Which of the following is the BEST reason for writing an information security policy?
- A . To support information security governance
- B . To reduce the number of audit findings
- C . To deter attackers
- D . To implement effective information security controls
When assessing an organization’s security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilities be defined?
- A . Only when assets are clearly defined
- B . Only when standards are defined
- C . Only when controls are put in place
- D . Only when procedures are defined
Provides assistance, advice and information to the patient.
- A . Coder
- B . Consultant
- C . Medical Transcriptionist
Clients need to receive a copy of Notice of Privacy Practices.
- A . True
- B . False
A health plan may conduct its covered transactions through a clearinghouse, and may require a provider to conduct covered transactions with it through a clearinghouse. The incremental cost of doing so must be borne
- A . by the HIPAA authorities
- B . by the health plan
- C . by any other entity but the health plan
- D . by insurance companies
Was known for identifying anthrax.
- A . Robert Koch
- B . Edward Jenner
- C . Louis Pasteur
Helps people with low incomes get the medical help they need. Varies from state to state.
- A . Medicare
- B . Medicaid
- C . CHIP
Children under age 18 comprise approximately, what percentage of the homeless population?
- A . 40%
- B . 30%
- C . 35%
- D . 45%
True or False? Globalization of health care has produced positive effects in both developed and developing countries.
- A . True
- B . False
Which of the following actions will reduce risk to a laptop before traveling to a high risk area?
- A . Examine the device for physical tampering
- B . Implement more stringent baseline configurations
- C . Purge or re-image the hard disk drive
- D . Change access codes
A Governing board is also known as the___________.
- A . Medical Staff
- B . Administration
- C . Board of Trustees
Excessive health care is a concern because it is:
- A . Wasteful
- B . Costly
- C . Potentially harmful
- D . All of the above
True or false: For people with Medicaid coverage, access to health care is guaranteed.
- A . True
- B . False
What data-related concept identifies or characterizes entities and events in a manner that facilitates an administrative process?
- A . Non-medical or Administrative Code Sets
- B . Data Mapping
- C . Medical or Clinical Code Sets
- D . Data Elements
A
Explanation:
Non-medical or Administrative Code Sets identify or characterize entities and events in a manner that facilitates an administrative process.
Which is not a "painless" cost control strategy?
- A . Reduction of administrative waste
- B . Use of cost-effective analysis to limit care
- C . Elimination of inappropriate care
- D . Elimination of ineffective care
For most privately insured Americans, health insurance is:
- A . Employer-based
- B . Financed by the government
- C . Privately purchased
- D . None of the above
What mandates all privacy in hospital administration?
- A . HIPAA
- B . JCAH
- C . Medicare
Which of the following is the MOST significant benefit to implementing a third-party federated identity architecture?
- A . Attribute assertions as agencies can request a larger set of attributes to fulfill service delivery
- B . Data decrease related to storing personal information
- C . Reduction in operational costs to the agency
- D . Enable business objectives so departments can focus on mission rather than the business of identity management
What type of hospital is a Government Hospital?
- A . For Profit
- B . Not For Profit
Jackson broke his ankle while performing with his band 100 Monkeys. Jackson was rushed to the ER and from there he was referred to a bone specialist.
What type of care is Jackson in?
- A . Quaternary
- B . Primary
- C . Secondary
The Hippocratic Oath was in the Medieval time period.
- A . True
- B . False
The adequacy of the health profession workforce (i.e., supply and demand) can be determined by:
- A . Market demand of health professions
- B . Population need of health professions
- C . Neither A nor B are determinants
- D . Both A and B are determinants
They create and vote on bylaws
- A . Medical Staff
- B . Administration
- C . Governing Board
Surgeons usually receive a single payment for the surgery and postoperative care. This bundling, or payment per episode, gives surgeons an economic incentive to:
- A . Limit both the number of surgeries they perform and the number of post operative visits they make.
- B . Increase both the number of surgeries and the number of post operative visits.
- C . Limit the number of surgeries and increase the number of post operative visits.
