why it is valued for analytics. It does not remove the need for documentation, raise reimbursement, or eliminate training needs.
- An RHIA leads readiness activities before an EHR go-live, including workflow analysis, testing, and staff training. What is the main goal of this implementation planning?
- To assign MS-DRGs to all prior admissions
- To prepare the organization, workflows, and users so the new system can be adopted successfully and safely
- To draft a data use agreement with researchers
- To calculate the correlation between two variables
Correct answer: To prepare the organization, workflows, and users so the new system can be adopted successfully and safely
EHR implementation planning prepares the organization, workflows, and users so the system can be adopted successfully and safely. Assigning MS-DRGs, drafting data use agreements, and calculating correlations are not the purpose of implementation planning.
- An RHIA must choose a visualization that compares average lengths of stay across five different service lines for a single reporting period. Which chart is most appropriate?
- A flowchart of the admission process
- A single gauge showing one overall number
- A bar chart comparing the average length of stay for each service line
- A data dictionary entry for the length-of-stay field
Correct answer: A bar chart comparing the average length of stay for each service line
A bar chart is well suited to comparing a measure such as average length of stay across distinct categories like service lines. A single gauge shows one value, a flowchart depicts a process, and a data dictionary entry defines a field rather than comparing values.
- An RHIA prepares an analytics report and must avoid a misleading chart. Which practice best supports honest data visualization for decision-making?
- Choosing colors that hide unfavorable results
- Truncating the axis to make small differences look dramatic
- Removing axis labels to simplify the chart
- Starting a bar chart's value axis at zero so the magnitude of differences is not exaggerated
Correct answer: Starting a bar chart's value axis at zero so the magnitude of differences is not exaggerated
Starting a bar chart's value axis at zero prevents exaggerating the magnitude of differences, supporting an honest representation. Truncating the axis, removing labels, and hiding unfavorable results all mislead the audience.
- An RHIA reports that the mean and median of a data set are nearly equal. What does this most likely indicate about the distribution?
- The distribution is approximately symmetric, with little skew
- The distribution is strongly skewed to the right
- The data set contains no values
- The standard deviation must be zero
Correct answer: The distribution is approximately symmetric, with little skew
When the mean and median are nearly equal, the distribution is approximately symmetric with little skew. Strong skew would pull the mean away from the median, near-equality does not imply an empty data set, and it does not require a zero standard deviation.
- An RHIA must describe the dispersion of a data set using a measure expressed in the same units as the original data. Which statistic meets this requirement?
- The variance, which is in squared units
- The standard deviation, which is in the same units as the data
- The mode, which identifies the most frequent value
- The correlation coefficient, which is unitless
Correct answer: The standard deviation, which is in the same units as the data
The standard deviation expresses dispersion in the same units as the original data, unlike the variance, which is in squared units. The mode identifies a frequent value rather than spread, and the correlation coefficient is a unitless measure of association.
- An RHIA plots two variables on a scatter diagram and the points fall closely along an upward-sloping straight line. What does this pattern suggest about their correlation?
- No correlation at all
- A strong negative linear correlation
- A strong positive linear correlation
- A perfectly random relationship
Correct answer: A strong positive linear correlation
Points falling closely along an upward-sloping line on a scatter diagram suggest a strong positive linear correlation. A downward slope would indicate negative correlation, a shapeless cloud would indicate no correlation, and a random relationship would not align along a line.
- An RHIA designs a relational table and must select the best candidate for a primary key in a Patient table. Which choice is most appropriate?
- The patient's diagnosis, which can change and repeat
- The patient's first name, which may repeat across patients
- The patient's city of residence, which many patients share
- A system-generated unique patient identifier that is guaranteed unique and not null
Correct answer: A system-generated unique patient identifier that is guaranteed unique and not null
A system-generated unique patient identifier that is guaranteed unique and never null is the best primary key because it reliably identifies each record. First name, city, and diagnosis can repeat or change, so they cannot uniquely identify rows.
- An RHIA must explain referential integrity in a relational database. Which statement best describes it?
- A foreign key value must match an existing primary key value in the referenced table or be null
- Every column must be encrypted before storage
- All tables must contain the same number of rows
- Each record must be retained for at least ten years
Correct answer: A foreign key value must match an existing primary key value in the referenced table or be null
Referential integrity requires that a foreign key value match an existing primary key in the referenced table or be null, keeping relationships valid. It is not an encryption requirement, a rule about equal row counts, or a retention mandate.
- An RHIA writes a SQL query and wants the results sorted by discharge date from earliest to latest. Which clause accomplishes this?
- WHERE discharge_date exists
- ORDER BY discharge_date ascending
- DELETE FROM discharge_date
- GROUP BY patient_name only
Correct answer: ORDER BY discharge_date ascending
The ORDER BY clause with ascending order sorts results by discharge date from earliest to latest. WHERE filters rows, DELETE removes rows, and GROUP BY aggregates rows rather than simply sorting them.
- An RHIA explains why a data warehouse often stores historical snapshots of data over many years. What analytic benefit does retaining historical data provide?
- It satisfies the patient's right to amend records
- It guarantees that the live EHR runs faster
- It enables trend analysis and comparison of measures across time periods
- It replaces the need for a data dictionary
Correct answer: It enables trend analysis and comparison of measures across time periods
Storing historical snapshots enables trend analysis and comparison of measures across time periods, a core warehouse benefit. It does not directly speed the live EHR, satisfy amendment rights, or replace a data dictionary.
- An RHIA evaluates a data mining model that found an association between two variables that turns out to be coincidental and not meaningful. What does this risk illustrate?
- That data mining replaces the need for any analyst judgment
- That data mining always produces causal proof
- That data mining encrypts the data automatically
- The need to validate mined patterns, since data mining can surface spurious associations
Correct answer: The need to validate mined patterns, since data mining can surface spurious associations
A coincidental association illustrates the need to validate mined patterns, because data mining can surface spurious relationships that are not meaningful. It does not provide causal proof, perform encryption, or eliminate the need for analyst judgment.
- An RHIA supports adoption of standardized clinical terminologies to improve interoperability. Why do shared terminologies aid the meaningful exchange of data between systems?
- They give the same clinical concept a consistent representation so receiving systems interpret it correctly
- They eliminate the need for any network connection
- They automatically raise reimbursement for each encounter
- They remove the requirement to document care
Correct answer: They give the same clinical concept a consistent representation so receiving systems interpret it correctly
Shared standardized terminologies give the same clinical concept a consistent representation, so a receiving system can interpret exchanged data correctly, advancing semantic interoperability. They do not remove the need for connectivity, raise reimbursement, or eliminate documentation.
- An RHIA reviews how an HL7 interface engine functions between disparate systems. What is its primary role?
- To assign diagnosis codes to encounters
- To route and translate messages between systems so they can communicate despite differing formats
- To calculate descriptive statistics for reports
- To store paper records in a secure room
Correct answer: To route and translate messages between systems so they can communicate despite differing formats
An HL7 interface engine routes and translates messages between systems so they can communicate despite differing formats, enabling integration. Assigning codes, calculating statistics, and storing paper are not its role.
- An RHIA configures a clinical decision support reminder that prompts clinicians when a diabetic patient is due for a recommended screening. Which type of CDS intervention is this?
