Chapter 12 and 13 Review Quiz (LAW)
Red Flag Rules
- Alerts, notifications, or warnings from a consumer reporting agency
- Suspicious documents
- Suspicious personally identifying information
- Unusual use of, or suspicious activity relating to, a covered account
- Notices from customers, victims of identity theft
Describe the purposes of the HIPAA Security Rule
- Implement appropriate security safeguards and protect electronic healthcare information that may be at risk
- Protect an individual's health information while permitting appropriate access and use of that information
Recognize security components for risk management
-Must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the security standards
Summarize the components of the Security Rule
1) General Requirements
2) Flexibility of Approach: allows CEs and BAs to implement the standards
3) Standards: CEs and BAs must comply with the standards (administrative, physical, technical, organizational, and policies, procedures, and documentation)
4) Implementation Specifications: detailed instructions for implementing a specific standard
5) Maintenance of Security Measures: continuing review of the reasonableness and appropriateness of a CE's or BA's security measures
Identify potential internal and external security threats, distinguishing human threats from natural and environmental threats and describing vulnerabilities
1) Human Threats
- Internal (members of the organization)
- External (outside the organization)
2) Natural or Environmental Threats
- Internal (fire, water damage within the organization)
- External (floods, tornadoes, natural disasters)
3) Vulnerabilities
- Weaknesses that impact the security of systems and networks
- Physical or software
Types of Medical identity theft
1) Use of a person's name and other identifiers, without the consent of the victim, to obtain medical goods or services (can also occur with the individual's consent but without a full understanding of the outcomes)
2) The use of a person's identity to obtain medical services by falsifying claims for medical services (business)
Role-Based Access Control (RBAC)
A control system in which access decisions are based on the roles of individual users as part of an organization
Identity Theft
A crime in which an individual's personal information is stolen, often through the ease of obtaining data in electronic environments
Cyber Attack
A deliberate and often systematic attempt to gain unauthorized access to a device or network
Trojan horse
A destructive piece of programming code that hides in another piece of programming code that looks harmless
Wired Equivalent Privacy (WEP)
A form of encryption used to authenticate the sender and the receiver of messages over networks, particularly when the internet is involved in the data transmission - Should provide authentication, data security, and data non-repudiation
Data Encryption
A form of technical security used to ensure that data transferred from one location on a network to another are secure from anyone eavesdropping or seeking to intercept them
Confidentiality
A legal and ethical concept that establishes the healthcare provider's responsibility for protecting health records and other personal and private information from unauthorized use or disclosure
Business Associate (BA)
A person or organization other than a member of a CE workforce that performs functions or activities on behalf of or affecting a CE that involve the use or disclosure of individually identifiable health information
Contingency Planning
A plan for recovery in the event of a power failure, disaster, or other emergency that limits or eliminates access to facilities and electronic protected health information
Disaster Recovery Planning
A plan for securing electronic protected health information in the event of a disaster that limits or eliminates access to facilities and ePHI
Audit Trail
A record that shows who has accessed a computer system, when it was accessed, and what operations were performed
User-Based Access Control (UBAC)
A security mechanism used to grant users of a system access based on their identity
Automatic Log Off
A security procedure that causes a computer session to end after a predetermined period of inactivity (EX: 10 min)
Biometric Identification Systems
A security system that analyzes biological data about the user (fingerprint, voiceprint, or retinal scan)
External Security Threat
A security threat caused by individuals or forces outside the organization
Internal Security Threat
A security threat caused by individuals or forces within an organization
Physical Safeguards
A set of four standards defined by the HIPAA security rule: facility access controls, workstation use, workstation security, and device and media control
Worm
A special type of computer virus that stores and then replicates itself
Encryption
A technique used to ensure that data transferred from one location on a network to another are secure from eavesdropping or interception
Pretty Good Privacy
A type of encryption software that uses public key cryptology and digital signatures for authentication
Medical Identity Theft
A type of identity theft and financial fraud that involves the inappropriate or unauthorized misrepresentation of one's identity to obtain medical goods or services, or to obtain money by falsifying claims for medical services
Distinguish access controls from systems controls and provide examples of each
Access Controls
