HIPAA- PRx
How should a healthcare data breach be prevented?
A. Ensure passwords to PHI systems are strong and changed regularly. Cracking a weak password is one of the easiest ways to hack a system. B. Encryption of hardware devices (e.g. laptops, thumb drive, etc.). In case of lost or stolen devices, encryption can render PHI unusable, unreadable or indecipherable to unauthorized individuals. C. A and B Answer C- Both A and B
According to the HIPAA Breach Notification Rule, 45 CFR 164.400-414, a breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. Which of the following are examples of breaches of patient privacy? Check all that apply.
A. An employee uses another person's access (key/password) to log into PHI data B. An employee leaves patient identifiable information on a table in the medical library for others to see C. An employee discards copies of patient identifiable information in the trash Answer- A, B, and C
PipelineRx, as a covered entity, has developed and implemented the following policies and procedures to ensure HIPAA compliance. Check all that apply.
A. Employees must work in a secure, HIPAA compliant office. An auditory and visual audit will be performed annually to document such compliance B. PipelineRx issued equipment can only be used for PipelineRx required work. The IT team will have control over the employee's computer to ensure compliance and to update security measures C. Employees must work in the approved HIPAA compliant office at all times when accessing PHI. If an employee moves or requests an additional working location, the new or additional work location must be approved per PipelineRx policy before working in that location D. A yearly HIPAA competency is required for all employees of PipelineRx who have access to PHI. Answer-- ALL OF THE ABOVE
The Notice of Privacy Practices:
A. Explains how the medical center will use or disclose patients' protected health information
The Minimum Necessary Rule, a key protection of the HIPAA Privacy Rule, is based on a current practice that protected health information should not be used or disclosed when it is not necessary. The Minimum Necessary Rule requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. Which of the following are examples of standards established under the Minimum Necessary Rule?
A. I am only expected to complete the minimum requirements of my job B. A workforce member's access to PHI is limited to only what is needed to perform his/her responsibilities C. Request for and disclosure of PHI are limited to what is needed to perform the task D. A medical center is no longer allowed to provide information about patients to the media under any circumstance E. B and C (Correct Answer)
How can you prevent malicious software (malware) from harming your organization's network?
A. Install software (e.g music-sharing software, remote-access software, etc.) only with approval from your IT team. B. Connect other devices (laptop, computers or personal digital assistants) to the network only with approval from your IT team C. Download antimalware tools to your computer weekly D. Both A and B (Correct Answer)
Phishing is a specific type of social engineering that uses email, text message, or IM to trick a person into revealing sensitive personal information. In a phishing scam, a message appears to be from a trusted individual or organization that directs the victim to open an attachment or a link to a website. The attachment or link maliciously installs software to steal information or opens a website that requests account numbers, usernames, passwords, or other personal data and information. Which of the following are examples of how to protect yourself from phishing attacks? Check all that apply.
A. Never open a link or attachment from someone you do not know B. Notice any details in the email or link that might indicate it is a phishing scam, such as misspelling, typos, or links that are similar but are not a part of the organization C. Be cautious with emails from unknown senders D. Only download software or links as approved by your supervisor or IT team Answer- All of the above
Password management must be part of the HIPAA security compliance plan. PipelineRx must establish guidelines for creating passwords and changing them during periodic change cycles. What would be considered a strong password? Check all that apply.
A. Over 8 characters long B. Using a combination of upper and lower case letters C. Include at least one numeric and/or special character D. It cannot be your name but the same password can be reused more than once Correct Answer- A, B, C
The Privacy Rule permits use and disclosure of protected health information (PHI) to the following entities without an individual's authorization or permission.
A. Required by law (by statute, regulation or court orders); Public health activities (preventing or controlling disease; adverse event reporting); Health oversight activities (audits, investigations) B. Victims of abuse, Neglect or Domestic Violence Department; Law enforcement purposes; serious threat to health or safety (escapee or violent criminal) C. Judicial and administrative proceedings; Decedents' ; essential government function D. Cadaveric organ, eye or tissue donation; Research (Institutional Review Board approval), Worker's compensation E. All of the above (Correct Answer)
Which of the following is considered "individually identifiable health information" under HIPAA?
A.The individual's past, present or future physical or mental health or condition B. Healthcare payment, claims status, enrollment and unenrollment C. The past, present or future payment for the provision of healthcare to the individual D. Individual name, address, date of birth and Social Security number E. All of the above Answer- E All of the Above
Which of the following statements is true per the Technology policies 3.B.2 and 3.B.8 in the Standard Operating Procedures manual? Check all that apply.
B. The IT Department has a standard set up process for new equipment and software to ensure proper configuration and security. Software should not be installed by non-IT staff without obtaining IT approval. C. A Breach of information is the acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA, which compromises the security or privacy of the PHI. Upon discovery of the breach of information, the employee must immediately notify their supervisor or IT team. D. PipelineRx will provide its employees the equipment necessary for their job function. Only PipelineRx information is allowed to be on this hardware. Answers- B, C, and D
Which of the following statements is false regarding how PipelineRx employees can prevent HIPAA violations?
Electronic PHI can be shared on social media only with friends or family members.
Which of the following statements is true regarding the HIPAA Compliance Policy in the PipelineRx Standard Operating Procedures (SOP) manual?
Employees must protect the confidentiality and integrity of patient information by maintaining a paperless system and not printing any patient related materials which may contain PHI
If a person is given access to the hospital's systems or applications, then they have a right to view any information contained in those systems or applications.
False
Are Consents and Authorizations the same?
No, they cannot be used interchangeably, they are different.
The establishment of computer passwords and firewalls would fall under which type of safeguard required by the Security Rule of HIPAA?
Technical
How should an employee report a suspected privacy or security breach?
Tell your supervisor or IT team
The Security Rules do NOT allow for sending ePHI in an email or over an electronic open network unless it is protected or encrypted.
True
There are NO restrictions on the use or disclosure of de-identified health information.
True