CHPC Privacy Risk Management Questions and Answers

Question 1

A large health system is planning to implement a new enterprise-wide electronic health record (EHR) system.
To proactively identify and mitigate potential privacy risks before the system goes live, which of the following tools is MOST appropriate to use?

Accepted Answer

A Privacy Impact Assessment (PIA)

Answer

A breach risk assessment

Answer

A security risk analysis

Answer

A business continuity plan

Question 2

A compliance officer is explaining the distinction between HIPAA's Risk Analysis and Risk Management requirements to a new privacy analyst. Which statement BEST summarizes the relationship between these two components?

Accepted Answer

Risk Analysis is the process of identifying and evaluating potential risks and vulnerabilities, whereas Risk Management is the process of implementing measures to reduce those identified risks.

Answer

Risk Analysis is the process of purchasing insurance to transfer risk, while Risk Management is the process of accepting residual risk.

Answer

Risk Analysis involves implementing security controls, and Risk Management is the process of documenting those controls.

Answer

Risk Analysis and Risk Management are interchangeable terms for the same ongoing process of vulnerability scanning.

Question 3

A hospital employee accidentally faxes a patient's discharge summary, which includes their name, diagnosis, and treatment plan, to a local grocery store instead of the correct post-acute care facility. When conducting the mandatory four-factor breach risk assessment, which factor is most significantly elevated by the recipient being a grocery store?

Accepted Answer

The unauthorized person who received the PHI.

Answer

The nature and extent of the PHI involved.

Answer

Whether the PHI was actually acquired or viewed.

Answer

The extent to which the risk to the PHI has been mitigated.

Question 4

Which of the following frameworks, while not mandatory for all healthcare organizations, provides a voluntary, risk-based approach with core functions like 'Identify, Protect, Detect, Respond, Recover' that is widely recognized and cross-walked to the HIPAA Security Rule?

Accepted Answer

NIST Cybersecurity Framework (CSF)

Answer

ISO 27001

Answer

HITRUST CSF

Answer

COBIT Framework

Question 5

A privacy officer is performing a breach risk assessment after an unencrypted laptop was stolen from an employee's car. The laptop contained a spreadsheet with the names, medical record numbers, and birth dates of 200 patients. Which of the following, if true, would be the STRONGEST mitigating factor in this assessment?

Accepted Answer

The laptop was remotely wiped within an hour of the theft, and the wipe was confirmed successful.

Answer

The employee immediately reported the theft to the police and the privacy officer.

Answer

The organization has a policy requiring encryption, which the employee violated.

Answer

The laptop was password-protected at the operating system level.

Question 6

The NIST Privacy Framework is designed to help organizations manage privacy risk. It is distinct from but complementary to cybersecurity frameworks. What is a primary focus of the NIST Privacy Framework?

Accepted Answer

Managing risks arising from authorized data processing activities, such as collection, use, and disclosure.

Answer

Mandating specific encryption standards for data at rest and in transit.

Answer

Exclusively managing risks from unauthorized access by external hackers.

Answer

Certifying that an organization is fully compliant with all state and federal privacy laws.