CITI – SoCRA Researchers

HIPAA allows healthcare organizations to control many information decisions. However, where the patient retains control, which of the following is true?

If a person has a right to make a healthcare decision, then generally that person has a right to control information associated with the decision.

HIPAA’s "incidental uses and disclosures" provision excuses deviations from the minimum necessary standard. What is excused?

Truly accidental "excess" uses and disclosures, where reasonable caution was otherwise used and there was no negligence.

Privacy, in the health information context, refers to:

The rules about who can access health information, and under what circumstances.

Under the federal HIPAA regulations, state health privacy laws:

Can remain in force if "more stringent" than HIPAA, complementing HIPAA’s foundation of protections, provided there is no direct conflict in requirements.

With respect to permissions for uses and disclosures, HIPAA divides health information into three categories. Into which category does information related to "treatment, payment and health care operations" go?

Information related to treatment, payment, and healthcare operations may generally be used or disclosed without any specific permission, at least under HIPAA. State law may set a higher standard.

Which of the following is a correct statement about the balance among prevention, detection, and response (PDR)?

The greater the sensitivity and quantity of the data at issue, the more carefully the balance among these three must be evaluated.

Which of these is not generally a good practice for telephone use?

Using voicemail systems and answering machines that do not require a password or PIN for access.

Which of these is generally not a good practice with respect to oral communications (that is, talking) in organizations like healthcare facilities?

Use of full names in public areas or on intercom/paging systems, because there is no security issue with identifying persons in public areas and using full names helps avoid misidentification.

Which of these is not generally a good practice for fax machine use?

Sensitive faxes — inbound or outbound — are left sitting in or around the machine.

Fines and jail time (occasionally) for information security failures are:

Generally, only applied for serious, deliberate misuse, where someone intentionally accesses data in order to do harm or for personal gain.

Which of the following are important for protecting computing devices and systems?

– Physical safeguards like a secure space protected by locked doors, etc.
– Technical safeguards like passwords, encryption, and protective software.
– Administrative safeguards like rules against sharing passwords.

Which of these is not a good security practice for web browsing?

Browsing to sites using links sent in emails without taking steps to assure the destination is safe.

Which of the following is a good practice if one wishes to avoid "social engineering" attacks?

– Taking appropriate steps to confirm a person’s (or site’s) identity for any transaction that involves sensitive data.
– Not opening attachments or clicking on links in messages, emails, or on websites unless absolutely sure of the source’s authenticity.
– Using strict procedures when it is necessary to exchange an authentication credential like a password, PIN, account number, or other personal data that is critical to establishing personal identity.
– Being cautious any time someone asks for sensitive information, whether by phone, fax, email, or even in person. It could be a phishing scam.

Which of these is not a good practice for protecting computing devices?

Login and screen-saver passwords, or token or biometric mechanisms, are disabled to make it easier to use the device quickly.

Which of these is not a good security practice for email?

Sending sensitive information in email messages or in attachments to such messages, as long as a legally-binding confidentiality notice is included.
