HIM Exam 12 and 13
11. Copying data onto tapes and storing the tapes at a distant location is an example of___________. a. Data backup b. Data mapping c. Data recovery d. Data storage for recovery
A
12. The capture of data by a hospital's data security system that shows multiple invalid attempts to access the patients' database is an example of what type of security control? a. Audit trail b. Access control c. Auto-authentication d. Override function
A
19. The capture of data by a hospital's data security system that shows multiple invalid attempts to access the patients' database is an example of a(n) __________. a. Audit trail. b. Access control. c. Auto-authentication. d. Override function.
A
20. Which of the following defines the study of encryption and decryption techniques? a. Cryptography b. Authentication c. Context-based access control d. Biometric identifier control
A
22. Key components to a contingency or disaster plan, mandated by the HIPAA Security Rule include __________. a. Data back-up, data recovery and emergency mode of operations. b. Data back-up and data recovery. c. Data recovery and emergency mode of operations. d. Data back-up, data recovery, emergency mode of operations and data encryption.
A
23. The VP of finance wants to consider sending all of the medical transcriptionists home to work. What security issues should be included in the risk analysis? a. Access of data by unauthorized persons b. Storage of data on remote devices c. Transmission risks when reporting data d. Potential for new regulations
A
23. The most important protection against loss of data is __________. a. User compliance with policy and procedures. b. User adoption of biometric identifiers. c. User adoption of employee nondisclosure agreements. d. User compliance with architecture and topology.
A
25. Some of the best steps that workers can take to comply with the HIPAA security rule include ensuring ___________. a. The security of mobile devices b. All employees receive appropriate training c. That employees don't ever use email d. That employees secure their workplace
A
3. An individual designated as an inpatient coder may have access to an electronic medical record in order to code the record. Under which access security mechanism is the coder allowed access to the system? a. Role-based b. User-based c. Context-based d. None of the above
A
9. Which of the following statements about HIPAA training is false? a. Privacy and security training should be separated. b. Different levels of training are needed depending on an employee's position in the organization. c. All employees in a health care organization need HIPAA training. d. Training is required under the HIPAA security rule.
A
Encryption
A technique used to ensure that data transferred from one location on a network to another are secure from eavesdropping or interception
Creditor
Anyone who regularly meets one of the following criteria: 1) Obtains or uses consumer reports in connection with a credit transaction 2) Furnishes information to consumer reporting agencies in connection with a credit transaction 3) Advances funds to someone
12. What is the most common type of security threat to a health information system? a. External to the organization b. Internal to the organization c. Environmental in nature d. Computer viruses
B
18. The HIPAA security rule requires that passwords ___________. a. Be updated every 90 days b. Be updated by organizational policy c. Be updated every time there is a breach d. Be updated every 60 days
B
19. According to the HIPAA Security Rule, what should a covered entity instruct a physician who needs a new smart phone to do with her current smart phone that contains ePHI? a. Keep her old smart phone b. Turn in her old smart phone c. Recycle the old smart phone by giving it to a charity d. Do what she wants since IT is too busy with other projects
B
2. The director of health information services is allowed access to the medical record tracking system when providing the proper log-in and password. Under which access security mechanism is the director allowed access to the system? a. Role-based b. User-based c. Context-based d. None of the above
B
22. The admissions department is getting some new computers from the surgery department. The director is so excited to get the new computers that he does not contact IT and installs the computers over the weekend in admissions. Since the computers were not checked for the presence of ePHI, the admissions director has violated which provision of the HIPAA security rule? a. Access controls b. Device and media controls c. Emergency access procedure d. Contingency operations
B
24. Home health nurses at a covered entity want to use laptop computers to record patient notes. The director of nursing asks for guidance about whether or not this is a HIPAA violation. The most appropriate response from the security officer is that they___________. a. Need to sign business associate contracts before they get laptops b. Need additional training as remote workers c. Need to wait and come back to the office and record the notes d. Cannot have laptops since it is a security risk
B
The purpose of entity authentication is to __________. a. Prevent rebooting to deactivate a logoff system b. Read predetermined criteria to determine if a user is who he or she claims c. Allow rebooting to activate a sign-in process d. Reject multiple log-in attempts
B
14. The enforcement agency for the security rule is___________. a. Office of the Inspector General b. Centers for Medicare and Medicaid Services c. Office for Civil Rights d. Office of Management and Budget
C
14. Which of the following requires financial institutions develop written medical identity theft programs? a. HIPAA Security Rule b. HITECH Act c. Fair and Accurate Credit Transactions Act d. HIPAA Privacy and Security Rule
