CAHIMS

What is the policy pointer axiom? A. Data should not include the policy rules; the policy rules should point at the data they apply to. B. Data should always be pointed to in policies. C. Policy rules should never point to data. D. None of the above.

A. Data should not include the policy rules; the policy rules should point at the data to which they apply.

What event has led to the surge in cybersecurity threats to healthcare organizations? A. The HITECH act of 2009 B. The passage of HIPAA C. The coordination of regulations from the FDA D. The FTC changes in telehealth

A. The HITECH act of 2009 is the event that has led to the surge in cybersecurity threats in healthcare organizations.

What did the Medicare Access and CHIP Reauthorization Act (MACRA) of 2015 repeal? A. The Sustainable Growth Rate (SGR) Model B. The EHR Incentive Model C. The Physician Quality Reporting System D. None of the above

A. The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) repealed the Sustainable Growth Rate (SGR) model.

The Quality Information and Clinical Knowledge (QUICK) model is composed of: A. Merging the Quality Data Model (QDM) with Virtual Medical Record for Clinical Decision Support (vMR) B. Merging the Query Decision Model (QDM) with Virtual Medical Record for Clinical Decision Support (vMR) C. Merging the Quality Data Model (QDM) with Virtual Medical Record for Clinical Quality Decisions (vMR)

A. The Quality Information and Clinical Knowledge (QUICK) model is composed of merging the Quality Data Model (QDM) with Virtual Medical Record for Clinical Decision Support (vMR).

What process group occurs during all phases of a project's life cycle? A. Monitoring and controlling B. Watching and listening C. Executing and closing D. Planning and finishing

A. The monitoring and controlling process group occurs during all phases of a project's life cycle.

Which US government agency provides the regulatory for device manufacturers and importers? A. NIST B. FDA C. AHRQ D. NIH

B The FDA is the US government agency that provides regulatory framework for device manufacturers and importers.

In what year did cybersecurity become a priority concern for healthcare organizations? A. Cybersecurity has no become an issue for information technology for healthcare organizations. B. Cybersecurity became a priority concern for healthcare organizations in 2011. C. Cybersecurity became a priority concern for healthcare organizations in 2009. D. Cybersecurity became a priority concern for healthcare organizations in 2015.

C,. Cybersecurity became a priority concern for healthcare organizations in 2009 with the passage of HITECH act.

Which of the following is the acronym for the standard used to structure the format of an eCQM? A. QRDA B. Consolidated CDA C. HQMF D. S&I Framework

C. The standard to write an eMeasure is HQMF, the Healthcare Quality Measure Format, an HL7 standard.

Which of the following mitigations do not reduce the impact of a risk? A. Tape backups B. Disaster-recovery plans C. Firewalls D. Encryption E. C and D F. A, B, and C

E. Firewalls and encryption prevent risks but do not lower their impact if they do occur.

HIT large initiative governance has which of the following hallmark(s)? A. It includes and is accountable to all relevant stakeholders. B. Guiding principles based on the organization's mission. C. It is transparent to all constituents to assure decisions are fair and equitable. D. Its project leaders use online collaboration tools to optimize involvement and dissemination. E. All of the above.

E. HIT large initiative governance has the following hallmarks: it includes and is accountable to all relevant stakeholders, with guiding principles based on the organization's mission; it is transparent to all constituents to assure decisions are fair and equitable; and its project leaders use online collaboration tools to optimize involvement and dissemination.

Identify the factors that a computer uses to authenticate a human user. A. Something you are, have, and know B. Something with an image of you on it C. Something that you know, like a secret D. None of the above

A. Authentication factors are something you are (biometric), have (hardware token), or know (password).

Which type of backup clears the archive bit? (Choose all that apply.) A. Daily B. Differential C. Incremental D. Full

A, C, D. Only differential backups do not clear the archive bit. The archive bit is a file attribute that determines whether a file must be backed up. Changes to a file turn on the archive bit, which means the file must be backed up, but unlike incremental and full backups, which clear the archive bit, performing a differential backup does not clear the archive bit, meaning the file will be backed up again during the next backup regardless of whether it has changed.

What is a database management system (DBMS)? A. A set of software programs to control the organization, storage, management, and retrieval of data in a database B. A nonprocedural programming language C. A data security mechanism D. A set of Data Definition Language (DDL) statements

A. A database management system (DBMS) is a set of software programs to control the organization, storage, management, and retrieval of data in a database.

A laboratory information system can interface to a(n) _________________. A. laboratory instrument and instantly report a result of a patient's blood chemistry test to an EHR B. pharmacy system and direct a nurse to administer a unit of blood C. radiology system, resulting in an automatic order for an X-ray D. EHR system by route of a cybersecurity module of the healthcare organization interface engine

A. A laboratory information system can interface to a laboratory instrument and instantly report a result of a patient's blood chemistry test to an EHR system.

Which of the following metrics is used to assess provider performance and/or satisfaction after EHR or HIT go-lives? A. Orders time (average amount of time spent using the ordering tools per patient) B. Issues documentation time (average amount of time spent documenting issues with the system per provider) C. Boot camp time (minutes spent in remediation training per provider) D. Global job satisfaction scores

A. A metric used to assess provider performance and/or satisfaction after EHR or HIT go-lives is orders time (average amount of time spent using the ordering tools per patient).

Which of the following is not true about emergency departments? A. Can refuse treatment to patients who are unable to pay. B. Are designed to provide immediate and life sustaining treatment to patients who are seriously injured. C. Are often overcrowded because many underserved patients used the emergency department as their source for primary care. D. Treat heart attacks, stokes, and traumatic injuries (eg, people in serious traffic accidents)

A. All emergency departments must treat patients regardless of their ability to pay.

Moving data, including PHI, to the cloud has all of the benefits, except: A. Transferring responsibility for security to a third party B. Gaining specialized skillsets and certified personnel C. Access to security tools and techniques with moderate investment D. Professional services like vulnerability and patch management

A. Although any third-party agreement, particularly the business associate agreement, creates a shared responsibility, cloud services can never fully transfer responsibility. The covered entity remains ultimately responsible for the security of the data.

You have been put in charge of performing a risk assessment for a new software product. What should you do first? A. Identify information assets B. Identify the potential safety hazards C. Identify vulnerabilities D. Identify potential impact

A. Always start with identifying what you are trying to protect, i.e., the assets.

An ethernet hub _____. A. is a repeater that cleans up the digital signal B. is another term for a network switch C. replaced switches as a network element D. cannot be used to distribute a digital communication

A. An Ethernet hub is a repeater that cleans up the digital signal. It serves some of the same purposes as network switches but should not be confused with network switches, which perform the same role but have more functionality.

Members of executive leadership must be willing and able to recognize and remove barriers encountered by the EHR and HIT implementation teams. Which of the following is an effective way for them to accomplish this? A. Active involvement on an HIT or EHR steering committee B. Receiving "back channel" communication from important physicians in the organization C. Attending weekly project management meetings D. Sponsoring celebrations upon completion of major project milestones

A. An effective way for members of executive leadership to recognize and remove barriers encountered by the EHR and HIT implementation teams is to be actively involved on a HIT or EHR steering committee.

Which of the following is a true statement about medical screening? A. Performs tests on patients who have no signs or symptoms of a disease with the goal to identify treatable diseases in the very early stages in order to start treatment as quickly as possible and avoid disease progression or complications B. Cannot have "false positive" or "false negative" results C. Is performed when a physician is fairly certain a patient has a particular disease D. Is typically performed on patients suspected of having a disease in order to help the physician make an accurate diagnosis and begin treatment in a timely and cost-effective manner

A. As part of preventive care, medical screening is one of the few healthcare activities targeted at healthy individuals rather than those with a disease.

Which of the following activities are designed to simplify data collection andpublic health department reporting for clinical practitioners? A. The efforts of the ONC and CMS under ACA and MACRA to stimulate adoption of electronic medical records and health information exchange B. HIPAA rules that prohibit sharing data for public health purposes so no activities are allowed C. Neither of the above D. Both of the above

A. By providing subsidies, guidelines, and other incentives for adoption of EMRs and implementation of health information exchange (HIE), the federal government through CMS and the ONC is making it easier for clinical providers to adopt healthcare IT based on clinical information standards that will facilitate reporting data for public health purposes.

C++ is _________________. A. an object-oriented programming language B. a first-generation language C. a markup language D. by Sun Microsystems

A. C++ is an object-oriented programming language that is currently one of the most popular programming languages and is implemented on a wide variety of hardware and operating system platforms.

Characteristics of adult learners include which of the following? A. Are responsible for their learning, are ready to learn when the need arises, and are task oriented B. Are autonomous, need direction, and do not feel responsible for their learning C. A and B D. None of the above

A. Characteristics of adult learners include responsibility for their learning, are ready to learn when the need arises, and are task-oriented.

While a network layer PDU traverses the network, _________________. A. its destination MAC address never changes B. the source IP address is matched to the last gateway it passes C. its destination IP address is changed to that of the first router it encounters D. its source and destination addresses do not change

A. Client-server architecture by definition is many-to-one since the resources are centralized in the server.

Why do clinicians often fail to report disease cases to public health departments? A. Clinicians must take time to fill out paperwork for which they are not reimbursed, and are unaware that certain diseases need to be reported to health authorities. B. Electronic medical record systems are not connected to the Internet, preventing transmission. C. There are no requirements to report diseases to public health agencies. D. All of the above.

A. Clinicians are not always trained to know which diseases need to be reported, and there are few incentives for clinicians to report disease cases other than satisfaction in knowing they are contributing to the common good.

What is the Bureau of Labor Statistics estimate growth in the number of healthcare IT workers through 2018? A. The growth is expected to increase by 20 percent through 2018. B. There is no growth expectations for healthcare IT workers. C. The growth is expected to increase by 50 percent through healthcare. D. A decrease is expected because there is currently a surplus of healthcare IT workers.

A. Employment of healthcare IT professionals is expected to increase by 20% through 2018, according to the Bureau of Labor Statistics

Limiting access is a key component of preventing cyber events. Which of thefollowing is not a recommended practice? A. Encrypting just elevated privileges B. Vaulting elevated privileges C. Applying additional authentication factors to privileges D. Encrypting all privileges

A. Encrypting all privileges, applying multifactor authentication, and vaulting elevated privileges are all recommended practices for limiting access, a key component of making the enterprise more resilient to threat. If hackers cannot get hold of privileges, their task of exploiting the enterprise is exponentially harder.

What is a covered entity that inadvertently discloses protected health information on 500 or more individuals required to do? A. Report a breach to the U.S. Department of Health and Human Services B. Conduct an investigation to recover the data so they do not have to report it C. Contact the patients to see if they have had any credit report issues D. Ensure the records were backed up so there is another copy

A. For disclosures of 500 individuals or more, the covered entity is required to notify the U.S. Department of Health and Human Services.

What aspect of HIPAA security risk analysis covers cybersecurity for medical devices? A. HIPAA currently does not include security risk analysis that covers PHI cybersecurity in medical devices. B. HIPPA covers cybersecurity in the FDA regulations for medical devices. C. The FTC covers the HIPAA regulations for cybersecurity for medical devices. D. HHS covers cybersecurity for medical devices in its OCR regulations

A. HIPAA currently does not include cybersecurity risk analysis that covers PHI in medical devices. However, many devices include personal health information.

HTML is a _________________. A. markup language B. general-purpose programming language C. machine language D. network protocol

A. HTML is a markup language for describing web pages. HTML is not a programming language like Java or C++.

A user clicks an icon on their desktop and then types https://intranet.acme.us/emr to launch an EMR application. This user is using a thin client workstation. Which term best describes the type of EMR client station? A. Web browser client B. Terminal Services client C. Remote Desktop client D. ASP client

A. HTTPS is a web browser protocol. Even though some applications other than web browsers can use HTTPS, a web browser client is the best answer. Remote Desktop (formerly Terminal Services) clients do not normally use HTTPS; they normally use Remote Desktop Protocol (RDP). ASP client is a possible answer, but web browser client is the best answer.

Which of the following is true for hospice care? A. Focusing on managing patient's pain, nausea, and any other discomforts associated with a terminal illnesses (ie when the patient is believed to have less than six months to live). B. Can be provided to patients who are still receiving active treatment for the disease (chemo) C. Is only provided for inpatient setting. D. Is only provided by hospitals.

A. Hospice care is provided to a variety of settings, including the home. The care is focused on palliative care, including the patient's spiritual and emotional needs, and is not intended to cure or treat the patient's illness.

