HI150
Chapter 12: Privacy & Security
Question | Answer |
---|---|
Access controls | are the technical policies and procedures used to control access to ePHI |
Administrative safeguard | are standards designed to manage the security of ePHI through a comprehensive security program & to direct the actions of the facility workforce. |
Administrative simplification | is to improve the efficiency and effectiveness of the business processes of healthcare by standardizing the electronic data interchange of administrative and financial transactions. It was also designed to protect the privacy and security of PHI |
ASC X12 standard | the transactions for which it is used are: claims, encounters, and coordination of benefits; remittance advice; eligibility inquiry and response; precertification and referral authorization; enrollment in a health plan; premium payment |
Audit controls | one component of the security monitoring program. Mechanisms that record and examine activity in information systems |
Audit reduction tool | reviews the audit trail, compares it to facility-specific criteria, and eliminates routine entries such as periodic backups |
Audit trail | is the record of system activities such as login, logout, unsuccessful logins, print, query, and other actions. It also records user identification information and the date and time of the activity. |
Biometrics | use information about the person in order to access the data center, an information system, or other secured area. |
Business associate | individuals or organizations who perform work on behalf of the covered entity that requires access to PHI |
Certified in Healthcare Privacy and Security (CPHS) | designed specifically for healthcare. The credential is an area of specialization and is much more advanced than the privacy and security skills of the Registered Health Information Administrator or Registered Health Information Technician examinations |
Certified Information Systems Security Professional (CISSP) | is a general security certification. The certification is sponsored by the International Information Systems Security Certification Consortium [(ISC)2]. It is a generic security certification and therefore is not healthcare specific. |
Code sets | a set of codes used to encode data elements. These codes record medical diagnoses, procedures, drugs, dental procedures, and other data elements. |
Contingency plan | policies and procedures that identify how a healthcare facility will react in the event of an information system emergency such as power failure, natural disaster or a system failure. |
Covered entity | a health plan, healthcare clearinghouse, or healthcare provider that transmits any health information in electronic form for one of the covered transactions |
Data recovery | process of recouping lost data or reconciling conflicting data after the system fails. |
Degaussing | is application of a magnetic field to the media to render the data on it useless |
Denial of service | is a type of malware that is designed to overload a Web site or other information system so that the system cannot handle the load and eventually shuts down |
Designated standard maintenance organizations (DSMO) are responsible for developing & maintaining standards | Accredited Standards Committee X12, Dental Content Committee of the American Dental Association, Health Level 7, National Council for Prescription Drug Programs, National Uniform Billing Committee, National Uniform Claim Committee |
Electronic data interchange | the transfer of data from one point to another without human intervention which can significantly improve the efficiency of healthcare |
Electronic protected health information (ePHI) | |
Encryption | converts data from a readable form to unintelligible text |
Facility access controls | limit physical access to authorized information system staff to the data centers where the hardware and software for the electronic information systems are held. |
Firewall | is designed to control access to a network from the outside or to control access to the outside from the facility |
Forensics | is the process used to gather intact and validated evidence and is the process that should be used to gather evidence of the security incident. |
Health Insurance Portability and Accountability Act of 1996 (HIPAA) | impacts many areas of healthcare such as insurance portability, code sets, privacy, security, and national identifier standards. |
Information system activity review | the periodic review of the security controls |
Integrity | is the security principle that protects data from inappropriate modification or corruption. |
Intrusion detection and response | “is the act of monitoring systems or networks for unauthorized users or unauthorized activities and the actions taken for correction to these acts.” |
Malicious software | is designed to harm a computer. |
Mitigation | is the process of attempting to reduce or eliminate harmful effects of the breach |
Network security | is using technology to protect the data transmitted across the network and includes firewalls, encryption, and data integrity. |
One-factor authentication | Passwords are commonly used in conjunction with a username or identifier. It only uses something you know |
Passwords | should contain at least 7 characters, upper- and lower-case letters, and a special character |
Person or entity authentication | is required to prove a person's identity |
Phishing | is an e-mail that appears from a legitimate business that asks for account number or other personal information. |
Physical safeguards | physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion |
Privacy | is the right of a patient to control disclosure of personal information |
Privacy rule | controls how covered entities may use PHI |
Protected health information (PHI) | is individually identifiable health information that covered entities or their business associates transmit or maintain in any form or format. |
Redundancy | is duplication of data, hardware, cables, or other components |
Risk analysis | is the analysis and documentation of potential threats to data security |
Security 1st definition | to control access & protect information from accidental or intentional disclosure to unauthorized persons & from unauthorized alteration, destruction, or loss. |
Security awareness training | provides employees of the covered entities with information and basic knowledge of security policies and procedures of the organization. |
