HIPAA Security Rule Flashcards

1
Q

2 purposes of the Security Rule

A
  1. implement appropriate security safeguards to protect ePHI
  2. Protect an individual's health information

2
Q

What does the Security Rule protect?

A

electronic PHI

3
Q

Difference between Privacy and Security Rules

A

Privacy: protects PHI regardless of medium

Security: ePHI

4
Q

Which office enforces the security rule?

A

Office for Civil Rights of HHS

5
Q

What does it mean to “protect” the data?

A

CEs must ensure integrity and confidentiality

6
Q

What is integrity?

A

Lack of alteration or destruction in an unauthorized manner

7
Q

What is a key characteristic of the Security Rule?

A

It must be flexible

(NOTE: small organizations cannot implement the same measures as large organizations.)

8
Q

Security Rule: Required (R) implementation

A

Must be implemented as laid out

9
Q

Security Rule: Addressable (A) implementation

A

Must be implemented as laid out OR in an alternate manner OR documented if not needed

10
Q

Can addressable implementation specifications be ignored?

A

No

11
Q

5 components of HIPAA Security Rule

A

A. General Requirements
B. Flexibility of Approach
C. Standards
D. Implementation Specifications
E. Maintenance

12
Q

HIPAA Security Rule: A- General Requirements (4)

A
  • ensure confidentiality and integrity
  • protect ePHI from threats
  • protect against reasonably anticipated ePHI uses/disclosures
  • ensure workforce compliance
13
Q

HIPAA Security Rule: B- Flexibility of Approach (4)

A
  • CE size and complexity
  • security capabilities
  • cost of security measures
  • risk management
14
Q

HIPAA Security Rule: C- Standards Safeguards (5)

A
  1. Administrative
  2. Physical
  3. Technical
  4. Organizational Requirements
  5. Policies, Procedures and Documentation
15
Q

Admin Safeguards (Security management process)

A

Implement procedures to prevent, detect, contain, and correct security violations

Ex:
- Risk analysis (R)
- Risk management (R)
- Sanction policy (R)
- Info system activity review (R)

16
Q

Admin Safeguards (Security management process) - Sanction Policy

A

(R) Apply sanctions for non-compliance

17
Q

Admin Safeguards (Security management process) - Info System Activity Review

A

(R) Regular procedures to review information system activity

18
Q

Admin Safeguards (Assigned Security Responsibility)

A

(R) Identifying a security official responsible for developing and implementing security policies

19
Q

Admin Safeguards (Workforce Security)

A

Policies to ensure appropriate access to ePHI

Ex:
- Authorization/Supervision (A)
- Clearance procedures (A)
- Termination procedures (A)

20
Q

Administrative Safeguards: Info Access Management

A

Procedures authorizing access to ePHI

Ex:
- Isolate clearinghouse functions (R)
- Access authorization (A)
- Access establishment & modification (A)

21
Q

Administrative Safeguards: Security Awareness Training

A

Implementing a security and awareness training program for workforce members

Ex:
- Security reminders (A)
- Login monitoring (A)
- Password management (A)

22
Q

Administrative Safeguards: Security Incident Reporting

A

Policies to address security incidents

Ex:
- Response & reporting (R)

23
Q

Administrative Safeguards: Contingency Plan

A

Policies for responding to an emergency or other occurrence that may damage ePHI

Ex:
- Data backup plan (R)
- Disaster recovery (R)
- Emergency mode operation (R)
- Testing & revision procedures (A)
- Application and data criticality analysis (A)

24
Q

Administrative Safeguards: Evaluation

A

Performing periodic technical and non-technical evaluations (R)

25
Q

Administrative Safeguards: BA Contracts & Other Arrangements

A

CEs permit BAs to handle ePHI on their behalf through a written contract

26
Q

Three instances where BA cannot transmit ePHI

A
  1. transmission to provider for treatment
  2. transmission to a health plan
  3. transmission when the CE is a government health plan providing public benefits
27
Q

4 categories of physical safeguards

A
  1. Facility Access Controls
  2. Workstation Use
  3. Workstation Security
  4. Device and Media Controls
28
Q

