CITI HIPAA Training
73 community-sourced questions and answers.
In the US, privacy protections for health information come from:
Privacy protections come from all of these sources - both federal and state law, as well as the requirements of private certification organizations.
Privacy, in the health information context discussed here, refers to:
The rules about who can access health information, and under what circumstances.
Under the federal HIPAA regulations, state health privacy laws:
Remain in effect if more stringent than what HIPAA provides.
What kinds of persons and organizations are affected by HIPAA's requirements?
Health care providers, health plans, and health information clearinghouses, their business associates, and the workers for those organizations.
HIPAA privacy protections cover identifiable personal information about the "past, present or future physical or mental health condition." What does that include?
Health information in any form or medium, as long as it is identified (or identifiable) as a particular person's information.
When patients receive a copy of an organization's Privacy Notice, they are asked to sign an acknowledgment. Why?
It shows they received it.
Organizations covered by the federal HIPAA privacy law are expected to
Protect the health information under their control, train their workers in how to protect information, and help patients exercise their rights under the law.
Which of these is not a right under HIPAA?
To control all disclosures of information in the health record.
What does HIPAA's "minimum necessary" standard require of health care workers?
Use or disclose only the minimum necessary amount of health information to accomplish a task.
HIPAA's "incidental uses and disclosures" provision excuses deviations from the minimum necessary standard. What is excused?
Truly accidental "excess" uses and disclosures, where reasonable caution was otherwise used and there was no negligence.
When a privacy problem is discovered, which of the following is/are true?
All of the above
HIPAA allows health care organizations to control many information decisions. But where the patient retains control, which of the following is/are true?
If a person has a right to make a health care decision, then he/she has a right to control information associated with that decision.
With respect to permissions for uses and disclosures, HIPAA divides up health information into three categories. Into which category does information related to "treatment, payment and health care operations" go?
Uses or disclosures that require no patient permission; HIPAA permits them without oral agreement or written authorization.
With respect to permissions for uses and disclosures, HIPAA divides up health information into three categories. Into which category do discussions with family members go?
Uses or disclosures that generally require oral agreement only.
With respect to permissions for uses and disclosures, HIPAA divides up health information into three categories. Into which category does information related to research, marketing and fundraising go?
Uses or disclosures that generally require specific written authorization.
Which of the following are organizations required to do under HIPAA?
Appoint a Privacy Officer to administer HIPAA rules.
HIPAA allows healthcare organizations to control many information decisions. However, where the patient retains control, which of the following is true?
If a person has a right to make a healthcare decision, then generally that person has a right to control information associated with the decision.
Which of these is not generally a good practice for telephone use?
Using voicemail systems and answering machines that do not require a password or PIN for access.
Which of these is not generally a good practice for fax machine use?
Sensitive faxes -- inbound or outbound -- are left sitting in or around the machine.
Which of these is not a good practice for physical security?
To preserve good customer relations, visitors are generally allowed access to all areas of a facility unless it appears they are doing something suspicious.
Which of these is generally not a good practice with respect to oral communications (that is, talking) in organizations like healthcare facilities?
Use of full names in public areas or on intercom/paging systems, because there is no security issue with identifying persons in public areas and using full names helps avoid misidentification.
Information security's goals are sometimes described by the letters "CIA." Which of the following is a correct definition of C, I, or A?
All the above
Which of the following is true?
The "minimum necessary" standard applies to treatment-related uses, but not to disclosures to (or requests by) a health care provider for treatment, so as to avoid any interference with information exchanges among practitioners.
When a patient enters a clinical facility, they must inevitably surrender control of their information for a broad range of uses and disclosures. In the circumstances where the patient retains control of information, which of the following is true?
If the person controls a decision about treatment, he/she controls the information associated with it.
Patients must be provided with federally-mandated Privacy Notices when they first encounter direct treatment providers. Which of the following is an implication of that for clinicians?
The provision of the notice just before receiving treatment means clinicians will receive some questions about privacy issues. There is an obligation to know the answers, or to be able to direct the patient to someone who does.
Which category of health information does HIPAA extend "extra" protections, with a requirement for separate authorization?
Psychotherapy notes
Which best describes the role of the clinician in managing privacy matters?
How clinicians handle information inevitably sets the tone for everyone else, so the example they set is critical.
When required, the information provided to the data subject in a HIPAA disclosure accounting ...
must be more detailed for disclosures that involve fewer than 50 subject records.
The HIPAA "minimum necessary" standard applies...
To all human subjects research that uses PHI without an authorization from the data subject.
HIPAA protects a category of information known as protected health information (PHI). PHI covered under HIPAA includes:
Identifiable health information that is created or held by covered entities and their business associates.
A covered entity may use or disclose PHI without an authorization, or documentation of a waiver or an alteration of authorization, for all of the following EXCEPT:
Data that does not cross state lines when disclosed by the covered entity.
If you're unsure about the particulars of HIPAA research requirements at your organization or have questions, you can usually consult with:
An organizational IRB or Privacy Board, privacy official ("Privacy Officer"), or security official ("Security Officer"), depending on the issue.
HIPAA includes in its definition of "research," activities related to:
Development of generalizable knowledge.
A HIPAA authorization has which of the following characteristics:
Uses "plain language" that the data subject can understand, similar to the requirement for an informed consent document.
HIPAA's protections for health information used for research purposes...
Supplement those of the Common Rule and FDA.
