Combo with "Law Chapter 10 Final Review" and 1 other
A nurse administrator who does not typically take call gets called in over the weekend to staff the emergency department. She does not have access to enter notes since this is not a part of her typical role. In order to meet the intent of the HIPAA Security Rule, the hospital policy should include
a provision to allow her emergency access to the system
If a HIPAA security rule implementation specification is addressable, this means that
an alternative may be implemented...
The capture of data by a hospital's data security system that shows multiple invalid attempts to access the patients' database is an example of what type of security control?
audit trail
One of the four general requirements a covered entity must adhere to for compliance with the HIPAA security rule is to ensure the confidentiality, integrity and ___________ of ePHI.
availability
The HIPAA security rule requires that passwords
be updated by organizational policy
Non-compliance with the HIPAA security rule can lead to
both civil penalties and criminal penalties
The workforce security administrative safeguard requires policies and procedures that
both ensure appropriate ePHI access by workforce members and prevent access to ePHI by workforce members who should not have access
The latest provisions to HIPAA include
breach notification, enforcement and modifications to the privacy and security rules
Which of the following would provide the best support of an organization's efforts toward compliance with the security rule?
build security into software and systems
Copying data onto tapes and storing the tapes at a distant location is an example of
data backup
To ensure compliance with the HIPAA security rule training requirement, the HIIM Director should do which of the following?
determine special needs of HIM staff and provide training
Helpful University Health System has a laptop sharing program which allows users to request laptop computers to use for short-term projects. Many of the projects involve the use of ePHI. When the laptops are returned to the office, they are often immediately recirculated to another user in the system. This is an example of a violation of which of the following aspects of the security rule?
device and media controls
The admissions department is getting some new computers from the surgery department. The director is so excited to get the new computers that he does not contact IT and installs the computers over the weekend in admissions. Since the computers were not checked for the presence of ePHI, the admissions director has violated which provision of the HIPAA security rule?
device and media controls
Which portion of a security program would ensure that ePHI is not stored on recycled equipment?
device and media controls
The HIPAA "Security Awareness and Training" administrative safeguard requires all of the following addressable implementation programs for an entity's workforce except
disaster recovery plan
What term is also used to denote the HIPAA requirement of Contingency Planning?
emergency mode of operation
The security rule's five sections include all of the following except:
encryption requirements
Which of the following statements is false about the Security Officer? The Security Officer
holds a required full-time position under HIPAA security rule
The HIPAA security rule allows flexibility in implementation based on reasonableness and appropriateness. This means that covered entities can
implement based on organizational assessment
The purpose of the implementation specifications of the HIPAA security rule is to provide
instruction for implementation of standards
One of the four general requirements a covered entity must adhere to for compliance with the HIPAA security rule is to ensure the confidentiality, ________, and availability of ePHI.
integrity
Which term does the security rule use to define data or information that has not been altered or destroyed in an unauthorized manner?
integrity
Which of the following best describes the role that the HIIM professional should play in HIPAA security compliance?
moderate involvement since the rule is very operational
The HIPAA security rule applies to which of the following covered entities?
A) Hospital that bills Medicare B) Physician electronic billing company C) BlueCross health insurance plan
Assessing HIPAA training programs is important for which of the following reasons?
A) It is how the workforce knows what to do. B) It is highly visible to auditors.
All of the following are security rule physical safeguard standards except
A) facility access controls B) *** contingency planning *** C) workstation security D) device and media controls
With addressable standards, the covered entity may do all but which of the following?
A) implement the standard as written B) implement an alternative standard C) *** ignore the standard since it is addressable *** D) determine that the risk of not implementing is negligible
The HIPAA Security Rule allows flexibility in implementation based on reasonableness and appropriateness. What does the covered entity use to make these determinations?
A) size of the covered entity B) security capabilities of the covered entity's system C) costs of security measures
Home health nurses at a covered entity want to use laptop computers to record patient notes. The director of nursing asks for guidance about whether or not this is a HIPAA violation. The most appropriate response from the Security Officer is that they:
need additional training as remote workers
Which of the following is a best practice to comply with the revised security provisions of the HITECH Act?
Inventory BAs to determine which Business Associates Agreements need to be amended.
The HIPAA security rule contains what provision about encryption?
It is required based on organizational policy.
The enforcement agency for the security rule is
Office for Civil Rights
Which of the following statements about HIPAA training is false?
Privacy and security training should be separated.
Some of the best steps that workers can take to comply with the HIPAA security rule include ensuring
the security of mobile devices
A subcontractor of a business associate may
transmit ePHI on the business associate's behalf if it provides satisfactory assurances that the information will be appropriately safeguarded
According to the HIPAA Security Rule, how should a covered entity instruct a physician who needs a new smart phone and her current smart phone contains ePHI?
turn in her old smart phone
Disabling the USB drive on a computer is an example of what type of security?
workstation
What are the primary distinctions between the HIPAA Security Rule and the HIPAA Privacy Rule?
Both: the security rule applies to all forms of patients' PHI, whether electronic, written, or oral, but the security rule covers only electronic PHI; and the security rule provides for far more comprehensive security requirements than the security rule and includes a level of detail not provided in the security rule.
The best source for obtaining primary information on addressing the HIPAA Security Rule would be which of the following sources?
Department of HHS
The VP of Finance wants to consider sending all of the medical transcriptionists home to work. What security issues should be included in the risk analysis?
access of data by unauthorized persons
Security awareness training programs require the implementation of awareness and training of all workforce members and should include
periodic security reminders
In general, reviews for compliance with various aspects of the security rule should be conducted
periodically
When developing security procedures for remote workforce, the HIM director should reference which of the following?
privacy and security rules, state statutes and other federal statutes
Fred resigned from his position at University Hospital. According to the HIPAA security rule, his access to the electronic health record system should be terminated
promptly upon resignation
The HIPAA security rule requires that the covered entity
protect ePHI from reasonably anticipated threats
The HIPAA security rule contains the following safeguards except
reliability
Dr. Watson is known to chronically not remember his password and ask other physicians and nurses to use their passwords. This is reported by various staff, but the security officer ignores the complaints since Dr. Watson is the chief of staff. The hospital most likely has not complied with which of the following?
sanction policy
When external reviewers request access to electronic patient records, the IT professionals at Charity Clinic determine that giving the reviewers a user name and password to access all records in the database is the quickest and easiest approach. As the HIIM Director, your response to this would be to
suggest records necessary for audit be placed in a queue