HIM Exam 12 and 13

अब Quizwiz के साथ अपने होमवर्क और परीक्षाओं को एस करें!

11. Copying data onto tapes and storing the tapes at a distant location is an example of___________. a. Data backup b. Data mapping c. Data recovery d. Data storage for recovery

A

12. The capture of data by a hospital's data security system that shows multiple invalid attempts to access the patients' database is an example of what type of security control? a. Audit trail b. Access control c. Auto-authentication d. Override function

A

19. The capture of data by a hospital's data security system that shows multiple invalid attempts to access the patients' database is an example of a(n) __________. a. Audit trail. b. Access control. c. Auto-authentication. d. Override function.

A

20. Which of the following defines the study of encryption and decryption techniques? a. Cryptography b. Authentication c. Context-based access control d. Biometric identifier control

A

22. Key components to a contingency or disaster plan, mandated by the HIPAA Security Rule include __________. a. Data back-up, data recovery and emergency mode of operations. b. Data back-up and data recovery. c. Data recovery and emergency mode of operations. d. Date back-up, data recovery, emergency mode of operations and data encryption.

A

23. The VP of finance wants to consider sending all of the medical transcriptionists home to work. What security issues should be included in the risk analysis? a. Access of data by unauthorized persons b. Storage of data on remote devices c. Transmission risks when reporting data d. Potential for new regulations

A

23. The most important protection against loss of data is __________. a. User compliance with policy and procedures. b. User adoption of biometric identifiers. c. User adoption of employee nondisclosure agreements. d. User compliance with architecture and topology.

A

25. Some of the best steps that workers can take to comply with the HIPAA security rule include ensuring ___________. Bloom's Level: 3 a. The security of mobile devices b. All employees receive appropriate training c. That employees don't ever use email d. That employees secure their workplace

A

3. An individual designated as an inpatient coder may have access to an electronic medical record in order to code the record. Under which access security mechanism is the coder allowed access to the system? a. Role-based b. User-based c. Context-based d. None of the above

A

9. Which of the following statements about HIPAA training is false? a. Privacy and security training should be separated. b. Different levels of training are needed depending on an employee's position in the organization. c. All employees in a health care organization need HIPAA training. d. Training is required under the HIPAA security rule.

A

Encryption

A technique used to ensure that data transferred from one location on a network to another are secure from eavesdropping or interception

Creditor

Anyone who regularly meets one of the following criteria 1)Obtains or uses consumer reports in connection with a credit transaction 2)furnishes information to consumer reporting agencies in connection with a credit transaction 3)Advances funds to someone

12. What is the most common type of security threat to a health information system? a. External to the organization b. Internal to the organization c. Environmental in nature d. Computer viruses

B

18. The HIPAA security rule requires that passwords___________ a. Be updated every 90 days b. Bee updated by organizational policy c. Be updated every time there is a breach d. Be updated every 60 days

B

19. According to the HIPAA Security Rule, what should a covered entity instruct a physician who needs a new smart phone to do with her current smart phone that contains ePHI? a. Keep her old smart phone b. Turn in her old smart phone c. Recycle the old smart phone by giving it to a charity d. Do what she wants since IT is too busy with other projects

B

2. The director of health information services is allowed access to the medical record tracking system when providing the proper log-in and password. Under which access security mechanism is the director allowed access to the system? a. Role-based b. User-based c. Context-based d. None of the above

B

22. The admissions department is getting some new computers from the surgery department. The director is so excited to get the new computers that he does not contact IT and installs the computers over the weekend in admissions. Since the computers were not checked for the presence of ePHI, the admissions director has violated which provision of the HIPAA security rule? a. Access controls b. Device and media controls c. Emergency access procedure d. Contingency operations

B

24. Home health nurses at a covered entity want to use laptop computers to record patient notes. The director of nursing asks for guidance about whether or not this is a HIPAA violation. The most appropriate response from the security officer is that they___________. a. Need to sign business associate contracts before they get laptops b. Need additional training as remote workers c. Need to wait and come back to the office and record the notes d. Cannot have laptops since it is a security risk

B

The purpose of entity authentication is to __________. a. Prevent rebooting to deactivate a logoff system b. Read predetermined criteria to determine if a user is who he or she claims c. Allow rebooting to activate a sign-in process d. Rejects multiple log-in attempts

B

14. The enforcement agency for the security rule is___________. a. Office of the Inspector General b. Centers for Medicare and Medicaid Services c. Office for Civil Rights d. Office of Management and Budget

