MOD 3 WEEK 4 Compliance in Healthcare Environments
False
Cyber hackers mainly target larger organizations. (T/F)?
False
Cybersecurity is only needed to access an EHR through the internet from a cloud server and not locally from the office. (T/F)?
Business Associate
Data analysis is an example of this kind of entity.
No more than 60 days
How long after the discovery of a breach must a notification be made?
6 years after creation or last effective date (whichever is later)
How long must a covered entity maintain written security policies and procedures and written records of required actions, activities, or assessments?
Require the business associate to safeguard the PHI; detail the disclosures of the PHI that the associate may make
If a covered entity enlists the help of a business associate then a written contract or other arrangements must contain what 2 things?
Yes
If a patient can't access their PHI, is this a violation of HIPAA security?
True
If an entity does not meet the definition of covered entity or business associate, it does not have to comply with HIPAA. (T/F)?
True
If information is encrypted, there is a low probability that anyone other than the receiving party who has the key to the code or access to another confidential process would be able to decrypt (translate) the text and convert it into plain, comprehensible text. (T/F)?
Business Associate
Legal services are an example of this kind of entity.
Health plans; health care providers who conduct certain electronic transactions; health care clearing houses; business associates
List 4 entities that must comply with HIPAA
Administrative, Physical, Organizational, Policy and Procedures
List 4 safeguards/requirements for HIPAA security.
ePHI encryption; auditing functions; backup and recovery routines; unique user IDs and strong passwords; role- or user-based access controls; auto time-out; emergency access; amendments and accounting of disclosures
List some features of security software that would benefit the medical practice?
Business Associate
Management administration is an example of this kind of entity.
True
Most EHRs and related equipment have security features built in or provided as part of a service, but they are not always configured or enabled properly. (T/F)?
False
Most of the activities of the EHR can be conducted offline. (T/F)?
Health and Human Services
Notifications of smaller breaches, affecting fewer than 500 individuals, must be submitted to whom annually?
False, they can recognize dangerous drug interactions
One downfall of EMRs is that they can't recognize dangerous drug interactions. (T/F)?
Physical Safeguards
Physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion describes what?
Covered Entity
A chiropractor is an example of this kind of entity.
Business Associate
A person or organization, other than an employee of a covered entity, that performs certain functions on behalf of, or provides certain services to, a covered entity that involves access to PHI.
Health care clearing house
A public or private entity that processes another entity's health care transactions from a standard format to a non-standard format, or vice versa describes what?
Business Associate
Accreditation is an example of this kind of entity.
Administrative Safeguards
Actions, policies, and procedures to prevent, detect, contain, and correct security violations describes what?
Health Plan
Any individual or group plan that provides or pays the cost of health care describes what?
Covered Entity
Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard describes what?
Business Associate
Billing is an example of this kind of entity.
Business Associate
Claims processing is an example of this kind of entity.
True
Does cybersecurity protect information stored in any digital memory device?
Yes
Does cybersecurity protect your information or any form of digital asset stored in your computer?
True
EMRs are beneficial to doctors because they allow for data to be tracked over time. (T/F)?
True
EMRs are beneficial to doctors because they allow for identification of patients who are due for preventative visits and screenings. (T/F)?
True
EMRs can help monitor how patients measure up to certain limitations of vaccinations and blood pressure readings. (T/F)?
True
EMRs can reduce the potential for potentially risky tests and procedures. (T/F)?
True
EMRs can verify medications and doses. (T/F)?
Business Associate
Financial Services is an example of this kind of entity.
False
Financial incentives are not currently available to help providers transition into EMRs. (T/F)?
Risk analysis or risk management
In maintaining the security of patients' ePHI, this process guides you through a systematic examination of many aspects of your health care practice to identify potential security weaknesses and flaws.
Protected Health Information
Individually identifiable health information that is transmitted or maintained by electronic or other media, such as computer storage devices is known as __________?
Policies and procedures
Requiring a CE to adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule describes what?
True
The HIPAA Privacy Rule established standards of protection of PHI held by business associates (T/F)?
False
The HIPAA security rule dictates security measures. (T/F)?
True
Your practice is responsible for taking the steps needed to protect the confidentiality, integrity, and availability of ePHI maintained in your EHR. (T/F)?
False
The guardian of the ePHI isn't responsible for making sure the basic features are functioning and updated. (T/F)?
Organizational Standards
The requirement of a CE to have contracts or other arrangements with BAs that will have access to the CE's ePHI describes what?
