
Understanding HIPAA Legislation and Compliance, Exams of Nursing

This document covers the basics of HIPAA legislation, its purpose, and the HIPAA Administrative Simplification title. It discusses non-compliance penalties, the covered entities HIPAA applies to, viewing or accessing PHI without authorization, the appointment of a HIPAA compliance officer, and the purpose of a Notice of Privacy Practices. It also covers HIPAA health data security and privacy requirements, transactions and code sets, and national identifiers.

Typology: Exams

2023/2024

Available from 02/15/2024

john-wachira

Partial preview of the text

Download Understanding HIPAA Legislation and Compliance and more Exams Nursing in PDF only on Docsity! 2024 CHPSE Final Test New Latest Version with All Questions from Actual Past Exam and 100% Correct Answers Which transaction is appropriate for replying to X12 syntax errors that affect the entire transaction set? a. 835 b. 277 c. 997 d. 999 --------- Correct Answer --------- d. 999 Which two transactions form the Electronic Remittance Advice (ERA)? a. 997 and 277 b. 837 and 835 c. 997 and 835 d. 835 and 277 --------- Correct Answer --------- d. 835 and 277 The taxonomy is a required data element on which transaction? a. 837 institutional claim b. 837 professional claim c. 278 prior authorization d. All of the above --------- Correct Answer --------- d. All of the above How many taxonomy codes does a provider have? a. It depends on the provider's specialty b. One only c. A maximum of 3 d. None of the above --------- Correct Answer --------- c. A maximum of 3 What is the X12834 format used to establish? a. Claims Attachment b. Referral certification or authorization c. Communication between the sponsor of a health benefit and the health plan d. Health plan enrollment or disenrollment --------- Correct Answer --------- d. Health plan enrollment or disenrollment What does Transaction Set 997 do? a. It is used to make a premium payment for insurance products. b. It is used to inquire about the health care benefits and eligibility associated with a subscriber or dependent c. It is used to enroll members to a payer d. It is used to define the control structures for a set of acknowledgments to indicate the results of the syntactical analysis of the electronically encoded documents --------- Correct Answer --------- d. 
It is used to define the control structures for a set of acknowledgments to indicate the results of the syntactical analysis of the electronically encoded documents An Explanation of Payments (EOP) can only be used by a health plan to send remittance advice to a provider a. True b. False --------- Correct Answer --------- a. True Is there a limit to the allowable transmission size of an X12 transaction? a. Yes b. No --------- Correct Answer --------- b. No Is a payer required to send a response to an 837 transaction using EDI? a. Yes b. No --------- Correct Answer --------- b. No If a provider requests a health plan to conduct a transaction as a HIPAA compliant standard transaction, does the health plan have to do so? a. Yes, but the plan can require the provider to submit a minimum number of transactions usually 200 per month b. Yes, and also send the 835 RA in the electronic version c. No, if the provider's billing system is not on the plan's approved listing d. None of the above --------- Correct Answer --------- b. Yes, and also send the 835 RA in the electronic version 1. The following health plans are required to adhere to the HIPAA Privacy Rule: --------- Correct Answer ---------- a) Workers compensation b) Medicare c) Life insurance d) Malpractice 2. Why did Congress pass HIPAA in 1996? a) To make sure patient information was not shared with anyone for any reasons b) To penalize physicians who are guilty of malpractice c) To simplify health information exchange d) To prevent pharmaceutical companies from accessing any identifiable patient information --------- Correct Answer ---------- c) To simplify health information exchange What do HIPAA security standards require attention to? 
a) Confidentiality b) Integrity c) Availability d) All of the above --------- Correct Answer ---------- d) All of the above b) Review the HIPAA administrative simplification title c) Review non-compliance penalties (civil and criminal) d) All of the above --------- Correct Answer --------- d) All of the above Chapter 1: HIPAA Basics 8. The HIPAA act of 1996 resulted in substantial investment in e-health initiatives and deployment of security technology in the healthcare industry a) True b) False --------- Correct Answer --------- a) True Chapter 1: HIPAA Basics 9. What was not addressed in the HIPAA act of 1996? a) Insurance portability b) Fraud c) Administrative simplification d) Worker's Compensation case information --------- Correct Answer --------- d) Worker's Compensation case information Chapter 1: HIPAA Basics 10. Simplification of clinical data exchange was one of the goals of the HIPAA law a) True b) False --------- Correct Answer --------- b) False Chapter 1: HIPAA Basics 11. The HIPAA act impacted all except which of the following a) Standardization of electronic healthcare transaction b) PHI privacy c) Health insurance qualifications and underwriting d) Security standards protecting the availability, confidentiality, and integrity of individually identifiable health information --------- Correct Answer --------- c) Health insurance qualifications and underwriting Chapter 1: HIPAA Basics 12. Which of these covered entities are impacted by the HIPAA a) Health plans or health insurances b) Health providers (those involved in exchange of HIPAA covered transactions) c) Healthcare clearing houses d) All of the above --------- Correct Answer --------- d) All of the above Chapter 1: HIPAA Basics 13. Business associates of covered entities CANNOT be subject to HIPAA civil and criminal penalties because the rules apply to Covered Entities only a) True b) False --------- Correct Answer --------- b) False Chapter 1: HIPAA Basics 14. 
Which of the following technologies is not a method used for protection of PHI a) Firewalls b) Smart phones c) Virtual Private Networks (VPN) d) Smartcards --------- Correct Answer --------- b) Smart phones Chapter 1: HIPAA Basics 15. Under Civil penalties, there are how many tiers of penalties effective 2/18/2010? a) Two b) Three c) Four d) Five --------- Correct Answer --------- c) Four Chapter 1: HIPAA Basics 16. Informed intentional neglect on the part of the covered entity which is not corrected when identified is a violation of the HIPAA law a) True b) False --------- Correct Answer --------- a) True Chapter 1: HIPAA Basics 17. Viewing or accessing PHI of someone else without their authorization is not a violation of the HIPAA rule a) True b) False --------- Correct Answer --------- a) True Chapter 1: HIPAA Basics 18. HIPAA regulatory organizations include a) Federal Trade Commission (FTC) (regulates PHRs and RFR enforcement) b) American National Standards Institute (ANSI) (regulates transactions) c) Office of Civil Rights (OCR) (enforces privacy and security rules) d) All of the above --------- Correct Answer --------- d) All of the above Chapter 1: HIPAA Basics 19. Which among the below is one of the standards organization that that is designated to take care of maintenance of the HIPAA law a) Workgroup for Electronic Data Interchange (WEDI) - advisory for EDI data exchange mechanisms b) National Council for Vital and Health Statistics (NCVHS) Prescription drug programs (NCPDP) - advisory for pharma c) Office of Civil Rights (OCR) - DHHS enforcer of Security and Privacy rules d) American Medical Association (AMA)- DSMO keeper of CPT code set (Only DSMO here) --------- Correct Answer --------- d) American Medical Association (AMA)- DSMO keeper of CPT code set (Only DSMO here) Chapter 1: HIPAA Basics 20. Why did Congress include the HIPAA Administrative Simplification Provisions as part of HIPAA in 1996? 
a) To make sure patient information was always kept confidential and they had complete control over how their information was exchanged b) To penalize physicians who are guilty of malpractice c) To standardize health information exchange through standardized transactions and national identifiers d) To prevent pharmaceutical companies from accessing any identifiable patient information --------- Correct Answer --------- a) To make sure patient information was always kept confidential and they had complete control over how their information was exchanged Chapter 1: HIPAA Basics 21. The HIPAA Privacy and Security Rules require: a) The appointment of a HIPAA compliance officer b) The development and implementation of policies and procedures c) Special training for senior management d) All of the above --------- Correct Answer --------- d) All of the above Chapter 1: HIPAA Basics 22. All business associates are required to: a) Use & disclose PHI as stipulated in the business associate contract and as required by law b) Require all employees sign a confidentiality agreement c) Account for all disclosures made for treatment, payment and health care operations d) All of the above --------- Correct Answer --------- a) Use & disclose PHI as stipulated in the business associate contract and as required by law Chapter 1: HIPAA Basics 23. The HIPAA Privacy Rule: Chapter 1: HIPAA Basics 33. Combating fraud, waste and abuse is not one of the primary objectives of HIPAA a) True b) False --------- Correct Answer --------- a) True Chapter 1: HIPAA Basics 34. Minimum Necessary describes an amount of information needed that is always less than the total medical record. a) True b) False --------- Correct Answer --------- b) False Chapter 1: HIPAA Basics 35. Government agencies are not required to practice the security and privacy protections that HIPAA requires of healthcare providers since they are publicly funded. 
a) True b) False --------- Correct Answer --------- b) False Chapter 1: HIPAA Basics 36. In 2010, the HITECH Act required all Business Associates to do all things required of Covered Entities except a) Report all incidents and breaches to CMS and OCR b) Document all security incidents and breaches c) Comply with all Security and Privacy Rules d) Ensure all workforces members were properly trained in HIPAA requirements --------- Correct Answer --------- a) Report all incidents and breaches to CMS and OCR Chapter 1: HIPAA Basics 37. To comply with HIPAA, security programs need to concentrate on electronic protected health information. a) True b) False --------- Correct Answer --------- b) False Chapter 1: HIPAA Basics 38. Covered entities and business associates need to view the development of a sound privacy and security compliance program as meeting: a) Regulatory requirements b) Organizational strategic objectives c) Legal risk mitigation d) All of the above --------- Correct Answer --------- d) All of the above Chapter 1: HIPAA Basics 39. Policies and procedures: a) Must be developed for each compliance standard outlined in the HIPAA Privacy and Security Rules b) Must be stored in the manager or supervisor's office c) Must be updated periodically and reported to CMS when they are d) Must be retained for a minimum of eight years following the last date the policy was in effect --------- Correct Answer --------- a) Must be developed for each compliance standard outlined in the HIPAA Privacy and Security Rules Chapter 1: HIPAA Basics 40. 
