HCISSP


Standard NIST SP 800-34, Rev 1

"Contingency Planning Guide for Federal Information Systems" - disaster recovery, backup operations, and continuity of operations related to network management

When was HIPAA enacted in the United States?

1996

All the various people who administratively support the provision of healthcare with the appropriate level of management and leadership.

Administration

Those with an interest or impact on the healthcare organization are called

Stakeholders

(TRUE or FALSE) A healthcare organization must have a notice of privacy practices identified and displayed in their organization for patients to view.

TRUE

The primary purpose of the IRB is to

protect human subjects from physical or psychological harm

The notice of privacy practices is similar to the

release of information policy

The key feature of managed care is in

the integration of healthcare provision and payment within one organization

Determination of business partner (or business associate) status depends on whether the contract involves

the use, disclosure, transmission, or maintenance of PHI

Per the EU DPD (officially Act 95/46/EC), the conditions that must be met for necessary collection fall into three categories:

transparency, legitimate purpose, and proportionality

What are the functions of a clearinghouse?

1) Act as an intermediary between the provider and payer
2) Change paper-based information to digital
3) Streamline the claims processing and revenue collection of the provider

To define PHI, one must know

1. The definition of PII
2. Whether there is related health information
3. Whether the organization that collects, uses, transfers, stores, or disposes of PII that relates to the health information of an individual is subject to HIPAA law

At what stage of information life-cycle management are you most likely to have a data breach? A.Creation B.Retention C.Use D.Disposal

D. Even though any stage of the information life which point, it is stolen or lost.

When was the HITECH act amendment added?

2009

In the United States, the IRB is governed by

45 Code of Federal Regulations (CFR) part 46 (Department of HHS regulations for the protection of human subjects) and 21 CFR parts 50 and 56 (FDA regulations on the protection of human subjects)

What is the maximum length of time a patient can be placed in observation status before formally admitted as an inpatient?

48 hours

According to HIPAA, U.S. healthcare organizations are required to promptly report data breaches involving more than how many individual medical records to the Department of HHS?

500

Approximately what percent of individuals get their insurance through employer-based health insurance?

55%

What is the maximum field size of LOINC?

7

"Per member per month" is a common way to describe a payment model called A.Capitation B.Bundled payment C.Accountable care D.Managed care

A. "Per member per month" is a common measurement of what funds are provided to a healthcare organization for the delivery of care. The amount is preset and made available prior to the covered period of time. It has to relate to each individual over that measured period of time. Bundled payment, accountable care, and managed care are all somewhat related to financing healthcare, but none is specifically defined or measured in terms of each covered life over a period of time.

Which of these words best describes a vendor to a healthcare organization? A.Third-party B.Healthcare-specific C.Supply company D.Accredited service

A. A vendor to a healthcare organization is someone or some entity that sells, supplies, or provides a service or product. A vendor will have to be a third party because they are external to the healthcare organization. However, they do not have to be healthcare specific. They may do business with healthcare organizations only, but they are not required to be exclusively healthcare vendors. Some vendors are supply companies and therefore supply products, but they can also be service providers or staff augmentation. Finally, while accreditation is a service some vendors provide, it is only a description of a subset of all vendors. The best answer that covers all vendors is that they are third parties.

ISO 27001: Information Security Management System outlines the concept and implementation of risk __________________. A.assessment B.tolerance C.measurement D.perspective

A. ISO 27001 is the central source from the ISO family of standards that introduces and formalizes the process of risk assessment in organizations. Because tolerance is a way to mitigate or deal with risk, it is a response to issues found in the risk assessment. Measurement and perspective are at best synonymous terms for assessment or mitigation (of risk) but are not used by ISO 27001.

Of the following, which health information exchange is an example of one that is having a significant impact on healthcare? A.Nationwide Health Information Network Exchange B.Blue Cross Blue Shield C.Managed Care Network D.Electronic Health Record

A. Nationwide Health Information Network Exchange is the only answer in this category that is accurate. Blue Cross Blue Shield is a commercial health insurer, and the Managed Care Network is a generic description of connected managed-care plans (which may describe contractual arrangements as well as information technology networking). The electronic health record is an application that may be networked in an exchange but is not by definition.

If you were asked to de-identify yesterday's patient appointment list containing the medical record number (MRN), patient name, and time of appointment, what action would be most appropriate? A.Delete all MRNs and change patient name to "PATIENT." B.Change the names to historical figures and delete the time of appointment. C.Increase each MRN by 15 and use only the last names of patients. D.Use only the patient name and time of appointment.

A. There are only two acceptable ways of de-identifying patient information. One is to create a statistically effective method so that an expert would determine no one could identify the patients. Option C is close to that type of method, but simply increasing the number by 15 would easily be deciphered. The MRN and the last name would be easy to use for re-identification. Options B and D would leave the MRN intact, which would clearly provide identification for a singular individual. Only option A would de-identify the patient information by rendering the information useless for identifying the individuals—yet would still allow for useful analysis of the data.

The international standard that requires that data collection meet the conditions of transparency, legitimate purpose, and proportionality is the ______________________. A.EU Data Protection Act B.ISO 29100: Privacy Framework C.Health Insurance Portability and Accountability Act D.Generally acceptable privacy principles

A. As we introduce the EU DPD in this chapter, the guiding conditions of transparency, legitimate purpose, and proportionality foreshadow the finer details covered later in the book. Of course, the DPD starts with a caution to collect personal information only if you must, and otherwise do not. The ISO Privacy Framework does not include these components, and the Health Insurance Portability and Accountability Act is not international. Finally, the generally acceptable privacy principles have similar concepts, but because the EU DPD specifically frames itself around these conditions, the EU DPD is the right answer.

Of the following, which would be found within the Organization for Economic Cooperation and Development (OECD) privacy principles? A.Collection limitation B.De-identification C.Onward transfer D.Choice and consent

A. Knowing and differentiating between the frameworks and international principles is difficult; they are similar. However, in some organizations and countries, it is required to be able to distinguish the principle and the source. That said, de-identification is a process of taking PHI and either removing all the identifiers or creating an algorithm to change the identifiers to make them unconnected to a person. Onward transfer is a concept covered under Safe Harbor, and choice and consent is a principle under GAPP. If your responsibilities do not include memorizing the principles and their sources, concentrate on knowing the definitions of the principles themselves.

What are some general T's&C's in a user agreement?

Access to protected health information is intended only for authorized users and for legitimate purposes. All other access is prohibited. Users consent to monitoring and auditing of their use of the application or the system. Users will protect and not share their access credentials (user ID and password, for example), which would allow someone else to access the system under their login or authentication. Some user agreements specifically mention that users maintain responsibility for any actions taken under their access credentials.

A principle of data protection law that states that a data controller should be accountable for complying with measures that give effect to the principles stated earlier.

Accountability Principle

The data must be up to date, and every reasonable step must be taken to ensure that data that is inaccurate or incomplete is erased or rectified.

Accurate

What is the traditional education path for physicians?

Almost all physicians obtain a bachelor's degree and then complete four more years in an accredited medical school. There has always been a measure of importance placed on actually performing under the guidance of a current physician. So, after medical school, on-the-job training continues via an internship for a year. Then the student must complete a residency, usually focusing on a specialty or area of increased proficiency, such as cardiology or internal medicine.

An individual patient's medical record in digital format is called

An electronic health record (EHR)

What are key elements of an Information Protection Program?

An information governance framework that identifies key information security roles and responsibilities, a robust privacy and security management process, risk analysis and risk management procedures, documentation to cover topics such as continuity of operations, personnel security procedures, and disposal of equipment.

When conducting clinical research, which of the following would ensure that the research presents a plan that includes alternate measures to safeguard protected health information? A.Board of governors B.Institutional review board C.Medical board certification D.Community advocacy board

B. An institutional review board exists to provide this level of oversight because it may be necessary to conduct research for the benefit of the community containing patient information. In these cases, patient consent may be impossible to obtain. Rather than prohibit the research, an IRB provides oversight. A board of governors is not likely to be involved at the clinical research level of the healthcare organization. Medical board certification is not related to this scenario but is relevant to workforce competency. A community advocacy board may get involved in research activities, especially if patient privacy is violated, but in this scenario, such an entity would not oversee the clinical research.

Which of the following is based on the privacy objective of using personal information in conformity with an organization's privacy notice? A.Fair information principles B.Generally acceptable privacy principles C.Purpose Specification Principle D.Internal governance directives

B. Internal governance directives can (or should) conform with an organization's privacy notice, and vice versa, but the question defines the foundation of the generally acceptable privacy principles. The Purpose Specification Principle is one of the principles in the OECD framework, while the fair information principles are the basis of the OECD framework.

A data incident reporting policy would identify that breaches of at least what number of individual records must be promptly reported to the U.S. Department of Health and Human Services? A.All breaches B.More than 500 C.More than 5000 D.A number based on hospital average daily census

B. This is a straightforward question that is fundamental to understanding and reporting healthcare data breaches. HHS has determined that 500 is the number that delineates prompt notification. After 500 records, various additional actions must happen, including notifying patients and the local media in some cases. Of course, more than 5,000 records would also meet this requirement, but the phrase "at least" makes option B the correct answer and matches the HIPAA law. All breaches are eventually reported in aggregate. Because this data incident reporting procedure is not established by any internal considerations, a measure such as average daily census is not applicable. But, knowing this fundamental number (500) helps you take the proper internal steps to respond to data breaches and mitigate any data loss.

A sensor (or multiple sensors) located on an individual that acts as an end-point computing device on a network is what type of network?

Body Area Network (BAN)

When a healthcare provider is compensated based on expected costs for each acute-care episode, not necessarily the actual costs it is called

Bundled payment

In the United States, a business partner is also called a

Business Associates

What subcategory of vendors for healthcare organizations are characterized as having longer or recurring relationships with the healthcare organization, commonly described in a contract or formal, written obligation?

Business Partners

What is one way a clearinghouse can streamline the claims processing and revenue collection of the provider?

By "scrubbing" each bill to make sure it adheres to each health plan's unique or proprietary data requirements

The most likely person to operate a magnetic resonance imaging (MRI) device is a: A.Nurse anesthetist B.Physician specialist C.Medical technician D.Nursing aide

C. Although it is possible that a physician specialist, such as a radiologist, may operate the MRI, a more likely scenario would involve a qualified MRI medical technician who would conduct the procedure, interpret the results for any obvious errors, and process them for use of a physician, nurse practitioner, or physician. Likewise, a nurse anesthetist would not be at the MRI controls (unless sedation of the patient was necessary). A nursing aide may be in the exam room to assist maneuvering the patient or at least calming them before the procedure but would not be responsible for operating the medical device.

The centerpiece of the health information system is the A.Medical device B.Provider note C.Electronic health record D.Firewall

C. Although the medical device category of systems is extremely important in collecting health information, it rarely does more than collect and transmit it to the electronic health record. A provider note is found within the electronic health record and is a key component. A firewall, on the other hand, should be part of any healthcare system architecture, but it should not be considered the centerpiece. The electronic health record is the repository of all the important inputs in the system to include medical devices and provider notes. Because of its value, devices such as a firewall are in place to protect it.

Who is the primary payer in most developed countries for healthcare? A.Self-pay B.Employers C.Government D.Military

C. The government is the primary payer in most developed countries of the world. Only a small percentage of individuals pay out-of-pocket for their healthcare. While employers are a sizable percentage of health insurance financers in the United States, it is far less common internationally. The military, as a portion of government-provided health insurance, is partially correct; it is not the primary payer.

A predetermined compensation model where a payment arrangement of a set amount for each person covered by the third-party payer is called

Capitation

Name some conditions that have proved viable candidates for bundled payment.

Cataract surgery, services for end-stage renal disease, and coronary artery bypass grafting (CABG) to improve blood flow to the heart

What is the name of the entity that receives paper forms from multiple small practices, converts them to digital files, and submits them to the various payers?

Clearinghouse

The various processes and patterns of actions clinicians use to deliver healthcare are called

Clinical workflow

A principle of data protection law that states there should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject

Collection Limitation Principle

There are three primary types of government-licensed health insurance organizations.

Commercial health insurers
Blue Cross and Blue Shield plans
Health maintenance organizations (HMOs)

What does the Organizational Controls and Safeguards principle of a release of information policy include?

Contingency and risk management information concerning how protected health information will be secured during business and clinical workflow interruptions.

Information Life Cycle Management (ILM) includes the following steps

Creation, Retention, Maintenance, Use, Disposal

If a payer is a public source, which of these would be the source of funds? A.Employer group B.Health maintenance organization C.Public health agency D.Government entity

D. An employer group or employer-based healthcare insurance would be considered a private payer. A health maintenance organization can be a method of organizing delivery of care under a government payer plan, like Medicare, but it is not a public source of funds. A public health agency is unlikely to reimburse providers for care as part of their surveillance responsibilities. Therefore, the best answer is D, a government entity that uses public tax dollars or other publicly acquired funds to fund or reimburse providers for healthcare.

The potential for a malpractice lawsuit because of a network outage most likely results from: A.Providers using manual processes that are not peer reviewed B.Hospitals diverting patients to other hospitals with fewer capabilities C.Out-of-date disaster recovery plans with invalid backup data D.Medical device patient monitoring functions impeded

D. Because medical devices are regulated by the FDA, healthcare organizations have additional responsibilities to ensure their special-purpose computing platforms have either high availability or adequate continuity procedures. Otherwise, it may be considered negligence, and therefore malpractice, if a network outage impedes the monitoring of a patient. The other responses are incorrect because these actions probably would happen but would not necessarily put patients at additional direct risk.

To increase revenue through efficient bed management, which of the following occupational categories plays the largest role? A.C-suite executive B.Medical technicians C.Nursing staff D.Environmental services

D. Environmental services include housekeeping and maintenance departments. To ensure that rooms and beds are clean, ready for new occupancy, and all that is communicated as quickly as possible, environmental services are the key group of staff members. The time elapsed between patient discharge to patient admission is a terrific measurement of increased revenue if the time can be compressed. C-suite executives will play a role in overseeing the revenue measures, creating policy, and making resourcing decisions around them. Nursing staff will certainly be crucial in managing patients, and their responsibilities extend beyond admission and discharge, but the actual turnover of the room really depends on how fast the environmental services personnel do their job. Medical technicians may have a small role in some bed management processes, especially where the organization uses beds that have information technology and networking capabilities.

To bridge any privacy differences between the European Union and United States, the __________________ was developed. A.Fair information principles B.Privacy Rule C.Generally acceptable privacy principles D.Safe Harbor

D. The fair information principles, in this context, are related to the OECD framework that represents widely accepted concepts concerning protecting privacy. The Privacy Rule is an amendment to U.S. HIPAA law and is not applicable to the European Union. While generally acceptable privacy principles are internationally recognized, they are more prevalent in U.S. and Canadian data exchange. The correct answer is Safe Harbor, which is the method to address any perceived gap in the privacy practices of the United States from the EU perspective.

What is the governance board that oversees information protection of research called? A.Information management council B.Configuration control board C.Incident response team D.Institutional review board

D. The institutional review board (IRB) is the only choice that is relevant to research. When information protection in healthcare research with human subjects is referenced, there must be a governing IRB in place. The other choices are legitimate groups of internal staff members and leadership in a healthcare organization with information protection responsibilities, but none is specifically required for the research of human subjects.

For which patients does an orthopedic specialist care? A.Oral conditions B.Foot and mouth disease C.Child development D.Joint problems

D. An orthopedist is a specialist who is concerned with patient care of the joints, bones, muscles, and cartilage, primarily for knees, ankles, and hips. Orthodontists would be more appropriate for oral conditions, while foot-in-mouth disease probably would bring in an epidemiologist or even a veterinarian. The type of specialist primarily focused on child development is the pediatrician.

A principle of data protection law that states personal data should be relevant to the purposes for which it is to be used and, to the extent necessary for those purposes, should be accurate, complete, and kept up to date

Data Quality Principle

Standard classification and taxonomy allow comparative analysis on larger and larger volumes of data to become a reality at a reasonable cost. This is called

Data analytics

Applies a value relative to how sensitive and critical the information is, as defined by the organization, which will determine what level of information protection controls will be applied to information collected, maintained, retained, used, and disposed of when no longer needed.

Data classification

In terms of the EU DPD, who is the entity (or entities) that determines the purposes for which, and the manner in which, personal data is, or will be, processed?

Data controller

In terms of the EU DPD, who processes the data on behalf of the data controller but is not an employee of the data controller (such as a third-party business partner)?

Data processor

A formal, written agreement that describes the access to and expectations for a third party's use of patient information is a __________________ agreement.

Data sharing. A data sharing agreement is by definition a formal, written agreement that describes the access to and expectations for a third party's use of patient information.

In terms of the EU DPD, who is the person to whom data pertains or identifies?

Data subject

Categorizing data into a standardized format with common meaning so it can be standardized to introduce convenience and reduce wasted efforts in trying to establish common definitions and context

Data taxonomy

Removing any individually identifying information from the data set so that you can be reasonably certain no one can identify someone based on the remaining information

De-identification of patient information

A standard method for transferring images and associated information between medical devices and for use in EHRs manufactured by various vendors is called

Digital Imaging and Communications in Medicine (DICOM)

Final step in the life cycle process to render data unreadable and unrecoverable when it is no longer required

Disposal

Which 2 Department of Defense (DoD) regulations apply to protecting the military's handling of sensitive personal information?

DoD directive 5410.11, "DoD Privacy Program," and DoD directive 8500.01, "Information Assurance (IA)."

What are some specific user actions concerning user behavior that may be outlined in the user agreement?

Downloading protected health information to external devices may be prohibited. Transporting external media from the healthcare organization may not be allowed. Computer systems must be fully powered off when not in use to ensure full disk encryption is enabled. Data incident reporting procedures must be followed according to relative policy. Any training that is required prior to accessing the system must be completed, and proof of completion (certificate) must be provided to appropriate personnel.

Technicians with special training to provide first response to emergency situations and to handle traumatic injuries and medical care at the accident scenes

Emergency medical technicians

The employer purchases government-licensed insurance that is regulated by the respective U.S. state in which it is operating and, to some extent, the U.S. federal government. The insurance company collects premiums and bears the financial risk if what the company has to pay out goes beyond the collected premiums.

Employer-based coverage: fully insured health plans (still fee-for-service)

The employer has the responsibility of paying directly for healthcare services

Employer-based coverage: self-funded employee health benefit plans

Only the minimum amount of identifying data that is needed should be collected.

Excessive

(TRUE or FALSE) Under certain conditions, workplace medical surveillance containing patient information can be disclosed without prior individual consent because of clinical research provisions.

FALSE. Clinical research would be concerned with some types of surveillance, but by definition public health reporting is permissible under this scenario because the healthcare is provided at the request of the employer or as a member of the employer's workforce.

(TRUE or FALSE) DICOM is the standard established to help electronic health records to interconnect.

FALSE. DICOM is Digital Imaging and Communications in Medicine and is used to facilitate the transmission of digital images from radiology exams, for example. The only standard that fits the definition of electronic health record interconnectivity is Health Level 7 (HL7).

(TRUE or FALSE) Because she or he is required to practice autonomously, an independent duty nurse requires the highest level of formal education.

FALSE. Of these different types of nurses, a registered nurse requires as many as four years of training and education before licensure. In most cases, an RN earns a bachelor's degree as part of their academic training. The only other type of nurse offered as a possible answer that would require a specific level of formal education is the licensed practical nurse who either earns an associate degree for their two years of coursework or graduates from an equivalent hospital-based LPN program. The nurses' aides or independent duty nurses may or may not have a high-school diploma or higher. Further, an independent duty nurse can be an LPN or RN performing nursing service for a home health patient outside of the hospital.

(TRUE or FALSE) Federal law is the best source for day-to-day reference of healthcare information privacy and security practices.

FALSE. The best source should be internal policies and procedures. Of course, these policies and procedures should be built upon the principles and standards found in local, national, and, in some cases, international law. Industry standards are based upon law, but in some cases, these standards reflect best practices or controls with voluntary compliance. In any case, they are valid sources for internal policies and procedures.

What are some general phases of incident reporting policy?

First, the incident is suspected or detected (detection phase); then the event is escalated (alert phase); then it is triaged (response phase).

In the US, patient notification of a data breach requirement was implemented with the

HITECH act amendment of 2009

HIPAA stands for

Health Insurance Portability and Accountability Act

A protocol developed to enable different information systems to exchange data using a standard is

Health Level 7 (HL7)

Four main types of managed-care options

Health maintenance organization (HMO)
Preferred provider organization (PPO)
Point-of-service (POS)
High-deductible health plan with savings option (HDHP/SO)

What does the Minimum Necessary Rules principle of a release of information policy include?

Healthcare organizations must make efforts to disclose only what is needed.

Who is considered the Father of Modern Medicine?

Hippocrates

What does the Use and disclosure principle of a release of information policy include?

How the information is normally shared, with whom, and when specific patient consent would be needed. Otherwise, the information will be released without requiring a patient signature or additional authorization. You also need to include any situations where information cannot be shared.

Diagnostic-related groups (DRGs) in the United States are based on

ICD codes from the patient record and the patient's demographic data

How does LOINC differ from ICD?

ICD primarily exists to record diagnoses. LOINC is specific to identifying test observations.

This standard helps organizations implement security as a system rather than as numerous controls put in place to solve seemingly isolated issues. The standard includes handling of electronic information as well as paper-based information. From the management perspective, this standard's main contribution is to formalize the concept of risk assessments and organize information security as a quality improvement activity. The standard includes the plan-do-check-act (PDCA) concept as well as the principle of continually assessing the organization, not just episodically.

ISO 27001: Information Security Management System

This defines information security management in health, which uses ISO/IEC 27002 and augments the requirements of 27002 with healthcare-specific considerations for information security management.

ISO 27799: Health Informatics

This defines requirements for properly safeguarding personally identifiable information used by a data collector. The standard introduces terminology, outlines roles and responsibilities, and describes the following 11 privacy principles:
1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention, and disclosure limitation
6. Accuracy and quality
7. Openness, transparency, and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance

ISO 29100: Privacy Framework

A tactical guide, this standard contains best practices collected from the industry for processing personally identifiable information. The guidance delivers consistent, technical implementation of privacy requirements. By using the guide, you can build a privacy reference architecture with the necessary privacy safeguarding measures built into the system functionally and systematically across the entire enterprise. The goal is to include all relevant systems and integrate with already existing safeguarding controls.

ISO 29101: Privacy Reference Architecture

This standard gives an organization the tools to determine their level of maturity in their processes for collecting, using, disclosing, retaining, and disposing of personal information. The level of maturity is assessed based on whether the organization has evidence of processes related to information governance, risk assessments, third-party management, and relevant policy among other areas of concern.

ISO 29190: Privacy Capability Assessment Model

The extent to which information serves to identify an individual is called

Identifiability

What is the distinction in healthcare-critical infrastructure and the other examples with respect to the impact of network disruption?

In addition to the potential loss of revenue and cost of recovery, direct patient care may be at risk during unplanned network outages. First, this has the potential to open the healthcare organization to malpractice claims if there is patient harm. Second, if an unplanned outage causes an adverse event as defined by relevant healthcare accrediting agencies, in the United States and internationally (the Joint Commission, for example), it is reportable to them.

What does the Right to Revoke or Opt Out principle of a release of information policy include?

In many countries, your release of information policy must allow the patient to change their mind and provide information as to how to indicate their changing preference.

What are the benefits of integrated delivery systems

Increased efficiency and reduced redundancy in providing quality healthcare

This model for insurance payment is based on fee-for-service. A patient receives healthcare services, pays for it at the point of care, and then submits a claim to the insurance company for reimbursement. In this scenario, the patient has the maximum freedom of choice in physicians or other restrictions to services. This scenario also results in the highest cost

Indemnity Insurance

A principle of data protection law that states that an individual should have the right to do the following:
1. Obtain from the data controller, or otherwise obtain, confirmation of whether the data controller has data relating to him
2. Have communicated to him data relating to him, within the following parameters: within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him
3. Be given reasons if a request made by an individual to access their information is denied, and be able to challenge such denial
4. Challenge data relating to him and, if the challenge is successful, have the data erased, rectified, completed, amended, or annotated in the case where the patient and provider are not in agreement

Individual Participation Principle

International organization that is providing a standards framework

Integrating the Healthcare Enterprise (IHE)

Invasion of privacy is part of which tort action?

Intentional torts

Standardized codes up to six digits long that are internationally understood to represent diagnosis verbiage is represented by

International Classification of Diseases (ICD) code

The __________________ is a third-party vendor to healthcare organizations that provides accreditation for quality and patient safety standards.

Joint Commission. Because a healthcare organization voluntarily undergoes Joint Commission review and the Joint Commission is not an agent of the U.S. government or any other government, its review is an accreditation. An inspection would be something formal and government directed, like an OSHA inspection. Credentialing is done for healthcare workforce personnel, such as physicians and specialists. Nurses and several other allied health professionals are licensed by state licensing boards after passing the relevant licensing exam.

What is the framework of an incident reporting policy?

Knowing how to handle escalation of events and coordination among the right people.

Personal data can be processed only for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes.

Legitimate Purpose

What is the extent to which you can link various data elements together to positively identify someone called?

Linkability

The categories of information technology networks are

Local Area Network (LAN), Body Area Network (BAN), and Personal Area Network (PAN)

A widely accepted code system specially formulated for identifying laboratory and clinical observations is called

Logical Observation Identifiers Names and Codes (LOINC)

Store and protect data while in the possession of the provider with the same level of availability to providers and data integrity as long as the information is useful

Maintenance

Describe a cloud computing risk unique to healthcare.

Many cloud computing vendors are unfamiliar with the special requirements of healthcare. One such unique requirement is the need for all healthcare organizations to conduct a third-party risk assessment of vendors that handle protected health information (PHI) on their behalf. Because other industries may not have these assessments, or a legal requirement for assessments, vendors can be reluctant to comply with these requirements or reluctant to comply with mitigating any findings.

Medical device manufacturers self-regulate through a form they provide to their customers to document the significant security features of the device.

Manufacturer Disclosure Statement for Medical Device Security (MDS2)

Regarding medical devices, how does the FDA extend its reach globally?

Medical device manufacturers provide the same medical devices cleared for use in the United States through the FDA to their international customers.

To what group is the ACO model currently available?

Medicare patients

What education is required to become an RN?

Most commonly, RNs receive a bachelor's degree in nursing. It is possible, however, to obtain RN licensure with an associate's degree in nursing or a diploma from select nursing programs. All RNs must obtain their license by passing a national RN licensing exam.

What publication lists the 18 identifying elements of PII?

NIST Special Publication 800-122

What are sources of data that may be individually identifiable information (from the National Institute of Standards and Technology [NIST] Special Publication 800-122 [14])?

1. Name, such as full name, maiden name, mother's maiden name, or alias
2. Personal identification number, such as Social Security number (SSN), passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card number
3. Address information, such as street address or e-mail address
4. Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people
5. Telephone numbers, including mobile, business, and personal numbers
6. Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), X-rays, fingerprints, or other biometric image or template data (for example, retina scan, voice signature, and facial geometry)
7. Information identifying personally owned property, such as vehicle registration number or title number and related information
8. Information about an individual that is linked or linkable to one of the previous items (for example, date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, and financial information)
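
One practical use of the NIST SP 800-122 categories is a detector that flags them in free text, which is the core of a data-loss-prevention rule or a log-scrubbing step before records are shared outside the organization. The block below is an added example written for this page; it is not code from NIST or from the original source. The regular expressions, the Luhn check used to confirm card-like numbers, the MRN pattern, and the sample record are all assumptions constructed for illustration and would be tuned to an organization's own identifier formats in production.

```python
import re
from typing import Dict, List

# Constructed sample text (fictional, not real patient data) containing several
# SP 800-122 identifier categories: personal ID numbers, address (e-mail),
# telephone, asset identifiers (IP and MAC), and a financial account number.
SAMPLE_TEXT = """\
Patient: Jane Q. Doe (MRN 00012345)
SSN 123-45-6789, DOB 1970-01-02
Contact: jane.doe@example.com, (555) 123-4567
Last login from 192.168.10.25 / 00:1A:2B:3C:4D:5E
Card on file: 4111 1111 1111 1111
"""

# Assumed, deliberately conservative patterns; each maps to an SP 800-122 category.
PATTERNS: Dict[str, re.Pattern] = {
    # SSN: area 000/666/9xx, group 00 and serial 0000 are never issued
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone_us": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    # 13-16 digits with optional space/dash separators; confirmed by Luhn below
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    # Assumed local medical record number format (patient identification number)
    "mrn": re.compile(r"\bMRN\s*\d{6,10}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (payment cards)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> Dict[str, List[str]]:
    """Return every identifier found in text, grouped by category name."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if name == "card":
                # A digit run is only reported as a card number if Luhn passes,
                # which filters out most phone numbers, dates, and record IDs.
                if not luhn_ok(re.sub(r"\D", "", value)):
                    continue
            hits.setdefault(name, []).append(value)
    return hits


def redact(text: str) -> str:
    """Replace each confirmed identifier with a category token for safe sharing."""
    out = text
    for name, values in scan(text).items():
        for value in values:
            out = out.replace(value, f"[{name.upper()}]")
    return out


if __name__ == "__main__":
    for category, values in scan(SAMPLE_TEXT).items():
        print(f"{category:9s} {values}")
    print(redact(SAMPLE_TEXT))
```

The scan is intentionally biased toward precision: the SSN pattern rejects never-issued area and group numbers, and a digit run only counts as a card number when it passes Luhn. Category 8 of the list (linkable data such as date of birth, race, or employment) has no regular expression because it is contextual; that is exactly why a detector like this is only the first filter and a human review or a data-classification inventory must decide what is PHI.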

In the United States, federal agencies; state, regional, and local health information organizations; integrated delivery networks; and private organizations are coming together to establish an HIE of HIEs, called the

Nationwide Health Information Network Exchange

To become EU Safe Harbor certified, a U.S. organization must comply with the following seven principles:

1. Notice: The organization must let the individual know why it is collecting the information and how it will be used.
2. Choice: The individual must have the opportunity to opt out of the information collection, and the organization must inform the individual of the resulting alternatives to not providing the information.
3. Onward transfer: Safe Harbor-certified organizations can transfer information to third parties only if those organizations also agree to follow adequate information protection principles.
4. Access: Individuals must be able to access their information. When it is inaccurate, they must have remedies available to them to correct or delete it.
5. Security: There must be reasonable controls in place to protect personal information from loss and unauthorized disclosure.
6. Data integrity: Organizations must limit information collection to only that which is relevant to its use. The information must be protected so that it remains reliable for that use.
7. Enforcement: Organizations must have procedures to enforce these principles. For instance, sanctions must be convincing enough to encourage compliance.

What profession makes up the largest percentage of the healthcare workforce?

Nurses

The extent to which you can identify or link an identity to a system by virtue of an individual's use of the system is called

Observability

A principle of data protection law that states that there should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available for establishing the existence and nature of personal data and the main purposes of its use, as well as the identity and jurisdiction of the data controller.

Openness Principle

Three common disposal options for paper or digital information

Overwriting, degaussing, and physical destruction. Overwriting applies only to rewritable digital media, and degaussing only to magnetic media (it does not sanitize solid-state drives); physical destruction (shredding, pulverizing, incineration) is the one option that covers paper and every media type.

An accomplishment of DICOM is the advent of

PACS, which can consist of dozens of modalities, set up in a LAN configuration connected to several different types of servers for image processing, demographic patient data integration with the images, and file transfer to end-user viewing stations.

Protected Heath Information (PHI) is built upon the existing definition of

PII (Personally Identifiable Information)

Someone who finances or reimburses the cost of healthcare

Payer

A small network consisting of a communications area near an individual and may include a BAN is called a

Personal Area Network (PAN)

In other countries with privacy protection laws, PII is typically called

Personal information

These people have responsibility in the proper and safe use of medications. They are an integral part of the healthcare team in that they often provide meaningful education and counseling for patients who are receiving medication.

Pharmacist

Another general category of healthcare professional on staff who has a license to practice medicine under the guidance of a physician, primarily recognized in the US, is the

Physician Assistant (PA)

In the case where the term provider is used to describe the actual people who provide healthcare, what is another interchangeable term?

Practitioner

How do Privacy Boards differ from IRBs?

Privacy boards have no other authority within human subject research or FDA-sponsored research other than to allow PHI disclosure without additional patient consent for research

Written instructions, illustrated flowcharts, or checklists that describe how policies will be put into action

Processes (sometimes called Standard Operating Procedures)

Personal data may be processed only insofar as it is accurate, relevant, and not excessive in relation to the purposes for which they are collected and/or further processed.

Proportionality

Healthcare institutions that exist to provide a service to patients or the actual people who provide healthcare are called

Providers

Unlike psychiatrists, who are MDs, psychologists are not physicians; they provide patient care with respect to behavior and mental processes. They provide counseling services and conduct research within academic settings.

Psychologists

What is an almost universal exception to the information protection guidelines?

Public health reporting allowances

A principle of data protection law that states the purposes for which personal data is collected should be specified no later than at the time of data collection, and the subsequent use should be limited to the fulfillment of those purposes or any occasions that are not incompatible with those purposes and as specified on each occasion of change of purpose.

Purpose Specification Principle

To become a NP (Nurse Practitioner), one must first be an

RN (Registered Nurse)

LPNs work under the supervision of

RNs (Registered Nurses)

What is the benefit of having SOPs to clarify policies at the varying levels?

Reduce uncertainty and variation in performance

The data shouldn't be kept in a form that permits identification of data subjects for longer than is necessary for the purposes for which the data was collected or for which it is further processed. Member states shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical, or scientific use.

Relevant

What are the guiding principles of any IRB?

Respect for people People should be treated as autonomous agents (individuals), and those with diminished autonomy must be protected. Beneficence The well-being of study participants should be protected by adhering to "do no harm" and maximizing benefits while minimizing potential damages. Justice Participants should have equal opportunity to be selected because even if there is a benefit, there is probably a burden some people will have to bear.

The length of time the records are useful and after which outdated records are discarded.

Retention

What is the key difference between SNOMED CT and ICD?

SNOMED CT is so specific so as to be able to describe extensive clinical terminology that is meant more as machine language to construct the EHR. ICDs classify diagnoses and procedures suited for output to billing and data analysis functions.

Give an example of an agreement or treatise that can help bridge jurisdiction issues.

Safe Harbor, which is put in place between EU and foreign organizations wanting to share information

A principle of data protection law that states that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.

Security Safeguards Principle

What was the effective date of the HIPAA Omnibus Final Rule

Sept. 23, 2013 (this is the compliance date most often tested; the rule itself was published January 25, 2013 and took effect March 26, 2013)

Requirements for signing a BAA for cloud computing vendors with U.S. healthcare customers were defined in

The HIPAA Omnibus Final Rule, which made business associates (including cloud vendors that store or process PHI) directly liable under HIPAA; compliance was required by September 23, 2013.

This profession concentrates on patients' quality of life and subjective well-being. They administer to individuals, groups, and communities. Areas of practice include research, counseling, crisis intervention, and teaching

Social worker

What should the contents of a legal medical record (at least) do?

1. Support patient care decisions
2. Document the care provided for the purposes of reimbursement
3. Serve as evidence in legal proceedings about such care

Another type of coding prevalent in healthcare which is a comprehensive clinical terminology that provides clinical content and expressivity for clinical documentation and reporting. It can be used to code, retrieve, and analyze clinical data.

Systematized Nomenclature of Medicine-Clinical Terms (SNOMED CT)

(TRUE or FALSE) A data controller that should comply with measures found in the Organization for Economic Cooperation and Development (OECD) principles fits the definition of accountability.

TRUE This is a better example of knowing the definition of the principles versus memorizing which set of standards they came from. Accountability is the OECD principle that says data controllers should be accountable for compliance with OECD and laws that follow those principles.

(TRUE or FALSE) For Canada, the transfer of data across borders is not prohibited by PIPEDA.

TRUE, but more and more government agencies are requiring that restriction in their business contracts.

(TRUE or FALSE) An inpatient is defined as an individual who checks into the emergency room and is admitted overnight for less than 24 hours.

TRUE. A recurring appointment each day from 5 p.m. to 6 p.m. is an outpatient visit, as are appointments that do not require admissions officially into the hospital. The knee surgery with transportation to an assisted-living residence implies discharging the patient to his or her home. A sleep study, although overnight, is not an admission to a hospital. The emergency room that results in a formal admission into the hospital fits the definition of inpatient.

(TRUE or FALSE) Assuring confidentiality, integrity, and availability of data, both in paper form or digital, is a central concern of security in the data management program.

TRUE. By definition, security applies to the efforts to assure confidentiality, integrity, and availability of data. While the governance, stewardship, and standards are all valid health data management principles, only security exactly meets this definition.

Digital Imaging and Communications in Medicine (DICOM) was developed by

The American College of Radiology (ACR) and the National Electrical Manufacturers Association (NEMA) joint committee formed in 1983

In addition to HIPAA, healthcare also must comply with regulations that apply across other industries. Name two.

The Gramm-Leach-Bliley Act (GLBA) and the Red Flags Rule governed by the Federal Trade Commission (FTC) standards.

An international standard-setting body that consists of qualified subject-matter experts from more than 150 countries and that attempts to integrate national standards bodies (the American National Standards Institute, the BSI Group from the United Kingdom, and the Standards Council of Canada, to name a select few) through technical committees such as ISO Technical Committee (TC) 215 Health Informatics.

The International Organization for Standardization (ISO)

OECD stands for

The Organisation for Economic Co-operation and Development. Established in 1961, headquartered in France, 34 member countries. The mission of the OECD is to promote policies that will improve the economic and social well-being of people around the world.

What is the main difference between a personal health record (PHR) and an electronic health record (EHR)?

The PHR is maintained by the patient as opposed to the provider organization.

What HIPAA amendment has a provision for a privacy board?

The Privacy Rule, 45 CFR parts 160 and 164; specifically, section 164.512(i), which allows an IRB or a privacy board to approve a waiver of authorization for research uses of PHI.

What are the amendments of HIPAA?

The Privacy Rule, the Security Rule, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the recent Omnibus HIPAA Final Rule.

__________________ is required to be provided to inform individuals of their privacy rights with respect to their personal health information.

The correct answer is a notice of privacy practices, which is the policy (and form) healthcare organizations must comply with to notify patients of their privacy rights.

What is the central relationship in healthcare?

The doctor-patient relationship

Define privacy principle Collection

The entity collects personal information only for the purposes identified in the notice.

Define privacy principle Management

The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

Define privacy principle Choice and Consent

The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

Define privacy principle Disclosure to Third Parties

The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

Define privacy principle Use, Retention, and Disposal

The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes, or as required by law or regulations, and thereafter appropriately disposes of such information.

Define privacy principle Quality

The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

Define privacy principle Monitoring and Enforcement

The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

Define privacy principle Security for Privacy

The entity protects personal information against unauthorized access (both physical and logical).

Define privacy principle Access

The entity provides individuals with access to their personal information for review and update.

Define privacy principle Notice

The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

Name some LAN configurations, called topologies.

The first three were the star, the ring, and the bus configurations. As LANs were able to operate at higher speeds with low-cost switching technology, the point-to-point topology became more common and is the relative standard today.

What does the Patient Rights principle of a release of information policy include?

The healthcare organization has to inform patients about what rights they have concerning their information and how it is released to other entities.

Today, a risk assessment to determine a data breach of PHI must consider

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
2. The unauthorized person who used the protected health information or to whom the disclosure was made
3. Whether the protected health information was actually acquired or viewed
4. The extent to which the risk to the protected health information has been mitigated

The healthcare information associated with PII can relate to the following:

1. The past, present, or future physical or mental health or condition
2. The provision of healthcare to the individual
3. The past, present, or future payment for the provision of healthcare to the individual

Which policy is more incident-specific, the release of information policy or the notice of privacy practices policy?

The release of information policy. The healthcare organization provides the privacy practices notice at several times. For instance, in the United States, it is provided at the time of enrollment in a health plan. Every three years or sooner, the notice is sent as a reminder or upon request. Finally, the notice is to be prominently displayed on a web site for their patients to access.

Today, to determine whether there is a data breach of PHI, the U.S. government has determined a measurement threshold. What is that measurement threshold?

The standard is the probability that the PHI has been compromised: an impermissible use or disclosure is presumed to be a breach unless the organization demonstrates, through the four-factor risk assessment, a low probability that the PHI has been compromised. This replaced the earlier "significant risk of harm" threshold.

What is the job of the certified registered nurse anesthetist (CRNA)?

These nurses provide anesthesia to patients and can do so for any surgery or procedure that requires anesthesia.

According to HIPAA, all internal documentation must be implemented with the following:

1. Time limit: You must keep the documents for at least six years (or longer if another requirement exists, such as accreditation).
2. Availability: The organization must make internal guidance available (usually through an intranet or printed pamphlets for staff).
3. Updates: The organization must review and update the guidance periodically.

The data subject has the right to be informed when his personal data is being processed. The controller must provide his name and address, the purpose of processing, the recipients of the data, and all other information required to ensure the processing is fair.

Transparency

(T or F) The use of Safe Harbor in terms of internal policies likely applies to Safe Harbor as it is governed by the EU.

True (specific actions that are taken "in good faith" are usually exempted in most U.S. laws, called Safe Harbor provisions)

Most used publicly available software-based data sanitization methods guidance

U.S. Department of Defense (DoD) 5220.22-M. Note that the three-pass overwrite commonly associated with this document is no longer specified by it, and it was never adequate for flash media; NIST SP 800-88 (Guidelines for Media Sanitization) is the current reference for choosing clear, purge, or destroy methods by media type.

If after complex combinations and attempts, you cannot determine identity by linking the information,this is called

Unlinkability

Information has to be used in a manner consistent with the reasons it was collected and never for a provider's personal gain

Use

A principle of data protection law that states that personal data should not be disclosed, made available, or otherwise used for purposes other than those specified except in the following cases: With the consent of the data subject By the authority of law

Use Limitation Principle

Every release of information policy should follow these basic principles:

1. Use and disclosure: This includes how the information is normally shared, with whom, and when specific patient consent would be needed. Otherwise, the information will be released without requiring a patient signature or additional authorization. You also need to include any situations where information cannot be shared.
2. Minimum necessary rules: Healthcare organizations must make efforts to disclose only what is needed. In a scenario where one specific encounter is under review, the entire legal medical record probably is not needed for disclosure.
3. Patient rights: The healthcare organization has to inform patients about what rights they have concerning their information and how it is released to other entities.
4. Organizational controls and safeguards: The release of information policy will include contingency and risk management information concerning how protected health information will be secured during business and clinical workflow interruptions.
5. Right to revoke or opt out: In many countries, your release of information policy must allow the patient to change their mind and provide information as to how to indicate their changing preference.

What are the basic principles of every release of information policy?

Use and disclosure, Minimum necessary rules, Patient rights, Organizational controls and safeguards, and Right to revoke or opt out

someone or some entity that sells, supplies, or provides a service or product

Vendor

Examples of covered entities are

a healthcare provider, health plan, healthcare clearinghouse

An overarching control found in almost every regulation is

a legal obligation for each healthcare organization to have its own internal guidelines to prevent, detect, contain, and correct information protection violations.

Any item (hardware, software, or applications, networked or stand-alone) that a provider uses to diagnose, prevent, monitor, or treat a disease, injury, or physiological process is called

a medical device or technology

A model that joins providers (hospitals, physician groups, and other caregivers) together contractually to provide a broad set of healthcare services is called

accountable-care organization (ACO)

What additional education / certification is required to become a NP?

advanced classroom and clinical education, where they must graduate from an additional program accredited for conferring the master's of science in nursing (MSN) or the doctorate of nursing practice (DNP) degree. The next step is to pass a national board-certifying exam. The NP will take the exam based on what specific clinical area their educational program focused on.

Another name for outpatient status is called

ambulatory care

Various types of computing equipment, including the medical devices mentioned previously, office automation computers, the cabling, the machines used to route and monitor traffic, and software (operating systems and so on) is called

an information technology network

According to the U.S. Food and Drug Administration (FDA), a medical device is

an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is (in part) intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals.

Related to the location of data and how it flows through the organization, inventory and documentation, identification of stakeholders and the relevant information life cycle, defining the organization's metadata

architecture

When does a new patient receive a copy of the notice of privacy practices?

at the first service encounter or appointment. If the treatment is under emergency conditions, the notice is given to the individual as soon as possible after the emergency is over.

The personnel who maintain (as opposed to operate) the medical devices are

biomedical technicians and clinical engineers

One of the key differences between biomedical technicians and clinical engineers and general medical technicians is

biomedical technicians and clinical engineers typically do not require extensive training on human anatomy, physiology, and clinical technique

For the purpose of the definition of Payers, self-care refers to those who

choose to forgo third-party payment and fund their healthcare out of their personal funds

Tort law is comprised of

civil (versus criminal) acts that provide patients with a remedy against wrongful acts committed against them.

The transformation of clinical workflow from any type of description in narrative or words into numerical data sets, or codes that are used for documenting disease description, injuries, symptoms, and conditions is called

coding

User agreements may be considered synonymous with

confidentiality agreements, end-user license agreements (EULAs), or personal accountability documents

What is the origin for determining medical necessity?

federal Medicare statute

What is the range of identifiability?

full anonymity (not identifiable) to full verinymity (positively identified)

Employer-based coverage comes in two types:

fully insured plans and self-funded plans

Give 3 examples of levels of policies

governing programs, system-specific, and issue-specific

An organization that exists to facilitate the electronic sharing of healthcare information across multiple healthcare organizations is called

health information exchange (HIE)

The electronic sharing of healthcare information between providers and payers is called

health information exchange (HIE)

What are the distinctive features of a LAN?

high speed, low error rate, private ownership, and small geographic area

In reference to electronic information and EHRs, clinical workflow describes

how the data moves through the information system and by whom, to whom, when, and how often.

In general, the international view of safeguarding an individual's identifying information is a

human right.

When a healthcare organization defines its legal medical record as having both paper and digital information, that record is called a

hybrid legal medical record

Benefits of this data sharing include

improving patient outcomes, streamlining processes, and reducing patient safety risks

PII is

information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context

When a patient is admitted to a healthcare facility and they remain there for more than 24 hours, usually they are considered

inpatient

Formal, chartered committees that approve, monitor, and review biomedical and behavioral research involving humans are called

institutional review board (IRB), also called independent ethics committees or ethical review boards

When multiple types of provider organizations, both inpatient and outpatient services, are organized into a coordinated system of clinics and hospitals, they are called

integrated delivery systems

The process of submitting and following up on claims with health insurance companies in order to receive payment for services rendered by a healthcare provider is called

medical billing

Digital diagnostic imaging devices are called

modalities

What is the required training for an LPN (Licensed Practical Nurse)?

must complete a yearlong (typically) certified educational program. Often these programs are affiliated with a teaching hospital that provides some hands-on experience for the students. After the students complete the program, there is an additional licensing exam.

Malpractice lawsuit is based upon

negligence or carelessness by a healthcare provider

If a breach involves more than 500 individual records and there is not a low probability of compromise, the organization must

notify the U.S. Department of Health and Human Services (HHS) of the loss, theft, or certain other impermissible uses or disclosures of unsecured PHI. The organization must alert the media if the breach affects more than 500 residents of a single state. The organization must notify the affected individuals, but in most other data breaches the healthcare organization will notify their patients as well.

What are the general categories of nursing?

nurses' aides, licensed practical nurses, and registered nurses (to include nurse practitioners and certified registered nurses).

When patients receive care in one of numerous healthcare settings without being admitted to a healthcare facility and without staying at the facility beyond a certain number of hours to receive a diagnosis and treatment, usually they are considered

outpatient

Who developed the Medical Device Security Manufacturers' Disclosure Statement (MDS) form?

partnership with the Healthcare Information and Management Systems Society (HIMSS) and leading clinical engineering associations

A person who seeks assistance with matters of health (mental or physical), improvement of health status, or treatment of illness

patient

Sources of available, trusted, reliable, and concise data include

patient, a provider, or any number of different medical devices and diagnostic tools

What is the name of the model where patient treatment is coordinated by a primary-care manager who makes sure the patient receives appropriate levels of care?

patient-centered medical home (PCMH)

Generally speaking, a healthcare system consists of

patients, providers, payers, and other stakeholders (such as vendors)

Collectively, the NP, CRNA, and PA are often called

physician extenders

The education level of most nurses' aides is

post-high school (a diploma or certificate). It is not uncommon for healthcare organizations to require at least a competency exam that the nurses' aide needs to pass.

Adequate checks and oversight in place to achieve data that is relevant, accurate, timely, and accessible

quality

Repayment for expense incurred is called

reimbursement

What are two key elements of privacy and security management process?

risk analysis and risk management procedures

Prior to the HIPAA Omnibus Rule in 2013, the risk threshold to determine a data breach of PHI was

risk of harm to the individual through disclosure of information.

What is the purpose of Safe Harbor framework?

satisfies the adequacy requirement (in other words, the entity that is collecting the data has adequate privacy processes and safeguards in place)

A data governance committee must include

senior-level executives and specialists from other business and clinical areas (along with IT representatives) who provide vision and authority to the data governance function to strategically align processes and technology

The effort to establish and maintain data with common understanding and meaning using a combination of regulations, customs, and user acceptance

standards

Ownership and accountability in regards to managing data

stewardship

Who developed Safe Harbor framework?

the European Union and United States, through the Department of Commerce

Examples of universal standards with privacy and security directives that extend across all industries, including healthcare, are:

the European Union's Data Protection Directive (DPD), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and Australia's Privacy Amendment (Private Sector) Act of 2000.

Medical device manufacturers that do business internationally base their requirements on

the International Organization for Standardization (ISO) frameworks for securing systems

A collection of standard implementation specifications, called profiles, that defines specific implementations of established standards to achieve integration goals of clinical laboratories with other components of a healthcare enterprise or with a broader community of healthcare is called

the Laboratory Technical Framework (LAB TF)

NIST 800-15, "Generally Accepted Principles and Practices for Securing Information Technology Systems," draws upon what for the security of information systems?

the OECD's guidelines

HIPAA defines two types of organizations. They are

the covered entity and the business associate

The overarching term medical technician describes

the kind of work done in clinical laboratories performing tests and exams. They also must be able to understand medical data that comes from their specific equipment and how it relates to the patient. They are the first line of interpreters of results.

What is one of the more contentious features of managed care?

the requirement for patients and referring providers to obtain prior authorization for certain services

What is one of the best uses of a user agreement?

to authorize a specific user to access an application or clinical system, like the EHR.

Reimbursement for healthcare services must be __________________, __________________, and __________________.

usual, customary, and reasonable. The only correct combination of adjectives is "usual, customary, and reasonable." All of the others are not found within any typical definition of what charges are reimbursable.
