HIPAA Security Rule

Question 1

2 purposes of the Security Rule

Answer 1

1. implement appropriate security safeguards to protect ePHI
2. Protect an indv health info

Question 2

What does the Security Rule protect?

Answer 2

electronic PHI

Question 3

Difference between Privacy and Security Rules

Answer 3

Privacy: protects PHI regardless of medium

Security: ePHI

Question 4

Which office enforces the security rule?

Answer 4

Office for Civil Rights of HHS

Question 5

What does it mean to “protect” the data?

Answer 5

CEs must ensure integrity and confidentiality

Question 6

What is integrity?

Answer 6

Lack of alteration of destruction in an unauthorized manner

Question 7

What is a key characteristic of the Security Rule?

Answer 7

It must be flexible

(NOTE: small orgs cannot implement the same as large orgs).

Question 8

Security Rule: Required (R) implementation

Answer 8

Must be implemented as laid out

Question 9

Security Rule: Addressable (A) implementation

Answer 9

Must be implemented as laid out OR in an alternate manner OR documented if not needed

Question 10

Can addressable implementation specifications be ignored?

Answer 10

No

Question 11

5 components of HIPAA Security Rule

Answer 11

A. General Requirements
B. Flexibility of Approach
C. Standards
D. Implementation Specifications
E. Maintenance

Question 12

HIPAA Security Rule: A- General Requirements (4)

Answer 12

• ensure confidentiality and integrity
• protect ePHI from threats
• protect against reasonably anticipated ePHI uses/disclosures
• ensure workforce compliance

Question 13

HIPAA Security Rule: B- Flexibility of Approach (4)

Answer 13

• CE size and complexity
• security capabilities
• cost of security measures
• risk management

Question 14

HIPAA Security Rule: C- Standards Safeguards (5)

Answer 14

1. Administrative
2. Physical
3. Technical
4. Org Requirements
5. Policies, Procedures and Documentation

Question 15

Admin Safeguards (Security management process)

Answer 15

Implement procedures to prevent, detect, contain, and correct security violations

Ex:
- Risk analysis (R)
- Risk management (R)
- Sanction policy (R)
- Info system activity review (R)

Question 16

Admin Safeguards (Security management process) - Sanction Policy

Answer 16

(R) Apply sanctions for non-compliance

Question 17

Admin Safeguards (Security management process) - Info System Activity Review

Answer 17

(R) regular procedures to review system activity

Question 18

Admin Safeguards (Assigned Security Responsibility)

Answer 18

(R) identifying security official to develop and implement security policies

Question 19

Admin Safeguards (Workforce Security)

Answer 19

Policies to ensure appropriate access to ePHI

Ex:
- Authorization/Supervision (A)
- Clearance procedures (A)
- Termination procedures (A)

Question 20

Administrative Safeguards: Info Access Management

Answer 20

Procedures authorizing access to ePHI

ex:
- Isolate clearinghouse functions (R)
- access authorization (A)
- access establishments & modifications (A)

Question 21

Administrative Safeguards: Security Awareness Training

Answer 21

Implementing a security and awareness training program for workforce members

Ex:
- security reminders (A)
- login monitoring (A)
- Password management (A)

Question 22

Administrative Safeguards: Security Incident Reporting

Answer 22

policies to address security incidents

Ex:
- Response & reporting (R)

Question 23

Administrative Safeguards: Contingency Plan

Answer 23

Policies for responding to an emergency or other occurrence that may damage ePHI

Ex:
- Data backup plan (R)
- Disaster recovery (R)
- Emergency mode operation (R)
- Testing & revision procedures (A)
- Application and data criticality analysis (A)

Question 24

Administrative Safeguards: Evaluation

Answer 24

Performing periodic technical and non-technical evaluations (R)

Question 25

Administrative Safeguards: BA Contracts & Other Arrangements

Answer 25

CEs permit BAs to deal with ePHI on their behalf in a written contract

Question 26

Three instances where BA cannot transmit ePHI

Answer 26

1. transmission to provider for treatment 2. transmission to a health plan 3. transmission when CE is a gov health plan providing public benefits

