CAHIMS UNIT 7 QUESTIONS WITH CORRECT ANSWERS 100% VERIFIED

1. True or false? Administrative activities, fraud and abuse investigations, and health insurance policy underwriting are not covered by the HIPAA Privacy Rule.
Answer: false
In general, patient authorization is not required in order to disclose personal health information for the purposes of treatment, payment, and healthcare operations (TPO). Healthcare operations are all activities that support the treatment and payment activities of healthcare. Administrative activities, fraud and abuse investigations, and health insurance policy underwriting are just a few examples of healthcare operations.

2. The National Research Council (NRC) recommends that all organizations that handle protected health information (PHI) should have --authentication/access/audit-- controls in place to ensure that users can access only the information they need to perform their job.
Answer: access

3. True or false? Under the HIPAA compliance audit program, entities that the Office for Civil Rights (OCR) finds not to be in good faith compliance with HIPAA could face large penalties.
Answer: true

4. True or false? Although it is resource intensive, humans must directly verify the accuracy of data stored in databases to ensure their integrity.
Answer: false

5. --Nonrepudiation/Integrity/Availability-- provides proof that a certain action has taken place or that something or someone is what or who they claim to be.
Answer: Nonrepudiation
Nonrepudiation requires that those who access protected health information are allowed to do so and that they prove they are who they say they are.

6. When Minjoon received a statement from his insurance company regarding his recent eye surgery, he noticed that it said he had surgery on his right eye, but the surgery was actually performed on his left eye. It turns out that the mistake was in the provider's records, which he eventually had corrected. Which of the following principles underlying HIPAA privacy and security came into play when the records were changed?
Accountability
Public responsibility
Consumer control
Security
Answer: consumer control

7. Under the HITECH Act, covered entities must maintain a log of breaches and annually report them to --HHS/affected patients/local media--.
Answer: HHS

8. Providing patients with a copy of their paper health record poses a security safeguard challenge because the data must be encrypted.
Answer: false
Data encryption is a security safeguard for electronic data, not paper data.

9. An example of a public health agency that functions primarily as a --covered/hybrid/noncovered-- entity is one that is mandated by state law to receive protected health information (PHI) from healthcare providers in order to conduct an epidemiological investigation.
Answer: noncovered

10. In cases of --international disease outbreaks/births and deaths/workplace medical surveillance--, public health agencies must notify patients of disclosure of their protected health information (PHI) even though patient authorization is not required.
Answer: workplace medical surveillance

destruction or was inadvertently disclosed by authorized users. What are these types of breaches known as?
Unsecured
Secured
Low probability
Safe harbor
Answer: Safe harbor

20. True or false? A violation can occur within the same public health agency if its protected health information (PHI) crosses from its covered to its noncovered operations.
Answer: true

21. True or false? When any covered entity is required by law to report information to a public health agency, the public health agency is classified as a business associate of the covered entity, so a business associate agreement is required.
Answer: false
When any covered entity is required by law to report information to a public health agency, the public health agency is not a business associate of the covered entity, so a business associate agreement is not required.

22. Joyce is a professor at a community college who teaches courses for medical assistants. She also works part time at a hospital, which gave her permission to use some actual medical records as examples for her classes so long as she redacted (removed or blacked out) any protected health information (PHI) identifiers. Which of the following did Joyce have to remove or black out?
Diagnosis codes
Procedure charges
Form number
Medical record number
Answer: MRN

23. True or false? General Hospital has a backup server and contingency plans to protect its database in the event of the destruction of its primary location. This is one of the National Research Council (NRC) recommendations for addressing information security concerns.
Answer: true

24. Marcus is a medical assistant at a nursing home. He forgot his password, and the facility's desktop computer system locked him out after his third failed logon attempt. Which of the following safeguards did the nursing home apply?
Information access management
Integrity controls
Person or audit authentication
Theft prevention
Answer: Person or audit authentication

25. Federal law emphasizes that the security of electronic health information is a/an --optional recommendation/ongoing process/one-time goal--.
Answer: ongoing process

26. --Privacy/Confidentiality/Security-- means that personal information is shared only when it needs to be and among people who have a professional need to know it.
Answer: confidentiality

