HIPAA Final Exam with Complete Solutions
ability or means necessary to read, write, modify or communicate data - ANSWER-
access
actions, plus policies and procedures to manage the selection, development,
implementation and maintenance of security measures in relation to the protection of
information. - ANSWER-administrative safeguard
audit trail - ANSWER-data collected during the use of electronic devices that include
the who, what, when and where.
authentication - ANSWER-confirmation that a person is the one claimed
contingency plan - ANSWER-policies and procedures for responding to an
emergency/occurrence that damages systems containing e-PHI.
e-PHI - ANSWER-electronic protected health information
encryption - ANSWER-transforming confidential plain text into cipher text to protect it.
a system that normally includes software, information, data, applications,
communications and people. - ANSWER-information system
infrastructure - ANSWER-underlying foundation or basic framework that directs
information system commands and responses and transports and stores data.
integrity - ANSWER-property of data/information of having not been altered or
destroyed in an unauthorized manner.
method by which the sender of data is provided with proof of delivery and the recipient
is assured of the sender's identity so that neither can later deny having processed the
data. - ANSWER-nonrepudiation
password - ANSWER-confidential character string used in conjunction with a user ID to
verify the identity of an individual attempting to gain access to a computer system.
physical safeguards - ANSWER-physical measures, policies and procedures to protect
electronic information systems/related buildings/equipment from natural/environmental
hazards and unauthorized intrusion
impact and likelihood of an adverse event - ANSWER-risk
process of balancing the cost of security control measures against the losses that would
be expected - ANSWER-risk analysis
risk management - ANSWER-ongoing process that assesses the risk to electronic
information resources and the information itself to determine adequate security for a
system that will reduce the threat and vulnerability to protect health information.
security incident - ANSWER-attempted or successful unauthorized access, use,
disclosure, modification or destruction of information.
technical safeguards - ANSWER-technology and the policies and procedures for its use
that protect e-PHI and control access to it.
workstation - ANSWER-electronic computing device
Which workstation security safeguards are YOU responsible for using and/or protecting?
- ANSWER-user ID, log-off programs, password
True/False-Under HCPCS, the DHHS sets the standard but does not specify how to
comply; the Security Rule mandates that each covered entity appoint someone to be
responsible for securing e-PHI. - ANSWER-False
True/False-Healthcare clearinghouses process a large portion of the total volume of
health claims; these clearinghouses must maintain security of all e-PHI processed just
as a healthcare provider does. - ANSWER-False
Discuss password protection and the need for privacy of passwords. Remembering
passwords is problematic for some people. Why is it essential? - ANSWER-Short
passwords or those that use parts of an individual's name or address are easily guessed.
Passwords of four characters can be guessed in minutes; passwords of seven mixed
alphanumeric characters take about 2 weeks to crack.
It is best to plan NOT to be an easy target. Access protection should challenge potential
hackers. It is not realistic to have an impenetrable firewall, just a good one that is better
than most.
Using videoconferencing to conduct an office visit with a physician located at a distance
is a technology that is becoming increasingly utilized; what is the name of this
technology? - ANSWER-telemedicine
Any security incident must be disclosed to the individuals involved. Consider the impact
on a healthcare facility when the access is to their database and perhaps thousands of
patient records have been exposed. How is the facility to manage this breach within
HIPAA rules? - ANSWER-They have to write a report, then place the written information
in each medical record that is associated with the incident, then send a letter to each
patient letting each one know what happened and how they were affected.
The security rule requires that all policies be accessible for review either in electronic
policy form or on paper in a location that is readily available to all employees. These
policies are to be reviewed on a regular basis to ensure compliance. How long are the
policies and procedures to be kept even if the wording has been changed or eliminated?
- ANSWER-6 years
It appears that most entities have taken the actions required for compliance. AHIMA
reported the most common problems were found as policies and procedures were
developed for HIPAA. List three of the problems: - ANSWER-accounting for release of
PHI;
obtaining PHI from other providers;
access AND release of information to relatives or spouses;
complying with BA provisions;
confusion by individuals regarding the Notice of Privacy Practices;
access AND release of information to law enforcement.
True/False--Healthcare plans do not need a unique identifier to go along with the
identifiers for each healthcare provider and employer that uses standardized
transactions. - ANSWER-False
Presently there are 5 situational uses of the standard unique employer identifier in
electronic transactions; name 3 uses: - ANSWER-healthcare eligibility benefit inquiry
and response;
healthcare claim status request/response;
benefit enrollment and maintenance in a health plan;
health plan premium payments;
healthcare claim (dental, professional or institutional).
Several organizations are developing plans to establish a unique identifier for patients
for possible future use. There are seven possible systems - list 3 different types: -
ANSWER-standard guide for properties of a universal health identifier UHID;
social security number SSN;
biometrics ID;
directory service;
personal immutable properties;
patient identification system based on existing MR number and practitioner prefix;
public key - private key cryptology method
Obtaining by theft or deception of personal medical information, such as one's address,
social security number or health insurance information for use in submitting false claims
or seeking medical care or goods is called: - ANSWER-medical identity theft