1) Prevent unauthorized individuals from retrieving, using, or altering information
2) Access rights
3) Biometrics, PINs, tokens
Systems Controls
1) Related to a system's hardware or software and functions such as transmission of ePHI via fax or email
Fair and Accurate Credit Transactions Act (FACTA)
An act that requires advance employee authorization for a consumer reporting agency to share medical information with employers for employment or insurance purposes - It also requires financial institutions and creditors to develop and implement written identity theft programs that identify, detect, and respond to red flags that may signal the presence of identity theft
Information System
An automated system that uses computer hardware and software to record, manipulate, store, recover, and disseminate data
Security Officer
An individual responsible for overseeing privacy policies and procedures
Creditor
Anyone who regularly meets one of the following criteria:
1) Obtains or uses consumer reports in connection with a credit transaction
2) Furnishes information to consumer reporting agencies in connection with a credit transaction
3) Advances funds to someone
Intentional Threats
Attacks from outside the network or internal malicious actions by workforce members
1. The purpose of the implementation specifications of the HIPAA security rule is to provide______. a. Protection of patient information b. Instruction for implementation of standards c. Guidance for security training and education d. Sample policies and procedures for compliance
B
5. If a HIPAA security rule implementation specification is addressable, this means that___________. a. The covered entity does not have to show that the specification has been met b. An alternative may be implemented c. The specification must be implemented as written d. None of the above
B
7. Which of the following statements is false about the security officer? The Security Officer___________. a. Is generally the individual within the healthcare organization responsible for overseeing the information security program b. Holds a required full-time position under HIPAA security rule c. Generally reports to an upper level administrator within the healthcare organization d. Is given the authority to effectively manage the security program, apply sanctions and influence employees
B
2. One of the four general requirements a covered entity must adhere to for compliance with the HIPAA security rule is to ensure the confidentiality, integrity and ___________ of ePHI. a. Addressability b. Accuracy c. Availability d. Accountability
C
3. What are the primary distinctions between the HIPAA Security Rule and the HIPAA Privacy Rule? a. The Privacy rule applies to all forms of patients' PHI, whether electronic, written, or oral, but the security rule covers only electronic PHI. b. The security rule provides far more comprehensive security requirements than the privacy rule and includes a level of detail not provided in the privacy rule. c. Both a and b d. Neither a nor b; there are no distinctions
C
Virus
Common types are classified as file infectors, which attach to program files so that when a program is loaded the virus is also loaded
Token
Devices such as a key card that are inserted into doors or computers in order to gain entry
Ransomware
Malware that is distinct in that it attempts to deny a user access to their data by encrypting the data with a key known to the hacker - When the ransom is paid, the user is given the decryption key
4. The HIPAA security rule applies to which of the following covered entities? a. Hospital that bills Medicare b. Physician electronic billing company c. BlueCross health insurance plan d. a and c e. b and c f. All of the above g. None of the above
F
Biometric identifiers signify something that the user knows?
False
CEs can decide to comply with only the Privacy Rule and don't have to comply with the Security Rule?
False
Compliance with the HIPAA Security Rule is the only standards that should be considered when developing a security plan and performing a risk assessment?
False
Context Based Access Control is less stringent than Role Based Access Control?
False
Disaster recovery and contingency plans related to ePHI are nice to have but not necessary?
False
E-mail related to patient care should be kept separate from the patient medical record?
False
Employee training programs are not necessary to protect the security of PHI?
False
Facsimile machines provide a highly secure method of communication?
False
Healthcare organizations are excluded from the definition of "creditor" under FACTA?
False
It is best practice to select a very strong password and use it for all accounts?
False
Only healthcare providers are required to comply with the Security Rule?
False
An organization's firewall limits external Internet users from accessing portions of the healthcare network, but it does not limit internal users from accessing portions of the Internet?
False
Security awareness training is required every two years?
False
The Security Rule contains provisions that CEs can ignore?
False
The Security Rule is completely technical and requires computer programmers to address?
False
The safeguard requirements in the Privacy Rule are equivalent to compliance with the Security Rule?
False
Training is not necessary for remote workforce members as long as encryption is in place in the organization?
False
Vulnerabilities and threats are terms that can be used interchangeably?