If a privacy breach occurs: a) It is always because a workforce member did not comply with policy b) It is reportable only if it was intentional no matter how many records are involved c) The US Department of Health and Human Services must be notified immediately if the records exposed total 500 or more d) All of the above --------- Correct Answer --------- c) The US Department of Health and Human Services must be notified immediately if the records exposed total 500 or more Chapter 1: HIPAA Basics 41. "Use" includes all of the following except a) Transferring information to a business associate b) Evaluating claims data to determine if more information is needed before the claim can be paid c) Verbally discussing a patient's case with a colleague at another clinic d) Sharing protected health information between an organization's alcohol and chemical dependency treatment facility and the organization's employment services department -- ------- Correct Answer --------- d) Sharing protected health information between an organization's alcohol and chemical dependency treatment facility and the organization's employment services department Chapter 1: HIPAA Basics 42. Use of PHI for payment purposes includes all of the following except: a) Paid claims review for quality assurance purposes b) Case management c) Underwriting activity d) Preauthorization --------- Correct Answer --------- a) Paid claims review for quality assurance purposes Chapter 1: HIPAA Basics 43. Covered entities are required to: a) Honor all requests for restriction of access to patient or health plan member PHI b) Make any medical or claims record amendments requested by a patient or health plan member c) Provide an accounting of disclosures upon request d) In a direct care setting require all patients sign an acknowledgement of receipt of the Notice of Privacy Practices --------- Correct Answer --------- c) Provide an accounting of disclosures upon request Chapter 1: HIPAA Basics 44. 
A "Covered Entity" and a "Healthcare Provider" are always the same thing a) True b) False --------- Correct Answer --------- b) False Chapter 1: HIPAA Basics 45. Individually Identifiable Health Information (IIHI), Protected Health Information (PHI), and Patient Identifiable Information (PII) are different names for the same set of data. a) True b) False --------- Correct Answer --------- b) False Chapter 1: HIPAA Basics 1. A pended claim means: a) A health care claim that has been approved and paid b) A health care claim that needs to be manually processed because of a problem with the health plan's adjudication system c) A health care claim that is not rejected or processed by the health plan&#8217s adjudication system because of a potential problem or missing information d) A health care claim waiting to be sent by the provider to the health plan --------- Correct Answer --------- c) A health care claim that is not rejected or processed by the health plan&#8217s adjudication system because of a potential problem or missing information Chapter 2: Transactions and Code Sets Overview 2. "DDE" means: a) An electronic transaction that is not a HIPAA covered transaction b) An electronic transaction that includes all of the data elements of a HIPAA covered transaction c) The entry of PHI directly into a provider claims and billing system d) The direct transmission of clinical data between providers or between providers and health plans --------- Correct Answer --------- c) The entry of PHI directly into a provider claims and billing system c) Radiologist d) All of the above --------- Correct Answer --------- d) All of the above Chapter 2: Transactions and Code Sets Overview 14. What does this mean - "Real time transactions?" 
a) Transactions which are processed immediately as and when received b) Transactions that are sent immediately as services to patients are rendered c) Transactions that are received and paid immediately d) Paper transactions that takes a few days to get processed --------- Correct Answer ---- ----- b) Transactions that are sent immediately as services to patients are rendered Chapter 2: Transactions and Code Sets Overview 15. A claim that is not completely adjudicated by the health plan is called: a) Pended b) Rejected c) Batch d) Loop --------- Correct Answer --------- a) Pended Chapter 2: Transactions and Code Sets Overview 16. Which of the following cannot be a reason for a claim being rejected after processing? a) Incomplete data availability b) Not in proper format c) Proprietary data in the situational fields d) Incomplete investigation and adjudication by the health plan --------- Correct Answer - -------- d) Incomplete investigation and adjudication by the health plan Chapter 2: Transactions and Code Sets Overview 1. HIPAA covered transaction formats are maintained by: a) NCPDP b) ANSI ASC X12 c) CMS d) AMA --------- Correct Answer --------- b) ANSI ASC X12 Chapter 3: Transactions Code Sets Advanced 2. The 834 transaction is used for: a) Authorization b) Benefit premium payment c) Benefit enrollment and maintenance d) Eligibility determination --------- Correct Answer --------- c) Benefit enrollment and maintenance Chapter 3: Transactions Code Sets Advanced 3. The current version of the X12 transactions health plans and health care providers are required to use is the: a) 5010 version b) 4050 version c) 4010 version d) 4010a1 version --------- Correct Answer --------- a) 5010 version Chapter 3: Transactions Code Sets Advanced 4. 
The 278 is: a) Is used for certification, authorization and referral b) Is part of a unknown transaction c) Is used to determine the status of a claim d) Is used as an acknowledgement transaction when any of the HIPAA covered transactions have been received and includes any issues with that transaction --------- Correct Answer --------- a) Is used for certification, authorization and referral Chapter 3: Transactions Code Sets Advanced 5. ASC X12 transactions are made up of a series of loops a) True b) False --------- Correct Answer --------- a) True Chapter 3: Transactions Code Sets Advanced 6. In the Transmission Envelope Schematic, "Communication Transport Protocol" includes: a) Interchange Control Header/Trailer b) Financial Group Header/Trailer c) Transaction Set Header/Trailer d) All of the above --------- Correct Answer --------- d) All of the above Chapter 3: Transactions Code Sets Advanced 7. 837 Basic Transaction Flow would NOT be used for a) A hospital's claim for reimbursement of room charges b) Claims made by a pediatrician after examining a child c) A Dental claim d) Coverage verification --------- Correct Answer --------- d) Coverage verification Chapter 3: Transactions Code Sets Advanced 8. A transaction switch service is an agency that processes non-standard format claims a) True b) False --------- Correct Answer --------- b) False Chapter 3: Transactions Code Sets Advanced 9. A 270/271 Basic transaction is a bi-directional flow that goes out it inquire a health plan to confirm the patient's a) Health condition b) Wellness c) Background d) Eligibility with that insurance company or health plan --------- Correct Answer --------- d) Eligibility with that insurance company or health plan Chapter 3: Transactions Code Sets Advanced 10. 
If the provider and the payer have their own clearing houses, which one of the following applies (270/271 Multiple Intermediary Transaction Flow) a) Provider - Transaction switch service (Provider) - Transaction switch service (Payer) - Payer b) Provider - Transaction switch service (Payer) - Transaction switch service (Provider) - Payer c) Transaction switch service (Provider) - Payer d) Provider - Transaction switch service (Payer) --------- Correct Answer --------- a) Provider - Transaction switch service (Provider) - Transaction switch service (Payer) - Payer Chapter 3: Transactions Code Sets Advanced 11. In case of 276 and 277 transaction, which one of the following is NOT a HIPAA covered transaction? a) Payer acknowledgement b) Request for Additional Information c) Claim Status Request d) Claim Status Response --------- Correct Answer --------- a) Payer acknowledgement Chapter 3: Transactions Code Sets Advanced 12. Which of the following is included in the 278 Basic Transaction Flow? a) Referral of one provider to another b) Certification c) Pre-Authorization d) All of the above --------- Correct Answer --------- d) All of the above Chapter 3: Transactions Code Sets Advanced b) Medical procedures c) Medical concepts d) Medical supplies --------- Correct Answer --------- b) Medical procedures Chapter 4: Code sets and National identifiers 9. Which of the following conditions does not require Medical Coding? a) Diseases b) Injuries c) Health related problems d) Financial problems --------- Correct Answer --------- d) Financial problems Chapter 4: Code sets and National identifiers 10. Which of the following conditions does not require ICD Coding? a) Diseases b) Dental implants c) Health related conditions d) Psychological conditions --------- Correct Answer --------- b) Dental implants Chapter 4: Code sets and National identifiers 11. Which of the following conditions are not covered in the CPT Code set? 
a) Physician Services b) Radiological Services c) Durable medical equipment (Uses HCPCS coding) d) All of the above --------- Correct Answer --------- c) Durable medical equipment (Uses HCPCS coding) Chapter 4: Code sets and National identifiers 12. What are the current Medical Concepts and Supplies that are NOT included in the CPT and CDT Code sets? Come under HCPCS code set a) Prescriptions/Medication b) Laboratory test c) Hearing and Vision test d) Physical and Occupational therapy services --------- Correct Answer --------- a) Prescriptions/Medication Chapter 4: Code sets and National identifiers 13. Durable Medical Equipment (wheel chairs, hearing aids, etc.) use which of the following code set for Medical coding a) CPT Code set b) ICD 9 Code set c) HCPCS Code set d) None of the above --------- Correct Answer --------- c) HCPCS Code set Chapter 4: Code sets and National identifiers 14. Which one of the following is used as a National Identifier for only employers? a) National Provider Identifier b) National Provider Plan Identifier c) Tax Identification Number (Tax ID or EIN) d) National Health Identifier for Individuals --------- Correct Answer --------- c) Tax Identification Number (Tax ID or EIN) Chapter 4: Code sets and National identifiers 15. The national identifier of the provider institution submitting the claim would be a) Type 1 or individual NPI b) Type 2 or subpart NPI c) Can be any of them d) Neither of them --------- Correct Answer --------- b) Type 2 or subpart NPI Chapter 4: Code sets and National identifiers 16. What are some of the other uses of the NPI a) The health plan use it in their internal provider files to process transactions b) The HHS uses it to cross reference healthcare providers in fraud and abuse files c) Used by healthcare clearing houses to communicate with providers and payers d) All of the above --------- Correct Answer --------- d) All of the above Chapter 4: Code sets and National identifiers 17. 
