HIM 320 FINAL EXAM QUESTIONS LATEST UPDATE 2024/2025 WITH 100% DETAILED VERIFIED ANSWERS
Typology: Exams
Q: Protecting information from loss, unauthorized access or misuse, and keeping it confidential
A: Security

Q: Which HIPAA rule deals with just electronic PHI, and which governs all PHI, regardless of medium?
A: Security rule deals with ePHI & the Privacy rule is for all PHI

Q: Balancing the need for ready access to PHI by those involved in patient care, and the need to protect against unauthorized access and loss of critical health information
A: HIPAA Privacy rule

Q: What are the components of the CIA Triad?
A: Confidentiality, Integrity, Availability

Q: A requirement that private or confidential information not be disclosed to unauthorized individuals
A: Confidentiality

Q: A requirement that info and programs are changed only in a specified and authorized manner; performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
A: Integrity

Q: A requirement intended to ensure that systems work promptly and service is not denied to authorized users.
A: Availability

The standards of the HIPAA security rule are unique in that they state fairly general objectives, but provide no detailed instructions concerning how to meet them (technology neutral).

Q: Who is applicable to the privacy and security rule?
A: Covered entity (CE), Business agreement (BA), subcontractors of BAs

General security standard requirements for HIPAA security rule

Q: T/F: According to the security rule, all healthcare organizations must implement the same security measures.
A: False

Q: In the security rule, detailed instructions for implementing a particular standard are called:
A: implementation specifications

Q: T/F: The HIM director could serve as Security officer of a covered entity.
A: True

Q: Administrative safeguards
A:
*security management process
*assigned security responsibility
*workforce security
*information access management
*security awareness training
*security incident reporting
*contingency planning
*evaluation
*business associate contracts & other arrangements

Q: Requires the implementation of policies and procedures to prevent, detect, contain, and correct security violations
A: Security management process

Q: Must conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
A: risk analysis

Q: Must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the security standards
A: Risk management

Q: Must apply appropriate sanctions against workforce members who fail to comply with their security policies and procedures
A: Sanction policy

Q: Must implement procedures to regularly review records of information system activity, access reports, and security incident tracking reports
A: Information system activity review

Q: Required identification of the individual responsible for overseeing development of the organization's security policies and procedures; privacy official and the security official positions may be filled by the same person
A: Assigned security responsibility

Q: Requires implementation of policies and procedures to ensure that all members of a CE's workforce have appropriate access to ePHI and prevent those workforce members who do not have access from obtaining access
A: Workforce security

Q: Must have procedures for ensuring that the workforce working with ePHI has adequate authorization and/or supervision
A: Authorization and supervision

Q: Must be a procedure to determine what access is appropriate for the workforce
A: Workforce clearance procedure

Q: Must be a procedure for terminating access to ePHI when a workforce member is no longer employed or responsibilities change
A: Termination procedures

Q: Requires policies and procedures for authorizing access to ePHI
A: Information access management

Q: Policy and procedure for granting access to ePHI through a workstation, transaction, program, or other process
A: Access authorization

Q: Policy and procedure to establish, document, review, and modify a user's right to access a workstation, transaction, program, or process
A: Access establishment and modification

Q: Requires implementation of ongoing, reasonable, and appropriate security awareness training for a CE's workforce
A: Security awareness training

Q: Four implementation specs for security awareness training
A:
*Security reminders (a)
*Protection from malicious software
*Log-in monitoring
*Password management

Q: An event in which the security of a system was breached or threatened. Policies and procedures to address this event are required.
A: Security incident reporting

Q: Implementation spec for security incident reporting
A: response and reporting

Q: Five implementation specifications of contingency planning
A: data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and applications and data criticality analysis

Q: Procedures to create an exact copy of ePHI
A: Data backup plan

Q: Procedures to restore lost data
A: Disaster recovery plan

Q: Procedures for continuation of critical business processes needed to protect ePHI while operating in emergency mode
A: Emergency mode operation plan

Q: Test all contingency plans periodically
A: testing and revision procedures

Q: Assess the criticality of specific applications and data in support of contingency plans
A: Application and data criticality analysis

Q: Periodic performance of technical and nontechnical evaluations in response to changes affecting the security of ePHI
A: Security safeguards evaluation

Q: Business associate contracts and other arrangements implementation spec.
A: written contract or other arrangement

Q: HIPAA security rule physical safeguards
A: facility access controls, workstation use, workstation security, device and media controls

Q: Requires policies and procedures to limit physical access to electronic information systems and facilities that contain such systems
A: Facility access controls

Q: Allow facility access to support the restoration of lost data under disaster recovery plan and emergency mode operations plan
A: Contingency operations

Q: Policy and procedures to safeguard facility and equipment from unauthorized access, tampering, and theft
A: Facility security plan

Q: Procedure to control and validate access to facilities based on user functions
A: Access control and validation procedures

Q: Document repairs and modifications to physical components of a facility as they relate to security
A: Maintenance records

Q: Requires policies and procedures to secure ePHI contained in or used at workstations
A: Workstation Use

Q: Policies for workstation use should specify:
A:
*Proper functions to be performed
*Manner in which those functions are to be performed
*Physical attributes of the surroundings of a specific workstation
*Classification of workstation that can be used to access PHI