Chapter 11 - Data Privacy, Confidentiality, And Security Flashcards

1
Q

Accept the risk

A

Understanding that residual risk would exist, as no additional controls would be implemented, leaving some risk to the organization

2
Q

Accounting of disclosures

A

An individual has a right to receive an accounting of disclosures of PHI made by a CE in the six years prior to the date on which the accounting is requested, except for disclosures (i) to carry out treatment, payment, and health care operations as provided in 164.506; (ii) to individuals of PHI about them as provided in 164.502; (iii) incident to a use or disclosure otherwise permitted or required by this subpart; (iv) pursuant to an authorization as provided in 164.508; (v) for the facility directory or to persons involved in the person's care or other notification purposes as provided; (vi) for national security or intelligence purposes as provided; (vii) to correctional institutions or law enforcement officials as provided; (viii) as part of a limited data set in accordance; (ix) that occurred prior to the compliance date for the CE

3
Q

Addressable standards

A

As amended by HITECH, the implementation specifications of the HIPAA Security Rule that are designated "addressable" rather than "required"; to be in compliance with the rule, the covered entity must implement the specification as written, implement an alternative, or document that the risk for which the implementation specification was provided either does not exist in the organization or exists with a negligible probability of occurrence

4
Q

Administrative safeguards

A

Under HIPAA, administrative actions and policies and procedures to manage the selection, development, and implementation of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information

5
Q

Assessment

A

The systematic collection and review of the information pertaining to an individual who wants to receive health care services or enter into the health care setting

6
Q

Audit

A

1. A function that allows retrospective reconstruction of events, including who executed the events in question and what changes were made as a result. 2. To conduct an independent review of electronic system records and activities in order to test the adequacy and effectiveness of data security procedures and to ensure compliance with established policies and procedures.

7
Q

Audit log

A

A chronological record of electronic system activities that enables the reconstruction, review, and examination of the sequence of events surrounding or leading to each event or transaction from its beginning to end. Includes who performed what event and when it occurred.

8
Q

Authorization

A

As amended by HITECH, except as otherwise specified, a covered entity may not use or disclose PHI without a valid authorization. When a CE receives a valid authorization, such use or disclosure must be consistent with the authorization.

9
Q

Biometric authentication

A

Allows a user to be uniquely identified and to access the system based on one or more biometric traits such as fingerprints, hand geometry, retinal pattern, or voice waves

10
Q

Breach

A

Under HITECH, the acquisition, use, access or disclosure of protected health information in a manner not permitted under subpart E of this part that compromises the security or privacy of the protected health information

11
Q

Breach notification

A

A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach

12
Q

Breach notification rule

A

Requires covered entities and business associates to establish policies and procedures to investigate an unauthorized use or disclosure of PHI to determine if a breach has occurred, conclude the investigation, and notify affected individuals and the Secretary of the Department of Health and Human Services within 60 days of the date of discovery

13
Q

Bring your own device

A

Refers to the personal devices that are allowed to be used within a healthcare organization and that interact with electronic protected health information (ePHI)

14
Q

Business associate (BA)

A

1. A person or organization other than a member of the covered entity's workforce that performs functions or activities on behalf of or affecting a covered entity that involve the use or disclosure of individually identifiable health information. 2. With respect to the covered entity, a person who creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA, including claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, or practice management, or who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services

15
Q

Business associate agreement (BAA)

A

A contract between the covered entity and BA that must establish the permitted and required uses and disclosures of PHI by the BA and provide the specific content requirements of the agreement. The contract may not authorize the BA to use or further disclose the information in a manner that would violate the requirements of HIPAA, and it requires the termination of the contract if the covered entity or BA is aware of noncompliant activities of the other

16
Q

Cipher text

A

A text message that has been encrypted, or converted into code, to make it unreadable in order to conceal its meaning

17
Q

Compound authorization

A

An authorization for use or disclosure of PHI may not be combined with any other document to create a compound authorization, except as follows: (i) an authorization for the use of PHI for research may be combined with any other type of written permission for the same or another research study; (ii) an authorization for the use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes; (iii) when a CE has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits under this section on the provision of one of the authorizations

18
Q

Confidentiality

A

1. A legal and ethical concept that establishes the healthcare provider's responsibility for protecting health records and other personal and private information from unauthorized use or disclosure. 2. As amended by HITECH, the practice that data or information is not disclosed to unauthorized persons or processes

19
Q

Contingency plan

A

A comprehensive plan that highlights potential vulnerabilities and threats as well as identifies the approaches to either prevent them or at least minimize their impact; there are three major categories: natural threats, technical or manmade threats, and intentional acts

20
Q

Contrary

A

State law cannot be complied with when 1. A CE determines that it is impossible to comply with both federal and state privacy regulations, or 2. Compliance with the state law would create a barrier to compliance with the federal regulations under HIPAA

21
Q

Covered entity (CE)

A

As amended by HITECH: 1. A health plan. 2. A healthcare clearinghouse. 3. A healthcare provider who transmits any healthcare information in electronic form in connection with a transaction covered by this subchapter

22
Q

Criticality analysis

A

Consists of evaluating each of the different systems in the organization to determine how crucial the information in the system is to day-to-day healthcare operations and patient care

23
Q

Cryptographic Key

A

Tool applied to the data in order to turn the information into cipher text, as well as to convert the text from cipher text back to plain text.