Who provides the NPI to the provider a) Health insurance company b) DHHS c) Enumerator d) Third Party Agency --------- Correct Answer --------- c) Enumerator Chapter 4: Code sets and National identifiers 18. Which one of the following method CANNOT be used by the provider to apply for the NPI a) Online application b) Paper application c) By writing an email to the Government d) Apply by Bulk enumeration --------- Correct Answer --------- c) By writing an email to the Government Chapter 4: Code sets and National identifiers 19. An EIN (Employer Identification Number) is used ONLY by an employer as a sponsor of a health plan a) True b) False --------- Correct Answer --------- a) True Chapter 4: Code sets and National identifiers 1. To comply with HIPAA, security programs need to concentrate only on electronic protected health information. a) True b) False --------- Correct Answer --------- b) False Chapter 5: HIPAA and Health Data - Security and Privacy Requirements 2. Covered entities and business associates need to view the development of a sound privacy and security compliance program as meeting: a) Regulatory requirements b) Organizational strategic objectives c) Legal risk mitigation d) All of the above --------- Correct Answer --------- d) All of the above Chapter 5: HIPAA and Health Data - Security and Privacy Requirements 3. The HIPAA Privacy and Security Rules require all of the following except: a) The hiring of a HIPAA compliance officer b) The development and implementation of policies and procedures c) Executing data sharing agreements with trading partners d) Special training for senior management --------- Correct Answer --------- a) The hiring of a HIPAA compliance officer Chapter 5: HIPAA and Health Data - Security and Privacy Requirements 4. 
The risk analysis is all of the following except: a) Must be conducted annually per the HIPAA security rule b) Examines threats and vulnerabilities to hardware, software, staffing and facilities c) Is an addressable part of the HIPAA program requirements d) Identifies risks to the organization and all identified risks need to be mitigated --------- Correct Answer --------- c) Is an addressable part of the HIPAA program requirements Chapter 5: HIPAA and Health Data - Security and Privacy Requirements a) They should address all rules related to Privacy or Security b) They must be accurate, update, complete and communicated c) They must be reviewed and updated regularly to ensure it is current d) All of the above --------- Correct Answer --------- d) All of the above Chapter 5: HIPAA and Health Data - Security and Privacy Requirements 15. HIPAA Privacy policies, procedures and other documentation need to be created and maintained for a minimum of how many years? a) Four years b) Five years c) Six years d) Seven years --------- Correct Answer --------- c) Six years Chapter 5: HIPAA and Health Data - Security and Privacy Requirements 16. If a PHI needs to be sent from a covered entity to any other entity (another covered entity, a non-covered entity or a business associate), it is required to be encrypted a) True b) False --------- Correct Answer --------- a) True Chapter 5: HIPAA and Health Data - Security and Privacy Requirements 17. Which one of the following is not required to be followed to ensure HIPAA Privacy compliance? a) Assign Privacy responsibility b) Revising existing Privacy policies and procedures c) Adjusting to the organizational processes to address risks d) Covered Entities must audit their Business Associates annually --------- Correct Answer --------- d) Covered Entities must audit their Business Associates annually Chapter 5: HIPAA and Health Data - Security and Privacy Requirements 18. 
If an organization maintains a website, they need not mention about HIPAA Privacy rules in that site a) True b) False --------- Correct Answer --------- b) False Chapter 5: HIPAA and Health Data - Security and Privacy Requirements 19. Which one of the below is NOT one of the important things for a small organization's compliance with HIPAA privacy rule a) Mitigation b) Gap analysis and report c) Conferencing d) Regular annual compliance review --------- Correct Answer --------- c) Conferencing Chapter 5: HIPAA and Health Data - Security and Privacy Requirements 20. What is the most important requirement of the HIPAA Security rule a) Confidentiality b) Availability c) Integrity d) All of the above --------- Correct Answer --------- d) All of the above Chapter 5: HIPAA and Health Data - Security and Privacy Requirements 21. Security of PHI DOES NOT require which one of the following? a) Securing hardware, software, other devices b) Securing the storage of PHI in any form (mobile, CD, etc.) c) Locking the patient's home d) Having an enterprise encryption solution --------- Correct Answer --------- c) Locking the patient's home Chapter 5: HIPAA and Health Data - Security and Privacy Requirements 22. Some of the administrative safeguards that can be incorporated for PHI security are: a) Risk analysis and management b) Authorization, access control c) Ongoing workforce and senior management training d) All of the above --------- Correct Answer --------- d) All of the above Chapter 5: HIPAA and Health Data - Security and Privacy Requirements 23. 
Which one of the following is the most appropriate for physical safeguards of PHI a) Securing patient's home with a key and lock b) Locking the healthcare organization c) To avoid web based transactions d) Destruction of electronic and non-electronic PHI at the end of its useful life --------- Correct Answer --------- d) Destruction of electronic and non-electronic PHI at the end of its useful life Chapter 5: HIPAA and Health Data - Security and Privacy Requirements 1. Business associates are required to: a) Distribute a Notice of Privacy Practice to the patients or health plan members of covered entities they contract with b) Comply with the use and disclosure provisions of the Privacy Rule by statute effective February 2010 c) Notify individuals if the business associate is not HIPAA compliant. d) Report breaches of 500 individuals or more to the US Department of Health and Human Services --------- Correct Answer --------- b) Comply with the use and disclosure provisions of the Privacy Rule by statute effective February 2010 Chapter 6 HIPAA Privacy Rule 2. The HIPAA Privacy Rule: a) Modified already existing federal health care privacy regulations b) Preempts all state privacy laws c) Should be followed unless state privacy law or other federal privacy laws are more stringent d) Allows covered entities to disclose the part of the medical or claims record created by the covered entity only when a request of a copy of an individual&#8217s record is received --------- Correct Answer --------- c) Should be followed unless state privacy law or other federal privacy laws are more stringent Chapter 6 HIPAA Privacy Rule 3. 
A patient or health plan member has the right to: a) Request restricted access to any portion of their medical or claims record and the covered entity is required to adhere to such all restriction requests b) Request an amendment to his or her medical or claims record and the covered entity must honor all amendment requests c) File a privacy complaint with the Center for Medicare and Medicaid Services d) Request to view their medical record or claims history and the covered entity cannot charge for the service --------- Correct Answer --------- d) Request to view their medical record or claims history and the covered entity cannot charge for the service Chapter 6 HIPAA Privacy Rule 4. If a privacy breach occurs: a) It is often the result of a security breach b) It is reportable whether accidental or intentional no matter how many records are involved c) The US Department of Health and Human Services must be notified immediately Chapter 6 HIPAA Privacy Rule 14. Is accidental breach of HIPAA Privacy laws considered legal and is subject to penalty a) True b) False --------- Correct Answer --------- a) True Chapter 6 HIPAA Privacy Rule 15. To whom is the BA (Business Associate) expected to give notice about any occurrence of a breach of HIPAA Privacy law within a maximum of 60 days a) The affected Covered Entity b) Patients c) Health Plan d) Government --------- Correct Answer --------- a) The affected Covered Entity Chapter 6 HIPAA Privacy Rule 1. Privacy training is required for: a) New employees and business associates only b) Paid workforce members only c) All staff members including senior management d) Contractors, temporaries and volunteers --------- Correct Answer --------- c) All staff members including senior management Chapter 7 Privacy Rule - Organizational and Individual Relationships 2. 
The following documents must be retained for six years: a) Medical and claims records b) General employees' manual and confidentiality agreement signed by each employee c) Policies and training material d) Business associate contracts and vendor contact logs --------- Correct Answer --------- a) Medical and claims records Chapter 7 Privacy Rule - Organizational and Individual Relationships 3. Covered entities must comply with: a) The Clinical Laboratory Improvement Amendments (CLIA) unless they conflict with HIPAA Privacy Rule requirements b) The Gram-Leach-Bliley Act c) The HIPAA Privacy Rule in all cases relating to patient or health plan member PHI d) State privacy laws that are more stringent than the HIPAA Privacy Rule --------- Correct Answer --------- d) State privacy laws that are more stringent than the HIPAA Privacy Rule Chapter 7 Privacy Rule - Organizational and Individual Relationships 4. Covered entities are required to: a) Honor all requests for restriction of access to patient or health plan member PHI b) Make any medical or claims record amendments requested by a patient or health plan member c) Provide an accounting of disclosures upon request d) In a direct care setting require all patients sign an acknowledgement of receipt of the Notice of Privacy Practices --------- Correct Answer --------- c) Provide an accounting of disclosures upon request Chapter 7 Privacy Rule - Organizational and Individual Relationships 5. Sanctions can include: a) Termination of employment or contract b) Verbal reprimand c) Notification of law enforcement d) All of the above --------- Correct Answer --------- d) All of the above Chapter 7 Privacy Rule - Organizational and Individual Relationships 6. 
If a patient or health plan member requests a copy of his or her medical record:
a) The covered entity can withhold any part of the record that was restricted by a promise of confidentiality
b) Psychotherapy notes must be included unless the provider who wrote the psychotherapy notes has placed a restriction on their release
c) Provide a copy of the record and a bill for the copy at the same time
d) All portions of the record must be made available to the patient or health plan member
Correct Answer: a) The covered entity can withhold any part of the record that was restricted by a promise of confidentiality (Chapter 7 Privacy Rule - Organizational and Individual Relationships)

