HIM 3132 ch. 12 & 13 exam


A nurse administrator who does not typically take calls gets called in over the weekend to staff the emergency department. She does not have access to enter notes, since this is not a part of her typical role. In order to meet the intent of the HIPAA Security Rule, the hospital policy should include

a provision to allow her emergency access to the system

The capture of data by a hospital's data security system that shows multiple invalid attempts to access the patients' database is an example of what type of security control?

audit trail

Copying data onto tapes and storing the tapes at a distant location is an example of

data backup

Key components of a contingency or disaster plan mandated by the HIPAA Security Rule include

data backup, data recovery and emergency mode of operations

The role of the HIIM professional in medical identity theft protection programs includes all of the following except:

defer all issues related to medical identity theft to the in-house attorney

The HIPAA Security Awareness and Training administrative safeguard requires all of the following addressable implementation programs for an entity's workforce except:

disaster recovery plan

Biometric identifiers signify something that the user knows

false

Compliance with the HIPAA Security Rule is the only standard that should be considered when developing a security plan and performing a risk assessment.

false

Content Based Access Control is less stringent than Role Based Access Control

false

Disaster recovery and contingency plans related to ePHI are nice to have but not necessary.

false

Facsimile machines provide a highly secure method of communication

false

An organization's firewall limits external Internet users from accessing portions of the healthcare network, but it does not limit internal users from accessing portions of the Internet.

false

Vulnerabilities and threats are terms that can be used interchangeably

false

Which of the following statements is false about a firewall?

Firewalls are effective for preventing all types of attacks on a healthcare system

The VP of finance wants to consider sending all of the medical transcriptionists home to work. What security issues should be included in the risk analysis?

Access of data by unauthorized persons

The safeguard requirements in the Privacy Rule are equivalent to compliance with the Security Rule

False

With addressable standards, the covered entity may do all BUT WHICH of the following?

Ignore the standard since it is addressable

The enforcement agency for the security rule is the:

Office for Civil Rights

When determining the appropriate password composition, the HIIM professional should refer to which of the following?

Organization policy

What are the primary distinctions between the HIPAA Security Rule and the HIPAA Privacy Rule?

The Privacy Rule applies to all forms of patients' PHI, whether electronic, written, or oral, but the Security Rule covers only electronic PHI. The Security Rule provides far more comprehensive security requirements than the Privacy Rule and includes a level of detail not provided in the Privacy Rule.

According to the HIPAA Security Rule, what should a covered entity instruct a physician who needs a new smart phone to do with her current smart phone that contains ePHI?

Turn in her old smart phone

An audit trail is a record that shows when a particular user accessed a computer system.

true

Assignment of patient medical record numbers is one of the priorities of the HIM professional during system downtime in a disaster.

true

Data encryption ensures that data transferred from one location on a network to another are secure from eavesdropping or data interception.

true

Employee nondisclosure agreements are particularly important for employees who work in remote locations or telecommute.

true

Hacking is more prevalent in healthcare due to the value of patient information on the black market.

true

The most important protection against loss of data is

user compliance with policy and procedures

Which of the following is an example of two-factor authentication?

user name and password and token

Computers storing ePHI that are easily accessible to the public pose a vulnerability to a CE.

True

If a HIPAA security rule implementation specification is addressable, this means

an alternative may be implemented

The purpose of the implementation specifications of the HIPAA security rule is to provide:

instruction for implementation of standards

The greatest threats to organizational security stem from

internal threats

What is the most common type of security threat to a health information system?

internal to the organization

The HIPAA security rule contains what provisions about encryption?

it is required based on organizational policy

The HIPAA Security Rule allows flexibility in implementation based on reasonableness and appropriateness. What does the covered entity use to make these determinations?

1) size of the covered entity; 2) security capabilities of the covered entity's system; 3) costs of security measures

The admissions department is getting some new computers from the surgery department. The director is so excited to get the new computers that he does not contact IT and installs the computers over the weekend in admissions. Since the computers were not checked for the presence of ePHI, the admissions director has violated which provision of the HIPAA security rule?

