Chapter 14 Review Questions


Which of the following statements is true of a business associate's HIPAA/HITECH compliance requirements?

A business associate's HIPAA/HITECH compliance requirements are the same as a health-care provider's

Which of the following statements best defines the documented policies and procedures for managing day-to-day operations, conduct, and access of workforce members to ePHI, as well as the selection, development, and use of security controls?

Administrative safeguards

A breach notification must include which of the following information?

All of the above

The Final Omnibus Rule made significant changes in coverage, enforcement, and patient protection in which of the following ways?

All of the above

Which of the following are considered health-care providers by the HIPAA Security Rule?

All of the above

Per DHHS guidance, which of the following activities are included in the risk management process? (Choose two)

Analysis; Management

Which of the following statements best defines authorization?

Authorization is the process of granting users or systems a predetermined level of access to information resources

Which of the following statements is false?

Clinical-based access is granted by patient name

Which of the following is NOT a HIPAA/HITECH Security Rule category?

Compliance

Which of the following is NOT true?

DHHS never publishes the breach cases being investigated and archived to maintain the privacy of the health-care provider

Which of the following federal agencies is responsible for HIPAA/HITECH administration, oversight, and enforcement?

Department of Health and Human Services

A HIPAA standard defines what a covered entity must do; implementation specifications ________

Describe how it must be done and/or what it must achieve

The safe harbor provision applies to

Encrypted data

In the context of HIPAA/HITECH, which of the following is NOT a factor to be considered in the determination of "reasonable and appropriate" security measures?

Geographic location of the CE

Which of the following statements is NOT true?

HIPAA has also been adopted in Brazil and Canada

Which of the following protocols/mechanisms cannot be used for transmitting ePHI?

HTTP

Which of the following is an entity that provides payment for medical services such as health insurance companies, HMOs, government health plans, or government programs that pay for health care such as Medicare, Medicaid, military, and veterans' programs?

Health plan

Which of the following defines what a breach is?

Impermissible acquisition, access, or use or disclosure of unsecured PHI, unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised

Which of the following statements is true?

Implementation specifications are either required or addressable

Granting the minimal amount of permissions necessary to do a job reflects the security principle of ________

Least privilege

Which of the following is NOT an acceptable end-of-life disposal process for media that contains ePHI?

Recycle it

Users should be trained to recognize and ________ a potential security incident

Report

The security incident procedures standard addresses which of the following?

Reporting and responding to cybersecurity incidents

Both the HITECH Act and the Omnibus Rule refer to unsecure data, which means data ________

That is unencrypted

Which of the following statements is true?

The CE must also provide notice to "prominent media outlets" if the breach affects more than 500 individuals in a state or jurisdiction

Which of the following changes was NOT introduced by the Omnibus Rule?

The Omnibus Rule explicitly denied enforcement authority to State Attorneys General

Which of the following is NOT true about security awareness training?

The campaign should not be extended to anyone who interacts with the CE's ePHI

Which of the following statements best describes the intent of the initial HIPAA legislation adopted in 1996?

The intent of the initial HIPAA legislation was to simplify and standardize the health-care administrative process

To demonstrate that there is a low probability that a breach compromised ePHI, a CE or business associate must perform a risk assessment that addresses which of the following minimum standards?

The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification

Which of the following statements is true of the role of a HIPAA Security Officer?

The HIPAA Security Officer is responsible for overseeing the development of policies and procedures, management and supervision of the use of security measures to protect data, and oversight of personnel access to data