C

14. Which of the following requires financial institutions develop written medical identity theft programs? a. HIPAA Security Rule b. HITECH Act c. Fair and Accurate Credit Transactions Act d. HIPAA Privacy and Security Rule

C

17. Which of the following is an example of two-factor authentication? a. User name and password b. Password c. User name and password and token d. User name and PIN

C

17. With addressable standards, the covered entity may do all but which of the following? a. Implement the standard as written b. Implement an alternative standard c. Ignore the standard since it is addressable d. Determine the risk of not implementing is negligible

C

18. The predetermined time for an automatic log-off from the system is mandated by __________. a. HIPAA Security Rule b. HIPAA Privacy Rule c. Facility policy d. State Statute

C

2. One of the four general requirements a covered entity must adhere to for compliance with the HIPAA security rule is to ensure the confidentiality, integrity and ___________ of ePHI. a. Addressability b. Accuracy c. Availability d. Accountability

C

20. A nurse administrator who does not typically take call gets called in over the weekend to staff the emergency department. She does not have access to enter notes since this is not a part of her typical role. In order to meet the intent of the HIPAA Security Rule, the hospital policy should include___________. a. Aa requirement for her to attend training before accessing ePHI b. A provision to allow her to share a password with another nurse c. A provision to allow her emergency access to the system d. A restriction on her ability to access ePHI

C

21. The HIPAA security rule contains what provision about encryption? a. It is required for all ePHI. b. It is required based on CMS guidance. c. It is required based on organizational policy. d. It is not required for small providers.

C

4. Under which access security mechanism would an individual be allowed access to ePHI if they have a proper log-in and password, belong to a specified group, and their workstation is located in a specific place within the facility? a. Role-based b. User-based c. Context-based d. None of the above

C

8. Non-compliance with the HIPAA security rule can lead to___________. a. Civil penalties b. Criminal penalties c. Both a and b d. A maximum annual penalty of $1 million

C

Of the following, which type of data encryption is primarily used in a wireless network environment? a. PKI b. PGP c. WEP d. None of the above

C

Which of the following is the best option for password management? a. User changes password every 45 days b. User changes password every 60 days c. System auto-assigns password d. User assigns password

C

Which of the following statements is false about a firewall? a. It is a system or combination of systems that supports an access control policy between two networks. b. The most common place to find a firewall is between the healthcare organization's internal network and the Internet. c. Firewalls are effective for preventing all types of attacks on a healthcare system. d. A firewall can limit internal users from accessing various portions of the Internet.

C

Which of the following would be considered a two-factor authentication system? a. User ID with a password b. User ID with voice scan c. Password and swipe card d. All of the above

C

Virus

Common types are classified as file infectors, which attach to program files so that when a program is loaded the virus is also loaded

1. The greatest threats to organizational security stem from __________. a. Natural threats b. Environmental threats c. International threats d. Internal threats

D

10. What term is also used to denote the HIPAA requirement of Contingency Planning? a. Data backup b. Data recovery c. Disaster planning d. Emergency mode of operation

D

13. With whom may patients may file a complaint if they suspect medical identity theft violations? a. Internal Revenue Service b. Office of Civil Rights c. Centers for Medicare and Medicaid Services d. Federal Trade Commission

D

15. The role of the HIM professional in medical identity theft protection programs includes all of the following except __________. a. Ensure safeguards are in place to protect the privacy and security of PHI b. Balance patient privacy protection with disclosing medical identity theft to victims c. Identify resources to assist patients who are victims of medical identity theft d. Defer all issues related to medical identity theft to the in-house attorney

D

16. Elements to include in a security system risk analysis program include all but which of the following? a. Limiting access to the minimum necessary b. Requiring user names and passwords c. Installing protective hardware devices d. Restricting remote access to users

D

16. The HIPAA Security Rule allows flexibility in implementation based on reasonableness and appropriateness. What does the covered entity use to make these determinations? a. Size of the covered entity b. Security capabilities of the covered entity's system c. Costs of security measures d. All of the above

D

21. Common safeguards utilized to protect e-mail communication include all but which of the following? a. Anti-spam software b. E-mail filtering c. Encryption software d. E-mail scrubbing

D

24. When determining the appropriate password composition, the HIIM professional should refer to which of the following? a. HIPAA Privacy Rule b. HIPAA Security Rule c. HITECH Act d. Organizational policy

D

25. Which of the following is not an access control commonly utilized by covered entities for compliance with the HIPAA security rule? a. User-based access b. Passwords c. Tokens d. Palm scanners