Security event | is a poor security practice that has not led to harm. |
Security incident | attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system |
Security management plan | to reduce the risk of incidents. Must include the policies required to prevent, identify, control, and resolve security incidents |
Security official aka chief security officer (CSO) is responsible for | developing the security goals & objectives, determining how the goals & objectives will be met. Advising administration regarding information security. Determining reporting procedures. Conducting adequate risk assessment & determining the appropriate lev |
Security rule | defines the minimum that a covered entity must do to protect ePHI, which is PHI that is 'created, received, or transmitted by covered entities' |
Spoliation | unintentional destruction or alteration of evidence |
Spyware | may be used to track keystrokes and passwords, monitor Web sites visited, or other actions, and report these actions back to the creator of the spyware. |
Technical safeguard | the technology and the policy and procedures for its use that protect electronic protected health information and control access to it |
Telephone callback procedures | The user dials into the system and the system requests the phone number from which the call originates. If the phone number is an authorized number, the user is allowed into the system. |
Termination process | changes to the access level as the individual's role changes in the organization. |
Token | is used in conjunction with a password to provide two-factor authentication: something you know and something you have |
Transactions and Code Sets rule | was designed to standardize transactions performed by healthcare organizations. The standards apply to electronic transactions only. |
Transmission security | is mechanisms designed to protect ePHI while the data are being transmitted between two points. |
Trigger | The security audit process should include __ that identify the need for a closer inspection. |
Two-factor authentication | example is username and password |
Username | is usually based on the individual’s name, but it could be some other assigned user identification. |
Virus | is designed to perform a variety of destructive behaviors. |
Workforce clearance procedure | ensures that each member of the workforce's level of access is appropriate |
Worm | installs itself onto a computer attached to a computer network and then moves to all computers on a network. |
Security 2nd definition | physical protection of facilities & equipment from theft, damage, or unauthorized access; collectively, the policies, procedures, and safeguards designed to protect confidentiality of information, maintain the integrity & availability of information syste |
Healthcare clearinghouse | collects billing data and processes it for the healthcare provider, then submits the claim to the health plan for payment. |
The covered transactions that HIPAA addresses are | health plan premium payments, enrollment or disenrollment in a health plan, eligibility, referral certification and authorization, claims, payment & remittance advice, claim status, coordination of benefits, health claims attachment, 1st report of injury |
Exceptions to the HIPAA covered entity rule | such as small providers who bill the Medicare fiscal intermediary but have less than 25 full-time employees. |
The American Recovery & Reinvestment Act was passed in Feb 200 which | created greater privacy and security restrictions. At the time of publication, specific standards were not available for inclusion |
HIPAA mandates the use of certain coding systems in the reporting of diagnoses, procedures, drugs, and more on medical and dental claims. The standards are | ICD-9, CPT 4th edition, HCPCS, CDT-2 (Code on Dental Procedures and Nomenclature, 2nd edition), NDC |
PHI identifiers | name, address, #, Fax #, email, SSN, record #, insurance plan #, acct #, certificate/license #, VIN/ser #, license plate #, device #, URLs, IP, Biometrics, images full face |
To be subject to HIPAA, an organization must meet the definition of a | covered entity |
One of the purposes of the administrative simplification title is to: | improve efficiency & effectiveness of healthcare business processes |
Which of the following is an example of the designated code set? | ICD-9-CM |
Which of the following would make patient information PHI? | account number |
The document that tells patients how PHI is used is called: | notice of privacy practices |
The goals of HIPAA security rule are to | ensure the confidentiality, integrity, & availability of the ePHI |
Confidentiality is | providing access to ePHI to only those who need it |
Integrity is | ensuring that data are not altered either during transmission across a network or during storage |
Availability is | ensuring that ePHI is available to authorized users whenever it is needed |
Scalable means | the DHHS allows covered entities to take into consideration the size, complexity, & capabilities of the organization when developing the compliance strategy |
Security rule was developed to be | technology neutral and scalable. |
Security threats come from three sources: | human, environmental, natural disasters |
The security rule is designed to ensure that ePHI remains | confidential & is protected from unauthorized disclosure, alteration, or destruction |
Security rule utilizes | administrative as well as technical safeguards in order to protect the ePHI |
security rule has standards related to | administrative safeguards, physical safeguards, technical safeguards, |
Administrative safeguards are people-focused and | include requirements such as training assignment of an individual responsible for security |
physical safeguards are | mechanisms in place to protect hardware, software, and data |
technical safeguards use | technology to protect data & to control access to the data |
the portion of the security rule that provides direction to the covered entity in compliance is called | implementation specification |
a healthcare organization can consider size & complexity of the organization when developing the security plan. This is called: | scalable |
What type of safeguard is more people-focused in nature? | administrative |
