CITI - HIPAA Training

25 July 2022
77 test answers

question
In the US, privacy protections for health information come from:
answer
Privacy protections come from all of these sources - both federal and state law, as well as the requirements of private certification organizations.
question
Privacy, in the health information context discussed here, refers to:
answer
The rules about who can access health information, and under what circumstances.
question
Under the federal HIPAA regulations, state health privacy laws:
answer
Remain in effect if more stringent than what HIPAA provides.
question
What kinds of persons and organizations are affected by HIPAA's requirements?
answer
Health care providers, health plans, and health information clearinghouses, their business associates, and the workers for those organizations.
question
HIPAA privacy protections cover identifiable personal information about the "past, present or future physical or mental health condition." What does that include?
answer
Health information in any form or medium, as long as it is identified (or identifiable) as a particular person's information.
question
When patients receive a copy of an organization's Privacy Notice, they are asked to sign an acknowledgment. Why?
answer
It shows they received it.
question
Organizations covered by the federal HIPAA privacy law are expected to
answer
Protect the health information under their control, train their workers in how to protect information, and help patients exercise their rights under the law.
question
Which of these is not a right under HIPAA?
answer
To control all disclosures of information in the health record.
question
What does HIPAA's "minimum necessary" standard require of health care workers?
answer
Use or disclose only the minimum necessary amount of health information to accomplish a task.
question
HIPAA's "incidental uses and disclosures" provision excuses deviations from the minimum necessary standard. What is excused?
answer
Truly accidental "excess" uses and disclosures, where reasonable caution was otherwise used and there was no negligence.
question
When a privacy problem is discovered, which of the following is/are true?
answer
All of the above
question
HIPAA allows health care organizations to control many information decisions. But where the patient retains control, which of the following is/are true?
answer
If a person has a right to make a health care decision, then he/she has a right to control information associated with that decision.
question
With respect to permissions for uses and disclosures, HIPAA divides up health information into three categories. Into which category does information related to "treatment, payment and health care operations" go?
answer
Uses or disclosures that generally require oral agreement only.
question
With respect to permissions for uses and disclosures, HIPAA divides up health information into three categories. Into which category do discussions with family members go?
answer
Uses or disclosures that generally require oral agreement only.
question
With respect to permissions for uses and disclosures, HIPAA divides up health information into three categories. Into which category does information related to research, marketing and fundraising go?
answer
Uses or disclosures that generally require specific written authorization.
question
Which of the following are organizations required to do under HIPAA?
answer
Appoint a Privacy Officer to administer HIPAA rules.
question
HIPAA allows healthcare organizations to control many information decisions. However, where the patient retains control, which of the following is true?
answer
If a person has a right to make a healthcare decision, then generally that person has a right to control information associated with the decision.
question
Which of these is not generally a good practice for telephone use?
answer
Using voicemail systems and answering machines that do not require a password or PIN for access.
question
Which of these is not generally a good practice for fax machine use?
answer
Sensitive faxes -- inbound or outbound -- are left sitting in or around the machine.
question
Which of these is not a good practice for physical security?
answer
To preserve good customer relations, visitors are generally allowed access to all areas of a facility unless it appears they are doing something suspicious.
question
Which of these is generally not a good practice with respect to oral communications (that is, talking) in organizations like healthcare facilities?
answer
Use of full names in public areas or on intercom/paging systems, because there is no security issue with identifying persons in public areas and using full names helps avoid misidentification.
question
Information security's goals are sometimes described by the letters "CIA." Which of the following is a correct definition of C, I, or A?
answer
All the above
question
Which of the following is true?
answer
Federal regulations include treatment-related uses and disclosures in a large category (along with payment and healthcare operations) that require no specific permission from patients.
question
When a patient enters a clinical facility, they must inevitably surrender control of their information for a broad range of uses and disclosures. In the circumstances where the patient retains control of information, which of the following is true?
answer
If the person controls a decision about treatment, he/she controls the information associated with it.