- D . Increase the number of surgeries and limit the number of post operative visits.
What is the impact of the HITECH Act in relation to HIPAA requirements and maintaining client records electronically?
- A . There is a push toward paper records to prevent the hacking and electronic violation of electronic records, which is easily done without detection
- B . Providers must now maintain client records electronically, but may continue to provide clients a paper copy when access is requested
- C . There is no requirement to maintain client records electronically, but clients have the right to insist on electronic access to an electronic health record, if it exists
- D . Electronic records now face intensified scrutiny, requiring practitioners to implement more sophisticated software and detailed accounting of records
C
Explanation:
The impact of the HITECH Act in relation to HIPAA requirements and maintaining client records electronically is that there is no requirement yet to maintain client records electronically, but clients have the right to insist on electronic access to an electronic health record, if it exists.
Business Associate Agreements are required by the regulation whenever a business associate relationship exists. This is true even when the business associates are both covered entities.
- A . There are no specific elements which must be included in a Business Associate Agreement. However some recommended but not compulsory elements are listed in 164.504(e) (2)
- B . There are specific elements which must be included in a Business Associate Agreement. These elements are listed in Privacy Legislation
- C . There are no specific elements which must be included in a Business Associate Agreement.
- D . There are specific elements which must be included in a Business Associate Agreement. These elements are listed in 164.504(e) (2)
What does the federal Ryan White CARE Act fund?
- A . Care for underserved rural and urban populations
- B . Skin cancer screening programs
- C . School-based health services in predominantly minority neighborhoods
- D . Development of treatment and care options for persons with HIV and AIDS
Who believed that the only way to understand a disease was to examine the cells of the affected body?
- A . Lister
- B . Fleming
- C . Koch
- D . Virchow
___________ is one of the main objectives of HIPAA.
- A . Secrecy
- B . Accountability
- C . Anonymity
- D . Complexity
B
Explanation:
The main objectives of HIPAA are Accountability (reduce waste, fraud, and abuse; new penalties will be imposed), Insurance Reform (continuity and portability of health insurance, providing limits on pre-existing provisions), and Administrative Simplification (standards on electronic data transactions in a confidential and secure manner).
Private health insurance coverage has decreased over the past decades because of:
- A . The rising cost of health care.
- B . An increase in non-unionized jobs
- C . A shift from manufacturing jobs to service industry jobs
- D . All of the above
The CQI approach of producing health care "report cards," specifically HEDIS, is a tool to encourage health care consumers to choose high-quality caregivers, but often:
- A . these report cards are inaccurate
- B . cost, not quality is the driving motivator for employers to choose health care plans for their employees
- C . HEDIS includes only a limited number of quality performance indicators
- D . None of the above
Substance abuse regulations do not allow disclosure with a subpoena unless a court has issued an order following a show cause hearing.
- A . True
- B . False
Marcus is responsible for security management within a HIPAA-covered entity. He is reviewing administrative safeguards and examining the organization’s risk analysis.
Which element is NOT part of risk analysis?
- A . Developing adequate communication with all contractors, interns, and staff in relation to the agency’s security policies
- B . Assessing vulnerabilities of integrity and availability of electronic personal health information
- C . Determining how client electronic personal health information confidentiality may be compromised
- D . Determining barriers in existence to needed client electronic personal health information
A
Explanation:
Developing communication is not a function of risk analysis.
Courtesy allows doctors to admit an occasional patient to the hospital.
- A . True
- B . False
They examine the cost of claims to determine whether it is reasonable or necessary, according to diagnosis.
- A . Coders
- B . Billers
- C . Health Insurance Specialist
Critics of the United States health care system find fault with all of the following EXCEPT:
- A . its lack of organizational coherence
- B . its tertiary care organization
- C . its over reliance on primary care
- D . its specialist orientation
HIPAA guidelines say employers that sponsor employee group health plans must maintain privacy of which __________________ in secured locations, if kept in the office?
