Chapter 19
An organization implements a policy on installing software service packs on all its computers. This is an example of which type of control? a. Administrative b. Technical c. Physical d. Electronic
ANS: A Administrative controls include establishing and adhering to security policies and procedures as well as dedicating resources to security. Implementing a policy on installing and updating service packs would be an example of administrative controls. Physical controls are actual physical methods to protect inappropriate access to PHI. Technical controls are using technology to protect against inappropriate access to PHI. Electronic controls is not an accurate term.
What is the difference between the safe harbor and expert determination methods of de-identifying data? a. The safe harbor method involves removal of 18 types of identifiers, and the expert determination method involves the application of statistical or scientific models. b. The safe harbor method involves the application of statistical or scientific models, and the expert determination method involves removal of 18 types of identifiers. c. The safe harbor method involves removal of all identifiers, and the expert determination method involves the removal of 18 types of identifiers. d. The safe harbor method involves securing identifiers in an encrypted database, and the expert determination specifically determines the riskiest identifiers to remove.
ANS: A The safe harbor method involves removal of 18 types of identifiers, and the expert determination method involves the application of statistical or scientific models to de-identify data. None of the other options accurately describe these two methods.
Which principles are included in IMIA's Code of Ethics for informatics? (Select all that apply.) a. Information-Privacy and Disposition b. Openness c. Elimination of Threats d. Legitimate Infringement e. Accountability
ANS: A, B, D, E IMIA's Code of Ethics for informatics includes Information-Privacy and Disposition, Openness, Security, Access, Legitimate Infringement, Least Intrusive Alternative, and Accountability. While the principles of the code might be to eliminate threats, elimination of threats is not a specific principle.
What are some examples of indirect costs to organizations that have security breaches? (Select all that apply.) a. Lost productivity b. Expensive fines c. Damaged public trust d. Remediation costs
ANS: A, C, D Indirect costs to an organization with security breaches are lost productivity, damaged public trust, and remediation costs. Fines are a direct penalty.
What is a negative impact of the increased use of mobile devices in transmitting health data? a. They support increased health data access for providers. b. They increase the risk of a security breach. c. They decrease productivity. d. They increase the number of medication errors.
ANS: B The largest downfall to the increased use of mobile devices is the increased risk for a security breach. The increased access for providers is a positive impact. Mobile devices have been proven to increase productivity rather than decrease it, and there is no evidence supporting an increase in medication errors due to mobile devices.
Which are examples of secondary use of health information? (Select all that apply.) a. Treatment b. Surveillance c. Research d. Marketing
ANS: B, C, D The three most common secondary uses of personal health information include public health monitoring or surveillance, research, and marketing. Treatment for an illness would be a primary use of health information.
A healthcare provider forgets to update a patient's medications. Which fair information principle is being violated? a. Correction b. Openness and transparency c. Data quality and integrity d. Safeguards
ANS: C By not keeping a patient's records current and up to date, the healthcare provider is violating the fair information principle of data quality and integrity. Correction involves allowing individuals to dispute the accuracy of their information, openness and transparency involve keeping patients informed on policies regarding PHI, and safeguards are actions implemented to protect sensitive data.
Which definition most accurately describes privacy? a. The means to ensure health record privacy and confidentiality b. Accuracy and completeness of health information c. The rights of individuals to control access to their person or information about themselves d. An act that has the potential to cause harm to an informational asset
ANS: C Privacy is the rights of individuals to control access to their person or information about themselves. Security is defined as the means to ensure health record privacy and confidentiality. Data integrity is defined as the accuracy and completeness of health information. A threat is an act that has the potential to cause harm to an informational asset.
Which example constitutes an internal security event? a. Servers containing clinical data were stolen from a facility. b. A person hacks into a facility's server and steals PHI electronically. c. A person installs a malicious code past a facilities firewall. d. A system administrator installed a new server without any security measures.
ANS: D Internal events are those perpetrated (usually accidentally) by people within an institution. A system administrator not taking proper security measures would be an example of this. The remaining examples are all external events.
Which organization works on an international level to improve information privacy? a. Health and Human Services Office of Civil Rights b. Health Information Security and Privacy Collaboration (HISPC) c. Department of Health and Human Services (DHHS) d. Electronic Frontier Foundation (EFF)
ANS: D The Electronic Frontier Foundation (EFF) maintains a website listing international privacy-related accords and agreements. Health and Human Services Office of Civil Rights, Health Information Security and Privacy Collaboration (HISPC), and Department of Health and Human Services (DHHS) are all examples of federal and/or state organizations.