CPHIMS EXAM QUESTIONS AND 100% CORRECT ANSWERS
(A+ GRADED) 2025-2026
A patient has been diagnosed with HIV-positive status. The patient calls in for his results
when the doctor and nurse are offsite. One of the clerical staff logs onto the electronic
chart and informs the patient of his positive result. One of the office supervisors
overhears this discussion and realizes that the clerical staff should not have been able
to access the chart or confidential lab test. Which of the following is the BEST method of
preventing similar security violations in the future?
A. Perform chart audits to detect inappropriate accesses.
B. Expect self-reporting of violations.
C. Limit chart access of users by using role-based security.
D. Establish policies on patient confidentiality. - Answer C. Limit chart access of users
by using role-based security.
Option "C" is active restriction to patient data, and therefore most effective.
A disaster recovery plan has been implemented for an organization which involves a
daily tape backup of the data and an uninterruptable power source for the servers. Of
the options below, which is the NEXT area to concentrate on to improve the disaster
recovery plan?
A. lightning suppression
B. data circuit backup
C. antiviral software
D. implement firewall - Answer B. data circuit backup
The best answer is "B" because having a backup line to a data center is important to
data continuity. "A" is not correct because an uninterruptible power supply should
handle the electrical surges due to lightning. "C" and "D" must already be parts of the
disaster recovery plan; hence they are not the best answers.
,A new compliance officer has initiated a review of information security policy
compliance for this organization. The BEST first step would be to determine whether the
organization has:
A. formally assigned security responsibility to an individual.
B. developed an employee security awareness program.
C. performed a security policies and procedures review.
D. The organization's information systems were tested for physical security. -Answer A.
Security responsibility was formally vested in someone.
The other options are incorrect because while they do describe individual parts of a
security plan, none would be the first thing that would be done.
A healthcare organization has implemented application audit logging and reporting to
more closely identify potential system misuse. Which of the following authorization
methods would likely provide the most valuable audit information with the least number
of false-positives?
A. Assign explicit user level permissions to each service.
B. Assign explicit user-level permission for services on an as-needed basis.
C. Use group-based authorization
D. Use role-based authorization - Answer D. Use role-based authorization
With role-based authorization, an individual is granted system access based on the role
they play within an organization. Data access controls using role-based authorization
grant users access to information related to their specific job duties and responsibilities
while preventing users from accessing data that is not pertinent to their role. This would
also reflect, through audit data, role-based authorization by an individual and reduce
false positives by virtue of eliminating access to data not relevant to the individual's role
in the organization.
A health care organization is testing its disaster recovery plan. The quality director
understands computer files are backed up to tape, but remains concerned about data
integrity should the organization need to restore files from tape. Below is a table
showing procedures for computer backups:
,Daily | tape backup | $6000
weekly | offsite tape storage | $3000
periodically | old records to storage | $7200
Which of the following should the CIO recommend in order to give the organization more
confidence in data integrity in case of a disaster?
A. Periodically restore from tape, additional cost $3,000/month
B. Replace tape backup system with new one; one-time cost $50,000.
C. Contract with hot site facility, additional cost $23,000/month
D. Store copies of all paper records offsite for an additional $4,500/month. - Answer A.
Perform periodic restores from tape for an additional $3,000/month
because, besides daily backups stored offsite on tape, periodic restores to prove that
the backups are successful will help ensure that data is accurate.
What of the following are ways to internally market system services?
1. holding roadshow product demonstrations
2. giving bonuses for training completion
3. providing monthly newsletter updates
4. publishing postimplementation results
A. 1, 2 and 3 only
B. 1, 2 and 4 only
C. 1, 3 and 4 only
D. 2, 3 and 4 only - Answer C. 1, 3 and 4 only
Because #2, giving bonuses for the completion of training, is helpful way to provide
incentives for training but does not promote services.
, A healthcare system's statement of basic purpose and activities is the:
A. vision statement.
B. values statement.
C. mission statement.
D. strategic plan. Answer C. mission statement.
The mission statement identifies why an organization exists. An organization's mission is
the most central agreement among its various stakeholders, and it tends to be the most
permanent. "A" is not correct since the vision statement is not a basic purpose, it is a
future goal. The vision is usually a simple statement of the contribution to universal
goals. "B" is not correct because values statements list the principles which guide
actions. The values statement often calls for "respect", "quality", "safety", "honesty."
Values statements establish the moral foundation for the enterprise. "D" is not correct
because the strategic plan represents a road map to achieve goals, usually spelling out
tactics year to year.
An institutional vendor is hired to implement a new cardiology information system. The
IT organizational structure is to be matrixed. The vendor must determine the members
of the project team for the following roles and will require identifying who is responsible
for each of the following:
Maintaining the project plans current
Implementation of the cardiology information system
It will be responsible for designing interfaces and user customizations, constructing the
procedure tables. Which of the following project team roles directly correspond to the
functions in the order listed above? A. product manager, project manager, software
programmer, analyst B. project manager, product manager, software programmer,
analyst C. project manager, software programmer, product manager, analyst
D. product manager, software programmer, product manager, analyst - An. B. project
manager, product manager, software programmer, analyst
The project manager is responsible for keeping the project plans current. The product
manager is responsible for the implementation of the cardiology information system.
The software programmer is responsible to design the interfaces and the user
customizations. The Analyst is responsible to build the procedure tables.
