HIPAA Lesson 10 Flashcards

1
Q

The Privacy Rule requires covered entities to put in place physical safeguards to protect the confidentiality of all PHI. Here are some examples:

A
  • Locks on filing cabinets to protect paper PHI
  • Privacy screens on computer monitors to protect electronic PHI
  • Privacy curtains to protect visual PHI (for instance, in the emergency room)
  • Paper shredders to protect paper PHI
  • Quiet conversations to protect oral PHI
  • Access control to areas with any kind of PHI
2
Q

There are three main issues to consider relating to physical safeguards:

A
  1. How environmental issues affect systems
  2. How individuals enter an environment that may include sensitive systems or sensitive data
  3. Which types of physical security solutions are effective in identifying individuals and the extent of their access to facility areas
3
Q

Physical security is one area where the __________ need to work together to find solutions.

A

Privacy and Security Officer

4
Q

When the privacy and security officers put their heads together, they need to ask these questions:

A
  • Is access to the building controlled?
  • Is access to the computing facility controlled?
  • Does the organization require additional controls for access after hours?
  • Is there an audit log that records the individuals who enter the building, including the location of access and the time of access?
  • Has the team adequately protected systems from theft?
  • Are adequate procedures in place for disposal of protected health information in accordance with HIPAA requirements?
  • Do team members make sure to secure their workstations during and after hours?
  • Is someone monitoring and controlling the activities of cleaning crews?
  • Has the organization developed and tested a plan for operating in the event of an emergency?
  • Do team members send data backups to an off-site location for safe storage?
  • Has the organization developed procedures for testing and revising applications and systems?
  • Have members of the workforce received training on key security issues?
  • Has a disaster recovery plan been developed and tested to accommodate the possibility of damage to all or part of the facility?
  • Are procedures in place to retrieve facility access devices (keys, swipe cards, and so on) when members of the workforce are terminated or no longer need access to the facility?
  • What’s the procedure when a member of the workforce no longer requires access to the facility? Are access-management processes in place to change locks, change external combinations, deactivate access cards, and so on?
  • What steps are in place to protect against exposure if someone (such as a terminated employee or a vendor) inappropriately gains access to a facility? Has the team established access management for keys, security tokens, or fobs?
  • Has the team established safeguards to protect PHI from inadvertent exposure to the public?
5
Q

List the four standards of Physical Safeguards:

A
  1. Facility Access Controls
  2. Workstation Use
  3. Workstation Security
  4. Device & Media Controls
6
Q

List the four implementation specifications for Facility Access Controls:

A
  1. Contingency operations (A)
  2. Facility security plan (A)
  3. Access control and validation procedures (A)
  4. Maintenance records (A)
7
Q

What are the implementation specifications for the Workstation Use and Workstation Security standards?

A

None

8
Q

List the implementation specifications for Device and Media Controls:

A
  1. Disposal (R)
  2. Media reuse (R)
  3. Accountability (A)
  4. Data backup and storage (A)
9
Q

Implement policies and procedures to limit physical access to electronic information systems and areas where sensitive paper documents are stored and any facilities in which they are housed, while ensuring authorized access.

A

Facility Access Controls

10
Q

Covered entities must make plans to include access to the covered entity’s own facility or to an alternate facility in the case of an emergency.

A

Contingency Operations (A)

11
Q

This implementation specification requires covered entities to address policies and procedures to safeguard facilities and equipment. The plan should prevent unauthorized physical access, tampering, PHI viewing, and theft.

A

Facility Security Plan (A)

12
Q

Covered entities should address implementing policies and procedures to control access to facilities. You should base access on a person’s role or function. And your policies should include visitor control and access to software programs for testing and revision.

A

Access Controls and Validation Procedures (A)

13
Q

Covered entities should address implementing policies and procedures to fully document repairs and modifications to the physical components of a facility that relate to security. Think in terms of hardware: walls, doors, locks, external keypads to doors, and alarms.

A

Maintenance Records (A)

14
Q

A ________ is an electronic computing device.

A

Workstation

15
Q

Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can be used to access EPHI.

A

Workstation Use

16
Q

The workstation use standard also requires that workstation locations be secure; considerations include:

A
  • Physical attributes of the surroundings
  • Sensitivity of data that’s accessible from a site
  • Monitor positioning (screens turned away to prevent public viewing)
17
Q

Implement physical safeguards for all workstations that can be used to access EPHI, to restrict access to authorized users.

A

Workstation Security

18
Q

Workstation security is about preventing _______ of workstations.

A

Theft

19
Q

Implement policies and procedures that govern the receipt and removal of hardware and electronic media and devices that contain EPHI into and out of a worksite or facility, and the movement of these items within the worksite or facility.

A

Device and Media Controls

20
Q

This implementation specification requires covered entities to have policies and procedures to address the final disposition of electronic protected health information and the hardware or electronic media on which it’s stored. This specification covers archiving and retention of EPHI and the ultimate destruction of EPHI.

