HIM 3132 ch. 12 & 13 exam
A nurse administrator who does not typically take calls gets called in over the weekend to staff the emergency department. She does not have access to enter notes, since this is not a part of her typical role. In order to meet the intent of the HIPAA Security Rule, the hospital policy should include
a provision to allow her emergency access to the system
The capture of data by a hospital's data security system that shows multiple invalid attempts to access the patients' database is an example of what type of security control?
audit trail
Copying data onto tapes and storing the tapes at a distant location is an example of
data backup
Key components of a contingency or disaster plan, mandated by the HIPAA Security Rule, include
data backup, data recovery and emergency mode of operations
The role of the HIIM professional in medical identity theft protection programs includes all of the following except:
defer all issues related to medical identity theft to the in-house attorney
The HIPAA Security Awareness and Training administrative safeguard requires all of the following addressable implementation programs for an entity's workforce except:
disaster recovery plan
Biometric identifiers signify something that the user knows
false
Compliance with the HIPAA Security Rule is the only standard that should be considered when developing a security plan and performing a risk assessment.
false
Content-based access control is less stringent than role-based access control.
false
Disaster recovery and contingency plans related to ePHI are nice to have but not necessary.
false
Facsimile machines provide a highly secure method of communication.
false
An organization's firewall limits external Internet users from accessing portions of the healthcare network, but it does not limit internal users from accessing portions of the Internet.
false
Vulnerabilities and threats are terms that can be used interchangeably.
false
Which of the following statements is false about a firewall?
Firewalls are effective for preventing all types of attacks on a healthcare system
The VP of finance wants to consider sending all of the medical transcriptions home to work. What security issues should be included in the risk analysis?
Access of data by unauthorized persons
The safeguard requirements in the Privacy Rule are equivalent to compliance with the Security Rule.
False
With addressable standards, the covered entity may do all BUT WHICH of the following?
Ignore the standard since it is addressable
The enforcement agency for the security rule is the:
Office for Civil Rights
When determining the appropriate password composition, the HIIM professional should refer to which of the following?
Organization policy
What are the primary distinctions between the HIPAA Security Rule and the HIPAA Privacy Rule?
The Privacy Rule applies to all forms of patients' PHI, whether electronic, written, or oral, but the Security Rule covers only electronic PHI. The Security Rule provides far more comprehensive security requirements than the Privacy Rule and includes a level of detail not provided in the Privacy Rule.
According to the HIPAA Security Rule, what should a covered entity instruct a physician who needs a new smart phone to do with her current smart phone that contains ePHI?
Turn in her old smart phone
An audit trail is a record that shows when a particular user accessed a computer system.
true
Assignment of patient medical record numbers is one of the priorities of the HIM professional during system downtime during a disaster.
true
Data encryption ensures that data transferred from one location on a network to another are secure from eavesdropping or data interception.
true
Employee nondisclosure agreements are particularly important for employees who work in remote locations or telecommute.
true
Hacking is more prevalent in healthcare due to the value of patient information on the black market.
true
The most important protection against loss of data is
user compliance with policy and procedures
Which of the following is an example of two-factor authentication?
user name and password and token
Computers storing ePHI that are easily accessible to the public pose a vulnerability to a CE.
True
If a HIPAA security rule implementation specification is addressable, this means
an alternative may be implemented
The purpose of the implementation specifications of the HIPAA security rule is to provide:
instruction for implementation of standards
The greatest threats to organizational security stem from
internal threats
What is the most common type of security threat to a health information system?
internal to the organization
The HIPAA security rule contains what provisions about encryption?
it is required based on organizational policy
The HIPAA Security Rule allows flexibility in implementation based on reasonableness and appropriateness. What does the covered entity use to make these determinations?
1) size of the covered entity; 2) security capabilities of the covered entity's system; 3) costs of security measures
The admissions department is getting some new computers from the surgery department. The director is so excited to get the new computers that he does not contact IT and installs the computers over the weekend in admissions. Since the computers were not checked for the presence of ePHI, the admissions director has violated which provision of the HIPAA security rule?
