CHPC Privacy Risk Management Questions and Answers

Question 1

A large health system is planning to implement a new enterprise-wide electronic health record (EHR) system. To proactively identify and mitigate potential privacy risks before the system goes live, which of the following tools is MOST appropriate to use?

Accepted Answer

A Privacy Impact Assessment (PIA)

Answer

A Privacy Impact Assessment (PIA) is a systematic process used to identify and mitigate potential privacy risks associated with new projects, systems, or technologies before they are implemented. A security risk analysis focuses on vulnerabilities to ePHI, a breach risk assessment is conducted after an impermissible disclosure occurs, and a business continuity plan addresses operational recovery, not proactive privacy risk identification.

Question 2

A compliance officer is explaining the distinction between HIPAA's Risk Analysis and Risk Management requirements to a new privacy analyst. Which statement BEST summarizes the relationship between these two components?

Accepted Answer

Risk Analysis is the process of identifying and evaluating potential risks and vulnerabilities, whereas Risk Management is the process of implementing measures to reduce those identified risks.

Answer

The HIPAA Security Rule requires two distinct but related actions: risk analysis and risk management. Risk analysis is the 'diagnostic' phase of identifying and evaluating risks to ePHI. Risk management is the subsequent 'treatment' phase, where the organization implements security measures to reduce the identified risks to a reasonable and appropriate level.

Question 3

A hospital employee accidentally faxes a patient's discharge summary, which includes their name, diagnosis, and treatment plan, to a local grocery store instead of the correct post-acute care facility. When conducting the mandatory four-factor breach risk assessment, which factor is most significantly elevated by the recipient being a grocery store?

Accepted Answer

The unauthorized person who received the PHI.

Answer

Under the four-factor breach risk assessment, the identity of the unauthorized recipient is a critical factor. A recipient like a grocery store has no obligation to protect the PHI, increasing the risk of compromise compared to another HIPAA-covered entity that has its own legal and ethical duties to safeguard the information.

Question 4

Which of the following frameworks, while not mandatory for all healthcare organizations, provides a voluntary, risk-based approach with core functions like 'Identify, Protect, Detect, Respond, Recover' that is widely recognized and cross-walked to the HIPAA Security Rule?

Accepted Answer

NIST Cybersecurity Framework (CSF)

Answer

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a voluntary framework that provides a structured, risk-based approach to cybersecurity. Its core functions ('Identify, Protect, Detect, Respond, Recover') are widely adopted in healthcare, and HHS has provided a crosswalk to demonstrate how its use can help support compliance with the HIPAA Security Rule.

Question 5

A privacy officer is performing a breach risk assessment after an unencrypted laptop was stolen from an employee's car. The laptop contained a spreadsheet with the names, medical record numbers, and birth dates of 200 patients. Which of the following, if true, would be the STRONGEST mitigating factor in this assessment?

Accepted Answer

The laptop was remotely wiped within an hour of the theft, and the wipe was confirmed successful.

Answer

The fourth factor of a HIPAA breach risk assessment is the extent to which the risk has been mitigated. Successfully and verifiably wiping the device remotely ensures that the data was destroyed and could not be acquired or viewed, which is the most effective mitigation strategy among the choices. While reporting and passwords are good practices, they do not eliminate the risk that the data was accessed like a confirmed remote wipe does.

CHPC - Certified in Healthcare Privacy Compliance Practice Test

CHPC - Certified in Healthcare Privacy Compliance Practice Test

CHPC Privacy Risk Management Questions and Answers