(A+ GRADED) 2025-2026
A patient has been diagnosed with HIV-positive status. The patient calls in for his results
when the doctor and nurse are offsite. One of the clerical staff logs onto the electronic
chart and informs the patient of his positive result. One of the office supervisors
overhears this discussion and realizes that the clerical staff should not have been able
to access the chart or confidential lab test. Which of the following is the BEST method of
preventing similar security violations in the future?
A. Perform chart audits to detect inappropriate accesses.
B. Expect self-reporting of violations.
C. Limit chart access of users by using role-based security.
D. Establish policies on patient confidentiality. - Answer C. Limit chart access of users
by using role-based security.
Option "C" is active restriction to patient data, and therefore most effective.
A disaster recovery plan has been implemented for an organization which involves a
daily tape backup of the data and an uninterruptable power source for the servers. Of
the options below, which is the NEXT area to concentrate on to improve the disaster
recovery plan?
A. lightning suppression
B. data circuit backup
C. antiviral software
D. implement firewall - Answer B. data circuit backup
The best answer is "B" because having a backup line to a data center is important to
data continuity. "A" is not correct because an uninterruptible power supply should
handle the electrical surges due to lightning. "C" and "D" must already be parts of the
disaster recovery plan; hence they are not the best answers.
,A new compliance officer has initiated a review of information security policy
compliance for this organization. The BEST first step would be to determine whether the
organization has:
A. formally assigned security responsibility to an individual.
B. developed an employee security awareness program.
C. performed a security policies and procedures review.
D. The organization's information systems were tested for physical security. -Answer A.
Security responsibility was formally vested in someone.
The other options are incorrect because while they do describe individual parts of a
security plan, none would be the first thing that would be done.
A healthcare organization has implemented application audit logging and reporting to
more closely identify potential system misuse. Which of the following authorization
methods would likely provide the most valuable audit information with the least number
of false-positives?
A. Assign explicit user level permissions to each service.
B. Assign explicit user-level permission for services on an as-needed basis.
C. Use group-based authorization
D. Use role-based authorization - Answer D. Use role-based authorization
With role-based authorization, an individual is granted system access based on the role
they play within an organization. Data access controls using role-based authorization
grant users access to information related to their specific job duties and responsibilities
while preventing users from accessing data that is not pertinent to their role. This would
also reflect, through audit data, role-based authorization by an individual and reduce
false positives by virtue of eliminating access to data not relevant to the individual's role
in the organization.
A health care organization is testing its disaster recovery plan. The quality director
understands computer files are backed up to tape, but remains concerned about data
integrity should the organization need to restore files from tape. Below is a table
showing procedures for computer backups:
,Daily | tape backup | $6000
weekly | offsite tape storage | $3000
periodically | old records to storage | $7200
Which of the following should the CIO recommend in order to give the organization more
confidence in data integrity in case of a disaster?
A. Periodically restore from tape, additional cost $3,000/month
B. Replace tape backup system with new one; one-time cost $50,000.
C. Contract with hot site facility, additional cost $23,000/month
D. Store copies of all paper records offsite for an additional $4,500/month. - Answer A.
Perform periodic restores from tape for an additional $3,000/month
because, besides daily backups stored offsite on tape, periodic restores to prove that
the backups are successful will help ensure that data is accurate.
What of the following are ways to internally market system services?
1. holding roadshow product demonstrations
2. giving bonuses for training completion
3. providing monthly newsletter updates
4. publishing postimplementation results
A. 1, 2 and 3 only
B. 1, 2 and 4 only
C. 1, 3 and 4 only
D. 2, 3 and 4 only - Answer C. 1, 3 and 4 only
Because #2, giving bonuses for the completion of training, is helpful way to provide
incentives for training but does not promote services.
, A healthcare system's statement of basic purpose and activities is the:
A. vision statement.
B. values statement.
C. mission statement.
D. strategic plan. Answer C. mission statement.
The mission statement identifies why an organization exists. An organization's mission is
the most central agreement among its various stakeholders, and it tends to be the most
permanent. "A" is not correct since the vision statement is not a basic purpose, it is a
future goal. The vision is usually a simple statement of the contribution to universal
goals. "B" is not correct because values statements list the principles which guide
actions. The values statement often calls for "respect", "quality", "safety", "honesty."
Values statements establish the moral foundation for the enterprise. "D" is not correct
because the strategic plan represents a road map to achieve goals, usually spelling out
tactics year to year.
An institutional vendor is hired to implement a new cardiology information system. The
IT organizational structure is to be matrixed. The vendor must determine the members
of the project team for the following roles and will require identifying who is responsible
for each of the following:
Maintaining the project plans current
Implementation of the cardiology information system
It will be responsible for designing interfaces and user customizations, constructing the
procedure tables. Which of the following project team roles directly correspond to the
functions in the order listed above? A. product manager, project manager, software
programmer, analyst B. project manager, product manager, software programmer,
analyst C. project manager, software programmer, product manager, analyst
D. product manager, software programmer, product manager, analyst - An. B. project
manager, product manager, software programmer, analyst
The project manager is responsible for keeping the project plans current. The product
manager is responsible for the implementation of the cardiology information system.
The software programmer is responsible to design the interfaces and the user
customizations. The Analyst is responsible to build the procedure tables.