24
Q

Data at rest

A

Data in storage within a database or on a server where it is no longer being used or accessed

25
Q

Data backup plan

A

A plan that ensures the recovery of information that has been lost or become inaccessible

26
Q

Data in motion

A

Data that are in the process of being transmitted from one location to another, such as email

27
Q

Data security

A

The process of keeping data, both in transit and at rest, safe from unauthorized access, alteration, or destruction

28
Q

Decryption

A

The process of transforming the information from cipher text to plain text

29
Q

Deidentification

A

1. The act of removing from a health record or data set any information that could be used to identify the individual to whom the data apply, in order to protect their confidentiality. 2. To remove the names of the principal investigator, coinvestigator, and affiliated organizations to allow reviewers to maintain objectivity

30
Q

Designated records set

A

1. A group of records maintained by or for a CE that is (i) the medical records and billing records about individuals maintained by or for the covered healthcare provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the CE to make decisions about individuals. 2. For purposes of this paragraph, the term means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for the CE

31
Q

Disaster recovery plan

A

The document that defines the resources, actions, tasks, and data required to manage the business's recovery process in the event of a business interruption

32
Q

Disclosure

A

As amended by HITECH, the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information

33
Q

Emergency mode operation plan

A

A plan that defines the processes and controls that will be followed until the operations are fully restored

34
Q

Encryption

A

The process of transforming text into an unintelligible string of characters that can be transmitted via communications media with a high degree of security and then decrypted when it reaches a secure destination

35
Q

Expert determination method

A

Data elements that could identify the person are removed from the data; then an expert, such as a statistician, applies scientific methodology to determine the likelihood of identification of the person. The expert that an organization hires to statistically analyze the information provides documentation of the probability

36
Q

Health information exchange

A

The exchange of health information electronically between the provider and others with the same level of interoperability, such as labs and pharmacies

37
Q

Health insurance portability and accountability act (HIPAA) of 1996

A

The federal legislation enacted to provide continuity of health coverage, control fraud and abuse in healthcare, reduce healthcare costs, and guarantee the security and privacy of health information; limits exclusions for pre-existing medical conditions, prohibits discrimination against employees and dependents based on health status, guarantees health insurance to small employers, and guarantees renewability of insurance to all employers regardless of size; requires CEs to transmit healthcare claims in a specific format and to develop, implement, and comply with the standards of the Privacy Rule and the Security Rule; and mandates that covered entities apply for and utilize national identifiers in HIPAA transactions

38
Q

HITECH-HIPAA omnibus Privacy act

A

Includes some of the most significant changes to patient privacy since HIPAA was first enacted in 2003; it went into effect March 26, 2013, and CEs were to ensure compliance by September 23, 2013. Also known as the Omnibus Rule, it strengthens the privacy and security of PHI, modifies the breach notification rules, strengthens privacy protections for genetic information by prohibiting health plans from using or disclosing such information for underwriting, makes BAs of CEs liable for compliance, strengthens limitations on the use and disclosure of PHI for marketing, research, and fundraising, and allows patients increased restriction rights

39
Q

Individually identifiable health information

A

As amended by HITECH, information that is a subset of health information, including demographic information collected from an individual, and 1. Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; 2. Relates to the past, present, or future physical or mental health of an individual; and (i) that identifies the individual, or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual

40
Q

Logic bombs

A

Malware that will execute a program, or a string of code, when a certain event happens

41
Q

Malware

A

Any program that causes harm to systems by unauthorized access, unauthorized disclosure, destruction, or loss of integrity of any information

42
Q

Minimum necessary

A

Privacy Rule standard that requires that a CE or BA make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request; it is meant to limit disclosure of PHI so that it is only used or disclosed to carry out necessary functions for treatment, payment, and healthcare operations

43
Q

Mitigate the risk

A

The process of reducing or eliminating a risk by implementing a control

44
Q

Notice of privacy practices (NPP)

A

As amended by HITECH, a statement issued by a healthcare organization that informs individuals of the uses and disclosures of patient-identifiable information that may be made by the organization, and of the organization's legal duties with respect to that information

