Health Information Privacy and Security
72. Which of the following examples is an exception to the definition of a breach? a. a coder accidentally sends PHI to a billing clerk in the same facility b. the wrong patient information was sent to the patient's attorney c. information was erroneously sent to another healthcare facility d. information was loaded on the Internet inappropriately
a. a coder accidentally sends PHI to a billing clerk in the same facility
64. A hacker recently accessed our database. We are trying to determine how the hacker got through the firewall and exactly what was accessed. The process used to gather this evidence is called a. forensics b. mitigation c. security event d. incident
a. forensics Computer forensics (also known as computer forensic science[1]) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
85. Which of the following a true statement about private key encryption? a. public encryption uses a private and public key b. the digital certificate shows that the keys are encrypted c. public key encryption requires both computers to have the same key d. the sending computer uses the public key
a. public encryption uses a private and public key Private key encryption is the form of encryption where only a single private key can encrypt and decrypt information. It is a fast process since it uses a single key. However, protecting one key creates a key management issue when everyone is using private keys. The private key may be stolen or leaked. Key management requires prevention of these risks and necessitates changing the encryption key often, and appropriately distributing the key. In contrast to private key encryption, Public Key Infrastructure, commonly referred to as PKI, uses two keys - one private and one public. The public key is distributed, whereas the private key is never shared.
12. The research coordinator viewed 10 patients' records for a research study being conducted. Select the term used for this practice a. use b. disclosure c. discovery d. release
a. use use is defined as the sharing, employment, application, utilization, examination, or analysis within a covered entity that creates or maintains the PHI
89. Before an employee can be given access to the EHR, someone has to determine what the employee is allowed to have access to. What is this known as? a. workforce clearance procedure b. authentication c. health care clearinghouse d. authorization
a. workforce clearance procedure
79. If an authorization is missing a social security number, can it be valid? a. yes b. no c. only if the patient is a minor d. only if the patient is an adult
a. yes
96. An effective monitoring program contains which of the following? a. log-ins to be reviewed b. outlining how employees suspected of a breach will be confronted c. training employees on what a breech is and the importance of security of ePHI d. installation of software that will monitor for and remove malware from any system that contains ePHI
b.
5. Mountain Hospital has discovered a security breach. Someone hacked into the system and viewed 50 medical records. According to ARRA, what is the responsibility of the covered entity in a reasonable time not to exceed 60 days? a. ARRA does not address this issue b. Notify the patient c. Notify CMs d. Notify FTC
b. Notify the patient Once a covered entity knows or by reasonable diligence should have known (referred to as the "date of discovery") that a breach of PHI has occurred, the entity has an obligation to notify the relevant parties (individuals, HHS and/or the media) "without unreasonable delay" or up to 60 calendar days following the date of discovery, even if upon discovery the entity was unsure as to whether PHI had been compromised.
57. The three components of a data security program are protecting the privacy of data, ensuring the integrity of data and ensuring the a. validity of data b. availability of data c. security of hardware d. security of data
b. availability of data page 319
26. You are a nurse who works on 3West during the day shift. One day, you had to work the night shift because they were shorthanded. However, you were unable to access the EHR. What type of access control(s) are being used? a. user-based b. context-based c. role-based d. either user-or role based
b. context based
58. HIPAA states that release to a coroner is allowed. State law says that the coroner must provide a subpoena. Which of the following is a correct statement? a. Follow the HIPAA requirement since it is federal law b. follow the state law since it is stricter c. You can follow either the state law or the HIPAA rule d. You must request a ruling from a judge
b. follow the state law since it is stricter
87. Miles has asked you to explain the rights he has via HIPAA privacy standards. Which of the following is one of his HIPAA given rights? a. he can review his bill b. he can asked to be contacted at an alternative site c. he can discuss financial arrangements with business office staff d. he can ask a patient advocate to sit on all appointments at the facility
b. he can be asked to be contacted at an alternative site
81. Intrusion detection systems analyze a. authentication b. network traffic c. audit trails d. firewalls
b. network traffic
6. The physician office has set the information systems so that they will log out after 5 minutes of inactivity. This is an example of which of the following? a. administration requirements b. physical safeguard c. cryptograpghy d. access safeguard
b. physical safeguard Physical safeguards are actual physical protections put in place to protect electronic systems, workplace equipment and patient data. These types of safeguards help to limit unauthorized workstation access, ensure that patient data is moved or disposed of properly and protect even the physical facilities where rereads are located. To that end, it also incorporates policies and procedures designed to physically protect records, equipment and an entity's buildings. An example of physical safeguards in action might be an entity's policy not to let employees take work laptops home on the weekends to protect against a computer being stolen and/or information being accessed by unauthorized individuals. Specific physical safeguards, according to HIPAA, include: Physical Safeguard What it Includes : Facility Access/Control Limiting access to buildings or facilities where patient data is used. Workstation/Device Security Maintaining security controls over work computers and other devices where patient data is stored. Technical Technical safeguards refer to the automated processes that employees use to access patient data. Think of things like log-on credentials, passkeys, passwords and other authentication measures that allow only authorized employees access to information.
