Privacy & Security

This is a false statement because it is prohibited by the HIPAA Privacy Rule.

Critique this statement: A business associate has the right to use a health care facility's information beyond the scope of their agreement with the health care facility. This is a false statement because the HIPAA Privacy Rule states that to use it in their own business, they must have the health care facility's approval. This is a true statement because business associates can use the information for their main source of business as long as the patient's privacy is protected. This is a false statement because it is prohibited by the HIPAA Privacy Rule. This is a true statement as long as they have patient consent.

Training can use many different methods.

Critique this statement: Security training must be face-to-face. Training can use many different methods. This is a true statement. Face-to-face is required for new employees. Training may be through a face-to-face meeting or through newsletters only.

limited data set.

Data has had some identifiers removed but it is still possible to identify the patient. This is known as a designated record set. deidentified patient identifiers. limited data set. incidental uses.

Data at rest

Data stored in a database may be referred to as kept data. accumulated data. data at rest. data in safekeeping.

training

Employee awareness of the HIPAA Privacy Rule should be addressed through health record management plan. training. policies and procedures. risk management program.

Public key encryption uses a private and public key.

Which of the following is a true statement about public key encryption? Public key encryption requires both computers to have the same key. The sending computer uses the public key. Public key encryption uses a private and public key. The digital certificate shows that the keys are encrypted.

permitting a spouse to pick up medication for the patient

Which of the following is allowed by HIPAA? letting a business associate use PHI in whatever manner they see fit mandating that a health care facility has to amend the health record of a patient at the patient's request releasing patient information to the patient's attorney without an authorization permitting a spouse to pick up medication for the patient

A hacker accessed PHI from off site.

Which of the following is an example of a security incident? A hacker accessed PHI from off site. Temporary employees were not given individual passwords. A handheld device was left unattended on the crash cart in the hall for 10 minutes. An employee took home a laptop with unsecured PHI.

A patient and user have the same last name.

Which of the following is an example of a trigger that might be used to reduce auditing? A patient has not signed their notice of privacy practices. A patient and user have the same last name. A nurse is caring for a patient and reviews the patient's record. The patient is a Medicare patient.

monitoring the computer access activity of the user

Which of the following is an example of administrative safeguards under the security rule? monitoring the computer access activity of the user assigning unique identifiers monitoring traffic on the network encryption

training

Which of the following is an example of an administrative safeguard? training firewall access control physical security of hardware

password and token

Which of the following is an example of two-factor authentication? token and smart card password and token fingerprint and retinal scan username and password

Authorship

Which of the following is the term used to identify who made an entry into a health record? authentication access control authorship accessibility

release of information company

Which of the following meets the definition of a business associate? security guards bulk food service provider childbirth class instructor release of information company

releasing information to the Bureau of Disability Determination

Which of the following situations would require authorization before disclosing PHI? releasing information to the Bureau of Disability Determination workers' compensation health oversight activity public health activities

"Mary, at work yesterday I saw that Susan had a hysterectomy."

Which of the following statements demonstrates a violation of protected health information? "Can you help me find Mary Smith's record?" "Mary, at work yesterday I saw that Susan had a hysterectomy." A member of the physician's office staff calls centralized scheduling and says, "Dr. Smith wants to perform a bunionectomy on Mary Jones next Tuesday." Dr. Jones tells a nurse on the floor to give Ms. Brown Demerol for her pain.

It applies only to documents maintained by the federal government.

Which of the following statements is true about the Privacy Act of 1974? It applies only to documents maintained by the federal government. It applies to all agencies in the federal government except for the Veterans Health Administration. It applies to all organizations that maintain health care data in any form. It applies to all health care organizations.

Biometrics

Which security measure utilizes fingerprints or retina scans? audit trail encryption authentication biometrics

A specific procedure must be followed for reporting and addressing a lost device.

Which statement is true about mobile device use by health care providers? ePHI should NEVER be stored on mobile devices. Devices should only be owned by the covered entity. A specific procedure must be followed for reporting and addressing a lost device. Mobile devices are exempt from encryption.

discharge summary

You are defining the designated record set for South Beach Healthcare Center. Which of the following would be included? information compiled for use in civil hearing quality reports discharge summary psychotherapy notes

risk assessment

You are looking for potential problems and violations of the privacy rule. What is this security management process called? risk assessment business continuity planning risk aversion risk management

risk assessment.