Most disruptive attacks that spread rapidly through an enterprise are aided greatly by a lack of ____________. A. segmentation B. access control C. new hardware D. educated users

A. Lack of segmentation, typical of flat networks, is the biggest enabler of rapidly spreading viruses, ransomware, and other network attacks. Other factors contribute, of course, but lack of segmentation is the chief limiting factor in being able to stop the spread of an attack once it occurs.

How is a system's maintainability defined? A. It can be modified. B. It is fail-safe. C. It is redundant. D. It is rolled over.

A. Maintainability is defined as a system's ability to be modified.

Is the long useful life of medical devices a security concern? A. Yes, because older devices were not designed with today's threats in mind. B. No, because devices get updated on a regular basis. C. Yes, because software tends to become unreliable over time. D. No, because they are designed for robustness and safety.

A. Medical devices often have a useful life of ten years or even longer. As a consequence, older devices were not designed with knowledge of today's cybersecurity threat vectors. Another concern is that older devices may include software components that are no longer supported with security patches.

Kotter provides steps to help achieve successful organizational change. Clinicians are generally accustomed to making evidence-based practice change when new research advances practice on how to detect and diagnose, to test for problems or risks, or to initiate with new interventions or procedures. The change associated with electronic health records must mirror the level of constant change to ensure evidence-based practices are implemented sooner rather than later. Which one of the following least describes this level of systematic change? A. Quality improvement strategies: identify the focus, plan the solution, do the change, study the change through measurement, take action to implement the solution, and reinforce the value of successful change via recruitment and promotion. B. Establish a sense of urgency, build a team with the right people, develop a vision and plan, communicate this, reward and recognize ideas and risk taking, set aims to easily achieve, encourage new projects with change agents, and reinforce the change. C. Build a compelling case for change, identify a team with mix of skills to create direction, share the direction and listen for feedback, remove obstacles, generate short-term wins, encourage determination and persistence, and use change agents to weave change into the culture with successful change. D. Assess change readiness of stakeholders, engage sponsors, develop team competence and plan a clear direction, declutter communications, empower action, recognize wins and don't let up with new project work, and make change stick with change leaders.

A. Often, systematic and cultural change requires more than quality improvement strategies because the change needs to be at an organizational level and systematic. The consequences of one change can impact the practices of others and therefore a team approach with multiple skill sets is needed to plan, measure, and implement changes.

Which of the following is true? A. Accountable-care organizations (ACOs) are delivery system entities that are emerging in response to financial incentives to reduce the cost and improve the quality of healthcare. B. Patient-centered medical homes (PCMHs) are nursing homes that are designed to assist patients to make the transition from hospital care to home care. C. The Medicare Shared Savings Program (MSSP) is a way that Medicare beneficiaries can share in savings that derive from their efforts to take better care of themselves. D. Bundled payment programs are an exciting innovation, but to date there is very little experience with them.

A. PCMHs are primary care practices, with infrastructure designed to coordinate care (primarily ambulatory care, although transitions from hospital to home are important as well); they are not nursing homes. The MSSP is a program that permits providers (and, in particular, ACOs)—not patients/beneficiaries—to share savings with the Medicare program. There is considerable experience with bundled payments already—through hospital DRGs and through Medicare and private- sector pilots and demonstrations from the 1990s and early twenty-first century.

What are the components of RBAC? A. Identity, permission, role B. Consent only C. Permission and consent D. Role and consent

A. RBAC is a binding between an identity, role, and permission. Thus, it does not include consent.

Who did the ONC regional extension centers recruit to help others get over the hurdles of digitizing their medical records? A. Physician champions B. Nurse executives C. Industry researchers D. Hospital CEOs

A. Regional extension centers recruited physician champions to serve as role models and share best practices and lessons learned in becoming meaningful users of EHRs.

Which of the following is not an operational safeguard? A. Reliability B. Configuration management C. Sanctions D. Continuity of operations

A. Reliability is an architectural safeguard, not an operational safeguard.

How is a system's, product's, or component's reliability defined? A. The degree to which a system, product, or component performs specified functions under specified conditions for a specified period of time. B. The measure of the product's safety, efficiency, and effectiveness C. Its ease of use D. Assurance that the product is without fault

A. Reliability is the "degree to which a system, product, or component performs specified functions under specified conditions for a specified period of time"

Which of the following is true regarding clinical information standards that have been adopted to facilitate sharing of data between clinical-care providers and public health departments? A. LOINC codes for clinical observations and the HL7 Clinical Document Architecture have been adopted. B. The United States has yet to adopt clinical information standards to facilitate sharing between clinical-care providers and public health departments. C. All standards being developed are for acute care hospital environments. D. All of the above.

A. Several standards for terminologies (e.g., LOINC) and transport (e.g., HL7 CDA) have been adopted to facilitate exchange of information between clinical- care providers and public health departments.

A state law that is more stringent than the HIPAA Privacy Rule preempts HIPAA. What does stringent mean? A. Stringent is defined as providing greater protection of an individual's PHI or providing an individual greater access to their PHI. B. Stringent is defined as a state law that is in conflict with HIPAA. C. Stringent is defined as covering more serious disclosures. D. Stringent means allowing more enforcement.

A. Stringent is defined as providing greater protection of an individual's PHI or providing an individual greater access to their PHI.

What is the correct definition of telehealth? A. Telehealth is the use of medical information exchanged from one site to another via electronic communications to improve patients' health status. B. Telehealth is the emerging field in medical informatics, referring to the organization and delivery of health services and information using the Web and related technologies. C. Telehealth is the field of informatics using a handheld device. D. Telehealth cannot be defined since it is an evolving method.

A. Telehealth is the use of medical information exchanged from one site to another via electronic communications to improve patients' health status.

What is a key to the success of Tenet's IMPACT governance model (used as a governance example model)? A. Uses a three-tiered organizational structure B. Uses a bottom-up approach C. Engages multidisciplinary staff D. Uses technology effectively

A. Tenet Healthcare's governance model engages the corporation, regional operations, and their hospitals in a coordinated effort as part of the three-tiered organizational structure.

Which is the principal investigative agency in the fight against healthcare fraud? A. FBI B. HHS C. OIG D. HFPP E. OIG F. All of the above

A. The FBI serves as the principal investigative agency involved in the fight against healthcare fraud and maintains jurisdiction over both federal and private healthcare insurance programs.

A(n) ___________ is usually part of the vetting process when a healthcare organization is acquiring a new software system. A. Request for Proposal (RFP) B. Proof of Perquisites (PoP) C. Exit Plan (EP) D. Federal Government Audit (FGA)

A. The Request for Proposal (RFP) is usually part of the vetting process when a healthcare organization is acquiring a new software system.

What does the classic waterfall life cycle do? A. Assumes that most requirements can be obtained early on in the SDLC B. Allows for flexibility in carrying out systems analysis and design activities C. Allows for easily redoing phases D. Is well suited for the development of a complex interactive HIT application

A. The classic waterfall life cycle assumes that most requirements can be obtained early on in the SDLC and that those requirements remain fundamentally static and stable during the entire SDLC.

Who is responsible for creating and implementing regulations relevant to public health? A. Multiple agencies in federal, state, and local governments as well as some territories B. The Office of the National Coordinator for Health Information Technology (ONC) C. The Office of the Assistant Secretary for Planning and Evaluation (ASPE) in the Department of Health and Human Services (HHS) D. The Centers for Disease Control and Prevention (CDC)

A. The essential governmental role in public health is guided and implemented by a variety of federal, state/territorial, and local regulations and laws as well as federal, state/territorial, and local governmental public health departments.

What are the five principles of the plecosystem? A. Exponential growth of platforms, synergy through convergence across platforms, data liquidity, person-centricity of data, and acceleration through open source communities and components. B. There is only one principle of a plecosystem: it can accept sensor data. C. Person-centered data is the sole principle of a plecosystem. D. None of the above.

A. The five principles of the plecosystem are exponential growth of platforms, synergy through convergence across platforms, data liquidity, person-centricity of data, and acceleration through open source communities and components.

What are the broad areas used to categorize health data standards? A. Health data interchange and transport, vocabulary and terminology, content and structure, security B. Health data exchange, structured, content, security C. Terminology, vocabulary, content, privacy D. Nomenclatures, code sets, protocols, and transactions

A. The four broad areas used to categorize health data standards are health data interchange standards (used to establish a common, predictable, secure communication protocol between and among systems); vocabulary standards (standardized nomenclatures and code sets); content standards (used to share clinical information); and security standards (used for authentication, access control, and transmission of health data).

What best represents the future of mHealth inside healthcare facilities? A. Path toward consolidated and value-base care B. Access to TCP Internet usage C. Complete HL7 coverage D. Unified Internet communications

A. The future of mHealth inside healthcare facilities is best represented as a path toward consolidated and value-based care. Some of these innovations include paging and first-responder communication systems.

What is the most commonly used tool for modeling a database? A. Entity relationship diagram B. IDEF-1X C. Object role model D. Spiral developing model

A. The most commonly used tool for data modeling database is an entity relationship model (ERM).

What are some of the near-term wins for the role of genomics in healthcare? A. Diagnosing and treating cancer, diagnosing and treating over 500 known inborn errors of metabolism, pharmacogenomics decision support (selecting drug and dosing based on pharmacogenomics profiles), and early diagnosis and appropriate treatment of infectious diseases (where antibiotic resistance can be detected with initial sequencing). B. It is too early to determine the role of genomics in healthcare. C. The results of the Precision Medicine Initiative will determine the near-term wins for the role of genomics in healthcare. D. The only win will be in pharmacogenomics in selecting drug and dosing based on pharmacogenomics profiles.

A. The near-term wins for the role of genomics in healthcare are diagnosing and treating cancer, diagnosing and treating over 500 known inborn errors of metabolism, pharmacogenomics decision support (selecting drug and dosing based on pharmacogenomics profiles), and early diagnosis and appropriate treatment of infectious diseases (where antibiotic resistance can be detected with initial sequencing).

Which layer of the OSI model is responsible for determining the best routethrough a network? A. Network layer B. Physical layer C. Session layer D. None of the above

A. The network layer is responsible for routing and therefore figuring out the best path through the network.

What does "unsecure PHI" mean? A. PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by OCR B. PHI that is electronic and not encrypted C. PHI that is left in an area where patients and visitors can view the PHI D. PHI that is not totally and completely destroyed

A. Unsecure PHI is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by OCR.

The new push for virtualizing applications, storage, and computing power offers what dimension to your architectural safeguards? A. Scalability B. Data integrity C. Network audit and monitoring D. None of the above

A. Virtualizing applications, storage, and computing power provides the capability to scale as the need and demand for these resources increases.

What standard can be used to harmonize different identity and authentication systems? A. WS-Trust B. WAP C. Wi-Fi D. WEP

A. WS-Trust is the standard used to harmonize different identity and authentication systems.

How can you reverse the unhealthy impacts of environmental disruption? A. Polyfunctional sensors (fixed and mobile), pervasive testing of serum levels of toxic substances, identification of genetic variation in susceptibility, detoxification enzymes, and processes, and big data analytics and visualization methods to suggest correlations. B. Big data analytics and validation of causes alone. C. Wearable sensors alone. D. Big data analytics and visualization of genetic variation alone.

A. You can reverse the unhealthy impacts of environmental disruption with polyfunctional sensors (fixed and mobile), pervasive testing of serum levels of toxic substances, identification of genetic variation in susceptibility, detoxification enzymes, and processes, and big data analytics and visualization methods to suggest correlations.

You are an IT technician for a small rural medical clinic. The attending physician asks for the fastest type of external hard disk storage available for her state-of-the- art laptop. What should you recommend? A. eSATA B. IDE C. USB 2.0 D. FireWire 400

A. eSATA (3 Gbps), USB 2.0 (480 Mbps), and FireWire 400 (400 Mbps) are external disk interfaces; IDE is only internal.

Which two of the following choices accurately describe differences between paper-based medical records and EHRs? A. Paper records are easier to change than EHRs. B. EHRs are easier to change than paper records. C. Paper records exist in substantially greater volumes than EHRs. D. EHRs exist in substantially greater volumes than paper.

B, D. As outlined in Table 17-1, EHRs are easier to change than paper-based medical records and EHRs exist in substantially greater volumes than paper-based medical records.

What is a database model? A. A file processing system B. The structure of a database C. A set of mathematic algorithms D. A database management system (DBMS)

B. A database model is the structure of a database.

What is incident response planning? A. Good business management practice. B. A process approach to prepare for an incident (e.g., a cybersecurity event) that defines responsibilities and the appropriate action to be taken. C. A best practice to make sure patients do not become aware if something goes wrong. D. A replacement strategy for medical devices as they may fail and need to be replaced.

B. A good incident response plan should define responsibilities as well as a standardized process to guide through incident recovery and restoration, forensics, and postmortem. It should not just be internal-focused but also define external activities.