- A . Information related to lawsuits against employers
- B . Enrollment and claim information
- C . Workman’s Compensation claims
- D . Deidentified information
B
Explanation:
Enrollment and claim information must be kept locked and secured if maintained in office spaces.
What is a Covered Entity? The term "Covered Entity" is defined in 160.103 of the regulation.
- A . The definition is complicated and long.
- B . The definition is referred to in the Secure Computing Act
- C . The definition is very detailed.
- D . The definition is deceptively simple and short
Acts on reports and recommendations from medical staff committees.
- A . Joint
- B . Credentials
- C . Ethics
- D . Executive
This type of hospital is privately owned.
- A . For Profit
- B . Not for Profit
What was the function of a pest house in the preindustrial period?
- A . To house people who had a contagious disease.
- B . To provide refuge to those who were threatened by pests.
- C . To eradicate pests.
- D . To treat contagious diseases.
Which racial/ethnic group is growing the fastest?
- A . White
- B . Black or African American
- C . Asian or Pacific Islander
- D . Hispanic
If you go and get a physical exam.
What type of care did you just receive?
- A . Primary
- B . Secondary
- C . Tertiary
- D . Quaternary
Which one of these risk factors would be the LEAST important consideration in choosing a building site for a new computer facility?
- A . Vulnerability to crime
- B . Adjacent buildings and businesses
- C . Proximity to an airline flight path
- D . Vulnerability to natural disasters
Confidentiality means that data is not to be made available to unauthorized persons.
- A . True
- B . False
The Flexner Report, published in 1910, reported on.
- A . Disease trends
- B . Standards of training in medical schools
- C . Rates of deaths in U.S. hospitals
- D . The state of medical specialization
Part of Administrative Safeguards under HIPAA is Workforce Security measures.
Which is NOT a key element of a Workforce Security Element?
- A . Identification of barriers to client electronic Personal Health Information
- B . Clearance Procedures
- C . Termination Procedures
- D . Authorization and Supervision
A
Explanation:
Identification of barriers to client electronic Personal Health Information is more indicative of Risk Assessment, not Workforce Security.
Regulatory strategies for health insurance financing seek to control public expenditures for health care by:
- A . Implementing tax-financed health insurance or limiting premiums
- B . Limiting the annual use of services among patients
- C . Increasing competition among health insurance plans
- D . Only A and C
Breach notification exceptions are provided to all, EXCEPT:
- A . Business associates who access information by good faith, unintentional means and do not further disclose information
- B . Unintentional, good faith access by employees of covered entities if the information was not further disclosed
- C . If the information impacted less than 500 people within a single demographic area
- D . Inadvertent disclosure made individual to individual within a covered entity who is authorized to access protected health information
C
Explanation:
Information impacting less than 500 individuals, regardless of their demographic area, is regarded as a breach unless one of the other three qualifiers is met.
Which is NOT consistent with Personnel Clearance Procedures needed to comply with HIPAA Administrative Safeguards?
- A . Current database of which personnel have access to buildings, offices, filing cabinets, computers, and databases
- B . New employees, contractors, and unpaid staff have references checked
- C . Appropriate exit interviews for outgoing personnel
- D . Discretion given to who does and does not have access to secure office spaces or keys/door codes
C
Explanation:
Appropriate exit interviews for outgoing personnel is least consistent with personnel clearance procedures needed to comply with Administrative Safeguards.
The HIPAA task force must first:
- A . inventory the organization’s systems, processes, policies, procedures and data to determine which elements are critical to patient care and central to the organization’s business
- B . inventory the organization’s systems, processes, policies, procedures and data to determine which elements are non critical to patient care and central to the organization’s business
- C . inventory the organization’s systems, processes, policies, procedures and data to determine which elements are critical to patient complaints and central to the organization’s peripheral businesses
- D . modify the organization’s systems, processes, policies, procedures and data to determine which elements are critical to patient care and central to the organization’s business
Which is NOT one of the three major categories of Security Safeguards identified by HIPAA in the regulations?