False
Health Insurance Portability and Accountability Act
Federal legislation enacted to provide the continuity of health coverage, control fraud and abuse, reduce healthcare costs, and guarantee the security and privacy of health information
American Recovery and Reinvestment Act of 2009
Federal legislation that included significant funding for health information technology and provided for significant changes to the HIPAA Privacy Rule
Health Information Technology for Economic and Clinical Health (HITECH)
Federal legislation that was passed as a portion of the ARRA - Contains changes to the HIPAA Privacy Rule
Firewall
Hardware or software devices that examine traffic entering and leaving a network and prevent some traffic from entering or leaving based on established rules - Can be used to describe the software that protects computing resources or to describe the combination of the software, hardware, and policies that protect the resources
Unintentional Threats
Include employee errors that may result from lack of training in proper system use
Recognize the importance of contingency planning or disaster recovery planning in securing health information
It creates a plan of action in the event of a problem such as power failures or disasters - Protects patient information and ePHI
Social Media
Often used by healthcare organizations as marketing tools and mechanisms to communicate with consumers or patients
Federal Information Processing Standards (FIPS)
Outlines approved security functions, approved protection profiles, approved random number generator, and approved key establishment techniques
Covered Entity
Persons or organizations that must comply with the HIPAA privacy and security rules - Including healthcare providers, health plans, and healthcare clearinghouses
List mechanisms to prevent and detect identity theft
Red Flag Rules
1) Alerts, notifications, or warnings from a consumer reporting agency
2) Suspicious documents
3) Suspicious personally identifiable information, such as a suspicious address
4) Unusual use of, or suspicious activity relating to, a covered account
5) Notices from customers, victims of identity theft, law enforcement agencies, or other businesses about possible identity theft in connection with an account
Person or Entity Authentication
Requires the implementation of procedures to verify that a person or entity seeking access to ePHI is the person or entity they claim to be
Technical Safeguard
Security measures that are based on technology rather than on administration or physical security - Includes access control, unique user identification, automatic logoff, and encryption and decryption
Technology Neutral
Specific technologies are not prescribed in the rules, which allows the use of the latest and appropriate technology
Scalability
The concept that based on the size of the CE, the threshold of compliance varies
Entity Authentication
The corroboration that an entity is the one claimed - The computer reads a predetermined set of criteria to determine whether the user is who he or she claims to be
Addressable Specification
The implementation specifications of the HIPAA Security Rule that are designated as addressable rather than required - To be in compliance with the rule, the CE must implement the specification as written, implement an alternative, or document that the risk does not exist in the organization or exists with little probability of occurrence
Required Specification
The implementation specifications of the HIPAA security rule that are designated required rather than addressable
Context-Based Access Control (CBAC)
The most stringent type of access control - Takes into account the person attempting to access the data, the type of data being accessed, and the context of the transaction in which the access attempt is made
Identity and Access Management (IAM)
The security discipline that enables the right individuals to access the right resources at the right times for the right reason
Integrity
The state of being whole or unimpaired
Cryptography
The study of encryption and decryption techniques
Telehealth
The use of digital technologies to deliver medical care, health education, and public health services by connecting multiple users in different locations
Telemedicine
The use of medical information exchanged from one site to another via electronic communication to improve a patient's health
An audit trail is a record that shows when a particular user accessed a computer system?
True
Assignment of patient medical record numbers is one of the priorities of the HIM professional during system downtime during a disaster?
True
Computers storing ePHI that are easily accessible to the public pose a vulnerability to a CE?
True
Data encryption ensures that data transferred from one location on a network to another are secure from eavesdropping or data interception?
True
Employee nondisclosure agreements are particularly important for employees who work in remote locations or telecommute?
True
Hacking is more prevalent in healthcare due to the value of patient information on the black market?
True
Internal security breaches are far more common than external breaches?
True
Medical identity theft has increased because of the expansion of electronic health record utilization and the expanded availability of data?
True
Red flags are used to help a healthcare provider detect medical identity theft?
True
The Identity Theft and Assumption Deterrence Act of 1998 makes it a federal crime to commit an act of identity theft?
True
The Security Rule contains both required and addressable standards?
True
The goal of the Security Rule is to ensure that patient information is protected from unauthorized access, alteration, deletion, and transmission?
True
Electronic Protected Health Information (ePHI)
Under HIPAA, all individually identifiable information that is created or received electronically by a healthcare provider or any other entity subject to HIPAA requirements
Authentication
Verification of a record's validity and its reliability as evidence - Also a security mechanism to validate the identity of a user in an electronic system
Vulnerabilities
Weaknesses that impact security of systems and networks
Phishing
When someone impersonates a business or other known entity to attempt to have the user provide personal information
6. The HIPAA Security Awareness and Training administrative safeguard requires all of the following addressable implementation programs for an entity's workforce except___________. a. Disaster recovery plan b. Log-in monitoring c. Password management d. Security reminders
a