D

The HIPAA security rule contains the following safeguards except___________. a. Technical b. Administrative c. Physical d. Reliability

D

Which is the most common method for implementing entity authentication? a. Personal identification number b. Biometric identification systems c. Token systems d. Password systems

D

Token

Devices such as a key card that are inserted into doors or computers in order to gain entry

Ransomware

Distinct malware in that it attempts to deny access to a user's access to a user's data by encrypting the data with a key known to the hacker -When ransom is paid the user is given decryption key

An audit trail is a good tool for which of the following? a. Holding an individual employee accountable for actions b. Reconstructing electronic events c. Detecting a hacker d. Recognizing when a system is having problems e. a and d f. b and d g. All of the above h. None of the above

G

Firewall

Hardware or software devices that examine traffic entering and leaving a network and prevent some traffic from entering or leaving based on established rules -Can be used to describe the software that protects computing resources or to describe the combination of the software, hardware, and polices that protect the resources

Technology Neutral

Specific technologies are not prescribed in the rules, which allows the use of the latest and appropriate technology

Identity and Access Management (IAM)

The security discipline that enables the right individuals to access the right resources at the right times for the right reason

Integrity

The state of being whole or unimpaired

Cryptography

The study of encryption and decryption techniques

Telehealth

The use of digital technologies to deliver medical care, health education, and public health services by connecting multiple users in different locations

15. The HIPAA security rule requires that the covered entity___________. a. Eliminate all threats to ePHI b. Hire a security consultant c. Protect ePHI from reasonably anticipated threats d. Protect ePHI at all costs

c

Business Associate (BA)

A person or organization other than a member of a CE workforce that performs functions or activities on behalf of or affecting a CE that involve the use or disclosure of individually identifiable health information

Contingency Planning

A plan for recovery in the event of a power failure, disaster, or other emergency that limits or eliminates access to facilities and electronic protected health information

Audit Trail

A record that shows who has accessed a computer system, when it was accessed, and what operations were performed

User based access control UBAC

A security mechanism used to grant users of a system access based on their identity

Automatic Log Off

A security procedure that causes a computer session to end after a predetermined period of inactivity (EX: 10 min)

Distinguish access controls from systems controls and provide examples of each

Access Controls 1)Prevent unauthorized individuals from retrieving, using, or altering information 2)Access rights 3)biometrics, pins,tokens Systems Control 1)Related to a systems hardware or software and functions such as transmission of ePHI via fax or email

Biometric identifiers signify something that the user knows?

False

Security awareness training is required every two years?

False

The Security Rule contains provisions that CEs can ignore?

False

The Security Rule is completely technical and requires computer programmers to address?

False

The safeguard requirements in the Privacy Rule are equivalent to compliance with the Security Rule?

False

Training is not necessary for remote workforce members as long as encryption is in place in the organization?

False

Vulnerabilities and threats are terms that can be used interchangeably?

False

Health Insurance Portability and Accountability Act

Federal legislation enacted to provide he continuity of health coverage, control fraud and abuse, reduce healthcare costs, and guarantee the security and privacy of health information

American Recovery and Reinvestment Act of 2009

Federal legislation that included significant funding for health information technology and provided for significant changes to the HIPAA Privacy Rule

Health Information Technology for Economic and Clinical Health (HITECH)

Federal legislation that was passed as a portion of the ARRA -Contains changes to the HIPAA Privacy Rule

Describe the purposes of the HIPAA Security Rule

Governs PHI that is transmitted by or maintained in some form of electronic media -Implement appropriate security safeguards and protect electronic healthcare information that may be at risk -Protect an individual's health information while permitting appropriate access and use of that information

Unintentional Threats

Include employee errors that may result from lack of training in proper system use

Recognize security components for risk management

-Must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the security standards

Summarize the components of the Security Rule

1) General Requirements: 2)Flexibility or Approach: Allow CE and BA to implement the standards 3)Standards: CE and BA must comply with standards (administrative, physical, technical, organizational, and policies, procedures, and documentation) 4)Implementation specifications: Detailed instructions for implementing a specific standard 5)Maintenance of security measures: Continuing review of the reasonableness and appropriateness of a CE or BA security measure

Identify potential internal and external security threats, distinguishing human threats from natural and environmental threats and describing vulnerabilities

1) Human Threats -Internal (members of organization) -External (outside organization) 2)Natural or Environmental -Internal (fire, water damage in organization) -External (flood, tornadoes, natural disasters) 3)Vulnerabilities -Weaknesses that impact security of systems and networks -Physical or software