Question 7.
What does OHCA mean?
a) Optimum Health Care Arrangement
b) Organized Health Care Arrangement
c) Organized Health Care Association
d) None of them
Correct Answer: b) Organized Health Care Arrangement (Chapter 7 Privacy Rule - Organizational and Individual Relationships)

Question 8.
Which of the following can be classified as types of OHCAs?
a) Arrangement between a group health plan and a health insurer or HMO
b) Arrangement between multiple group health plans maintained by the same sponsor
c) Quality assessment and group health activities
d) All of the above
Correct Answer: d) All of the above (Chapter 7 Privacy Rule - Organizational and Individual Relationships)

Question 9.
A jointly administered government program IS NOT a HIPAA-covered entity type, but a method to help determine the extent of compliance across government agencies that cooperate to operate a particular covered program.
a) True
b) False
Correct Answer: a) True (Chapter 7 Privacy Rule - Organizational and Individual Relationships)

Question 10.
Which one of the following IS NOT one of the organizational requirements of covered entities under the HIPAA Privacy Rule?
a) Designating a privacy official and privacy contact
b) Regularly training the patients regarding this rule
c) Regular training of the workforce, reminding and updating them on the rules
d) Implementing administrative, physical and technical safeguards to protect health information
Correct Answer: b) Regularly training the patients regarding this rule (Chapter 7 Privacy Rule - Organizational and Individual Relationships)

Question 11.
Which one of the following is a severe breach of the HIPAA Privacy Rule that can result in serious consequences?
a) Developing and using contracts and agreements for business associates
b) Establishing privacy policies, procedures, and practices
c) No documentation maintained regarding the rule and its implications
d) Developing a system of sanctions for members of the workforce and business associates who violate the entity's policies
Correct Answer: c) No documentation maintained regarding the rule and its implications (Chapter 7 Privacy Rule - Organizational and Individual Relationships)

c) Inform patients and health plan members that covered entities cannot share any PHI for any purpose without the specific permission of the patient or health plan member
d) Inform patients and health plan members that they have the right to file a complaint with the Center for Medicare and Medicaid Services
Correct Answer: b) Inform patients and health plan members about their privacy rights (Chapter 8 Privacy Rule - Notice of Privacy Practices)

Question 2.
If a patient or health plan member requests to view his or her designated record set, the covered entity can charge for:
a) Copying and mailing costs
b) Viewing or inspecting the patient or health plan member's record
c) Staff time to compile the copy
d) The cost to retrieve parts of the record that have been archived
Correct Answer: a) Copying and mailing costs (Chapter 8 Privacy Rule - Notice of Privacy Practices)

Question 3.
A direct care provider does not include:
a) Dentists
b) Surgeons
c) Radiologists
d) Psychiatric nurse practitioners
Correct Answer: c) Radiologists (Chapter 8 Privacy Rule - Notice of Privacy Practices)

Question 4.
A covered entity can require that a patient sign an authorization:
a) For health care that will be provided
b) If treatment is part of a research project
c) For treatment, payment and healthcare operations
d) If the state or federal government issues a notice requiring the patient's information
Correct Answer: b) If treatment is part of a research project (Chapter 8 Privacy Rule - Notice of Privacy Practices)

Question 5.
An authorization is considered defective if:
a) Not all of the required elements were included
b) The covered entity knows the authorization had been revoked
c) The authorization has expired
d) All of the above
Correct Answer: d) All of the above (Chapter 8 Privacy Rule - Notice of Privacy Practices)

Question 6.
Informed consent covers:
a) Release of PHI for treatment, payment and healthcare operations only
b) Release of health information specially protected by state or other federal privacy law
c) Allows the provider to treat the individual
d) Is required pursuant to the HIPAA Privacy Rule
Correct Answer: c) Allows the provider to treat the individual (Chapter 8 Privacy Rule - Notice of Privacy Practices)

Question 7.
What is the role of the Notice of Privacy Practices?
a) Provides a general explanation of the individual's HIPAA Privacy rights
b) Provides a short description of how a covered entity will use and disclose PHI
c) Summarizes a covered entity's privacy policies and practices
d) All of the above
Correct Answer: d) All of the above (Chapter 8 Privacy Rule - Notice of Privacy Practices)

Question 8.
Which one of the following is NOT included in the Notice of Privacy rights?
a) Information regarding how an individual can file a complaint with the covered entity
b) Information about HIPAA Security
c) Information regarding the complaint number
d) Information regarding the procedure to make the complaint
Correct Answer: b) Information about HIPAA Security (Chapter 8 Privacy Rule - Notice of Privacy Practices)

Question 9.
Which one of the following is NOT one of the mandatory requirements for filing a complaint regarding a breach of HIPAA Privacy practice?
a) Notice must be written in plain, simple language
b) Must prominently include certain language in the letter (header)
c) Notice must be clear and concise
d) Notice can be emailed or sent online
Correct Answer: d) Notice can be emailed or sent online (Chapter 8 Privacy Rule - Notice of Privacy Practices)

Question 10.
Once the individual has been treated and discharged from the hospital and the claim has been sent to the health plan, do they have the right to obtain a copy of their health record at a certain expense?
a) True
b) False
Correct Answer: a) True (Chapter 8 Privacy Rule - Notice of Privacy Practices)

Question 11.
What are the covered entity's legal obligations in the Notice of Privacy rights?
a) Provide the Notice of Privacy Practices
b) Abide by the terms of the notice
c) Both
d) Neither
Correct Answer: c) Both (Chapter 8 Privacy Rule - Notice of Privacy Practices)

Question 12.
Which one of the following NEED NOT be an obligation for the covered entity towards notice of HIPAA Privacy rights?
a) Periodically remind the individual of the availability of the notice
b) Send a copy of the Notice to health plan members every 3 years
c) Provide a copy of the notice upon request
d) Interfere with other covered entities' Privacy rights
Correct Answer: d) Interfere with other covered entities' Privacy rights (Chapter 8 Privacy Rule - Notice of Privacy Practices)

Question 13.
Covered entities are permitted to do which one of the following?
a) Reminding the individual about their appointments
b) Providing alternative treatment options
c) Providing information about health related benefits and services that may be of interest to the individuals
d) All of the above
Correct Answer: d) All of the above (Chapter 8 Privacy Rule - Notice of Privacy Practices)

Question 14.
Healthcare providers with a direct treatment relationship with an individual are NOT required to:
a) Post the notice or the summary of the notice on their website
b) Make an attempt to obtain a written acknowledgement of the receipt of the notice from the individual
c) Provide a copy to the individual to take with them
d) Email the notice to the individual
Correct Answer: d) Email the notice to the individual (Chapter 8 Privacy Rule - Notice of Privacy Practices)

d) Authorization from the victim is required in all cases when the reporter is involved in the investigatory process
Correct Answer: b) If the abuse or neglect involves alcohol or chemical dependency related information (Chapter 9 Privacy Use and Disclosure of PHI)

Question 6.
If an Institutional Review Board (IRB) approves a research project allowing the use of PHI without individual authorization:
a) The researcher needs to secure the PHI and can use the PHI for an expansion of the research project as long as it is related to the initial project plan
b) The IRB needs to have determined prior to approval that obtaining individual authorization would be too costly
c) The researcher needs to request approval from the IRB if the researcher intends to use the PHI for a related research project
d) The researcher needs to statistically de-identify the PHI before sharing it with any research assistants
Correct Answer: c) The researcher needs to request approval from the IRB if the researcher intends to use the PHI for a related research project (Chapter 9 Privacy Use and Disclosure of PHI)

Question 7.
A "Disclosure" is a HIPAA term that is used when PHI is shared between employees of the same entity.
a) True
b) False
Correct Answer: b) False (Chapter 9 Privacy Use and Disclosure of PHI)

Question 8.
"Disclosure" is a HIPAA term that is also called:
a) Release
b) Transfer
c) Provision of access to
d) All of the above
Correct Answer: d) All of the above (Chapter 9 Privacy Use and Disclosure of PHI)

Question 9.
To which of the following CANNOT a "Disclosure" be made by the covered entity?
a) To the individual who is the subject of the information
b) To the individual's friend who is not legally authorized to know that information
c) To the Secretary of the Department of Health and Human Services (HHS)
d) To the Office of Civil Rights (OCR) for the enforcement of Privacy and Security Rules
Correct Answer: b) To the individual's friend who is not legally authorized to know that information (Chapter 9 Privacy Use and Disclosure of PHI)

Question 10.
The Privacy Rule permits some disclosures without authorization under certain conditions.
Which among the following CANNOT be an example of that?
a) Treatment, payment, and health care operations
b) Public health activities
c) Research, if approved by an Institutional Review Board (IRB)
d) Divulging the information to anybody who is not related to the patient
Correct Answer: d) Divulging the information to anybody who is not related to the patient (Chapter 9 Privacy Use and Disclosure of PHI)

Question 11.
"Minimum Necessary" applies to which one of the following points?
a) Use and disclosure to the healthcare provider for treatment purposes
b) Giving the entire or a part of the patient's Medical Records for processing of claims
c) Disclosure to the individual who is the subject of the information
d) To healthcare oversight agencies
Correct Answer: b) Giving the entire or a part of the patient's Medical Records for processing of claims (Chapter 9 Privacy Use and Disclosure of PHI)

