Certified Healthcare Privacy and Security (CHPS) Exam Preparation

Updated 2024

1. A patient has requested three accounting-of-disclosures reports in the past month. Which of the following statements is true regarding the accounting of disclosures? - Correct Answer - The CE is allowed to charge a reasonable, cost-based fee for the second and third request for accounting of disclosures and must inform the patient in advance.

2. In the final HIPAA Omnibus Rule of 2013, which of the following was added to the regulations regarding patient access? - Correct Answer - A patient has a right to receive his or her designated record set electronically, if maintained electronically.

3. If a state requires that all medical records be disclosed within 15 days from the request, and HIPAA requires disclosures to be completed within 30 days from the request, which timeline should be followed? - Correct Answer - State law, because it is more stringent than HIPAA.

4. If a patient put in a request for an amendment to his or her medical record on July 20, 2020, what would be the last possible day that the CE would need to provide outcome information on the amendment or notification of a 30-day extension? - Correct Answer - September 20, 2020

5. If a patient chooses to make a complaint against a CE to the Secretary of Health and Human Services, the complaint must be made within _____ days from the date the complaint was known or should have been known. - Correct Answer - 180

6. A patient made a request for an accounting of disclosures on March 31, 2020. What is the date range that must be provided on the accounting-of-disclosures document? - Correct Answer - March 31, 2015 to March 31, 2020 (6 years prior).

7. What was the compliance date for all covered entities and business associates to bring all of the grandfathered business associate agreements into compliance with the final Omnibus Rule of 2013? - Correct Answer - September 23, 2014

8. The HIPAA Security Rule allows flexibility with implementation based on the reasonableness and appropriateness of safeguards. This means that covered entities can - Correct Answer - implement based on organizational assessment

9. What group was granted authority to bring civil actions against healthcare organizations and business associates based on alleged HIPAA violations? - Correct Answer - State attorneys general

10. To place a patient in a facility directory, a covered entity - Correct Answer - must obtain the patient's verbal agreement.

11. The Privacy Rule permits charging patients for labor and supply costs associated with copying health records. A hospital is located in a state where state law allows charging patients a $100 search fee associated with locating records that have been requested. - Correct Answer - The Privacy Rule will preempt state law in this situation.

12. What does it mean to state that a regulation in the HIPAA Security Rule is addressable? - Correct Answer - The organization can implement an alternate safeguard of equivalent protection.

13. A healthcare provider that provided a copy of an individual's medical record to a nursing home that the patient will be transferred to is an example of using protected health information for what purpose? - Correct Answer - Treatment

14. A payment from a drug company to a covered entity to promote a new medication for treatment of acne is referred to as - Correct Answer - direct.

15. Which of the following is considered to be part of healthcare operations, uses deidentified health information or a limited data set, and benefits the covered entity? - Correct Answer - Fundraising

16. Providing a copy of an emergency room visit report to a primary care provider is an example of which of the following under HIPAA? - Correct Answer - Disclosure of protected health information

17. Which of the following is a goal of the minimum necessary requirement under the HIPAA Privacy Rule? - Correct Answer - Ensure that all workforce members have the same access to PHI within an organization.

18. A patient is checking in at the registration desk and overhears a conversation between another patient and the billing specialist regarding a specific diagnosis that is not being covered under the patient's insurance. This is an example of what type of disclosure? - Correct Answer - Incidental

19. Which of the following is the only scenario where breach notification can be delayed past the 60-day notification requirement? - Correct Answer - When law enforcement requests a delay due to an open criminal investigation.

20. During a recent change in a computer system's access, an organization determined that they were going to create role-based access defined on the need for each job type within the organization. This is an example of the application of which of the following? - Correct Answer - Minimum necessary

21. An organization just finished updating the minimum necessary policy and procedure. The new policy took effect on February 12, 2016. How long do they have to maintain the previous version of the policy? - Correct Answer - February 12, 2020

22. Which of the following is considered a patient's right under the HIPAA Privacy Rule? - Correct Answer - Accounting of disclosures (AOD)

23. How long does a covered entity have to respond to an accounting of disclosures request? - Correct Answer - 30 days, with one 30-day extension.

