Chapter 10: Fundamentals of Law for Health - The HIPAA Security Rule

Electronic protected health information (ePHI)

Under HIPAA, all individually identifiable information that is created or received electronically by a healthcare provider or any other entity subject to HIPAA requirements

The HIPAA Security Rule requires that passwords a. be updated every 90 days. b. be updated by organizational policy. c. be updated every time there is a breach. d. be updated every 60 days.

be updated by organizational policy.

Non-compliance with the HIPAA Security Rule can lead to: a. civil penalties up to $25,000 per person per year. b. criminal penalties up to $250,000 and 10 years in prison. c. both a and b. d. neither a nor b.

both a and b

The HIPAA "Security Awareness and Training" administrative safeguard requires all of the following addressable implementation programs for an entity's workforce except. a. disaster recovery plan b. log-in monitoring c. password management d. security reminders

disaster recovery plan

Which of the following statements is false about the Security Officer? He/she: a. is generally the individual within the healthcare organization responsible for overseeing the information security program. b. holds a required full-time position under HIPAA Security Rule. c. generally reports to an upper level administrator within the healthcare organization. d. is given the authority to effectively manage the security program, apply sanctions and influence employees

holds a required full-time position under HIPAA Security Rule.

With addressable standards, the covered entity may do all but which of the following? a. implement the standard as written b. implement an alternative standard c. ignore the standard since it is addressable d. determine the risk of not implementing is negligible

ignore the standard since it is addressable

Health Insurance Portability and Accountability Act (HIPAA) of 1996

A law enacted by Congress on August 21st, 1996, governing various aspects of health information; federal legislation enacted to provide continuity of health coverage, control fraud and abuse in healthcare, reduce healthcare costs, and guarantee the security and privacy of health information.

Confidentiality

A legal and ethical concept that establishes the healthcare provider's responsibility for protecting health records and other personal and private information from unauthorized use or disclosure. The Security Rule defines as 'data or information that is not made available or disclosed to unauthorized persons or porcesses

Business associate (BA)

A person or organization other than a member of covered entity's workforce that performs functions or activities on behalf of or affecting a covered entity that involve the use or disclosure of individually identifiable health information.

Automatic log-off

A security procedure that causes a computer session to end after a predetermined period of inactivity, such as 10 minutes.

Physical safeguards

A set of four standards defined by the HIPAA Security Rule: facility access controls, workstation use, workstation security, and device and media controls.

The purpose of the implementation specifications of the HIPAA Security Rule is to provide A. protection of patient information B. instruction for implementation of standards C. guidance for security training and education D. sample policies and procedures for compliance

instruction for implementation of standards

Administrative safeguards

A set of nine standards defined by the HIPAA Security Rule: security management functions, assigned security responsibility, workforce security, information access management, security awareness and training, security incident reporting, contingency plan, evaluation, and business associate contracts and other arrangements.

Encryption

A technique used to ensure that data transferred from one location on a network to another are secure from eavesdropping or interception.

The VP of Finance wants to consider sending all of the medical transcriptionists home to work. What security issues should be included in the risk analysis? a. Access of data by unauthorized persons b. Storage of data on remote devices c. Transmission risks when reporting data d. Potential for new regulations

Access of data by unauthorized persons

The HIPAA Security Rule applies to which of the following covered entities? a. Hospital that bills Medicare b. Physician electronic billing company c. BlueCross health insurance plan d. a and c e. b and c f. All of the above g. None of the above

All of the above

Security officer or chief security officer

An individual responsible for overseeing privacy policies and procedure May report to the CIO

The capture of data by a hospital's data security system that shows multiple invalid attempts to access the patients' database is an example of what type of security control? a. Audit log b. Access Control c. Auto-Authentication d. Override Function

Audit log

The Security Rule requires CEs to ensure the integrity and legality of patient information.

False

Health Information Technology for Economic and Clinical Health (HITECH)

Federal legislation that was passed as a portion of the American Recovery and Reinvestment Act; contains changes to the HIPAA Privacy Rule.

The HIPAA Security Rule contains what provision about encryption? a. It is required for all ePHI. b. It is required based on CMS guidance. c. It is required based on organizational policy. d. It is not required for small providers.

It is required based on organizational policy

The enforcement agency for the security rule is a. Office of the Inspector General b. Centers for Medicare and Medicaid Services c. Office of Civil Rights d. Office of Management and Budget

Office of Civil Rights

Which of the following statements about HIPAA training is false? a. Privacy and Security training should be separated. b. Different levels of training are needed depending on an employee's position in the organization. c. All employees in a health care organization need HIPAA training. d. Training is required under the HIPAA Security Rule.