You are reviewing your privacy and security policies, procedures, training program, and so on and comparing them to the HIPAA and ARRA regulations. You are conducting a risk management. policy assessment. compliance audit. risk assessment.

patient's Social Security number used for credit card applications

You have been asked to create a presentation on intentional and unintentional threats. Which of the following should be included in the list of threats you cite? hard drive failures patient's Social Security number used for credit card applications data loss due to electrical failures due to a hurricane data deleted by accident by an employee who was trying to figure out how to do something

data that is encrypted that makes it unreadable

You have been asked to give an example of secure data. Which of the following will you give as your answer? data that requires a password to access data that is encrypted that makes it unreadable data that requires user name and password access data in a locked room

Encryption

You have been asked to provide examples of technical security measures. Which of the following would you include in your list of examples? training encryption locked doors minimum necessary

Disaster planning

You have been assigned the responsibility of reviewing and revising the contingency plan. Identify what needs to be included. hiring practices disaster planning data quality systems analysis

This is not de-identified information, because it is possible to identify the patient.

You have been given some information that includes the patient's account number. Identify the true statement. This is not de-identified information, because it is possible to identify the patient. This information is a limited data set. This data is aggregate data. This is de-identified information because the patient's name and Social Security number are not included in the data.

Degaussing

You have been given the responsibility of destroying the PHI contained in the system's old server before it is trashed. What destruction method do you recommend? crushing incineration overwriting data degaussing

Risk Determination

You have to determine how likely a threat will occur. What is this assessment known as? control recommendation risk determination impact analysis control analysis

availability.

The three components of a data security program are confidentiality, integrity, and authentication. validity. protection. availability.

legal guardian

ohn is a 45-year-old male who is mentally disabled. Who can authorize release of his health record? John's sister executive of his will John legal guardian

virus checker

The data on a hard drive were erased by a corrupted file that had been attached to an e-mail message. Which of the following can be used to prevent this? encryption acceptance testing virus checker messaging standards

medical and billing information.

The designated record set includes medical information. billing information. demographic information. medical and billing information.

includes health care providers who perform specified actions electronically.

A covered entity is exempt from the HIPAA Privacy and Security Rules. must utilize business associates to conduct business. includes health care providers who perform specified actions electronically. includes all health care providers.

Notice of Privacy Practices (NPP).

A document requirement of health facilities pursuant to HIPAA legislation, that informs patient how a covered entity intends to use and disclose protected health information is called informed consent. incident report. Notice of Privacy Practices (NPP). periodic performance review (PPR).

forensics.

A hacker recently accessed our database. We are trying to determine how the hacker got through the firewall and exactly what was accessed. The process used to gather this evidence is called a security event. mitigation. forensics. incident.

integrity.

A mechanism to ensure that PHI has not been altered or destroyed inappropriately has been established. This process is called integrity. entity authentication. access control. audit controls.

Yes, as long as it has not been released already.

A patient signed an authorization to release information to a physician but decided not to go see that physician. Can he stop the release? No, once the release is signed, it cannot be reversed. Yes, as long as the physician agrees. Yes, as long as it has not been released already. Yes—in all circumstances.

Another person may be harmed by the release.

A patient was denied access to his PHI. He asked for an appeal of the decision and was allowed the appeal. Which circumstance might explain why? Another person may be harmed by the release. Patient is an inmate and release may cause safety concern. The CE is exempt from CLIA. Patient is part of research and has agreed to a temporary suspension of his rights.

the method of destruction.

A record destruction program should include requirement of daily destruction. the method of destruction. the name of the supervisor of the person destroying the records. citing the laws followed.

expiration date.

According to the HIPAA Privacy Rule, valid authorizations require a(n) statement regarding release of psychiatric information. Social Security number. expiration date. statement that the PHR is subject to privacy rule.

creating a password that utilizes a combination of letters and numbers

Alisa has trouble remembering her password. She is trying to come up with a solution that will help her remember. Which one of the following would be the BEST practice? using her daughter's name for her password writing the complex password on the last page of her calendar creating a password that utilizes a combination of letters and numbers using the word "password" for her password

identity theft

An employee in the admission department stole the patient's name, Social Security number, and other information and used it to get a charge card in the patient's name. This is an example of identity theft. disclosure. mitigation. release of information.

developing a plan for reporting privacy complaints

As chief privacy officer for Premier Medical Center, you are responsible for which of the following? writing policies on protecting hardware developing a plan for reporting privacy complaints writing policies on encryption standards writing policies on protecting hardware

system characterization.

