Question 1

Which definition most accurately describes privacy?&#10;A) The means to ensure health record privacy and confidentiality&#10;B) Accuracy and completeness of health information&#10;C) The rights of individuals to control access to their person or information about themselves&#10;D) An act that has the potential to cause harm to an informational asset

Accepted Answer

Privacy is the rights of individuals to control access to their person or information about themselves. Security is defined as the means to ensure health record privacy and confidentiality. Data integrity is defined as the accuracy and completeness of health information. A threat is an act that has the potential to cause harm to an informational asset.

Question 2

A healthcare provider forgets to update a patient's medications. Which fair information principle is being violated?&#10;A) Correction&#10;B) Openness and transparency&#10;C) Data quality and integrity&#10;D) Safeguards

Accepted Answer

By not keeping a patient's records current and up-to-date, the healthcare provider is violating the fair information principle of data quality and integrity. Correction involves allowing individuals to dispute the accuracy of their information, openness and transparency involve keeping patients informed on policies regarding PHI, and safeguards are actions implemented to protect sensitive data.

Question 3

Which organization works on an international level to improve information privacy?&#10;A) Health and Human Services Office of Civil Rights&#10;B) Health Information Security and Privacy Collaboration (HISPC)&#10;C) Department of Health and Human Services (DHHS)&#10;D) Electronic Frontier Foundation (EFF)

Accepted Answer

The Electronic Frontier Foundation (EFF) maintains a website listing international privacy-related accords and agreements. The Health and Human Services Office of Civil Rights, Health Information Security and Privacy Collaboration (HISPC), and Department of Health and Human Services (DHHS) are all examples of federal and/or state organizations.

Question 4

What is the difference between the safe harbor and expert determination methods of de-identifying data?&#10;A) The safe harbor method involves removal of 18 types of identifiers, and the expert determination method involves the application of statistical or scientific models.&#10;B) The safe harbor method involves the application of statistical or scientific models, and the expert determination method involves removal of 18 types of identifiers.&#10;C) The safe harbor method involves removal of all identifiers, and the expert determination method involves the removal of 18 types of identifiers.&#10;D) The safe harbor method involves securing identifiers in an encrypted database, and the expert determination specifically determines the riskiest identifiers to remove.

Accepted Answer

The safe harbor method involves removal of 18 types of identifiers, and the expert determination method involves the application of statistical or scientific models to de-identify data. None of the other options accurately describes these two methods.

Question 5

What is a negative impact of the increased use of mobile devices in transmitting health data?&#10;A) They support increased health data access for providers.&#10;B) They increase the risk of a security breach.&#10;C) They decrease productivity.&#10;D) They increase the number of medication errors.

Accepted Answer

The largest downfall to the increased use of mobile devices is the increased risk for a security breach. The increased access for providers is a positive impact. Mobile devices have been proven to increase productivity rather than decrease it, and there is no evidence supporting an increase in medication errors due to mobile devices.

Question 6

Which example constitutes an internal security event?&#10;A) Servers containing clinical data were stolen from a facility.&#10;B) A person hacks into a facility's server and steals PHI electronically.&#10;C) A person installs a malicious code past a facility's firewall.&#10;D) A system administrator installed a new server without any security measures.

Accepted Answer

Internal events are those perpetrated (usually accidentally) by people within an institution. A system administrator not taking proper security measures would be an example of this. The remaining examples are all external events.

Question 7

An organization implements a policy on installing software service packs on all its computers. This is an example of which type of control?&#10;A) Administrative&#10;B) Technical&#10;C) Physical&#10;D) Electronic

Accepted Answer

Administrative controls include establishing and adhering to security policies and procedures as well as dedicating resources to security. Implementing a policy on installing and updating service packs would be an example of administrative controls. Physical controls are actual physical methods to protect inappropriate access to PHI. Technical controls are using technology to protect against inappropriate access to PHI. Electronic controls is not an accurate term.

Question 8

What are some examples of indirect costs to organizations that have security breaches? (Select all that apply.)&#10;A) Lost productivity&#10;B) Expensive fines&#10;C) Damaged public trust&#10;D) Remediation costs&#10;E) Repeating medical procedures

Accepted Answer

Indirect costs to an organization with security breaches are lost productivity, damaged public trust, and remediation costs. Fines are a direct penalty. Security breaches don't generally cause a need for an organization's healthcare workers to redo or repeat medical procedures.

Question 9

Which are examples of secondary use of health information? (Select all that apply.)&#10;A) Treatment&#10;B) Surveillance&#10;C) Research&#10;D) Marketing&#10;E) Prevention

Accepted Answer

The three most common secondary uses of personal health information include public health monitoring or surveillance, research, and marketing. Treatment for and prevention of illness would be primary uses of health information.

Question 10

Which principles are included in IMIA's Code of Ethics for informatics? (Select all that apply.)&#10;A) Information-Privacy and Disposition&#10;B) Openness&#10;C) Elimination of Threats&#10;D) Legitimate Infringement&#10;E) Accountability

Accepted Answer

IMIA's Code of Ethics for informatics includes Information-Privacy and Disposition, Openness, Security, Access, Legitimate Infringement, Least Intrusive Alternative, and Accountability. While threat elimination is a worthy goal, it is not a specific principle.

Deck 26: Privacy and Security