Device and media control

Common safeguards utilized to protect e-mail communication include all but which of the following? A. anti-spam software B. e-mail filtering C. encryption software D. e-mail scrubbing

E-mail scrubbing

The predetermined time for an automatic log-off from the system is mandated by

Facility policy

Which of the following requires financial institutions to develop written medical identity theft programs?

Fair and Accurate Credit Transactions Act

CEs can decide to comply with only the Privacy Rule and don't have to comply with the Security Rule.

False

Only healthcare providers are required to comply with the Security Rule.

False

Security awareness training is required every two years.

False

The security rule contains provisions that CEs can ignore.

False

The security rule is completely technical and requires computer programmers to address

False

Training is not necessary for remote workforce members as long as encryption is in place in the organization.

False

With whom may patients file a complaint if they suspect medical identity theft violations?

Federal Trade Commission

Which of the following statements about HIPAA training is false?

Privacy and security training should be separate

Elements to include in a security system risk analysis program include all but which of the following?

Restricting remote access to users

Medical identity theft has increased because of the expansion of electronic health record utilization and the expanded availability of data.

True

The Security Rule contains both required and addressable standards.

True

The goal of the Security Rule is to ensure that patient information is protected from unauthorized access, alteration, deletion, and transmission.

True

Of the following, which type of data encryption is primarily used in a wireless network environment?

WEP

One of the four general requirements a covered entity must adhere to for compliance with the HIPAA security rule is to ensure the confidentiality, integrity and ___________ of ePHI.

availability

The HIPAA Security Rule requires that passwords:

be updated by organizational policy

Under which access security mechanism would an individual be allowed access to ePHI if they have a specific proper login and password, belong to a specified group and their workstation is located in a specific place within the facility?

context-based

Non-compliance with the HIPAA security rule can lead to

criminal penalties and civil penalties

Which of the following defines the study of encryption and decryption techniques?

cryptography

What term is also used to denote the HIPAA requirement of Contingency Planning?

emergency mode of operation

E-mail related to patient care should be kept separate from the patient medical record.

false

Employee training programs are not necessary to protect the security of PHI

false

Healthcare organizations are excluded from the definition of "creditor" under FACTA.

false

It is best practice to select a very strong password and use it for all accounts.

false

An audit trail is a good tool for which of the following?

holding an individual employee accountable for actions, reconstructing electronic events, detecting a hacker, recognizing when a system is having problems

Which of the following statements is false about the security officer? The security officer

holds a required full-time position under HIPAA security rule

The HIPAA Security Rule applies to which of the following covered entities?

hospitals that bill Medicare, a physician electronic billing company, a BlueCross health insurance plan

Home health nurses at a covered entity want to use laptop computers to record patient notes. The director of nursing asks for guidance about whether or not this is a HIPAA violation. The most appropriate response from the security officer is that they

need additional training as remote workers

Which of the following is not an access control commonly utilized by covered entities for compliance with the HIPAA security rule?

palm scanners

Which of the following would be considered a two-factor authentication system?

password and swipe card

What is the most common method for implementing entity authentication?

password systems

The HIPAA security rule requires that the covered entity

protect ePHI from reasonably anticipated threats

The purpose of entity authentication is to

read predetermined criteria to determine if a user is who he or she claims

The HIPAA Security Rule contains all of the following safeguards except:

reliability

An individual designated as an inpatient coder may have access to an electronic medical record to code the record. Under what access security mechanism is the coder allowed access to the system?

role-based

Which of the following is the best option for password management?

system auto-assigns password

Some of the best steps that workers can take to comply with the HIPAA security rule include ensuring

the security of mobile devices

Internal security breaches are far more common than external breaches.

true

Red flags are used to help a healthcare provider detect medical identity theft.

true

The Identity Theft and Assumption Deterrence Act of 1998 makes it a federal crime to commit an act of identity theft.

true

The director of health information services is allowed access to the medical record tracking system when providing the proper login and password. Under which access security mechanism is the director allowed access to the system?

user-based
