Unit 5: Privacy and Security of Health Information

Question 1

Privacy

Answer 1

The right of an individual to limit access to information about themselves unless it contradicts federal or state law

Question 2

Confidentiality

Answer 2

The expectation that information shared with a healthcare provider will be used only for its intended purpose

Question 3

Security

Answer 3

The protective measures and tools for safeguarding information in a system

ex: user names and passwords

Question 4

2009 HITECH Act

Answer 4

made laws safeguarding patient information more stringent due to the increased use and access to patient healthcare information

Question 5

Ohio Revised Code

Answer 5

more stringent than 1996 HIPAA

Question 6

RED Flag Rules

Answer 6

for providers that collect credit card information. Laws regard suspicions of medical identity fraud

Question 7

Covered Entity CE

Answer 7

Health plan, healthcare clearing house, or healthcare provider that transmits any health information in electronic form

Question 8

Protected Health Information PHI

Answer 8

individually identifiable health information held or transmitted by a CE or its business associate, electronic, paper, or verbal

Question 9

Designated Record Set DRS

Answer 9

a group of records maintained by the CE (typically a healthcare provider) that may include payment and medical information

Question 10

Use

Answer 10

PHI is used internally; quality department determines whether appropriate care was given

Question 11

Disclosure

Answer 11

PHI is disseminated from the CE (healthcare provider) and sent to an external source such as an attorney, insurance company, or another hospital

Question 12

Minimum Necessary

Answer 12

Limit the PHI disclosed to the least amount required to accomplish the intended purpose for which the information was requested

Question 13

PHI Identifiers subject to HIPAA

Answer 13

Name
Postal address
Telephone numbers
Fax numbers
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
License numbers
Vehicle identifiers (vin or plate)
Medical device identifiers
Biometrics
Full face photographs

Question 14

TPO Treatment, payment, operations

Answer 14

the times when PHI can be used

Question 15

AARA Requirements

Answer 15

Certification of EHRs
Mandated HIPAA Audits
Increased penalty severity
Business associates also subject to privacy and security regulations

Question 16

Internal security threats

Answer 16

hardware
Environment
Employees: human error, exploiting access, malice or gain

Question 17

External security threats

Answer 17

External humans who access data or steal hardware

Natural disasters: necessitates use of backup servers in an alternate location

Question 18

Confidentiality

Answer 18

only giving ePHI access to those who need it

Question 19

Integrity

Answer 19

Making sure data isn’t altered during transmission or storage

Question 20

Availability

Answer 20

Information must be available when needed for patient care and other uses to authorized users

Question 21

Administrative safeguards

Answer 21

people focused: training, policies, assessment

Question 22

Physical safeguards

Answer 22

mechanisms to protect hardware, software, and data
like locks on the door to the server room
should protect against fire, theft, etc

Question 23

Technical safeguards

Answer 23

use technology to protect data and control access

Question 24

Access controls

Answer 24

a computer software program designed to prevent unauthorized use of an information resource

Must have policies on who can view, create, and modify data

Question 25

Types of authentication

Answer 25

Role-based
User-based
Context-based
Emergency access procedure

Question 26

Role Based authentication

Answer 26

rights to read or edit are determined by role

Coders can read but not edit, wile nurses can add clinical information

Question 27

User Based

Answer 27

more specific and tailored than role based, but can be more difficult to manage and program

Question 28

Context based

Answer 28

combines role and context for data access

useful for nurses that may work in multiple unit with different data access needs

Question 29

Emergency access procedure

Answer 29

“break the glass”
usually occurs during a medical emergency
Need to be able to track who activated emergency access and why

Question 30

One factor authentication

Answer 30

like a user name and password, two things you know, one type of information

Question 31

Two factor authentication

Answer 31

combines two categories of access, such as something you know and something you have

Question 32

Token

Answer 32

physical device for security
Like an ID card
However these can be lost which is problematic

Question 33

Biometrics

Answer 33

retina scan, finger prints, voice prints, etc.

Very secure and difficult to forge

Question 34

Telephone callback

Answer 34

often used by remote employees to dial into the system with an approved phone number

Question 35

Automatic logoff

Answer 35

logs the use off after a specified amount of inactivity

should be paired with quick acting screensaver to hide patient info from people passing by

Question 36

Audit controls

Answer 36

mechanisms that record and examine activity in information systems

Hold users accountable for their actions
identify the causes of problems, extent, and how to fix
real time monitoring to identify breaches
Monitor for intrusions to prevent breaches

Question 37

Audit trails

Answer 37

record of audit system activities

system activities: log in and out
application level: what systems are used, what was seen and done
user level: actions of the user, and resources accessed

Question 38

Triggers

Answer 38

identify the need for a closer inspection

Question 39

Breach

Answer 39

unauthorized use, access, or disclosure of private health information that compromises privacy and security

Question 40

500 or more in breach

Answer 40

media is notified to increase patients awareness of potential medical fraud

Question 41

Medical identity theft

Answer 41

someone steals your identity and receives healthcare services under your name

someones information could end up in your chart and eff up your care as well as use up your insurance