HCISPP 2 Flashcards

1
Q

Refers to preventing the disclosure of information to unauthorized individuals or systems. Necessary for maintaining the privacy of the people whose personal information is held in the system.

A

Confidentiality

2
Q

Two types: 1) the person to whom the actual data pertains, i.e. the patient receiving the treatment. This is the individual who has the final determination for how the data is used and by whom the data can be used or disclosed. 2) the healthcare organization that provides the treatment services for the patient and captures information during treatment services.

A

Data Owners

3
Q

The principle that states that there should be limits to the collection of personal data and that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

A

Collection Limitation Principle

4
Q

a security principle stating that a user should have access only to the data he or she needs to perform a particular function.

A

Need to know

5
Q

Assets with a physical presence

A

Tangible Assets

6
Q

(CPT) codes are published by the American Medical Association. It is a five (5) digit numeric code that is used to describe medical, surgical, laboratory, anesthesiology, and evaluation and management services of physicians, hospitals, and other healthcare providers. There are approximately 7800. Two-digit modifiers may be appended when appropriate to clarify or modify the description of the procedure.

A

Current Procedural Terminology

7
Q

HSM is one type of DLM product. It represents different types of storage media, such as redundant array of independent disks (RAID) systems, optical storage, or tape, each type representing a different level of cost and speed of retrieval when access is needed. An administrator can establish and state guidelines for how often different kinds of files are to be copied to a backup storage device. Once a guideline has been set, the software manages everything automatically.

A

Hierarchical Storage Management

8
Q

The principle that states that personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with the purpose specification principle.

A

use limitation principle

9
Q

the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred

A

risk mitigation

10
Q

controls that capture things such as who is responsible for information security at the third party, what types of processes the third party has in place to request access to data, and also would include ensuring that the third party has appropriate security policies, procedures, and standards

A

Administrative Controls

11
Q

the principle that states that a data controller should be accountable for complying with measures

A

Accountability principle

12
Q

the world’s largest standards organization, with more than 30 standards addressing information security practices and audit, and each of the standards is constantly reviewed and updated, which requires consistent attention for keeping up with the latest standard changes.

A

ISO

13
Q

Part of the US Department of Commerce; addresses the measurement infrastructure within science and technology efforts within the US federal government.

A

NIST

14
Q

Government-funded health care: a program funded by the US federal and state governments that pays the medical expenses of people who are unable to pay some or all of their own medical expenses.

A

Medicaid

15
Q

the uninvolved vendors, business partners, or other data sharing associates. The first party is the patient himself/herself or the person, such as the parent, responsible for the patient’s health bill. The second party is the physician, clinic, hospital, nursing home, or other health care entity rendering the care. These second parties are often called providers because they provide health care.

A

Third Parties

16
Q

the activities undertaken by either a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or a covered healthcare provider or health plan to obtain or provide reimbursement for the provision of healthcare.

A

Payment

17
Q

a plan that takes the output of the risk assessment and identifies tasks needing to be accomplished to mitigate

A

corrective action plan

18
Q

controls that encompass areas such as facility access, fire protection, and visitor procedures

A

Physical controls

19
Q

determines what protections need to be in place to guard data based on its sensitivity and value as well as the risk of exposure

A

security

20
Q

How the organizational representatives identify the most critical data to be given the highest protection

A

Data Categorization

21
Q

systems that assign a distinct numeric value to medical diagnosis, procedures and surgery, signs and symptoms of disease and ill-defined conditions, poisoning, adverse effects of drugs, complications of surgery, and medical care. The assigned codes and other patient data are processed by the grouper software to determine a DRG for the episode of care which is used for funding and reimbursement.

A

Medical Coding

22
Q

Very similar to the BAA in which the recipient of the data set would agree to limit the use of the data for the purposes for which it was given to ensure the security of the data and not to identify the information or use it to contact any individual.

A

Data Use Agreement

23
Q

Includes the technologies, tools, and methods used to capture, manage, store, preserve, and deliver content across an enterprise.

A

Enterprise Content Management

24
Q

The primary liaison for the CIO to the organization's authorizing officials, information system owners, common control providers, and information system security officers.

A

Senior Information Security Officer

25
Q

a unit of the US Department of Labor and addresses safety and protection of workers in organizations that involve hazards and hazardous wastes as potential sources of injuries and health related problems

A

Occupational Safety and Health Administration

26
Q

an organizational official responsible for designating a senior information security officer and developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements

A

chief information officer

27
Q

is an initiative by health care professionals and industry to improve the way computer systems in health care share information. IHE promotes the coordinated use of established standards such as DICOM and HL7 to address specific clinical needs in support of optimal patient care. Systems developed in accordance with IHE communicate with one another better, are easier to implement, and enable care providers to use information more effectively.

A

Integrating the Healthcare Enterprise

28
Q

generated at various points in the records management lifecycle, providing underlying data to describe the document, specify access controls and rights, provide retention and disposition instructions, and maintain the record history and audit trail.

A

Metadata

29
Q

Means the provision, coordination, or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one provider to another.

A

Treatment

30
Q

Create a feedback loop to measure whether the security strategy and program are on target or need refinement

A

Key Performance Indicators

31
Q

Controls that deter, detect, and/or reduce impacts to the system.

A

Preventative controls

32
Q

States that an individual should have the right:
• To obtain from a data controller, or otherwise, confirmation of whether the data controller has data relating to him
• To have communicated to him data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him
• To be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial
• To challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended.

