Chapter 12 and 13 Review Quiz (LAW)

Red Flag Rules

-Alert, notifications, or warning from a consumer reporting agency -Suspicious documents -Suspicious personally identifying information -Unusual use of, or suspicious activity relating to, a covered account -Notices from customers, victims of identity theft

Describe the purposes of the HIPAA Security Rule

-Implement appropriate security safeguards and protect electronic healthcare information that may be at risk -Protect an individual's health information while permitting appropriate access and use of that information

Recognize security components for risk management

-Must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the security standards

Summarize the components of the Security Rule

1) General Requirements: 2)Flexibility or Approach: Allow CE and BA to implement the standards 3)Standards: CE and BA must comply with standards (administrative, physical, technical, organizational, and policies, procedures, and documentation) 4)Implementation specifications: Detailed instructions for implementing a specific standard 5)Maintenance of security measures: Continuing review of the reasonableness and appropriateness of a CE or BA security measure

Identify potential internal and external security threats, distinguishing human threats from natural and environmental threats and describing vulnerabilities

1) Human Threats -Internal (members of organization) -External (outside organization) 2)Natural or Environmental -Internal (fire, water damage in organization) -External (flood, tornadoes, natural disasters) 3)Vulnerabilities -Weaknesses that impact security of systems and networks -Physical or software

Types of Medical identity theft

1)Use of a person's name and other identifiers, without the consent of the victim, to obtain medical goods or services (can by used with individual's consent but not a full understanding of the outcomes. 2)The use of a person's identity to obtain medical services by falsifying claims for medical services (business)

Role- based access control RBAC

A control system in which access decisions are based on the roles of individual users as part of an organization

Identity Theft

A crime in which an individual's personal information is stolen, often through the ease of obtaining data in electronic environments

Cyber Attack

A deliberate and often systematic attempt to gain unauthorized access to a device or network

Trojan horse

A destructive piece of programming codes that hides in another piece of programming code that looks harmless

Wired Equivalent Privacy (WEP)

A form of encryption used to authenticate the sender and the receiver of messages over networks, particularly when the internet is involved in the data transmission -Should provider authentication, data security and data non-repudiation

Data Encryption

A form of technical security used to ensure that data transferred from one location on a network to another are secure from anyone eavesdropping or seeking to intercept them

Confidentiality

A legal and ethical concept that establishes the healthcare provider's responsibility for protecting health records and other personal and private information from unauthorized use or disclosure

Business Associate (BA)

A person or organization other than a member of a CE workforce that performs functions or activities on behalf of or affecting a CE that involve the use or disclosure of individually identifiable health information

Contingency Planning

A plan for recovery in the event of a power failure, disaster, or other emergency that limits or eliminates access to facilities and electronic protected health information

Disaster Recovery Planning

A plan for securing electronic protected health information in the event of a disaster that limits or eliminates access to facilities and ePHI

Audit Trail

A record that shows who has accessed a computer system, when it was accessed, and what operations were performed

User based access control UBAC

A security mechanism used to grant users of a system access based on their identity

Automatic Log Off

A security procedure that causes a computer session to end after a predetermined period of inactivity (EX: 10 min)

Biometric Identification Systems

A security system that analyzes biological data about the user (fingerprint, voiceprint, or retinal scan)

External Security Threat

A security threat caused by individuals or forces outside the organization

Internal Security Threat

A security threat caused by individuals or forces within an organization

Physical Safeguards

A set of four standards defined by the HIPAA security rule: facility access controls, workstation use, workstation security, and device and media control

Worm

A special type of computer virus that stores and then replicates itself

Encryption

A technique used to ensure that data transferred from one location on a network to another are secure from eavesdropping or interception

Pretty Good Privacy

A type of encryption software that uses public key cryptology and digital signatures for authentication

Medical Identity Theft

A type of identity theft and financial fraud hat involves the inappropriate or unauthorized misrepresentation of one's identity to obtain medical goods or services, or to obtain money by falsifying claims for medical services

Distinguish access controls from systems controls and provide examples of each

Access Controls 1)Prevent unauthorized individuals from retrieving, using, or altering information 2)Access rights 3)biometrics, pins,tokens Systems Control 1)Related to a systems hardware or software and functions such as transmission of ePHI via fax or email

Fair and Accurate Credit Transactions Act (FACTA)

