HMIS Final Exam
4 components under the HIPAA Security Physical Safeguards:
1) Facility access controls 2) Workstation Use 3) Workstation Security 4) Device and media controls
What are the two safeguards under the HIPAA Security Rule?
1) HIPAA Security Physical Safeguards 2) HIPAA Security Technical Safeguards
5 areas that form the foundation of IT governance
1) IT principles 2) IT architecture 3) IT infrastructure strategies 4) Business application needs 5) IT investment and prioritization
Describe Gartner's Hype Cycle
1) Innovation Trigger 2) Peak of inflated expectations 3) Trough of disillusionment 4) Slope of Enlightenment 5) Plateau of productivity
First comprehensive federal regulation to offer specific protection to private health information.
HIPAA (Health Information Portability and Accountability Act)
5 Major Components of HIPAA
-Boundaries -Security -Consumer Control -Accountability -Public Responsibility
Medicare Access and CHIP Reauthorization Act (MACRA) Current Model
-Cost -Quality -Improvement Activities -Advancing Care Information
What are the 4 Health IT Asset Categories?
1) Applications 2) Infrastructure 3) Data 4) IT staff members
Examples of Federal Quality Improvement Initiatives being phased out.
-Hospital value-based purchasing (HVBP) -Hospital readmissions reduction (HRR) -Hospital-acquired conditions (HAC) -Physician value-based modifier (PVBM)
Who is notified using the Breach Notification Rules?
-Individuals affected -Health and Human Services Secretary (through the Office for Civil Rights) -Major Media Outlets
When can PHI be released without the patient's authorization?
-Presence of communicable disease -Suspected child or adult abuse -Legal duty to warn of clear and imminent danger -Bona fide medical emergency -Valid court order
What are 2 examples of when written authorization is required for all nonroutine uses or disclosure of PHI?
-School -Relative
Which entities enforce HIPAA?
-The Office for Civil Rights *Responsible for enforcing HIPAA Privacy & Security Rules -State attorneys general *Given authority through the HITECH Act to bring civil actions on behalf of the residents of their state for HIPAA violations
Name some types of Malware
-Viruses -Trojans -Spyware -Worms -Ransomware
What are the 3 principles for effective IT investments and management?
1) A long-term renewal plan linked to corporate strategy 2) A simplified, unifying corporate technology platform 3) A highly functional, performance-oriented IT organization (IT Strategy Alignment, IT Platform Unified, IT Organization High Performance)
5 components under the HIPAA Technical Safeguards
1) Access control 2) Audit controls 3) Integrity 4) Person or entity authentication 5) Transmission security
Name the 4 vectors and describe them
1) Organizational strategies 2) Continuous improvement of core processes and information management 3) Examination of the role of new information technologies 4) Assessment of strategic trajectories
Health IT Strategy Challenges:
1) Persistence of the alignment problem 2) Effective IT alignment requires that leadership understand: Strategic context & environment 3) Limitations of alignment 4) IT strategy is not always necessary 5) Emerging technology
HIPAA Penalties: How many Tiers are there? Explain the Tiers (Penalties)
1) There are 4 tiers of penalties Tier 1: The CE did not know or couldn't reasonably have known of the breach. Penalty: $100-$50,00 per incident up to $1.5 million Tier 2: The CE knew or by exercising reasonable diligence would have known of the violation, but did not act in willful neglect. Penalty: $1,000-$50,000 per incident not to exceed $1.5 million Tier 3: The CE acted with willful neglect and corrected the problem within a 30-day time period. Penalty: $10,000-$50,000 per incident not to exceed $1.5 million Tier 4: The CE acted with willful neglect and failed to make a timely correction. Penalty: $50,000 per incident not to exceed $1.5 million
HIPAA Timeline
1996: Signed into law by President Bill Clinton **First comprehensive federal regulation to offer specific protection to private health information!** 2003: HIPAA Privacy Rule 2005: HIPAA Security Rule Defines covered entities (CE) to which these rules apply
Who is the HHS Secretary?