18. HIPAA allows health care providers to charge patients reasonable cost-based charges. Which of the following is allowed when determining the charge? a. chart retrieval fees b. preparing a summary c. utilities d. insurance for the facility
b. preparing a summary Non-patients can be charged a retrieval fee but not the patient A covered entity may calculate actual labor costs to fulfill the request, as long as the labor included is only for copying (and/or creating a summary or explanation if the individual chooses to receive a summary or explanation) and the labor rates used are reasonable for such activity.
7. You are reviewing your privacy and security policies, procedures, training program, and so on and comparing them to HIPAA and ARRA regulations. You are conducting a a. policy assessment b. risk assessment c. compliance audit d. risk management
b. risk assessment A risk assessment identifies the risks to HIPAA compliance, whereas a risk analysis assigns risk levels for vulnerability and impact combinations.
76. Which of the following is an example of a trigger that might be used to reduce auditing? a. a patient has not signed their notice of privacy practices b. a patient and user have the same last name c. a nurse is caring for a patient and reviews the patient's record d. the patient is a medicare patient
b. the patient and user have the same last name
41. Nancy has asked the health care facility for a copy of her grandmother's health record. Her grandmother died 20 years ago. Nancy is not the executor of the estate, and she does not want to ask her aunt who is for permission. Select the appropriate response to Nancy. a. since you are a descendant, please sign this release b. you cannot access your grandmother's privacy, as she has the right of privacy for 50 years after her death c. You cannot access your grandmother's privacy, as she has the right to privacy for 50 years after her death or her 100th birthday d. you cannot access your grandmother's health record until she has been deceased for 25 years
b. you cannot access your grandmother's privacy, as she has the right of privacy for 50 years after her death In the final rule, the Department of Health and Human Services (HHS) recommended suspending the privacy rights of patients 50 years after the date of their death. According to the final rule, this was done to "balance the privacy interest of living relatives or other affected individuals with a relationship to the decedent." The change was also proposed due to the difficulties people face obtaining authorizations from personal representatives as time passes.nother reason for selecting 50 years as the protection benchmark is HHS felt it was long enough that healthcare organizations wouldn't try to profit from various uses of decedent health records that were five decades old.
99. You have been assigned the responsibility of performing an audit to confirm that all of the workforce's access is appropriate for their role in the organization. This process is called a. risk assessment b. information system activity review c. workforce clearance procedure d. information access management
c
100. A home health care agency employee has contacted the Center for Medicare and Medicaid Services to report health care fraud. Patient information is provided in the report. Which of the following is true? a. this is a violation of the patient rights and he employees should be charged with a HIPAA violation b. The disclosure is not a violation of HIPAA even if the employee made up the charges c. the disclosure is not a violation of HIPAA if the information was provided in good faith d. CMS can never access patient information
c.
20. The patient has requested an amendment to her health record. The facility, after review with the physician, has decided to deny the request. According to HIPAA, the patient must be notified within how many days? a. 90 b. 30 c. 60 d. 45
c. 60 If the amendment is accepted by the author, the PHI will be amended (according to HIPAA guidelines) and the patient will be informed within 60 days of the written request.
19. Which of the following statements is true about the Privacy Act of 1974?? a. it applies to all organizations that maintain health care data in any form b. it applies to all health care organizations c. it applies to the federal government d. it applies to federal government except for the Veterans Health Administration
c. It applies to the federal government The Privacy Act of 1974 was an early piece of federal legislation that addressed the right to privacy. This act was written to give individuals some control over the large amounts of information collected about them by the federal government and its contractors. Under the privacy act of 1974, people have the right to learn what information has been collected about them; view and obtain a copy of that information; and maintain limited control over the disclosure
52. To which of the following requesters can a facility release information about a patient without that patient's authorization? a. the public's health department b. the nurse caring for the patient c. a court with a court order d. a business associate
c. a court with a court order
33. When the patients are able to obtain a copy of their health record, this is an example of which of the following? a. a required standard b. an addressable requirement c. a patient right d. a preemption
c. a patient right
54. Which of the following is the term used to identify who made an entry into a health record? a. access control b. authentication c. authorship d. accessibility
c. authorship Authentication of medical record entries may include written signatures, initials, computer key, or other code
84. Our website was attacked by malware that overloaded it. What type of malware is this? a. phishing b. virus c. denial of service d. spyware
c. denial of service In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash.