24. Authorizations are required for all disclosures except - Correct Answer - Treatment, payment, and healthcare operations

25. Which of the following terms refers to the direct or indirect payment from a third party whose product or service is being described by the covered entity? - Correct Answer - Financial remuneration

26. A health plan uses a month's worth of diagnosis codes from members' submitted bills to evaluate new services that can be created to support health-plan member education. This is an example of using protected health information for what purpose? - Correct Answer - Healthcare operations

27. How many years after an individual passes away is medical information no longer considered protected health information and no longer protected by HIPAA regulations? - Correct Answer - 50

28. A health plan must provide a copy of the NOPP to individuals covered - Correct Answer - once every three years.

29. Which of the following is allowed under the applicable fees and charges when charging for a copy of medical records? - Correct Answer - Labor cost

30. If a covered entity maintains a website for their organization, which of the following is true? - Correct Answer - The covered entity needs to prominently post the notice of privacy practices on the website.

31. If a request to a health plan is made for alternative locations of confidential communication with an insured individual due to concerns with endangerment to the individual, the health plan must - Correct Answer - permit and accommodate reasonable requests for confidential communication.

32. A covered entity provided training to their workforce in an all-staff meeting on October 11, 2020. The privacy officer has a copy of the presentation along with a list of all the individuals present. What is the earliest date the privacy officer can destroy the training documentation? - Correct Answer - After 6 years.

33. Which of the following does a covered entity need to include in HIPAA education, as they are considered part of the workforce? - Correct Answer - Health information student intern

34. An authorization for disclosure is signed and received by a healthcare organization on December 14, 2020. Upon review of the request for disclosure, the date of the signature is missing. What should the CE do? - Correct Answer - Deny the request and ask the individual to complete the date of signature.

35. A patient requested a restriction of his/her health information to a former provider, as there is no longer a patient/provider relationship between the two. How long does the CE have to respond to the request for the restriction? - Correct Answer - Set by organizational policy.

36. During an office visit, a patient overhears a conversation between the provider and another patient in the room next door, as the walls are very thin and it is easy to hear the conversation between visit rooms. Both doors of the patient rooms are closed during the time of the disclosure. This is an example of a(n) - Correct Answer - Incidental disclosure

37. The date September 23, 2013 represents what? - Correct Answer - The compliance date of the HIPAA Omnibus Rule

38. A privacy officer is reviewing all of the third-party vendors that are used to support business operations. Which of the following would be considered a business associate? - Correct Answer - Data conversion consultant

39. A covered entity hired a new business associate. During the evaluation of the business associate agreement, the business associate requested that the covered entity sign the vendor-supplied agreement. Is this acceptable practice? - Correct Answer - Yes, the covered entity must review the documentation in the business associate agreement and agree to it.

40. In which of the following scenarios would a CE need to get a written patient authorization to release records? - Correct Answer - A patient's attorney receiving a copy of the record of the patient's stay for the purpose of litigation.

41. If a patient requests a copy of his/her medical records, how long does the covered entity have to respond to the request? - Correct Answer - 30 days, with one 30-day extension.

42. When distributing the NOPP, the following individual does not have the right to receive a copy of the NOPP. - Correct Answer - Inmate

43. To which requirement under the HIPAA Privacy Rule do the following exceptions apply: 1) to carry out treatment, payment and healthcare operations, 2) to individuals of protected health information about them, and 3) incident to a use or disclosure otherwise permitted or required? - Correct Answer - Accounting of disclosures

44. Which of the following organizations is able to request a temporary suspension of the individual's right to access an accounting of disclosures? - Correct Answer - Law enforcement

45. Which of the following has to be included in an accounting of disclosures? - Correct Answer - Disclosures for mandated state reporting

46. During an investigation into a criminal complaint, a law enforcement officer called the HIPAA privacy officer and requested that the organization suspend the rights of a patient to know where his/her health information was being sent. How long is this temporary suspension of rights to an AOD valid? - Correct Answer - 30 days

47. When designing a HIPAA privacy and security training program, a CE should create a training program that educates all - Correct Answer - workforce members.