Question 12.
One method for using and disclosing health information is to remove all potentially identifying information from PHI beforehand. Once all potential identifiers have been removed, the information is no longer considered PHI and isn't subject to the Privacy Rule. Therefore, it can be freely used and disclosed without condition or restriction.
a) True
b) False
Correct Answer: a) True (Chapter 9 Privacy Use and Disclosure of PHI)

Question 13.
Which one of the following does NOT fall under the De-identification safe harbor list?
a) Patient's name and social security number
b) Telephone numbers and email IDs
c) Patient's employer details and financial information
d) Web Universal Resource Locators (URLs)
Correct Answer: c) Patient's employer details and financial information (Chapter 9 Privacy Use and Disclosure of PHI)

Question 14.
Which one of the following is the most common payment activity when claims are sent to the health plan for processing, adjudication and payment?
a) Determining if the patient is safe
b) Determining if the patient is healthy
c) Determining individual eligibility for coverage under a plan
d) Determining if the patient needs any further financial help
Correct Answer: c) Determining individual eligibility for coverage under a plan (Chapter 9 Privacy Use and Disclosure of PHI)

Question 15.
Which of the following are other common payment activities when claims are sent to the health plan for processing, adjudication and payment?
a) Medical review
b) Utilization review
c) Case management
d) All of the above
Correct Answer: d) All of the above (Chapter 9 Privacy Use and Disclosure of PHI)

Question 16.
What is IIHI?
a) Individually Identifiable Health Information
b) Identifiable Individual Health Information
c) Same as PHI
d) None of the above
Correct Answer: a) Individually Identifiable Health Information (Chapter 9 Privacy Use and Disclosure of PHI)

Question 1.
The HIPAA Privacy Rule requires implementation of safeguards that protect:
a) Electronic PHI only
b) Electronic and non-electronic PHI
d) Secure transmission of PHI
Correct Answer: d) Secure transmission of PHI (Chapter 10 Privacy Rule Safeguards)

Question 11.
Technical safeguard standards include:
a) Access control
b) Audit control
c) Entity authentication
d) All of the above
Correct Answer: d) All of the above (Chapter 10 Privacy Rule Safeguards)

Question 12.
A conversation overheard by another patient in a semi-private room in a hospital while the physician is reviewing patient information with the nurse: can this be a case of "Incidental disclosure of PHI"?
a) True
b) False
Correct Answer: a) True (Chapter 10 Privacy Rule Safeguards)

Question 13.
Which one of the following is true about "Incidental disclosure of PHI"?
a) It is not considered a violation of the HIPAA Privacy Rule
b) Hospitals need not take any measures to control this happening
c) Discussion between doctor and nurse about patient PHI in public areas
d) None of the above
Correct Answer: a) It is not considered a violation of the HIPAA Privacy Rule (Chapter 10 Privacy Rule Safeguards)

Question 14.
Which of the following actions is mandatory in protecting the paper form of PHI?
a) Safely locking all the papers that contain PHI
b) Locking the computers
c) Never use papers or print any PHI
d) None of the above
Correct Answer: a) Safely locking all the papers that contain PHI (Chapter 10 Privacy Rule Safeguards)

Question 15.
Which of the following actions is mandatory for the electronic form of PHI?
a) Implementing a clean desk policy properly by not leaving any papers containing PHI around
b) Safely locking all the papers that contain PHI
c) Encryption of any PHI sent over an open network like the internet
d) Properly shred all papers containing PHI
Correct Answer: c) Encryption of any PHI sent over an open network like the internet (Chapter 10 Privacy Rule Safeguards)

Question 1.
Security is directly related to:
a) Risk
b) Documented practices that provide appropriate levels of security
c) Access control
d) None of the above
Correct Answer: a) Risk (Chapter 11 HIPAA Security Rule - Overview)

Question 2.
What are the three types of threats that can harm an organization?
a) Hackers, internal staff, technical malfunctions
b) Unintentional, active, passive
c) Administrative, physical, technical
d) Malicious software, environmental, agents
Correct Answer: b) Unintentional, active, passive (Chapter 11 HIPAA Security Rule - Overview)

Question 3.
To comply with the Security Rule's addressable implementation specifications, an entity must:
a) Implement the specification as noted in the rule
b) Implement an alternative security control that is equivalent to the control specified in the implementation specification
c) Document why an implementation specification will not be implemented, not using cost as the sole factor for not implementing
d) All of the above
Correct Answer: d) All of the above (Chapter 11 HIPAA Security Rule - Overview)

Question 4.
HIPAA related documentation must be retained for a minimum of:
a) The period of time set by Medicare and Medicaid
b) A period defined in state statutes
c) Seven years
d) Eight years
Correct Answer: c) Seven years (Chapter 11 HIPAA Security Rule - Overview)

Question 5.
Security awareness training:
a) Is required before applying for a job with a covered entity
b) Must occur on a regular basis
c) Is required for business associates
d) Is only required for new workforce members
Correct Answer: b) Must occur on a regular basis (Chapter 11 HIPAA Security Rule - Overview)

Question 6.
The two implementation specifications associated with the transmission security standard are:
a) Encryption and traffic padding
b) Encryption and end point data controls
c) Encryption and data integrity
d) All of the above
Correct Answer: c) Encryption and data integrity (Chapter 11 HIPAA Security Rule - Overview)

Question 7.
What are the major reasons for increased security of PHI and for creating the HIPAA Security Rule?
a) Increased civil penalties for rule violations
b) Continued increase in legal risk
c) Need to protect healthcare business assets
d) All of the above
Correct Answer: d) All of the above (Chapter 11 HIPAA Security Rule - Overview)

Question 8.
Theft of proprietary external or internal information is one of the major types of attack threat to the security of PHI.
a) True
b) False
Correct Answer: b) False (Chapter 11 HIPAA Security Rule - Overview)

Question 9.
Which one of the following does the health care provider not need to focus on as far as the Security Rule is concerned?
a) They need not identify theft and medical identity theft
b) Need not inform the patient or health plan about their Security arrangements
c) Neither

Question 19.
The implementation specifications for security awareness and training DO NOT include:
a) Protection from malicious software (viruses)
b) Log-in monitoring
c) Locking of systems
d) Security reminders
Correct Answer: c) Locking of systems (Chapter 11 HIPAA Security Rule - Overview)

Question 20.
Contingency planning includes the following implementation specifications:
a) Data backup plan
b) Disaster recovery plan
c) Emergency mode operation plan
d) All of the above
Correct Answer: d) All of the above (Chapter 11 HIPAA Security Rule - Overview)

Question 21.
The transmission security standard requires covered entities to implement procedures to verify that a person or entity seeking access to EPHI is the one claimed.
a) True
b) False
Correct Answer: b) False (Chapter 11 HIPAA Security Rule - Overview)

Question 22.
To comply with the Security Rule's addressable implementation specifications, an entity must:
a) Implement the specification as noted in the rule
b) Implement an alternative security control that is equivalent to the control specified in the implementation specification
c) Document why an implementation specification will not be implemented, not using cost as the sole factor for not implementing
d) All of the above
Correct Answer: d) All of the above (Chapter 11 HIPAA Security Rule - Overview)

Question 23.
HIPAA related documentation that does not contain PHI must be retained for a minimum of:
a) The period of time set by Medicare and Medicaid
b) A period defined in state statutes
c) Six years
d) Eight years
Correct Answer: c) Six years (Chapter 11 HIPAA Security Rule - Overview)

Question 24.
Security awareness training:
a) Is required for new employees
b) Must occur on a regular basis
c) Is required for business associates
d) Is only required for new workforce members
Correct Answer: b) Must occur on a regular basis (Chapter 11 HIPAA Security Rule - Overview)

Question 25.
Threats and vulnerabilities are primarily associated with:
a) Technology deficiencies
b) External agents
c) People
d) Environmental hazards
Correct Answer: c) People (Chapter 11 HIPAA Security Rule - Overview)

Question 26.
The purpose of login monitoring is to:
a) Determine if workforce members are inappropriately accessing PHI
b) Track and evaluate unsuccessful login attempts
c) Evaluate the effectiveness of system authentication requirements
d) Block hackers from using automated password cracking tools to access the network
Correct Answer: b) Track and evaluate unsuccessful login attempts (Chapter 11 HIPAA Security Rule - Overview)

Question 27.
The security incident response team must:
a) Manage any individual breach notification
b) Include a static group of workforce members who have been properly trained
c) Report to law enforcement if such notice is required
d) Investigate, mitigate, recommend or implement new or changed security controls, and document
Correct Answer: d) Investigate, mitigate, recommend or implement new or changed security controls, and document (Chapter 11 HIPAA Security Rule - Overview)

Question 28.
Security controls are:
a) The implementation of a thorough program of controls and control mechanisms
b) A regulatory mandate and a good insurance policy
c) Defined as standards in the HIPAA Security Rule
d) Considered a subset of ISO standards
Correct Answer: b) A regulatory mandate and a good insurance policy (Chapter 11 HIPAA Security Rule - Overview)

Question 29.
Group logins used by more than one person are acceptable under HIPAA.
a) True
b) False
Correct Answer: b) False (Chapter 11 HIPAA Security Rule - Overview)

Question 30.
Lawsuits can be filed against a covered entity or business associate for HIPAA violations.
a) True
b) False
Correct Answer: a) True (Chapter 11 HIPAA Security Rule - Overview)

Question 31.
Paper PHI:
a) Must be secured per the HIPAA Privacy Rule
b) Requires protection secondary to electronic PHI
c) Must be secured per the HIPAA Security Rule
d) Must be locked up at all times
Correct Answer: a) Must be secured per the HIPAA Privacy Rule (Chapter 11 HIPAA Security Rule - Overview)