28. You are defining the designated record set for South Beach Healthcare Center. Which of the following would be included a. quality reports b. psychotherapy notes c. discharge summary d. information compiled for use in civil hearing
c. discharge summary page 313 A designated data set is: a group of records maintained by ot for covered entity that may include patient medical and billing records; the enrollment, payment, claims, adjudication, and cases or medical management record systems maintained by or for a health plan; or information used in whole or in part to make care-related decisions
46. A covered entity a. is exempt from te HIPAA privacy and security rules b. includes all health care providers c. includes health care providers who perform specified actions electronically d. must utilize business associates
c. includes health care providers who perform specified actions electronically
9. Kyle the HIM director, has received a request to amend a patient's health record. The appropriate action for him to take is a. make the modification because you have received the request. b. file the request in the chart to document the disagreement with the information contained in the medical record c. route the request to the physician who wrote the note in question to determine appropriateness of the amendment d. return the notice to the patient because amendments are not allowed
c. route the request to the physician who wrote the note in question to determine appropriateness of the amendment The person who recorded the documentation in question should be the one who authorizes the change While these references may not explicitly state this, it does state that the form should have a place from the provider's signature and comments
53. The data on a hard drive were erased by a corrupted file that had been attached to an email message. Which of the following can be used to prevent this? a. messaging standards b. acceptance testing c. virus checker d. encryption
c. virus checker A corrupted file is essentially a file that has become damaged and refuses to open properly. Viruses and other malware can also cause file corruption. Run anti-virus scans regularly to keep malware at bay and use a surge protector to prevent problems while saving. Keep your software CDs and operating system recovery discs close in case you need to use them to fix a corrupted file.
16. Your department was unable to provide a patient with a copy of his record within 30-day limitation. What should you do? a. call the patient and apologize b. call the patient and let him know that you will need a 30 day extension c. write the patient and tell him that you need a 30-day extension d. both write and call the patient to tell him you need a 30-day extension
c. write the patient and tell him you need a 30-day extension
104. Critique this statement: A business associate has the right to use a health care facility's information beyond the scope of their agreement with the health care facility. a. This is a true statement because business associates can use the information for their main source of business as long as the patient's privacy is protected b. This is a true statement as long as they have consent c. This is a false statement because the HIPAA privacy rule states that to use it in their own business they must have the health care facility's approval d. This is a false statement because it is prohibited by the HIPAA privacy rule
d
94. The police came to the HIM department today and asked that a patient's right to an account disclosure be suspended for 2 months. What is the proper response to this request? a. "im sorry officer, but privacy regulations do not allow us to do this." b. "im sorry officer but we can only do this for one month." c. "certainly officer. We will take care of that right now." d. "certainly officer. We will be glad to do that as soon as we have the request in writing."
d.
22. Someone access the covered entity's electronic health record and sold the information that was accessed. This person is known as which of the following? a. malware b. a virus c. a hacker d. a cracker
d. a cracker
67. Which of the following is an example of a security incident? a. temporary employees were not given individual passwords b. an employee took home a laptop with unsecured PHI c. A handheld device was left unattended on the crash cart in the hall for 10 minutes d. a hacker accessed PHI from off site
d. a hacker accessed PHI from off site A security incident is an event that may indicate that an organization's systems or data have been compromised or that measures put in place to protect them have failed. In IT, an event is anything that has significance for system hardware or software and an incident is an event that disrupts normal operations Examples of security incidents include: Computer system breach. Unauthorized access to, or use of, systems, software, or data. ... Loss or theft of equipment storing institutional data.
70. The supervisors have decided to give nursing staff access to EHR. They can add notes, view, and print. This is an example of what? a. the termination process b. an information system activity review c. spoliation d. a workforce clearance procedure
d. a workforce clearance procedure Implement procedures to determine that the access of a workforce member to PHI is appropriate. That means, the clearance process must establish the procedures to verify that a workforce member does in fact have the appropriate access for their job function.
13. Before a user is allowed to access protected health information, the system confirms that this is a valid user. This is known as a. access control b. notification c. authorization d. authentication
d. authentication
23. The patient has the right to agree or object in which of the following situations? a. disclosing information to patient's attorney b. disclosing information to minister c. disclosing information to family member who is not directly involved in the care d. disclosing information to family members who is directly involved in care
d. disclosing information to family member who is directly involved in care