A

Individual Participation Principle

33
Q

the data collected about a specific person potentially across a number of treatment services from a number of healthcare organizations

A

Health Information

34
Q

The activities that identify and locate the stores of organizational data on networked devices, including servers and workstations

A

Data Discovery

35
Q

the technology, policy, and procedures for its use that safeguard electronic protected health information and control access to ePHI.

A

Technical Safeguards

36
Q

A basis for obtaining federal stores of information that are seen as publicly accessible, and is frequently used by private citizens for political or legal issues

A

Freedom of Information Act

37
Q

Is necessary to obtain a true understanding of the health care organization. Can occur at the individual level, the household level, the business or corporate level, the supplier level, or some other combination of attributes. Requires powerful matching technology that can locate less obvious members of a related group.

A

Data Integration

38
Q

The HIPAA regulations adopted certain standard transactions for EDI of healthcare data. These transactions are: claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment, and disenrollment, referrals and authorizations, coordination of benefits, and premium payment.

A

Electronic data Interchange

39
Q

The current state of risk after applying risk response strategies.

A

residual risk

40
Q

Refers to a hierarchical system that comprises vocabulary and terms; in turn, vocabulary is made up of terms, or names, at the most basic level. The major advantage is simplicity; if there is one, then there is the assumption that everyone is or will be made aware of it, understands the vocabulary and classifications, accepts it, and utilizes the known.

A

Taxonomy

41
Q

Any proposal relating to human subjects, including healthy volunteers, that cannot be considered as an element of accepted clinical management or public health practice and that involves either physical or psychological intervention or observation, or the collection, storage, and dissemination of information relating to individuals. This definition relates not only to planned trials involving human subjects but also to research in which environmental factors are manipulated in a way that could incidentally expose individuals to undue risks.

A

Human Research

42
Q

Eliminates barriers to data sharing by providing direct data access; data translation tools; and the ability to build complex spatial extraction, transformation, and loading processes. Standardized data messaging facilitates __________ between health information systems regardless of the database models employed by individual health care enterprises. There are three levels: Foundational, Structural, and Semantic.

A

Data Interoperability

43
Q

A vendor, as a recipient of PHI from healthcare organizations, as defined in HIPAA and in regulations promulgated by the US Department of Health and Human Services (DHHS) to implement certain provisions. All must agree in writing to certain mandatory provisions regarding, among other things, the use and disclosure of PHI.

A

Business Partners

44
Q

the set of activities that ensures data is not lost from an organization

A

Data Loss prevention

45
Q

A public or private entity that processes or facilitates the processing of non-standard data elements of health information into standard data elements. The entity receives healthcare transactions from healthcare providers or other entities, translates the data from a given format into one acceptable to the intended payer or payers, and forwards the processed transaction to the appropriate payers.

A

Healthcare Clearinghouse

46
Q

Once records are created, they must be maintained in such a way that they are accessible and retrievable. Components of this phase include functions, rules, and protocols for indexing, searching, retrieving, processing, routing, and distributing.

A

Record Maintenance and Use

47
Q

an individual, group or organization responsible for conducting information system security engineering activities.

A

Information System Security Engineer

48
Q

(DICOM) the international standard for medical images and related information. It defines the formats for medical images that can be exchanged with the data and quality necessary for clinical use. Implemented in almost every radiology, imaging, and radiotherapy device, and increasingly in devices in other medical domains such as ophthalmology and dentistry. With thousands of imaging devices in use, it is one of the most widely deployed healthcare messaging standards in the world

A

Digital Imaging and Communications in Medicine

49
Q

Provide the capability to electronically move clinical information between disparate healthcare information systems while maintaining the meaning of the information being exchanged. HIEs also provide the infrastructure for secondary use of clinical data for purposes such as public health, clinical, biomedical, and consumer health informatics research as well as institution and provider quality assessment and improvement.

A

Health Information Exchange Organizations

50
Q

Any organization or corporation that directly handles PHI or PHRs. They include public clinics, nursing homes, pharmacies, specialty hospitals, homecare programs, home meal programs, hospice, and durable medical equipment suppliers.

A

Covered Entity

51
Q

the person who is the subject of the PHI

A

Individual

52
Q

Reviews plans for research involving human subjects. Institutions that accept research funding from the federal government must have an IRB to review all research involving human subjects. The FDA and the Office for Human Research Protections (OHRP) (part of the National Institutes of Health) set the guidelines and regulations governing human subjects research and IRBs.

A

Institutional Review Board

53
Q

An organizational official that acts on behalf of an authorizing official to coordinate and conduct the required day to day activities associated with the security authorization process

A

Authorizing Official Designated representative

54
Q

Health information that meets the standard and implementation specifications under 45 C.F.R. § 164.514 (a) and (b).

A

De-Identified Information

55
Q

(BA) The privacy rule allows covered providers and health plans to disclose protected health information to a variety of businesses that provide services to them and have access to their patients' PHI, such as billing services, attorneys, accountants, and consultants.

A

Business Associates

56
Q

means PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual

A

Limited data set

57
Q

the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations

A

Risk sharing

58
Q

physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards and unauthorized intrusion.