27. At her last office visit, Liza informed her doctor that she did not want the prescription that he gave her to be reported to her health insurance company and that she would pay for the drug herself. The doctor agreed to Liza's request and sent the prescription to her pharmacy via the clinic's e-prescribing system. Could this constitute a breach of the patient's request not to send the information to the insurance company?
Yes. If the pharmacy is unaware of Liza's request, it will fill the prescription and submit the charge to her insurance company in order to determine the patient's owed amount.
No. Liza did not submit her request in writing, which is required for this request to be honored.
Yes. Using an e-prescribing system does not provide a way for the doctor to inform the pharmacy of Liza's request.
Maybe. If the clinic has a business associate agreement with the pharmacy, then the pharmacy must honor Liza's request.
Answer: Yes. If the pharmacy is unaware of Liza's request, it will fill the prescription and submit the charge to her insurance company in order to determine the patient's owed amount.

28. Which one of the following describes a public health agency functioning as a hybrid?
One that primarily provides immunizations for a variety of diseases and provides access to state-funded medications for patients with HIV who could not otherwise afford them
One that primarily monitors global occurrences of communicable diseases and provides education and travel advisories to the public during outbreaks
One that primarily provides diagnoses and treatments for sexually transmitted infections (STIs) and gathers and reports related data to the state to prevent and control the spread of STIs
One that provides free dental checkups to children and distributes free toothpaste and toothbrushes to them
Answer: One that primarily provides diagnoses and treatments for sexually transmitted infections (STIs) and gathers and reports related data to the state to prevent and control the spread of STIs

29. Public health agencies in a Midwestern state have observed a spike in the number of illnesses caused by

tokens
Swipe cards
Password and PINs
Answer: Password and PINs

37. Which of the following are network security objects? Select Yes or No for each option.
Database table --YesNo
Microsoft Word document --YesNo
Laser printer --YesNo
Security policy --YesNo
User --YesNo
SecureID security token --YesNo
Wireless laptop computer --YesNo
Answer: yes yes yes no yes no yes

38. Which of the following is the preferred wireless network authentication and encryption security method for homes and small businesses?
MAC
WEP
WPA2
RADIUS
Answer: WPA2

39. Which of the following contingency plan components is not required by the HIPAA Security Rule?
Emergency mode operations plan
Decommissioned device plan
Disaster recovery plan
Data backup plan
Answer: decommissioned device plan

40. Which of the following reviews and measures the level of compliance with security policies?
Security log
Active Directory
Integrity
Auditing
Answer: auditing

41. Which of the following are important information security concerns? Select Yes or No for each option.
Identity theft or impersonation --YesNo
Loss, unauthorized modification, or compromise of data --YesNo
Threats to disclose data or to disclose that data has been compromised --YesNo
Business interruption due to denial of service --YesNo
Answer: yes yes yes yes

42. Which of the following protects a computer or computer network from network-based attacks by filtering the data traveling on the network?
An uninterruptable power supply
A firewall
An authentication system
An encryptor
Answer: a firewall

43. Which of the following are important information security concerns? Select Yes or No for each option.
Authorization --YesNo
Availability --YesNo
Physical security --YesNo

Remove and destroy the hard drives. Take the rest of the computer to a recycling center. --YesNo
Place the computers in the storage warehouse in case they are needed in the future. --YesNo
Answer: no no yes no

50. Which of the following is a major compliance driver of data security audits within medical organizations?
Sarbanes-Oxley
HIPAA
FMLA
Malware
Answer: HIPAA

51. True or false? Domain-based networks can be configured so that unauthorized computers and other devices will not work on the network.
Answer: true

52. Piotr, the network administrator, and Bill and Sharon, the practice owners, decide not to set up their own credit card processing system on their network but to use a third-party external service instead. This is an example of which of the following risk management responses?
Risk avoidance
Risk mitigation
Risk transfer
Risk acceptance
Answer: risk transfer

53. Which of the following describes how individuals are expected to follow security policy rules?
Security definition
Auditing
Enforcement
Authorization
Answer: enforcement

54. Which of the following is the best way to fix a compromised computer?
Run an antivirus scan
Format the hard disk and restore the files
Install cleanup software from a website
Reboot the computer
Answer: Format the hard disk and restore the files

55. When Judy logs on to her office network, she first enters her username and password. The system then sends her a text message on her personal cell phone with a PIN she also needs to enter to complete the logon. This is an example of --one-factor/two-factor/three-factor-- authentication.
Answer: two factor

56. True or false? Authorization occurs before authentication.
Answer: false

57. True or false? WEP provides better wireless network security than WPA.
Answer: false
Wired Equivalent Privacy (WEP) is the original wireless connection encryption method, which has design flaws, is easily broken, and is not to be used.