45
Q

Organizational safeguards

A

Measures like business associate agreements, so that arrangements are made to protect electronic protected health information between organizations

46
Q

Physical safeguards

A

As amended by HITECH, Security Rule measures such as locking doors to safeguard data and various media from unauthorized access and exposure, including facility access controls, workstation use, workstation security, and device and media controls

47
Q

Plaintext

A

A message that is not encrypted; a form of text that does not support text formatting such as bold, italic, or underline; the most efficient way to store text

48
Q

Privacy

A

The quality or state of being hidden from, or undisturbed by, the observation or activities of other persons, or freedom from unauthorized intrusion; in healthcare-related contexts, the right of a patient to control disclosure of PHI

49
Q

Privacy rule

A

The federal regulation created to implement the privacy requirements of the simplification subtitle of HIPAA of 1996; effective in 2002, it afforded patients certain rights to and about their protected health information

50
Q

Protected Health Information (PHI)

A

As amended by HITECH, 1. Individually identifiable health information, except as provided in paragraph 2 of this definition, that is (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or medium. 2. PHI excludes individually identifiable health information (i) in education records covered by the Family Educational Rights and Privacy Act; (ii) in records described at 20 USC; (iii) in employment records held by a covered entity in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years

51
Q

Reasonable cause

A

An act or omission in which a CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which that CE or BA did not act with willful neglect

52
Q

Reidentification

A

An organization can apply a specific code, or other means, to the data for future identification purposes; however, the specific code cannot be derived from any type of data elements that come from the patient’s health information

53
Q

Required standards

A

Under the Security Rule, implementation specifications are detailed instructions for implementing a particular standard; standards in turn are generally composed of specifications that are required. If a specification is required, the CE must implement policies and procedures that meet what the implementation specification requires

54
Q

Residual risk

A

Risk that remains after no additional controls are implemented

55
Q

Risk analysis

A

The process of identifying possible security threats to the organization’s data and identifying which risks should be proactively addressed and which risks are lower in priority

56
Q

Risk Management

A

1. A comprehensive program of activities intended to minimize the potential for injuries to occur in a facility and to anticipate and respond to ensuing liabilities for those injuries that do occur. 2. The processes in place to identify, evaluate, and control risk, defined as the organization's risk of accidental financial liability

57
Q

Rootkit

A

Thinking that attempts to explain how people adopt specific roles, including leadership roles

58
Q

Safe harbor Method

A

Deidentification method that requires the CE or BA to remove 18 data elements from the health information; the data elements are defined as the following: names; geographic subdivisions smaller than state; all elements of dates excluding year, or, if over 89 years of age, all elements of dates including year; phone number; fax number; SSN; medical record number; insurance information; account numbers; license and vehicle identification numbers; device numbers; URL; IP address; biometric identifiers; full face photographs; any other unique identifying number, characteristic, or code

59
Q

Secure information

A

Unreadable, unusable, and indecipherable encrypted information

60
Q

Security

A

1. The means to control access and protect information from accidental or intentional disclosure, unauthorized alteration, destruction, or loss. 2. The physical protection of facilities and equipment from theft, damage, or unauthorized access; collectively, the policies, procedures, and safeguards designed to protect the confidentiality of information, maintain the integrity and availability of information systems, and control access to the content of these systems

61
Q

Security Rule

A

The federal regulations created to implement the security requirements of HIPAA

62
Q

Stringent

A

State law is considered stringent if the law prohibits or restricts use or disclosure in circumstances under which such use or disclosure would be permitted under the federal law. State law is considered to be more stringent if it gives an individual greater rights to acquire, copy, or amend their PHI; further prohibits the use and disclosure of PHI; provides the individual greater rights of access to information; requires greater authorization requirements for compliance; requires more privacy protections; or requires more protection for privacy-sensitive notes, such as mental health or HIV status

63
Q

Technical Safeguards

A

Under the Security Rule, means the technology and the policy and procedures for its use that protect ePHI and control access to it

64
Q

Transfer the risk

A

Outsourcing or insuring the risk against any potential loss to the organization

65
Q

Trojan horse

A

A destructive piece of programming code hidden in another piece of programming code that looks harmless

66
Q

Use

A

With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information

67
Q

User Authentication

A

The process where an end user logs into an electronic system using specific credentials defined by the organization

68
Q

Virus

A

A computer program, typically hidden, that attaches itself to other programs and has the ability to replicate and cause various forms of harm to the data

69
Q

Willful neglect

A

Conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated

70
Q

Worm

A

A special type of virus, usually transferred from computer to computer via e-mail, that can replicate itself and use memory but cannot attach itself to other programs