CHPC Privacy Program Management Questions and Answers

Question 1

A healthcare organization is conducting its annual HIPAA Security Rule risk analysis. Which of the following is the PRIMARY objective of this process?

Accepted Answer

To identify and implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Answer

To eliminate all possible threats to electronic protected health information (ePHI).

Answer

To satisfy the Meaningful Use core objective for protecting electronic health information.

Answer

To purchase a certified Electronic Health Record (EHR) technology.

Question 2

As part of managing a privacy program, the Privacy Officer is responsible for developing and implementing policies and procedures. According to the HIPAA Privacy Rule, which of the following areas requires a specific policy that identifies which workforce members need access to PHI to carry out their duties?

Accepted Answer

The 'Minimum Necessary' standard for internal access and use.

Answer

Patient's right to request an amendment of their PHI.

Answer

The process for reporting a breach to the media.

Answer

The technical specifications for encrypting data at rest.

Question 3

A hospital's Privacy Officer receives a verbal complaint from a patient who believes their PHI was impermissibly shared. What is the most appropriate FIRST step the Privacy Officer or their designee should take in handling this complaint?

Accepted Answer

Ask the patient to submit the complaint in writing and begin an internal investigation.

Answer

Immediately report the potential breach to the Office for Civil Rights (OCR).

Answer

Offer the patient a financial settlement to resolve the issue quickly.

Answer

Discipline the employee accused of the impermissible sharing.

Question 4

Which of the following is a critical, non-technical component of an effective privacy training and awareness program within a healthcare organization?

Accepted Answer

Establishing a sanction policy for workforce members who fail to comply with privacy policies.

Answer

Implementing multi-factor authentication for all systems containing ePHI.

Answer

Conducting annual penetration testing of the organization's network.

Answer

Deploying an intrusion detection system to monitor for malicious activity.

Question 5

A Privacy Officer is tasked with ensuring their organization's audit controls are compliant with the HIPAA Security Rule. Which of the following best describes the function of 'audit controls' in this context?

Accepted Answer

Implementing mechanisms to record and examine activity in information systems that contain or use ePHI.

Answer

Preventing unauthorized physical access to facilities where ePHI is stored.

Answer

Assigning a unique name or number for identifying and tracking user identity.

Answer

The formal, external review of financial records by a certified public accountant.

Question 6

When developing a comprehensive privacy program, a Privacy Officer must create numerous policies and procedures. For which of the following documents must the organization retain a copy for at least six years from the date of its creation or the date when it last was in effect, whichever is later?

Accepted Answer

The organization's Notice of Privacy Practices.

Answer

Individual employee training completion certificates for a single year.

Answer

A patient's signed authorization for a one-time disclosure of PHI.

Answer

Monthly reports from the network intrusion detection system.