How are the ethical standards for student uses and disclosures of patients' health information different from those for regular members of the healthcare workforce?
Some would say it is higher, because patients do not always benefit from students' access to their data.
For health information privacy and security, are the legal and regulatory requirements for students different from those for regular members of the healthcare workforce?
No, students must meet the same standards as a regular member of the workforce performing the same tasks.
Use of social media tools and other new technologies to facilitate training-related communications is:
Depends on the organization's policies, so you should check with your organization's officials about what is allowed or prohibited.
In regard to reporting privacy or security problems, are the requirements for students the same as for regular workers?
Yes. Like any other member of the workforce, students are obligated to report problems they are not in a position to correct.
Patients have to provide an additional, specific authorization for training uses and disclosures of their information.
False
Which of the following is a good practice if one wishes to avoid "social engineering" attacks?
All of the above
Which of these is not a good practice for controlling computer access?
Logging into systems with a shared user-ID or password
Which of these is not a good practice for protecting computing devices?
Login and screen-saver passwords, or token or biometric mechanisms, are disabled to make it easier to use the device quickly.
Which of the following are important for protecting computing devices and systems?
All of the above
Which of these is not a good security practice for web browsing?
Browsing to sites using links sent in emails without taking steps to assure the destination is safe.
Desktop computers are often provided in the workplace by organizations, and laptops may be as well. However, portable devices (such as tablets and smartphones) may more commonly be allowed on a BYOD basis. For a BYOD (personally-owned) device:
Organizations may have requirements about how BYOD devices may be configured or used, as a condition of accessing the organization's information resources.
Secure disposal of a desktop or laptop computer at the end of its service life is:
Generally considered essential for all computing and storage devices. One should not assume there is no sensitive personal or organizational data on a device or accessible by it.
Supplemental security software (such as anti-virus [anti-malware]) is:
Increasingly common for smartphones and tablets, and can include protections like remote-locate, remote-disable, and remote-data-wipe.
Secure communications, like those provided by "encrypted" web connections using https or a virtual private network (VPN), are:
Generally considered essential.
When choosing the security measures needed for a desktop or laptop computer:
The more security measures applied, the more secure a computer will be. However, it is impossible to have a uniform set of rules for all circumstances.
Ensuring data backups for data stored on a portable device is generally considered:
Necessary when the device would otherwise be the only source of hard-to-replace data, but the backup mechanism must also be secure
External labeling with a physical label, or configuring a device to display the owner's name and contact information on a login screen, is:
Generally considered a good idea, because it allows the device to be returned to its owner when found. However, always check organizational policies about the practice.
Enabling a device login password or PIN, and an inactivity timeout to force (re)login with that password or PIN after the device is idle for a defined period, is generally considered:
Essential for any portable device.
Compared to fixed location (desktop) computers, physical security for portable devices is:
Generally more necessary, because portable devices tend to be used in physical environments that are inherently less secure.
Which of these is a greater risk "off site" than when a computer is used in a protected office environment?
All the above
What "administrative" measures do you usually need to take?
All the above
What "technical measures" do you usually need to take with an off-site computer?
All the above
What "physical" security measures do you usually need to take for an off-site computer?
All the above
Under HIPAA, an organization is required to do which of the following?
Appoint a Privacy Officer to administer HIPAA rules.
Recruiting into research ...
Can qualify as an activity "preparatory to research," at least for the initial contact, but data should not leave the covered entity.
Fines and jail time (occasionally) for information security failures are:
Generally, only applied for serious, deliberate misuse, where someone intentionally accesses data in order to do harm or for personal gain.
Which of these is not a good security practice for portable devices?
Disabling any remote-locate, remote-shutdown, and remote-erase capabilities because these can accidentally erase data.
Which of the following is generally allowed in most organizations?
Social networking if done for approved business-related purposes.
Enabling encryption of all data on a desktop or laptop computer is generally considered:
Essential for any computer. Only data on computers that are guaranteed to contain no sensitive information, or where the physical and technical security of the device is assured, can safely be left unencrypted.
Software on a desktop or laptop computer should be:
Installed or updated only from trusted sources to be certain that it is a legitimate version.
Devices used purely for storage, like USB flash ("thumb") drives and external hard drives:
May expose large amounts of data if compromised, so should also use protections like access passwords or PINs and whole-device data encryption.
Secure disposal of a portable device at the end of its service life is:
Generally considered essential for all devices. One should not assume there is no sensitive personal or organizational data on a device or accessible by it.
Secure communications, like that provided by "encrypted" web connections using https or a Virtual Private Network (VPN), are:
Generally considered essential for smartphones and tablets, because sensitive information is being accessed, received, or transmitted.
Under HIPAA, "retrospective research" (a.k.a., data mining) on collections of PHI generally ...
Is research, and so requires either an authorization or meeting one of the criteria for a waiver of authorization.
Which of the following is a correct statement about the balance among prevention, detection, and response (PDR)?
The greater the sensitivity and quantity of the data at issue, the more carefully the balance among these three must be evaluated.
Which of these is not a good security practice for email?
Sending sensitive information in email messages or in attachments to such messages, as long as a legally-binding confidentiality notice is included.
Physical security for fixed location (desktop) computers is:
Necessary to consider, because physical security is always something that must be evaluated. Very few locations are guaranteed to be secure.
Enabling encryption of all data on a portable device is generally considered:
Essential for any portable device.