A

Physical Safeguards

59
Q

a governance structure where the authority, responsibility and decision-making power are vested solely within central bodies

A

centralized governance structure

60
Q

Assets that are not physical

A

Intangible Assets

61
Q

dictates what needs to be protected

A

Privacy

62
Q

HITECH, ARRA, the privacy rule, the security rule, enforcement rule, and breach notification rule.

A

Health Insurance Portability and Accountability Act of 1996

63
Q

The senior person in charge of managing the data systems used in capturing, storing, or analyzing the PHI of patients under the care of the organization. They have the responsibility for maintaining the integrity of the data system and for authorizing access by internal and external workforce members to the data system and its included PHI.

A

Data controller/manager

64
Q

the channel through which information is transmitted. The main forms include auditory, visual and tactile.

A

Modality

65
Q

Typically employs a set of methods, principles, or rules for assessing risk based on non-numerical categories or levels.

A

Qualitative Assessment

66
Q

Covers essential health benefits but has a very high deductible. This means it provides a kind of “safety net” coverage in case the patient has an accident or serious illness. Usually do not provide coverage for services such as prescription drugs or shots.

A

Catastrophic Health Insurance Plan

67
Q

An effort led by CMS and the Office of the National Coordinator for Health IT (ONC); the set of standards defined by the CMS Incentive Programs that governs the use of electronic health records and allows eligible providers and hospitals to earn incentive payments by meeting specific criteria.

A

Meaningful Use

68
Q

This phase includes creating, editing, and reviewing work in process as well as capture of content (e.g., through document imaging technology) or receipt of content (e.g., through a health information exchange). Every organization must establish business rules for determining when content or documents become records

A

Record Creation, Capture, or Receipt

69
Q

The federal agency within HHS with oversight over HIPAA privacy, security, and breach notification requirements; it established a comprehensive audit protocol that physician practices may wish to consider as they review and update their HIPAA compliance plans. The OCR audit protocol contains 170 audit areas. The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate.

A

Office of Civil Rights

70
Q

Assist in the organizational risk process by striving to identify and close as many vulnerabilities as possible

A

Information Security Professionals

71
Q

A governance structure where the authority, responsibility, and decision-making power are distributed between a central body and individual subordinate organizations.

A

Hybrid information security governance structure

72
Q

may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance

A

Risk avoidance

73
Q

A methodology where an organization manages and directs an information security risk evaluation for its own organization.

A

OCTAVE

74
Q

in health care generally refers to entities other than the patient that finance or reimburse the cost of health services.

A

Payer

75
Q

assessment focused on the technology aspects of an organization, such as the network or applications

A

Vulnerability assessments

76
Q

HCPCS is used to report hospital outpatient procedures and physician services. These coding systems serve an important function for physician reimbursement, hospital payments, quality review, benchmarking measurement, and the collection of general medical statistical data.

A

Healthcare common procedure coding system

77
Q

an activity of a covered entity intended to raise funds to benefit the covered entity or an institutionally related foundation that has as its mission to benefit the covered entity

A

Fundraising

78
Q

Use technology and human efforts to provide protection of and control access to the data and information that is considered private

A

Security Professionals

79
Q

the process of determining the impact of the loss of confidentiality, integrity, or availability of the information to an organization

A

categorization

80
Q

An employee welfare benefit plan, including insured and self-insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance reimbursement.

A

Group Health Plan

81
Q

The Trust Taxonomy provides a conceptual framework to facilitate governance of inter-entity exchange through transparency into trust policies and practices based on Identity, Policy and Contractual attributes. When utilizing the taxonomy, all trading partners would use a consistent approach to the classification of trust attribute definitions along with consistent representations as to how these trust attributes are implemented.

A

Governance Framework

82
Q

means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

A

Use

83
Q

(ARRA) was enacted on 02/17/09 and includes many measures to modernize our nation's infrastructure, one of which is the "Health Information Technology for Economic and Clinical Health" (HITECH) Act. The HITECH Act supports the concept of Meaningful Use (MU) of Health Information Technology (IT) and healthcare reform to help healthcare organizations meet their clinical and business objectives via HIE. MU requirements consist of payment approaches that stress care coordination, and federal financial incentives are driving the interest in and demand for HIE.

A

American Reinvestment and Recovery Act

84
Q

The patient can go to the doctor of his/her choice, and the patient, the patient's doctor, or the patient's hospital submits a claim to the patient's insurance company for reimbursement.

A

Indemnity Plan

85
Q

the record life cycle from creation through final disposition.

A

Records Management Lifecycle

86
Q

Establishes how connectivity will occur to and from the primary entity with the third party

A

Connection Agreement

87
Q

The organization's "health record" that meets all statutory, regulatory, and professional requirements for clinical purposes as well as for business purposes. If the record does not qualify as a legal record, it becomes hearsay and therefore is much less legally valid for business or for medico-legal purposes. Unless the practice intends to maintain separate paper records that comply with legal requirements, its EHR must conform to the same requirements as health records in general and as business records on computers more specifically.

A

Legal Medical Record

88
Q

The principle that states that there should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller

A

Openness Principle

89
Q

A technical basis for an international agreement among member countries. The targets are the standards, and the methodology is how the standards are achieved, all according to the arrangement among the members.

A

Common Criteria

90
Q

predefined topical areas that can put an organization at risk

A

threats

91
Q

NeHC has convened the national HIE governance forum at the request of the Office of the National Coordinator for Health IT (ONC) through ONC's cooperative agreement. One of ONC's governance goals for nationwide HIE is to increase trust among all potential exchange participants in order to mobilize trusted exchange to support patient health and care.