question
Patients must be provided with federally-mandated Privacy Notices when they first encounter direct treatment providers. Which of the following is an implication of that for clinicians?
answer
The provision of the notice just before receiving treatment means clinicians will receive some questions about privacy issues. There is an obligation to know the answers, or to be able to direct the patient to someone who does.
question
Which of the following is true?
answer
The "minimum necessary" standard applies to treatment-related uses, but not treatment-related disclosures, so as to avoid any interference with information exchanges among practitioners.
question
To which category of health information does HIPAA extend "extra" protections, with a requirement for separate authorization?
answer
Psychotherapy notes
question
Which best describes the role of the clinician in managing privacy matters?
answer
How clinicians handle information inevitably sets the tone for everyone else, so the example they set is critical.
question
When required, the information provided to the data subject in a HIPAA disclosure accounting ...
answer
must be more detailed for disclosures that involve fewer than 50 subject records.
question
The HIPAA "minimum necessary" standard applies...
answer
To all human subjects research that uses PHI without an authorization from the data subject.
question
HIPAA protects a category of information known as protected health information (PHI). PHI covered under HIPAA includes:
answer
Identifiable health information that is created or held by covered entities and their business associates.
question
A covered entity may use or disclose PHI without an authorization, or documentation of a waiver or an alteration of authorization, for all of the following EXCEPT:
answer
Data that does not cross state lines when disclosed by the covered entity.
question
If you're unsure about the particulars of HIPAA research requirements at your organization or have questions, you can usually consult with:
answer
An organizational IRB or Privacy Board, privacy official ("Privacy Officer"), or security official ("Security Officer"), depending on the issue.
question
HIPAA includes in its definition of "research," activities related to:
answer
Development of generalizable knowledge.
question
A HIPAA authorization has which of the following characteristics:
answer
Uses "plain language" that the data subject can understand, similar to the requirement for an informed consent document.
question
HIPAA's protections for health information used for research purposes...
answer
Supplement those of the Common Rule and FDA.
question
How are the ethical standards for student uses and disclosures of patients' health information different from those for regular members of the healthcare workforce?
answer
Some would say it is higher, because patients do not always benefit from students' access to their data.
question
For health information privacy and security, are the legal and regulatory requirements for students different from those for regular members of the healthcare workforce?
answer
No, students must meet the same standards as a regular member of the workforce performing the same tasks.
question
Use of social media tools and other new technologies to facilitate training-related communications is:
answer
Depends on the organization's policies, so you should check with your organization's officials about what is allowed or prohibited.
question
In regard to reporting privacy or security problems, are the requirements for students the same as for regular workers?
answer
Yes. Like any other member of the workforce, students are obligated to report problems they are not in a position to correct.
question
Patients have to provide an additional, specific authorization for training uses and disclosures of their information.
answer
False
question
Which of the following is a good practice if one wishes to avoid "social engineering" attacks?
answer
All of the above
question
Which of these is not a good practice for controlling computer access?
answer
Logging into systems with a shared user-ID or password
question
Which of these is not a good practice for protecting computing devices?
answer
Login and screen-saver passwords, or token or biometric mechanisms, are disabled to make it easier to use the device quickly.
question
Which of the following are important for protecting computing devices and systems?
answer
All of the above
question
Which of these is not a good security practice for web browsing?
answer
Browsing to sites using links sent in emails without taking steps to assure the destination is safe.
question
Desktop computers are often provided in the workplace by organizations, and laptops may be as well. However, portable devices (such as tablets and smartphones) may more commonly be allowed on a BYOD basis. For a BYOD (personally-owned) device:
answer
Organizations may have requirements about how BYOD devices may be configured or used, as a condition of accessing the organization's information resources.
question
Secure disposal of a desktop or laptop computer at the end of its service life is:
answer
Generally considered essential for all computing and storage devices. One should not assume there is no sensitive personal or organizational data on a device or accessible by it.
