CPHIMS Healthcare Privacy and Security Questions and Answers

Question 1

A hospital contracts with a third-party cloud storage provider to archive its electronic health records (EHR). The provider guarantees the data will be encrypted at rest. Under HIPAA, what is the most critical document the hospital must have in place with this vendor before transferring any Protected Health Information (PHI)?

Accepted Answer

Business Associate Agreement (BAA)

Answer

A Business Associate Agreement (BAA) is a contract required by HIPAA between a covered entity and a business associate. It establishes the vendor's responsibility to protect PHI in accordance with HIPAA guidelines. While an SLA, NDA, or DUA may also be used, the BAA is the specific, legally mandated contract for this relationship.

Question 2

A healthcare organization is discovered to have had a breach of its electronic health record system where the unencrypted PHI of over 600 patients was acquired by an unauthorized party. According to the HIPAA Breach Notification Rule, which of the following MUST be notified?

Accepted Answer

The affected individuals, the Secretary of HHS (via OCR), and prominent media outlets

Answer

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay (and within 60 days). For breaches affecting more than 500 individuals in a state or jurisdiction, the entity must also notify the Secretary of Health and Human Services (HHS) and prominent media outlets serving that area.

Question 3

A health system's security policy states that a user's access rights and permissions to systems containing ePHI should be limited to only what is strictly required to perform their job responsibilities. What security principle does this policy enforce?

Accepted Answer

Least Privilege Principle

Answer

The Principle of Least Privilege dictates that a user should be given only the minimum levels of access—or permissions—needed to perform their job functions. This is a fundamental concept in information security designed to limit the potential damage from a compromised account or insider threat.

Question 4

A data center that houses servers for a multi-hospital health system implements security guards, badge-controlled access doors, and video surveillance. These measures are primarily examples of which category of safeguards required by the HIPAA Security Rule?

Accepted Answer

Physical Safeguards

Answer

Physical Safeguards are the physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural hazards and unauthorized intrusion. Facility access controls like guards, badges, and surveillance fall directly under this category.

Question 5

According to the HIPAA Security Rule, which of the following is the foundational and first step an organization must take when developing its security compliance program?

Accepted Answer

Conduct a security risk analysis

Answer

The HIPAA Security Rule mandates that a covered entity must first conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This risk analysis is foundational, as it informs all other security decisions and safeguard implementations.

CPHIMS Exam Practice Test

CPHIMS Exam Practice Test

CPHIMS Healthcare Privacy and Security Questions and Answers