HIPS Series > Overview of Federal and State Data Security Requirements > Quiz + Answers

The questions, answers and explanations are provided below. If you disagree with our answer, or have additional questions, please send email to pdpp@miami.edu. Include the text of the quiz question(s) with which you disagree in your correspondence.

1. Which of these statements is/are correct?
A. HIPAA's Security Rule adds a federal floor (minimum level) of health data requirements to existing state laws.
B. HIPAA's security requirements replace those of private certification organizations.
C. HIPAA's security regulations are divided into three types of safeguards -- administrative, technical and physical.
D. All HIPAA's safeguards are mandatory.
A and C are correct. B and D are false.

2. Which of these statements is/are correct?
A. HIPAA's Security Rule applies to identifiable health data in "any form or medium".
B. HIPAA's Security Rule applies only to electronic health data.
C. The reach of HIPAA's Security Rule depends on the state in which the covered entity is operating.
D. The reach of HIPAA's Security Rule depends on whether the covered entity receives federal funds.
B is correct. It should be noted that the HIPAA Privacy Rule does apply to identifiable health data in any form or medium.

3. With respect to the technical requirements of the Security Rule, which of these is/are correct?
A. Specific technical measures for security are mandated, regardless of an entity's size.
B. The Rule is "technology neutral" to allow for changes as technologies evolve.
C. A covered entity can implement any technology it feels is appropriate, as long as there is a business justification.
D. Technical measures must be "reasonable and appropriate" for the circumstances.
B and D are correct. A and C are false.

4. Which of these is the most important goal of the Security Rule?
A. Confidentiality of health data.
B. Integrity of health data.
C. Availability of health data.
D. All are important; it is difficult to say which is most important.
D is correct. And we don't care what anyone else says.

5. Which of these are required by the Security Rule?
A. Periodic assessment of "potential risks and vulnerabilities" to health information.
B. Development of appropriate security measures, given those anticipated risks.
C. Documentation of measures taken (or not taken).
D. Workforce training.
All of these are required.

6. The two most commonly used adjectives in the Security Rule, used to describe its requirements, are:
A. Cost-effective and efficient.
B. Cutting-edge and out-of-the-box.
C. Kinder and gentler.
D. Reasonable and appropriate.
D is correct, though you might be able to make a case for C.