For which reason would a government agency be concerned about mobile devices/apps used to treat or monitor patients? A. The mobile device may be too expensive for the patient. B. The reliability and effectiveness of a mobile app used with a patient could present a potential risk to patient safety. C. Use of mobile medical devices is not yet reimbursable by Medicare. D. Use of a mobile medical app is not consistent with medical guidelines.

B. A government agency would be concerned with the reliability and effectiveness of a mobile app to ensure that it doesn't present a potential risk to patient safety.

A radiologist uses speech recognition software to accomplish which of the following? A. Automatically classify images B. More easily document findings related to images C. Interpret communication from patients and staff members who speak other languages D. Keep track of tasks

B. A radiologist uses speech recognition software to more easily document his or her findings related to the images.

What is a value set? A. A range of numbers that are normal results for laboratory tests B. A set of codes chosen by a measure developer to define a data element in a measure C. The relative strength of recommendations as supported by evidence for the interventions expected in a quality measure D. The combination of a measure's validity, reliability, and feasibility that describes its potential use in value-based purchasing programs

B. A value set is a set of codes chosen by a measure developer to define a data element in a measure.

What caused the lack of clinician adoption and resistance toward use of CPOE in 2001 at a major West Coast academic medical center? A. Insufficient funding B. Insufficient information and inadequate training on clinical decision support tools C. Lack of leadership D. Poor implementation

B. A well-known West Coast academic medical center experienced significant resistance to its CPOE implementation because it provided insufficient information and inadequate training on CDS tools, and this proved to serve as a strong lesson-learned case example for the industry on the importance of effective communication on CPOE and EHR implementation projects.

Which of the following describes a way of using health information systems in a manner not originally designed, resulting in unplanned and unexpected outcomes? A. Workflows B. Workarounds C. Tracking issues D. Flowcharts

B. A workaround is a way to use the electronic health records, other information system, or paper-based alternatives in an unintentional way. A common example is the use of nursing communication orders in place of actual departmental orders to communicate the need for a specific test. A delay occurs while the nurse contacts the physician to determine and place the correct order, with the continued risk of miscommunication. The department misreads the test and completes the test incorrectly, resulting in invalid results, and the patient needs a repeat test for diagnostic accuracy.

Big Bull Community Hospital signs an agreement with a "cloud" vendor to host their applications and data. The vendor will provide storage and continuity-of- operations support to include disaster recovery. As a covered entity subject to HIPAA law, Big Bull must insist on all of the following, except A. PHI should not be stored on shared resources with other tenants' data. B. Adequate bandwidth for data availability is a HIPAA requirement. C. Disaster recovery requirements are not lessened because other tenants compete for resources or have lesser recovery requirements. D. Big Bull should require the cloud vendor to sign a business associate agreement.

B. Adequate bandwidth is a concern, but it is not applicable to HIPAA requirements.

Which is an example of an object-oriented diagram that depicts overall system requirements? A. Sequence diagram B. Use case diagram C. Data flow diagram D. Entity relationship diagram

B. An example of an object-oriented diagram that depicts overall system requirements is a use case diagram.

Given the ACA supplement, what is the minimum FMAP that will qualify a state for the maximum eFMAP? A. 83% B. 67.14% C. 85% D. 100%

B. Between 2016 and 2019 the maximum allowed eFMAP is 100 percent; thus, to find the answer, the following algebra equation must be solved for x: x + 0.30 × (100% − x) + 23% = 100%

Given the ACA supplement, what is the minimum FMAP that will qualify a state for the maximum eFMAP? A. 83% B. 67.14% C. 85% D. 100%

B. Between 2016 and 2019 the maximum allowed eFMAP is 100 percent; thus, to find the answer, the following algebra equation must be solved for x: x + 0.30 × (100% − x) + 23% = 100%

When may a CE disclose a limited data set? A. If the CE is contracting with an outside vendor to conduct marketing on behalf of the CE B. Only for the purposes of research, public health, or healthcare operations C. When requesting payment from a health plan D. If the CE is contracting with an outside vendor to conduct fundraising on behalf of the CE

B. CEs may use or disclose a limited data set only for the purposes of research, public health, or healthcare operations.

What are the most common mHealth platforms? A. Smartphones, electronic tablets, and remote technologies B. Cellular networks, wireless networks, and mobile devices C. Electronic tablets, mobile devices, and cellular networks D. Remote technologies, smartphones, and wireless devices

B. Cellular networks, wireless networks, and mobile devices are the most common mHealth platforms.

The HIT professional is involved in the analysis of workflow processes. Which of the following is not a list of roles, responsibilities, and tools of the HIT professional to accomplish this analysis to avoid workarounds and to find solutions? A. Provide updates on tasks/deliverables; document issues within analytical tools/ database to follow; monitor usage and track unexpected outcomes of harms. B. Define and prioritize healthcare requirements and standards for care within the workflow; provide strategies to best use technology to efficiently retrieve and document clinical processes; know the healthcare standards for safety and quality requirements for clinical practice. C. Evaluate implemented solution with business requirements for interoperability; develop documentation requests for information and maintain documentation on the compatibility of software, hardware, and network components to evolve the EHR use cases in the future (i.e., information exchange) for continuity of care; apply approved data management and information practices. D. Identify and track project activities; participate in development of proposed recommended approaches and solutions; recognize major risks or benefits associated with different solutions.

B. Central to the role of clinicians (not HIT professionals) is to define and prioritize healthcare requirements and standards for practice within the workflow; provide strategies to best use technology to efficiently retrieve and document clinical processes; and know the healthcare standards, safety, and quality requirements for clinical practice. Each healthcare professional must ethically and legally provide care according to their state's or country's (if outside of the US) professional practice act and their scope and standards of practice for their specialty practices. HIT professionals would not be expected to fully understand the scope of practice for each clinical discipline or their respective specialties.

Clinical documentation templates _________________. A. cannot vary across clinical or medical specialties B. include required fields to foster compliance with regulations or standards C. can accommodate any possible permutation of healthcare D. should not be used, as the best practice for clinical documentation is free text entry

B. Clinical documentation templates include required fields to foster compliance with regulations or standards.

What are the document creation and retention requirements for CEs? A. CEs are required to retain medical records for a minimum of six years. B. CEs are required to create and retain for a minimum of six years all disclosures, complaints, mitigations, compliance reviews, and EHR audit reports. C. All document retention requirements are for one year only. D. CEs are required to retain all elements of PHI information indefinitely.

B. Covered entities are required to create and retain for six years all disclosures, complaints, mitigations, compliance reviews, and EHR audit reports.

What is not the reason for creating a data mart? A. Lowering cost B. Providing more business functions C. Improving end-user response time D. Creating a collective view for a group of users

B. Creating a data mart is not for providing more business functions.

Due to the increase in use and importance of the electronic health record (EHR) in healthcare organizations, _________________. A. non-EHR systems are no longer needed B. non-EHR systems usually interface or integrate with the EHR system C. non-EHR systems have been entirely replaced by EHR modules D. non-EHR systems have not proliferated

B. Due to the increase in use and importance of the EHR in healthcare organizations, non-EHR systems usually interface or integrate with the EHR system.

What is federated identity? A. It includes the concepts of authentication, authorization, and identity. B. It provides a mechanism for communicating claims of identity and authentication to a relying party in a way that can be understood and trusted. C. Identity can never be federated. D. None of the above.

B. Federated identity keeps local the identity management task by providing a mechanism for communicating claims of identity and authentication to a relying party in a way that can be understood and trusted.

Which of these is the most recent of the HIPAA amendments? A. HITECH Act B. Omnibus Final Rule C. Privacy Rule D. Security Rule

B. HIPAA as written in 1996 has had several updates over the years, called amendments. The most recent is the HIPAA Omnibus Final Rule, which went into effect in September of 2013.

While there are more physical thefts and loss of data events, hacking still represents the biggest risk because: A. It is the most damaging B. It represents the largest risk of compromised records C. It is conducted by cybercriminals D. It is bad for business

B. Hacking as of 2015 now represents the greatest risk to patient information from a compromised records perspective. While physical theft and loss still account for the majority of events, hacking, by a wide margin, accounts for the greatest number of records compromised.

Which of the following does not represent a business value of health data standards? A. Reduced costs B. Decreased worker productivity C. Reduced manual intervention D. Ability to validate deployed systems

B. Having health data standards for data exchange and information modeling will provide a mechanism against which deployed systems can be validated. Reducing manual intervention will increase (not decrease) worker productivity and streamline operations. Defining information exchange requirements will enhance the ability to automate interaction with external partners, which will reduce costs.

After troubleshooting a software application problem, you discover that the vendor has a link on its website to download a script file that solves the problem. When you click the link, instead of downloading the script file, you are asked to provide your e-mail address so that you can be sent the script file. What term best describes this script file? A. Service pack B. Hotfix C. Update D. Patch

B. Hotfixes are solutions to very specific problems and are not normally publicly available for download like service packs, updates, and patches typically are. Many vendors will send you an e-mail message with details on how to obtain the hotfix.

Human factors can be defined as what? A. The study of making more effective user interfaces to computer-based systems B. The field that examines human elements of systems C. The group of methods that can be used to make systems more usable D. The study of technology-induced errors

B. Human factors broadly examines human elements of systems, where systems represent physical, cognitive, and organizational artifacts that people interact with (e.g., computers).

What should systems be designed to do if they fail? A. Roll over to a different system B. Do no harm to the patient C. Contain backups D. Contain an audit of failures

B. If a system fails, it should be designed to do no harm to the patient.

In Java, _________________. A. the syntax is not similar to C++ B. bytecodes are the machine language of the Java Virtual Machine C. the same program cannot run on different machines D. you use Microsoft Word to edit the source program

B. In Java, bytecodes are the machine language of the Java Virtual Machine.

Which of the following statements is correct? A. Authorization is a way of identifying a user before access is granted. B. A database administrator puts integrity controls on the database to ensure that data are kept consistent and correct. C. Data breaches mean that data, applications, or networks are unavailable to database users. D. Data security is not important in the database system design.

B. Integrity controls keep the data consistent and correct by means of controls that a database administrator puts on the database.

Which of the following best describes academic health centers? A. Any healthcare venue where research is performed B. Usually a portion of a major university where hospital(s) are co-located with schools such as medicine, nursing and pharmacy. C. Limited to one institution per state. D. Required to conduct federally funded research or lose accreditation

B. It is a hospital or health system that has a formalized relationship with a university. Academic health centers usually support the training of many of the health professions, support and conduct research, and offer care not widely available in the regions they serve.

What is the level of assurance of identity proofing that requires the presentation of a government-issued identity but does not require verification of that government-issued identity? A. Level 1 B. Level 2 C. Level 3 D. Level 4

B. Level 2 requires presenting government-issued identification that includes your full name, picture, and address or nationality; it does not require that the identity be proven as authentic.

What innovations are driving new roadmaps, workflows and algorithms in the delivery of healthcare? A. Mobile health alone B. Mobile devices, genetics, genomics, telehealth C. Ever-increasing delivery of services via the internet, including EHRs as hosted services D. None of the above

B. Mobile devices, genetics, genomics, and telehealth are driving roadmaps, workflows and algorithms in the delivery of care.

What enforcement action can OCR take if a CE violates provisions of HIPAA's Administrative Simplification provisions? A. OCR has no enforcement authority. B. OCR may levy up to $50,000 for any level of violation with a maximum of $1.5 million per calendar year for the same type of violation. C. OCR may levy up to $25,000 for any level of violation with a maximum of $500,000 per calendar year for the same type of violation. D. The penalty depends on the severity of the disclosure.

B. OCR may levy up to $50,000 for any level of violation with a maximum of $1.5 million per calendar year for the same type of violation.

What are the privacy rights afforded patients pursuant to the HIPAA Privacy Rule (45 CFR Part 164, Subpart E)? A. The maximum rights of quality, efficiency, and effectiveness. B. Patients must be informed of disclosed PHI other than for treatment, payment, and healthcare operations. C. The patient has the right to request a copy of their legal medical record. D. The patient has the right to register a complaint with the U.S. Department of Health and Human Services, Office of the Inspector General.