C
17. Which of the following is an example of two-factor authentication? a. User name and password b. Password c. User name and password and token d. User name and PIN
C
17. With addressable standards, the covered entity may do all but which of the following? a. Implement the standard as written b. Implement an alternative standard c. Ignore the standard since it is addressable d. Determine the risk of not implementing is negligible
C
18. The predetermined time for an automatic log-off from the system is mandated by __________. a. HIPAA Security Rule b. HIPAA Privacy Rule c. Facility policy d. State Statute
C
2. One of the four general requirements a covered entity must adhere to for compliance with the HIPAA security rule is to ensure the confidentiality, integrity and ___________ of ePHI. a. Addressability b. Accuracy c. Availability d. Accountability
C
20. A nurse administrator who does not typically take call gets called in over the weekend to staff the emergency department. She does not have access to enter notes since this is not a part of her typical role. In order to meet the intent of the HIPAA Security Rule, the hospital policy should include ___________. a. A requirement for her to attend training before accessing ePHI b. A provision to allow her to share a password with another nurse c. A provision to allow her emergency access to the system d. A restriction on her ability to access ePHI
C
21. The HIPAA security rule contains what provision about encryption? a. It is required for all ePHI. b. It is required based on CMS guidance. c. It is required based on organizational policy. d. It is not required for small providers.
C
4. Under which access security mechanism would an individual be allowed access to ePHI if they have a proper log-in and password, belong to a specified group, and their workstation is located in a specific place within the facility? a. Role-based b. User-based c. Context-based d. None of the above
C
8. Non-compliance with the HIPAA security rule can lead to___________. a. Civil penalties b. Criminal penalties c. Both a and b d. A maximum annual penalty of $1 million
C
Of the following, which type of data encryption is primarily used in a wireless network environment? a. PKI b. PGP c. WEP d. None of the above
C
Which of the following is the best option for password management? a. User changes password every 45 days b. User changes password every 60 days c. System auto-assigns password d. User assigns password
C
Which of the following statements is false about a firewall? a. It is a system or combination of systems that supports an access control policy between two networks. b. The most common place to find a firewall is between the healthcare organization's internal network and the Internet. c. Firewalls are effective for preventing all types of attacks on a healthcare system. d. A firewall can limit internal users from accessing various portions of the Internet.
C
Which of the following would be considered a two-factor authentication system? a. User ID with a password b. User ID with voice scan c. Password and swipe card d. All of the above
C
Virus
Common types are classified as file infectors, which attach to program files so that when a program is loaded the virus is also loaded
1. The greatest threats to organizational security stem from __________. a. Natural threats b. Environmental threats c. International threats d. Internal threats
D
10. What term is also used to denote the HIPAA requirement of Contingency Planning? a. Data backup b. Data recovery c. Disaster planning d. Emergency mode of operation
D
13. With whom may patients file a complaint if they suspect medical identity theft violations? a. Internal Revenue Service b. Office of Civil Rights c. Centers for Medicare and Medicaid Services d. Federal Trade Commission
D
15. The role of the HIM professional in medical identity theft protection programs includes all of the following except __________. a. Ensure safeguards are in place to protect the privacy and security of PHI b. Balance patient privacy protection with disclosing medical identity theft to victims c. Identify resources to assist patients who are victims of medical identity theft d. Defer all issues related to medical identity theft to the in-house attorney
D
16. Elements to include in a security system risk analysis program include all but which of the following? a. Limiting access to the minimum necessary b. Requiring user names and passwords c. Installing protective hardware devices d. Restricting remote access to users
D
16. The HIPAA Security Rule allows flexibility in implementation based on reasonableness and appropriateness. What does the covered entity use to make these determinations? a. Size of the covered entity b. Security capabilities of the covered entity's system c. Costs of security measures d. All of the above
D
21. Common safeguards utilized to protect e-mail communication include all but which of the following? a. Anti-spam software b. E-mail filtering c. Encryption software d. E-mail scrubbing
D
24. When determining the appropriate password composition, the HIIM professional should refer to which of the following? a. HIPAA Privacy Rule b. HIPAA Security Rule c. HITECH Act d. Organizational policy
D
25. Which of the following is not an access control commonly utilized by covered entities for compliance with the HIPAA security rule? a. User-based access b. Passwords c. Tokens d. Palm scanners
D
The HIPAA security rule contains the following safeguards except___________. a. Technical b. Administrative c. Physical d. Reliability
D
Which is the most common method for implementing entity authentication? a. Personal identification number b. Biometric identification systems c. Token systems d. Password systems
D
Token
