CITI Training Exam Study Guide | 210
Questions with 100% Correct Answers
Privacy, in the health information context, refers to: Correct Answer: The rules about who can
access health information, and under what circumstances.
In the U.S., privacy protections for health information come from: Correct Answer: Federal,
state, local, and private certification organizations' requirements
With respect to permissions for uses and disclosures, HIPAA divides health information into
three categories. Into which category do discussions with family members go? Correct Answer:
Uses or disclosures that generally require oral agreement only.
Under HIPAA, an organization is required to do which of the following? Correct Answer:
Appoint a Privacy Officer to administer HIPAA rules.
When patients receive a copy of an organization's privacy notice, why are they asked to sign an
acknowledgment? Correct Answer: It shows they received it.
Which of these is not a right under HIPAA? Correct Answer: To control all disclosures of
information in the health record.
HIPAA's "incidental uses and disclosures" provision excuses deviations from the minimum
necessary standard. What is excused? Correct Answer: Truly accidental "excess" uses and
disclosures, where reasonable caution was otherwise used and there was no negligence.
When a privacy problem is discovered, which of the following is true? Correct Answer:
Healthcare workers and patients are protected from intimidation or retaliation for reporting.
What kinds of persons and organizations are affected by HIPAA's requirements? Correct
Answer: Healthcare providers, health plans, and health information clearinghouses, as well as
their business associates and by extension the workers for those organizations.
With respect to permissions for uses and disclosures, HIPAA divides health information into
three categories. Into which category does information related to research, marketing, and
fundraising go? Correct Answer: Uses or disclosures that generally require specific written
authorization.
With respect to permissions for uses and disclosures, HIPAA divides health information into
three categories. Into which category does information related to "treatment, payment and health
care operations" go? Correct Answer: Uses or disclosures that can generally occur without any
specific permission from the patient.
,HIPAA privacy protections cover identifiable personal information about the "past, present or
future physical or mental health condition." What does that include? Correct Answer: Health
information in any form or medium, as long as it is identified (or identifiable) as a particular
person's information.
Under the federal HIPAA regulations, state health privacy laws: Correct Answer: Can remain in
force if "more stringent" than HIPAA, complementing HIPAA's foundation of protections,
provided there is no direct conflict in requirements.
What does HIPAA's "minimum necessary" and related standards require of healthcare workers?
Correct Answer: Use or disclose only the minimum necessary amount of health information to
accomplish a task.
HIPAA includes in its definition of "research," activities related to: Correct Answer:
Development of generalizable knowledge.
If you're unsure about the particulars of HIPAA research requirements at your organization or
have questions, you can usually consult with: Correct Answer: An organizational IRB or
Privacy Board, privacy official ("Privacy Officer"), or security official ("Security Officer"),
depending on the issue.
Recruiting into research ... Correct Answer: Can qualify as an activity "preparatory to research,"
at least for the initial contact, but data should not leave the covered entity.
Under HIPAA, a "disclosure accounting" is required: Correct Answer: For all human subjects
research that uses PHI without an authorization from the data subject, except for limited data
sets.
HIPAA's protections for health information used for research purposes... Correct Answer:
Supplement those of the Common Rule and FDA.
Under HIPAA, "retrospective research" (a.k.a., data mining) on collections of PHI generally ...
Correct Answer: Is research, and so requires either an authorization or meeting one of the
criteria for a waiver of authorization.
When required, the information provided to the data subject in a HIPAA disclosure accounting ...
Correct Answer: must be more detailed for disclosures that involve fewer than 50 subject
records.
The HIPAA "minimum necessary" standard applies... Correct Answer: To all human subjects
research that uses PHI without an authorization from the data subject.
A HIPAA authorization has which of the following characteristics: Correct Answer: Uses "plain
language" that the data subject can understand, similar to the requirement for an informed
consent document.
, A covered entity may use or disclose PHI without an authorization, or documentation of a waiver
or an alteration of authorization, for all of the following EXCEPT: Correct Answer: Data that
does not cross state lines when disclosed by the covered entity.