A

National eHealth Collaborative

92
Q

either 1) intent and method targeted at the intentional exploitation of a vulnerability or 2) a situation and method that may accidentally trigger a vulnerability

A

Threat source

93
Q

incorporates risk management processes to ensure alignment of IT with business objectives, and a control framework

A

COBIT

94
Q

means that the records are used rarely but must be retained for reference or to meet the full retention requirement. Inactive records usually involve a patient who has not sought treatment for a period of time or one who completed his or her course of treatment.

A

Records, Inactive

95
Q

Described as a contract in which the parties agree to electronically exchange data to protect the transmitted data. The sender and receiver are required to depend on each other to maintain the integrity and confidentiality of the transmitted information.

A

Chain of Trust Agreement

96
Q

administrative actions, policies, and procedures to manage the selection, development, implementation and maintenance of security measures to safeguard ePHI and manage the conduct of the covered entity’s workforce in relation to the protection of that information.

A

Administrative Safeguards

97
Q

Targets merchants who accept product and service payments from customers using specific credit cards.

A

Payment Card Industry Data Security Standard

98
Q

a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source

A

Vulnerability

99
Q

Has been a champion of patient safety by helping healthcare organizations to improve the quality and safety of the care they provide. Evaluates and accredits healthcare organizations and programs in the US and is the nation’s predominant standards setting and accrediting body in healthcare. The National Patient Safety Goals (NPSGs) required to be implemented by all accredited organizations to improve the safety and quality of care, are updated annually.

A

Joint Commission

100
Q

A type of medical savings account that allows the patient to save money to pay for current and future medical expenses on a tax-free basis. The patient must be covered by a high-deductible plan and not have any other health insurance. A good option for individuals who want to protect themselves from catastrophic health care costs but don't anticipate many day-to-day medical costs.

A

Health Savings Account

101
Q

Assumes that a small percentage of threats from purposeful cyber attacks will be successful in compromising organizational information systems through the supply chain by defeating the initial safeguards and countermeasures.

A

Agile Defense

102
Q

state what needs to be done

A

policies

103
Q

Typically employs a set of methods, principles, or rules for assessing risk based on the use of numbers.

A

quantitative assessments

104
Q

typically employs a set of methods, principles, or rules for assessing risk that uses bins, scales or representative numbers whose values and meanings are not maintained in other contexts

A

Semi quantitative assessments

105
Q

a senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations and assets, individuals, other organizations and the nation

A

authorizing official

106
Q

any of the following activities of the covered entity to the extent that the activities are related to covered functions: conducting quality assessment and improvement activities; reviewing the competence or qualifications of healthcare professionals; underwriting and premium rating; conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; business planning; business management and general administrative activities of the entity.

A

Healthcare Operations

107
Q

the health care term that refers to the compensation or repayment for health care services. Reimbursement is being repaid or compensated for expenses already incurred or, as in the case of health care, for services that have already been provided.

A

Reimbursement

108
Q

GCP is a process that incorporates established ethical and scientific quality standards for the design, conduct, recording, and reporting of clinical research involving the participation of human subjects. Compliance provides public assurance that the rights, safety, and well-being of research subjects are protected and respected and ensures the integrity of clinical research data.

A

Good Clinical Research Practice

109
Q

The HIPAA privacy rule also permits providers that typically provide health care to a common set of patients to designate themselves as an OHCA for purposes of HIPAA. For example, an academic medical center often includes university-affiliated physicians and a hospital or health system.

A

Organized Health Care Arrangement

110
Q

means that the records are consulted or used on a routine basis. Routine functions may include activities such as release of information requests, revenue integrity audits, or quality reviews.

A

Records, Active

111
Q

a governance structure where the authority, responsibility, and decision-making power are vested in and delegated to individual subordinate organizations within the parent organization

A

decentralized information security governance structure

112
Q

controls that reduce the risk of exposing sensitive personal and health information

A

detective controls

113
Q

The amount of information that is transmitted over a period of time. A process of learning or education could necessitate a higher _______________ than a quick status update.

A

Bandwidth

114
Q

Individuals assigned the responsibilities involved with the privacy policy/ standard/ procedure structures

A

Privacy Professionals

115
Q

(DLM) is a policy-based approach to managing the flow of an information system’s data through its lifecycle. DLM products automate the processes involved, typically organizing data into separate tiers according to specified policies, and automating data migration from one tier to another based on those criteria. As a rule, newer data and data that must be accessed more frequently is stored on faster but more expensive storage media, while less critical data is stored on cheaper but slower media.

A

Data Lifecycle Management

116
Q

an assessment designed to recognize the current security posture of your organization and set realistic expectations of the targeted security posture

A

gap analysis

117
Q

Requires physician practices to implement a number of administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of ePHI

A

Security Rule

118
Q

A group of records maintained by or for a covered entity that includes the medical records and billing records about individuals maintained by or for a covered healthcare provider; the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or used in whole or in part, by or for the covered entity to make decisions about individuals.

A

Designated record set

119
Q

any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure or modification of information, and/ or denial of service

A

Threat

120
Q

offer suggestions or directions for satisfying the policies

A

Guidelines

121
Q

protects the interests of shareholders and ensures that management does not act in a manner that is inconsistent with the interests of stakeholders

A

Governance

122
Q

the enforcement of due care policy and provisions to ensure that the due care steps taken to protect assets are working effectively

A

Due Diligence

123
Q

The removal of the set of characteristics so that the document is no longer PHI. This practice is frequently associated with research projects involving health trends conducted by hospitals or universities.