- A . Administrative
- B . Professional
- C . Physical
- D . Technical
B
Explanation:
The three identified major categories of Security Safeguards are administrative, physical, and technical.
The criminal penalties for improperly disclosing patient health information can be as high as fines of $250,000 and prison sentences of up to 10 years.
- A . True
- B . False
What is the primary purpose of the National Health Service Corps?
- A . To recruit physicians to provide services in physician shortage areas in the U.S.
- B . To recruit physicians from abroad to work in the United States
- C . To send U.S. physicians to developing countries to provide services to the indigent
- D . To recruit physicians into the military
This hospital is owned by corporations and makes up 15% of hospitals in the United States.
- A . Government
- B . Volunteer
- C . Teaching
- D . Proprietary
Which one of the following is NOT a fundamental component of a Regulatory Security Policy?
- A . What is to be done.
- B . When it is to be done.
- C . Who is to do it.
- D . Why is it to be done
C
Explanation:
Regulatory Security policies are mandated to the organization, but it is up to the organization to implement them.
"Regulatory – This policy is written to ensure that the organization is following standards set by a specific industry and is regulated by law. The policy type is detailed in nature and specific to a type of industry. This is used in financial institutions, health care facilities, and public utilities."
Approximately how many Americans are uninsured?
- A . 16 million
- B . 26 million
- C . 46 million
- D . 66 million
What is the meaning of the term ‘Access’?
- A . All citizens have health insurance coverage
- B . Ability to get health care when needed
- C . Availability of services
- D . Employer-based health insurance
Which of the following information is generally considered confidential?
- A . Demographics
- B . Diagnosis
- C . Billing Information
- D . Dates of Service
- E . All of the Above
A risk assessment report recommends upgrading all perimeter firewalls to mitigate a particular finding.
Which of the following BEST supports this recommendation?
- A . The inherent risk is greater than the residual risk.
- B . The Annualized Loss Expectancy (ALE) approaches zero.
- C . The expected loss from the risk exceeds mitigation costs.
- D . The infrastructure budget can easily cover the upgrade costs.
Assembly and analysis of a discharged patient's record chart.
- A . Record Circulation
- B . Incomplete Record Processing
Copies of patient information may be disposed of in any garbage can in the facility.
- A . True
- B . False
He discovered X-Rays.
- A . Lister
- B . Fleming
- C . Koch
- D . Roentgen
Is an interpretation of a law that is written by the responsible regulatory agency.
- A . Joint Conference
- B . Regulations
- C . Licenses
Which of the following is a potential risk when a program runs in privileged mode?
- A . It may serve to create unnecessary code complexity
- B . It may not enforce job separation duties
- C . It may create unnecessary application hardening
- D . It may allow malicious code to be inserted
A covered healthcare provider with a direct treatment relationship with an individual need not:
- A . provide the notice no later than the date of the first service delivery, including service delivered electronically
- B . have the notice available at the service delivery site for individuals to request and keep
- C . get an acknowledgement of the notice from each individual on stamped paper
- D . post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered healthcare provider to be able to read it
A medical intervention lying on a steeper portion of the aggregate cost-benefit curve indicates a major benefit for a relatively modest cost.
An example of such an intervention would be:
- A . childhood immunizations.
- B . lung transplants.
- C . care for an anencephalic infant.
- D . purchasing MRI scanners to supplement CT scanners.
The management of a rare and complex disorder such as pituitary tumors would be considered an example of:
- A . Primary care
- B . Secondary care
- C . Tertiary care
- D . Both A and B
The inception of _____ was used as a trial balloon for the idea of government-sponsored universal health insurance.
- A . workers’ compensation
- B . trade unions
- C . public health
- D . health care for the veterans
Is a list of all items of business to be discussed.
- A . Minutes
- B . Agenda
Which is not an underlying assumption of a theoretical model of costs and health outcomes?
- A . The relevant outcome is the overall health of a population rather than of an individual.
- B . It is possible to quantify health at a population level.