question
Supplemental security software (such as anti-virus [anti-malware]) is:
answer
Increasingly common for smartphones and tablets, and can include protections like remote-locate, remote-disable, and remote-data-wipe.
question
Secure communications, like those provided by "encrypted" web connections using https or a virtual private network (VPN), are:
answer
Generally considered essential.
question
When choosing the security measures needed for a desktop or laptop computer:
answer
The more security measures applied, the more secure a computer will be. However, it is impossible to have a uniform set of rules for all circumstances.
question
Ensuring data backups for data stored on a portable device is generally considered:
answer
Necessary when the device would otherwise be the only source of hard-to-replace data, but the backup mechanism must also be secure.
question
External labeling with a physical label, or configuring a device to display the owner's name and contact information on a login screen, is:
answer
Generally considered a good idea, because it allows the device to be returned to its owner when found. However, always check organizational policies about the practice.
question
Enabling a device login password or PIN, and an inactivity timeout to force (re)login with that password or PIN after the device is idle for a defined period, is generally considered:
answer
Generally considered essential for any portable device.
question
Compared to fixed location (desktop) computers, physical security for portable devices is:
answer
Generally more necessary, because portable devices tend to be used in physical environments that are inherently less secure.
question
Which of these is a greater risk "off site" than when a computer is used in a protected office environment?
answer
All the above
question
What "administrative" measures do you usually need to take?
answer
All the above
question
What "technical measures" do you usually need to take with an off-site computer?
answer
All the above
question
What "physical" security measures do you usually need to take for an off-site computer?
answer
All the above
question
Under HIPAA, an organization is required to do which of the following?
answer
Appoint a Privacy Officer to administer HIPAA rules.
question
Recruiting into research ...
answer
Can qualify as an activity "preparatory to research," at least for the initial contact, but data should not leave the covered entity.
question
Fines and jail time (occasionally) for information security failures are:
answer
Generally, only applied for serious, deliberate misuse, where someone intentionally accesses data in order to do harm or for personal gain.
question
Which of these is not a good security practice for portable devices?
answer
Disabling any remote-locate, remote-shutdown, and remote-erase capabilities because these can accidentally erase data.
question
Which of the following is generally allowed in most organizations?
answer
Social networking if done for approved business-related purposes.
question
Enabling encryption of all data on a desktop or laptop computer is generally considered:
answer
Essential for any computer. Only data on computers that are guaranteed to contain no sensitive information, or where the physical and technical security of the device is assured, can safely be left unencrypted.
question
Software on a desktop or laptop computer should be:
answer
Installed or updated only from trusted sources to be certain that it is a legitimate version.
question
Devices used purely for storage, like USB flash ("thumb") drives and external hard drives:
answer
May expose large amounts of data if compromised, so should also use protections like access passwords or PINs and whole-device data encryption.
question
Secure disposal of a portable device at the end of its service life is:
answer
Generally considered essential for all devices. One should not assume there is no sensitive personal or organizational data on a device or accessible by it.
question
Secure communications, like that provided by "encrypted" web connections using https or a Virtual Private Network (VPN), are:
answer
Generally considered essential for smartphones and tablets, because time-sensitive information is being accessed, received, or transmitted.
question
question
Under HIPAA, "retrospective research" (a.k.a., data mining) on collections of PHI generally ...
answer
Is research, and so requires either an authorization or meeting one of the criteria for a waiver of authorization.
question
question
Which of the following is a correct statement about the balance among prevention, detection, and response (PDR)?
answer
The greater the sensitivity and quantity of the data at issue, the more carefully the balance among these three must be evaluated.
question
Which of these is not a good security practice for email?
answer
Sending sensitive information in email messages or in attachments to such messages, as long as a legally-binding confidentiality notice is included.
question
Physical security for fixed location (desktop) computers is:
answer
Necessary to consider, because physical security is always something that must be evaluated. Very few locations are guaranteed to be secure.
question
Enabling encryption of all data on a portable device is generally considered:
answer
Essential for any portable device.