HIPAA Lesson 9 Flashcards

1
Q

List the Security Rule three types of safeguards:

A

Administrative, physical, and technical.

2
Q

Administrative actions, policies, and procedures to manage a covered entity’s security choices and the conduct of its workforce in relation to electronic protected health information.

A

Administrative Safeguards

3
Q

List the nine administrative safeguard standards of the Security Rule:

A

  1. Security management process
  2. Assigned security responsibility
  3. Workforce security
  4. Information access management
  5. Security awareness and training
  6. Security incident procedures
  7. Contingency plan
  8. Evaluation
  9. Business associate contracts and other arrangements

4
Q

Implement policies and procedures to prevent, detect, contain, and correct security violations.

A

Security management process

5
Q

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

A

Risk analysis

6
Q

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule.

A

Risk management

7
Q

Apply appropriate penalties against workforce members who fail to comply with the entity’s security policies and procedures.

A

Sanction policy

8
Q

Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

A

Information system activity review

9
Q

Identify the security official who is responsible for the development and implementation of the policies and procedures required by this Rule for the entity.

A

Assigned security responsibility

10
Q

Implement policies and procedures to ensure that all members of [the] workforce have appropriate access to electronic protected health information, as provided under the Information Access Management standard, and to prevent those workforce members who do not have access from obtaining access.

A

Workforce security

11
Q

Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

A

Authorization and/or supervision

12
Q

Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

A

Workforce clearance procedure

13
Q

Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in the Workforce Clearance Procedure of this Rule.

A

Termination procedures

14
Q

Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part [the Privacy Rule].

A

Information access management

15
Q

If a healthcare clearinghouse is part of a larger organization, the clearinghouse operation must implement policies and procedures that protect the EPHI of the clearinghouse from unauthorized access by the larger organization.

A

Isolating healthcare clearinghouse function

16
Q

Implement policies and procedures for granting access to electronic protected health information—for example, through access to a workstation, transaction, program, process, or other mechanism.

A

Access authorization

17
Q

Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.

A

Access establishment and modification

18
Q

Implement a security awareness and training program for all members of [the] workforce (including management).

A

Security awareness and training

19
Q

Provide periodic security updates to members of the workforce.

A

Security reminders

20
Q

Implement procedures for guarding against, detecting, and reporting malicious software.

A

Protection from malicious software

21
Q

Implement procedures for monitoring login attempts and reporting discrepancies.

A

Login monitoring

22
Q

Implement procedures for creating, changing, and safeguarding passwords.

A

Password management

23
Q

Implement policies and procedures to address security incidents.

A

Security incident procedures

24
Q

Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents known to the covered entity; and document security incidents and their outcomes.

A

Response and reporting

25
Q

Establish (and implement as needed) policies and procedures for responding to emergencies and other occurrences that can damage data and systems containing EPHI.

A

Contingency plan

26
Q

Establish and implement procedures to create and maintain retrievable exact copies of EPHI.

A

Data backup and recovery plan

27
Q

Establish (and implement as needed) procedures to restore any loss of data.

A

Disaster recovery plan

28
Q

Establish (and implement as needed) procedures to enable continuation of critical business processes while maintaining the security of EPHI during emergency mode operation.

A

Emergency mode operation plan

29
Q

Implement procedures for periodic testing and revision of contingency plans.

A

Testing and revision procedures

30
Q

Assess the relative criticality of specific applications and data in support of other contingency plan components.

A

Applications and data criticality analysis

31
Q

Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule].

A

Evaluation

32
Q

A business associate [may] create, receive, maintain, or transmit EPHI on the covered entity’s behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.

A

Business associate contracts and other arrangements

33
Q

List the Security Management Process Implementation Specifications:

A

Risk analysis (R)
Risk management (R)
Sanction policy (R)
Information system activity review (R)

34
Q

List the Workforce Security Implementation Specifications:

A

Authorization and/or supervision (A)
Workforce clearance procedure (A)
Termination procedures (A)

35
Q

List the Information Access Management Implementation Specifications:

A

Isolating healthcare clearinghouse function (R)
Access authorization (A)
Access establishment and modification (A)

36
Q

List the Security Awareness and Training Implementation Specifications:

A

Security reminders (A)
Protection from malicious software (A)
Login monitoring (A)
Password management (A)

37
Q

List the Security Incident Procedures Implementation Specifications:

A

Response and reporting (R)

38
Q

List the Contingency Plan Implementation Specifications:

A

Data backup plan (R)
Disaster recovery plan (R)
Emergency mode operation plan (R)
Testing and revision procedure (A)
Applications and data criticality analysis (A)

39
Q

List the Business Associate Contracts and Other Arrangements Implementation Specifications:

A

Written contract or other arrangements (R)

40
Q

Which of these implementation specifications is part of the security management process standard?
o Risk management.
o Password management.
o Disaster recovery plan.
o Access authorization.

A

Risk management.

41
Q

What is a sanction policy?
o Penalties for failing to comply with security policies.
o A procedure to regularly review access reports.
o An assessment of potential risks and vulnerabilities.
o Security measures that reduce risks and vulnerabilities.

A

Penalties for failing to comply with security policies.

42
Q

Which administrative safeguard standard encompasses the concept of "minimum necessary"?
o Contingency plans.
o Assigned security responsibility.
o Evaluation.
o Workforce security.

A

Workforce security.

43
Q

What is the purpose of the security and awareness training standard?
o To establish policies and procedures for granting access to electronic protected health information.
o To isolate healthcare clearinghouse functions.
o To establish a contingency plan in case of an emergency.
o To train everyone in your workforce about good security practices.

A

To train everyone in your workforce about good security practices.

44
Q

"An attempted or successful unauthorized use of system operations" is the definition of which of the following?
o Evaluation.
o Security reminder.
o Security incident.
o Assigned security responsibility.

A

Security incident.

45
Q

These requirements seem vague to me. I work for a small provider, and we don’t have a lot of money to spend on lawyers and IT staff. How do I know if my organization is compliant?

A

HIPAA compliance is an ongoing activity. You’re never going to say, “Okay, I’m done with HIPAA now!” You’ll continually need to evaluate your organization and make common-sense decisions about what you can do better.

46
Q

Some of these requirements seem like they’re the same. Why are there six implementation specifications all about appropriate access?

A

Keep in mind that the Security Rule supports the Privacy Rule. “Minimum necessary” is a big part of the Privacy Rule, and that’s reflected in the Security Rule. Workforce security and information access management are similar standards, but they cover different aspects of ensuring overall appropriate access. By the way, appropriate access is just another phrase that means minimum necessary.