There are some standards where a covered entity can determine whether or not those standards are reasonable and appropriate. This concept is called: | addressable |
Construction workers accidentally cut the power to the data center. This is an example of: | human error |
Administrative safeguards include | security management, assigned security responsibility, workforce security, information access management, security awareness & training, security incident procedures, contingency plan, evaluation, & business associate contract and other arrangements |
Administrative actions, & policies & procedures, to manage the selection, development, implementation, & maintenance of security measure to protect electronic protected health information and to manage the conduct of the covered entity's workforce in rel | administrative safeguards |
the risk analysis includes | estimating the potential costs associated with security breaches and how much it would cost to develop safeguards to prevent these incidents from happening. |
The document that includes policies and procedures to prevent, identify, control, and resolve security incidents is called | security management plan |
Employees who violate HIPAA are subject to what policy? | sanction |
Security controls should be monitored periodically for effectiveness. This review is called: | information system activity review |
The individual assigned the responsibility of managing the security process is called: | security official |
The face-to-face training classes should be supported with periodic security reminders, which could take several formats, including | screen savers with security reminders, periodic e-mail with security reminders, articles or statements in a newsletter, notices posted in public areas such as the cafeteria |
Documentation of the training "security awareness" must be retained for | 6 years |
Forensics steps | documentation of the investigation conducted, protection and preservation of any evidence found, the logs reviewed, and reports, documentation of the chain of custody (who had access), the use of an exact copy of the media in the investigation |
During the course of forensics investigation a number of steps may be taken such as | recovering deleted files, recovering passwords, analyzing file access creation and modification times, analyzing system and application logs, determining user and application activity on a system |
Poor security practices that do not lead to disclosure of ePHI are called: | security events |
A security breach has been reported. What concept describes the process used to gather evidence | Forensics |
If the EHR crashes, what plan should be implemented? | contingency |
Security awareness training must be provided to | all members of the workforce |
HIPAA calls an organization that conducts business on behalf of the covered entity and requires access to PHI to perform this work an | business associate |
Using a magnet to destroy data on a magnetic disk is called | degaussing |
An example of a facility access control is | escorting visitors in the data center |
Which statement is true | Physical safeguards include not only hardware but data as well |
Backup disks should be stored: | in an area that would not be subjected to the same natural disasters as the original data |
Physical safeguards include: | hardware, software, and backup tapes |
Technical safeguards standards are | access control, audit controls, integrity, person or entity authentication, transmission security |
HIPAA technical safeguards | access control, audit controls, integrity, person or entity authentication, transmission security |
An emergency access procedure must be in place so that the individual can access the ePHI required. This situation occurs during a medical emergency. This access is frequently called | break the glass |
Audit controls 4 purposes | hold individual users personally responsible for their actions, use an investigation tool to identify cause of problem, how bad the problem is, and how to restore the system back to normal operations. Use real-time monitoring to identify breaches, technic |
Methods of authentication | something the individual knows, such as a password or personal identification number. Something the individual has, such as a smart card or token. Something unique to the individual, such as biometrics. |
An example of a technical safeguard is | Policy and procedure |
Verifying that the data sent is the same as the data received is called: | Integrity |
bob.smith is an example of: | Username |
A token is an example of: | Something you have |
The phrase “break the glass” refers to: | Emergency access procedure |
Examples of triggers are | user has same last name as patient • patient is a celebrity, employee, or other public figure • access to sensitive diagnoses • care providers accessing a patient in whose care they were not involved |
packet filtering | The term used to describe the data passing through the firewall |
Symmetric encryption | assigns a secret key to data. The computer sending the data uses the key to turn the message into the unintelligible format. |
In asymmetric encryption, also known as public key infrastructure, | two keys are used. The sending computer uses a private key to convert the data. The public key is provided to the computer with whom the sender is communicating. This public key converts the data into readable format. |
An activity, based on facility standards, that should be reviewed to determine whether or not it is a security incident is a(n): | trigger |
What audit control tracks when a user logs in and out of the system? | audit trail |
Audit trails should be stored: | On a different computer from the data |
A type of network security is: | Encryption |
The network security method of monitoring data entering and leaving the network is called: | firewall |
Masqueraders | give the appearance of being exactly what the user needs, but when activated actually perform malicious actions. |
An e-mail that looks legitimate but is actually trying to obtain personal information is called: | phishing |
The term used to describe viruses and spyware is called: | malicious software |
The security rule is enforced by: | Centers for Medicare and Medicaid Services |
Policies and procedures related to HIPAA must be retained for _____ years. | 6 |
For civil violations of HIPAA, what is the maximum financial penalty that a covered entity could be awarded for each requirement violated? | $25,000.00 |