- A retention schedule notification
- A data warehouse extract for billing
- A preventive care reminder based on patient data and clinical rules
- An accounting of disclosures entry
Correct answer: A preventive care reminder based on patient data and clinical rules
A prompt that a diabetic patient is due for a recommended screening is a preventive care reminder, a form of clinical decision support driven by patient data and clinical rules. It is not a billing extract, a retention notification, or a disclosure-accounting entry.
- An RHIA designs a documentation audit program and must decide how to select records for review. Which approach best supports a statistically meaningful audit?
- Reviewing only records with the highest reimbursement
- Reviewing only records the coders volunteer as their best work
- Auditing a single record chosen at random once a year
- Drawing a representative sample of records using a defined sampling methodology
Correct answer: Drawing a representative sample of records using a defined sampling methodology
Drawing a representative sample using a defined sampling methodology supports a statistically meaningful audit whose findings can be generalized. Self-selected best work, a single annual record, and only high-reimbursement records all bias the audit.
- An RHIA assesses how natural language processing differs from simple keyword search of clinical notes. Which statement is most accurate?
- NLP interprets context and meaning, allowing it to handle negation and synonyms that simple keyword search cannot
- NLP only counts how many words appear in a note
- NLP is identical to a keyword search with no added capability
- NLP can analyze only numeric fields, not text
Correct answer: NLP interprets context and meaning, allowing it to handle negation and synonyms that simple keyword search cannot
NLP interprets context and meaning, enabling it to handle negation and synonyms that a simple keyword search misses. It does more than count words, it is not identical to keyword search, and it specifically processes text rather than only numbers.
- An RHIA must report the typical staffing level across a year and chooses the appropriate average given that the monthly values are roughly symmetric with no extreme outliers. Which measure of central tendency is most suitable?
- The mode, because only the most frequent value matters
- The mean, because it uses all values and the data lacks extreme outliers
- The range, because it spans the data
- The standard deviation, because it measures spread
Correct answer: The mean, because it uses all values and the data lacks extreme outliers
For roughly symmetric data without extreme outliers, the mean is the most suitable measure of central tendency because it uses all values effectively. The mode reflects only the most frequent value, while the range and standard deviation measure spread rather than the center.
- An RHIA needs to translate raw data from the warehouse into an interactive display that lets executives filter results and drill into details. Which informatics output best meets this need?
- A SQL DELETE statement
- A single static printed page with no controls
- An interactive dashboard with filtering and drill-down capabilities
- A signed authorization form
Correct answer: An interactive dashboard with filtering and drill-down capabilities
An interactive dashboard with filtering and drill-down capabilities lets executives explore results and reach decisions, fulfilling the data-visualization purpose. A static page lacks interactivity, a DELETE statement removes data, and an authorization form is a privacy document.
- An RHIA must explain why an EHR's audit trail of clinician activity is valuable for analytics and informatics oversight, beyond its security role. Which use is most relevant to informatics?
- Drafting the business associate agreement
- Calculating the case mix index for billing
- Setting the operating budget for the department
- Analyzing system usage patterns to understand workflow and improve EHR adoption
Correct answer: Analyzing system usage patterns to understand workflow and improve EHR adoption
Analyzing audit-trail usage patterns helps informatics teams understand workflow and improve EHR adoption, an analytic use beyond security. Calculating case mix index, setting budgets, and drafting vendor agreements are not informatics uses of usage data.
- When an RHIA reports a facility's case mix index, what unit best describes the resulting value?
- A dollar amount per discharge
- A percentage of total claims paid
- A unitless average relative weight
- A count of inpatient beds
Correct answer: A unitless average relative weight
Case mix index is a unitless average relative weight, because MS-DRG relative weights are themselves unitless ratios benchmarked to an overall average of 1.0. It is not expressed in dollars, as a percentage of claims, or as a bed count.
- A coding manager notices the medical case mix index dropped sharply in one month while surgical volume was unchanged. Which explanation is the most plausible revenue-integrity concern to investigate first?
- The chargemaster prices were lowered that month
- Patient satisfaction scores declined
- The record retention schedule was shortened
- A coding backlog left high-weighted surgical cases uncoded and excluded from the reported CMI
Correct answer: A coding backlog left high-weighted surgical cases uncoded and excluded from the reported CMI
The most plausible concern is that a coding backlog left high-weighted surgical cases uncoded, so they were excluded from the discharges feeding the reported CMI, deflating the average. Chargemaster pricing, satisfaction scores, and retention schedules do not affect the relative weights that determine CMI.
- To compute the case mix index for a defined patient cohort, which step must an analyst perform after summing the cohort's relative weights?
- Multiply the sum by the hospital base rate
- Divide the sum by the number of cases in the cohort
- Subtract the number of denied claims
- Add the average length of stay
Correct answer: Divide the sum by the number of cases in the cohort
After summing the relative weights, the analyst divides that sum by the number of cases in the cohort to obtain the case mix index. Multiplying by the base rate yields total payment rather than CMI, and denial counts or length of stay are not part of the calculation.
- Two service lines each treated 40 inpatients. Cardiology's summed relative weight was 96.0 and orthopedics' was 72.0. Which service line has the higher case mix index, and what is it?
- Orthopedics, 1.80
- Both are equal at 1.00
- Cardiology, 96.0
- Cardiology, 2.40
Correct answer: Cardiology, 2.40
Cardiology has the higher case mix index at 2.40, because 96.0 ÷ 40 = 2.40, while orthopedics is 72.0 ÷ 40 = 1.80. The higher average relative weight reflects a more resource-intensive cardiology case mix; the summed weight itself is not the CMI.
- Under the inpatient prospective payment system, how is the base Medicare payment for an inpatient case generally determined?
- By multiplying the MS-DRG relative weight by the hospital's payment base rate
- By summing every chargemaster line item on the account
- By the patient's number of inpatient days only
- By the total of all CPT modifiers appended
Correct answer: By multiplying the MS-DRG relative weight by the hospital's payment base rate
The base inpatient payment is generally the MS-DRG relative weight multiplied by the hospital's payment base rate, which is then adjusted for factors such as wage index and outliers. It is not the sum of chargemaster items, a per-day amount, or a total of modifiers.
- A coder is unsure whether a documented secondary condition qualifies as a major complication or comorbidity. Why does this distinction matter for MS-DRG relative weighting?
- Only an MCC, not a CC, can ever increase the relative weight in any DRG family
- An MCC generally shifts the case to a higher-weighted tier than a CC within the same base DRG
- CCs and MCCs are interchangeable and never affect the weight
- The distinction affects only outpatient APC payment
Correct answer: An MCC generally shifts the case to a higher-weighted tier than a CC within the same base DRG
An MCC generally shifts the case to a higher-weighted severity tier than a CC within the same base DRG family, increasing payment more than a CC would. CCs can also raise the weight in many families, the two are not interchangeable, and severity tiering is an inpatient MS-DRG feature, not an APC one.
- Which of the following is the broadest mutually exclusive category that MS-DRGs are organized under, based on body system or etiology?
- Ambulatory Payment Classifications
- Revenue codes
- National Drug Codes
- Major Diagnostic Categories (MDCs)
Correct answer: Major Diagnostic Categories (MDCs)
MS-DRGs are organized under Major Diagnostic Categories (MDCs), which group conditions by body system or etiology before further refinement into individual DRGs. APCs are an outpatient construct, revenue codes identify cost centers, and National Drug Codes identify drugs, none of which is the organizing structure for DRGs.