58. Reviewing firewall logs, interviewing IT staff on the frequency of backups, checking which patches are installed on a billing computer, and examining the permissions on the EHR database are all examples of what type of activity?
Auditing
Authentication
Disaster recovery
Enforcement
Answer: auditing

59. True or false? Well-designed technology-based security measures, including firewalls, antivirus software, password complexity requirements, data encryption, and email spam filters can prevent social engineering data compromises.
Answer: false

60. Which of the following refers to the meaning of core security principles?
Confidentiality, integrity, and availability
Application of the four forms of risk management responses
Design and implementation of defense in depth
Development and implementation of strong authentication and access controls
Answer: Confidentiality, integrity, and availability

61. True or false? Implementing network permissions is the best approach for a comprehensive information security strategy.
Answer: false
A comprehensive information security strategy combines technical, business, and culture elements through the application of administrative policies and procedures, physical access controls, and network access controls.

62. The network indicates it is time to change your password. What is the best strategy for choosing a new one?
Choose something easy to remember, such as your cat's name or spouse's birthday.
Add a "!" or number "1" to the end of your existing password.
Choose something you can remember, but modify it with some complex pattern of characters.
Type a sequence of keys following a path on the keyboard.
Answer: Choose something you can remember, but modify it with some complex pattern of characters.

63. You receive an email from your bank asking you to log on to verify a payment. This is an example of which kind of attack?

Physicians often use other physicians' user ID and passwords to access the system when they cannot use their own because they are locked out or cannot remember their password. --YesNo
Answer: yes yes yes no

71. True or false? Risk management is primarily an HIT function that also addresses elements of an HCO's business function and adherence to government regulations.
Answer: false
Although health IT is a significant aspect of risk management, the HCO business and regulatory concerns are of equal or greater importance. Risk management is more a management than a technical endeavor.

72. True or false? Several risks identified by Arural Hospital's risk assessment process are HIT related. HIT staff should analyze those risks and take action to abate the risks with security controls and/or should develop a contingency plan to address the threat should an event occur.
Answer: true

73. True or false? Risk management in a healthcare setting is more critical than in most business environments because clinicians often face life-or-death situations that require access to accurate and current patient data.
Answer: true

74. In which step of the Risk Management Guide for Information Technology Systems (NIST Special Publication 800-30) risk assessment process is each threat or vulnerability considered and the risk determined when the likelihood and magnitude of the event have been identified?
Step 1, preparation for risk assessment
Step 2, conduct risk assessment
Step 3, communicate results
Step 4, maintain assessment
Answer: Step 2, conduct risk assessment

75. Which of these choices best defines why security, privacy, and confidentiality of patient health data are so critical?
Patient data is particularly vulnerable to fraudulent use.
Many situations must be monitored for threats and vulnerabilities.
HIT staff must create contingency plans for all possible threats and vulnerabilities.
Healthcare employees are more likely than employees in other businesses to make human errors.
Answer: Patient data is particularly vulnerable to fraudulent use.