True
The security rule does not apply to patients sending information to their physician. (T/F)?
g
The security rule mandates that: a. a security officer must be assigned the responsibility for the medical facility's security b. all staff, including management, receive security awareness training c. medical facilities must implement audit controls to record and examine staff who have logged into information that contains PHI d. organizations limit physical access to medical facilities that contain electronic PHI e. organizations must conduct risk analyses to determine information security risks and vulnerabilities f. organizations must establish policies and procedures that allow access to electronic PHI on a need-to-know basis g. all of the above
AHIMA
This association strives to improve health information management through support of people, research, and resources. It works to improve health record quality and to advance the implementation of electronic health records by leading key industry initiatives and advocating high and consistent standards.
Encrypting
This is a method of converting an original message of regular text into encoded text.
HIMSS
This is a non-profit organization focused on better health through information technology. It works to improve the quality, cost, effectiveness, access, and value of healthcare through IT.
Breach Notification Rule
This rule also requires that business associates of covered entities notify the covered entity of breaches at or by the business associate.
HIPAA Security Rule
This rule, established in 2003, regulates the administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of health information covered by HIPAA.
Breach Notification Rule
This rule requires covered entities to notify affected individuals, U.S. Department of Health and Human Services, and in some cases the media, of a breach of unsecured PHI?
HIPAA Privacy Rule
This rule, as applicable in HIPAA Title II, is designed to provide strong privacy protections that do not interfere with patient access to health care or the quality of health care delivery. It sets national standards for when PHI may be used and disclosed.
Risk Analysis
To uphold patient trust as your practice continues to adopt and use an EHR or other electronic technology for the collection and use of ePHI, and to comply with the HIPAA Security Rule and Meaningful Use requirements, your practice must conduct a __________.
False
Unfortunately, properly configured and certified EHRs can't provide more protection to ePHI than paper files provided. (T/F)?
Cybersecurity
Ways to prevent, detect, and respond to attacks against or unauthorized access against a computer system and its information describes what?
American Health Information and Management Association
What does AHIMA stand for?
Health Information and Management Systems Society
What does HIMSS stand for?
Key code or access to another confidential process
What must the receiver of an encrypted message/information have in order to decrypt it?
Immediately
When does the HIPAA security or privacy rule take effect on PHI delivered to a health care facility?
a
Which of the following describes Physical Standards of the HIPAA security rule? a) Technology and the policies and procedures for its use that protect ePHI and control access to it. b) A CE must periodically review and update its documentation in response to environmental or organizational changes that affect the security of ePHI. c) Selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of workforce members in relation to the protection of that information d) Provides the specific criteria required for written contracts or other arrangements
b
Which of the following describes Policies and Procedures standards of the HIPAA security rule? a. Physical safeguards: technology and the policies and procedures for its use that protect ePHI and control access to it. b. A CE must periodically review and update its documentation in response to environmental or organizational changes that affect the security of ePHI. c. Administration safeguards: selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of workforce members in relation to the protection of that information d. Provides the specific criteria required for written contracts or other arrangements
e
Which of the following is an example of a healthcare clearing house? a. Dentist b. Repricing companies c. Community Health Management Information Systems d. HMO e. b&c
c
Which of the following is not considered identifiable health information: a. account numbers b. web URLs c. hair color d. email address e. Internet Protocol (IP) address number f. payments
e
Which of the following is true regarding the HIPAA privacy rule? a. gives patients more control over their health information b. establishes safeguards used to protect the privacy of health information c. holds violators accountable if they violate patients' privacy rights d. disclosure of some forms of data e. All are true
c
Which of the following refers to Administrative Safeguards of the HIPAA security rule? a. Technology and the policies and procedures for its use that protect ePHI and control access to it. b. A CE must periodically review and update its documentation in response to environmental or organizational changes that affect the security of ePHI. c. Selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of workforce members in relation to the protection of that information d. Provides the specific criteria required for written contracts or other arrangements
d
Which of the following refers to Organization Standards of the HIPAA security rule? a) Technology and the policies and procedures for its use that protect ePHI and control access to it. b) A CE must periodically review and update its documentation in response to environmental or organizational changes that affect the security of ePHI. c) Selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of workforce members in relation to the protection of that information d) Provides the specific criteria required for written contracts or other arrangements
HHS Office for Civil Rights
Who enforces the HIPAA security, privacy, and breach notification rules?
Business Associate Covered Entity
With reference to the HIPAA security rule, what do the acronyms BA and CE stand for?
Office of the National Coordinator for Health Information Technology (ONC)
__________ is at the forefront of the administration's health IT efforts and is a resource to the entire health system, supporting the adoption of health information technology and promoting nationwide health information exchange to improve health care.