- A hospital administrator asks why the DRG-based payment for a case did not change even though the patient's total charges were unusually high. What feature of the DRG payment model explains this?
- DRG payment always equals the sum of submitted charges
- DRG payment is a fixed prospective amount per group, independent of individual charges except for designated outlier cases
- DRG payment is negotiated patient by patient
- DRG payment is based only on the discharge disposition
Correct answer: DRG payment is a fixed prospective amount per group, independent of individual charges except for designated outlier cases
DRG payment is a fixed prospective amount tied to the assigned group, so it does not rise with individual charges except when a case qualifies as a high-cost outlier. It is not the sum of charges, a per-patient negotiation, or set solely by discharge disposition.
- An RHIA explains that the original DRG concept was created chiefly to address which healthcare financing problem?
- Patients lacking access to a notice of privacy practices
- Hospitals retaining records for too short a time
- Uncontrolled cost growth under retrospective cost-based hospital reimbursement
- Coders lacking access to clinical terminologies
Correct answer: Uncontrolled cost growth under retrospective cost-based hospital reimbursement
DRGs were created chiefly to control cost growth under retrospective cost-based reimbursement by paying a predetermined amount per case type. The concept did not arise to solve privacy-notice access, record retention duration, or terminology availability.
- In which order do the core stages of the healthcare revenue cycle generally occur?
- Claim submission, registration, charge capture, payment posting
- Payment posting, coding, registration, prior authorization
- Denial appeals, registration, coding, scheduling
- Pre-registration and registration, charge capture and coding, claim submission, payment and collections
Correct answer: Pre-registration and registration, charge capture and coding, claim submission, payment and collections
The revenue cycle generally flows from pre-registration and registration, through charge capture and coding, to claim submission, and finally payment and collections. The other sequences place back-end functions such as payment posting or appeals before the front-end and middle stages, which is incorrect.
- An RHIA is asked which revenue cycle key performance indicator best signals how long it takes to convert services into cash. Which metric is most appropriate?
- Days in accounts receivable
- Record retention compliance rate
- Number of privacy notices distributed
- Average inpatient bed count
Correct answer: Days in accounts receivable
Days in accounts receivable best signals how long it takes to convert delivered services into cash, measuring the average time outstanding before payment. Retention compliance, privacy-notice counts, and bed count do not measure revenue collection speed.
- Who is typically responsible for maintaining and reviewing the charge description master across hospital departments?
- Only the privacy officer
- Only individual bedside nurses
- A multidisciplinary CDM team including HIM, finance, compliance, and clinical departments
- Only the external payer
Correct answer: A multidisciplinary CDM team including HIM, finance, compliance, and clinical departments
CDM maintenance is typically the responsibility of a multidisciplinary team spanning HIM, finance, compliance, and clinical departments, because accurate charge entries require both coding and operational input. It is not owned solely by the privacy officer, bedside nurses, or the payer.
- Which data element in a charge description master line item is used to identify the hospital cost center, such as pharmacy or radiology, on the UB-04 claim?
- The patient's date of birth
- The revenue code
- The MS-DRG relative weight
- The notice of privacy practices version
Correct answer: The revenue code
The revenue code identifies the hospital cost center, such as pharmacy or radiology, on the UB-04 claim and is a core CDM data element. A date of birth, a relative weight, and a privacy-notice version are not used to identify the cost center.
- An RHIA discovers duplicate CDM entries for the same service with two different charge amounts. What is the most significant risk this creates?
- A breach of protected health information
- An automatic loss of accreditation
- An extension of the legal record retention period
- Inconsistent and potentially noncompliant pricing that can trigger billing errors and audit exposure
Correct answer: Inconsistent and potentially noncompliant pricing that can trigger billing errors and audit exposure
Duplicate CDM entries for the same service create inconsistent, potentially noncompliant pricing that can produce billing errors and audit exposure, since the same service may be charged at different rates. This is a charge-integrity issue, not a privacy breach, an automatic accreditation loss, or a retention change.
- Under OPPS, when several minor services are provided during one outpatient encounter, the payment for some items is 'packaged.' What does packaging mean?
- Each item is paid at full billed charges
- Payment for the minor items is bundled into the payment for the primary service rather than paid separately
- The items are excluded from the claim entirely
- The items are reassigned to an inpatient DRG
Correct answer: Payment for the minor items is bundled into the payment for the primary service rather than paid separately
Packaging under OPPS means payment for certain minor or ancillary items is bundled into the payment for the primary service rather than paid separately. It does not mean full-charge payment, removal from the claim, or reassignment to an inpatient DRG.
- A hospital outpatient claim reports a procedure assigned to a separately payable APC plus several packaged items. How is the encounter most likely reimbursed under OPPS?
- The full billed charges for every line item
- An inpatient DRG payment
- No payment because outpatient claims are not covered
- A single APC payment that already accounts for the packaged items
Correct answer: A single APC payment that already accounts for the packaged items
The encounter is most likely reimbursed through a single APC payment for the separately payable procedure that already accounts for the packaged ancillary items. It is not paid at full billed charges, through an inpatient DRG, or denied outright as uncovered.
- Which federal entity establishes and updates the rules governing the Medicare outpatient prospective payment system?
- The Joint Commission
- The Centers for Medicare & Medicaid Services (CMS)
- The American Hospital Association
- The hospital's local privacy board
Correct answer: The Centers for Medicare & Medicaid Services (CMS)
CMS establishes and updates the rules governing OPPS, including APC assignments and payment rates, through annual rulemaking. The Joint Commission accredits, the American Hospital Association is a trade association, and a local privacy board does not set Medicare payment policy.
- An RHIA reviews an OPPS claim where a drug's status indicator marks it as paid under a special drug methodology. What does the status indicator primarily communicate?
- The patient's secondary insurance plan
- The record's destruction date
- The payment method and policy that apply to that specific service line
- The coder's productivity rate
Correct answer: The payment method and policy that apply to that specific service line
An OPPS status indicator primarily communicates the payment method and policy that apply to a specific service line, such as separate payment, packaging, or a special drug methodology. It does not identify secondary insurance, a destruction date, or coder productivity.
- Besides hospital outpatient departments, which other Medicare setting uses a prospective payment system distinct from IPPS and OPPS?
- Skilled nursing facilities, which use their own PPS
- Retail pharmacies, which use OPPS
- Physician offices, which use MS-DRGs
- Ambulance suppliers, which use IPPS
Correct answer: Skilled nursing facilities, which use their own PPS
Skilled nursing facilities are reimbursed under their own prospective payment system distinct from IPPS and OPPS. Retail pharmacies do not bill under OPPS, physician offices do not use MS-DRGs, and ambulance suppliers are not paid under IPPS.
- What is the defining contrast between a prospective payment system and a retrospective fee-for-service model?
- A PPS always pays more than fee-for-service for the same case
- Fee-for-service uses DRGs and PPS uses billed charges
- A PPS sets the payment amount before care using predefined classifications, while fee-for-service pays after care based on services rendered
- Both determine payment only after a record is destroyed
Correct answer: A PPS sets the payment amount before care using predefined classifications, while fee-for-service pays after care based on services rendered
The defining contrast is that a PPS sets payment before care using predefined classifications such as DRGs or APCs, whereas fee-for-service pays after care based on the services rendered. A PPS does not inherently pay more, the methodologies are reversed in the second option, and neither depends on record destruction.
- An analyst evaluates whether a payment model rewards efficiency. Under which model does a provider bear the financial risk if actual costs exceed the predetermined rate for a case?