B. Patients must be informed of disclosed PHI other than for treatment, payment, and healthcare operations.

You are asked to measure how often doctors in your network evaluate a newborn baby's home environment for factors that might put them at risk. The factors include lead paint in the home; if the baby's mother has been screened for postpartum depression; if she has been screened and tested positive and is under treatment; and if there are pets in the home. You cannot find specific fields in your EHR for each of these items. What actions do you take? A. Immediately add fields to the EHR patient demographic section for Yes/No/ Not Applicable responses to (1) lead paint in the home, (2) mother screened for depression, (3) if depressed mother is on treatment, and (4) pets in the home. B. Request input from an appropriate group of practicing clinicians to determine the workflow to capture and evaluate such information and implement a solution consistent with existing best practice to which the majority agree. C. Immediately add fields to the EHR patient demographic section for Yes/No/ Not Applicable responses to (1) lead paint in the home and (2) pets in the home, and you look in the family history section of the EHR for evidence of depression in the mother. D. Search the literature to find a screening tool shown to work for another organization and implement it directly in your EHR.

B. Request input from an appropriate group of practicing clinicians to determine the workflow to capture and evaluate such information and implement a solution consistent with existing best practice to which the majority agree. Adding additional fields to "hardwire" a solution has the

How is scalability defined? A. A system that allows integration of multiple patient records B. A system capable of growth C. A system that is geographically diverse D. A system that provides multiple layers

B. Scalability means a system is capable of growth.

Are medical devices at risk of a malicious cyberattack? A. No, because they typically are not connected to an open network. B. Yes, because of their many software vulnerabilities. C. No, because even hackers would not stoop that low. D. Yes, but such an attack is highly unlikely.

B. Security researchers, healthcare providers, and government agencies have conducted medical device security testing and demonstrated vast vulnerability due to poor security design practices.

Motion detectors are considered to belong to which of the following classes of environmental controls? A. Fire suppression B. Surveillance C. Security lighting D. UPS

B. Surveillance includes cameras, motion detectors, alarms systems, and other devices.

In syndromic surveillance, public health departments capture which type(s) of data from healthcare providers electronically? A. Diagnostic codes representing the diseases affecting patients seen by the providers B. Symptoms or prediagnostic data representing reasons why the patient visited the providers C. Laboratory results representing confirmed diseases in patients who visit the providers D. Statistical data from hospitals on the number of patients who come in with signs of the flu

B. Syndromic surveillance focuses on prediagnostic data, sometimes referred to as "chief complaints," to provide preclinical diagnoses of specific diseases to inform monitoring of overall trends.

Which of the following mitigations does not reduce the likelihood of a risk? A. Antivirus B. Tape backups C. Awareness and training D. Access controls

B. Tape backups reduce the impact but not the likelihood of a risk by making sure that the information can be restored quickly.

Which of the following is true of the insurance mandate in the Affordable Care Act? A. It will mean that the federal government and the states will no longer need to provide Medicaid. B. One of its goals was to increase the efficiency of insurance by bringing more (and lower-risk) Americans into the insurance risk pool. C. It is unconstitutional, because the federal government cannot require Americans to buy anything (even health insurance). D. It does not support delivery system innovations such as ACOs.

B. The Affordable Care Act intended to increase the efficiency of insurance by bringing more (and lower-risk) Americans into the insurance risk pool.

The HIPAA Omnibus Final Rule specifically defines which of these? A. Unauthorized disclosures B. Business associates C. Cloud providers D. Minimum penalties

B. The HIPAA Omnibus Final Rule of 2013 has a dramatic, important feature. It clearly identifies that anyone performing services subject to HIPAA law on behalf of a covered entity is a business associate. This significantly reduced any confusion from third parties who had any action in handling PHI for the covered entity.

Which of the following organizations is involved in the development of health data interchange standards? A. American Medical Association (AMA) B. Institute of Electrical and Electronics Engineers (IEEE) C. American Nurses Association (ANA) D. National Library of Medicine (NLM)

B. The Institute of Electrical and Electronics Engineers (IEEE) has developed a series of standards that focus on telecommunications and information exchange between systems, including local and metropolitan area networks.

Which three programs does the Merit-based Incentive Payment System aim to streamline to substantially change the way practitioners are reimbursed? A. Physician Quality Reporting System (PQRS), Physician Vendor-based Payment Modifier (VM), and Medicare EHR Incentive Program for Eligible Practitioners (EPs) B. The Merit-based Incentive Payment System (MIPS) aims to streamline Physician Quality Reporting System (PQRS), Physician Value-based Payment Modifier (VM), and the Medicare EHR Incentive Program for Eligible Professionals (EPs) to substantially change the way practitioners are reimbursed. C. Physician Querying Release System (PQRS), Physician Value-based Payment Mediator (VM), and Medicaid EHR Incentive Program for Eligible Professionals (EPs)

B. The Merit-based Incentive Payment System (MIPS) aims to streamline Physician Quality Reporting System (PQRS), Physician Value-based Payment Modifier (VM), and the Medicare EHR Incentive Program for Eligible Professionals (EPs) to substantially change the way practitioners are reimbursed.

Which U.S. government agency regulates the release of medical devices and assures their safety and effectiveness? A. FTC B. FDA C. DHS D. FCC

B. The U.S. Food and Drug Administration (FDA) regulates firms who manufacture, repackage, relabel, and/or import medical devices sold in the United States through its Center for Devices and Radiological Health (CDRH).

Which agency of the government has the Value Set Authority Center (VSAC)? A. AHRQ B. NLM C. FDA D. CMS

B. The Value Set Authority Center (VSAC) is in the National Library of Medicine (NLM).

During which step of the ADDIE model is it appropriate to write the learning objectives? A. Analyze B. Design C. Develop D. Implement

B. The design step of the ADDIE model includes writing the objectives.

What part of the continuum of care is affected by genetics and genomics? A. None of the continuum of care components is affected. B. The continuum of care from preconception to death. C. The continuum of care from a diagnosis to death. D. The continuum of care from diagnosis to treatment.

B. The entire continuum of care from preconception to death is affected by genetics and genomics.

What are the four main components of HCI? A. Software, task, subtask, human factors engineer B. Technology, task, user, context of use C. Software, hardware, user, outcome D. User, user interface, human factors engineer, usability testing lab

B. The four main components of HCI are the technology itself, the task, the user of the technology, and the context of use of the technology.

The importance of genomics in healthcare is to: A. Understand the genetics in healthcare B. Facilitate risk identification and diagnosis and establish prognosis and symptom management C. Plan for the future of healthcare D. Understand the actions of each gene

B. The importance of genomics in healthcare is to facilitate risk identification and diagnosis and to establish prognosis and symptom management.

What is a preferred method for creating an eCQM for use in a clinical setting? A. Scour the literature, find a clinical guideline, develop value sets and create the measure using QDM in the Measure Authoring Tool, then pilot the measure in a clinical setting. B. Identify the clinical outcomes most significant to the patient population seen by your organization, meet with local clinical experts to evaluate best practices to achieve those outcomes, incorporate capturing the required data as part of routine clinical workflow and assure it works, then prototype the measure for review prior to entering it into the Measure Authoring Tool for testing. C. Identify the clinical outcomes most significant to the patient population seen by your organization, meet with local clinical experts to select the most relevant clinical guideline, identify existing value sets in VSAC and create new ones as needed, then enter the measure into the Measure Authoring Tool for testing and modification of clinical workflow. D. Select a measure that already exists and consider how to adjust local clinical workflow to capture the required data, retrieve it, and measure.

B. The most preferred method for creating an eCQM is to identify the clinical outcomes most significant to the patient population seen by your organization, meet with local clinical experts to evaluate best practices to achieve those outcomes, incorporate capturing the required data as part of routine clinical workflow and assure it works, then prototype the measure for review prior to entering it into the Measure Authoring Tool for testing.

Which operational process is most critical to the effectiveness of a broad range of security technical safeguards? A. System activity review B. Identity management C. Incident procedures D. Secure e-mail

B. The operational process most critical to the effectiveness of a broad range of security technical safeguards is identity management.

Which of the following principles is used by two-factor authentication to grant physical access to systems? A. Something you have B. Something you know C. Both A and B D. Neither A or B

B. The principle of "something you know" covers passwords and personal identification numbers (PINs), as opposed to "something you have," which covers an access-control device such as a key fob or badge or a part of your person such as a fingerprint or retina.

What are the three levels of interoperability? A. Structural, pseudonym, and biological B. Foundational, structural, and semantic C. Semantic, workflow, and classification D. Technological, structural, and foundational

B. The three levels of interoperability are foundational, structural, and semantic.

A PDU has what basic structure? A. A beginning delimiter and ending delimiter with a payload between these two delimiters B. A beginning delimiter and ending delimiter, source address and destination address fields, a control field, a payload field, and an error check field C. Source address and destination address fields and a payload D. A control field and a payload

B. There are seven basic fields: a beginning delimiter and ending delimiter, source address and destination address fields, a control field, a payload field, and an error check field.

Which of the following is true of the Medicare program? A. All Americans older than 64 must participate. B. The distribution of its beneficiaries across insurance products is very different from private insurance. C. It has, since its inception, covered hospital care, ambulatory care, and prescription drugs. D. All of the above.

B. Traditional (open-access, FFS) care dominates Medicare. That is very rare in the private sector. The distribution of its beneficiaries across insurance products is very different from private insurance.

Which of the following is not true? A. Usability testing can be conducted inexpensively in hospitals. B. Usability testing should be conducted only by human factors engineers. C. Lack of user input in design and testing is one of the biggest causes of system implementation failure. D. Nurses and physicians should be involved in systems design.

B. Usability testing can be conducted by professionals with varied backgrounds and not just by human factors engineers. Usability engineering methods have become more widely known and have been simplified and used by different types of IT and health professionals.

Which of the following is not true about Agile design? A. Ensuring end user satisfaction is the highest goal. B. Requirements should not be changed after the system design phase is complete. C. Time-boxing can be used to drive iterative cycles of development. D. The best designs often emerge from self-organizing teams, so this should be encouraged.

B. Using the Agile approach, changes to requirements are welcome throughout the entire process of system development, even during later stages and after initial system design has been completed

How can the gap between science and action be closed to address the crippling disorders of lifestyle? A. There are no innovative tools that can close the gap between science and action to address the crippling disorders of lifestyle. B. Start in early life to develop healthy habits of sleeping, eating, exercise, and social health and use modern motivational tools and techniques to personalize the behavioral program for each individual and create a digitally enhanced "behavioral symphony of wellness." C. Develop new empathy tools for patients. D. None of the above.

B. We close the gap between science and action to address the crippling disorders of lifestyle by starting in early life to develop healthy habits of sleeping, eating, exercise, and social health and use modern motivational tools and techniques to personalize the behavioral program for each individual and create a digitally enhanced "behavioral symphony of wellness."

What is it called when one system asks another to enforce a policy fragment? A. Liability B. Obligation C. Commitment D. Permission

B. When a sending system needs a receiving system to enforce a policy fragment, and it knows that the receiving system can enforce this policy fragment, then it would convey the policy fragment using an obligation. An obligation might be explicit or implied.

When developing content using presentation software, good design principles include which of the following? A. An abundance of animation and a variety of background colors B. Consistency and uniformity of text and font sizes C. Excessive use of graphics and text to convey the message ("eye charts") D. Cartoons and humor to hold the learner's attention

B. When developing content using presentation software, good design principles include consistency and uniformity of text and font sizes.

Which of the following does not accurately describe the Office of the National Coordinator for Health Information Technology? A. Is responsible for setting policies and standards for, as well as promoting the use of, health IT in the United States B. Charges fines to physicians or hospitals that do not comply with its health IT regulations C. Is also known as "the Office of the National Coordinator" or "the ONC" D. Is organizationally located within the Office of the Secretary for the U.S. Department of Health and Human Services (HHS)

B. While the ONC defines many of the technological criteria and coordinates across federal and nonfederal partners, the Center for Medicare and Medicaid Services, as the largest payer of healthcare in the United States, has created incentives for providers to adopt (and penalties for providers who do not adopt) HIT under the Meaningful Use program of the ACA, and will continue to do so under MACRA.

You can use _________________ to edit a C program. A. Microsoft Word B. TextPad C. Microsoft PowerPoint D. Microsoft Excel

B. You can use TextPad to edit a C program. Adobe Dreamweaver, Microsoft WordPad, and Microsoft Notepad are other text editors that can be used to edit C programs.

When should you perform a privacy risk assessment? A. At the start of a project B. At the start, middle, and end of a project C. At the end of a project D. In the middle of a project

B. You should conduct a risk privacy assessment at the start, middle, and end of a project.

How many connections would be needed to fully connect six people? A. 6 B. 15 C. 12 D. 18

B. n × (n - 1)/2 = 6 × (6 - 1)/2 = 15 connections would be needed to fully connect six people.

What does FMEA stand for? A. Federal management event archives B. Failure management event archive C. Failure mode and effects analysis D. None of the above

C. FMEA is the acronym used for failure mode and effects analysis.

A compiler is a _________________. A. set of machine codes B. programming language C. program that transforms language source codes into machine-specific instructions D. sequences of binary 1s and 0s

C. A compiler is a program that transforms language source codes into machine-specific instructions. The code is then saved as an executable computer-readable file.