Before we can go any further with our risk analysis, we need to determine what systems/information need to be protected. This step is known as risk determination. vulnerability. system characterization. control analysis.

terminating access.

Bob submitted his resignation from Coastal Hospital. His last day is today. He should no longer have access to the EHR and other systems as of 5:00 PM today. The removal of his privileges is known as sanction policy. isolating access. terminating access. password management.

the probability of PHI being compromised is low.

Breach notification is required unless the probability of PHI being compromised is low. the organization does not take Medicare patients. the hacker made an electronic download of the data. the organization is a covered entity.

preparing a summary

HIPAA allows health care providers to charge patients reasonable cost-based charges for copies of their health record. Which of the following is allowed when determining the charge? retrieval fees utilities preparing a summary insurance for the facility

Follow the state law since it is stricter

HIPAA states that release to a coroner is allowed. State law says that the coroner must provide a subpoena. Identify the true statement regarding this situation. Follow the HIPAA requirement since it is a federal law. You must request a ruling from a judge. You can follow either the state law or the HIPAA rule. Follow the state law since it is stricter.

when 500 or more patients are impacted CMS must be notified immediately when 500 or more patients are impacted. Below that number, the notification can be done at the end of the year.

I am creating a presentation on breach notification. What should I tell the attendees regarding when CMS should be notified immediately? when 500 or more patients are impacted when 200 or more patients are impacted when 100 or more patients are impacted when 250 or more patients are impacted

The hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples.

Identify the situation that violates a patient's privacy. The hospital uses aggregate data to determine whether or not to add a new operating room suite. The physician on the Quality Improvement Committee reviews medical records for potential quality problems. The hospital provides patient names and addresses to a pharmaceutical company to be used in a mass mailing of free drug samples. The hospital sends patients who are scheduled for deliveries information on free childbirth classes.

criticality analysis

In a recent review, it was determined that the EHR is essential to the operations of the home health agency. What type of review is this? criticality analysis risk analysis emergency mode operation plan risk assessment

placement of water pipes in the facility

In conducting an environmental risk assessment, which of the following would be considered in the assessment? use of single sign-on technology verifying that virus-checking software is in place placement of water pipes in the facility authentication

unreadable, unusable, and indecipherable.

In order to be secure, data has to be unreadable. unusable. indecipherable. unreadable, unusable, and indecipherable.

network traffic

Intrusion detection systems analyze network traffic. firewalls. authentications. audit trails.

physical

The computer system containing the electronic health record was located in a room that was flooded. As a result, the system is inoperable. Which of the following security measures would be implemented? network transmission physical administrative

Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule.

Mary processed a request for information and mailed it out last week. Today, the requestor, an attorney, called and said that all of the requested information was not provided. Mary pulls the documentation, including the authorization and what was sent. She believes that she sent everything that was required based on what was requested. She confirms this with her supervisor. The requestor still believes that some extra documentation is required. Given the above information, which of the following statements is true? Mary is required to release the extra documentation because the requestor knows what is needed. Mary is required to release the extra documentation because, in the customer service program for the facility, the customer is always right. Mary is not required to release the extra documentation because the facility has the right to interpret a request and apply the minimum standard rule. Mary is not required to release the additional information because her administrator agrees with her.

He can ask to be contacted at an alternative site.

Miles has asked you to explain the rights he has via HIPAA privacy standards. Which of the following is a right that you would explain? He can discuss financial arrangements with business office staff. He can ask a patient advocate to sit in on all appointments at the facility. He can review his bill. He can ask to be contacted at an alternative site.

Notify the patient.

Mountain Hospital has discovered a security breach. Someone hacked into the system and viewed 50 medical records. According to ARRA, what is the responsibility of the covered entity in a reasonable time not to exceed 60 days? Notify CMS. ARRA does not address security breaches Notify FTC. Notify the patient.

psychotherapy notes.