- C . It is necessary to focus on health outcomes, those aspects of health status directly under the influence of health care.
- D . It is impossible to reduce cost without also reducing health outcomes.
The confidentiality of alcohol and drug abuse patient records maintained by this program is protected by federal law and regulations. Generally, the program may not say to a person outside the program that a patient attends the program, or disclose any information identifying a patient as an alcohol or drug abuser even if:
- A . The person outside the program gives a written request for the information
- B . the patient consent in writing
- C . the disclosure is allowed by a court order
- D . the disclosure is made to medical personnel in a medical emergency or to qualified personnel for research, audit, or program evaluation.
A
Explanation:
A written request from a person outside the program is not by itself a permitted basis for disclosure. The program may disclose only with the patient's written consent, under a court order, or to medical personnel in a medical emergency or to qualified personnel for research, audit, or program evaluation.
In a free market who would pay for the delivery of health care services?
- A . numerous health insurance companies
- B . patients
- C . government
- D . multiple payers
A company whose Information Technology (IT) services are being delivered from a Tier 4 data center, is preparing a companywide Business Continuity Planning (BCP).
Which of the following failures should the IT manager be concerned with?
- A . Application
- B . Storage
- C . Power
- D . Network
Health Information Rights: although your health record is the physical property of the healthcare practitioner or facility that compiled it, the information belongs to you.
You do not have the right to:
- A . obtain a paper copy of the notice of information practices upon request; inspect and obtain a copy of your health record as provided for in 45 CFR 164.524
- B . request a restriction on certain uses and disclosures of your information outside the terms as provided by 45 CFR 164.522
- C . amend your health record as provided in 45 CFR 164.526; obtain an accounting of disclosures of your health information as provided in 45 CFR 164.528
- D . revoke your authorization to use or disclose health information except to the extent that action has already been taken
Covered entities (certain health care providers, health plans, and health care clearinghouses) are not required to comply with the HIPAA Privacy Rule until the compliance date.
Covered entities may, of course, decide to:
- A . involuntarily protect patient health information before this date
- B . voluntarily protect patient health information before this date
- C . after taking permission, voluntarily protect patient health information before this date
- D . compulsorily protect patient health information before this date
Which of the following trust services principles refers to the accessibility of information used by the systems, products, or services offered to a third-party provider’s customers?
- A . Security
- B . Privacy
- C . Access
- D . Availability
D
Explanation:
Availability refers to whether the system and its information are accessible for operation and use as committed or agreed. The AICPA trust services criteria are security, availability, processing integrity, confidentiality, and privacy; "access" is not one of them.
Reference: https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf
Which of the following is an overarching goal of Healthy People 2010?
- A . Decrease health care costs
- B . Create a more coordinated health care system
- C . Establish a national health insurance program
- D . Increase quality and years of healthy life
Which of the following are some common features designed to protect confidentiality of health information contained in patient medical records?
- A . Locks on medical records rooms
- B . Passwords to access computerized records
- C . Rules that prohibit employees from looking at records unless they have a need to know
- D . All of the above
The role of the government in the U.S. healthcare system is:
- A . Regulator
- B . Major financer
- C . Medicare and Medicaid reimbursement rate-setter
- D . All of the above
DRAG DROP
Place in order, from BEST (1) to WORST (4), the following methods to reduce the risk of data remanence on magnetic media.
The First Blue Cross plan was given to teachers at Baylor University allowing them 21 days of hospital care at six dollars a year.
- A . True
- B . False
A multiple payer system is more cumbersome than a single payer system for all of the following reasons except:
- A . There are numerous health plans, which is difficult for providers to handle
- B . Payments are not standardized across health plans
- C . Some healthcare services are covered for people in the north, but not in the south
- D . Government programs require extensive documentation proving services were provided before paying providers
Are there penalties under HIPAA?