A

De-Identification

124
Q

responsible for documenting the organization identified common controls in a security plan

A

Common control providers

125
Q

(APGs) were developed to encompass the full range of ambulatory settings, including same day surgery units, hospital emergency rooms, and outpatient clinics. They are a patient classification system designed to explain the amount and type of resources used in an ambulatory visit. Patients in each have similar clinical characteristics and similar resource use and cost. Similar resource use means that the resources used are relatively constant across the patients within each APG.

A

Ambulatory Patient Groups

126
Q

The release, transfer, provision of access to, or divulging in any other manner of protected health information outside the entity holding the information

A

Disclosure

127
Q

Provides an independent view of the design, effectiveness, and implementation of controls

A

Auditor

128
Q

Insurance against the risk of incurring medical expenses among individuals. By estimating the overall risk of healthcare and health system expenses, among a targeted group, an insurer can develop a routine finance structure, such as a monthly premium or payroll tax, to ensure that money is available to pay for the healthcare benefits specified in the insurance agreement.

A

Health insurance

129
Q

a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network

A

Exposure

130
Q

EPOs are similar to PPOs but they reimburse members for services rendered by providers in their network only. Like PPOs, the patient pays a percentage of every medical bill up to a certain level. Some EPOs allow the patient to forgo a primary care physician and refer themselves to a specialist as long as that provider is in the network. May limit coverage to providers inside their network.

A

Exclusive Provider Organizations

131
Q

Provides the framework to describe the comprehensive management of health information across computerized systems and its secure exchange between consumers, providers, government and quality entities, and insurers. Computers and telecommunications are used for storing, retrieving, and sending information with the goal of bringing about an age of patient and public centered health information and services

A

Health Information Technology

132
Q

An individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture

A

Information Security Architect

133
Q

Encompasses such activities as frequency and basic statistic reports, table relationships, phrase and element analysis and business rule discovery. It is primarily done before any data-oriented initiative and often can be used to pinpoint where further efforts need to be focused

A

Data Profiling

134
Q

A classical definition is a person who helps in identifying or preventing or treating illness or disability.

A

Provider

135
Q

Identifies five areas of internal control necessary to meet the financial reporting and disclosure objectives

A

COSO

136
Q

Any information that allows positive identification of an individual, usually as a combination of several characteristics

A

Personally Identifiable Information

137
Q

a software program, or the computer on which that program runs, that provides a specific kind of service to client software running on the computers on a network.

A

Server

138
Q

provides a common language that enables a consistent way of capturing, sharing, and aggregating health data across specialties and sites of care. It is highly detailed terminology designed for input, not reporting.

A

SNOMED-CT

139
Q

the entity that has the relationship with the patient. That could be a doctor, hospital, pharmacy, or insurance company

A

Primary Entity

140
Q

Information that may be individually identifiable health information and that summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan, and from which the identifiers of the individual or of relatives, employers, or household members of the individual have been removed.

A

Summary health information

141
Q

an entity with whom the primary entity does business. In the US, this relationship would be defined under HIPAA as the covered entity and business associate

A

Third Party

142
Q

means maintaining and assuring the accuracy and consistency of data over its entire life cycle. This means that data cannot be modified in an unauthorized or undetected manner. It is violated when a message is actively modified in transit.

A

Integrity

143
Q

performed by the plan sponsor of a group health plan on behalf of the group health plan and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor

A

Plan Administration Functions

144
Q

Not for profit, ANSI-accredited standards developing organization dedicated to providing a comprehensive framework and related standards for the exchange, integration, sharing, and retrieval of electronic health information that supports clinical practice and the management, delivery, and evaluation of health services.

A

Health Level Seven International

145
Q

communication occurs when two parties exchange messages across a communication channel at the same time (e.g., face-to-face, telephone, online chat). The primary advantage is the ability for immediate feedback and clarification when necessary.

A

Synchronicity

146
Q

NUBC is a voluntary committee whose work is coordinated through the offices of the American Hospital Association (AHA) and includes participation of all the major national provider and payer organizations. The committee was originally formed to develop a single standard billing format and data set to be used nationwide by institutional providers and payers for handling healthcare claims. Today the committee monitors and manages the utilization of this standard (UB) and data set used throughout the industry for billing transactions.

A

National Uniform Billing Committee

147
Q

persistent personal attention

A

Assiduity

148
Q

Legislation that was created to stimulate the adoption of EHR and supporting technology in the US. Signed into law on 02/17/09 as part of the American Recovery and Reinvestment Act of 2009, an economic stimulus bill. It stipulates that, beginning in 2011, healthcare providers will be offered financial incentives for demonstrating meaningful use of EHR. Incentives were offered until 2015, after which time penalties may be levied for failing to demonstrate such use. The act also establishes grants for training centers for the personnel required to support a health IT infrastructure.

A

HITECH

149
Q

controls that could include requirements such as encrypting data in transit and at rest and intrusion detection and prevention capabilities

A

technical controls

150
Q

the appropriate risk response when the identified risk is within the organizational risk tolerance

A

Risk acceptance

151
Q

Is an architecture that divides processing between clients and servers that can run on the same machine or on different machines on the same network. It is a major element of the modern operating system and network design. End users access workstation computers and other physical automated equipment directly while performing healthcare functions.