Ms. Thomas was a patient at your health care facility. She has been told that there are some records that she cannot have access to. These records are most likely AIDS records. psychotherapy notes. a mental health assessment. alcohol and drug records.

individually identifiable health information in any format stored by a health care provider or business associate.

Protected health information includes individually identifiable health information in any format stored by a health care provider or business associate. individually identifiable health information in any format stored by a health care provider. only electronic individually identifiable health information. only paper individually identifiable health information

a trigger

Robert Burchfield was recently caught accessing his wife's health record. The system automatically notified the staff of a potential breach due to the same last name for the user and the patient. This was an example of biometrics. a trigger. transmission security. telephone callback procedures.

phishing

The HIM director received an e-mail from the technology support services department about her e-mail being full and asking for her password. The director contacted tech support, and it was confirmed that their department did not send this e-mail. This is an example of what type of malware? virus spyware phishing denial of service

clinical data repository

The HIPAA Security Rule impacts which of the following protected health information? clinical data repository faxed records X-ray films stored in radiology paper medical records

"All employees are required to participate in the training, including top administration."

The administrator states that he should not have to participate in privacy and security training as he does not use PHI. How should you respond? "Did you read the privacy rules?" "You are correct. There is no reason for you to participate in the training." "I will record that in my files so that we will not bother you again on this issue." "All employees are required to participate in the training, including top administration."

logic bomb

The clinic has decided to use mobile technology. Identify the best practice for this technology. Trojan horse logic bomb viruses rootkit

information system activity review.

The company's policy states that audit logs, access reports, and security incident reports should be reviewed daily. This review is known as a(n) workforce clearinghouse. data criticality analysis. risk analysis. information system activity review.

De-identification

The expert determination method is a method of de-identification. disclosure. criticality assessment. emergency mode operation plan.

60 days from October 10

The facility had a security breach. The breach was identified on October 10, 2017. The investigation was completed on October 15, 2017. What is the deadline that the patient notification must be completed? 60 days from October 15 60 days from October 10 30 days from October 10 30 days from October 15

identity theft

The fair and accurate credit transaction act works to reduce security breaches identity theft privacy breaches the number of invalid transations

intrusion detection.

The information system has just notified you that someone has attempted to access the system inappropriately. This process is known as integrity. intrusion protocol. intrusion detection. cryptography.

spoliation

The information systems department was performing their routine destruction of data that they do every year. Unfortunately, they accidentally deleted a record that is involved in a medical malpractice case. This unintentional destruction of evidence is called forensics. a security event. mitigation. spoliation.

digital certificate.

The method of verifying who a public key belongs to is called a(n) secure socket layer. intrusion detection system. digital signature. digital certificate.

Authentication

The nurse needs to look up new physician orders. First, the nurse should confirm that she has access to this information. This process is known as notification. authentication. access control. authorization.

60

The patient has requested an amendment to her heath record. The covered entity, after review with the physician, has decided to deny the request. According to HIPAA, the patient must be notified within how many days? 30 45 90 60

privacy

The patient has the right to control access to his or her health information. This is known as confidentiality. disclosure. privacy. security.

The notice of privacy practices can be mailed to the patient.

The patient was admitted and discharged before a notice of privacy practices could be provided to him. Which of the following is true about notice of privacy practices? The notice of privacy practices can be mailed to the patient. The patient must come back in within 72 hours to sign the document. The covered entity must send someone to the patient's home to get him or her to sign for receipt. You can give him the notice on the next visit.

physical safeguard

The physician office has set the information systems so that they will log out after 5 minutes of inactivity. This is an example of which of the following? cryptography physical safeguard access safeguard administrative requirements

There has been unauthorized alteration of patient information

The physician office you go to has a data integrity issue. What does this mean? Someone in the practice has released information inappropriately There has been unauthorized alteration of patient information a break in attempt has been identified the users access has not been defined

"Certainly, Officer. We will be glad to do that as soon as we have the request in writing."

The police came to the HIM department today and asked that a patient's right to an accounting of disclosure be suspended for two months. What is the proper response to this request? "Certainly, Officer. We will be glad to do that as soon as we have the request in writing." "Certainly, Officer. We will take care of that right now." "I'm sorry, Officer, but we can only do this for one month." "I'm sorry, Officer, but privacy regulations do not allow us to do this."

notify the patient of uses of PHI

The purpose of the notice of privacy practices is to report incidents to the OIG. notify the patient of audits. notify researchers of allowable data use. notify the patient of uses of PHI

a workforce clearance procedure

The supervisors have decided to give nursing staff access to the EHR. They can add notes, view, and print. This is an example of what? the termination process spoliation a workforce clearance procedure an information system activity review

incidental disclosure.