A distributed data warehouse _________________. A. stores all aggregated data in a single physical storage location B. is also called online analytical processing (OLAP) C. usually consists of several department data marts D. consists of snapshot and longitudinal databases

C. A distributed data warehouse usually consists of several department data marts.

Which of the following is a dedicated network that provides access to consolidated, block-level data storage? A. Servers B. NAS C. SAN D. SD card

C. A storage area network (SAN) generally provides access to consolidated, block- level data storage, generally in the form of storage devices, such as disk arrays, tape libraries, and optical jukeboxes, accessible to servers so that the devices appear to the operating system to be locally attached devices.

Which of the following is an example of an administrative control? A. Firewall B. Fence C. Organizational policy D. Security guard

C. An organizational policy is an example of an administrative control.

Why is avoiding a risk the least desirable type of mitigation? A. Because it doesn't work to reduce the impact of the risk B. Because it doesn't work to reduce the likelihood of the risk C. Because all the positive opportunities associated with the avoided action are also lost D. Because risks are impossible to avoid

C. Avoiding a risk often involves cancelling a feature, or even a whole project, resulting in the loss of the opportunities presented by the feature or project.

For a project manager to accurately estimate the time, cost, and resources necessary to achieve a project's objectives, what will the project manager need to do? A. Understand what is required and decide who needs to be involved B. Prioritize project activities C. A and B D. None of the above

C. For a project manager to accurately estimate the time, cost, and resources necessary to achieve a project's objectives, the project manager will need to understand what is required, decide who needs to be involved, and prioritize activities and tasks.

Which of the following workflows should be addressed during an EHR implementation? A. Pharmacy prescription dispensing B. Disaster preparedness C. Handoffs between clinical care teams D. Executive leadership participation in important project meetings

C. Handoffs between clinical care teams should be addressed during an EHR implementation.

What is the critical fact about healthcare data that separates it from other data? A. It is large. B. It is detailed. C. It can't be changed or revoked. D. There is nothing special about healthcare data.

C. Healthcare data can't be changed or revoked, thus it is extra important to protect against inappropriate disclosure. Healthcare data also are often used to make life-critical or lifesaving decisions.

Integrating the Healthcare Enterprise (IHE) has developed a mechanism for registering and searching products that support IHE profiles. What is this mechanism called? A. IHE Technical Framework B. Consolidated CDA guide C. IHE Product Registry D. IHE Integration Statements

C. IHE maintains the Product Registry as a mechanism for registering and searching products that support IHE profiles. The registry includes IHE Integration Statements, which are documents prepared and published by vendors that describe the conformance of their products with the IHE Technical Framework.

Which of the following are not insurance products commonly offered in the United States? A. Traditional/open-access health insurance plans B. Preferred Provider Organizations (PPOs) and Health Maintenance Organizations (HMOs) C. Independent Practice Associations (IPAs) and Patient-Centered Medical Homes (PCMHs) D. Consumer-Directed Health Plans (CDHPs) and Health Savings Accounts (HSAs)

C. IPAs are groups of individual physicians and medical practices that provide services to managed-care organizations. PCMHs are medical practices that have put in place the infrastructure needed to coordinate care. IPAs and PCMHs will often contract with managed-care organizations (in particular, PPOs and HMOs), but they do so to provide care (not to provide insurance).

Effective communication programs support the goal of achieving the Institute of Medicine's six aims for improvement in quality care delivery. Which of the following is not one of the six aims? A. Effective B. Safe C. Noteworthy D. Equitable

C. In the Institute of Medicine's 2001 seminal report, "Crossing the Quality Chasm: A Health System for the 21st Century," six aims for improving the quality of healthcare were identified as safe, equitable, effective, patient-centered, timely, and efficient.

In the relational database model, _________________. A. a table name is used to uniquely identify a column B. the primary key is used to identify a column in one table that refers to a column in another table C. tables are the basic unit of data storage D. Data Control Language (DCL) statements can commit or roll back the processing of transactions

C. In the relational database model, tables are the basic unit of data storage.

What best describes wireless communications? A. Networks that provide faster performance B. Networks that support only the Internet C. Mobile computing devices that connect with networks in multiple ways D. New technology transfers high bit rates

C. Mobile computer devices that connect with networks in multiple ways best describes wireless communications. Technologies used to wirelessly communicate with mobile devices include mobile telecommunication such as Wi-Fi.

Which of the following is a true statement about mobile learning? A. It is now a preferred method of learning. B. It should be an option for all courses developed. C. It is not yet fully developed. D. None of the above.

C. Mobile learning is not yet fully developed.

Which of the following is not typical of how external attacks are initiated? A. Phishing B. Social engineering C. Brute-force attack D. Water-cooler attack

C. Most hacking starts with social engineering, phishing, or water-cooler type attacks because they are easier and less risky.

Which piece of hardware allows multiple network devices to be plugged in? A. Router B. NIC C. Switch D. Domain controller

C. Network devices plug into a switch so that they can communicate. Routers interconnect different networks; network devices do not plug directly into a router. Network interface cards (NICs) allow devices to communicate on a network. Domain controllers are Windows servers that can service domain user logon requests; they hold a copy of the Active Directory database that replicates to other domain controllers.

What authentication standard is best paired with FHIR®? A. SOAP B. kAuth C. OAuth D. Password

C. OAuth is considered the best security protocol for use with HL7 FHIR® along with HTTPS. Note that client certificates and SAML are also used.

Which is a method to articulate the tasks, time, manual work, delays, and multiple variations that exist within care processes for a discipline or with a reporting process associated with many departments? A. Modeling workflow based on scope of professional practice standards B. Simulation C. Observation of daily activities D. Lean strategy, Six Sigma, and continuous improvement E. Business process management and modeling tools

C. Observation of workflow will help identify some gaps, the time involved, and delays, but this method alone will not help clinicians and IT professionals in discerning all potential interactions and gaps in practice workflows.

Of the following, which is the appropriate approach to operational safeguards for a healthcare organization to require from a cloud services provider? A. Sign a contract to transfer security responsibility to the cloud services provider B. Reduce impact of data breach by contracting with multiple cloud service providers and spread data stores out across all of them C. Complement the cloud services provider's security offerings with the healthcare organization's use of a CASB D. Ensure an exact copy of the data is maintained within the healthcare organization's computing environment to prevent data loss

C. Of the choices, using a cloud access security broker (CASB) is a great approach to maintaining the required level of information security controls on the cloud (outsourced) environment.

In general, how does Medicare pay physicians? A. Based on what physicians charge B. Based on fees that are negotiated with physicians C. Based on a fee schedule that is based on the resources required to deliver different services D. On a capitated (per-member per-month [PMPM]) basis

C. Physicians are paid based on the Medicare fee schedule, which in turn is based on a resource-based relative value scale (RBRVS).

Which of the following can directly affect a system's reliability? A. Organizational policies B. Employee training C. Poor coding practices D. Unauthorized access

C. Poor coding practices can create vulnerabilities that can affect system reliability.

Healthcare services are organized by many service lines of care such as surgical or obstetrical (i.e., maternal-child) services. Within each service, processes are organized such that they can be replicated across many services. Which of the following does not describe the healthcare general processes within venues of healthcare services? A. Registration, admission, daily care coordination, shift change, discharge B. Surgical preoperative visit, surgery, postoperative, same-day discharge C. Registration, dining, coding, billing, reporting D. Check-in, laboratory testing, radiology test, chemotherapy infusion visit, depart E. Emergency triage, registration, assessment, examination, education, discharge

C. Processes within most venues have a well-defined start and endpoint and include a number of service lines during the episode of care. This option does not include any processes for care delivery, whereas the others depict general processes to consider where patient data and information are being collected from the patient and used to plan and deliver care.

Project management techniques are useful tools for healthcare IT project managers to have because it helps them do what? A. Teach their project team how to cut corners so they can get their work done more quickly B. Manage computer projects better C. Facilitate the planning, scheduling, and controlling of projects D. Execute healthcare IT projects without having to create a plan

C. Project management knowledge and techniques are useful tools for healthcare IT project managers to have because it helps them to facilitate the planning, scheduling, and controlling of projects.

The thing that makes ransomware particularly troublesome for healthcare is: A. It encrypts data B. It involves negotiating with an extortionist C. It undermines the health system's ability to provide care D. It only attacks health systems

C. Ransomware has become a very real threat to healthcare because it does affect directly healthcare's ability to deliver care by disrupting its systems, communications, and data.

What does SAML do? A. Provisions user accounts B. Makes access control decisions C. Defines an identity claim D. Provides an audit logging system

C. SAML defines a way to convey an identity and authentication claim from one party to a relying party.

You are asked to convert a patient paper chart to an EMR. What type of hardware should you use? A. Printer B. NIC C. Scanner D. USB keyboard

C. Scanners can digitize physical paper documents such as patient charts. Printers do the opposite; they take digital data and print onto a physical medium such as paper. NICs allow connectivity to a network. A USB keyboard plugs into a USB computer port (older keyboards have a different plug that plugs into a computer PS/2 keyboard port).

What is the predecessor of Transport Layer Security (TLS)? A. Triple DES (3DES) B. Pretty Good Privacy (PGP) C. Secure Sockets Layer (SSL) D. Data Encryption Standard (DES)

C. Secure Sockets Layer is the predecessor to TLS, though both are frequently referred to as SSL. They are cryptographic protocols that provide communications security over a computer network.

Which of these statements best describes the relationship between security and privacy? A. The terms are synonymous. B. Security deals with cybercriminals, whereas privacy does not. C. Security helps protect individual privacy. D. Privacy is a security mechanism.

C. Security helps protect individual privacy.

Which of the following is an important consideration for creating order sets? A. They should only be created after go-live. B. Since physicians sign the order sets, they should be the only clinical care team members involved in their development. C. Since order sets have a significant effect on the work of many different care team members, representatives of those disciplines should participate in order set development. D. Order sets should be evidence-based and as such should never be adjusted for local healthcare organization reasons.

C. Since order sets have a significant effect on the work of many different care team members, representatives of those disciplines should participate in order set development.

Which of the following is not a provision of the Affordable Care Act (ACA): A. Requires all Americans to have a basic form of health insurance or pay a federal tax penalty B. Allows a young adult to continue coverage on their parents' health insurance up to the age of 26 C. Requires all Americans to see only physicians assigned to them by the federal government D. Ends preexisting condition exclusions so that insurance companies cannot refuse to insure an applicant due to an existing medical condition

C. The ACA includes many provisions but attempts to preserve patient choice of insurance plan and providers within the insurance plan's provision.

The HIPAA Security Rule requires PHI to be encrypted in which circumstance? A. If the PHI will be transmitted over an open network. B. If the PHI is stored on a USB drive. C. If the risk of the exposure of PHI that is stored or transmitted is significant, such as when stored on mobile devices or emailed to an entity or individual outside of the CE or BA's network environment. D. All PHI must be encrypted at all times.

C. The HIPAA Security Rule requires the encryption of PHI when PHI is transmitted over an open network, if the risk of exposure of stored PHI is significant. This would include the need to encrypt the PHI when stored on mobile devices or portable media and, wherever feasible, when the PHI is stored in an application, such as when PHI is stored in an electronic health record.

What are the correct processes, procedures, standards, and practices governing the creation, handling, usage, and sharing of health information called? A. Technical standards B. Administrative safeguards C. Operational safeguards D. Physical standards

C. This is the definition of operational safeguards.

The OCR published a new series of FAQs in 2016 to educate individuals about which of the following? A. Procedures for enrollment in the Health Insurance Marketplace B. How to file a discrimination complaint C. Individuals' rights to access their health information D. Fines and penalties for HIPAA violations

C. The OCR published the new set of FAQs to educate individuals about their rights to access their health information. The Privacy Rule generally requires HIPAA covered entities (health plans and most healthcare providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more designated record sets maintained by or for the covered entity.

The best way to conduct a needs assessment is to do which of the following? A. Conduct a survey B. Conduct a focus group or structured interview C. A and B D. None of the above

C. The best way to conduct a needs assessment is a survey or a structured focus group.

From a regulatory perspective, what are the differences between what a BA is required to adhere to when it comes to the HIPAA rules and what a CE must adhere to? A. There are no differences. B. The BA is required to adhere to the HIPAA Privacy, Security, and Breach Notification Rules, but the CE is not required to adhere to any of them. C. The BA is required to adhere to the use and disclosure provisions of the HIPAA Privacy Rule and the full Security and Breach Notification Rules, and the CE is required to adhere to the Privacy, Security, and Breach Notification Rules and the other HIPAA Administrative Simplification provisions. D. The BA is required to adhere to the full Security and Breach Notification Rules, and the CE is required to adhere to the Privacy, Security, and Breach Notification Rules and the other HIPAA Administrative Simplification provisions.