A

Server: Client-Server

152
Q

AKA episode-based payment. Is defined as the reimbursement of healthcare providers (such as hospitals and physicians) “on the basis of expected costs for clinically defined episodes of care.” The middle ground between fee-for-service and capitation.

A

Bundled Payment

153
Q

An individual’s permission for a covered entity to use or disclose PHI for a certain purpose, such as a research study.

A

Authorization

154
Q

Technical research reports targeting specialized audiences, including interim and final reports. These are for information technology and security specialists who wish to keep abreast of the latest research within the CSD

A

NIST Interagency Reports

155
Q

A govt program of hospitalization insurance and voluntary medical insurance for persons aged 65 and over, and for certain disabled persons under 65

A

Medicare

156
Q

An action or practice that closes a vulnerability or a weakness that would allow a threat to protected information to be actualized, for example when protected personal information is lost or misused

A

Control

157
Q

A contract with a covered entity that meets the HIPAA Privacy Rule’s applicable contract requirements

A

Business Associates Agreement

158
Q

the process of submitting and following up on claims with health insurance companies in order to receive payment for services rendered by a healthcare provider. The same process is used for most insurance companies or govt-sponsored programs. The process is an interaction between a healthcare provider and the insurance company (payer). The entirety of this interaction is known as the billing or revenue cycle. This can take anywhere from several days to several months to complete and requires several interactions before a resolution is reached.

A

Medical billing

159
Q

The way to standardize and verify data is to use a reference database or a defined set of business rules and corporate standards. The quality building block includes technologies that encompass parsing, transformation, verification, and validation.

A

Data Quality

160
Q

a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.

A

Payment Card Industry

161
Q

a branch of the chemical industry that manufactures drugs. The industry comprises enterprises that produce synthetic and plant-derived preparations, antibiotics, vitamins, blood substitutes, and hormone preparations derived from animal organs, and drugs in various dosages (including injection solutions in ampules, tablets, lozenges, capsules, pills, and suppositories), as well as ointments, emulsions, aerosols, and plasters. Its companies are allowed to deal in generic and/or brand medications and medical devices. They are subject to a variety of laws and regulations regarding the patenting, testing, safety, efficacy, and marketing of drugs.

A

Pharmaceutical Industry

162
Q

a system designed to ensure information is marked in such a way that only those with an appropriate level of clearance can have access to the information

A

classification system

163
Q

FFS is a payment model where services are unbundled and paid for separately. Doctors and hospitals are paid for each service they perform. It gives an incentive for physicians to provide more treatments because payment is dependent on the quantity of care, rather than the quality of care.

A

Fee for Service

164
Q

the most widely recognized medical classification, maintained by the World Health Organization. Its primary purpose is to categorize diseases for morbidity and mortality reporting. The United States has used a clinical modification for the additional purpose of reimbursement; the CM in the name means clinical modification. It is used by hospitals and other facilities to describe any health challenges a patient has, from diagnosis and symptoms to outcomes of treatment to causes of death. ICD-10-CM and PCS group together similar diseases and procedures and organize related entities for easy retrieval.

A

International Classification of Disease

165
Q

“value-based purchasing,” is an emerging movement in health insurance. Providers under this arrangement are rewarded for meeting pre-established targets for delivery of health care services. This is a fundamental change from fee-for-service payment.

A

Pay for Performance

166
Q

an organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system.

A

Information Systems Owner

167
Q

a set of self-assessment steps to enable UK healthcare organizations to comply with the Department of Health Information Governance policies and standards

A

IG Toolkit

168
Q

Is the electronic management of digital and analog records contained in IT systems using computer equipment and software according to accepted principles and practices of records management. Is the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of analog and digital records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records.

A

Electronic Records Management

169
Q

Refers to all individually identifiable health information a covered entity or business associate creates, receives, maintains or transmits in electronic form.

A

Electronic Patient Health Information

170
Q

the government provides its own health insurance, but private insurance companies continue to provide insurance as another option for citizens. Proponents point to private insurance’s inability to provide for every single person, often leaving people without health care coverage, which can result in avoidance of care and even bankruptcy.

A

Public Health Insurance

171
Q

a confederation of stakeholders at the forefront of HIE, including federal agencies; state, regional, and local health information organizations; integrated delivery networks, and private organizations.

A

Nationwide Health Information Network Exchange

172
Q

An initiative by healthcare professionals and industry to improve the way computer systems in healthcare share information. IHE promotes the coordinated use of established standards such as DICOM and HL7 to address specific clinical needs in support of optimal patient

A

Integrating the Healthcare Enterprise

173
Q

individually identifiable information that is held or transmitted by a covered entity or business associate in any form or media — whether electronic, paper, or oral — that relates to the past, present, or future physical or mental health of an individual, health care services, or payment for health care.

A

Protected Health Information

174
Q

Typically feature lower premiums and higher deductibles than traditional insurance plans.

A

High Deductible Health Plans

175
Q

a hosted service offering that acts as an intermediary between business partners such as hospitals and insurance payers. A VAN simplifies the communications process by reducing the number of parties with which a company needs to facilitate electronic data interchange (EDI). VANs provide a number of services, e.g., HIPAA compliance checking, acknowledgements, retransmitting documents, providing third-party audit information, acting as a gateway for different transmission methods, and handling telecommunications support.