Device and media control
Common safeguards utilized to protect e-mail communication include all but which of the following? A. anti-spam software B. e-mail filtering C. encryption software D. e-mail scrubbing
Email scrubbing
The predetermined time for an automatic log-off from the system is mandated by
Facility policy
Which of the following requires financial institutions to develop written medical identity theft programs?
Fair and Accurate Credit Transactions Act
CEs can decide to comply with only the Privacy Rule and don't have to comply with the Security Rule.
False
Only healthcare providers are required to comply with the Security Rule.
False
Security awareness training is required every two years.
False
The security rule contains provisions that CEs can ignore.
False
The security rule is completely technical and requires computer programmers to address it.
False
Training is not necessary for remote workforce members as long as encryption is in place in the organization.
False
With whom may patients file a complaint if they suspect medical identity theft violations?
Federal Trade Commission
Which of the following statements about HIPAA training is false?
Privacy and security training should be separate
Elements to include in a security system risk analysis program include all but which of the following?
Restricting remote access to users
Medical identity theft has increased because of the expansion of electronic health record utilization and the expanded availability of data.
True
The Security Rule contains both required and addressable standards.
True
The goal of the Security Rule is to ensure that patient information is protected from unauthorized access, alteration, deletion, and transmission.
True
Of the following, which type of data encryption is primarily used in a wireless network environment?
WEP
One of the four general requirements a covered entity must adhere to for compliance with the HIPAA security rule is to ensure the confidentiality, integrity, and ___________ of ePHI.
availability
The HIPAA security rule requires that passwords:
be updated by organizational policy
Under which access security mechanism would an individual be allowed access to ePHI if they have a specific proper login and password, belong to a specified group, and their workstation is located in a specific place within the facility?
context-based
Non-compliance with the HIPAA security rule can lead to
criminal penalties and civil penalties
Which of the following defines the study of encryption and decryption techniques?
cryptography
What term is also used to denote the HIPAA requirement of Contingency Planning?
emergency mode of operation
E-mail related to patient care should be kept separate from the patient medical record.
false
Employee training programs are not necessary to protect the security of PHI.
false
Healthcare organizations are excluded from the definition of "creditor" under FACTA.
false
It is best practice to select a very strong password and use it for all accounts.
false
An audit trail is a good tool for which of the following?
holding an individual employee accountable for actions, reconstructing electronic events, detecting a hacker, recognizing when a system is having problems
Which of the following statements is false about the security officer? The security officer
holds a required full-time position under HIPAA security rule
The HIPAA security rule applies to which of the following covered entities?
hospitals that bill Medicare, physician electronic billing company, BlueCross health insurance plan
Home health nurses at a covered entity want to use laptop computers to record patient notes. The director of nursing asks for guidance about whether or not this is a HIPAA violation. The most appropriate response from the security officer is that they
need additional training as remote workers
Which of the following is not an access control commonly utilized by covered entities for compliance with the HIPAA security rule?
palm scanners
Which of the following would be considered a two-factor authentication system?
password and swipe card
What is the most common method for implementing entity authentication?
password systems
The HIPAA security rule requires that the covered entity
protect ePHI from reasonably anticipated threats
The purpose of entity authentication is to
read predetermined criteria to determine if a user is who he or she claims
The HIPAA security rule contains the following safeguards except:
reliability
An individual designated as an inpatient coder may have access to an electronic medical record to code the record. Under what access security mechanism is the coder allowed access to the system?
role-based
Which of the following is the best option for password management?
system auto-assigns password
Some of the best steps that workers can take to comply with the HIPAA security rule include ensuring
the security of mobile devices
Internal security breaches are far more common than external breaches.
true
Red flags are used to help a healthcare provider detect medical identity theft.
true
The Identity Theft and Assumption Deterrence Act of 1998 makes it a federal crime to commit an act of identity theft.
true
The director of health information services is allowed access to the medical record tracking system when providing the proper login and password. Under which access security mechanism is the director allowed access to the system?
user-based