Privacy and Security training should be separated.

Security

Refers to protecting information from loss, unauthorized access, or misuse, along with protecting its confidentiality

The HIPAA Security Rule contains the following safeguards except a. technical b. administrative c. physical d. reliability

Reliability

Technical safeguards

Security measures that are based on technology rather than on administration or physical security, including access control, unique user identification, automatic log-off, and encryption and decryption.

The goal of the Security Rule is to ensure that patient information is protected from unauthorized access, alteration, deletion, and transmission.

True

According to the HIPAA Security Rule, how should a covered entity instruct a physician who needs a new smart phone and her current smart phone contains ePHI? a. Keep her old smart phone. b. Turn in her old smart phone. c. Recycle the old smart phone by giving it to a charity. d. Do what she wants since IT is too busy with other projects.

Turn in her old smart phone.

Compliance

1. The process of establishing an organizational culture that promotes the prevention, detection, and resolution of instances of conduct that do not conform to federal, state, or private payer health care program requirements or the health care organizations ethical and business policies. 2. The act of adhering to official requirements

The Security Rule contains encryption specifications that all CEs must comply.

False

The Security Rule contains provision that CEs can ignore.

False

The Security Rule is completely technical and requires computer programmers to address.

False

What are the primary distinctions between the HIPAA Security Rule and the HIPAA Privacy Rule? a. The Privacy Rule applies to all forms of patients' PHI, whether electronic, written, or oral, but the Security Rule covers only electronic PHI. b. The Security Rule provides for far more comprehensive security requirements than the Privacy Rule and includes a level of detail not provided in the Privacy Rule. c. Both a and b. d. Neither a nor b; there are no distinctions.

Both a and b

Copying data onto tapes and storing the tapes at a distant location is an example of a. Data Backup b. Data Mapping c. Data Recovery d. Data Storage for Recovery

Data Backup

The admissions department is getting some new computers from the surgery department. The director is so excited to get the new computers that he does not contact IT and installs the computers over the weekend in admissions. Since the computers were not checked for the presence of ePHI, the admissions director has violated with provision of the HIPAA Security Rule? a. Access Controls b. Device and Media Controls c. Emergency Access Procedure d. Contingency Operations

Device and Media Controls

What term is also used to denote the HIPAA requirement of Contingency Planning? a. Data Backup b. Data Recovery c. Disaster Planning d. Emergency Mode of Operation

Emergency Mode of Operation

CEs can decide to comply with only the Privacy Rule and don't have to comply with the Security Rule.

False

CMS is the enforcement agency for the Security Rule.

False

Only healthcare providers are required to comply with the Security Rule.

False

The Conditions of Participation restrict payment to providers who are not compliant with the Security Rule.

False

The Security Rule contains both required and addressable standards.

True

Person or entity authentication

The corroboration that an entity is the one claimed; the computer reads a predetermined set of criteria to determine whether the user is who he or she claims to be

Integrity

The state of being whole or unimpaired The security rule defines as: Data or information that has been altered or destroyed in an unauthorized manner

A nurse administrator who does not typically take call gets called in over the weekend to staff the emergency department. She does not have access to enter notes since this is not a part of her typical role. In order to meet the intent of the HIPAA Security Rule, the hospital policy should include a. a requirement for her to attend training before accessing ePHI. b. a provision to allow her to share a password with another nurse. c. a provision to allow her emergency access to the system. d. a restriction on her ability to access ePHI.

a provision to allow her emergency access to the system.

Some of the best steps that workers can take to comply with the HIPAA security rule include ensuring a. the security of mobile devices b. all employees receive appropriate training c. that employees don't ever use email d. that employees secure their workplace

all employees receive appropriate training

If a HIPAA Security Rule implementation specifications is addressable, this means that a. the covered entity does not have to show that the specification has been met b. an alternative may be implemented c. the specification must be implemented as written d. none of the above

an alternative may be implemented

Home health nurses at a covered entity want to use laptop computers to record patient notes. The director of nursing asks for guidance about whether or not this is a HIPAA violation. The most appropriate response from the Security Officer is that they a. need to sign business associate contracts before they get a laptop b. need additional training as remote workers c. need to wait and come back to the office and record the notes d. cannot have laptops since it is a security risk

need additional training as remote workers

The HIPAA Security Rule requires that the covered entity a. eliminate all threats to ePHI b. hire a security consultant c. protect ePHI from reasonably anticipated threats d. protect ePHI at all costs

protect ePHI from reasonably anticipated threats