kkt2352's version from 2017-04-11 02:37

Section 1

Question | Answer
The right of an individual to limit access to information about his or her person. | Privacy
Physician may not disclose any medical information revealed by a patient or discovered by the physician in connection with the treatment of care. | Confidentiality
The protection measures and tools for safeguarding information and information systems. | Security
1. Management practices 2. Physical Safeguards 3. Technical Measures | Information Security Protective Measures
Ex. Prohibiting employees from sharing their passwords | Management Practices
Ex. Ensuring doors to areas that house major computer systems are locked or otherwise secured to keep out unauthorized persons. | Physical Safeguards

Section 2

Question | Answer
Ex. Ensuring that only certain passwords allow an individual access to patient data | Technical Measures
1. Protecting the privacy of data 2. Ensuring the integrity of data 3. Ensuring the availability of data | Main elements of a security program
Defending or safeguarding access to the information (only individuals who need to know the info have access to it) | Protecting the privacy of data
Data is complete, accurate, consistent, and up-to-date. Data that has not been altered or destroyed in an unauthorized manner. | Ensuring the integrity of data
Data is accessible whenever and wherever it’s needed, without error. | Ensuring the availability of data
Charged with oversight for the Privacy and Security Rule; monitors and investigates reports of breaches: theft, hacking, loss (laptop, media) | Office of Civil Rights
A violation of policy or standards developed to ensure security | Security Breaches
A person’s healthcare information is misrepresented and used in an unauthorized way. | Medical Identity theft

Section 3

Question | Answer
1. Threats from insiders who make unintentional mistakes | Employee accident, human error
2. Threats from insiders who abuse their access privileges to information | An employee who discloses confidential info on purpose, to snoop or to help others snoop
3. Threats from insiders who abuse information or computer systems for spite or profit | Employees who seek information for the purpose of committing fraud or theft.
4. Threats from intruders who attempt to access information or steal physical resources. | Individual comes onto property to steal physical stuff, i.e. laptop, printer, records…
5. Threats from vengeful employees or outsiders who mount attacks on the organization’s information system | Physically destroy property, delete/alter data maliciously
Threats caused by environmental and hardware/software factors | Natural disasters; utility, software, and hardware failures; electrical outages, power surges; intentional software intrusion (malware)

Section 4

Question | Answer
Software designed to invade another person’s or business’s computer system with malicious intent | Malware
A program that reproduces itself and attaches itself to legitimate programs on a computer | Computer viruses
A program that copies itself and spreads throughout a network (doesn’t need to attach itself to a legitimate program) | Computer worms
A program that gains unauthorized access to a computer, hides as a useful function, and copies confidential files | Trojan horse
Program that tracks a user’s activity (ex. cookies) | Spyware
Program that bypasses the normal authentication process and gives access to a computer system | Backdoor program
Gains unauthorized access to a computer and gains control over the operating system | Rootkit

Section 5

Question | Answer
Chief Security Officer. Coordinates the development of security policies and ensures that they are followed. | CSO
Developing a business continuity plan; conducting risk assessment of the enterprise information system; coordinating employee security training | Common functions of a CSO
Encompasses the identification, management, and control of an unfavorable event. Incident detection (identifies both accidental and malicious events) | Component of a security program 1. Risk management
Being able to identify which employees should have access to what data. Employees should only have access to data they need to do their job. Access Controls (identification, authentication, and authorization) | Component of a security program 2. Access Safeguards
Username / user number | Identification
Something you know (password), something you have (smart card), or something you are (biometrics) | Authentication
Right or permission given to an individual to use a computer resource or access specific data | Authorization
Physical protection of information resources such as doors, locks, keypads, cameras, and alarms. Administrative safeguards (policies and procedures that address the management of computer resources) | Component of a security program 4. Physical safeguards
Controls contained in the application software or computer program. Audit trail (software program that tracks every single access to data in the computer system) | Component of a security program 5. Software application safeguard

Section 6

Question | Answer
Strategy to guard against security breaches within or external to the organization. | Network Safeguards
Designed to block unauthorized access while permitting authorized communication | Types of Network Safeguards 1. Firewall
Method of encoding data so they are not understood by persons who do not have the key to transform the data to its original form. | Types of Network Safeguards 2. Encryption
Allows an organization to handle an unexpected computer shutdown caused by an intentional or unintentional event or during a natural disaster | Business Continuity Plan (BCP), aka Contingency and disaster planning
Was passed in 1996, aka Public Law 104-191. In July 2009, enforcement moved from CMS to the OCR | HIPAA (Health Insurance Portability and Accountability Act)
Under ARRA; mandated improved enforcement of the Privacy Rule and Security Rule | HITECH Act
Creation of a Chief Privacy Officer position within the ONC; prohibits the sale of e-PHI without patient authorization | Highlights of ARRA
A person or organization, other than a member of a covered entity’s workforce, that performs functions or activities on behalf of or for a covered entity that involve the use or disclosure of protected health information (ex. consultants, billing companies, transcription companies). A BA agreement or contract is a safeguard | Business Associate

Section 7

Question | Answer
Employees with audit responsibilities (managers, directors, CSO) review access logs, audit trails, failed logins, and other reports generated to monitor compliance with policies and procedures. Looking for employees viewing: VIP records, other employee records, files of minors | Trigger events
Administrative Safeguards; Physical Safeguards; Technical Safeguards; Organizational requirements; Policies and procedures and documentation requirements | HIPAA Security Provisions: Security Rule Standards
The Privacy Rule applies to all forms of patients’ protected health information (electronic, written, or oral); the Security Rule covers only protected health information in electronic form. | Electronic vs. Oral and Paper: Privacy Rule vs. Security Rule
HITECH Act addition that requires both HIPAA-covered entities and non-covered entities (PHR vendors) that have custody of e-PHI to identify e-PHI breaches and make appropriate notifications. | Breach Notification
HIPAA data security provision that provides the objective and scope for the HIPAA Security Rule as a whole. Specifies that covered entities must develop a security program that includes a range of security safeguards that protect PHI maintained or transmitted in electronic form. | General Rules

Section 8

Question | Answer
They require the facility to establish a security management process. Detail how the security program should be managed from the organization’s perspective. Each covered entity must assign a CSO to develop and implement the policies and procedures required by the HIPAA Security Rule. | Administrative Safeguards
Protection of computer systems from natural and environmental hazards and intrusions (ex. locks and badges) | Physical Safeguards
The provisions include those things that can be implemented from a technical standpoint using computer software (ex. Access Control, Audit Control, Integrity Control, Person or Entity Authentication, Transmission Security) | Technical Safeguards
BA or other contracts: covered entities must obtain a written contract with BAs or other entities (hybrid or other) who handle e-PHI. Covered entity responsibilities: must monitor the practices of its BAs and other similar arrangements and take reasonable steps to prevent breaches. | Organizational Requirements
Covered entities and BAs must implement and maintain policies and procedures in written form, in compliance with HIPAA security standards. Documentation must be maintained for 6 years from the date of its creation or the date when it last was in effect, whichever is later. | Policies, Procedures, and Documentation Requirements