Alex Azar
What rule requires CEs and their business associates to provide notification following the breach of unsecured protected health information of more than 500 individuals?
Breach Notification Rule
Health IT Asset
Composed of IT resources that the organization has or can obtain and are applied to further the goals, plans, and initiatives of the organization
Interruption of authorized users' access to network services.
Denial of Service (DOS)
-Making decisions about the mission and goals of the organization and the activities and initiatives it will undertake to achieve them -Understanding the competing ideas and choosing between them a. Formulation b. Implementation
Formulation
What does the HIPAA Security Rule govern?
Governs ePHI -Protected health information maintained or transmitted in electronic form. -May be stored in any type of electronic media
Leading accrediting body for health plans
National Committee for Quality Assurance (NCQA)
Which of the following is a reason to conduct vendor demonstrations? a. Evaluate the look and feel of the system from the programmer's point of view b. Validate how much the vendor can deliver of what has been proposed. c. Conduct system usability testing d. All of these
On the test, he had (A) as the answer, but then he said it could be all the above.
What was the point of Federal Quality Improvement Initiatives?
Original value-based programs were an attempt to link performance on endorsed quality measures to reimbursement -Most are no longer being used or are in the phase out process.
Describe IT Governance
Refers to the principles, processes, and organizational structures that govern IT resources -Governance is NEVER static
Protected patient confidentiality only in FEDERALLY operated health care facilities.
The Privacy Act of 1974
During which phase of the hype cycle, developed by Gartner Inc., does interest wane as experiments and implementations fail to deliver on the hype of the peak?
Trough of Disillusionment
Tableau can connect to what kind of data format? a. All of these b. Microsoft Excel c. JSON file d. Oracle Server
a. All of these
What are the major stated benefits of EHR systems? a. All of these b. Quality, outcomes, safety c. Provider and Patient Satisfaction d. Efficiency, improved revenues, and cost reduction
a. All of these
Which of the following would help reduce errors during data collection and processing? a. All of these b. Institution real-time quality checking c. Building human capacity d. Standardize data entry fields
a. All of these
As of FY18, which of the following best describe the implementation of MHS Genesis? a. All of these describe MHS Genesis b. MHS Genesis is not operationally effective c. MHS does not demonstrate workable functionality to document patient care d. MHS Genesis is not survivable in a cyber-contested environment
a. All of these describe MHS Genesis
In the process of increasing accountability for investments, who should defend the IT investment? a. Business owners b. IT staff members c. Vendor d. Project sponsors
a. Business owners
Data should be cleaned before being converted. Which of the following does NOT characterize clean data? a. Consistent b. Accurate c. Complete d. Current
a. Consistent
Replicates itself and destroys files on the host computer. a. Malware b. Worms c. Trojans d. Viruses
b. Worms
___________is best defined as the ability of a system to exchange electronic health information with and use electronic health information from other systems without special effort on the part of the user. a. Interoperability b. Integration c. Coordination of Care d. Meaningful Use
a. Interoperability
Despite the proliferation in the adoption and use of the EHR systems, health care providers and organizations still face which three critical issues? a. Interoperability, usability, and health IT safety b. Interoperability, consistency, and training c. Interoperability, inefficiency, and quality d. Interoperability, standardization, and satisfaction
a. Interoperability, usability, and health IT safety
Which of the following statements best fit with Machine Intelligence? a. Machine Intelligence is a prediction technology b. The cost of goods and services that rely on prediction are increasing c. All of these statements fit with Machine Intelligence d. The cost of prediction is increasing
a. Machine Intelligence is a prediction technology
Which entity is responsible for investigating fraud involving government health insurance programs? a. Office of the Inspector General (OIG) b. American Medical Association (AMA) c. Centers for Medicare and Medicaid Services (CMS) d. The Joint Commission
a. Office of the Inspector General (OIG)