48. A covered entity just implemented a new policy and procedure for use and disclosure of protected health information. Which of the following should the organization do to make sure the policy and procedure is effective? - Correct Answer - Conduct an ongoing evaluation of adherence to the policy and procedure

49. The HIPAA security officer provided an email update to the workforce regarding the importance of logging out of any system with PHI when leaving a workstation. Which term best describes the email? - Correct Answer - Security update

50. An independent physician providing care in a hospital may enter into which of the following agreements in order to easily share protected health information between the entities? - Correct Answer - Organized healthcare arrangement

51. An example of an organization that would need a business associate agreement is - Correct Answer - The billing service that the healthcare organization uses

52. A patient called the privacy officer and asked to no longer receive communication regarding fundraising for the organization. The HIPAA privacy officer should - Correct Answer - treat the request as a revocation and remove the patient from all fundraising from the organization

53. When creating a report for an organization's foundation for fundraising purposes, the CE can provide which of the following information on the report without an authorization? - Correct Answer - Treating physician

54. Barb is completing her required high school community service hours by serving as a volunteer at the local hospital. Barb is a - Correct Answer - workforce member

55. When deidentifying a data set, the year from date of birth can be left in the data set except when the patient is over _____ years old. - Correct Answer - 89

56. Which document can be used to request the use or disclosure of health information in a research study and is also combined with other types of written permissions and authorizations for the same study? - Correct Answer - Compound authorization

57. Which document from the Institutional Review Board (IRB) allows for a covered entity to use or disclose protected health information with an authorization? - Correct Answer - Waiver

58. A waiver for research to use protected health information without authorization from the patient needs to be approved by - Correct Answer - a privacy board or the Institutional Review Board (IRB)

59. A research company uses a data set that has 16 data elements removed and signs a data agreement; this is referring to the use of a - Correct Answer - limited data set

60. What two identifiers are part of a limited data set and deidentified information? - Correct Answer - Geographic subdivision and elements of date

61. If a health insurance company is making a communication to a member promoting a vehicle insurance product offered by the same company, the organization needs - Correct Answer - authorization for disclosure for marketing purposes.

62. Which document is used to establish the permitted uses and disclosures, establishes who is permitted to use or receive the data set, and ensures the recipient will not use the information outside the intent and will use appropriate safeguards to protect the data set? - Correct Answer - Data use agreement

63. A request for an electronic copy of protected health information was received at an organization. The organization has to provide a copy of protected health information from the designated record set from what system(s)? - Correct Answer - All electronic systems.

64. A healthcare organization must comply with a restriction when a patient receives a service, pays out of pocket, and requests that information not be sent to his/her - Correct Answer - health insurance company

65. If a covered entity denies a request for an amendment of protected health information, what is one of the reasons that a covered entity may deny the request? - Correct Answer - The information is not part of the organization's designated record set.

66. Which of the following would be considered an exception under marketing and would not need an authorization for disclosure for marketing? - Correct Answer - Providing refill reminders to a patient on a specific drug.

67. If a covered entity denies a request for an amendment of protected health information, the request for the amendment and the denial letter must be - Correct Answer - linked to the specific protected health information subject to the request and appropriately disclosed.

68. Documentation of an alarm system being used, locking of the organization's doors, and video surveillance cameras used within the organization can be found within the facility - Correct Answer - security plan

69. Some of the requirements of which document include describing the permitted and required uses and disclosures of PHI, prohibiting an organization from further using or disclosing information, requiring that appropriate safeguards be implemented, requiring assurances from subcontractors for protection of PHI, conducting a risk analysis, and having a risk management program? - Correct Answer - Business associate agreement

70. Business associates must comply with the following requirements under HIPAA: - Correct Answer - All of the HIPAA Security Rule and parts of the HIPAA Privacy Rule

71. The rights to access, copy, request restrictions, and complain are all described in what document? - Correct Answer - Notice of Privacy Practices (NOPP)

72. The minimum necessary requirements apply to which of the following scenarios? - Correct Answer - Disclosures for business associate activities

73. When requesting an amendment of protected health information, the amendment request can only pertain to health information defined in the - Correct Answer - Designated record set

74. Which of the following information would not be provided to a patient when requesting a copy of his/her medical record? - Correct Answer - Psychotherapy notes

75. Federal subpoenas are examples of which type of document that mandates the release of health records for a judicial proceeding? - Correct Answer - Court order