Question 27

4 categories of physical safeguards

Answer 27

1. Facility Access Controls 2. Workstation Use 3. Workstation Security 4. Device and Media Controls

Question 28

Physical Safeguards: Facility Access Controls

Answer 28

Limiting physical access to e-info and facilities where they are housed Ex: - Contingency Operations (A) - Facility Security Plan (A) - Access Control and Validation Procedures (A) - Maintenance Records (A)

Question 29

Physical Safeguards: Workstation Use

Answer 29

Policies that specify the proper work functions (R)

Question 30

Physical Safeguards: Workstation Security

Answer 30

Physical safeguards for workstations that access ePHI (R)

Question 31

Physical Safeguards: Device and Media Controls

Answer 31

Policies that govern the receipt/removal of hardware and e-media containing ePHI Ex: - Disposal (R) - Media Re-Use (R) - Accountability (A) - Data Backup and Storage (A)

Question 32

5 categories of Technical Safeguards

Answer 32

1. Access Control 2. Audit Controls 3. Integrity 4. Person or Entity Authentication 5. Transmission Security

Question 33

Technical Safeguards: Access Control

Answer 33

Implementing measures so ePHI is only accessed by those with access Ex: - Unique User Identification (R) - Emergency Access Procedures (R) - Automatic Logoff (A) - Encryption and Decryption (A)

Question 34

Technical Safeguards: Audit Controls

Answer 34

Measures that record/examine activity

Question 35

Technical Safeguards: Integrity

Answer 35

Measures that protect ePHI from improper alteration or destruction Ex: - Mechanism to authenticate ePHI (A)

Question 36

Technical Safeguards: Person or Entity Authentication

Answer 36

Measures to validate person/vendor seeking access (R)

Question 37

Technical Safeguards: Transmission Security

Answer 37

Measures to guard against unauthorized access to ePHI transmitted over electronic communication network Ex: - Integrity controls (A) - Encryption (A)

Question 38

Two Categories of Organizational Requirements

Answer 38

1. BA Contracts or other arrangements 2. Group Health Plans

Question 39

Organizational Requirements: BA Contracts or other arrangements Must Have.... (3)

Answer 39

- BA compliance - subcontractors compliance - reporting to CE of security incidents

Question 40

Organizational Requirements: Group Health Plans

Answer 40

Requires plan sponsor to reasonably and appropriately safeguard ePHI Ex: - Plan Document (R)

Question 41

Can policies and procedures be changed?

Answer 41

Yes, as long as the changes are documented

Question 42

HHS Recommended Implementation Steps

Answer 42

1. Assess current security and risks/gaps 2. Develop a plan 3. Implement solutions 4. Document decisions

Question 43

HIPAA Security Rule:Security Officer Designation

Answer 43

Individual assigned to be responsible for overseeing the information security program

Question 44

HIPAA Security Rule: Part (e) - Maintenance

Answer 44

a continuing review of the reasonableness and appropriateness of a CE's or BA’s (or subcontractor’s) security measures

Question 45

Patient Matching Errors

Answer 45

info is mismatched or not included in a pt's record

Question 46

Types of Security Threats (3)

Answer 46

- Human (internal vs external) - Natural - Environmental (internal vs external)

Question 47

Examples of internal threats (2)

Answer 47

- lack of MFA - victims of phishing

Question 48

Examples of external threats (1)

Answer 48

- identity theft

Question 49

Types of Medical Identity Theft (2)

Answer 49

1. use w/out consent to obtain medical services 2. Use to obtain money by falsifying claims

Question 50

HITECH Act and Medical ID Theft Red Flags

Answer 50

Red flags to capture medical identity theft

Question 51

Common Security Mechanisms (4)

Answer 51

- biometric identification - automatic log off - termination access - audit trail

Question 52

Firewall protection

Answer 52

A hardware or software that examines traffic entering and leaving a network

Question 53

Viruses: File Infectors

Answer 53

Attach to program files

Question 54

Viruses: System or Boot-Record Infectors

Answer 54

Infect areas of hard disks or diskettes

Question 55

Viruses: Macro Viruses

Answer 55

Infects Microsoft Word application, inserting unwanted words or phrases

Question 56

Viruses: Worm

Answer 56

Stores and replicates itself

Question 57

Viruses: Trojan Horse

Answer 57

Destructive programming code that hides itself in another piece of programming code