Which of the following is NOT a feature of a patient portal? a. Patients can contact their physician during off hours in emergency situations b. Patients can access test results c. Patients can request a refill on prescriptions d. Patients can view their account and pay their bill online
a. Patients can contact their physician during off hours in emergency situations
An individual's right to be left alone and to limit access to his or her health care information. a. Privacy b. Confidentiality c. Security d. HIPAA
a. Privacy
The project steering committee should compile a final report. All of the following elements should be included except: a. Project repository b. Final recommendation and ranking c. System goals and criteria d. Cost-benefit analysis
a. Project repository
Of the four classes of investment identified by Ross and Beath, which involves upgrading core IT infrastructure and applications, reducing the costs, or improving the quality of IT services? a. Renewal b. Transformation c. Experiments d. Process improvement
a. Renewal
All of the following are examples of technical infrastructure except: a. Software upgrades b. Security c. Disaster Recovery d. Hardware requirements
a. Software upgrades
A(n) ______________ is someone who is well respected in the organization, sees the new system as necessary to the organization's achievement of its strategic goals, and is passionate about implementing it. a. System champion b. Business sponsor c. Project manager d. IT manager
a. System champion
Which of the following is the primary problem with the train the trainer approach? a. The trainer may leave the organization b. The training process depends on the vendor c. The trainer may be ineffective d. Training takes time away from the trainer's primary duties
a. The trainer may leave the organization
Designed to look like a safe program; steals personal information or takes over the resources of the host computer. a. Trojans b. Viruses c. Worms d. Spyware
a. Trojans
Which of the following is NOT considered one of the "three V's" of Big Data? a. Validity b. Variety c. Velocity d. Volume
a. Validity
If users are ever to fully realize the system's value, they must have access to technical support, preferably by--- a. Providing local, in-house support b. Contracting with a local computer firm c. Training an employee to assume the support role d. Partnering with a neighboring organization
a. providing local, in-house support
Voluntary, external review process. Financial and legal incentives. a. Licensure b. Accreditation c. Certification
b. Accreditation
Which standards development method occurs when a group of interested people or organizations agrees on a certain specification without any formal adoption process? a. De facto b. Ad hoc c. Government mandate d. Consensus
b. Ad hoc
Which of the following should be considered when determining the go-live date? a. When IT staff are available to monitor and assess system problems b. All of these should be considered c. After all staff have been trained d. On a day when the patient census is low
b. All of these should be considered
Gives a health care organization the authority to participate in the federal Medicare and Medicaid programs. CMS developed minimum standards, conditions of participation (CoPs) a. Certification b. Licensure c. Accreditation
b. Certification
Addresses the expectation that information shared with a health care provider during the course of treatment will be used only for its intended purpose and not disclosed otherwise. a. Privacy b. Confidentiality c. Security d. HIPAA
b. Confidentiality
All alternatives are considered, a cost-benefit analysis is done, a system is selected, and vendor negotiations are finalized in which phase of the system development life cycle? a. Implementation b. Design c. Planning and analysis d. Support and evaluation
b. Design
Assuming that a strategic IT plan already exists, the first step in a system acquisition process is which of the following? a. Screen the marketplace and review vendor profiles b. Establish a project steering committee and appoint a project manager c. Determine system goals d. Define project objectives and scope of analysis
b. Establish a project steering committee and appoint a project manager
Which of the following is NOT a component of the HITECH Act? a. Funding for workforce training programs to support the education of HIT professionals b. Establishing value-based incentive programs c. Funding regional extensions centers to support providers in adopting and becoming meaningful users of EHRs d. Establishing Medicare and Medicaid EHR Incentive Programs
b. Establishing value-based incentive programs
Person who uses computer technology to gain unauthorized access to computers & data. a. Scammer b. Hacker c. Hacktivist d. Terrorists
