Cybersecurity protects information systems against: a. Humans b. Threats that exploit a system's vulnerabilities c. Viruses d. Spam and phishing attempts
b. Threats that exploit a system's vulnerabilities
A firewall protects against the unauthorized transmission of ePHI between two computers within an internal network. a. True b. False
b. False
Data recovery should not include obtaining copies of records from entities that received records from the organization. a. True b. False
b. False
Large, medium, and small covered entities must all implement the HIPAA Security rule requirements in the same way. a. True b. False
b. False
Public key infrastructure is a less secure method of encryption because the key that decodes the information is transmitted with the data. a. True b. False
b. False
Ransomware is disseminated by viruses only. a. True b. False
b. False
The data backup plan is focused only on the electronic health record. a. True b. False
b. False
Cookies: a. Are based on trickery b. Identify a user's computer to a website c. Are a type of virus d. Are installed by information security experts to stop malicious incoming traffic
b. Identify a user's computer to a website
Ransomware resembles scareware, but it is different because: a. Its threat is fictitious b. Its threat is real c. There is no threat d. It employs social engineering
b. Its threat is real
The MIPS composite performance score is based in part on: a. Ethical decision making b. HIPAA compliance c. Advancing care information d. Staffing levels
c. Advancing care information
A computer virus is unable to replicate itself. a. True b. False
b. False
The HIPAA Security Rule is flexible. This means: a. A variety of different security measures may be used b. It applies to entities of any size c. It does not prescribe certain technologies d. Its standards are impossible to achieve
a. A variety of different security measures may be used
Changes to HIPAA are included in: a. HITECH b. Medicare Conditions of Participation c. Privacy Act of 1974 d. Child Abuse Prevention and Treatment Act
a. HITECH
Mary is a self-employed transcriptionist who transcribes physician office progress notes for several physician practices. Each document she transcribes is identified by the patient's name and medical record number. Mary: a. Is a business associate of the physician practices b. Is only a business associate of the physician practices that initiated business associate agreements c. Does not meet the definition of a business associate d. Is not legally liable for HIPAA violations she commits without a business associate agreement
a. Is a business associate of the physician practices
Deidentified information is: a. Not protected by HIPAA b. Always protected by HIPAA c. Protected by HIPAA only when it is used for research d. Protected by HIPAA only when it is used for vital statistics
a. Not protected by HIPAA
A university with a medical center is a hybrid entity under HIPAA. a. True b. False
a. True
Covered entities consist only of healthcare providers, health plans, and healthcare clearinghouses. a. True b. False
a. True
Use is the handling of PHI that is internal to a covered entity or BA. a. True b. False.
a. True
Weaknesses in Wi-Fi networks can be exploited by attackers to compromise a mobile phone user's personal information. a. True b. False
a. True
OCR has discretion to pursue corrective action without assessing penalties for which type of HIPAA violation? a. Unknowing or did not know b. Reasonable cause c. Willful neglect, corrected d. Willful neglect, uncorrected e. None of the above
a. Unknowing or did not know
General Hospital's health record department delivers a group of patient records to the quality improvement department for its monthly review. This constitutes: a. Use b. Disclosure c. A HIPAA violation d. None of the above
a. Use
Dr. Connor is able to access patient records remotely, even from less secure networks, by utilizing a secure tunnel to access the hospital's computer system. Based on these facts, Dr. Connor is utilizing: a. A virtual private network b. A firewall c. A public cloud d. Drive-by downloading
a. A virtual private network
Audit controls: a. Examine and record activity in systems with ePHI b. Assess data integrity c. Authenticate user identities d. Are a substitute for password management
a. Examine and record activity in systems with ePHI
Which of the following characteristics describes a worm? a. It does not require human interaction to spread b. It is not a virus c. It is not a type of malware d. It appears to perform one action while actually performing a different action
a. It does not require human interaction to spread
Which approach to risk determination assigns values to the likelihood and effect of a particular threat? a. Qualitative b. Determinative c. Quantitative d. Reciprocal
a. Qualitative
Which of the following is not a red flag category? a. Rejected credit card transactions b. Alerts and notifications c. Suspicious documents d. Suspicious personally identifying information
a. Rejected credit card transactions
A patient portal is often hosted and controlled by a provider or payer. a. True b. False
a. True
Per HIPAA, breach notification is one method by which an organization can mitigate a breach. a. True b. False
a. True
Per the Red Flags Rule, creditors must develop and implement written identity theft programs in an effort to identify, detect, and respond to red flags. a. True b. False
a. True
A single threat source may exploit more than one vulnerability. a. True b. False
a. True
Denial of service occurs when an attacker takes control of a device to render it unusable. a. True b. False
a. True
"Break the glass" functionality: a. Is prohibited by the Security Rule b. Allows access privileges in limited and necessary situations c. Can be exercised only by an organization's CEO d. Does not need to be audited after the fact for appropriateness
b. Allows access privileges in limited and necessary situations
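The audit-controls item above and the break-the-glass item here describe the same control from two sides: every access to ePHI is recorded, and emergency overrides are allowed but reviewed afterwards. The following is an added example, not part of the original study guide or any particular product. It keeps an append-only access log in which each entry's SHA-256 hash covers the previous entry's hash, so an edited, deleted or reordered record is detectable, and it pulls the break-the-glass entries out for after-the-fact review. The user names, field names and medical record numbers are constructed for illustration.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64  # stands in for the hash of the (non-existent) record before the first


def _digest(entry: Dict, prev_hash: str) -> str:
    """SHA-256 over the canonical JSON of an entry concatenated with the previous hash."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((canonical + prev_hash).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only record of who touched which patient record, how, and why."""

    def __init__(self) -> None:
        self.records: List[Dict] = []

    def record_access(self, user: str, patient_id: str, action: str,
                      break_glass: bool = False, reason: Optional[str] = None) -> Dict:
        """Append one access event. Break-the-glass use is allowed but must state a reason."""
        if break_glass and not reason:
            raise ValueError("break-the-glass access must carry a documented reason")
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS_HASH
        entry = {
            "seq": len(self.records),
            "user": user,
            "patient_id": patient_id,
            "action": action,
            "break_glass": break_glass,
            "reason": reason,
        }
        entry["hash"] = _digest(entry, prev_hash)  # hash covers every field above plus the chain
        self.records.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every hash in order; an edited, deleted or reordered entry breaks the chain."""
        prev_hash = GENESIS_HASH
        for position, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body.get("seq") != position or _digest(body, prev_hash) != rec["hash"]:
                return False
            prev_hash = rec["hash"]
        return True

    def break_glass_report(self) -> List[Dict]:
        """Entries that must be reviewed for appropriateness after the fact."""
        return [r for r in self.records if r["break_glass"]]


def build_sample_log() -> AuditLog:
    """Constructed sample events (hypothetical users and medical record numbers)."""
    log = AuditLog()
    log.record_access("nurse_a", "MRN-1001", "view")
    log.record_access("dr_connor", "MRN-1002", "view")
    log.record_access("dr_connor", "MRN-1003", "view",
                      break_glass=True, reason="unassigned ED patient, emergent care")
    log.record_access("clerk_b", "MRN-1001", "print")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify_chain())
    for rec in log.break_glass_report():
        print("review:", rec["user"], rec["patient_id"], rec["reason"])
    log.records[1]["user"] = "someone_else"  # simulate after-the-fact tampering with a stored entry
    print("chain intact after edit:", log.verify_chain())
```

The chain only proves something if the most recent hash is periodically copied somewhere the people who can write the log cannot alter (a separate log server, a printed digest, a write-once store); otherwise a tamperer simply rewrites the chain from the edited entry onward. The break-the-glass report is the queue a privacy officer works through, which is why option d in the item above is wrong.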
Deeming authority means: a. That accreditation exempts an organization from legal liability for acts of negligence b. An accrediting body may survey for compliance with conditions of participation c. That accreditation validates an organization's meaningful use of its electronic health record d. None of the above
b. An accrediting body may survey for compliance with conditions of participation
Which of the following rules is most likely to be utilized for noncontroversial administrative rules? a. Interim final b. Direct final rule c. Final rule d. None of the above
b. Direct final rule
A profession's Code of Ethics has the force of law. a. True b. False
b. False
Data backup will resolve all ransomware threats. a. True b. False
b. False
The Freedom of Information Act requires disclosure of health records. a. True b. False
b. False
The Freedom of Information Act (FOIA) is based on the concept of: a. State government accountability b. Federal government accountability c. Open sharing of information created by private entities d. Safeguarding personally identifiable records
b. Federal government accountability
For information to be "individually identifiable" per HIPAA, it must: a. Contain the individual's name and date of birth b. Identify the person or provide a reasonable basis to believe the person could be identified c. Contain the individual's name, date of birth, and be held or transmitted by a covered entity d. Contain the individual's diagnoses
b. Identify the person or provide a reasonable basis to believe the person could be identified
A limited data set used for research: a. Is deidentified data b. Is PHI and protected by HIPAA c. Requires authorization to be disclosed d. Requires the opportunity to agree or object
b. Is PHI and protected by HIPAA
Spyware: a. Is primarily designed to propagate to multiple computers b. Is primarily designed to attach to the host computer c. Includes misleading applications d. Can only be activated on unsecured wireless networks
b. Is primarily designed to attach to the host computer
A healthcare provider: a. Is always a covered entity per HIPAA b. Must conduct certain electronic transactions for HIPAA to apply c. Is not required to follow the HIPAA Security Rule d. None of the above
b. Must conduct certain electronic transactions for HIPAA to apply
To place a patient in a facility directory, a covered entity: a. Must obtain the patient's written authorization b. Must obtain the patient's verbal agreement c. Must include the patient's admission date and address d. Does not need any type of permission from the patient
b. Must obtain the patient's verbal agreement
A hospital human resources department has custody of its employees' employment records. These employment records are: a. Covered under HIPAA b. Not covered under HIPAA c. Covered under the HIPAA Privacy Rule only d. Covered under the HIPAA Security Rule only
b. Not covered under HIPAA
Ransomware: a. Consequences can be completely eliminated by data backup protocols b. Can be a virus c. Cannot be a worm d. Affects information but not system functionality
b. Can be a virus
A covered entity must act on an accounting of disclosures request within 30 days, with one 30-day extension permitted. a. True b. False
b. False
The preemption doctrine requires: a. Compliance with both federal and state law when they conflict b. Compliance with state law when federal and state law conflict c. Compliance with federal law when federal and state law conflict d. Federal law to be rewritten if it conflicts with state law
c. Compliance with federal law when federal and state law conflict
Joe is on the first month of his job in a hospital IT department when the hospital's network is flooded with traffic. It becomes unusable for users trying to access information. What has occurred is: a. A power outage b. A ransomware attack c. Denial of service d. A mobile device breach
c. Denial of service
The following is identified as the person who is the subject of PHI: a. Patient b. Consumer c. Individual d. Client e. Person
c. Individual
Fifty years is a significant period of time regarding decedents' PHI. This is because decedents' records: a. Must be destroyed 50 years after death b. Must be retained 50 years after death c. Lose their PHI status 50 years after death d. May no longer be disclosed to family members 50 years after death
c. Lose their PHI status 50 years after death
Termination procedures apply: a. Only to employees b. Only to employees who are terminated involuntarily c. When a workforce member's access level changes d. None of the above
c. When a workforce member's access level changes
Maggie uses the same password for her work e-mail account, her bank account, and her gym sign-in. The gym's network has been hacked. Because she has the same password for her other accounts, her work e-mail account has also been hacked. Repeated attacks of this nature are: a. Spam b. Drive-by downloading c. Aftershock password breaches d. Denial of service
c. Aftershock password breaches
Malware has infiltrated a device that provides diagnostic data on cardiac patients. Which of the following are at risk? a. Confidentiality and availability b. Confidentiality and integrity c. Integrity and patient safety d. Availability and patient safety
c. Integrity and patient safety
Software creators can repair a vulnerability through a: a. Virus b. Botnet c. Patch d. Trojan horse
c. Patch
Encryption is an example of which control category? a. Detective b. Deterrent c. Preventive d. Reactive e. Recovery
c. Preventive
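The Maggie scenario is the reason breached-password screening exists: the gym's leak gives the attacker her plaintext, and the work e-mail system cannot tell that the password is reused, so the practical control is to refuse any password that is already in a known leak, and to store what it does accept with a per-account salt so its own database is not a reusable copy. The following is an added example, not part of the original study guide. It builds a constructed breach corpus standing in for the gym's leak, screens candidate passwords with the k-anonymity range lookup used by public breached-password services (only the first five hex characters of the SHA-1 leave the client), and then stores accepted passwords with PBKDF2-HMAC-SHA256 and a random salt. The leaked passwords, the round count and the function names are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Set, Tuple

# Constructed sample: plaintexts recovered from a hypothetical third-party breach (the gym).
LEAKED_PASSWORDS = ["Summer2019!", "password1", "gymrat42", "letmein"]
PBKDF2_ROUNDS = 210_000  # assumed work factor; tune to your hardware


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form in which breached-password corpora are usually published."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked) -> Dict[str, Set[str]]:
    """Server side: bucket each leaked hash by its first five hex characters (its 'range')."""
    index: Dict[str, Set[str]] = {}
    for password in leaked:
        digest = sha1_upper(password)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def lookup_range(index: Dict[str, Set[str]], prefix: str) -> Set[str]:
    """The server's answer: every suffix in the range, so it learns nothing about which one was wanted."""
    return index.get(prefix, set())


def is_breached(password: str, index: Dict[str, Set[str]]) -> bool:
    """Client side: only the 5-character prefix leaves the client; the suffix match happens locally."""
    digest = sha1_upper(password)
    return digest[5:] in lookup_range(index, digest[:5])


def store_password(password: str, index: Dict[str, Set[str]]) -> Tuple[bytes, bytes]:
    """Refuse a known-breached password, otherwise return (salt, PBKDF2-HMAC-SHA256 hash)."""
    if is_breached(password, index):
        raise ValueError("password appears in a known breach; choose a different one")
    salt = os.urandom(16)  # per-account salt: identical passwords do not yield identical stored hashes
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def check_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    index = build_range_index(LEAKED_PASSWORDS)
    # Maggie's reused password is in the gym's leak, so the work-mail system should refuse it.
    for candidate in ["gymrat42", "correct horse battery staple"]:
        print(candidate, "-> breached" if is_breached(candidate, index) else "-> not in corpus")
    salt, stored = store_password("correct horse battery staple", index)
    print("login with right password:", check_password("correct horse battery staple", salt, stored))
    print("login with gym password:", check_password("gymrat42", salt, stored))
```

Screening blocks passwords the attacker already has; it cannot see reuse of a password that has not leaked yet, so it is paired in practice with multi-factor authentication on the accounts that matter, such as work e-mail. Against a real service the `lookup_range` call is an HTTP request for the prefix and the suffix comparison stays exactly as shown.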
HIPAA requires that risk analysis documentation be retained: a. 10 years b. 15 years c. 5 years d. 6 years e. HIPAA does not specify
d. 6 years
The National Committee for Quality Assurance (NCQA) is most recognized for accrediting: a. Hospitals b. Physician practices c. Outpatient surgery centers d. Managed care organizations
d. Managed care organizations
What is the right of a patient to control disclosure of his or her own health information? a. Security b. Privilege c. Access d. Privacy
d. Privacy
Whaling is: a. Phishing directed at a specific group of people b. Malware that targets large populations of people c. A type of malware that penetrates a firewall d. Spearphishing aimed at an organization's executive
d. Spearphishing aimed at an organization's executive
Which of the following must be included in an authorization? a. Date of the individual's most recent treatment encounter b. Name of the individual's next of kin c. Date the information is to be disclosed by d. To whom the disclosure may be made
d. To whom the disclosure may be made
Which of the following destroys electronic data? a. Degaussing b. Clearing c. Physical destruction of electronic media d. All of the above
d. All of the above
Which of the following describes the processes and controls to be followed until operations are fully restored after an event? a. Business continuity plan b. Disaster recovery plan c. Data management and recovery d. Emergency mode operations plan
d. Emergency mode operations plan
Which of the following is not a technical safeguard standard? a. Access control b. Integrity c. Transmission security d. Workstation security
d. Workstation security
Organizations within a health information exchange must consider: a. How data ownership is defined b. What information will be exchanged c. How authorization will be tracked and controlled d. How user access will be authenticated e. All of the above
e. All of the above