A

Value-added Network (VAN)

176
Q

Define limitations or boundaries to the how

A

Standards

177
Q

the form of managed care closest to an indemnity plan, which typically allows you to see any doctor, any time. Negotiates discounts with doctors, hospitals, and other providers, who then become part of the network.

A

Preferred Provider Organization

178
Q

involves activities that result in false claims to insurers or programs such as Medicare in the United States or equivalent state programs for financial gain to a pharmaceutical company.

A

Pharmaceutical Fraud

179
Q

(ACE) legally separate covered entities that are affiliated may designate themselves as a single covered entity for the purposes of the HIPAA Privacy Rule. Under this affiliation, the organizations need only designate one privacy official, administer common training programs, and use one business associate contract.

A

Affiliated Covered Entity

180
Q

Sometimes doctors reach an agreement with a managed care organization where the doctor is paid per person. Under this agreement, doctors accept members of the plan for a certain set price per member, no matter how often the member sees the doctor.

A

Capitation

181
Q

the systematic use of data and related business insights developed through applied analytical disciplines (e.g. statistical, contextual, quantitative, cognitive, etc.) to drive fact-based decision making for planning, management, measurement, and learning. They may be descriptive, predictive, or prescriptive. Can provide the mechanism to sort through the torrent of complexity and data, and help healthcare organizations deliver on these demands.

A

Analytics

182
Q

When using or disclosing PHI or when requesting PHI from another covered entity, a covered entity generally must make reasonable efforts to limit PHI to the _________________ to accomplish the intended purpose of the use, disclosure, or request.

A

Minimum necessary

183
Q

regulations are divided into four Standards or Rules: (1) Privacy, (2) Security, (3) Identifiers, and (4) Transactions and Code Sets (TCS). The TCS Standard/Rule was first released in August 2000 and updated in May 2002; it took effect on 16 October 2003 for all covered entities. Regulations associated with the TCS Rule mandate uniform electronic interchange formats for all covered entities. It is this standardization along with the introduction of uniform identifiers for plans, providers, employers, and patients under the Identifier Rule that is expected to produce the efficiency savings of “administrative simplification.”

A

The HIPAA Transaction and Code Sets Standard/Rule (TCS)

184
Q

must protect the computer network and its services from unauthorized modification, destruction, or disclosure.

A

Network Security

185
Q

the principle that states that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data

A

Security safeguards principle

186
Q

electronic systems that store a patient’s health information, such as the patient’s history of diseases and which medications the patient is taking. Provide information even after the doctor’s office is closed.

A

Electronic Health Records

187
Q

the principle that states that the purposes for which personal data is collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose

A

Purpose specification principle

188
Q

controls that relate to those activities required when addressing a security incident

A

corrective controls

189
Q

The highest level senior official or executive within an organization with the overall responsibility to provide information security protections

A

Head of agency

190
Q

Publications that specifically target US federal agencies and are currently the approved standards for compliance with the Information Technology Reform Act of 1996 and FISMA of 2002

A

Federal Information Processing Standards

191
Q

formal, documented policies and procedures for granting different levels of access to healthcare information

A

Information Access Control

192
Q

combines elements of both a Health Maintenance Organization (HMO) and a Preferred Provider Organization (PPO). The plan allows you to use a primary care physician to coordinate your care, or you can self-direct your care at the “point of service.”

A

Point-of-Service Plan

193
Q

an identification system that identifies a human from a measurement of a physical feature or repeatable action of the individual, such as hand geometry, retinal scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence characteristics, voice prints, and handwritten signature

A

Biometric Identification

194
Q

state how the policies are meant to be implemented

A

Procedures

195
Q

is a network that provides shared communications and resources in a relatively small area.

A

Local Area Network

196
Q

Potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization

A

Risk

197
Q

includes demographic, geographic, and credit information. Can also encompass data management algorithms and methodologies that combat unique clinical data problems.

A

Data Augmentation

198
Q

The practice of using a network of remote servers hosted on the internet to store, manage, and process data, rather than a local server or personal computer. Offered in different forms: Public, Private, and Hybrid.

A

Cloud Computing

199
Q

the principle that states that personal data should be relevant to the purposes for which it is to be used, and to the extent necessary for those purposes, should be accurate, complete, and kept up to date

A

Data quality principle

200
Q

A weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability

A

Likelihood

201
Q

The life cycle of records management begins when information is created and ends when the information is destroyed.

A

Records Retention

202
Q

means a single legal entity that is a covered entity and whose covered functions are not its primary function

A

Hybrid entity

203
Q

The interdisciplinary study of the design, development, adoption, and application of IT-based innovations in healthcare services delivery, management, and planning. Its law deals with evolving and sometimes complex legal principles as they apply to information technology in health-related fields. It addresses the privacy, ethical, and operational issues that invariably arise when electronic tools, information, and media are used in healthcare delivery. Also applies to all matters that involve technology, health care, and the interaction of information. It deals with the circumstances under which data and records are shared with other fields or areas that support and enhance patient care

A

Health informatics

204
Q

specific technical staff who are involved in implementing the software systems that support health information processing

A

Data Processors

205
Q

a type of fee-for-service because the patients or the guarantors (responsible persons, such as the parents of children) pay a specific amount for each service received. The patients or guarantors make such payments themselves to the providers, such as physicians, clinics, or hospitals, who then render each service. The patients or guarantors then seek reimbursement from their private health insurance or the governmental agency that covers their health benefits.

