Answer 2026 | Complete Certification Review
Guide | Grade A+
• Project risks may pose a problem for e-health implementation. The 4 major threats
associated
a. project failure, scope compromise, timetable delay, cost overruns.
b. incompatible technology, security issues, quality issues, cost overruns.
c. project failure, quality issues, contractual issues, staff issues
d. stakeholder buy-in, score compromise, timetable delay, a budgetary insufficiency. -✓✓a. project failure, scope compromise, timetable delay, cost overruns.
• What type of risk is the unauthorized disclosure of personal health information?
a. Security risk.
b. Business risk.
c. Privacy risk.
d. Safety risk. -✓✓c. Privacy risk.
• Which of the following would NOT be classified as an operational risk?
a. Human factors issues.
b. Political influence.
c. Business interruption.
d. Lack of skilled human resources -✓✓d. Lack of skilled human resources
• The three objectives associated with information security are:
a. privacy, security, confidentiality.
b. confidentiality, integrity, availability.
c. confidentiality, privacy, integrity.
d. integrity, data quality, privacy. -✓✓b. confidentiality, integrity, availability.
• Which of the following is concerned with ensuring that information is complete,
accurate and up-to-date and that the information is not corrupted in any way?
a. Confidentiality.
b. Integrity.
c. Availability.
d. Security. -✓✓b. Integrity.
• Which of the following is concerned with ensuring that personal health information is
available to authorized users when it is needed?
a. Confidentiality.
b. Integrity.
c. Availability.
d. Security. -✓✓c. Availability.
• Which of the following is concerned with ensuring that personal health information is
protected from unauthorized access, use and disclosure?
a. Confidentiality.
b. Integrity.
c. Availability.
d. Security. -✓✓a. Confidentiality.
• Which of the following is NOT a security risk?
a. Loss of Personal Health Information.
b. Corruption or unauthorized modification of PHI.
c. Loss of critical information and communication technologies (ICT) services.
d. Inability to meet service levels. -✓✓d. Inability to meet service levels.
• A virus attacks a hospital's information systems and permanently destroys some
Personal Health Information. What type of risk would this be categorized as?
a. Safety risk.
b. Privacy risk.
c. Security risk.
d. Integrity risk. -✓✓c. Security risk.
• A patient is denied access to their own personal health information. Which risk
category would this event be classified under?
a. Security risk.
b. Privacy risk.
c. Operational risk.
d. Business risk. -✓✓b. Privacy risk.
• A new medication administration system is implemented in a health care organization.
Unfortunately, the IT department did not involve front-line users in the testing of possible
systems before choosing and implementing one. The user interface of the new system
is not user friendly and many data entry errors are occurring related to patient
medications. What type of risk is this?
a. Safety risk.
b. Security risk.
c. Privacy risk.
d. Business risk. -✓✓a. Safety risk.
• Incompatible technology, obsolescence, inability to meet service levels and lack of
skilled human resources are e-health issues associated with what type of risk?
a. Project risks.
b. Business risks.
c. Operational risks.
d. Strategic risks. -✓✓c. Operational risks.
• Which of the following is NOT a key component of the risk management process?
a. Establish the context.
b. Consult and communicate.
c. Monitor and review.
d. Mitigate. -✓✓d. Mitigate.
• Which of the following is part of the external context related to e-health solutions?
a. Political context.
b. Technical solution.
c. Information governance.
d. Organizational culture. -✓✓a. Political context.
• The extent to which an organization can cope with changes driven by an e-health solution
is called:
a. information governance.
b. risk tolerance.
c. organization culture.
d. capacity for change. -✓✓d. capacity for change.
• What type of risk treatment would the purchase of insurance be categorized as?
a. Avoidance.
b. Acceptance.
c. Transfer.
d. Mitigation. -✓✓c. Transfer.
• Which of the following is usually the preferred approach to risk management?
a. Avoidance.
b. Acceptance.
c. Transfer.
d. Mitigation. -✓✓d. Mitigation.
• Sometimes, risks must simply be accepted. This statement is:
a. true, and there is nothing further an organization can do.
b. false. There is always a mitigation strategy available.
c. true, but contingency and monitoring plans must be put in place.
d. false. Organizations can at least avoid risks even if they can't mitigate them. -✓✓c. true, but contingency and monitoring plans must be put in place.
• Which of the following are factors included in the external context of an e-health
solution?
a. Financial context.
b. Legal/regulatory context.
c. Physical environment.
d. All of the above. -✓✓d. All of the above.
• The phase of the risk management process that involves ensuring that adverse events
are continuously reported, investigated and managed and that risks are identified is:
a. communication and consultation.
b. risk assessment.
c. risk treatment.
d. monitoring and review. -✓✓d. monitoring and review.
• Organizations located in areas that are very high risk for floods must take this into
consideration when implementing new IT infrastructure, and in developing security
plans. These considerations are part of establishing what context?
a. Solution.
b. Internal.
c. External
d. All of the above. -✓✓c. External
• Procurement challenges would be what type of risk?
a. Operational.
b. Business.
c. Project.
d. Security. -✓✓b. Business.
• Fortunately, e-health issues do not affect patient safety.
True / False -✓✓False
• E-Health projects are very specific and require narrow project scopes to be successful.
True / False -✓✓False
• It is necessary to allow staff to take reasonable risks in order to build a healthy risk
management culture.
True / False -✓✓True
• One key aspect of building a risk management culture is ensuring staff who make risky
accidental errors are identified and are disciplined for them in a timely fashion.
True / False -✓✓False