- A pure retrospective cost-reimbursement system
- A charge-based billed-amount system
- An uncapped per-diem system
- A prospective payment system
Correct answer: A prospective payment system
Under a prospective payment system the provider bears the financial risk when actual costs exceed the fixed predetermined rate, which creates the efficiency incentive. Retrospective cost reimbursement, charge-based billing, and uncapped per-diem models shift more of that risk back to the payer.
- Which annual reference governs ICD-10-CM code additions, deletions, and revisions in the United States?
- The hospital's internal CDM committee minutes
- The annual ICD-10-CM code set updates released by CMS and the NCHS
- The Current Procedural Terminology editorial panel
- The OPPS status indicator list
Correct answer: The annual ICD-10-CM code set updates released by CMS and the NCHS
ICD-10-CM additions, deletions, and revisions are governed by the annual code set updates released by CMS and the National Center for Health Statistics (NCHS). The CDM committee, the CPT editorial panel, and OPPS status indicators do not control ICD-10-CM diagnosis code maintenance.
- A coder reviews an outpatient record documenting a definitive diagnosis and several signs and symptoms that are integral to that diagnosis. Under ICD-10-CM guidelines, how should the integral signs and symptoms be coded?
- They must always be coded in addition to the diagnosis
- They should not be separately coded when routinely associated with the confirmed condition
- They replace the principal diagnosis
- They are coded only on inpatient claims
Correct answer: They should not be separately coded when routinely associated with the confirmed condition
Under ICD-10-CM guidelines, signs and symptoms that are integral to a confirmed diagnosis are not separately coded. They are neither always added, a substitute for the diagnosis, nor restricted to inpatient claims.
- A coder must select an ICD-10-CM code to the highest level of specificity available. What is the consequence of submitting a truncated or unspecified code when a more specific one is documented?
- The code automatically converts to ICD-10-PCS
- The patient's retention schedule is shortened
- The claim may be rejected or denied for lack of coding specificity
- The chargemaster price is increased
Correct answer: The claim may be rejected or denied for lack of coding specificity
Submitting a truncated or unspecified code when documentation supports greater specificity can cause the claim to be rejected or denied for lack of coding specificity. The code does not convert to a procedure system, alter retention, or change chargemaster pricing.
- In the ICD-10-PCS Medical and Surgical section, which character position identifies the root operation, such as excision or resection?
- The first character
- The seventh character
- There is no character for root operation
- The third character
Correct answer: The third character
In the ICD-10-PCS Medical and Surgical section, the third character identifies the root operation, such as excision or resection. The first character designates the section, the seventh designates the qualifier, and root operation is indeed represented in the code structure.
- A coder must assign an ICD-10-PCS code for a procedure where the objective was to cut out a portion of the gallbladder. Which concept must the coder correctly identify to build the code?
- The objective of the procedure, which determines the root operation character
- The patient's insurance plan
- The hospital's bed count
- The applicable APC status indicator
Correct answer: The objective of the procedure, which determines the root operation character
To build an ICD-10-PCS code the coder must identify the objective of the procedure, which determines the root operation character. Insurance plan, bed count, and APC status indicators do not drive ICD-10-PCS root operation selection.
- Why is ICD-10-PCS described as a multiaxial, expandable coding system?
- It uses only two fixed characters that never change
- It assigns codes by listing chargemaster prices
- Each of its seven characters represents an independent axis of classification that can be combined to build new codes
- It is identical in structure to ICD-10-CM
Correct answer: Each of its seven characters represents an independent axis of classification that can be combined to build new codes
ICD-10-PCS is multiaxial and expandable because each of its seven characters represents an independent axis of classification that combine to build precise, new codes as needed. It is not two fixed characters, a price list, or structurally identical to the diagnosis system ICD-10-CM.
- Which organization maintains the CPT code set and convenes the editorial panel that updates it?
- The Centers for Disease Control and Prevention
- The American Medical Association
- The Joint Commission
- The Social Security Administration
Correct answer: The American Medical Association
The American Medical Association maintains the CPT code set and convenes the CPT Editorial Panel that updates it. The CDC, the Joint Commission, and the Social Security Administration do not maintain CPT.
- Which of the following is reported using a CPT Category I evaluation and management code?
- A durable medical equipment wheelchair
- An inpatient surgical procedure reported on the UB-04 with ICD-10-PCS
- A principal diagnosis of pneumonia
- An office visit for an established patient
Correct answer: An office visit for an established patient
An office visit for an established patient is reported with a CPT Category I evaluation and management code. Durable medical equipment uses HCPCS Level II, inpatient procedures use ICD-10-PCS, and a diagnosis uses ICD-10-CM, none of which is a CPT E/M service.
- A coder reviews documentation for a surgery and an unrelated, separately identifiable evaluation and management service performed on the same day by the same physician. Which CPT modifier is appropriate to report the E/M service so both are payable?
- Modifier 25
- Modifier 59
- Modifier 50
- Modifier 76
Correct answer: Modifier 25
Modifier 25 reports a significant, separately identifiable E/M service by the same physician on the same day as a procedure, allowing both to be payable when documented. Modifier 59 reports a distinct procedural service, modifier 50 reports a bilateral procedure, and modifier 76 reports a repeat procedure, none of which fits a separately identifiable E/M.
- How is HCPCS Level I distinguished from HCPCS Level II?
- Level I covers supplies and Level II covers diagnoses
- Level I is for inpatient and Level II is for retention scheduling
- Level I consists of the CPT codes, while Level II covers items and services not in CPT, such as supplies and drugs
- Both levels report only ICD-10-CM diagnoses
Correct answer: Level I consists of the CPT codes, while Level II covers items and services not in CPT, such as supplies and drugs
HCPCS Level I consists of the CPT codes, while HCPCS Level II covers items and services not represented in CPT, such as supplies, drugs, and durable medical equipment. The other options misassign diagnoses, retention, or inpatient scope to these levels.
- A clinic administers an injectable medication and must report the specific drug and dosage for reimbursement. Which code set most appropriately captures the drug itself?
- ICD-10-PCS
- HCPCS Level II J-codes
- MS-DRG codes
- SNOMED CT identifiers
Correct answer: HCPCS Level II J-codes
The injectable drug is most appropriately reported with HCPCS Level II J-codes, which are designated for drugs and biologicals administered other than by the oral route. ICD-10-PCS reports inpatient procedures, MS-DRGs group inpatient stays, and SNOMED CT is a clinical terminology, not a billing code for the drug.
- A coder appends a HCPCS Level II modifier such as RT or LT to a procedure. What information does this type of modifier convey?
- The patient's primary insurance carrier
- The hospital's accreditation status
- Anatomical or laterality detail about where the service was performed
- The record's legal hold status
Correct answer: Anatomical or laterality detail about where the service was performed
HCPCS Level II modifiers such as RT and LT convey anatomical or laterality detail, indicating the right or left side where a service was performed. They do not report insurance carrier, accreditation status, or legal hold status.
- An RHIA establishes a target coding accuracy rate as part of a compliance program. Which approach best supports ongoing coding compliance?
- Auditing coders only after a payer denies a claim
- Routine prospective and retrospective coding audits with feedback and education
- Reviewing only claims that have already been paid
- Disabling all coding edits to speed throughput
Correct answer: Routine prospective and retrospective coding audits with feedback and education
Ongoing coding compliance is best supported by routine prospective and retrospective audits paired with feedback and education, which catch and correct errors continuously. Auditing only after denials, reviewing only paid claims, or disabling edits weakens compliance rather than strengthening it.