C. The business associate is required to adhere to the use and disclosure provisions of the HIPAA Privacy Rule and the complete Security and Breach Notification Rules, and the covered entity is required to adhere to the Privacy, Security, and Breach Notification Rules and the other HIPAA Administrative Simplification provisions.

Which of the following best describes a business relationship manager (BRM) in a healthcare IT department? A. The information systems department manager who handles human relations issues B. A quality improvement professional C. The person representing the needs of the clinical and nonclinical departments to the HIT department D. The person representing the needs of the vendors to the HIT department

C. The business relationship manager (BRM) is usually the person representing the needs of the clinical and nonclinical departments to the HIT department.

Which of the following is a major clinical system, whether a stand-alone system interfaced with the EHR system or a module of the EHR system? A. Supply chain system B. Patient relationship management system C. Clinical laboratory system D. Revenue cycle system

C. The clinical laboratory is a major clinical system, whether it is a stand-alone system interfaced with the EHR or a module of the EHR system.

Which of the following is considered a potential negative issue with cloud computing in healthcare? A. The high cost of setting up cloud computing B. Lack of easy accessibility to data resources C. Privacy and confidentiality of health data stored on a cloud D. Need for advanced technical knowledge

C. The confidentiality and privacy of data must be considered when using a cloud-based solution for healthcare applications involving the storage of health data.

The current consent management landscape is separated into which of thefollowing three components and maturity levels? A. Phase I, Current State: Consent is captured on paper forms. Phase II, Current Growth: This phase is experiencing both paper collected manually as well as consent captured electronically from the beginning. Phase III, Future State: Consent is collected electronically and structured data are collected through a nonstandard process. B. Phase I, Current State: Consent is captured on paper forms. Phase II, Current Growth: This phase is experiencing both paper collected consent and then entered into the system manually. Phase III, Future State: Consent is collected electronically and structured data are collected through a standard process. C. Phase I, Current State: Consent is captured on paper forms and is then scanned and stored into a healthcare IT system. Phase II, Current Growth: This phase is experiencing both paper collected consent and then entered into the system manually as well as consent captured electronically from the beginning. Phase III, Future State: Consent is collected electronically and structured data are collected through a standard process. D. Phase I, Current State: Consent is captured on paper forms and not scanned and stored into a healthcare IT system. Phase II, Current Growth: This phase is experiencing both paper collected consent and then entered into the system manually. Phase III, Future State: Consent is collected electronically and structured data are collected through a nonstandard process.

C. The current consent management landscape is separated into the following levels of maturity: Phase I Current State: Consent is captured on paper forms and is then scanned and stored into a healthcare IT system. Phase II Current Growth: This phase is experiencing both paper collected consent and then entered into the system manually as well as consent captured electronically from the beginning. Phase III Future State: Consent is collected electronically and structured data are collected through a standard process.

What has incentivized the uptake of healthcare information technology in the United States? A. FDA regulations for drug manufacturing B. The insistence of the US population on identity management and quality C. The financial incentives in the HITECH Act D. The inability of paper based charts to accommodate the volume of healthcare information

C. The financial incentives of the HITECH Act have incentivized the uptake of healthcare information in the United States.

Why is the healthcare IT industry motivated to adopt and implement legislated, government-developed standards into proprietary information systems and related products? A. Government-developed standards are more suitable for general, private-sector use. B. Maintenance of government-developed standards is typically on a fast pace. C. Government-developed standards typically enable compliance with regulations. D. Bureaucratic overhead is lessened with government-developed standards.

C. The healthcare IT industry is motivated to adopt and implement government- developed standards into proprietary information systems and related products in order to be in compliance with these regulations and achieve a strong market presence.

Which of the following is a network device usually located on each floor (sometimes more than one per floor) in a larger building? A. MDF B. DMZ C. IDF D. Both A and C

C. The intermediate distribution frame (IDF) is usually placed in the data closet, while the main distribution frame (MDF) is more centralized and located in the data center or other communications area of the facility.

The process of moving project activities out until resources are available, even if it means the project end date slips, is called what? A. Time-critical leveling B. Scheduling adjusting C. Resource-critical leveling D. Project leveling

C. The process of moving tasks out until resources are available, even if it means the project end date slips, is called resource-critical leveling.

With the arrival of the digital age, innovations in ______________ have enriched communications options to support successful healthcare IT integration. A. Speech communications B. Transportation services C. Mobile devices and social media D. Fiber-optic cable

C. These two types of innovations have strengthened communication options, increasing the success of EHRs and other healthcare IT.

Which of the following is not one of Nielsen's heuristics? A. Allow for error prevention. B. Support recognition rather than recall. C. Use bright colors to be aesthetically pleasing. D. Allow for flexibility and efficiency of use.

C. Using bright colors is not one of Nielsen's heuristics.

How do we architect an infrastructure for continuous learning? A. Feedback from sensors and avatars. B. Bring analytics as close to the source data as practical. C. Accordion model of learning, filter noise out close to the source, bring analytics close to the source, identify triggers, and leverage evidence-based practice. D. None of the above.

C. We architect an infrastructure for continuous learning by the accordion model of learning, filter noise out close to the source, bring analytics as close to the source data as practical, identify triggers that allow the accordion to reopen to "old noise" and discover a new "signal" within it as new knowledge and technologies emerge, and leverage a virtuous cycle of evidence-based practice and practice-based evidence.

Why is Web 2.0 (or current Internet) technology becoming popular in education and training? A. Younger generations are familiar with this technology. B. Many frameworks exist for the use and incorporation of this technology into training. C. Research is beginning to show the effectiveness of this technology in collaborative learning.

C. Web 2.0 technology is increasingly popular in education and training because initial research is showing its effectiveness in collaborative learning.

Which of the following statements is correct? A. XML was designed to display data with a focus on how the data appears. B. The tags used in XML are predefined. C. XML tags are designed to be self-descriptive and not predefined. D. A well-formed XML document is also a valid XML document.

C. XML tags are designed to be self-descriptive and not predefined. Document authors must define their own tags.

How should you mitigate the risk of phishing? A. Education and awareness B. E-mail filtering C. A and B D. None of the above

C. You mitigate the risk of phishing with education and awareness and e-mail filtering.

Black-box testing refers to what? A. Testing the internal logic of a health information system B. Testing system components in isolation C. Testing system components in an integrated manner D. Testing systems without considering underlying program logic

D. Black-box testing refers to testing systems without considering underlying program logic.

Which standards organization developed the Health Quality Measure Format? A. The ONC Standards Committee B. ANSI C. NCQF D. HL7

D. HL7 is the standards organization that developed the Health Quality Measure Format (HQMF).

What are the typical parts of a comprehensive security risk management program? A. Risk definition, assessment, and mitigation B. Vulnerability, threat, and impact analysis C. Replacement cost versus remaining life expectancy D. Risk analysis, assessment, and mitigation

D. A complete and comprehensive risk management program should include the steps of risk analysis (threats, vulnerabilities), risk assessment (likelihood, impact), and risk mitigation (reducing risk through technical or administrative controls or financial protection such as insurance). Note that acceptance of risk is also a possible outcome, but should always be supported by a conscious decision process and an understanding of the possible impact.

When determining the appropriate location of PCs in your organization, which of the following should you consider? A. Security of the location B. Ability to view the screen C. Whether privacy screens are available D. All of the above

D. All PCs, specifically those used to access sensitive information, should be placed in locations where only the intended viewers of the data can see it. They should also be located in a place that would make it impossible for an unauthorized person to simply pick up the device and walk out without being observed. If a device must be placed in a more public space, consider using privacy screens to allow only a limited field of view of the data being displayed.

What can hospitals do to protect their medical devices from cybersecurity risks? A. Buy only secure devices. B. Make sure that devices are always password protected. C. Nothing, because regulations prevent them from doing anything. D. Network segregation architecture, network-based security, security event monitoring, and device patching.

D. Although hospitals are typically prevented from making changes to the actual devices without manufacturer approval, they can improve their devices' security posture through network segregation architecture, network-based security and event monitoring, secure handling, and configuration maintenance (including patching).

A medical record is generally admitted as evidence into a court of law under the ______________. A. HIPAA rule B. Hearsay rule C. Federal Rule of Civil Procedure 37(e) D. Federal Rule of Evidence 803 E. All of the above F. None of the above

D. Although medical records are considered to be hearsay in the eyes of the court, they generally are admitted as evidence on other grounds. The most common way in which medical records are admitted as evidence into a court of law is through FRE 803, which is titled Exceptions to the Rule Against Hearsay.

EMR systems can be hosted by which third-party entity? A. ISP B. NIC C. SAN D. ASP

D. An application service provider (ASP) provides application services to its clients. The hardware and software installation, configuration, and maintenance are the responsibility of the ASP, not the client; the client pays a fee to use the service, such as an EMR system. An Internet service provider (ISP) is a company that provides subscribers or other users access to the Internet. A NIC allows connectivity to a network. A storage area network (SAN) is a specialized high- speed storage network used by servers.

Are vendors required to adhere to HIPAA? A. Yes, if the vendor contracts with a CE. B. Only if the vendor is a software vendor or a cloud services vendor that uses, discloses, maintains, or transmits PHI on behalf of a CE. C. Only if the vendor has not passed a HIPAA certification course recognized by OCR. D. Only if the vendor uses, discloses, maintains, or transmits PHI on behalf of a CE or another BA.

D. Any vendor who uses, discloses, maintains, or transmits PHI on behalf of a CE or another BA is required to adhere to HIPAA.

Apple iOS or Google Android is a _________________. A. webpage design language B. wording system C. compiling language D. mobile device operating system

D. Apple iOS and Google Android are mobile device operating systems.

Why is employer-provided education and training for employees necessary? A. Compliance requirements change or their interpretation changes. B. Healthcare organizations are responsible for the actions of their employees. C. Consumers are becoming more aware of the requirements that healthcare organizations must comply with. D. All of the above.

D. As compliance requirements age, they are often changed, or the interpretation of specific requirements might change. Additionally, these changes often enact fines and penalties, and although often the individual might be held accountable for noncompliance, in most cases the healthcare organizations are also responsible for the actions of their employees. Lastly, and this is often a good thing, consumers are becoming more aware of the requirements that healthcare organizations must comply with and therefore are more likely to make an effort to ensure accountability.

What is the name of the agency that oversees the privacy and security of health data collected by entities not regulated by HIPAA? A. FTC B. CMS C. FDA D. No federal agency has been designated to oversee the privacy and security of health data collected by entities not regulated by HIPAA.

D. At the present time, oversight gaps exist between HIPAA covered entities that collect health date from individuals and entities that are not regulated by HIPAA but also collect health data. There is no federal agency with oversight for the latter group.

When New York State used data standards to develop their emergency-department data-collection system, which of the following outcomes resulted? A. Need for additional resources B. Dissatisfied users C. Ambiguous data requirements D. Positive return on investment

D. By using data standards to develop their emergency-department data-collection system, New York State completed their project on time without additional resources and generated a positive return on investment. The use of standards provided the basis for consensus between the hospital industry and the state, a robust pool of information that satisfied the users, and the structure necessary to create unambiguous data requirements and specifications.

Which of the following principles is not included in the globally accepted principles for standards development set forth in ANSI's United States Standards Strategy? A. Transparency B. Openness C. Consensus D. Complexity

D. Complexity is not included in the set of globally accepted principles for standards development. The nine principles are transparency, openness, impartiality, effectiveness and relevance, consensus, performance based, coherence, due process, and technical assistance.

What is the best way to address risks introduced by big data? A. Risk analysis B. Risk mitigation C. De-identification D. All of the above

D. De-identification is a key mitigation in addition to risk analysis and mitigation for any big data initiatives.

Which of the following is not a principle of privacy? A. The purpose for data collection should be known, limited, and stated. B. An individual (patient) should have the right to see the data that has beencollected and correct it if it is found to be inaccurate. C. The data should be controlled against any inappropriate use or access. D. The data must be digitally signed.

D. Digital signatures are not a principle of privacy. Digital signatures are used to provide proof of provenance, or proof of action. They might be used to sign a privacy consent.

EHR downtimes can occur due to _________________. A. temporary loss of network connectivity B. malfunction of interfaces C. scheduled time to perform system upgrades D. all of the above

D. EHR downtimes can occur due to temporary loss of network connectivity, malfunction of interfaces, and scheduled time to perform system upgrades.