An act that requires advance employee authorization for a consumer reporting agency to share medical information with employers for employment or insurance purposes -It also requires financial institutions and creditors to develop and implement written identity theft programs that identify, detect, and respond to red flags that may signal the presence of identity theft

Information System

An automated system that uses computer hardware and software to record, manipulate, store, recover, and disseminate data

Security Officer

An individual responsible for overseeing privacy policies and procedures

Creditor

Anyone who regularly meets one of the following criteria 1)Obtains or uses consumer reports in connection with a credit transaction 2)furnishes information to consumer reporting agencies in connection with a credit transaction 3)Advances funds to someone

Intentional Threats

Attacks from outside the network or internal malicious actions by workforce members

1. The purpose of the implementation specifications of the HIPAA security rule is to provide______. a. Protection of patient information b. Instruction for implementation of standards c. Guidance for security training and education d. Sample policies and procedures for compliance

B

5. If a HIPAA security rule implementation specification is addressable, this means that___________. a. The covered entity does not have to show that the specification has been met b. An alternative may be implemented c. The specification must be implemented as written d. None of the above

B

7. Which of the following statements is false about the security officer? The Security Officer___________. a. Is generally the individual within the healthcare organization responsible for overseeing the information security program b. Holds a required full-time position under HIPAA security rule c. Generally reports to an upper level administrator within the healthcare organization d. Is given the authority to effectively manage the security program, apply sanctions and influence employees

B

2. One of the four general requirements a covered entity must adhere to for compliance with the HIPAA security rule is to ensure the confidentiality, integrity and ___________ of ePHI. a. Addressability b. Accuracy c. Availability d. Accountability

C

3. What are the primary distinctions between the HIPAA Security Rule and the HIPAA Privacy Rule? a. The Privacy rule applies to all forms of patients' PHI, whether electronic, written, or oral, but the security rule covers only electronic PHI. b. The security rule provides far more comprehensive security requirements than the privacy rule and includes a level of detail not provided in the security rule. c. Both a and b d. Neither a nor b; there are no distinctions

C

Virus

Common types are classified as file infectors, which attach to program files so that when a program is loaded the virus is also loaded

Token

Devices such as a key card that are inserted into doors or computers in order to gain entry

Ransomware

Distinct malware in that it attempts to deny access to a user's access to a user's data by encrypting the data with a key known to the hacker -When ransom is paid the user is given decryption key

4. The HIPAA security rule applies to which of the following covered entities? a. Hospital that bills Medicare b. Physician electronic billing company c. BlueCross health insurance plan d. a and c e. b and c f. All of the above g. None of the above

F

Biometric identifiers signify something that the user knows?

False

CEs can decide to comply with only the Privacy Rule and don't have to comply with the Security Rule?

False

Compliance with the HIPAA Security Rule is the only standards that should be considered when developing a security plan and performing a risk assessment?

False

Content Based Access Control is less stringent than Role Based Access Control?

False

Disaster recovery and contingency plans related to ePHI are nice to have but not necessary?

False

E-mail related to patient care should be kept separate from the patient medical record?

False

Employee training programs are not necessary to protect the security of PHI?

False

Facsimile machines provide a highly secure method of communication?

False

Healthcare organizations are excluded from the definition of "creditor" under FACTA?

False

It is best practice to select a very strong password and use it for all accounts?

False

Only healthcare providers are required to comply with the Security Rule?

False

Organization's firewall limits external Internet users from accessing portions of the healthcare network, but it does not limit internal users from accessing portions of the Internet?

False

Security awareness training is required every two years?

False

The Security Rule contains provisions that CEs can ignore?

False

The Security Rule is completely technical and requires computer programmers to address?

False

The safeguard requirements in the Privacy Rule are equivalent to compliance with the Security Rule?

False

Training is not necessary for remote workforce members as long as encryption is in place in the organization?

False

Vulnerabilities and threats are terms that can be used interchangeably?