76. During a regular assessment of the computer systems, an organization determined that one of the workforce's computers downloaded a file with a virus on it. The organization should follow what documentation to resolve the matter? - Correct Answer - Security incident procedure

77. During a recent evaluation of the organization's computers and laptops, it was uncovered that two providers have patient information stored on the hard drives of their laptops and that the laptops travel with them between clinics and personal residences. What is the best method of protection to prevent unauthorized access or disclosure? - Correct Answer - Implement full-disk encryption on the laptops

78. The use of role-based access is an example of - Correct Answer - access control.

79. When a healthcare organization purchases cybersecurity insurance due to the increased risk of cybersecurity attacks, this is an example of what type of risk management? - Correct Answer - Risk transfer

80. A policy containing information regarding the functions that may be performed on computers and laptops within an organization is an example of - Correct Answer - workstation use.

81. When evaluating safeguards around how information is used, an organization should be focused on - Correct Answer - who is accessing information for business needs within the organization.

82. An organization just implemented a new policy that defines how the organization is protecting the physical space of the five clinics that the organization owns. This is an example of a(n) - Correct Answer - facility security plan.

83. A workforce member changes positions within the same healthcare organization. In the new position, the workforce member will not need as much access to patient information. What is the best policy to review in order to determine the steps for what to do with the employee's access? - Correct Answer - Access establishment and modification

84. If an organization still has risk after a new control is implemented, that risk is considered to be - Correct Answer - residual.

85. During risk mitigation, a covered entity decided to stop the autofaxing process from the electronic health record due to the number of incorrect faxes being sent with protected health information. This is an example of what type of risk management? - Correct Answer - Risk avoidance.

86. An organization determines that the cost of a security control outweighs the risk and elects not to take additional steps to reduce the risk. This is referred to as what type of risk management? - Correct Answer - Risk acceptance.

87. Which of the following is an example of two-factor authentication? - Correct Answer - Fingerprint and token.

88. A healthcare organization just implemented a new system that provides detailed audit reports within the electronic health record. This type of security control is known as - Correct Answer - detective.

89. During the risk analysis, a covered entity assigns a monetary value to each of the risks identified. This type of risk analysis is known as - Correct Answer - quantitative risk analysis.

90. Theft of equipment is what type of threat? - Correct Answer - Acts of man.

91. Which of the following is the process for ongoing technical and nontechnical review of adherence to policies and procedures, documentation of the results of monitoring activities, and implementation of improvements in policies and procedures? - Correct Answer - Evaluation

92. What is the safeguard of ensuring that protected health information is not inappropriately altered or destroyed? - Correct Answer - Integrity

93. Policies and procedures that define the process for granting access to PHI would be defined in which of the following HIPAA standards? - Correct Answer - Access authorization

94. Which of the following restores critical data as quickly as possible after an event? - Correct Answer - Disaster recovery mode

95. Which step of risk analysis identifies information assets that need protection? - Correct Answer - System characterization

96. Based on the risk analysis findings, a CE is going to implement full-disk encryption on all laptops and computers that are owned by the CE. This is an example of what type of risk management? - Correct Answer - Risk mitigation

97. Policies and procedures, HIPAA training programs, proper hiring practices, strong authentication processes, and use of encryption are examples of what type of security control? - Correct Answer - Preventive

98. Data are sent in encrypted form from one computer to another. Which of the following terms describes the data after the encryption algorithm has been applied? - Correct Answer - Device controls

99. A university health system has a laptop-sharing program that allows users to request laptop computers for short-term projects. Many of the projects involve the use of ePHI. When the laptops are returned to the office, they are often immediately recirculated to another user in the system. This is an example of a violation of which of the following aspects of the Security Rule? - Correct Answer - Device and media controls

100. How often does the HIPAA Security Rule require that passwords be updated? - Correct Answer - By organizational policy

101. A(n) _____ is defined as an attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI. - Correct Answer - security incident

102. When encryption software uses the same key for encryption and decryption of the data, the key is known as a(n) - Correct Answer - symmetric key.

103. Common threats to e-mail security include using the transmitted data to send viruses, worms, Trojan horses, and spyware. This type of software is referred to as - Correct Answer - malicious.