Devices such as a key card that are inserted into doors or computers in order to gain entry
Ransomware
Distinct malware in that it attempts to deny a user access to the user's own data by encrypting the data with a key known to the hacker -When the ransom is paid, the user is given the decryption key
An audit trail is a good tool for which of the following? a. Holding an individual employee accountable for actions b. Reconstructing electronic events c. Detecting a hacker d. Recognizing when a system is having problems e. a and d f. b and d g. All of the above h. None of the above
G
Firewall
Hardware or software devices that examine traffic entering and leaving a network and prevent some traffic from entering or leaving based on established rules -Can be used to describe the software that protects computing resources or to describe the combination of the software, hardware, and policies that protect the resources
Technology Neutral
Specific technologies are not prescribed in the rules, which allows the use of the latest and appropriate technology
Identity and Access Management (IAM)
The security discipline that enables the right individuals to access the right resources at the right times for the right reason
Integrity
The state of being whole or unimpaired
Cryptography
The study of encryption and decryption techniques
Telehealth
The use of digital technologies to deliver medical care, health education, and public health services by connecting multiple users in different locations
15. The HIPAA security rule requires that the covered entity___________. a. Eliminate all threats to ePHI b. Hire a security consultant c. Protect ePHI from reasonably anticipated threats d. Protect ePHI at all costs
c
Business Associate (BA)
A person or organization other than a member of a CE workforce that performs functions or activities on behalf of or affecting a CE that involve the use or disclosure of individually identifiable health information
Contingency Planning
A plan for recovery in the event of a power failure, disaster, or other emergency that limits or eliminates access to facilities and electronic protected health information
Audit Trail
A record that shows who has accessed a computer system, when it was accessed, and what operations were performed
User-based access control (UBAC)
A security mechanism used to grant users of a system access based on their identity
Automatic Log Off
A security procedure that causes a computer session to end after a predetermined period of inactivity (EX: 10 min)
Distinguish access controls from systems controls and provide examples of each
Access Controls: 1) Prevent unauthorized individuals from retrieving, using, or altering information 2) Access rights 3) Biometrics, PINs, tokens. Systems Controls: 1) Related to a system's hardware or software and functions such as transmission of ePHI via fax or email
Biometric identifiers signify something that the user knows?
False
Security awareness training is required every two years?
False
The Security Rule contains provisions that CEs can ignore?
False
The Security Rule is completely technical and requires computer programmers to address?
False
The safeguard requirements in the Privacy Rule are equivalent to compliance with the Security Rule?
False
Training is not necessary for remote workforce members as long as encryption is in place in the organization?
False
Vulnerabilities and threats are terms that can be used interchangeably?
False
Health Insurance Portability and Accountability Act
Federal legislation enacted to provide the continuity of health coverage, control fraud and abuse, reduce healthcare costs, and guarantee the security and privacy of health information
American Recovery and Reinvestment Act of 2009
Federal legislation that included significant funding for health information technology and provided for significant changes to the HIPAA Privacy Rule
Health Information Technology for Economic and Clinical Health (HITECH)
Federal legislation that was passed as a portion of the ARRA -Contains changes to the HIPAA Privacy Rule
Describe the purposes of the HIPAA Security Rule
Governs PHI that is transmitted by or maintained in some form of electronic media -Implement appropriate security safeguards and protect electronic healthcare information that may be at risk -Protect an individual's health information while permitting appropriate access and use of that information
Unintentional Threats
Include employee errors that may result from lack of training in proper system use
Recognize security components for risk management
-Must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the security standards
Summarize the components of the Security Rule
1) General Requirements: 2) Flexibility of Approach: Allows CEs and BAs to choose how to implement the standards 3) Standards: CEs and BAs must comply with the standards (administrative, physical, technical, organizational, and policies, procedures, and documentation) 4) Implementation specifications: Detailed instructions for implementing a specific standard 5) Maintenance of security measures: Continuing review of the reasonableness and appropriateness of a CE's or BA's security measures
Identify potential internal and external security threats, distinguishing human threats from natural and environmental threats and describing vulnerabilities
1) Human Threats -Internal (members of the organization) -External (outside the organization) 2) Natural or Environmental -Internal (fire, water damage within the organization) -External (floods, tornadoes, natural disasters) 3) Vulnerabilities -Weaknesses that impact the security of systems and networks -Physical or software
Role-based access control (RBAC)
A control system in which access decisions are based on the roles of individual users as part of an organization