Question 32.
The most important security safeguards that need to be implemented and enforced to prevent security and privacy incidents are:
a) Technical safeguards
b) Physical safeguards
c) Administrative safeguards
d) Policies, procedures and documentation
Correct Answer: d) Policies, procedures and documentation (Chapter 11 HIPAA Security Rule - Overview)

Question 33.
Authentication addressed in the Security Rule includes:
a) Single factor authentication

b) False
Correct Answer: b) False (Chapter 11 HIPAA Security Rule - Overview)

Question 43.
The HIPAA Security Rule includes references to:
a) Multi-factor authentication
b) Audit report construction
c) Password management and strong authentication
d) Use of security or authentication tokens
Correct Answer: c) Password management and strong authentication (Chapter 11 HIPAA Security Rule - Overview)

Question 44.
The disaster recovery plan:
a) Must be tested quarterly using a full disaster recovery test
b) Addresses the recovery of assets in priority order
c) Outlines how an organization will meet mission critical requirements during a disaster
d) Is related to the recovery of the technical infrastructure
Correct Answer: b) Addresses the recovery of assets in priority order (Chapter 11 HIPAA Security Rule - Overview)

Question 45.
All covered entities and business associates are required to install a firewall on all networks, whether they are attached to the Internet or not.
a) True
b) False
Correct Answer: b) False (Chapter 11 HIPAA Security Rule - Overview)

Question 1.
Security controls are:
a) Not required under HIPAA rules
b) A regulatory mandate and a good insurance policy
c) Defined as standards in the HIPAA Privacy Rule
d) Considered a subset of ISO standards
Correct Answer: b) A regulatory mandate and a good insurance policy (Chapter 12 HIPAA Security Rule - Threats and technology options)

Question 2.
Threats and vulnerabilities are primarily associated with:
a) Technology flaws and deficiencies
b) External agents
c) People
d) Environmental hazards
Correct Answer: a) Technology flaws and deficiencies (Chapter 12 HIPAA Security Rule - Threats and technology options)

Question 3.
Types of attacks to prevent against include:
a) DOS
b) Malicious software
c) Phishing
d) All of the above
Correct Answer: d) All of the above (Chapter 12 HIPAA Security Rule - Threats and technology options)

Question 4.
Paper PHI:
a) Must be secured per the HIPAA Privacy Rule
b) Requires protection secondary to electronic PHI
c) Must be secured per the HIPAA Security Rule
d) Must be locked up at all times
Correct Answer: a) Must be secured per the HIPAA Privacy Rule (Chapter 12 HIPAA Security Rule - Threats and technology options)

Question 5.
Lawsuits can be filed against a covered entity or business associate for HIPAA violations.
a) True
b) False
Correct Answer: b) False (Chapter 12 HIPAA Security Rule - Threats and technology options)

Question 6.
The most important security safeguards that need to be implemented and enforced to prevent security and privacy incidents are:
a) Technical safeguards
b) Physical safeguards
c) Administrative safeguards
d) None of the above
Correct Answer: c) Administrative safeguards (Chapter 12 HIPAA Security Rule - Threats and technology options)

Question 7.
Security controls are not required for which of the following threats related to HIPAA Security Policy?
a) Good and sufficient documentation
b) Lack of risk analyses
c) Lack of audits
d) Insufficient training
Correct Answer: a) Good and sufficient documentation (Chapter 12 HIPAA Security Rule - Threats and technology options)

Question 8.
Business Associates of covered entities need not determine any threats or vulnerabilities to the organization or safeguard against them.
a) True
b) False
Correct Answer: b) False (Chapter 12 HIPAA Security Rule - Threats and technology options)

Question 9.
People are generally the most significant threat to an organization, and most threats come from within the organization (rather than from any external threat).
a) True
b) False
Correct Answer: a) True (Chapter 12 HIPAA Security Rule - Threats and technology options)

Question 10.
There are many different types of attacks that may be launched by hackers and members of the workforce on the enterprise. These DO NOT include which one of the following?
a) Denial of service (DoS) attacks
b) Spoofing or masquerading
c) Effort by a patient to hack others' information
d) Malicious software
Correct Answer: c) Effort by a patient to hack others' information (Chapter 12 HIPAA Security Rule - Threats and technology options)

Question 11.
Which of the following are steps that can be taken by the healthcare organization to ensure password management?
a) Passwords of a minimum length (ideally, eight characters or more)
b) Alphanumeric combinations (both letters and numerals)
c) Prevention of password re-use
d) All of the above
Correct Answer: d) All of the above (Chapter 12 HIPAA Security Rule - Threats and technology options)

a) Must be tested quarterly using a full disaster recovery test
b) Addresses the recovery of assets in priority order
c) Outlines how an organization will meet mission critical requirements during a disaster
d) Is related to the recovery of the technical infrastructure
Correct Answer: b) Addresses the recovery of assets in priority order (Chapter 13 - Advanced administrative safeguards)

Question 6.
When documenting a business associate relationship, "other written arrangements" include:
a) A formal agreement between the business associate and the covered entity that both entities will adhere to the privacy and security rule
b) Arrangements occasionally used between non-profit covered entities and business associates
c) Memos of understanding, statute and rule
d) All of the above
Correct Answer: c) Memos of understanding, statute and rule (Chapter 13 - Advanced administrative safeguards)

Question 7.
The Security Awareness and Training standard requires covered entities to implement a security awareness and training program for all members of their workforce.
a) True
b) False
Correct Answer: a) True (Chapter 13 - Advanced administrative safeguards)

Question 8.
Which of the following is NOT true regarding implementation of security measures?
a) Security reminders
b) Login monitoring
c) Keeping the patient informed about the security measures
d) Password management
Correct Answer: c) Keeping the patient informed about the security measures (Chapter 13 - Advanced administrative safeguards)

Question 9.
A security awareness training session for all members of the workforce NEED NOT include:
a) Training on Security Rule overview
b) Security policies and procedures
c) Physical and administrative safeguards
d) About HIPAA Privacy rules
Correct Answer: d) About HIPAA Privacy rules (Chapter 13 - Advanced administrative safeguards)

Question 10.
While conducting Security Awareness workforce training, they need to be taught about their individual responsibilities, such as:
a) Acceptable use of PHI and organizational hardware and software
b) Remote access and use of wireless networks
c) Both of the above
d) None of the above
Correct Answer: c) Both of the above (Chapter 13 - Advanced administrative safeguards)

Question 11.
Virus checking is the act of running a computer program that identifies and disables:
a) A virus program, typically hidden, that attaches itself to other programs and has the ability to replicate
b) A code fragment (not an independent program) that reproduces by attaching to another program
c) Code embedded within a program that causes a copy of it to be inserted in one or more other programs
d) All of the above
Correct Answer: d) All of the above (Chapter 13 - Advanced administrative safeguards)

Question 12.
In the HIPAA Security Rule, there should NOT be any data backup plan or activities to ensure that the data is not stolen.
a) True
b) False
Correct Answer: b) False (Chapter 13 - Advanced administrative safeguards)

Question 13.
Which of the following is TRUE about the Emergency Mode Operations Plan?
a) Document how to address mission critical activities during a disaster
b) Need not identify alternative locations in case of an emergency
c) Need not get into acquisition of any emergency supplies
d) Need not test and update any emergency contacts
Correct Answer: a) Document how to address mission critical activities during a disaster (Chapter 13 - Advanced administrative safeguards)

Question 14.
The standard evaluation audit should address:
a) Privacy requirements (HIPAA, state and federal privacy laws)
b) Administrative, physical and technical safeguards
c) Policies, procedures and their relevant documents
d) All of the above
Correct Answer: d) All of the above (Chapter 13 - Advanced administrative safeguards)

Question 15.
Business Associate contracts are not required for which one of the following?
a) Transmission of PHI by a covered entity to a health care provider for treatment purposes
b) Transmission of PHI between tribal health entities and other covered entities for the purposes of treatment, payment or other health care operations
c) Both of the above
d) None of the above
Correct Answer: c) Both of the above (Chapter 13 - Advanced administrative safeguards)

Question 1.
Responsibility for securing leased office space:
a) Is the responsibility of the building owner
b) Is the responsibility of the CEO or owner of the covered entity or business associate
c) Is the responsibility of the designated official or officials who are workforce members of the covered entity or business associate
d) Is the responsibility of the facilities department or designee
Correct Answer: c) Is the responsibility of the designated official or officials who are workforce members of the covered entity or business associate (Chapter 14 - Physical Safeguards Overview)

Question 2.
Open chart racks should be:
a) Replaced with locking chart racks
b) Monitored at all times by designated workforce member(s) during business hours
c) Stored in a locked room away from all points of access or traffic in a facility
d) Covered with a tarp or other material to limit chart viewing and access
Correct Answer: b) Monitored at all times by designated workforce member(s) during business hours (Chapter 14 - Physical Safeguards Overview)