False

Health Insurance Portability and Accountability Act

Federal legislation enacted to provide the continuity of health coverage, control fraud and abuse, reduce healthcare costs, and guarantee the security and privacy of health information

American Recovery and Reinvestment Act of 2009

Federal legislation that included significant funding for health information technology and provided for significant changes to the HIPAA Privacy Rule

Health Information Technology for Economic and Clinical Health (HITECH)

Federal legislation that was passed as a portion of the ARRA -Contains changes to the HIPAA Privacy Rule

Firewall

Hardware or software devices that examine traffic entering and leaving a network and prevent some traffic from entering or leaving based on established rules -Can be used to describe the software that protects computing resources or to describe the combination of the software, hardware, and polices that protect the resources

Unintentional Threats

Include employee errors that may result from lack of training in proper system use

Recognize the importance of contingency planning or disaster recovery planning in securing health information

It creates a plan of Acton in the event of a problem like power failures or disasters -Protects patient information and ePHI

Social Media

Often used by healthcare organizations as marketing tools and mechanisms to communicate with consumers or patients

Federal Information Processing Standards (FIPS)

Outlines approved security functions, approved protection profiles, approved random number generator, and approved key establishment techniques

Covered Entity

Persons or organizations that must comply with the HIPAA privacy and security rules -Including healthcare providers, health plans, and healthcare clearinghouses

List mechanisms to prevent and detect identity theft

Red Flag Rules 1)Alerts,notifications, or warnings from a consumer reporting agency 2)Suspicious documents 3)Suspicious personally identifiable information such as a suspicious address 4)Unusual use of or suspicious activity relating to , a covered account 5)Notices from customers, victims of identity theft, law enforcement agencies, or other businesses about possible identity theft in connection with and account

Person or Entity Authentication

Requires the implementation of procedures to verify that a person or entity seeking access to ePHI is the person or entity they claim to be

Technical Safeguard

Security measures that are based on technology rather than on administration or physical security -Includes access control, unique user identification, automatic logoff, and encryption and decryption

Technology Neutral

Specific technologies are not prescribed in the rules, which allows the use of the latest and appropriate technology

Scalability

The concept that based on the size of the CE, the threshold of compliance varies

Entity Authentication

The corroboration that an entity is the one claimed -The computer reds a predetermined set of criteria to determine whether the user is who he or she claims to be

Addressable Specification

The implementation specifications of the HIPAA Security Rule that are designated as addressable rather than required -To be in compliance with the rule, the CE must implement the specification as written, implement an alternative, or document that the risk does not exist in the organization or exists with little probability of occurrence

Required Specification

The implementation specifications of the HIPAA security rule that are designated required rather than addressable

Context Based Access Control CBAC

The most stringent type of access control -Takes into account the person attempting to access the data, the type of data being accessed, and the context of the transaction in which the access attempt is made

Identity and Access Management (IAM)

The security discipline that enables the right individuals to access the right resources at the right times for the right reason

Integrity

The state of being whole or unimpaired

Cryptography

The study of encryption and decryption techniques

Telehealth

The use of digital technologies to deliver medical care, health education, and public health services by connecting multiple users in different locations

Telemedicine

The use of medical information exchanged from one site to another via electronic communication to improve patient's health

An audit trail is a record that shows when a particular user accessed a computer system?

True

Assignment of patient medical record numbers is one of the priorities of the HIM professional during system downtime during a disaster?

True

Computers storing ePHI that are easily assessable to the public pose a vulnerability to a CE?

True

Data encryption ensures that data transferred from one location on a network to another are secure from eavesdropping or data interception?

True

Employee nondisclosure agreements are particularly important for employees who work in remote locations or telecommute?

True

Hacking is more prevalent in healthcare due to the value of patient information on the black market?

True

Internal security breaches are far more common than external breaches?

True

Medical identity theft has increased because of the expansion of electronic health record utilization and the expanded availability of data?

True

Red flags are used to help a healthcare provider detect medical identity theft?

True

The Identity Theft and Assumption Deterrence Act of 1998 makes it a federal crime to commit an act of identity theft?

True

The Security Rule contains both required and addressable standards?

True

The goal of the Security Rule is to ensure that patient information is protected from unauthorized access, alteration, deletion, and transmission?

True

Electronic Protected Health Information (ePHI)

Under HIPAA, all individually identifiable information that is created or received electronically by a healthcare provider or any other entity subject to HIPAA requirements

Authentication

Verification of a record's validity and its reliability as evidence -Also a security mechanism to validate the identity of a user in an electronic system

Vulnerabilities

Weaknesses that impact security of systems and networks

Phising

When someone impersonates a business or other known entity to attempt to have the user provide personal information

6. The HIPAA Security Awareness and Training administrative safeguard requires all of the following addressable implementation programs for an entity's workforce except___________. a. Disaster recovery plan b. Log-in monitoring c. Password management d. Security reminders

a