How would you mitigate the risk of clinical decision support data being sent through a wi-fi network that may be accessed by unauthorized individuals? A. Encryption B. Awareness and training C. Change the network configuration D. A and C E. B and C

D. Encrypting the data will make it harder to access, as will changing the network so that the data is not sent over the public Wi-Fi.

In a healthcare office environment, which of the following applications must be considered as possibly having sensitive data included within its storage media? A. E-mail B. Scheduling C. Billing D. All of the above

D. Even though a healthcare office may have policies in place that prohibit the use of e-mail for communications with the patient about specific sensitive healthcare diagnoses and so forth, the fact is that users and patients could be including this in their communications. As a result, you should assume that e-mail data must be stored with the same security controls as other sensitive data systems. Clearly, patient scheduling and billing applications contain personally identifiable data as well as protected health information.

What evidence-based approaches will guide how we implement virtual care? A. Individual patient's preference for communication tools alone will be the best approach. B. Explicit methods for balancing between NLP and NLU voice capture. C. There are no ways that evidence-based approaches guide virtual care. D. Evidence basis of which form of care is most effective for an individual at a point in time, based on their complete health history as well as their current problem, patient's preferences for communication tools, and explicit methods for balancing between the evidence and the patient preference when they are in conflict.

D. Evidence-based approaches that will guide how we implement virtual care include using an evidence basis of which form of care is most effective for an individual at a point in time, based on their complete health history as well as their current problem, the individual patient's preference for communication tools, and explicit methods for balancing between the evidence basis of effectiveness and the individual patient preference, when they are in conflict.

Which of the following lists two examples of alternative payment models? A. Bundled payment model and synchronized payment model B. Bundled payment model and integrated payment model C. Integrated payment model and accountable-care organizations D. Bundled payment model and accountable-care organizations

D. Examples of alternative payment models are the bundled payment model and accountable-care organizations.

FHIR stands for: A. Fast Healthcare Interoperability Reasons B. Fast Healthcare Interactive Resources C. Frequent Health Integrated Resources D. Fast Healthcare Interoperability Resources

D. FHIR stands for Fast Healthcare Interoperability Resources.

Which of the following does not accurately describe Federally Qualified Health Centers (FQHCs)? A. Healthcare organizations that receive enhanced reimbursement from Medicare and Medicaid if they meet a number of requirements B. Include such examples as Community Health Centers that focus on underserved populations, Migrant Health Centers that focus on workers who move frequently, and Health Care for the Homeless Centers that focus on homeless adults and children C. Target underserved populations, charge a sliding-scale fee based on income, and have ongoing quality assessment programs D. Any health center that receives reimbursement from Medicare or Medicaid

D. FQHCs are established by a very specific federal program. There are many health centers that share many characteristics with FQHCs but do not meet all of the program requirements and, therefore, are not FQHCs.

Finance and operations systems are used for which of the following? A. Clinical decision support B. Clinical case management C. Priority management D. Billing

D. Finance and operations systems are used for billing.

Name five of the platform types in the plecosystem? A. Data, API, financial support, Internet, consumer service B. Data, economic, Internet, consumer, and API C. API, data, economic, Internet, and consumer D. Experience, financial support for entrepreneurs, economic platforms, cognitive platforms, and sociocultural/geopolitical/value/ethical platforms

D. Five of the platform types in the plecosystem are experience, financial support for entrepreneurs, economic platforms, cognitive platforms, and sociocultural/ geopolitical/value/ethical platforms. Service, data, and APIs are also platform types, but not sole platform types.

8. HL7 v2 _________________. A. is no longer used B. has the majority of implementations because vendors discounted prices greatly C. is exhaustive and rigorous because it has an RIM D. has the majority of implementations because adoption was a design goal and the developers purposely made it flexible in order to get that adoption

D. HL7 v2 has the majority of implementations because adoption was a design goal and the developers purposely made it flexible in order to get that adoption. Another factor is that it was the first and only standard for ten years until HL7 v3 was written.

The cyber threats facing healthcare today include which of the following? A. Extortion B. Hacktivism C. Espionage D. All the above

D. Healthcare organizations today face cyber threats in the form of extortion attempts, wholesale theft of data for espionage, as well as long-term exploitations and hacktivism when groups do not like positions that the organizations have taken on social issues.

Interoperability can be more rapidly advanced through coordinated, joint standards-development efforts. Which of the following is a recent example of such a joint effort between CDISC and NIH/NCI, the FDA, and HL7? A. EHR System Functional Model B. Precision Medicine Initiative C. Consolidated CDA D. BRIDG model

D. In a recent, joint standards-development effort, the Clinical Data Interchange Standards Consortium (CDISC) published the BRIDG model. This model was produced and developed through the joint efforts of the National Institutes of Health (NIH)/National Cancer Institute (NCI), the Food and Drug Administration (FDA), and Health Level Seven International (HL7).

Which of the following are life-cycle phases of large-scale health information technology changes? A. Workflows with workarounds and testing the technology with users B. Planning, implementation, quality monitoring, and improvement C. Planning, training, testing, implementation, and closure D. Planning, implementation, stabilization, optimization, and transformation

D. In summary, with large-scale HIT change, the stakeholders are involved from project conception with planning; implementation; feeling a sense of normalcy within the clinic or hospital (stabilization); optimizing practices; and embracing the change and fully using the data to determine performance to advance practice with transformation.

Which of the following is true? A. Individuals pay a relatively small percentage of the annual cost of their insurance. B. Individuals pay a copayment that is a relatively small percentage of the cost of most services they use. C. Individuals with private health insurance—particularly those with employer- sponsored health insurance—pay (and are likely to pay in the future) a larger share of the cost associated with their healthcare than individuals with Medicare or Medicaid. D. All of the above.

D. Individuals with private insurance typically pay less than 25 percent of their annual premium, and Medicare and Medicaid enrollees pay less than that. Similarly, copayments—though rising and often perceived as high—are typically far less than the cost of the service provided. As costs (and therefore insurance premiums) rise, insurance products are evolving to shift costs to individuals, both to reduce the employer (or public) contribution to care and to create an incentive for individuals to use care wisely.

In general, how does Medicare pay hospitals? A. Based on what hospitals charge for each service they provide B. Based on fees that are negotiated with hospitals for each service they provide C. Through a shared savings program that rewards hospitals for saving money D. Through a "bundled payment" system that offers a fixed price for all hospital services delivered during a hospital stay

D. Medicare has paid hospitals for more than two decades using diagnosis- related groups (DRGs) that cover hospital—but not physician—services provided during a hospital stay. Increasingly, hospital reimbursement can be enhanced (or threatened) by quality performance. The Medicare Shared Savings Program (MSSP) is a voluntary program that gives hospitals (through establishing accountable-care organizations) the opportunity to improve profitability by generating savings (but only if they reduce their own production costs as well).

The security officer at Methodist Hospital expressed concern with a proposal to host a utilization management application serviced by a global cloud provider company. Which of these could be her valid concern? A. PHI cannot be used by non-US personnel. B. Global companies do not have to abide by US contracts. C. PHI cannot be translated into foreign languages. D. Global companies may be out of HIPAA jurisdiction.

D. One of the several concerns with off-shoring PHI to international third parties is the fact that they are likely not subject to U.S. law, including HIPAA.

Which subcommittee of the HIT Standards Committee was dedicated to ensuring that what is being asked of the greater health-system and physician- practice communities is actually feasible in terms of adoption and meaningful use? A. Operations B. Strategic Planning C. Public Relations D. Implementation

D. Out of six subcommittees of the ONC-HIT Standards Committee, the Implementation subcommittee has a strong public communications strategy and maintains an active liaison role with the HIT Policy Committee.

What is the purpose of PHP: Hypertext Preprocessor (PHP)? A. It was designed to protect data security. B. It defines an XML structure. C. It cannot run efficiently on different computer platforms. D. It is a server-side scripting language where the scripts are executed on the server and returned to the browser as plain HTML.

D. PHP: Hypertext Preprocessor (PHP) is a server-side scripting language where the scripts are executed on the server and returned to the browser as plain HTML.

What is rapid prototyping? A. It involves iterative cycles of development and testing. B. It is often associated with object-oriented development approaches. C. It is useful in designing complex or highly interactive systems. D. All of the above. E. None of the above.

D. Rapid prototyping involves iterative cycles of development and testing, is often associated with object-oriented development approaches, and is useful in designing complex or highly interactive systems.

In the United States, responsibility for collecting and sharing data on population health is distributed at what organizational level(s)? A. Federal (e.g., CDC) B. State and territorial C. Local (e.g., county and city health departments) D. Federal, state, and local

D. Responsibility for data collection and sharing in public health is shared by federal, state, and local health departments.

Rogers' theory called diffusion of _________________ has been used as a change management framework to guide healthcare EHR implementation projects. A. electronic health records B. electronic medical records C. transformation D. innovations E. technology

D. Rogers' theory called diffusion of innovations has been used as a change management framework to guide healthcare EHR implementation projects.

Which of the following provides the fastest data transfer rate? A. USB 3.0 B. FireWire 800 C. IDE D. SATA 3.0

D. SATA 3.0 is rated at 750 MBps (6 Gbps), USB 3.0 at 625 MBps (5 Gbps), FireWire 800 at 100 MBps (800 Mbps), and IDE at 133 MBps.

Successfully monitoring and detection of cyber events in the future will likely involve which of the following? A. Use of advanced detection systems with behavioral-based approaches B. Advanced event correlation and analysis C. Partnering with a managed security service provider for expertise D. All the above

D. Successful monitoring requires the integration of many systems, with advanced detection capabilities, and the use of advanced correlation and analysis tools like SIEM. This task, for most organizations, has grown too complex, and requires 365/24 coverage, which most cannot provide, making partnering with a managed security services provider (MSSP) necessary.

Where can the guidelines be found for pharmacogenomics evidence? A. There is no evidence in pharmacogenomics. B. There is evidence in the FDA guidelines for genomics. C. There is evidence in the AHRQ guidelines for disease treatment. D. The CPIC guidelines contain the pharmacogenomics evidence.

D. The Clinical Pharmacogenomics Implementation Consortium (CPIC) guidelines contain the pharmacogenomics evidence.

The passage of the 21st Century Cures Act lays forth which of the following? A. Interoperability and healthcare IT standards B. A new era in the evolution of the nation's healthcare delivery system and information infrastructure C. HIPAA provisions for access to PHI in research D. All of the above E. None of the above

D. The Cures Act is a milestone piece of legislation in the evolution of the nation's health information infrastructure and the future of healthcare.

What is the purpose of the FDA premarket and postmarket cybersecurity guidance documents pertaining to medical devices? A. They inform medical device manufacturers about expected future regulations. B. They define what hospitals should consider when they buy a new device aswell as when they discard a device at the end of its useful life. C. They define what security requirements manufacturers need to meet for a device in clinical trials. D. They provide guidance on device manufacturers' cybersecurity responsibilities prior to market release and after market release of a medical device.

D. The FDA's premarket (October 2014) and postmarket (December 2016) guidance documents lay out the agency's interpretation of existing regulation with regard to medical device manufacturers' cybersecurity responsibilities as they release a new product to the market (premarket) and maintain its security posture once it is released and in use (postmarket).

The HIPAA Security Rule prescribes four standards for physically safeguarding electronic health information protected under HIPAA. Which four are they? A. Redundancy,failover, reliability, and availability B. Isolation, simplicity, redundancy, and fail-safe design C. Interoperability, facility-access control, cloud control, and device control D. Facility-access controls, workstation use, workstation security, and device and media controls

D. The HIPAA Security Rule prescribes four standards for physically safeguarding electronic health information protected under HIPAA: facility-access controls, workstation use, workstation security, and device and media controls.

The Omnibus Rule expanded the number of entities who are required to adhere to HIPAA. Which new category of entity was added to entities that are required to adhere to HIPAA? A. SaaS vendors B. Vendors who contract with CEs and have access to PHI C. Vendors who contract with a CE or a BA and who can view PHI D. Vendors who contract with a CE or a BA and who use, disclose, maintain, or transmit PHI on behalf of the CE or BA

D. The Omnibus Rule expanded the type of entities that are required to adhere to HIPAA. The new category of entities are BA subcontractors who use, disclose, maintain, or transmit PHI on behalf of a CE or a BA.

The Precision Medicine Initiative cohort that is composed of one million or more Americans will provide researchers with the ability to do which of the following? A. Develop new disease classifications and relationships B. Identify the causes of individual differences in response to commonly used drugs C. Empower study participants with data and information to improve their own health D. All of the above

D. The PMI cohort of one million or more Americans will provide researchers with the ability to develop new disease classifications and relationships, identify the causes of individual differences in response to commonly used drugs, and empower study participants with data and information to improve their own health.

