Home / AHPREP-CBCS · CBCS — Certified Billing and Coding Specialist (NHA)

ModuleAHPREP-CBCS

CBCS — Certified Billing and Coding Specialist (NHA)

Prepare for CBCS — Certified Billing and Coding Specialist (NHA) with practice questions covering 53 topics. Build your knowledge, track your progress, and study effectively with AH Prep.

Questions
1,695
Units
6
Topics
53
Access
Free tier available

What’s in it.

6 units

Sample questions

3 of many

A few questions from this module, with the answer and a full explanation. The complete bank is available when you start practising.

  1. What is the HIPAA-required electronic transaction standard for dental claims?

    • ANSI X12 837D (Dental) is the HIPAA-required electronic transaction for submitting dental claims
      Correct answer
    • ANSI X12 837I (Institutional) is required for dental facility claims such as oral surgery performed in a hospital
    • ANSI X12 837P (Professional) is used for all dental claims because dental providers are classified as professional providers under HIPAA
    • ANSI X12 835 is the electronic standard for dental claim submission as well as remittance advice
    Explanation

    HIPAA designates the ANSI X12 837D as the electronic claim transaction for dental services. The '837D' distinction identifies it as the dental-specific format, separate from the 837P (professional/physician claims) and 837I (institutional/facility claims). The electronic 837D is the equivalent of the paper ADA J430D form. The key takeaway: 837D = HIPAA electronic dental claim; 837P = professional medical claim; 837I = institutional/facility claim.

  2. When a claim is denied by the payer after adjudication, what is the appropriate next step?

    • Resubmit the claim immediately as a new original claim without reviewing the denial reason.
    • Review the denial reason (CARC code on the ERA), determine whether the denial is correctable or appealable, then either correct and resubmit (if a coding/data error) or file a formal appeal (if the denial is clinically or contractually inappropriate).
      Correct answer
    • Report the denial to CMS within 5 business days, as all payer denials must be logged in the federal denial registry.
    • Convert the denied claim to a self-pay balance and apply any applicable contractual adjustment automatically.
    Explanation

    When a claim is denied after adjudication, the biller should: (1) review the Claim Adjustment Reason Code (CARC) on the ERA to understand why the payer denied the claim; (2) determine the appropriate response — if the denial is due to a correctable error (wrong code, missing modifier), correct and resubmit; if the denial is clinically or contractually inappropriate, file a formal appeal within the payer's timely filing window; (3) document the denial and action taken in the billing system. Denials are not final; most are reversible with the correct response. The key takeaway: denied claim = review CARC code, then appeal or correct and resubmit based on denial reason.

  3. After a ransomware attack, a hospital's systems are encrypted and patient records are inaccessible for 72 hours before being restored from backup. The hospital conducts a four-factor risk assessment and concludes the data was never accessed or exfiltrated by the attacker. Must the hospital issue breach notifications?

    • No notification is required because ransomware attacks are classified as security incidents, not breaches, under HIPAA.
    • Notification is required only if the attacker demanded and received a ransom payment.
    • HHS guidance states that ransomware encrypting ePHI is presumed a breach because an unauthorized party accessed the data; notification is required unless the four-factor risk assessment shows low probability of PHI compromise.
      Correct answer
    • Notification is required only if the outage lasted more than 24 hours, causing a disruption to patient care.
    Explanation

    HHS OCR issued guidance in 2016 (Ransomware and HIPAA) stating that ransomware that encrypts ePHI is an unauthorized acquisition of PHI and therefore likely constitutes a breach. The ePHI was 'accessed' by the malicious software (an unauthorized actor). The covered entity must conduct a four-factor risk assessment; if it cannot establish low probability of compromise, notification is required. Restoration from backup does not negate the breach because the unauthorized acquisition already occurred. Key takeaway: Ransomware is presumed a HIPAA breach — successful restoration from backup does not retroactively eliminate the breach; notification is required unless the four-factor analysis shows low probability of compromise.