Role- based access control RBAC

A control system in which access decisions are based on the roles of individual users as part of an organization

Identity Theft

A crime in which an individual's personal information is stolen, often through the ease of obtaining data in electronic environments

Cyber Attack

A deliberate and often systematic attempt to gain unauthorized access to a device or network

Trojan horse

A destructive piece of programming codes that hides in another piece of programming code that looks harmless

Wired Equivalent Privacy (WEP)

A form of encryption used to authenticate the sender and the receiver of messages over networks, particularly when the internet is involved in the data transmission -Should provider authentication, data security and data non-repudiation

Data Encryption

A form of technical security used to ensure that data transferred from one location on a network to another are secure from anyone eavesdropping or seeking to intercept them

Confidentiality

A legal and ethical concept that establishes the healthcare provider's responsibility for protecting health records and other personal and private information from unauthorized use or disclosure

Disaster Recovery Planning

A plan for securing electronic protected health information in the event of a disaster that limits or eliminates access to facilities and ePHI

Red Flag Rule

A provision under FACTA that requires financial institutions and creditors to develop and implement written programs that identify, detect, and respond to red flags that may signal the presence of identity theft

Biometric Identification Systems

A security system that analyzes biological data about the user (fingerprint, voiceprint, or retinal scan)

External Security Threat

A security threat caused by individuals or forces outside the organization

Internal Security Threat

A security threat caused by individuals or forces within an organization

Physical Safeguards

A set of four standards defined by the HIPAA security rule: facility access controls, workstation use, workstation security, and device and media control

Worm

A special type of computer virus that stores and then replicates itself

Pretty Good Privacy

A type of encryption software that uses public key cryptology and digital signatures for authentication

Medical Identity Theft

A type of identity theft and financial fraud hat involves the inappropriate or unauthorized misrepresentation of one's identity to obtain medical goods or services, or to obtain money by falsifying claims for medical services

Fair and Accurate Credit Transactions Act (FACTA)

An act that requires advance employee authorization for a consumer reporting agency to share medical information with employers for employment or insurance purposes -It also requires financial institutions and creditors to develop and implement written identity theft programs that identify, detect, and respond to red flags that may signal the presence of identity theft

Information System

An automated system that uses computer hardware and software to record, manipulate, store, recover, and disseminate data

Security Officer

An individual responsible for overseeing privacy policies and procedures

Intentional Threats

Attacks from outside the network or internal malicious actions by workforce members

1. The purpose of the implementation specifications of the HIPAA security rule is to provide______. a. Protection of patient information b. Instruction for implementation of standards c. Guidance for security training and education d. Sample policies and procedures for compliance

B

5. If a HIPAA security rule implementation specification is addressable, this means that___________. a. The covered entity does not have to show that the specification has been met b. An alternative may be implemented c. The specification must be implemented as written d. None of the above

B

7. Which of the following statements is false about the security officer? The Security Officer___________. a. Is generally the individual within the healthcare organization responsible for overseeing the information security program b. Holds a required full-time position under HIPAA security rule c. Generally reports to an upper level administrator within the healthcare organization d. Is given the authority to effectively manage the security program, apply sanctions and influence employees

B

3. What are the primary distinctions between the HIPAA Security Rule and the HIPAA Privacy Rule? a. The security rule applies to all forms of patients' PHI, whether electronic, written, or oral, but the security rule covers only electronic PHI. b. The security rule provides for far more comprehensive security requirements than the security rule and includes a level of detail not provided in the security rule. c. Both a and b d. Neither a nor b; there are no distinctions

C

4. The HIPAA security rule applies to which of the following covered entities? a. Hospital that bills Medicare b. Physician electronic billing company c. BlueCross health insurance plan d. a and c e. b and c f. All of the above g. None of the above

F

CEs can decide to comply with only the Privacy Rule and don't have to comply with the Security Rule?

False

Compliance with the HIPAA Security Rule is the only standards that should be considered when developing a security plan and performing a risk assessment?

False

Content Based Access Control is less stringent than Role Based Access Control?

False

Disaster recovery and contingency plans related to ePHI are nice to have but not necessary?

False

E-mail related to patient care should be kept separate from the patient medical record?

False

Employee training programs are not necessary to protect the security of PHI?

False

Facsimile machines provide a highly secure method of communication?

False

Healthcare organizations are excluded from the definition of "creditor" under FACTA?

False

It is best practice to select a very strong password and use it for all accounts?

False

Only healthcare providers are required to comply with the Security Rule?