What approaches enhance data capture and usability? A. Enhanced sensor data only B. Enhanced video capture only C. Enhanced capture and analytics of genomic data only D. Enhanced voice capture with real-time NLP and NLU, enhanced video capture with real-time video analytics, and enhanced capture and analytics of haptics-based data as well as the increasing array of noninvasive sensor data

D. The approaches to enhancing data capture and usability are through enhanced voice capture with real-time NLP and NLU, enhanced video capture with real- time video analytics, and enhanced capture and analytics of haptics-based data as well as the increasing array of noninvasive sensor data.

The benefits of using a learning management system (LMS) to implement a training program include all of the following except which one? A. Automatic tracking of user grades and participation B. Incorporation of SCORM standards C. Administrative management D. Turnkey technology

D. The benefits of using a learning management system (LMS) to implement a training program include all of the options given except that it is not turnkey technology.

Which of the following is not a user interface metaphor? A. The desktop metaphor B. The document metaphor C. The patient chart metaphor D. The command-line metaphor

D. The command line is not a metaphor; it does not represent some other object in the world.

What components are included in an information assurance policy? A. Rules for protecting confidential information B. Rules for assigning roles and making access-control decisions C. Individual sanctions for violating rules for acceptable behavior D. All of the above

D. The components in an information assurance policy include rules for protecting confidential information, rules for assigning roles and making access-control decisions, and individual sanctions for violating rules for acceptable behavior.

Why does genetic and genomic information require big data storage and analytics? A. Quality cost data has to be included in documenting genetics/genomic information. B. State and national healthcare data are needed. C. It is costly to pay for the genetics/genomics data. D. The diagnosis and analysis data involved in genomics requires the integration of several large databases, oftentimes requiring cloud computing.

D. The diagnosis and analysis involved in genomics requires the integration of several large databases. An actionable treatment course cannot be selected until the genes and pathways involved in the abnormality have been researched in multiple public and private databases. Both the clinical actions and the biologic actions need to determine the relevance to the treatment. These involve heuristic tools, curated and annotated databases, genomic tumor databases, and other knowledge bases that include outcome databases, genomic registries, integrative analysis tools, and machine learning systems. And in many cases, there are several possible treatment alternatives to a particular abnormality.

Which of the following is not one of the four goals of the HITECH Act? A. Savings B. Investment in HIT infrastructure C. Government oversight D. Establishment of the Health Insurance Marketplace

D. The establishment of the Health Insurance Marketplace is not one of the four goals of the HITECH Act. The four main goals of the HITECH Act are government oversight, investment in HIT infrastructure, savings, and the establishment and enforcement of stricter federal privacy and security laws.

What are the operations on a class of objects that make up a permission? A. Identity, authentication, authorization, and consent B. Authentication, authorization, and identity C. Consent, identity, and authorization D. Create, read, update, delete, and execute (aka CRUDE)

D. The fundamental actions that make up a permission are create, read, update, delete, and execute (aka CRUDE).

Which one of the functional areas of an application data interchange is notconsidered a main functional area? A. The interface engine B. The integrated development environment (IDE) C. The management console D. Mobile smartphone-mediated management

D. The interface engine, integrated development environment (IDE), and management console are considered the three main functional areas of an application data interchange. A mobile app that supports smartphone-mediated management may be an option. Another management console option that is not listed in the choices is a web-based dashboard.

What is the purpose of a work breakdown structure? A. To create a diagram of all the people on the project team and what work they will do B. To break the project down so that the scope of the project is decreased and the project can be executed more quickly C. To create a visual representation of the project so everyone can understand the purpose of the project D. To break the project's work and deliverables down into smaller, more manageable components, which helps the project manager maintain control of the project and helps provide clear direction to the team as to what work needs to be done

D. The purpose of a work breakdown structure is to break the project's work and deliverables down into smaller, more manageable components, which helps the project manager maintain control of the project and helps provide clear direction to the team as to what work needs to be done.

The purpose of risk management is to help an organization accomplish which of the following? A. Identify its vulnerabilities, and assess the damage that might result if a threat were able to exploit those vulnerabilities B. Decide what security policies, mechanisms, and operational procedures it needs C. Figure out where to allocate a limited security budget in order to protect the organization's most valuable assets D. All of the above

D. The purpose of risk management is to help an organization: identify its vulnerabilities and assess the damage that might result if a threat were able to exploit those vulnerabilities; decide what security policies, mechanisms, and operational procedures it needs; and figure out where to allocate a limited security budget in order to get the most "bang for the buck."

What does the SDLC do? A. Provides guidance in system development B. Provides a checklist of activities C. Provides a set of stages for system development D. All of the above

D. The systems development life cycle (SDLC) involves the following phases: Planning, Analysis, Design, Implementation, and Support. It involves activities and phenomena such as guidance in system development, a checklist of activities, and a set of stages for system development.

What are three dimensions of quality defined by Donabedian that have become the backbone of how the industry defines measurement? A. Performance, quality, and risks B. Performance, risks, and security C. Structure, outcomes, and risks D. Structure, process, and outcomes

D. The three dimensions of quality defined by Donabedian that have become the backbone of how the industry defines measurement are structure, process, and outcomes.

What type of security information is time of day? A. Permission B. Role C. Label D. Context

D. Time of day is part of the context of the transaction.

What does a project manager need to know to determine the critical path? A. All project activities that are required to complete the project (from the WBS) B. The time each activity will take to complete C. The relationship between all activities D. All of the above

D. To determine the critical path, a project manager needs to know all project activities that are required to complete the project (from the WBS), the time each activity will take to complete, and the relationship between all activities.

What are two types of usability features? A. Data encryption and authenticity B. Access control and audit logs C. Malicious network protection and isolation D. Single sign-on and identity federation

D. Two types of usability features are single sign-on and identity federation.

Why are medical devices' software patch levels difficult to keep up to date? A. Because of the devices' critical patient care role. B. Because the impact of a patch on cybersecurity is difficult to predict. C. Because a new patch requires a new regulatory filing. D. Because a new patch requires manufacturer testing and approval.

D. Under FDA guidance, as long as a patch or update does not change a device's functionality or intended use, in most cases the device manufacturer is not required to update its regulatory filing. However, under the Quality Systems Regulation, the patch or update still needs to be approved by the manufacturer and undergo formal testing to assure system safety has not been compromised. This adds cost and overhead to each release, which makes it difficult to provide timely and frequent security patches.

In recent years, what has added to the complexity in understanding healthcare information technology? A. The challenge of maintaining privacy, confidentiality, and security in the widely expanding complex architecture. B. Greater access to healthcare data from multiple groups, including patients. C. The increase in mobile computing and the use of clouds for storage. d. all of the above

D. Understanding healthcare IT has become more complex in recent years because of the challenge of maintaining privacy, confidentiality, and security in widely expanding complex architecture; healthcare data has become more accessible to multiple groups, including patients; and mobile computing and the use of clouds for storage have increased.

Which of the following does not characterize urgent care centers? A. Usually open late evening and weekend hours. B. Located in convenient locations in the community such as in a shopping center. C. Designed for patients who need immediate but not life threatening care. D. Owned only by public health agencies.

D. Urgent care centers are somewhat similar to emergency departments in that they provide care outside of the usual hours that ambulatory care providers are available, but urgent care centers are not designed to provide care for complex or life threatening illnesses. In addition to offering long hours, they tend to be located for convenient access. Pharmacies, health systems, private medical practices and others can own and operate urgent care centers.

Utilizing an instructional systems design model can facilitate the transfer of which of the following? A. Knowledge B. Attitude C. Skills D. All of the above

D. Use of an instructional systems design model to develop a training program can facilitate the transfer of knowledge, attitude, and skills to the learner.

Using a framework like the NIST CSF provides which of the following benefits? A. A guideline for building and selecting controls B. A way of demonstrating compliance C. A way of communicating cyber readiness to business partners D. All of the above

D. Using a framework like the NIST CSF provides many benefits, including a structure for selecting controls, a method of measuring maturity, and a way to demonstrate compliance or communicate security posture to others.

What is not one of the "rules to live by for" governance committees article? A. Hardwire the committees. B. Set clear levels of successive authority. C. Form no governance before its time. D. Have concise committee meeting agendas.

D. While having well-planned meetings is important, it was not one of the "rules to live by" for governance committees. Options A, B, and C were part of the rules to live by, along with putting someone in charge who can take a stand and doing real work every time.

What is different about wireless networks versus wired networks? A. A wireless network is constrained to a 1-meter radius versus a wired network that can span rooms or city blocks. B. The OSI stack is different for a wireless network versus a wired network. C. Wired networks use radio waves to communicate. D. Wireless networks use radio waves to communicate.

D. Wired networks use wires, and wireless networks depend on radio waves.

The chief medical officer of your organization asks you to set up a measure for his research study for all of his patients with high blood pressure whose blood pressure improves after six months, regardless of treatment given. How do you define high blood pressure? A. Systolic blood pressure of <120 mmHg as you found at the National Heart, Lung, and Blood Institute web site. B. Diastolic blood pressure of <80 mmHg as you found at the National Heart, Lung, and Blood Institute web site. C. Blood pressure less than the ninetieth percentile by height, age, and gender per the National Heart, Lung, and Blood Institute web site. D. You don't have enough information to proceed and thus ask the CMO for more clarity.

D. You don't have enough information to proceed and ask for more clarity. Measures require precise definition and often require inclusion and exclusion criteria. The information provided by the chief medical officer was not precise as to the definition of blood pressure and high blood pressure is age dependent.

The role-based (person-to-person) workflow describes processes by which of the following? A. Using swim lanes to show the roles B. Describing steps in the process (rectangles) with action verbs C. Organizing into venues for care (e.g., admission, clinic visit, surgery) D. Displaying physician or nurse decisions (diamonds) E. All of the above

E. All four answers describe how workflow is designed to display the steps and decisions within a process for those with a role in taking care of patients.

Which of the following does the National Learning Consortium's Change Management in EHR Implementation primer suggest including in a communications plan? A. Vendor demonstrations, videos B. Role playing C. Simulated question/answer (Q/A) communication D. Staff visits to practices that have had successful EHR implementations E. All of the above

E. NLC's Change Management in EHR Implementation offers these ideas and more for including in a communications plan.

What can technology-induced errors arise from? A. Programming errors B. Systems design flaws C. Inadequate requirements gathering D. Poorly planned systems implementation E. A, B, C, D F. A, C

E. Programming errors, systems design flaws, inadequate requirements gathering, and poorly planned systems implementation have all been identified as factors that cause technology-induced error in healthcare.

Which workflow best describes the clinical scenario of a nurse sending a secure message using the health information exchange network to a home-care provider on research protocols which involve medication administration at very specific times for three days in the patient's home setting? A. Functional or application workflow B. Role-based workflow C. Enterprise-to-enterprise workflow D. Venue-to-venue workflow E. Task-to-task workflow

E. Task-to-task workflows provide additional detailed steps for less frequent activities that might occur during care delivery (e.g., a patient involved in a research study). In this scenario, the task-to-task workflow represents a process step beyond the hospital setting to ensure an intervention is coordinated between the physician, nurse, and home-care provider. When the health information exchange network is utilized to share information, the enterprise-to-enterprise workflow will work to share the patient's plan of care through a continuity of care document, but the uniqueness of a research study makes this a task-to-task workflow.

Which of the following are distinct types of innovation? A. Disruption and disintegration of old tools, jobs, and processes with new ideas, tools, and business models B. Incremental optimization of how a technology is operationalized and advances C. Identify, scale, and spread local successes (hotspotting, positive deviance) D. Cultural transformation E. All of the above

E. The four distinct types of innovations are (1) disruption and displacement of old tools, jobs, and processes with new ideas, tools, and business models, (2) incremental optimization of how a technology is operationalized and advanced, (3) identify, scale, and spread local successes (e.g., hotspotting, positive deviance); and (4) cultural transformation.

What are the main methods from usability engineering? A. Participatory design B. Cognitive walk-through C. Heuristic inspection D. Usability testing E. B, C, D F. A, B, D

E. The main methods used in usability engineering are: (1) the cognitive walk-through, (2) heuristic inspection, and (3) usability testing.

User-centered design involves which of the following? A. An early focus on the user and their needs B. Continued testing of system design with users C. Iterative feedback into redesign D. Participation of users as members of the design team E. All of the above F. A, B, C, D G. A, B, C

G. User-centered design involves: (1) an early focus on users and their needs, (2) continued testing of system design with users, and (3) iterative feedback into redesign.