Physical Safeguards: Facility Access Controls

A

Limiting physical access to electronic information systems and the facilities in which they are housed

Ex:
- Contingency Operations (A)
- Facility Security Plan (A)
- Access Control and Validation Procedures (A)
- Maintenance Records (A)

29
Q

Physical Safeguards: Workstation Use

A

Policies that specify the proper functions to be performed on workstations (R)

30
Q

Physical Safeguards: Workstation Security

A

Physical safeguards for workstations that access ePHI (R)

31
Q

Physical Safeguards: Device and Media Controls

A

Policies that govern the receipt and removal of hardware and electronic media containing ePHI

Ex:
- Disposal (R)
- Media Re-Use (R)
- Accountability (A)
- Data Backup and Storage (A)

32
Q

5 categories of Technical Safeguards

A
  1. Access Control
  2. Audit Controls
  3. Integrity
  4. Person or Entity Authentication
  5. Transmission Security
33
Q

Technical Safeguards: Access Control

A

Implementing measures so that ePHI is accessed only by those who have been granted access rights

Ex:
- Unique User Identification (R)
- Emergency Access Procedures (R)
- Automatic Logoff (A)
- Encryption and Decryption (A)

34
Q

Technical Safeguards: Audit Controls

A

Measures that record and examine system activity

35
Q

Technical Safeguards: Integrity

A

Measures that protect ePHI from improper alteration or destruction

Ex:
- Mechanism to authenticate ePHI (A)

36
Q

Technical Safeguards: Person or Entity Authentication

A

Measures to verify that a person or entity seeking access is who they claim to be (R)

37
Q

Technical Safeguards: Transmission Security

A

Measures to guard against unauthorized access to ePHI transmitted over an electronic communications network

Ex:
- Integrity controls (A)
- Encryption (A)

38
Q

Two Categories of Organizational Requirements

A
  1. BA Contracts or other arrangements
  2. Group Health Plans
39
Q

Organizational Requirements: BA Contracts or other arrangements Must Have (3)

A
  • BA compliance
  • subcontractor compliance
  • reporting of security incidents to the CE
40
Q

Organizational Requirements: Group Health Plans

A

Requires plan sponsor to reasonably and appropriately safeguard ePHI

Ex:
- Plan Document (R)

41
Q

Can policies and procedures be changed?

A

Yes, as long as the changes are documented

42
Q

HHS Recommended Implementation Steps

A
  1. Assess current security and risks/gaps
  2. Develop a plan
  3. Implement solutions
  4. Document decisions
43
Q

HIPAA Security Rule: Security Officer Designation

A

Individual assigned to be responsible for overseeing the information security program

44
Q

HIPAA Security Rule: Part (e) - Maintenance

A

A continuing review of the reasonableness and appropriateness of a CE's or BA's (or subcontractor's) security measures

45
Q

Patient Matching Errors

A

Information is mismatched or not included in a patient's record

46
Q

Types of Security Threats (3)

A
  • Human (internal vs external)
  • Natural
  • Environmental (internal vs external)
47
Q

Examples of internal threats (2)

A
  • lack of MFA
  • victims of phishing
48
Q

Examples of external threats (1)

A
  • identity theft
49
Q

Types of Medical Identity Theft (2)

A
  1. Use without consent to obtain medical services
  2. Use to obtain money by falsifying claims
50
Q

HITECH Act and Medical ID Theft Red Flags

A

Red flags to capture medical identity theft

51
Q

Common Security Mechanisms (4)

A
  • biometric identification
  • automatic log-off
  • termination of access
  • audit trail
52
Q

Firewall protection

A

Hardware or software that examines traffic entering and leaving a network

53
Q

Viruses: File Infectors

A

Attach to program files

54
Q

Viruses: System or Boot-Record Infectors

A

Infect areas of hard disks or diskettes

55
Q

Viruses: Macro Viruses

A

Infects the Microsoft Word application, inserting unwanted words or phrases

56
Q

Viruses: Worm

A

Stores and replicates itself

57
Q

Viruses: Trojan Horse

A

Destructive programming code that hides itself in another piece of programming code