False

Organization's firewall limits external Internet users from accessing portions of the healthcare network, but it does not limit internal users from accessing portions of the Internet?

False

Recognize the importance of contingency planning or disaster recovery planning in securing health information

It creates a plan of Acton in the event of a problem like power failures or disasters -Protects patient information and ePHI

Social Media

Often used by healthcare organizations as marketing tools and mechanisms to communicate with consumers or patients

Federal Information Processing Standards (FIPS)

Outlines approved security functions, approved protection profiles, approved random number generator, and approved key establishment techniques

Covered Entity

Persons or organizations that must comply with the HIPAA privacy and security rules -Including healthcare providers, health plans, and healthcare clearinghouses

List mechanisms to prevent and detect identity theft

Red Flag Rules 1)Alerts,notifications, or warnings from a consumer reporting agency 2)Suspicious documents 3)Suspicious personally identifiable information such as a suspicious address 4)Unusual use of or suspicious activity relating to , a covered account 5)Notices from customers, victims of identity theft, law enforcement agencies, or other businesses about possible identity theft in connection with and account

Person or Entity Authentication

Requires the implementation of procedures to verify that a person or entity seeking access to ePHI is the person or entity they claim to be

Technical Safeguard

Security measures that are based on technology rather than on administration or physical security -Includes access control, unique user identification, automatic logoff, and encryption and decryption

Identify types of medical identity theft and mechanisms to prevent, detect, and mitigate such theft

TYPES 1)Use of a person's name and other identifiers, without the consent of the victim, to obtain medical goods or services (can by used with individual's consent but not a full understanding of the outcomes. 2)The use of a person's identity to obtain medical services by falsifying claims for medical services (business) MITIGATION 1)Build awareness by providing education to all staff about the issue and impact 2)Educate registration staff to watch for indicators (forged documents) 3)Collaborate with IT 4)Pre-employee background checks 5) Monitor business associates 6)Fraud prevention measures and data flagging 7)Proactive Audits

Scalability

The concept that based on the size of the CE, the threshold of compliance varies

Entity Authentication

The corroboration that an entity is the one claimed -The computer reds a predetermined set of criteria to determine whether the user is who he or she claims to be

Addressable Specification

The implementation specifications of the HIPAA Security Rule that are designated as addressable rather than required -To be in compliance with the rule, the CE must implement the specification as written, implement an alternative, or document that the risk does not exist in the organization or exists with little probability of occurrence

Required Specification

The implementation specifications of the HIPAA security rule that are designated required rather than addressable

Context Based Access Control CBAC

The most stringent type of access control -Takes into account the person attempting to access the data, the type of data being accessed, and the context of the transaction in which the access attempt is made

Telemedicine

The use of medical information exchanged from one site to another via electronic communication to improve patient's health

An audit trail is a record that shows when a particular user accessed a computer system?

True

Assignment of patient medical record numbers is one of the priorities of the HIM professional during system downtime during a disaster?

True

Computers storing ePHI that are easily assessable to the public pose a vulnerability to a CE?

True

Data encryption ensures that data transferred from one location on a network to another are secure from eavesdropping or data interception?

True

Employee nondisclosure agreements are particularly important for employees who work in remote locations or telecommute?

True

Hacking is more prevalent in healthcare due to the value of patient information on the black market?

True

Internal security breaches are far more common than external breaches?

True

Medical identity theft has increased because of the expansion of electronic health record utilization and the expanded availability of data?

True

Red flags are used to help a healthcare provider detect medical identity theft?

True

The Identity Theft and Assumption Deterrence Act of 1998 makes it a federal crime to commit an act of identity theft?

True

The Security Rule contains both required and addressable standards?

True

The goal of the Security Rule is to ensure that patient information is protected from unauthorized access, alteration, deletion, and transmission?

True

Electronic Protected Health Information (ePHI)

Under HIPAA, all individually identifiable information that is created or received electronically by a healthcare provider r any other entity subject to HIPAA requirements

Authentication

Verification of a record's validity and its reliability as evidence -Also a security mechanism to validate the identity of a user in an electronic system

Vulnerabilities

Weaknesses that impact security of systems and networks

Phising

When someone impersonates a business or other known entity to attempt to have the user provide personal information

6. The HIPAA Security Awareness and Training administrative safeguard requires all of the following addressable implementation programs for an entity's workforce except___________. a. Disaster recovery plan b. Log-in monitoring c. Password management d. Security reminders

a


संबंधित स्टडी सेट्स

WW1 Unit Test, WWI History Test Notes, Historical Concepts

View Set