104. Which of the following is the organization that maintains and issues public key certificates for use in encryption? - Correct Answer - Certificate authorities

105. Which of the following are records of sequential activities that occur within a system or application? - Correct Answer - Audit log

106. Which of the following defines the study of encryption and decryption techniques? - Correct Answer - Cryptography

107. The process of reviewing activity to determine if ePHI is being used or disclosed in an appropriate manner is the process of which HIPAA requirement? - Correct Answer - Information system activity review

108. Business associates and covered entities need to have processes in place to identify and respond to known or suspected technology incidents, mitigate the potential harm, and document the incident and the outcomes. This process will be defined in the organization's - Correct Answer - security incident plan

109. Which of the following regulations defines the process of implementing a series of policies and procedures to protect the security of credit, debit, and cash card transactions? - Correct Answer - Payment Card Industry Data Security Standard (PCI DSS)

110. Which of the following documents defines procedures that allow access to a facility to assist with support and restoration of lost data defined in the disaster-recovery plan? - Correct Answer - Contingency plan

111. The implementation of a visitor check-in process is an example of which of the following requirements? - Correct Answer - Facility security plan

112. The two types of processes that allow for PHI to be considered unusable, unreadable, or indecipherable are - Correct Answer - encryption and destruction

113. An organization implements a process where the EHR will terminate access after 15 minutes of inactivity. This is an example of - Correct Answer - automatic logoff

114. If a data breach at a hospital occurred on September 25, 2015, that impacted 245 individuals, what is the latest possible date that the hospital can inform the Department of Health and Human Services of the data breach? - Correct Answer - February 29, 2016

115. Anytown Clinic had a data breach that occurred on March 2, 2016 that impacted 756 individuals. What is the latest possible date that the hospital can inform the Department of Health and Human Services regarding the data breach? - Correct Answer - May 1, 2016

116. During a breach investigation, which of the following questions must be answered during the breach risk assessment? - Correct Answer - The unauthorized individual who used the PHI or to whom it was disclosed

117. After conducting a breach investigation, it was determined that a workforce member was the root cause of the data breach. The best course of action would be to - Correct Answer - Apply appropriate sanctions to the workforce member

118. ABC Hospital was providing notification for a data breach that impacted 783 people. During the notification process, it was determined that the organization had outdated contact information on 29 of the individuals. What is the next process for the covered entity? - Correct Answer - Post the breach on the company website

119. The HIPAA privacy officer was just informed of a potential data breach involving a workforce member looking through a patient record with no business need. What should be the first step to determine if access happened? - Correct Answer - Run an audit report

120. A business associate discovered a potential data breach on July 15, 2015, and confirmed it was a data breach on August 18, 2015. When is the business associate required to notify the covered entity of the data breach? - Correct Answer - Without unreasonable delay and no later than 60 days from the date of discovery

121. A law enforcement officer has requested in writing that a covered entity delay notification of a data breach as it might impede an investigation. How long should the covered entity delay the notification? - Correct Answer - By the amount of time specified in the request.

122. An organization just finished notification about a data breach and was informed that four individuals' contact information was out of date. How should the organization provide notification to the individuals? - Correct Answer - They can provide an alternative form of notice such as telephone or other means.

123. When conducting the risk assessment during a breach investigation, which of the following must be determined? - Correct Answer - Extent to which the risk to PHI has been mitigated.

124. Evaluating the effectiveness of a new technology three months after implementation is an example of - Correct Answer - evaluation

125. Written notification to individuals regarding a breach that occurred must be completed no later than 60 days from the date of discovery by - Correct Answer - first-class mail or e-mail

126. A workforce member discovered a potential data breach on June 2, 2016, and notified the HIPAA security officer on June 23, 2016. When is the last day on which notification to the individual(s) can occur in the event of a data breach? - Correct Answer - August 1, 2016

127. If a data breach occurred, a covered entity would keep a copy of the letter used for notification, a list of all individuals notified, and the date of notification. This is an example of - Correct Answer - burden of proof

128. Which type of protected health information means that it is not rendered unusable, unreadable, or indecipherable to an unauthorized person(s) through the use of a technology or methodology defined by the Secretary of HHS? - Correct Answer - Unsecured

129. A HIPAA privacy officer was contacted by phone by the local law enforcement organization and requested to delay the notification of the current health data breach, as they have an open investigation and notification may impede the investigation. What should the HIPAA privacy officer do? - Correct Answer - Honor the request and allow a 30-day notification delay.