Identity Theft
A crime in which an individual's personal information is stolen, often through the ease of obtaining data in electronic environments
Cyber Attack
A deliberate and often systematic attempt to gain unauthorized access to a device or network
Trojan horse
A destructive piece of programming code that hides in another piece of programming code that looks harmless
Wired Equivalent Privacy (WEP)
A form of encryption used to authenticate the sender and the receiver of messages over networks, particularly when the internet is involved in the data transmission -Should provide authentication, data security and data non-repudiation
Data Encryption
A form of technical security used to ensure that data transferred from one location on a network to another are secure from anyone eavesdropping or seeking to intercept them
Confidentiality
A legal and ethical concept that establishes the healthcare provider's responsibility for protecting health records and other personal and private information from unauthorized use or disclosure
Disaster Recovery Planning
A plan for securing electronic protected health information in the event of a disaster that limits or eliminates access to facilities and ePHI
Red Flag Rule
A provision under FACTA that requires financial institutions and creditors to develop and implement written programs that identify, detect, and respond to red flags that may signal the presence of identity theft
Biometric Identification Systems
A security system that analyzes biological data about the user (fingerprint, voiceprint, or retinal scan)
External Security Threat
A security threat caused by individuals or forces outside the organization
Internal Security Threat
A security threat caused by individuals or forces within an organization
Physical Safeguards
A set of four standards defined by the HIPAA security rule: facility access controls, workstation use, workstation security, and device and media control
Worm
A special type of computer virus that stores and then replicates itself
Pretty Good Privacy
A type of encryption software that uses public key cryptology and digital signatures for authentication
Medical Identity Theft
A type of identity theft and financial fraud that involves the inappropriate or unauthorized misrepresentation of one's identity to obtain medical goods or services, or to obtain money by falsifying claims for medical services
Fair and Accurate Credit Transactions Act (FACTA)
An act that requires advance employee authorization for a consumer reporting agency to share medical information with employers for employment or insurance purposes -It also requires financial institutions and creditors to develop and implement written identity theft programs that identify, detect, and respond to red flags that may signal the presence of identity theft
Information System
An automated system that uses computer hardware and software to record, manipulate, store, recover, and disseminate data
Security Officer
An individual responsible for overseeing privacy policies and procedures
Intentional Threats
Attacks from outside the network or internal malicious actions by workforce members
1. The purpose of the implementation specifications of the HIPAA security rule is to provide______. a. Protection of patient information b. Instruction for implementation of standards c. Guidance for security training and education d. Sample policies and procedures for compliance
B
5. If a HIPAA security rule implementation specification is addressable, this means that___________. a. The covered entity does not have to show that the specification has been met b. An alternative may be implemented c. The specification must be implemented as written d. None of the above
B
7. Which of the following statements is false about the security officer? The Security Officer___________. a. Is generally the individual within the healthcare organization responsible for overseeing the information security program b. Holds a required full-time position under HIPAA security rule c. Generally reports to an upper level administrator within the healthcare organization d. Is given the authority to effectively manage the security program, apply sanctions and influence employees
B
3. What are the primary distinctions between the HIPAA Security Rule and the HIPAA Privacy Rule? a. The privacy rule applies to all forms of patients' PHI, whether electronic, written, or oral, but the security rule covers only electronic PHI. b. The security rule provides for far more comprehensive security requirements than the privacy rule and includes a level of detail not provided in the privacy rule. c. Both a and b d. Neither a nor b; there are no distinctions
C
4. The HIPAA security rule applies to which of the following covered entities? a. Hospital that bills Medicare b. Physician electronic billing company c. BlueCross health insurance plan d. a and c e. b and c f. All of the above g. None of the above
F
CEs can decide to comply with only the Privacy Rule and don't have to comply with the Security Rule?
False
Compliance with the HIPAA Security Rule is the only standards that should be considered when developing a security plan and performing a risk assessment?
False
Context-based access control is less stringent than role-based access control?
False
Disaster recovery and contingency plans related to ePHI are nice to have but not necessary?
False
E-mail related to patient care should be kept separate from the patient medical record?
False
Employee training programs are not necessary to protect the security of PHI?
False
Facsimile machines provide a highly secure method of communication?
False
Healthcare organizations are excluded from the definition of "creditor" under FACTA?
False
It is best practice to select a very strong password and use it for all accounts?