76. When AC Hospital creates plans to sustain system access and recover the system features, software, hardware, and databases in the event of an EHR system failure, which mission-critical concern is being addressed?
Patient data privacy and confidentiality
Patient data integrity
EHR system availability
Answer: EHR system availability

77. In which step of the contingency planning process does Arural Hospital's HIT management design a strategy that supports the efforts to recover the hospital's healthcare delivery functions after an emergency?
1. Develop the contingency planning policy statement
2. Conduct the business impact analysis (BIA)
3. Identify preventive controls
4. Create contingency recovery strategies
5. Develop an information system contingency plan
6. Ensure plan testing, training, and exercises
7. Ensure plan maintenance
Answer: Create contingency recovery strategies

78. If AC Hospital's EHR project team is analyzing and designing software, hardware architecture, and solutions that address system redundancy, recovery strategies, and security controls, where is the team in terms of the system life cycle (SLC)?
Phase 1, Initiation
Phase 2, Development or acquisition
Phase 3, Implementation
Phase 4, Operations and maintenance
Phase 5, Disposal
Answer: Phase 2, Development or acquisition

79. True or false? A robust risk assessment process, coupled with a thorough risk management program, comprehensive business and HIT emergency preparedness plans, and a well-prepared and knowledgeable staff are all essential to minimizing the negative ramifications of a security incident or disaster.
Answer: true

80. AC Hospital has completed its risk assessment process and is now developing its risk management program. The hospital is ready to draft its emergency preparedness plans. The construction of the disaster recovery plan would be assigned to hospital --HIT/business-- managers.
Answer: HIT
The disaster recovery plan is an HIT-focused plan for restoring HIT operations, not business operations, and it is limited to major, usually catastrophic, events that deny access to the regular facility for an extended period.

81. True or false? AC Hospital's business continuity plan (BCP) should address concerns related to tracking, responding to, and reporting all breach attempts.
Answer: true

Feedback
Part 1 Correct. Other physicians in Dr. Blue's practice are not business associates from a HIPAA perspective because, as partners, they are all subject to the risk management program that covers the practice.
Part 2 Correct. Assuming Dr. Blue is not an employee of the hospital, each hospital that treats one of his patients and wants access to his patient records must be considered a business associate for HIPAA purposes.
Part 3 Correct. Cardiology registries have valid reasons for requesting data regarding Dr. Blue's patients who have heart problems. The registries are considered business associates for HIPAA and other regulatory purposes.
Part 4 Correct. Pharmacies that fill prescriptions for Dr. Blue's patients should be considered business associates for HIPAA and other regulatory purposes.

89. Which risk response category represents eliminating risk by choosing not to allow a system feature to be used?
Acceptance
Mitigation
Avoidance
Transfer
Answer: avoidance

90. When AC Hospital implements security measures sufficient to address risks in a reasonable and appropriate manner, it is adhering to the --risk analysis/risk management/recurring risk evaluation-- mandate of the Code of Federal Regulations (CFR).
Answer: risk mgmt

91. Once a threat or vulnerability is identified, which of the following should be done to determine the actual risk of occurrence?
Assign a priority to the risk.
Identify the likelihood of the risk event occurrence.
Measure the magnitude of the threat to the organization.
Combine the likelihood of an occurrence with the magnitude of the event should it occur.
Answer: Combine the likelihood of an occurrence with the magnitude of the event should it occur.

92. Why do both HIPAA and the HITECH Act have rules that relate to specific diseases and genetic predispositions?
Knowledge of these patients' health status could cause their insurance rates to go up.
Knowledge of these patients' health status can affect their ability to recover from treatment.
Knowledge of these patients' health status can affect their relationships and employment.
These health conditions are difficult to treat.
Answer: Knowledge of these patients' health status can affect their relationships and employment.

93. When AC Hospital installs HIT security controls and contingency plans that establish access and authentication controls to safeguard protected health information (PHI), which mission-critical concern is being addressed?
Patient data privacy and confidentiality
Patient data integrity
EHR system availability
Answer: Patient data privacy and confidentiality

94. Which step in the contingency planning process is implemented when Arural Hospital's HIT management establishes the criticality of each EHR system component and ranks them accordingly?
1. Develop the contingency planning policy statement
2. Conduct the business impact analysis (BIA)
3. Identify preventive controls
4. Create contingency recovery strategies
5. Develop an information system contingency plan
6. Ensure plan testing, training, and exercises
7. Ensure plan maintenance
Answer: 2. Conduct the business impact analysis (BIA)

95. AC Hospital has completed its risk assessment process and is now developing its risk management program. The hospital is ready to draft its emergency preparedness plans. The construction of the continuity of operations plan would be assigned to hospital --HIT/business-- managers.
Answer: business

