HIPAA - Health Insurance Portability and Accountability Act Technical & Physical Safeguards Questions and Answers

Question 1

A hospital is decommissioning several old servers that once stored ePHI. The data has been backed up according to the contingency plan. According to the HIPAA Security Rule's Physical Safeguards, which of the following actions is a required and appropriate final step for the physical server media before it leaves the hospital's control?

Accepted Answer

Degaussing or physically destroying the hard drives to render the ePHI unrecoverable.

Answer

The Device and Media Controls standard under Physical Safeguards includes a required implementation specification for 'Disposal.' This requires covered entities to implement policies and procedures for the final disposition of ePHI and the hardware it is stored on. Simply deleting files is insufficient, as the data can often be recovered. The ePHI must be rendered unrecoverable, which methods like degaussing (for magnetic media) or physical destruction (shredding, pulverizing) achieve.

Question 2

A covered entity implements a system that assigns a unique username and number to each member of its workforce for tracking user identity and activity within the EHR system. This measure directly addresses which REQUIRED Technical Safeguard implementation specification?

Accepted Answer

Unique User Identification

Answer

The Access Control standard within the Technical Safeguards has a required implementation specification for 'Unique User Identification.' This safeguard mandates assigning a unique name and/or number to each user to ensure that the actions of an individual within a system can be tracked and they can be held accountable.

Question 3

A busy hospital nursing station has several computer workstations that are accessible in a high-traffic area. Which of the following is a key Physical Safeguard that must be implemented to protect ePHI at these workstations?

Accepted Answer

Implementing policies and procedures that specify how to secure workstations to prevent unauthorized access.

Answer

The Workstation Security standard is a Physical Safeguard that requires covered entities to implement physical safeguards for all workstations that access ePHI to restrict access to authorized users. This includes creating policies and procedures to physically secure workstations, such as positioning screens away from public view or using privacy filters. While the other options are good security practices, they fall under Technical Safeguards (encryption, passwords) or general security management (antivirus).

Question 4

A medical lab needs to electronically transmit a patient's lab results, containing ePHI, to a specialist at another clinic over the internet. To comply with the HIPAA Security Rule, which Technical Safeguard is most critical to protect this data while it is in transit?

Accepted Answer

Encryption

Answer

The Transmission Security standard requires covered entities to implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. Encryption is an addressable implementation specification under this standard that renders ePHI unusable, unreadable, or indecipherable to unauthorized individuals during transmission. While not strictly mandatory in all cases, it is the most appropriate and effective control for protecting data in transit over a public network.

Question 5

The HIPAA Security Rule requires covered entities to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. This requirement is known as:

Accepted Answer

Audit Controls

Answer

This question directly defines the Audit Controls standard (§ 164.312(b)) under the Technical Safeguards. The purpose of these controls is to create a record or log of system activity, such as who accessed what data and when, which can be used to detect and investigate security incidents. Information System Activity Review is a related, but separate, Administrative Safeguard.

HIPAA - Health Insurance Portability and Accountability Act Practice Test

HIPAA - Health Insurance Portability and Accountability Act Practice Test

HIPAA - Health Insurance Portability and Accountability Act Technical & Physical Safeguards Questions and Answers