False
Only healthcare providers are required to comply with the Security Rule?
False
Organization's firewall limits external Internet users from accessing portions of the healthcare network, but it does not limit internal users from accessing portions of the Internet?
False
Recognize the importance of contingency planning or disaster recovery planning in securing health information
It creates a plan of action in the event of a problem like power failures or disasters -Protects patient information and ePHI
Social Media
Often used by healthcare organizations as marketing tools and mechanisms to communicate with consumers or patients
Federal Information Processing Standards (FIPS)
Outlines approved security functions, approved protection profiles, approved random number generator, and approved key establishment techniques
Covered Entity
Persons or organizations that must comply with the HIPAA privacy and security rules -Including healthcare providers, health plans, and healthcare clearinghouses
List mechanisms to prevent and detect identity theft
Red Flag Rules: 1) Alerts, notifications, or warnings from a consumer reporting agency 2) Suspicious documents 3) Suspicious personally identifiable information, such as a suspicious address 4) Unusual use of, or suspicious activity relating to, a covered account 5) Notices from customers, victims of identity theft, law enforcement agencies, or other businesses about possible identity theft in connection with an account
Person or Entity Authentication
Requires the implementation of procedures to verify that a person or entity seeking access to ePHI is the person or entity they claim to be
Technical Safeguard
Security measures that are based on technology rather than on administration or physical security -Includes access control, unique user identification, automatic logoff, and encryption and decryption
Identify types of medical identity theft and mechanisms to prevent, detect, and mitigate such theft
TYPES: 1) Use of a person's name and other identifiers, without the consent of the victim, to obtain medical goods or services (can be used with the individual's consent but without a full understanding of the outcomes) 2) The use of a person's identity to obtain medical services by falsifying claims for medical services (business). MITIGATION: 1) Build awareness by providing education to all staff about the issue and impact 2) Educate registration staff to watch for indicators (forged documents) 3) Collaborate with IT 4) Pre-employment background checks 5) Monitor business associates 6) Fraud prevention measures and data flagging 7) Proactive audits
Scalability
The concept that based on the size of the CE, the threshold of compliance varies
Entity Authentication
The corroboration that an entity is the one claimed -The computer reads a predetermined set of criteria to determine whether the user is who he or she claims to be
Addressable Specification
The implementation specifications of the HIPAA Security Rule that are designated as addressable rather than required -To be in compliance with the rule, the CE must implement the specification as written, implement an alternative, or document that the risk does not exist in the organization or exists with little probability of occurrence
Required Specification
The implementation specifications of the HIPAA security rule that are designated required rather than addressable
Context-based access control (CBAC)
The most stringent type of access control -Takes into account the person attempting to access the data, the type of data being accessed, and the context of the transaction in which the access attempt is made
Telemedicine
The use of medical information exchanged from one site to another via electronic communication to improve patients' health
An audit trail is a record that shows when a particular user accessed a computer system?
True
Assignment of patient medical record numbers is one of the priorities of the HIM professional during system downtime during a disaster?
True
Computers storing ePHI that are easily accessible to the public pose a vulnerability to a CE?
True
Data encryption ensures that data transferred from one location on a network to another are secure from eavesdropping or data interception?
True
Employee nondisclosure agreements are particularly important for employees who work in remote locations or telecommute?
True
Hacking is more prevalent in healthcare due to the value of patient information on the black market?
True
Internal security breaches are far more common than external breaches?
True
Medical identity theft has increased because of the expansion of electronic health record utilization and the expanded availability of data?
True
Red flags are used to help a healthcare provider detect medical identity theft?
True
The Identity Theft and Assumption Deterrence Act of 1998 makes it a federal crime to commit an act of identity theft?
True
The Security Rule contains both required and addressable standards?
True
The goal of the Security Rule is to ensure that patient information is protected from unauthorized access, alteration, deletion, and transmission?
True
Electronic Protected Health Information (ePHI)
Under HIPAA, all individually identifiable information that is created or received electronically by a healthcare provider or any other entity subject to HIPAA requirements
Authentication
Verification of a record's validity and its reliability as evidence -Also a security mechanism to validate the identity of a user in an electronic system
Vulnerabilities
Weaknesses that impact security of systems and networks
Phishing
When someone impersonates a business or other known entity to attempt to have the user provide personal information
6. The HIPAA Security Awareness and Training administrative safeguard requires all of the following addressable implementation programs for an entity's workforce except ___________. a. Disaster recovery plan b. Log-in monitoring c. Password management d. Security reminders
a