- A coding validation review reveals that documentation supports a higher-severity DRG than was originally assigned, lowering the deserved payment. What is this error called, and what is the compliant response?
- Upcoding; leave it because it reduces audit risk
- Unbundling; refer it to the privacy officer
- Down-coding; correct the assignment to reflect documentation and rebill appropriately
- Benchmarking; record it as a positive variance
Correct answer: Down-coding; correct the assignment to reflect documentation and rebill appropriately
Assigning a lower-severity code than documentation supports is down-coding, and the compliant response is to correct the assignment to reflect the documentation and rebill appropriately. It is not upcoding, unbundling, or benchmarking, and accuracy, not artificially low coding, is the compliance goal.
- A CDI specialist must write a query about a possible diagnosis suggested by clinical indicators. Which query practice keeps the program compliant?
- Directing the provider to document the diagnosis that yields the highest payment
- Offering only the single highest-weighted diagnosis as a choice
- Promising the provider a bonus for documenting a particular condition
- Phrasing the query neutrally and presenting clinical indicators without leading the provider to a specific answer
Correct answer: Phrasing the query neutrally and presenting clinical indicators without leading the provider to a specific answer
A compliant query is phrased neutrally and presents the clinical indicators without leading the provider toward a specific, payment-favorable answer. Directing toward the highest-paying diagnosis, offering only one weighted choice, or tying documentation to a bonus would make the query non-compliant.
- How does an effective CDI program most directly influence a hospital's reported case mix index?
- By prompting accurate, complete documentation that supports correctly assigned, appropriately weighted DRGs
- By raising chargemaster prices across all departments
- By shortening the record retention period
- By limiting patient access to records
Correct answer: By prompting accurate, complete documentation that supports correctly assigned, appropriately weighted DRGs
An effective CDI program influences case mix index by prompting accurate, complete documentation that supports correctly assigned and appropriately weighted DRGs, so the reported CMI reflects true patient complexity. It does not work through chargemaster pricing, retention changes, or limiting patient access.
- Which payment arrangement is an example of value-based reimbursement?
- Paying full billed charges for each separate service
- A pure per-procedure fee with no quality measurement
- A bundled payment that holds a provider accountable for cost and quality across an episode of care
- Reimbursing every line item on the chargemaster individually
Correct answer: A bundled payment that holds a provider accountable for cost and quality across an episode of care
A bundled payment that holds a provider accountable for cost and quality across an episode of care is an example of value-based reimbursement. Paying full charges, a pure per-procedure fee, or itemized chargemaster reimbursement are volume-based fee-for-service approaches.
- Under a value-based purchasing program tied to quality outcomes, why is accurate present-on-admission coding especially important to the revenue team?
- It determines the chargemaster's revenue codes
- It distinguishes hospital-acquired conditions from those present on arrival, affecting quality scores and payment adjustments
- It sets the record's destruction date
- It changes which terminology the coder uses
Correct answer: It distinguishes hospital-acquired conditions from those present on arrival, affecting quality scores and payment adjustments
Accurate present-on-admission coding distinguishes hospital-acquired conditions from those present on arrival, which directly affects quality scores and value-based payment adjustments. It does not determine revenue codes, set destruction dates, or change the coder's terminology.
- An RHIA reviews claims data and finds a pattern of services billed but with no supporting documentation in the record. Under fraud and abuse principles, how is billing for services not rendered classified?
- As an acceptable estimate of expected care
- As a routine coding clarification
- As fraudulent billing that must be reported and corrected under the compliance program
- As a privacy-rule disclosure issue
Correct answer: As fraudulent billing that must be reported and corrected under the compliance program
Billing for services not rendered is fraudulent billing that must be reported and corrected under the compliance program. It is never an acceptable estimate, a routine clarification, or a privacy-rule disclosure matter.
- Which government office is primarily responsible for combating fraud, waste, and abuse in HHS programs and publishes annual work plans that guide healthcare compliance focus areas?
- The Joint Commission
- The Federal Communications Commission
- The Office of Inspector General (OIG)
- The hospital's HIM department
Correct answer: The Office of Inspector General (OIG)
The Office of Inspector General (OIG) is primarily responsible for combating fraud, waste, and abuse in HHS programs and publishes annual work plans that guide compliance priorities. The Joint Commission accredits, the FCC regulates communications, and an HIM department is not the federal enforcement body.
- A recovery audit contractor identifies a complex-review overpayment and the hospital believes the documentation fully supports the original claim. What is the hospital's appropriate recourse?
- Pursue the formal Medicare appeals process to challenge the finding
- Immediately destroy the disputed records
- Resubmit the same claim without changes
- Refer the matter to the patient for resolution
Correct answer: Pursue the formal Medicare appeals process to challenge the finding
When a hospital believes documentation supports the original claim, the appropriate recourse to a RAC overpayment finding is to pursue the formal Medicare appeals process. Destroying records is illegal, resubmitting an unchanged claim does not address the finding, and patients do not resolve RAC determinations.
- What distinguishes a recovery audit contractor's role from that of a clinical accreditation surveyor?
- A RAC accredits the hospital while a surveyor recovers payments
- A RAC focuses on identifying improper Medicare payments, while an accreditation surveyor evaluates compliance with quality and safety standards
- Both perform identical payment-recovery functions
- A RAC sets chargemaster prices and a surveyor approves claims
Correct answer: A RAC focuses on identifying improper Medicare payments, while an accreditation surveyor evaluates compliance with quality and safety standards
A RAC focuses on identifying and recovering improper Medicare payments, whereas an accreditation surveyor evaluates compliance with quality and safety standards. The roles are not reversed, not identical, and neither sets chargemaster prices or approves claims.
- A denials analyst categorizes denials to target improvement efforts. Why is distinguishing a 'hard' denial from a 'soft' denial important?
- Hard denials result in permanently lost revenue unless appealed, while soft denials can often be corrected and resubmitted for payment
- Hard denials are always paid automatically
- Soft denials can never be recovered
- The distinction only affects the record retention schedule
Correct answer: Hard denials result in permanently lost revenue unless appealed, while soft denials can often be corrected and resubmitted for payment
Distinguishing the two matters because a hard denial represents permanently lost revenue unless successfully appealed, while a soft denial can often be corrected and resubmitted for payment. Hard denials are not auto-paid, soft denials are recoverable, and the distinction is about revenue recovery, not retention.
- A claim is rejected at the clearinghouse before reaching the payer because of a missing data element. How does a rejection differ from a denial?
- A rejection means the payer reviewed and refused payment, while a denial never enters the payer's system
- A rejection occurs before the claim is accepted into the payer's system and can be corrected and resubmitted, while a denial is a payer's decision not to pay an accepted claim
- Rejections and denials are identical and handled the same way
- A rejection requires a formal appeal and a denial does not
Correct answer: A rejection occurs before the claim is accepted into the payer's system and can be corrected and resubmitted, while a denial is a payer's decision not to pay an accepted claim
A rejection occurs before the claim is accepted into the payer's system, so it can be corrected and resubmitted, whereas a denial is the payer's decision not to pay a claim it has accepted and adjudicated. The first option reverses the definitions, the two are not identical, and a denial, not a rejection, typically requires a formal appeal.
