Chapter 12
If a HIPAA security rule implementation specification is addressable, this means that a. The covered entity does not have to show that the specification has been met b. An alternative may be implemented c. The specification must be implemented as writen d. None of the above
b. An alternative may be implemented
The HIPAA security rule requires that passwords a. Be updated every 90 days b. Be updated by organizational policy c. Be updated every time there is a breach d. Be updated every 60 days
b. Be updated by organizational policy
The admissions department is getting some new computers from the surgery department. The director is so excited to get the new computers that he does not contact IT and installs the computers over the weekend in admissions. Since the computers were not checked for the presence of ePHI, the admissions director has violated which provision of the HIPAA security rule? a. Access controls b. Device and media controls c. Emergency access procedure d. Contingency operations
b. Device and media controls
Which of the following statements is false about the security officer? The Security Officer a. Is generally the individual within the healthcare organization responsible for overseeing the information security program b. Holds a required full-time position under HIPAA security rule c. Generally reports to an upper level administrator within the healthcare organization d. Is given the authority to effectively manage the security program, apply sanctions and influence employees
b. Hold a required full-time position under HIPAA security rule
The purpose of the implementation specifications of the HIPAA security rule is provide a. Protection of patient information b. Instruction for implementation of standards c. Guidance for security training and education d. sample policies and procedures for compliance
b. Instruction for implementation of standards
Home health nurses at a covered entity want to use laptop computers to record patient notes. The director of nursing asks for guidance about whether or not this is a HIPAA violation. The most appropriate response from the security officer is that they a. Need to sign business associate contracts before they get laptops b. Need additional training as remote workers c. Need to wait and come back to the office and record the notes d. Cannot have laplops since it is a security risk
b. Need additional training as remote workers
According to the HIPAA Security Rule, what should a covered entity instruct a physician who needs a new smart phone to do with her current smart phone that contains ePHI? a. Keep her old smart phone b. Turn in her old smart phone c. Recycle the old smart phone by giving it to a charity d. Do what she wants since IT is too busy with other projects
b. Turn in her old smart phone
The HIPAA security rule contains the following safeguards except a. Technical b. Administrative c. Physical d. Reliability
d. Reliability
The HIPAA security rule applies to which of the following covered entities? a. Hospital that bills Medicare b. Physician electronic billing company c. BlueCross health insurance plan d. a and e e. band e f. All of the above g. None of the above
f. All of the above
The VP of finance wants to consider sending all of the medical transcriptionists home to work. What security issues should be included in the risk analysis? a. Access of data by unauthorized persons b. Storage of data on remote devices c. Transmission risks when reporting data d. Potential for new regulations covered
a. Access of data by unauthorized persons
The capture of data by a hospital's data security system that shows multiple invalid attempts to access the patients' database is an example of what type of security control? a. Audit trail b. Access control c. Auto-authentication d. Override function
a. Audit trail
Copying data onto tapes and storing the tapes at a distant location is an example of a. Data backup b. Duta mapping c. Data recovery d. Data storage for recovery
a. Data backup
The HIPAA Security Awareness and Training administrative safeguard requires all of the following addressable implementation programs for an entity's workforce except a. Disaster recovery plan b. Log-in monitoring c. Password management d. Security reminders
a. Disaster Recovery plan
Which of the following statements about HIPAA training is false? a. Privacy and security training should be separated. b. Different levels of training are needed depending on an employee's position in the organization. c. All employees in a health care organization need HIPAA training. d. Training is required under the HIPAA security rule.
a. Privacy and security training should be separated.
Some of the best steps that workers can take to comply with the HIPAA security rule include ensuring a. The security of mobile devices b. All employees receive appropriate training c. That employees don't ever use email d. That employees seoure their workplace
a. The security of mobile devices
A nurse administrator who does not typically take call gets called in over the weekend to staff the emergeney department. She does not have access to enter notes since this is not a part of her typical role. In order to meet the intent of the HIPAA Security Rule, the hospital policy should include a. A requirement for her to attend training before accessing ePHI b. A provision to allow her to share a password with another nurse c. A provision to allow her emergeney access to the system d. A restriction on her ability to access ePHI
c. A provision to allow her emergeney access to the system
One of the four general requirements a covered entity must adhere to for compliance with HIPAA security rule is to ensure the confidetiality, integrity and _________________ of ePHI. a. Addressability b. Accuracy c. Availability d. Accountability
c. Availability
Non-compliance with the HIPAA security rule can lead to a. Civil penalties b. Criminal penalties c. Both a and b d. A maximum annual penalty of $1 million
c. Both a and b
What are the primary distinctions between the HIPAA Security Rule and the HIPAA Privacy Rule? a . The security rule applies to all forms of patients' PHI, whether electronic, written, or oral, but the security rule covers only electronic PHI. b. The security rule provides far more comprehensive security requirements than the privacy rule and includes a level of detail not provided in the privacy rule. c. Both a and b d. Neither a nor b; there are no distinctions
c. Both a and b
With addressable standards, the covered entity may do all but which of the following? a. Implement the standard as written b. Implement an alternative standard c. Ignore the standard since it is addressable d. Determine the risk of not implementing is negligible
c. Ignore the standard since it is addressable
The HIPAA security rule contains what provision about encryption? a. It is required for all ePHI. b. It is required based on CMS guidance. c. It is required based on organizational policy d. It is not required for small providers.
c. It is required based on organizational policy
The enforcement agency for the security rule is a. Office of the Inspector General b. Centers for Medicare and Medicaid Services c. Office for Civil Rights d. Office of Management and Budget
c. Office for Civil Rights
The HIPAA security rule requires that the covered entity a. Eliminate all threats to ePHI b. Hire a security consultant c. Protect ePHI from reasonably anticipated threats d. Protect ePHI at all costs
c. Protect ePHI from reasonably anticipated threats
The HIPAA Security Rule allows flexibility in implementation based on reasonableness and appropriateness. What does the covered entity use to make these determinations? a. Size of the covered entity b. Security capabilities of the covered entity's system c. Costs of security measures d. All of the above
d. All of the above
What term is also used to denote the HIPAA requirement of Contingency Planning? a. Data backup b. Data recovery c. Disaster planning d. Emergency mode of operation
d. Emergency mode of operation