96. True or false? AC Hospital's business continuity plan (BCP) should address concerns related to protecting the privacy, confidentiality, and integrity of patient data.
Answer: true

97. True or false? Healthcare regulatory requirements have a minimal effect on risk management for an HCO, and they are not particularly unique to healthcare compared to other business environments.
Answer: false

98. True or false? Risk management is primarily an HCO management function that considers all aspects of risk to the organization, including HIT systems and adherence to government regulations.
Answer: true
Risk management is primarily a management function that must cover all HIT, systems,

106. Which of these risk management issues relates to patients' right to opt out of HIO/HIE electronic health data exchange?
Data stewardship
Access and authentication controls
HIO/HIO risk management program
Patient consent
Answer: patient consent

107. Which risk response category is represented by implementing a process, technology, or action to reduce the likelihood and/or impact of a threat?
Avoidance
Transfer
Mitigation
Acceptance
Answer: mitigation

108. In which step of the Risk Management Guide for Information Technology Systems (NIST Special Publication 800-30) risk assessment process are HCO stakeholders made aware of the risk analysis results?
Step 1, preparation for risk assessment
Step 2, conduct risk assessment
Step 3, communicate results
Step 4, maintain assessment
Answer: Step 3, communicate results

109. If an EHR system user updates a patient's record and the system validates the data and records who performed the update, which mission-critical concern is being addressed?
Patient data privacy and confidentiality
Patient data integrity
EHR system availability
Answer: patient data integrity

110. The business continuity plan and the HIT contingency plan are emergency preparedness plans developed to --protect/sustain/recover-- when a security incident, breach event, or disaster strikes an HCO.
Answer: recover
The business continuity plan and HIT contingency plan are emergency preparedness plans designed to address recovery efforts following a security incident, breach event, or disaster. The business recovery plan and the disaster recovery plan are also invoked, as needed, during recovery efforts.

111. HIPAA --requires/recommends-- that hospitals include plans for backups of all electronic protected health information (ePHI) in their business continuity plan (BCP).
Answer: requires

112. Traditional HCO business structure is decentralized, individual departments are often autonomous, and department heads function independently. Which of the following solutions should AC Hospital use to address this concern in its business continuity plan (BCP)?
Disk-to-disk (D2D) backups, offsite standby system, virtual system
HCO executive support and enterprise culture
Service level agreements (SLAs) and vendor testing and training participation
External network and network service provider testing
Answer: HCO executive support and enterprise culture

113. AC Hospital recognizes that health data is a valuable commodity for purposes of identity theft and consumer credit access. Therefore, the hospital IT security controls include firewalls and other mechanisms designed to protect the health data from --regulation/hacking/patient illegal use-- attempts.
Answer: hacking

114. When Arural Hospital's IT team is planning data backup strategies, it has several decisions to make to ensure data is protected and available for efficient and timely restoration if a disaster occurs. Which of the following options will protect the health data in the event the backups are stolen or somehow intercepted while a backup is in progress?
Tape, D2D, and/or cloud options
Frequency
Onsite/offsite
Encryption
Answer: encryption

115. True or false? When Arural Hospital approaches its risk management program, its risk assessment process, traditional access and authentication controls, controls to ensure system availability, strategic plans for security, security controls, and HIT contingency plans, its efforts should be similar in nature and proportion to those of a typical business outside the healthcare arena.
Answer: false

116. Periodically, and particularly when environmental or organizational changes occur, risk assessments must be reviewed and updated to ensure the risk management program is current. Which step of the Risk Management Guide for Information Technology Systems (NIST Special Publication 800-30) risk assessment process covers this evaluation process?
Step 1, preparation for risk assessment
Step 2, conduct risk assessment
Step 3, communicate results
Step 4, maintain assessment
Answer: Step 4, maintain assessment

117. When AC Hospital conducts its security awareness training, what might be the most important concepts to communicate to the hospital staff?
Examples of common security breaches
Common language rather than technical language to describe the issues
Presenting the reasons for the security and emergency preparedness policies
The hierarchy of responsibilities during an emergency
Answer: Presenting the reasons for the security and emergency preparedness policies