Question 3.
Copiers: a) Often have hard drives that store PHI which needs to be destroyed before machine replacement a) Only patient b) Healthcare Provider c) Health plan d) Patient's employer --------- Correct Answer --------- a) Only patient Chapter 14-Physical Safeguards Overview 1. Facility access control should: a) Include identifying one or more workforce member with the authority to grant access to the facility and a separate person to grant that access b) Require all doors used to enter a facility and enter areas of a facility be locked at all times except the door to the reception area when the entity is open for business c) Include installation of an alarm on internal and external doors of a facility d) All of above --------- Correct Answer --------- a) Include identifying one or more workforce member with the authority to grant access to the facility and a separate person to grant that access Unit 15-Advanced physical safeguards 2. Cleaning and janitorial staff: a) If not employed by the covered entity, are considered business associates b) Should not be allowed access to any area where PHI is stored c) Need to be protected against incidental disclosure of PHI such as through a clean desk policy d) Are not considered a threat and it is permissible to leave paper files that store PHI on desks if they will be needed the next day by the workforce member --------- Correct Answer --------- c) Need to be protected against incidental disclosure of PHI such as through a clean desk policy Unit 15-Advanced physical safeguards 3. 
Data backup tapes or optical media: a) Can be stored at a workforce member's home if adequately protected b) Can be stored in a fire proof safe at the facility for small organizations c) Should be stored in a locking file cabinet or desk within a facility d) Should never be stored on-site at an organization's facility --------- Correct Answer ---- ----- b) Can be stored in a fire proof safe at the facility for small organizations Unit 15-Advanced physical safeguards 4. One of the key individuals who should be notified in the event a workforce member is involuntarily terminated is: a) Senior management b) Receptionist c) Facilities manager d) IT workforce members --------- Correct Answer --------- b) Receptionist Unit 15-Advanced physical safeguards 5. All workstations must be physically attached or locked to a table or desk to prevent theft: a) True b) False --------- Correct Answer --------- b) False Unit 15-Advanced physical safeguards 6. Which among the following is a method of physical safeguard? a) Facility access controls b) Proper utilization of workstation c) Device and media control d) All of the above --------- Correct Answer --------- d) All of the above Unit 15-Advanced physical safeguards 7. Which among the following is not a security question addressed by physical safeguard? a) Is access to the building controlled? b) Is there a computer back up for all computers in the organization? c) Is access to the computing facility controlled? d) Are workstations secured after hours? --------- Correct Answer --------- b) Is there a computer back up for all computers in the organization? Unit 15-Advanced physical safeguards 8. The objective of Facility Access Control standard is to implement policies and procedures to limit patient entry to the hospital a) True b) False --------- Correct Answer --------- b) False Unit 15-Advanced physical safeguards 9. 
Which among the following is not a specified implementation tool for the Facility Access Controls standard a) Contingency operations b) Maintenance records c) Emergency mode operation plan d) Access control and validation procedures --------- Correct Answer --------- c) Emergency mode operation plan Unit 15-Advanced physical safeguards 10. The Workstation Use-related policies and procedures a) Document the actual function to be performed b) Does not require any documentation c) Document and clearly specify how that function is to be performed d) Document how workstations are protected against unauthorized use --------- Correct Answer --------- b) Does not require any documentation Unit 15-Advanced physical safeguards 11. Policies should be established that clearly define security requirements and expected employee behaviors, such as a) Prohibiting the lending of keycards to other, even authorized, individuals b) Allowing only expected and cleared visitors into the facility c) Both the above d) Neither of the above --------- Correct Answer --------- c) Both the above Unit 15-Advanced physical safeguards 12. It is required that computing operations areas be equipped with a vestibule or anteroom for deliveries and pickups of reports and other materials without requiring entry to the main equipment area. a) True b) False --------- Correct Answer --------- b) False Unit 15-Advanced physical safeguards 13. In developing a backup schedule which of the below factor should be considered? a) Prohibiting the lending of keycards to other, even authorized, individuals b) Check and analyze what data should be backed up c) Both the above d) Neither of the above --------- Correct Answer --------- b) Check and analyze what data should be backed up Unit 15-Advanced physical safeguards Unit 17 - General Technical Safeguards: 3. Automatic logoff: a. Must be available for all applications, networks and technical systems b. 
Should be set to log off applications after a period of five minutes of inactivity c. Does not apply to remote login activity d. Can be accomplished by requiring all workforce members to use password protected screen savers --------- Correct Answer --------- d. Can be accomplished by requiring all workforce members to use password protected screen savers Unit 17 - General Technical Safeguards: 4. From a practical perspective, transmission encryption is an addressable implementation specification. a. True b. False --------- Correct Answer --------- b. False Unit 17 - General Technical Safeguards: 5. Audit logs should be generated for: a. All system related activity, both technical and user related b. Systems supporting critical user activities or with access to PHI c. Firewalls, VPNs and other technical related activities d. User activities related to PHI access --------- Correct Answer --------- b. Systems supporting critical user activities or with access to PHI Unit 17 - General Technical Safeguards: 6. The HIPAA Security Rule includes reference to: a. Multi-factor authentication b. Audit report construction c. Password management and use for technical authentication d. Use of security or authentication tokens --------- Correct Answer --------- c. Password management and use for technical authentication Unit 17 - General Technical Safeguards: 1. One method of protecting the integrity of data is the use of encryption in data transmission as long as: a. The data is encrypted before leaving a closed network and unencrypted after receipt inside a closed network b. The encrypted data is transmitted through any web site c. The data is not intercepted and cracked by a hacker d. Check sum digits are validated at the send and receive points --------- Correct Answer --------- a. The data is encrypted before leaving a closed network and unencrypted after receipt inside a closed network Unit 18 - Advanced Technical Safeguards: 2. 
When inventorying data exchange points, the following needs to be considered: a. User/system interfaces b. Application to application interfaces c. Entity to application interfaces d. All of the above --------- Correct Answer --------- d. All of the above Unit 18 - Advanced Technical Safeguards: 3. Security patches should be: a. Applied as soon as they are available b. Applied only after testing the patch in a test environment c. Applied in batches d. Installed directly to the application, device or operating system immediately --------- Correct Answer --------- b. Applied only after testing the patch in a test environment Unit 18 - Advanced Technical Safeguards: 4. Network administrators with domain level authority: a. Should all work in the same department b. Should be closely monitored at all times c. Should be assigned a lower level user profile and a higher level user profile to be used when domain level access is appropriate d. Should be prohibited from accessing any PHI --------- Correct Answer --------- c. Should be assigned a lower level user profile and a higher level user profile to be used when domain level access is appropriate Unit 18 - Advanced Technical Safeguards: 5. All covered entities and business associates are required to install a hardware firewall on any closed network? a. True b. False --------- Correct Answer --------- b. False Unit 18 - Advanced Technical Safeguards: 6. The Windows XP/ Vista guest account should be: a. Disabled after initial configuration b. Assigned a unique password only known to one or two designated workforce members c. Should be used for all network maintenance d. Should be accessible only to the CIO and the security officer for emergency access of data when necessary --------- Correct Answer --------- a. Disabled after initial configuration Unit 18 - Advanced Technical Safeguards: 7. 
Protecting the integrity of data-in-transit requires that: a) The data is encrypted any time it will traverse an untrusted network b) The encrypted data is transmitted through any web site c) The data is not intercepted and cracked by a hacker d) Check sum digits are validated at the send and receive points --------- Correct Answer --------- a) The data is encrypted any time it will traverse an untrusted network Unit 18 - Advanced Technical Safeguards: 8. The Windows guest account should be: a) Disabled after initial configuration b) Assigned a unique password only known to one or two designated workforce members c) Should be used for all network maintenance d) Should be accessible only to the CIO and the security officer for emergency access of data when necessary --------- Correct Answer --------- a) Disabled after initial configuration Unit 18 - Advanced Technical Safeguards: 1. Digital signatures: a. Are regulated by the HIPAA Security Rule b. Are the equivalent to a digital signature c. Can provide non-repudiation d. Are scanned-in image of an individual's signature --------- Correct Answer --------- c. Can provide non-repudiation Unit 19 - Digital Signatures and Certificates: 2. A digital signature requires: a. Binding the digital signature to the electronic file b. Generating the signature using the sender's public key c. The use of a secure envelop to transmit the digital signature d. All of above --------- Correct Answer --------- a. Binding the digital signature to the electronic file Unit 19 - Digital Signatures and Certificates: b. False --------- Correct Answer --------- a. True Unit 20 - Security Policy: 1. Most provisions of Title XIII, Subpart D take effect: a. 180 days from the date the American Recovery and Reinvestment Act (ARRA) was signed into law b. February 17, 2010 c. February 17, 2009 d. At the time the US Department of Health and Human Services (HHS) issues the pertinent new and revised rules --------- Correct Answer --------- b. 