HIPAA protects a category of information known as protected health information (PHI). PHI
covered under HIPAA includes: Correct Answer: Identifiable health information that is created
or held by covered entities and their business associates.
Which of these is not generally a good practice for fax machine use? Correct Answer: Sensitive
faxes -- inbound or outbound -- are left sitting in or around the machine.
Which of these is not a good practice for physical security? Correct Answer: To preserve good
customer relations, visitors are generally allowed access to all areas of a facility unless it appears
they are doing something suspicious.
Which of these is generally not a good practice with respect to oral communications (that is,
talking) in organizations like healthcare facilities? Correct Answer: Use of full names in public
areas or on intercom/paging systems, because there is no security issue with identifying persons
in public areas and using full names helps avoid misidentification.
Which of the following is a correct statement about the balance among prevention, detection, and
response (PDR)? Correct Answer: The greater the sensitivity and quantity of the data at issue,
the more carefully the balance among these three must be evaluated.
Which of these is not generally a good practice for telephone use? Correct Answer: Using
voicemail systems and answering machines that do not require a password or PIN for access.
Fines and jail time (occasionally) for information security failures are: Correct Answer:
Generally, only applied for serious, deliberate misuse, where someone intentionally accesses data
in order to do harm or for personal gain.
Information security's goals are sometimes described by the letters "CIA." Which of the
following is correct definition of C, I, or A? Correct Answer: All of the above
Security measures are sometimes described as a combination of physical, technical, and
administrative (PTA) safeguards. Which of these would be considered a technical safeguard?
Correct Answer: Measures including device data encryption, anti-malware software, and
communications encryption.
Which of the following is a good practice if one wishes to avoid "social engineering" attacks?
Correct Answer: All of the above
Which of these is not a good practice for protecting computing devices? Correct Answer: Login
and screen-saver passwords, or token or biometric mechanisms, are disabled to make it easier to
use the device quickly.
Questions with 100% Correct Answers
Privacy, in the health information context, refers to: Correct Answer: The rules about who can
access health information, and under what circumstances.
In the U.S., privacy protections for health information come from: Correct Answer: Federal,
state, local, and private certification organizations' requirements
With respect to permissions for uses and disclosures, HIPAA divides health information into
three categories. Into which category do discussions with family members go? Correct Answer:
Uses or disclosures that generally require oral agreement only.
Under HIPAA, an organization is required to do which of the following? Correct Answer:
Appoint a Privacy Officer to administer HIPAA rules.
When patients receive a copy of an organization's privacy notice, why are they asked to sign an
acknowledgment? Correct Answer: It shows they received it.
Which of these is not a right under HIPAA? Correct Answer: To control all disclosures of
information in the health record.
HIPAA's "incidental uses and disclosures" provision excuses deviations from the minimum
necessary standard. What is excused? Correct Answer: Truly accidental "excess" uses and
disclosures, where reasonable caution was otherwise used and there was no negligence.
When a privacy problem is discovered, which of the following is true? Correct Answer:
Healthcare workers and patients are protected from intimidation or retaliation for reporting.
What kinds of persons and organizations are affected by HIPAA's requirements? Correct
Answer: Healthcare providers, health plans, and health information clearinghouses, as well as
their business associates and by extension the workers for those organizations.
With respect to permissions for uses and disclosures, HIPAA divides health information into
three categories. Into which category does information related to research, marketing, and
fundraising go? Correct Answer: Uses or disclosures that generally require specific written
authorization.
With respect to permissions for uses and disclosures, HIPAA divides health information into
three categories. Into which category does information related to "treatment, payment and health
care operations" go? Correct Answer: Uses or disclosures that can generally occur without any
specific permission from the patient.
,HIPAA privacy protections cover identifiable personal information about the "past, present or
future physical or mental health condition." What does that include? Correct Answer: Health
information in any form or medium, as long as it is identified (or identifiable) as a particular
person's information.