130. Determining the nature and extent of the PHI that was improperly disposed of takes place in what part of the breach investigation process? - Correct Answer - Risk assessment

131. As part of the breach investigation, a covered entity discovered that the PHI was faxed to a local coffee shop and the owner discovered the fax. Which of the risk assessment factors does this answer? - Correct Answer - The unauthorized person who used the PHI or to whom the disclosure was made.

132. Which of the following does a covered entity need to determine during a breach investigation as part of the risk assessment to determine if there is a low probability that the information was compromised? - Correct Answer - If the PHI was viewed or acquired

133. During the notification process of a breach, some of the individuals impacted were deceased and the next of kin could not be reached. What is the organization's next step? - Correct Answer - No further action is required.

134. Proactive audits of health information for security purposes can assist an organization in - Correct Answer - helping to detect unauthorized access.

135. The privacy officer at an organization just finished conducting a proactive audit of all workforce members who accessed charts that had the "break the glass" functionality implemented. The documentation from the outcome of the audit was presented to the board of directors. The HIPAA privacy officer should keep a copy of the report and audit log for a minimum of - Correct Answer - 6 years

136. An organization should have an ongoing evaluation of authentication attempts into system(s) with PHI and a process for reporting any discrepancies. This process is known as - Correct Answer - log-in monitoring

137. An organization lost a USB drive that contained sensitive patient information. The USB drive was encrypted. Should a data breach investigation be done? - Correct Answer - No, the data is secure since the USB was encrypted.

138. If the Office for Civil Rights determines that a covered entity failed to comply with HIPAA and knew the act or omission violated the regulations but did not act with neglect, it would be considered - Correct Answer - reasonable cause

139. A data breach occurred in a healthcare system that spans two different states. After the investigation, it was determined that a total of 752 individuals were impacted, 364 from one state and 388 from the other state. Does the organization have to notify the media? - Correct Answer - No, because fewer than 500 people were impacted in each state.

140. If an individual has an approved agreement with the hospital that communication will only happen through phone conversation, and the individual is involved in a data breach, what steps should the covered entity take? - Correct Answer - Call the patient and request that the patient come and pick up the breach notification letter.

141. Determining the individual who obtained the protected health information is part of which step in the breach notification process? - Correct Answer - Risk assessment

142. During a breach investigation into unauthorized access in an electronic health record, it was determined that the individual who gained access only observed the information. This is an example of a finding for which of the breach assessment factors? - Correct Answer - Whether the protected health information was actually acquired or viewed.

143. The outcome of the breach risk assessment and investigation determines that there is a good faith belief that the information could not have been retained and a data breach did not occur. This is an example of a breach _____. - Correct Answer - exclusion.

144. When imposing a civil monetary penalty, the highest tier in the penalty structure is caused by conscious and intentional acts that knowingly violated the HIPAA privacy and security regulations. This is also known as - Correct Answer - willful neglect

145. A data breach occurred at an organization that was using a limited data set from a healthcare facility. What statement is correct? - Correct Answer - A breach investigation would need to be conducted, as there is no exception for limited data sets.

146. Which of the following is the first date that an organization knew, or should have known, about an impermissible use or disclosure of protected health information? - Correct Answer - Date of discovery

147. A healthcare organization determines that a breach did not occur from an unauthorized disclosure of protected health information. An example of the burden of proof would be - Correct Answer - a breach risk assessment.

148. A data breach occurred in one state and impacted 1,420 individuals, so the covered entity needs to provide notification of the breach to - Correct Answer - a local media outlet, the Secretary of the Department of Health and Human Services, and the individuals impacted.

149. An act or omission by a covered entity or a business associate that was known or should have been known to violate the HIPAA requirements but was not done with malice or for personal gain is known as - Correct Answer - reasonable cause

150. A system is set to lock a user out of a system after three unsuccessful log-in attempts in three minutes. This is an example of - Correct Answer - log-in monitoring