The surgeon comes out to speak to a patient's family. He tells them that the patient came through the surgery fine. The mass was benign and they could see the patient in an hour. He talks low so that the other people in the waiting room will not hear, but someone walked by and heard. This is called a(n) privacy incident. incidental disclosure. violation of policy. privacy breach.

implementation specification.

The term for instructions on how to comply with security standards is known as access control. validation procedures. implementation specification. safeguards.

disclosing information to a family member who is directly involved in care. There are two circumstances when patients have the right to agree or object to disclosure of protected health information. This includes facility directory and disclosing information to family member who is directly involved in care.

There are some circumstances when patients have the right to agree or object to disclosure of protected health information. This includes disclosing information to patient's or covered entities' minister. disclosing information to a family member who is not directly involved in the care. disclosing information to patient's attorney. disclosing information to a family member who is directly involved in care.

redundancy

To prevent their network from going down, a company has duplicated much of its hardware and cables. This duplication is called a business continuity planning. redundancy. an emergency mode plan. a contingency plan.

patient's attorney

To which of the following requesters does a covered entity require patient authorization before releasing PHI? the public health department a business associate patient's attorney the nurse caring for the patient

person authentication.

We have created a method of ensuring that the user is who he or she says he or she is. This process is known as person authentication. intrusion prevention. account lockout. safeguard.

digital signature

What type of digital signature uses encryption? electronic signature encryption is not a part of digital signatures digitized signature digital signature

CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart)

When logging into a system, you are instructed to enter a string of characters. These characters appear distorted onscreen, however. What kind of access control is this? CAPTCHA token biometrics two-factor authentication

a patient right

When patients are able to obtain a copy of their health record, they are using which HIPAA Privacy Rule? required standard a patient right preemption addressable requirement

de-identified health information

Which of the following can be released without consent or authorization? summary of patient care for the latest discharge protected health information de-identified health information personal health information

release to patient's family

Which of the following disclosures would require patient authorization? law enforcement activities workers' compensation release to patient's family public health activities

scanned operative report stored on CD

Which of the following documents is subject to the HIPAA Security Rule? scanned operative report stored on CD paper medical record copy of discharge summary document faxed to the facility

A coder accidently sends PHI to a billing clerk in the same facility.

Which of the following examples is an exception to the definition of a breach? The wrong patient information was sent to the patient's attorney. A coder accidently sends PHI to a billing clerk in the same facility. Information was loaded on the Internet inappropriately. Information was erroneously sent to another health care facility.

scalable.

You work for a 60-bed hospital in a rural community. You are conducting research on what you need to do to comply with HIPAA. You are afraid that you will have to implement all of the steps that your friend at a 900-bed teaching hospital is implementing at his facility. You continue reading and learn that you only have to implement what is prudent and reasonable for your facility. This is called access control. technology neutral. scalable. risk assessment.

Separate the ePHI from the noncovered entity portion of the organization.

You work for an organization that publishes a health information management journal and provides clearinghouse services. What must you do? Separate the ePHI from the noncovered entity portion of the organization. Have the same security plan for the entire organization. Train the journal staff on HIPAA security awareness. Follow the same rules in all parts of the organization.

Write the patient and tell him that you will need a 30-day extension.

Your department was unable to provide a patient with a copy of his health record within HIPAA's 30-day limitation. What should you do? Call the patient and apologize. Write the patient and tell him that you will need a 30-day extension. Call the patient and let him know that you will need a 30-day extension. Write and call the patient to tell him you need a 30-day extension.

data encryption.

Your organization is sending confidential patient information across the Internet using technology that will transform the original data into unintelligible code that can be re-created by authorized users. This technique is called validity processing. data in motion. a firewall. data encryption.

my friends and family can find my room number

i have been asked if i want to be in the the directory. The admission clerk explains that if I am in the directory, my condition can be released to hospital staff only my condition can be discussed with any caller in detail my friends and family can find my room number my condition can be release to the news media