Under the federal HIPAA regulations, state health privacy laws: Correct Answer: Can remain in
force if "more stringent" than HIPAA, complementing HIPAA's foundation of protections,
provided there is no direct conflict in requirements.
What does HIPAA's "minimum necessary" and related standards require of healthcare workers?
Correct Answer: Use or disclose only the minimum necessary amount of health information to
accomplish a task.
HIPAA includes in its definition of "research," activities related to: Correct Answer:
Development of generalizable knowledge.
If you're unsure about the particulars of HIPAA research requirements at your organization or
have questions, you can usually consult with: Correct Answer: An organizational IRB or
Privacy Board, privacy official ("Privacy Officer"), or security official ("Security Officer"),
depending on the issue.
Recruiting into research ... Correct Answer: Can qualify as an activity "preparatory to research,"
at least for the initial contact, but data should not leave the covered entity.
Under HIPAA, a "disclosure accounting" is required: Correct Answer: For all human subjects
research that uses PHI without an authorization from the data subject, except for limited data
sets.
HIPAA's protections for health information used for research purposes... Correct Answer:
Supplement those of the Common Rule and FDA.
Under HIPAA, "retrospective research" (a.k.a., data mining) on collections of PHI generally ...
Correct Answer: Is research, and so requires either an authorization or meeting one of the
criteria for a waiver of authorization.
When required, the information provided to the data subject in a HIPAA disclosure accounting ...
Correct Answer: must be more detailed for disclosures that involve fewer than 50 subject
records.
The HIPAA "minimum necessary" standard applies... Correct Answer: To all human subjects
research that uses PHI without an authorization from the data subject.
A HIPAA authorization has which of the following characteristics: Correct Answer: Uses "plain
language" that the data subject can understand, similar to the requirement for an informed
consent document.
, A covered entity may use or disclose PHI without an authorization, or documentation of a waiver
or an alteration of authorization, for all of the following EXCEPT: Correct Answer: Data that
does not cross state lines when disclosed by the covered entity.
HIPAA protects a category of information known as protected health information (PHI). PHI
covered under HIPAA includes: Correct Answer: Identifiable health information that is created
or held by covered entities and their business associates.
Which of these is not generally a good practice for fax machine use? Correct Answer: Sensitive
faxes -- inbound or outbound -- are left sitting in or around the machine.
Which of these is not a good practice for physical security? Correct Answer: To preserve good
customer relations, visitors are generally allowed access to all areas of a facility unless it appears
they are doing something suspicious.
Which of these is generally not a good practice with respect to oral communications (that is,
talking) in organizations like healthcare facilities? Correct Answer: Use of full names in public
areas or on intercom/paging systems, because there is no security issue with identifying persons
in public areas and using full names helps avoid misidentification.
Which of the following is a correct statement about the balance among prevention, detection, and
response (PDR)? Correct Answer: The greater the sensitivity and quantity of the data at issue,
the more carefully the balance among these three must be evaluated.
Which of these is not generally a good practice for telephone use? Correct Answer: Using
voicemail systems and answering machines that do not require a password or PIN for access.
Fines and jail time (occasionally) for information security failures are: Correct Answer:
Generally, only applied for serious, deliberate misuse, where someone intentionally accesses data
in order to do harm or for personal gain.
Information security's goals are sometimes described by the letters "CIA." Which of the
following is correct definition of C, I, or A? Correct Answer: All of the above
Security measures are sometimes described as a combination of physical, technical, and
administrative (PTA) safeguards. Which of these would be considered a technical safeguard?
Correct Answer: Measures including device data encryption, anti-malware software, and
communications encryption.
Which of the following is a good practice if one wishes to avoid "social engineering" attacks?
Correct Answer: All of the above
Which of these is not a good practice for protecting computing devices? Correct Answer: Login
and screen-saver passwords, or token or biometric mechanisms, are disabled to make it easier to
use the device quickly.