A

Disposal

21
Q

_______ directs a strong magnetic field at media; it erases data completely and makes the media (usually a hard drive) unusable.

A

Degaussing

22
Q

This implementation specification requires covered entities to have procedures for complete removal of electronic protected health information from electronic media before reusing it.

A

Media Reuse

23
Q

_______ is about recordkeeping. Covered entities should maintain a record of how hardware and electronic media move around in the workplace. This specification is to track the movement of all copies of EPHI, including its destruction.

A

Accountability

24
Q

Covered entities should address how to create a retrievable, exact copy of electronic protected health information.

A

Data Backup and Storage

25
Q

_______ refers to the technology and related policies, procedures, and practices that control access to electronic protected health information.

A

Technical Safeguards

26
Q

List the five Technical Safeguard standards:

A
  1. Access Control
  2. Audit Controls
  3. Integrity
  4. Person or Entity Authentication
  5. Transmission Security
27
Q

List the four implementation specifications for Access Control:

A
  1. Unique User Identification
  2. Emergency Access Procedure
  3. Automatic Logoff
  4. Encryption & Decryption
28
Q

List the implementation specification for Integrity:

A

Mechanism to Authenticate ePHI

29
Q

List the two implementation specifications for Transmission Security:

A
  1. Integrity Controls
  2. Encryption

30
Q

What are the implementation specifications for Audit Controls and Person or Entity Authentication?

A

None

31
Q

Implement technical policies and procedures for electronic information systems that maintain EPHI. These policies and procedures should contain access protocols that will establish and enforce the entity’s other access policies, and allow access only to those persons or software programs that have been granted access rights.

A

Access Control

32
Q

The ________ implementation specification requires covered entities to assign a unique identifier for each user. This is a required implementation specification.

A

Unique User Identification

33
Q

A unique identifier is a ________ characteristic for identifying and tracking user _______.

A
  1. Name, Number, or Physical
  2. Identity

34
Q

List examples of a unique identifier:

A
  • Digital signature: a means to provide signature verification by using a specially encrypted key assigned to an individual
  • Smart card: a card similar to a credit card that has unique user data embedded in the metallic strip
  • Soft token: a device that authorizes the use of laptops, PDAs, mobile phones, or other devices
  • Password: a unique series of letters and numbers that authenticate a user’s identity
  • Biometrics: a type of user authentication employing biological elements, such as thumbprints or retinal scans
35
Q

Covered entities must establish procedures for obtaining necessary electronic protected health information during an emergency.

A

Emergency Access Procedure

36
Q

Covered entities should address procedures for terminating an electronic session after a predetermined time of inactivity.

A

Automatic Logoff

37
Q

Unreadable information is inaccessible information!

A

Encryption and Decryption.

38
Q

________ is an acceptable method of denying access to information in files or directories and provides a way to ensure confidentiality, which is a form of access control.

A

File Encryption

39
Q

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI.

A

Audit Controls

40
Q

List some types of audit logs:

A
  • User logon and logoff times
  • User changes to files
  • Failed logon attempts
  • Attempts to access restricted files
  • System crashes or failures
41
Q

Implement policies and procedures to protect EPHI at rest, meaning stored on organizational systems and applications, from improper alteration or destruction.

A

Integrity

42
Q

This is an addressable implementation specification. Covered entities should have electronic mechanisms to confirm that no one and nothing has altered or destroyed electronic protected health information that’s at rest. “At rest” means stored somewhere in your organization’s electronic records.

A

Mechanism to Authenticate Electronic PHI

43
Q

______ technology is an error-detection scheme in which each transmitted message comes with a numerical value.

A

Checksum

44
Q

Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed.

A

Person or Entity Authentication

45
Q

Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.

A

Transmission Security

46
Q

Covered entities should make sure that electronic protected health information isn’t modified or destroyed until someone has either received it or disposed of it properly.

A

Integrity Controls

47
Q

Covered entities should have a mechanism to _______ transmitted EPHI.

A

Encrypt

48
Q

Which of these physical safeguards does the Security Rule require?

  • Locks on filing cabinets.
  • A workstation use policy.
  • Privacy curtains.
  • Paper shredder.

A

A workstation use policy

49
Q

Of the following implementation specifications, which one is applicable to the device and media controls standard?

  • Facility security plan.
  • Disposal.
  • Contingency operations.
  • Maintenance records.

A

Disposal

50
Q

Which of these is an example of a workstation as defined by HIPAA?

  • An electronic computing device.
  • An office.
  • An exam room.
  • A desk.

A

An electronic computing device

51
Q

"Encryption and decryption" is an implementation specification for which technical safeguard standard?

  • Access control.
  • Audit controls.
  • Integrity.
  • Person or entity authentication.

A

Access control

52
Q

In the field of information security, what does “wiping” a disk mean?

  • Physically destroying a disk.
  • Keeping a disk clean to preserve the integrity of its data.
  • Overwriting data on a disk.
  • Reformatting a disk.

A

Overwriting data on a disk