b. Hacker
Which law made incentive money available for eligible professionals and hospitals to adopt and become "meaningful users" of EHR? a. HIPAA, 1996 b. Health Information for Economic and Clinical Health (HITECH) Act, 2009 c. Medicare Modernization Act, 2003 d. None of these
b. Health Information for Economic and Clinical Health (HITECH) Act, 2009
Making decisions about how we structure ourselves, acquire skills, establish organizational capabilities, and alter organizational processes to achieve the goals and carry out the activities we have defined during formulation. a. Formulation b. Implementation
b. Implementation
The process that gives a facility legal approval to operate. State governments oversee this. a. Accreditation b. Licensure c. Certification
b. Licensure
Software that is intended to damage or disable computers or computer systems. a. Worms b. Malware c. Trojans d. Pineapples
b. Malware
Who is the principal entity responsible for implementation for U.S. health care IT standards for interoperability? a. Health Level Seven International (HL7) b. Office of the National Coordinator for Health IT (ONC) c. American National Standards Institute d. American Society for Testing and Materials
b. Office of the National Coordinator for Health IT (ONC)
Which of the following is NOT a person-generated health data (PGHD) technology? a. Fitbits b. Pace Makers c. Food diary apps d. None of these (they are all examples)
b. Pace makers
A projection with great certainty that people will use the system in specific ways that we expect or want them to is an example of which common proposal problem? a. Underestimating the effort b. Reliance on complex behavior c. Shaky extrapolations d. Fractions of effort
b. Reliance on complex behavior
Which of the following is NOT a mechanism used by a steering committee when determining system requirements? a. Representatives gather input from users in specific areas b. Request for proposals c. Focus-group sessions or small-group interviews d. Written or electronic surveys
b. Request for proposals
Malicious software designed to access protected areas of system. Can evade tools designed to protect/locate infections. a. Malware b. Rootkits c. Spyware d. Phishing
b. Rootkits
HIPAA, signed into law in 1996, was designed primarily to: a. Make health insurance more affordable b. Protect the security and confidentiality of personal health information c. All of these d. Simplify administrative processes
c. All of these
Which of the following describes protected health information? a. Related to past, present, or future physical or mental health or condition of an individual b. Created or received by a health care provider, health plan, public health authority, employer, life insurer, school/university, or health care clearinghouse c. All of these d. Oral or recorded in any form or medium
c. All of these
Companies should employ all of the following types of training except: a. Training before and after go-live b. Group training c. All types of training should be utilized d. One-on-one training
c. All types of training should be utilized
What is the final step of the system acquisition process where expectations are outlined and performance requirements are determined with the vendor? a. Contract summary b. Vendor agreement c. Contract negotiations d. Vendor analysis
c. Contract negotiations
Intentional or unintentional release of secure or private information to untrusted environment. a. Breach b. Security Breach c. Data Breach d. Malware
c. Data Breach
Using an abbreviation that has two different meanings is an example of lack of: a. Data precision b. Data comprehensiveness c. Data consistency d. Data definition
c. Data consistency
Which IT staff member identifies user requirements, sets up user account and coordinates systems with the Chief Security Officer? a. Programmer b. Project leader c. Database administrator d. Systems analyst
c. Database administrator
Which federal agency recently released a proposed regulatory framework for Modifications to Artificial Intelligence/Machine Learning based Software as a Medical Device (SaMD)? a. Federal Communications Commission (FCC) b. Federal Trade Commission (FTC) c. Food and Drug Administration (FDA) d. Office of the National Coordinator for Health IT (ONC)
c. Food and Drug Administration (FDA)
Which of the following is the largest barrier to health information exchange? a. Technology b. Incentive programs c. Health information blocking d. None of these
c. Health information blocking
Which of the following is an example of intangible value? a. Quicker admissions process b. Reduction in staff turnover c. Improved communication d. Increase in revenue
c. Improved communication