- A . No penalties
- B . HIPAA calls for severe civil and criminal penalties for noncompliance, including:
— fines up to $25k for multiple violations of the same standard in a calendar year
— fines up to $250k and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information
- C . HIPAA calls for severe civil and criminal penalties for noncompliance, including:
— fines up to $50k for multiple violations of the same standard in a calendar year
— fines up to $500k and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information
- D . HIPAA calls for severe civil and criminal penalties for noncompliance, including:
— fines up to $100 for multiple violations of the same standard in a calendar year
— fines up to $750k and/or imprisonment up to 20 years for knowing misuse of individually identifiable health information
Handled the first bioterrorism attack in the mail. Also replaced Health Care Financing Administration.
- A . Joint Commission
- B . CMS
- C . HIPAA
Business Associates
- A . are entities that perform services that require the use of Protected Health Information on behalf of Covered Entities. One covered entity may be a business partner of another covered entity
- B . are entities that do not perform services that require the use of Protected Health Information on behalf of Covered Entities. One covered entity may be a business partner of another covered entity
- C . are entities that perform services that require the use of Encrypted Insurance Information on behalf of Covered Entities. One covered entity may be a business partner of another covered entity
- D . are entities that perform services that require the use of Protected Health Information on behalf of Covered Entities. One covered entity cannot be a business partner of another covered entity.
If a state or federal law or regulation grants the client greater access to their PHI, then it will preempt HIPAA.
- A . True
- B . False
You are approached by an individual who tells you that he is here to work on the computers and wants you to open a door for him or point the way to a workstation.
How do you respond to this request?
- A . Provide him with the information or access he needs.
- B . Ask him who at the facility has hired him and refer him to that person for assistance.
- C . Call the police.
The primary objectives of a healthcare system include all of the following except:
- A . Enabling all citizens to receive healthcare services
- B . Delivering healthcare services that are cost-effective
- C . Delivering healthcare services using the most current technology, regardless of cost
- D . Delivering healthcare services that meet established standards of quality
Which of the following is a PRIMARY benefit of using a formalized security testing report format and structure?
- A . Executive audiences will understand the outcomes of testing and most appropriate next steps for corrective actions to be taken
- B . Technical teams will understand the testing objectives, testing strategies applied, and business risk associated with each vulnerability
- C . Management teams will understand the testing objectives and reputational risk to the organization
- D . Technical and management teams will better understand the testing objectives, results of each test phase, and potential impact levels
Hospitals in the United States evolved from
- A . alms houses
- B . sick homes
- C . pest houses
- D . inns
Which of the following forces remains relatively stable, and major shifts in this area would be necessary to bring about any fundamental change in the US health care delivery system?
- A . Economic forces
- B . Political change
- C . Beliefs and values
- D . Social forces
DRAG DROP
During the risk assessment phase of the project the CISO discovered that a college within the University is collecting Protected Health Information (PHI) data via an application that was developed in-house. The college collecting this data is fully aware of the regulations for Health Insurance Portability and Accountability Act (HIPAA) and is fully compliant.
What is the best approach for the CISO?
Below are the common phases to creating a Business Continuity/Disaster Recovery (BC/DR) plan. Drag the remaining BCDR phases to the appropriate corresponding location.
Which racial/ethnic group has the highest rate of uninsurance?
- A . White
- B . Hispanic
- C . Asian or pacific islander
- D . Black or African American
Believed that germs caused death and founded aseptic surgery.
- A . Lister
- B . Koch
- C . Fleming
A continuous information security monitoring program can BEST reduce risk through which of the following?
- A . Collecting security events and correlating them to identify anomalies
- B . Facilitating system-wide visibility into the activities of critical user accounts
- C . Encompassing people, process, and technology
- D . Logging both scheduled and unscheduled system changes
The intent of patient cost sharing at the point of receiving health care services is to:
- A . Discourage the overuse of services among patients.
- B . Discourage physicians from overcharging patients.
- C . Encourage patients to utilize more health care services.
- D . Encourage physicians to provide more effective health care services.
Who monitors the purity of foods and safety of medicines?
- A . Joint Commission
- B . CMS
- C . Medicare
- D . FDA