A

Self-Pay

206
Q

similar to DRGs in concept. Each facility is paid a daily rate based on the needs of individual Medicare patients, with an adjustment for local labor cost.

A

Resource Utilization Groups

207
Q

An organization’s leadership exercises the care which ordinarily prudent and reasonable persons would exercise under the same circumstances

A

Due Care

208
Q

The staff responsible for the maintenance and integrity of the data systems (software and hardware) that house and process data containing PHI. This will include keeping the systems updated, backing up stored data, and maintaining and monitoring network activity for potential vulnerabilities.

A

Data Custodian

209
Q

Restricts covered entities’ and business associates’ use and disclosure of an individual’s PHI

A

HIPAA Privacy Rule

210
Q

(DRG) is a capitation approach that focuses on hospitalization. Price is set based on categories of illnesses. The DRG classification of diseases is a nominal scale used to describe the illness leading to hospitalization.

A

Diagnosis related groups

211
Q

is intended for the use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals. Types include self-care, electronic, diagnostic, surgical, durable medical equipment, acute care, emergency and trauma, long-term care, storage, and transport.

A

Medical device

212
Q

an impermissible use or disclosure under the privacy rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

A

Breach

213
Q

allow for extra barriers between unauthorized users and the protected information resources

A

Compensating controls

214
Q

Often called group health insurance; the employer is responsible for a significant portion of the healthcare expenses. Group health plans are also guarantee issue, meaning that a carrier must cover all applicants whose employment qualifies them for coverage. In addition, employer-sponsored plans typically are able to include a range of plan options, from HMO and PPO plans to additional coverage such as dental, life, and short- and long-term disability.

A

Employer Sponsored insurance

215
Q

the set of standards aimed at the general IS audience within or without the federal govt. These are the most public set of standards documents and represent outreach and collaborative efforts with information technology specialists in govt, private organizations, and higher education.

A

Special Publications

216
Q

Utilizes a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by healthcare organizations

A

Health Information Trust Alliance HITRUST Common Security Framework CSF Assurance Program

217
Q

Must manage organizational information so that it is timely, accurate, complete, cost-effective, accessible, and usable. An effective program addresses both creation control and records retention, thus stabilizing the growth of records in all formats.

A

Healthcare Records Management

218
Q

a store where medicinal drugs are dispensed or compounded and sold. It can also be defined as a branch of health sciences that deals with the preparation, dispensing, and utilization of drugs. Involves the process through which a pharmacist cooperates with a patient and other professionals in designing, implementing, and monitoring a therapeutic plan that will produce specific therapeutic outcomes for the patient.

A

Pharmacy

219
Q

This technical report catalogs nearly 100 implemented and proposed payment reform programs, classifies each of these programs into one of 11 payment reform models, and identifies the performance measurement needs associated with each model. A synthesis of the results suggests near-term priorities for performance measure development and identifies pertinent challenges related to the use of performance measures as a basis for payment reform. The report is also intended to create a shared framework for analysis of future performance measurement opportunities. This report is intended for the many stakeholders tasked with outlining a national quality strategy in the wake of health care reform legislation.

A

Patient Protection and Affordable Care Act of 2010

220
Q

monitors network performance and identifies attacks and failures. Mechanisms include components that enable network administrators to monitor and restrict resource access.

A

Network Management

221
Q

the PII involved with the healthcare and treatment of an individual

A

Personal Health Information

222
Q

an individual responsible for ensuring that the appropriate operational security posture is maintained for an information system and who, as such, works in close collaboration with the information system owner

A

Information System Security Officer

223
Q

Information can flow between the supplier and the recipient directly, or through an information technology. Mediated flow paths require some use of information technology to allow information to flow, while unmediated flow paths do not require information technology to transfer the information.

A

Flow Paths

224
Q

The individual's permission to participate in the research. Provides research subjects with a description of the study and of its anticipated risks and/or benefits, and a description of how the confidentiality of records will be protected, among other things.

A

Informed Consent

225
Q

a set of principles determined jointly by the American Institute of Certified Public Accountants (AICPA). The principles are based on commonly accepted privacy standards for protecting personal information.

A

Generally Accepted Privacy Principles

226
Q

A program that looks at the different types of data an organization handles, classifies those pieces of data based on sensitivity, and establishes procedures to make sure each of these pieces of information is treated properly. The big-picture rationale of a data classification program is to reduce risk and bring enterprise-wide consistency to data handling.

A

Data Classification

227
Q

an organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal

A

Information Owner

228
Q

an individual or group within an organization that helps to ensure that risk-related considerations for individual information systems, including authorization decisions, are viewed from an organization-wide perspective

A

Risk Executive

229
Q

a tool to streamline, automate, and re-engineer business processes.

A

Workflow Management Systems (WfMSs)

230
Q

an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls

A

Security Control Assessor

231
Q

a system in which individuals are responsible for securing their own health insurance coverage, although employers in many cases provide all or some of the funding. Supporters of the system say that it encourages freedom of choice for health insurance and provides the best possible quality of care.

A

Private Health Insurance

232
Q

a combination name/number assigned and maintained in security procedures for identifying and tracking individual user identity

A

Unique user identifier

233
Q

Allows healthcare professionals and patients to appropriately access and securely share a patient's vital information electronically.

A

Health Information Exchange

234
Q

the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability

A

Impact