Deck 4: Security Rule Explained

A) Organization requirements; policies, procedures, and documentation; technical safeguards; administrative safeguards; and physical safeguards
B) Unique identifiers; administrative safeguards; technical safeguards; physical safeguards; and electronic signatures
C) Administrative safeguards; physical safeguards; policies, procedures, and documentation; a HIPAA Security Officer in charge; and a complex computer data backup system
D) Policies, procedures, and documentation; organization requirements; protected wireless access; secure firewalls; and virus protection

A) having the ability to enter a facility where paper medical records are kept.
B) what allows an individual to enter a computer system for an authorized purpose.
C) finding a password to gain access to medical information.
D) permitted only to the HIPAA Officer and the computer technicians.

A) unrecorded video teleconferencing.
B) any computer storage media.
C) voicemail messages
D) paper-to-paper faxes.

A) the HIPAA Security Officer has placed limits on what information is viewed by Business Associates determined by their job description.
B) policies and procedures are written to protect against unlawful access by administration.
C) changing the passwords for computer access every 30 days.
D) safeguards are in place to protect it against unauthorized access or loss.

A) when the Security Officer includes budget items to pay for a better computer system.
B) how hard it is for hackers to access the computer system.
C) a balance between what is cost-effective and the potential risks of disclosure.
D) the cost of insurance to cover possible losses.

A) Regular biohazard drills
B) Risk analysis
C) Emergency mode operation plan
D) Find someone to figure the payroll

A) Workstation security
B) Device and media controls
C) Facility access controls
D) Electronic signatures
E) Workstation location and access

A) Workstation location
B) Data backup plan
C) Sufficient storage capacity
D) Entity authentication

A) decoded messages.
B) transmission architecture.
C) HIPAA protocol.
D) encryption.

A) must be met with documentation being optional since everyone must comply.
B) must be achieved and documented.
C) may be met with a "reasonable and appropriate" approach.
D) are the administrative and technical safeguards.

A) has been backed up routinely.
B) is accurate and has not been altered, lost, or destroyed in an unauthorized manner.
C) has accepted all changes and modifications to the medical record.
D) has been reviewed by the Security Officer as being accurate.

A) Report disclosure to all patients.
B) Notation of incident is to be excluded from the patient's medical record.
C) Notify Business Associates and Trading Partners of the breach.
D) Change passwords to protect from further invasion.

A) Business Associate contracts for compliancy issues.
B) Trading Partner agreements to ensure they are fully complying with HIPAA rules.
C) Both A and B as required by Organization Requirements of Security Rule.
D) Neither A nor B in order to comply with the Security Rule.

A) wording that protects the integrity of HIPAA standard transmissions.
B) assurance that each covered entity will use the HIPAA identifiers in transmissions.
C) implementation of safeguards to ensure data integrity.
D) only items as related to the Privacy Rule.

A) never covered by HIPAA Security Rule.
B) covered by HIPAA Security Rule if they are not erased after the physician's report is signed.
C) covered by HIPAA Security Rule only if the patient has not signed a consent form.
D) not covered by HIPAA Security Rule if used to train medical students.

A) all computer hardware and software used within the facility when it comes in and when it goes out of the facility.
B) just the addition of hardware and software within the facility to be sure they are compliant with the Security Rule.
C) just the removal of hardware and software within the facility to be sure all data is removed.
D) the net value of disposed equipment that the facility has removed from use.

A) 3 years.
B) 5 years.
C) 6 years.
D) until the next fiscal year.

A) need to be changed once a year.
B) should be lengthened when staff changes position.
C) can be any four letters in a person's name for ease of remembering.
D) should be changed every ninety days or sooner.

A) a staff escort at all times.
B) having monitors turned away from viewing by visitors.
C) have a sign-in and sign-out register for all visitors.
D) provide all visitors with your policy document.

A) 4 years.
B) 6 years.
C) 7 years.
D) an indefinite time.

A) making recommendations for new computers and seeing that they are configured to ensure secure e-PHI.
B) developing and implementing policies and procedures for the facility.
C) overseeing the training of new doctors and the retraining of all doctors on a regular basis.
D) reviewing the Notice of Privacy Practices for the facility and keeping them up to date.

A) access to the medical record for treatment purposes.
B) limiting access to the minimum necessary for the particular job assigned to the particular login.
C) restricting access to only clinical staff for treatment purposes, medical records department for coding purposes, and the billing department for purposes of claim submission.
D) only allowing patients access to their medical records if it is court ordered.

A) Unique health plan identifiers
B) Workforce security training
C) Evaluation of computer security effectiveness
D) Sanctions for unauthorized disclosures

A) who logged in, what was done, when it was done, and what equipment was accessed.
B) who logged in, what was changed, and when it was altered.
C) all users' passwords and login information.
D) all security incidents recorded in patient records.

A) Centers for Medicare and Medicaid Services.
B) Office of E-Health Standards and Services.
C) Office for Civil Rights.
D) Office of HIPAA Standards.

A) Department of Justice.
B) Department of Health and Human Services.
C) Office of HIPAA Standards.
D) Office of Inspector General.

A) permitted only if a security algorithm is in place.
B) permitted without restrictions.
C) excluded from possible use under the Security Rule.
D) allowed only if both sender and receiver(s) agree to keep e-PHI private.

A) all clinical staff personnel.
B) only volunteer and nonpaid staff.
C) only new employees.
D) all workforce employees and nonemployees.

A) check the item off the list of equipment to maintain in the facility.
B) verify that the facility does not need the equipment any more before selling it.
C) log the date of disposal and the amount of its depreciation.
D) record when and how it is disposed and that all data was deleted from the device.

A) those who bill health claims only.
B) authorizing personnel to view PHI.
C) information sent to a health plan for reimbursement.
D) for all clinical staff when treating a patient.