Usually hidden software designed to record end user keystrokes. a. Ransomware b. Root kits c. Keyloggers d. Hackers
c. Keyloggers
What is the universal product identifier for all human drugs? a. None of these b. Logical Observation Identifiers Names and Codes (LOINC) c. National Drug Code (NDC) d. National Library of Medicine's Unified Medical Language (UMLS)
c. National Drug Code (NDC)
The systems in place to protect health information and the systems within which it resides. a. Privacy b. Confidentiality c. Security d. HIPAA
c. Security
General category of software designed to observe and report on end user activities without their knowledge. a. Hacker b. Rootkits c. Spyware d. Scary
c. Spyware
Tracks Internet activities assisting the hacker in gathering information without consent. a. Worms b. Malware c. Spyware d. Root kits
c. Spyware
Infects the host system and spreads itself a. Trojans b. Keyloggers c. Virus d. Worms
c. Virus
Which of the following is NOT a pitfall in the acquisition process? a. Assigning too little weight to the RFP process b. Turning negotiations into a blood sport c. Not defining criteria & methods for selecting a vendor d. All of these are pitfalls
d. All of these are pitfalls
Which IT leadership role is a relatively new position and emerged as a result of the growing interest in adopting clinical information systems and leveraging those systems to improve care? a. Chief information security officer (CISO) b. Chief information officer (CIO) c. Chief technology officer (CTO) d. Chief medical information officer (CMIO)
d. Chief medical information officer (CMIO)
Which of the following is NOT a basic element of health care data analysis? a. Data must be reported in a useable manner b. Data must be stored in a retrievable manner c. An analytical tool must be applied to the data d. Data must be verified and cleaned
d. Data must be verified and cleaned
Socially or politically motivated group that carries out hacking or denial of service attack to advance cause. a. Hacker b. Scammer c. Terrorists d. Hacktivist
d. Hacktivist
Which of the following statements is true? a. In creating an architecture, an organization will implement platforms and be guided by its IT infrastructure. b. In creating an infrastructure, an organization will implement architecture and be guided by its IT platform. c. In creating a platform, an organization will implement infrastructure and be guided by its IT architecture. d. In creating an infrastructure, an organization will implement platforms and be guided by its IT architecture.
d. In creating an infrastructure, an organization will implement platforms and be guided by its IT architecture.
Which of the following is the primary purpose for creating and maintaining patient records? a. Legal documentation b. Billing and Reimbursement c. Communication d. Patient Care
d. Patient Care
Which of the following was NOT identified by Ash and colleagues as an unintended consequence of implementing a CPOE? a. New kinds of errors b. Dependence on the system c. More work/new work d. Patient dissatisfaction
d. Patient dissatisfaction
Encrypts and locks folders; demands money to unlock. a. Malware b. Trojans c. Terrorists d. Ransomware
d. Ransomware
__________ is defined as the process that occurs from the time the decision is made to select a new system until the time a contract has been negotiated and signed. a. System development b. System implementation c. System selection d. System acquisition
d. System acquisition
In which phase does the IT staff play the biggest role? a. Workflow and process analysis b. Data conversion c. Staff training d. System installation
d. System installation
Which of the following initiatives led to the rapid achievement and adoption of e-prescribing in health care due to mandates? a. The HITECH Act b. None of these c. HIPAA d. The Medicare Modernization Act of 2003
d. The Medicare Modernization Act of 2003
What agency provides annual updates regarding the Department of Defense Healthcare Management System Modernization (DHMSM) program? a. U.S. Army Acquisition Support Center (USAASC) b. Office of the National Coordinator (ONC) c. The Defense Health Agency (DHA) d. The office of the Director, Operational Test and Evaluation (DOT&E)
d. The office of the Director, Operational Test and Evaluation (DOT&E)
The four phases of the system development life cycle in sequential order are a. Planning and analysis, implementation, design, support and evaluation b. Design, planning and analysis, implementation, support and evaluation c. Support and evaluation, implementation, design, planning and analysis d. Planning and analysis, design, implementation, support and evaluation
d. planning and analysis, design, implementation, support and evaluation