CITI - HIPAA Training
A covered entity may use or disclose PHI without an authorization, or documentation of
a waiver or an alteration of authorization, for all of the following EXCEPT: - ANS - Data
that does not cross state lines when disclosed by the covered entity.
A HIPAA authorization has which of the following characteristics: - ANS - Uses "plain
language" that the data subject can understand, similar to the requirement for an
informed consent document.
Compared to fixed location (desktop) computers, physical security for portable devices
is: - ANS - Generally more necessary, because portable devices tend to be used in
physical environments that are inherently less secure.
Desktop computers are often provided in the workplace by organizations, and laptops
may be as well. However, portable devices (such as tablets and smartphones) may
more commonly be allowed on a BYOD basis. For a BYOD (personally-owned) device: -
ANS - Organizations may have requirements about how BYOD devices may be
configured or used, as a condition of accessing the organization's information
resources.
Devices used purely for storage, like USB flash ("thumb") drives and external hard
drives: - ANS - May expose large amounts of data if compromised, so should also use
protections like access passwords or PINs and whole-device data encryption.
Enabling a device login password or PIN, and an inactivity timeout to force (re)login with
that password or PIN after the device is idle for a defined period, is generally
considered: - ANS - Generally considered essential for any portable device.
Enabling encryption of all data on a desktop or laptop computer is generally considered:
- ANS - Essential for any computer. Only data on computers that are guaranteed to
contain no sensitive information, or where the physical and technical security of the
device is assured, can safely be left unencrypted.
Enabling encryption of all data on a portable device is generally considered: - ANS -
Essential for any portable device.
Ensuring data backups for data stored on a portable device is generally considered: -
ANS - Necessary when the device would otherwise be the only source of
hard-to-replace data, but the backup mechanism must also be secure.
External labeling with a physical label, or configuring a device to display the owner's
name and contact information on a login screen, is: - ANS - Generally considered a
good idea, because it allows the device to be returned to its owner when found.
However, always check organizational policies about the practice.
Fines and jail time (occasionally) for information security failures are: - ANS - Generally,
only applied for serious, deliberate misuse, where someone intentionally accesses data
in order to do harm or for personal gain.
For health information privacy and security, are the legal and regulatory requirements
for students different from those for regular members of the healthcare workforce? -
ANS - No, students must meet the same standards as a regular member of the
workforce performing the same tasks.
HIPAA allows health care organizations to control many information decisions. But
where the patient retains control, which of the following is/are true? - ANS - If a person
has a right to make a health care decision, then he/she has a right to control information
associated with that decision.
HIPAA allows healthcare organizations to control many information decisions. However,
where the patient retains control, which of the following is true? - ANS - If a person has
a right to make a healthcare decision, then generally that person has a right to control
information associated with the decision.
HIPAA includes in its definition of "research," activities related to: - ANS - Development
of generalizable knowledge.