ModuleAHPREP-CBCS
CBCS — Certified Billing and Coding Specialist (NHA)
Prepare for CBCS — Certified Billing and Coding Specialist (NHA) with practice questions covering 53 topics. Build your knowledge, track your progress, and study effectively with AH Prep.
What’s in it.
6 units- Unit 01
Unit 1: Healthcare System and Settings
Access: Free tier246 questions · 6 topics - Unit 02
Unit 2: Medical Terminology for Coding
Access: Premium325 questions · 10 topics - Unit 03
Unit 3: ICD-10-CM Diagnosis Coding
Access: Premium142 questions · 9 topics - Unit 04
Unit 4: CPT Procedural Coding
Access: Premium313 questions · 9 topics - Unit 05
Unit 5: HCPCS Level II Coding
Access: Premium269 questions · 10 topics - Unit 06
Unit 6: Insurance and Claims Processing
Access: Premium400 questions · 9 topics
Sample questions
3 of manyA few questions from this module, with the answer and a full explanation. The complete bank is available when you start practising.
What is the HIPAA-required electronic transaction standard for dental claims?
- ANSI X12 837D (Dental) is the HIPAA-required electronic transaction for submitting dental claimsCorrect answer
- ANSI X12 837I (Institutional) is required for dental facility claims such as oral surgery performed in a hospital
- ANSI X12 837P (Professional) is used for all dental claims because dental providers are classified as professional providers under HIPAA
- ANSI X12 835 is the electronic standard for dental claim submission as well as remittance advice
ExplanationHIPAA designates the ANSI X12 837D as the electronic claim transaction for dental services. The '837D' distinction identifies it as the dental-specific format, separate from the 837P (professional/physician claims) and 837I (institutional/facility claims). The electronic 837D is the equivalent of the paper ADA J430D form. The key takeaway: 837D = HIPAA electronic dental claim; 837P = professional medical claim; 837I = institutional/facility claim.
When a claim is denied by the payer after adjudication, what is the appropriate next step?
- Resubmit the claim immediately as a new original claim without reviewing the denial reason.
- Review the denial reason (CARC code on the ERA), determine whether the denial is correctable or appealable, then either correct and resubmit (if a coding/data error) or file a formal appeal (if the denial is clinically or contractually inappropriate).Correct answer
- Report the denial to CMS within 5 business days, as all payer denials must be logged in the federal denial registry.
- Convert the denied claim to a self-pay balance and apply any applicable contractual adjustment automatically.
ExplanationWhen a claim is denied after adjudication, the biller should: (1) review the Claim Adjustment Reason Code (CARC) on the ERA to understand why the payer denied the claim; (2) determine the appropriate response — if the denial is due to a correctable error (wrong code, missing modifier), correct and resubmit; if the denial is clinically or contractually inappropriate, file a formal appeal within the payer's timely filing window; (3) document the denial and action taken in the billing system. Denials are not final; most are reversible with the correct response. The key takeaway: denied claim = review CARC code, then appeal or correct and resubmit based on denial reason.
After a ransomware attack, a hospital's systems are encrypted and patient records are inaccessible for 72 hours before being restored from backup. The hospital conducts a four-factor risk assessment and concludes the data was never accessed or exfiltrated by the attacker. Must the hospital issue breach notifications?
- No notification is required because ransomware attacks are classified as security incidents, not breaches, under HIPAA.
- Notification is required only if the attacker demanded and received a ransom payment.
- HHS guidance states that ransomware encrypting ePHI is presumed a breach because an unauthorized party accessed the data; notification is required unless the four-factor risk assessment shows low probability of PHI compromise.Correct answer
- Notification is required only if the outage lasted more than 24 hours, causing a disruption to patient care.
ExplanationHHS OCR issued guidance in 2016 (Ransomware and HIPAA) stating that ransomware that encrypts ePHI is an unauthorized acquisition of PHI and therefore likely constitutes a breach. The ePHI was 'accessed' by the malicious software (an unauthorized actor). The covered entity must conduct a four-factor risk assessment; if it cannot establish low probability of compromise, notification is required. Restoration from backup does not negate the breach because the unauthorized acquisition already occurred. Key takeaway: Ransomware is presumed a HIPAA breach — successful restoration from backup does not retroactively eliminate the breach; notification is required unless the four-factor analysis shows low probability of compromise.