- What is the central function of claim scrubbing software applied before claims are transmitted to payers?
- To permanently delete any claim containing an error
- To automatically detect coding, formatting, and missing-data errors so they can be corrected prior to submission
- To disclose protected health information to research partners
- To establish staff productivity benchmarks
Correct answer: To automatically detect coding, formatting, and missing-data errors so they can be corrected prior to submission
Claim scrubbing software automatically detects coding, formatting, and missing-data errors so they can be corrected before transmission, reducing downstream rejections and denials. It does not delete claims, disclose PHI, or set productivity benchmarks.
- A claim scrubber applies an edit that flags a procedure code as not payable without a supporting diagnosis that establishes medical necessity. Which type of edit is this?
- A record retention edit
- A privacy disclosure edit
- A medical necessity edit comparing procedure and diagnosis codes
- A staffing productivity edit
Correct answer: A medical necessity edit comparing procedure and diagnosis codes
An edit that flags a procedure as not payable without a supporting diagnosis is a medical necessity edit, which compares procedure and diagnosis codes against coverage policies. It is not a retention edit, a privacy disclosure edit, or a staffing productivity edit.
- A health information manager wants to reduce variation and defects in the chart-deletion workflow by following a structured, data-driven methodology built on the Define, Measure, Analyze, Improve, and Control phases. Which performance-improvement approach is being described?
- Workflow charting
- Failure mode and effects analysis
- Balanced scorecard
- Six Sigma
Correct answer: Six Sigma
The approach described is Six Sigma. Six Sigma is a data-driven methodology aimed at reducing process variation and defects, and its core improvement framework is DMAIC: Define, Measure, Analyze, Improve, and Control. The other tools do not use the DMAIC structure.
- In a Six Sigma project to reduce coding errors, an HIM director must select a metric that captures how often the coding process produces a defect per opportunity. Which Six Sigma concept directly measures the quality level of a process by counting defects per million opportunities?
- Span of control
- Process sigma level (defects per million opportunities)
- Case mix index
- Turnover rate
Correct answer: Process sigma level (defects per million opportunities)
The correct metric is the process sigma level expressed as defects per million opportunities. Six Sigma quantifies quality by counting defects per million opportunities, with a higher sigma level meaning fewer defects. Span of control, turnover rate, and case mix index measure other things entirely.
- An HIM manager is choosing between two improvement methodologies. The team wants to focus primarily on eliminating non-value-added steps and waste from the release-of-information process to make it flow more efficiently. Which methodology best matches this goal?
- Six Sigma defect-reduction
- Hoshin budgeting
- Lean process improvement
- Critical path scheduling
Correct answer: Lean process improvement
The best match is Lean process improvement. Lean focuses on identifying and eliminating waste, or non-value-added activities, to improve process flow and efficiency. Six Sigma centers on reducing variation and defects, while the other options are not improvement methodologies of this type.
- During a Lean review of the scanning workflow, a team maps every step a document passes through and classifies each as value-added or non-value-added so waste can be removed. Which Lean tool is the team using?
- Value stream map
- Gantt chart
- Organizational chart
- Control chart
Correct answer: Value stream map
The team is using a value stream map. In Lean, a value stream map diagrams each step in a process and distinguishes value-added from non-value-added activities so waste can be targeted for elimination. A control chart tracks variation, and the other charts serve scheduling or structure purposes.
- An HIM department adopts a continuous-improvement cycle in which staff Plan a small test of a change, Do the change on a limited scale, Study the results, and Act on what they learned before spreading or revising the change. Which cycle is being applied?
- ROI workflow
- SWOT analysis
- PDSA cycle
- Span of control
Correct answer: PDSA cycle
The cycle being applied is the PDSA cycle. PDSA stands for Plan, Do, Study, Act, an iterative continuous-improvement model used to test and refine changes on a small scale before full implementation. SWOT analysis and the other options are not iterative improvement cycles.
- A quality team has completed the 'Plan' and 'Do' steps of a PDSA cycle to shorten chart-completion time. They have collected pilot data and now must compare the results against their prediction before deciding what to do next. Which step are they entering?
Correct answer: Study
They are entering the Study step. In the PDSA cycle, after planning and doing the pilot, the Study phase analyzes the collected data and compares results to the original prediction. The Act phase that follows decides whether to adopt, adapt, or abandon the change.
- After a serious patient-identification error reaches the wrong record, an HIM leader convenes a team to dig past the immediate mistake and identify the underlying system failures that allowed it to happen. Which analytical technique is being used?
- Root cause analysis
- Cost-benefit analysis
- Trend forecasting
- Job analysis
Correct answer: Root cause analysis
The technique is root cause analysis. Root cause analysis is a structured method that looks beyond the immediate error to identify the fundamental system and process failures that allowed an adverse event to occur, so corrective actions address true causes. The other options analyze costs, trends, or jobs rather than event causation.
- A root cause analysis team keeps asking 'why' a duplicate medical record was created, repeatedly questioning each answer until they reach a system-level cause. Which root cause analysis tool are they using?
- Pareto chart
- The Five Whys
- Histogram
- Scatter diagram
Correct answer: The Five Whys
They are using the Five Whys. This root cause analysis tool involves repeatedly asking 'why' about each successive answer to drill from the surface symptom down to the underlying systemic cause. A Pareto chart, histogram, and scatter diagram display data but do not iteratively question causation.
- A root cause analysis facilitator wants a visual diagram that organizes potential causes of a coding-backlog problem into categories such as people, process, equipment, and materials. Which tool best fits this need?
- Decision matrix
- Fishbone (Ishikawa) diagram
- Run chart
- Flowchart
Correct answer: Fishbone (Ishikawa) diagram
The best fit is the fishbone, or Ishikawa, diagram. It is a cause-and-effect diagram used in root cause analysis to organize possible causes of a problem into major categories such as people, process, equipment, and materials. A run chart shows trends over time and the other tools serve different purposes.
- An HIM director supervises seven team leads who each report directly to her. The number of subordinates reporting directly to a single manager is best described by which management concept?
- Unity of direction
- Chain of command
- Span of control
- Delegation of authority
Correct answer: Span of control
This is span of control. Span of control refers to the number of subordinates or direct reports that one manager supervises. Chain of command describes reporting lines from top to bottom, and the other options describe direction and delegation rather than the count of direct reports.
- A newly merged HIM department flattens its structure so each manager now supervises 15 employees instead of 6. Which is the most likely organizational effect of this wider span of control?
- An automatic increase in employee turnover
- A legally required change to the chain of command
- More management layers and tighter individual oversight
- Fewer management layers and reduced supervisory overhead
Correct answer: Fewer management layers and reduced supervisory overhead
The most likely effect is fewer management layers and reduced supervisory overhead. A wider span of control means each manager oversees more employees, which flattens the organization and lowers supervisory costs, though it can reduce the closeness of oversight. It does not automatically raise turnover or legally mandate chain-of-command changes.
- An HIM coding unit needs the equivalent of one full-time position to handle additional volume. Two part-time coders each work 20 hours per week, and a standard full-time schedule is 40 hours per week. How many full-time equivalents (FTEs) do these two part-time coders represent?
- 1.0 FTE
- 4.0 FTE
- 2.0 FTE
- 0.5 FTE
Correct answer: 1.0 FTE
The two coders represent 1.0 FTE. An FTE is calculated by dividing total hours worked by the standard full-time hours; here 20+20=40 hours divided by a 40-hour full-time week equals 4040=1.0 FTE. Counting them as 2.0 would ignore that each works only half time.
- An HIM manager must staff a release-of-information desk that requires 8,320 productive hours per year. If one full-time equivalent provides 2,080 productive hours per year, approximately how many FTEs are required to cover the workload?
- 8 FTEs
- 4 FTEs
- 16 FTEs
- 2 FTEs
Correct answer: 4 FTEs
Approximately 4 FTEs are required. FTE staffing need is calculated by dividing the total required productive hours by the productive hours one FTE provides: 2,0808,320=4. Choosing 2 or 8 would misdivide the required hours.
- An HIM director is preparing financial plans for next year. She needs to budget for routine day-to-day costs such as staff salaries, office supplies, and software maintenance fees. Which type of budget covers these recurring operational expenses?
- Capital budget
- Master patient index
- Cash flow statement
- Operating budget
Correct answer: Operating budget
These recurring costs belong in the operating budget. An operating budget covers the routine day-to-day expenses of running a department, such as salaries, supplies, and ongoing service fees. A capital budget instead covers large, long-lived asset purchases, and the other options are not budgets.
- An HIM department plans to purchase a new $250,000 enterprise document-imaging system expected to be used for ten years. Into which budget should this large, long-lived asset acquisition be placed?
- Operating budget
- Petty cash fund
- Payroll budget
- Capital budget
Correct answer: Capital budget
This belongs in the capital budget. A capital budget funds the acquisition of major, long-lived assets such as equipment and systems that exceed a set cost threshold and provide value over multiple years. An operating budget covers recurring expenses, not large one-time asset purchases.
- An HIM manager establishes that coders are expected to assign codes for 24 inpatient records per day as a baseline against which actual output will be measured. What has the manager defined?
- A productivity standard
- A notice of privacy practices
- A span of control
- A capital budget
Correct answer: A productivity standard
The manager has defined a productivity standard. A productivity standard sets the expected quantity of work, such as records coded per day, that serves as a baseline for monitoring and evaluating staff performance. The other options address budgets, supervision counts, and privacy notices.
- A transcription supervisor monitors output and finds that staff routinely produce only 70 percent of the established productivity standard. Which management action most directly addresses a productivity-monitoring finding like this?
- Investigate causes such as system downtime or training gaps and adjust workflow or expectations
- Reassign the work to the privacy office
- Immediately raise the productivity standard for all staff
- Eliminate the productivity standard entirely
Correct answer: Investigate causes such as system downtime or training gaps and adjust workflow or expectations
The appropriate action is to investigate causes such as system downtime or training gaps and adjust workflow or expectations. Productivity monitoring is meant to surface gaps so a manager can analyze why output trails the standard and intervene, not to arbitrarily raise standards, abandon measurement, or shift work to an unrelated office.
- An HIM director compares her department's coding accuracy rate and turnaround time against published rates from top-performing peer hospitals to identify performance gaps and best practices. What management technique is she using?
- Job analysis
- Capital budgeting
- Benchmarking
- Delegation
Correct answer: Benchmarking
She is using benchmarking. Benchmarking compares an organization's performance metrics against those of peers or recognized best-in-class performers to identify gaps and adopt best practices. Job analysis, capital budgeting, and delegation address staffing, finances, and authority rather than comparative performance.
- An HIM department measures its current discharge-not-final-billed days against an industry standard published by a professional association before setting improvement targets. This use of an external comparison standard is an example of which type of benchmarking?
- External (competitive or industry) benchmarking
- Retrospective coding review
- Internal benchmarking
- Capital budgeting
Correct answer: External (competitive or industry) benchmarking
This is external, or industry, benchmarking. Comparing performance against standards or metrics from outside the organization, such as industry or peer data, is external benchmarking. Internal benchmarking compares units within the same organization, and the other options are not benchmarking at all.
- An HIM director is leading the transition from paper records to a new electronic health record. To address staff resistance, she communicates the vision, involves employees early, provides training, and reinforces new behaviors. Which leadership discipline is she practicing?
- Coding compliance
- Change management
- Records retention
- Span of control
Correct answer: Change management
She is practicing change management. Change management is the structured approach to guiding people and organizations through transitions, using communication, involvement, training, and reinforcement to overcome resistance and sustain adoption. The other options address retention, coding, and supervision rather than managing organizational change.
- During a major EHR rollout, employees express anxiety and resistance to abandoning familiar paper workflows. According to change management principles, which leadership action is most effective at reducing this resistance?
- Discipline employees who voice concerns
- Withhold information until the change is complete
- Implement the change with no advance notice
- Communicate clearly and involve staff in planning the change
Correct answer: Communicate clearly and involve staff in planning the change
The most effective action is to communicate clearly and involve staff in planning the change. Change management research shows that transparent communication and employee participation build buy-in and reduce resistance. Withholding information, punishing concerns, or surprising staff tends to increase fear and resistance.
- An HIM leader develops a five-year plan that defines the department's mission, sets long-term goals aligned with the organization's vision, and identifies initiatives to achieve them. Which management process is this?
- Release of information
- Root cause analysis
- Strategic planning
- Operational scheduling
Correct answer: Strategic planning
This is strategic planning. Strategic planning is the long-range process of defining mission and vision, setting multi-year goals, and identifying initiatives that align the department with the broader organization's direction. Operational scheduling, root cause analysis, and release of information are narrower or unrelated processes.
- While developing a strategic plan, an HIM director assesses the department's internal strengths and weaknesses alongside external opportunities and threats. Which analysis tool is she applying?
- SWOT analysis
- Fishbone diagram
- Pareto analysis
- FTE calculation
Correct answer: SWOT analysis
She is applying a SWOT analysis. SWOT examines internal Strengths and Weaknesses together with external Opportunities and Threats and is a standard tool in strategic planning. A fishbone diagram supports root cause analysis, FTE calculation addresses staffing, and Pareto analysis prioritizes problems.
- An HIM department launches an ongoing program to systematically measure, assess, and improve the quality of its coding, documentation, and service processes over time. Which organizational function is this program?
- Performance and quality improvement
- Span of control
- Capital budgeting
- Accounting of disclosures
Correct answer: Performance and quality improvement
This program is performance and quality improvement. Performance and quality improvement is the continuous organizational function of measuring, assessing, and improving processes and outcomes over time. Capital budgeting, span of control, and accounting of disclosures address finance, supervision, and privacy tracking instead.
- A quality improvement team studying release-of-information turnaround wants to display where the most common delay reasons cluster so they can focus on the vital few causes. Which performance-improvement tool best supports this prioritization?
- Notice of privacy practices
- Pareto chart
- Job description
- Chain of command
Correct answer: Pareto chart
The best tool is a Pareto chart. A Pareto chart ranks problem categories by frequency to highlight the vital few causes that account for most of the issue, supporting prioritized quality improvement. The other options are a privacy document, a staffing document, and a reporting-structure concept.
- An HIM department needs a written document that lists the duties, responsibilities, required qualifications, and reporting relationships for a coding specialist position. Which human resources document serves this purpose?
- Capital budget
- Performance benchmark
- Job description
- Notice of privacy practices
Correct answer: Job description
The document is a job description. A job description formally lists a position's duties, responsibilities, required qualifications, and reporting relationships and is a core human resources tool for hiring and evaluation. The other options serve privacy, financial, and comparative-performance purposes.
- Before writing a new job description for an HIM data analyst, a manager systematically collects information about the tasks, knowledge, and skills the role actually requires. What is this information-gathering process called?
- Onboarding
- Benchmarking
- Job analysis
- Performance appraisal
Correct answer: Job analysis
This process is job analysis. Job analysis is the systematic study of a position's tasks, responsibilities, and required knowledge and skills, and its findings form the basis for writing an accurate job description. Performance appraisal evaluates existing employees, while benchmarking and onboarding serve other functions.
- An HIM manager must ensure a job description complies with employment law by listing only the genuine duties of the role and the qualifications truly needed to perform it. Failing to keep a job description accurate and job-related most directly increases the organization's risk of which problem?
- A breach of protected health information
- An invalid release-of-information authorization
- Miscalculation of the case mix index
- Discrimination claims based on unjustified hiring requirements
Correct answer: Discrimination claims based on unjustified hiring requirements
The most direct risk is discrimination claims based on unjustified hiring requirements. Job descriptions that list qualifications not genuinely required for the role can screen out protected groups without business justification, exposing the employer to discrimination liability. PHI breaches, case mix index errors, and ROI authorization issues are unrelated to job description accuracy.
- An HIM department oversees recruiting, hiring, performance appraisal, compensation, and employee relations for its staff. These activities collectively fall under which management function?
- Human resources management
- Information governance
- Clinical documentation improvement
- Revenue cycle management
Correct answer: Human resources management
These activities fall under human resources management. Human resources management encompasses recruiting, hiring, performance appraisal, compensation, and employee relations. Revenue cycle management, information governance, and clinical documentation improvement address billing, data governance, and documentation rather than personnel functions.
- An HIM manager conducts an annual, documented review of each coder's accuracy, productivity, and professional conduct, then uses it to set development goals. Which human resources activity is being performed?
- Job analysis
- Strategic planning
- Capital budgeting
- Performance appraisal
Correct answer: Performance appraisal
The activity is a performance appraisal. A performance appraisal is the periodic, documented evaluation of an employee's job performance that supports feedback, goal-setting, and development decisions. Job analysis studies the position itself, while strategic planning and capital budgeting address organizational direction and major purchases.
- A newly hired HIM coder participates in a structured orientation program covering organizational policies, the EHR system, and departmental coding workflows before working independently. Which human resources and development activity is this?
- Root cause analysis
- Onboarding and orientation
- Capital budgeting
- Performance benchmarking
Correct answer: Onboarding and orientation
This is onboarding and orientation. Onboarding, including new-employee orientation, is a training and development activity that introduces new staff to organizational policies, systems, and workflows so they can become productive. Benchmarking, budgeting, and root cause analysis serve unrelated purposes.
- After ICD-10-CM coding guidelines are updated, an HIM director arranges instructor-led sessions and competency checks so coders can apply the new rules correctly. This effort to build current job skills in existing staff is best categorized as which function?
- Recruitment
- Accreditation survey
- Training and development
- Capital budgeting
Correct answer: Training and development
This effort is training and development. Training and development builds the knowledge and skills of current employees so they can perform their jobs effectively, including keeping pace with updated coding guidelines. Recruitment brings in new staff, and the other options address finances and accreditation.
- A hospital is preparing for a voluntary survey by a nationally recognized body whose accreditation can confer deemed status for Medicare participation and which evaluates compliance with standards through periodic on-site reviews. Which accrediting organization is most likely described?
- The Joint Commission
- The AHIMA House of Delegates
- The Office for Civil Rights
- The Recovery Audit Contractor
Correct answer: The Joint Commission
The organization described is The Joint Commission. The Joint Commission is a widely recognized accrediting body that conducts periodic on-site surveys and whose accreditation can confer deemed status for Medicare participation. The other entities perform claims audits, enforce HIPAA, or govern AHIMA, not hospital accreditation.
- As an HIM director prepares for an upcoming accreditation survey, which activity most directly supports demonstrating compliance with the accrediting body's health-record standards?
- Negotiating a business associate agreement
- Mapping a relational database schema
- Conducting record reviews to verify documentation timeliness, completeness, and authentication
- Recalculating the case mix index
Correct answer: Conducting record reviews to verify documentation timeliness, completeness, and authentication
The most directly supportive activity is conducting record reviews to verify documentation timeliness, completeness, and authentication. Accreditation surveys assess whether health records meet documentation standards, so ongoing record reviews demonstrate compliance. Case mix calculation, contract negotiation, and database mapping address other domains.
- A hospital that participates in Medicare must comply with federal health and safety standards, including specific medical-record requirements, in order to receive reimbursement. These mandatory federal standards are known as what?
- The HIPAA Privacy Rule
- The AHIMA Code of Ethics
- The Joint Commission standards
- CMS Conditions of Participation
Correct answer: CMS Conditions of Participation
These are the CMS Conditions of Participation. The Conditions of Participation are federal health and safety standards, including medical-record requirements, that hospitals must meet to participate in and be reimbursed by Medicare. The HIPAA Privacy Rule governs PHI, the AHIMA Code of Ethics guides professionals, and Joint Commission standards are accreditation requirements.
- An HIM manager must ensure that every inpatient record contains a completed history and physical, signed within the timeframe set by federal participation rules, to keep the facility eligible for Medicare payment. Which regulatory requirement drives this documentation timeframe?
- The minimum necessary standard
- The CMS Conditions of Participation
- The ICD-10-PCS guidelines
- The OPPS payment indicators
Correct answer: The CMS Conditions of Participation
The driving requirement is the CMS Conditions of Participation. These federal rules specify medical-record content and timeliness standards, such as completion and authentication of the history and physical, that hospitals must meet to remain eligible for Medicare reimbursement. The minimum necessary standard, PCS guidelines, and OPPS indicators address privacy, procedure coding, and outpatient payment instead.
- An HIM director must decide which performance-improvement methodology to deploy for a problem characterized by long wait times and many redundant hand-offs but few outright errors. Analyzing the problem, which methodology is the most appropriate first choice and why?
- Six Sigma, because the core problem is statistical variation
- Lean, because the core problem is waste and inefficient flow rather than defect variation
- Root cause analysis, because a single sentinel event occurred
- Benchmarking, because the goal is comparison to peers
Correct answer: Lean, because the core problem is waste and inefficient flow rather than defect variation
The most appropriate first choice is Lean, because the core problem is waste and inefficient flow rather than defect variation. Lean targets non-value-added steps such as wait times and redundant hand-offs, which fits this scenario better than Six Sigma's focus on defect variation, a single-event root cause analysis, or peer benchmarking.
- An HIM director reviews monthly coder productivity reports and notices that one experienced coder consistently exceeds the standard by 30 percent while three others fall below it. Analyzing this monitoring data, what is the most appropriate management interpretation before acting?
- The productivity standard should be discarded because results vary
- The high performer should immediately set the new mandatory standard for everyone
- The low performers should be terminated based solely on the report
- The variation may reflect differences in case complexity, training, or workflow that should be investigated before judging performance
Correct answer: The variation may reflect differences in case complexity, training, or workflow that should be investigated before judging performance
The most appropriate interpretation is that the variation may reflect differences in case complexity, training, or workflow that should be investigated before judging performance. Productivity monitoring data identifies variation that a manager must analyze for root causes before taking action, rather than instantly resetting standards, terminating staff, or abandoning measurement.