February 17, 2010 Unit 21 - ARRA: 2. Secure paper PHI includes: a. PHI that is locked in a secure room b. PHI that is maintained in a secure area of a business associate or covered entity's facility c. PHI that has been shredded or destroyed d. PHI that is placed face down on desks in a secure area of a facility --------- Correct Answer --------- c. PHI that has been shredded or destroyed Unit 21 - ARRA: 3. Personal health record (PHR) vendors: a. Are considered business associates if they provide PHRs or support PHRs on behalf of a covered entity b. Are now required to adhere to the HIPAA security rule and the use and disclosure provisions of the privacy rule c. All of the above d. None of the above --------- Correct Answer --------- c. All of the above Unit 21 - ARRA: 4. Disclosure accountings: a. Must include disclosures made for all purposes included treatment, payment and healthcare operations b. Only need to be documented for a three year period rather than a six year period c. Must be made available to individuals upon request and must be electronic d. From electronic health or medical records will need to include disclosures for all purposes --------- Correct Answer --------- d. From electronic health or medical records will need to include disclosures for all purposes Unit 21 - ARRA: 5. Marketing is considered healthcare operations as long as: a. The product or service marketed is the same as the patient is already taking or using b. Is of nominal value and provided in a face-to-face encounter c. Any compensation received by the covered entity is less than $1,000 d. Marketing of services to patients or health plan members with certain conditions as determined from data analysis and through an appropriate vendor --------- Correct Answer --------- b. Is of nominal value and provided in a face-to-face encounter Unit 21 - ARRA: 6. 
There are four tiers of civil penalties associated with violations of increasing severity and the penalties are specifically set for each level of security or privacy rule violation. a. True b. False --------- Correct Answer --------- b. False Unit 21 - ARRA: 7. Which of the following is a Business Associate type added by ARRA? a) Data Aggregation services b) Security Management Outsource c) Electronic Pharmacy d) EMR/EHR/Personal Health Record (PHR) vendors --------- Correct Answer --------- d) EMR/EHR/Personal Health Record (PHR) vendors Unit 21 - ARRA: 8. Define "unsecured PHI". a) Unencrypted electronic PHI, either in motion or at rest. b) Paper-based PHI not shredded by cross-cut/diamond-cut device c) PHI spoken by a workforce member when others can hear clearly d) All of the above --------- Correct Answer --------- d) All of the above Unit 21 - ARRA: 9. What from the consumer's point of view would be the most important aspect of Breach Notification communications? a) A brief synopsis of the event, including the date the event occurred and the date it was discovered b) What information was disclosed and to whom c) What the consumers affected should do for self-protection d) What the Covered Entity is doing about the event --------- Correct Answer --------- c) What the consumers affected should do for self-protection Unit 21 - ARRA: 10. A new audit program is expected from CMS OCR. When is it to be effective? a) 1Q 0f 2011 b) 2Q of 2010 c) 4Q of 2010 d) 2Q of 2012 --------- Correct Answer --------- b) 2Q of 2010 Unit 21 - ARRA: 11. How far back will the EMR system are required to store disclosures prior to requests received from patients for accounting reports? a) 2 years b) 3 years c) 6 years d) 7 years --------- Correct Answer --------- b) 3 years Unit 21 - ARRA: 1. The Omnibus Rules are a set of regulations approved by Congress and issued by the Department of Health and Human Services. 
a) True b) False --------- Correct Answer --------- b) False Unit 22 - Omnibus Rule 2. When a Covered Entity discovers a breach has occurred, they must always a) Notify the affected individuals b) Determine the date the breach actually occurred and start their resolution process from that date c) Estimate the possible harm that could have resulted from the breach and include this estimate in their notification d) Conduct a risk analysis on the event to determine whether or not the breached information was actually compromised --------- Correct Answer --------- d) Conduct a risk analysis on the event to determine whether or not the breached information was actually compromised Unit 22 - Omnibus Rule 3. Under the original rules, the PHI of decedents could not be considered for release until 50 years after their passing. The current rule allows a release sooner than this if a) No objection of the decedent or family members has been raised a) True b) False --------- Correct Answer --------- a) True Unit 23 - Electronic Health Records & Meaningful Use Incentives: 1. The Red Flag Rule was enforced by the FTC for the healthcare industry: a. November 1, 2009 b. August 1, 2009 c. May 1, 2009 d. February 18, 2010 --------- Correct Answer --------- a. November 1, 2009 Unit 24 - Red Flag Rule and Healthcare: 2. A covered account is: a. A financial account or billing account maintained by banks, physicians, credit card companies, etc. b. An account where multiple financial transactions occur related to a single event c. Health plan premium accounts for health plan members d. An account that is managed by multiple entities --------- Correct Answer --------- b. An account where multiple financial transactions occur related to a single event Unit 24 - Red Flag Rule and Healthcare: 3. A "red flag": a. Indicates identity theft may occurring or will soon occur b. Indicates medical identity or identity theft is occurring c. Indicates a security breach has occurred d. 
Is the same as a security incident --------- Correct Answer --------- a. Indicates identity theft may occurring or will soon occur Unit 24 - Red Flag Rule and Healthcare: 4. The Red Flag Rule Umbrella policy: a. Must be reviewed at least annually b. Must be approved by the highest authority in the organization c. Require regular program monitoring and that any material changes be approved by senior management d. All of the above --------- Correct Answer --------- d. All of the above Unit 24 - Red Flag Rule and Healthcare: 5. "Red flag" investigation: a. Always includes mitigation activity that must be documented b. Should be assigned to the security incident response team c. Requires patient notification d. Generally indicates a security or privacy breach has occurred --------- Correct Answer --------- b. Should be assigned to the security incident response team Unit 24 - Red Flag Rule and Healthcare: 6. The Red Flag Rule program: a. Should be separate and distinct from other compliance programs b. Includes no significant changes to what is already required by the HIPAA security rule c. Should be harmonized with the existing security program through expanded policies, procedures and practices d. Is administratively burdensome --------- Correct Answer --------- c. Should be harmonized with the existing security program through expanded policies, procedures and practices Unit 24 - Red Flag Rule and Healthcare: 7. Define the basic Red Flag Rule. 
a) A pattern of events that indicates a breach of protected information that has resulted in identity theft b) A pattern of events that indicates an insider is looking at patient files without authorization c) A pattern of behavior that shows a workforce member is not complying with HIPAA requirements d) A pattern of events that require investigation --------- Correct Answer --------- a) A pattern of events that indicates a breach of protected information that has resulted in identity theft Unit 24 - Red Flag Rule and Healthcare: 8. Which of the following is a Red Flag indicator? a) Notification of an active court case involving medical fraud in the local newspaper b) A patient or their family failing to provide proper identity documents when entering the Emergency Room c) Substantial inconsistencies between file information and identity documents presented by a patient d) Returned mail indicating non-deliverability after charges have stopped --------- Correct Answer --------- c) Substantial inconsistencies between file information and identity documents presented by a patient Unit 24 - Red Flag Rule and Healthcare: 9. What should be considered during a Risk Assessment with regard to RFR? a) Sample RFR examples lists provided by the Federal Depository Insurance Corporation. b) Types of patient accounts be offered and the interest rates on them being too high c) Account creation and charging methods arranged to be handled in a single transaction d) Existence of adequate separation of duties amongst those handling patient accounts --------- Correct Answer --------- d) Existence of adequate separation of duties amongst those handling patient accounts Unit 24 - Red Flag Rule and Healthcare: 1. A risk analysis: a. Must be conducted to comply with the HIPAA security rule and the Red Flag rule b. Is considered the foundation of a sound and robust security program c. 
Is necessary to identify risks that need to be mitigated to avoid significant tangible and intangible damage to the organization d. All of the above --------- Correct Answer --------- d. All of the above Unit 25 - HIPAA Solutions Part 1: 2. Before conducting a risk analysis: a. An inventory of all assets needs to be conducted b. Assets need to be defined and assets generally include hardware, software and data c. The financial value of each asset needs to be determined or calculated taking into account depreciation d. A compliance audit should be conducted --------- Correct Answer --------- a. An inventory of all assets needs to be conducted Unit 25 - HIPAA Solutions Part 1: 3. If a risk is considered acceptable, mitigation is not required but documentation is: a. True b. False --------- Correct Answer --------- a. True Unit 25 - HIPAA Solutions Part 1: 4. The HIPAA security rule requires a review of the complete security program and in the rule it is referred to as a: a. Security controls b. Business continuity plan c. Evaluation d. Annual security program assessment --------- Correct Answer --------- c. Evaluation Unit 25 - HIPAA Solutions Part 1: 5. A periodic audit: d) All workforce members and trading partners --------- Correct Answer --------- a) All workforce members when hired and periodically thereafter Unit 26 - HIPAA Solutions Part 2: 5. The purpose of a disaster recovery plan is to: a) Define how the covered entity will operate during an emergency or disaster b) Define how the covered entity will recover mission critical functions c) Define how the covered entity will recover from a disaster and return to normal business/clinical operations d) Define how the technical infrastructure will be recovered and returned to normal business/clinical operations --------- Correct Answer --------- c) Define how the covered entity will recover from a disaster and return to normal business/clinical operations Unit 26 - HIPAA Solutions Part 2: 6. 
The disaster recovery and emergency mode operations plans: a) Must be fully tested semi-annually b) Must be updated at least quarterly c) Must be updated when key organizational changes occur d) Must account for all assets of the covered entity --------- Correct Answer --------- c) Must be updated when key organizational changes occur Unit 26 - HIPAA Solutions Part 2: 7. Which is an acceptable form for the encrypted transmission of PHI? a) Encrypted FAX b) Wireless network connections using WEP and the RC4 algorithm c) Digitally signed email d) Delivery of an encrypted USB memory stic --------- Correct Answer --------- a) Encrypted FAX Unit 26 - HIPAA Solutions Part 2: 8. Which service does a digital signature provide? a) Identification of the receiving individual b) Accuracy of the information contained in the message c) Validation of the digital certificate provider d) Non-repudiation (the inability of the sender to deny sending) --------- Correct Answer - -------- d) Non-repudiation (the inability of the sender to deny sending) Unit 26 - HIPAA Solutions Part 2: 9. What is the greatest threat source to the protection of PHI? e) Hackers (less than 2% of the time) f) Employees (more than 75% of the time) g) Unencrypted transmission (happens infrequently but really grabs headlines) h) Lack of policy or procedure (no - covered under the doctrine of the "Prudent Man" rule) --------- Correct Answer --------- h) Lack of policy or procedure (no - covered under the doctrine of the "Prudent Man" rule) Unit 26 - HIPAA Solutions Part 2: 10. Which is the correct records retention requirement? a) Policies: 6 years from last effective date b) Maintenance Records: 2 years from date of execution c) Protected health information: 10 years d) Audit and other evaluation records and corrective action plans: 3 years --------- Correct Answer --------- a) Policies: 6 years from last effective date Unit 26 - HIPAA Solutions Part 2: