10 legal regulations.docx


Upload: lakamadi

Post on 02-Jun-2018


Page 1: 10 Legal Regulations.docx

8/11/2019 10 Legal Regulations.docx

http://slidepdf.com/reader/full/10-legal-regulationsdocx 1/27

10-Legal

Multiple Choice. Identify the choice that best completes the statement or answers the question.

1. In the public sector, as opposed to the private sector, due care is usually determined by
a. Minimum standard requirements.
b. Legislative requirements.
c. Insurance rates.
d. Potential for litigation.

ANSWER: B

POINTS: 0 / 1

2. What is the minimum and customary practice of responsible protection of assets that affects a community or societal norm?
a. Due diligence
b. Risk mitigation
c. Asset protection
d. Due care

ANSWER: D

POINTS: 0 / 1

3. Under the standard of due care, failure to achieve the minimum standards would be considered
a. Negligent
b. Unethical
c. Abusive
d. Illegal

ANSWER: A

POINTS: 0 / 1

4. Under the principle of culpable negligence, executives can be held liable for losses that result from computer system breaches if:
a. the company is not a multi-national company
b. they have not exercised due care protecting computing resources
c. they have failed to properly insure computer resources against loss
d. the company does not prosecute the hacker that caused the breach

ANSWER: B

POINTS: 0 / 1

5. The criteria for evaluating the legal requirements for implementing safeguards is to evaluate the cost (C) of instituting the protection versus the estimated loss (L) resulting from the exploitation of the corresponding vulnerability. Therefore, a legal liability exists when?
a. C < L
b. C < L - (residual risk)
c. C > L
d. C > L - (residual risk)

ANSWER: A


6. When companies come together to work in an integrated manner such as extranets, special care must be taken to ensure that each party promises to provide the necessary level of protection, liability and responsibility. These aspects should be defined in the contracts that each party signs. What describes this type of liability?
a. Cascade liabilities
b. Downstream liabilities
c. Down-flow liabilities
d. Down-set liabilities

ANSWER: B

POINTS: 0 / 1

7. The typical computer felons are usually persons with which of the following characteristics?
a. They have had previous contact with law enforcement
b. They conspire with others
c. They hold a position of trust
d. They deviate from the accepted norms of security

ANSWER: D

POINTS: 0 / 1

8. Which of the following is responsible for the most security issues?
a. Outside espionage
b. Hackers
c. Personnel
d. Equipment Failure

ANSWER: C

POINTS: 0 / 1

9. Hackers are most often interested in:
a. Helping the community in securing their networks
b. Seeing how far their skills will take them
c. Getting recognition for their actions
d. Money

ANSWER: B

POINTS: 0 / 1

10. Which of the following categories of hackers poses the greatest threat?
a. Disgruntled employees
b. Student hackers
c. Criminal hackers
d. Corporate spies

ANSWER: A

POINTS: 0 / 1


 

ANSWER: B

POINTS: 0 / 1

17. Once evidence is seized, a law enforcement officer should emphasize which of the following?
a. chain of command
b. chain of custody
c. chain of control
d. chain of communications

ANSWER: B

POINTS: 0 / 1

18. Which of the following rules is less likely to allow computer evidence to be admissible in court?
a. It must prove a fact that is material to the case
b. Its reliability must be proven
c. The process for producing it must be documented
d. The chain of custody of evidence must show who collected, secured, controlled, handled, transported, and tampered with the evidence

ANSWER: C

POINTS: 0 / 1

19. A copy of evidence or oral description of its contents; not reliable as best evidence is what type of evidence?
a. Direct evidence
b. Circumstantial evidence
c. Hearsay evidence
d. Secondary evidence

ANSWER: D

POINTS: 0 / 1

20. What is defined as inference of information from other, intermediate, relevant facts?
a. Secondary evidence
b. Conclusive evidence
c. Hearsay evidence
d. Circumstantial evidence

ANSWER: D

POINTS: 0 / 1

21. In order to be able to successfully prosecute an intruder:
a. A point of contact should be designated to be responsible for communicating with law enforcement and other external agencies.
b. A proper chain of custody of evidence has to be preserved
c. Collection of evidence has to be done following predefined procedures
d. Whenever possible, analyze a replica of the compromised resource, not the original, thereby avoiding inadvertently tampering with evidence

ANSWER: B

POINTS: 0 / 1

22. Which of the following proves or disproves a specific act through oral testimony based on information gathered through the witness's five senses?
a. direct evidence
b. best evidence
c. conclusive evidence
d. hearsay evidence

ANSWER: A

POINTS: 0 / 1

23. In order to preserve a proper chain of custody of evidence?
a. Evidence has to be collected following predefined procedures in accordance with all laws and legal regulations
b. Law enforcement officials should be contacted for advice on how and when to collect critical information
c. Verifiable documentation indicating the sequence of individuals who have handled a piece of evidence should be available.
d. Log files containing information regarding an intrusion are retained for at least as long as normal business records, and longer in the case of an ongoing investigation.

ANSWER: A

POINTS: 0 / 1

24. What is the primary reason for the chain of custody of evidence?
a. To ensure that no evidence is lost
b. To ensure that all possible evidence is gathered
c. To ensure that it will be admissible in court
d. To ensure that incidents were handled with due care and due diligence

ANSWER: C

POINTS: 0 / 1

25. Which element must computer evidence have to be admissible in court?
a. It must be relevant
b. It must be annotated
c. It must be printed
d. It must contain source code

ANSWER: A

POINTS: 0 / 1


ANSWER: B

POINTS: 0 / 1

32. Evidence corroboration is achieved by
a. Creating multiple logs using more than one utility.
b. Establishing secure procedures for authenticating users.
c. Maintaining all evidence under the control of an independent source.
d. Implementing disk mirroring on all devices where log files are stored.

ANSWER: C

POINTS: 0 / 1

33. You are documenting a possible computer attack. Which one of the following methods is NOT appropriate for legal record keeping?
a. A bound paper notebook.
b. An electronic mail document.
c. A personal computer in "capture" mode that prints immediately.
d. Microcassette recorder for verbal notes

ANSWER: D

POINTS: 0 / 1

34. Which one of the following is NOT a requirement before a search warrant can be issued?
a. There is a probable cause that a crime has been committed.
b. There is an expectation that evidence exists of the crime.
c. There is probable cause to enter someone's home or business.
d. There is a written document detailing the anticipated evidence.

ANSWER: D

POINTS: 0 / 1

35. Once a decision is made to further investigate a computer crime incident, which one of the following is NOT employed?
a. Identifying what type of system is to be seized.
b. Identifying the search and seizure team members.
c. Identifying the cost of damage and plan for their recovery.
d. Determining the risk that the suspect will destroy evidence.

ANSWER: C

POINTS: 0 / 1

36. From a legal perspective, which of the following rules must be addressed when investigating a computer crime?
a. Search and seizure
b. Data protection
c. Engagement
d. Evidence


 

ANSWER: D

POINTS: 0 / 1

37. Which of the following is not a problem regarding computer investigation issues?
a. Information is intangible
b. Evidence is difficult to gather
c. Computer-generated records are only considered secondary evidence, thus are not as reliable as best evidence
d. In many instances, an expert or specialist is required

ANSWER: D

POINTS: 0 / 1

38. Why is the investigation of computer crime involving malicious damage especially challenging?
a. Information stored in a computer is intangible evidence.
b. Evidence may be destroyed in an attempt to restore the system.
c. Isolating criminal activity in a detailed audit log is difficult.
d. Reports resulting from common user error often obscure the actual violation.

ANSWER: B

POINTS: 0 / 1

39. After law enforcement is informed of a computer crime, the organization's investigators' constraints are
a. removed.
b. reduced.
c. increased.
d. unchanged.

ANSWER: C

POINTS: 0 / 1

40. To understand the "whys" in crime, many times it is necessary to understand MOM. Which of the following is not a component of MOM?
a. Opportunities
b. Methods
c. Motivation
d. Means

ANSWER: B

POINTS: 0 / 1

41. What category of law deals with regulatory standards that regulate performance and conduct? Government agencies create these standards, which are usually applied to companies and individuals within those companies.
a. Standards law
b. Conduct law
c. Compliance law
d. Administrative law


 

ANSWER: D

POINTS: 0 / 1

42. Something that is proprietary to that company and important for its survival and profitability is what type of intellectual property law?
a. Trade Property
b. Trade Asset
c. Patent
d. Trade Secret

ANSWER: D

POINTS: 0 / 1

43. Which of the following statements regarding trade secrets is false?
a. For a company to have a resource qualify as a trade secret, it must provide the company with some type of competitive value or advantage
b. The Trade Secret Law normally protects the expression of the idea of the resource.
c. Many companies require their employees to sign nondisclosure agreements regarding the protection of their trade secrets
d. A resource can be protected by law if it is not generally known and if it requires special skill, ingenuity, and/or expenditure of money and effort to develop it

ANSWER: B

POINTS: 0 / 1

44. Which category of law is also referenced as a Tort law?
a. Civil law
b. Criminal law
c. Administrative law
d. Public law

ANSWER: A

POINTS: 0 / 1

45. Which of the following European Union (EU) principles pertaining to the protection of information on private individuals is incorrect?
a. Data collected by an organization can be used for any purpose and for as long as necessary, as long as it is never communicated outside of the organization by which it was collected
b. Individuals have the right to correct errors contained in their personal data
c. Transmission of personal information to locations where "equivalent" personal data protection cannot be assured is prohibited.
d. Records kept on an individual should be accurate and up to date

ANSWER: A

POINTS: 0 / 1


46. A country that fails to legally protect personal data in order to attract companies engaged in collection of such data is referred to as a
a. data pirate
b. data haven
c. country of convenience
d. sanctional nation

ANSWER: B

POINTS: 0 / 1

47. Which of the following requires all communications carriers to make wiretaps possible?
a. 1994 US Communications Assistance for Law Enforcement Act
b. 1996 US Economic and Protection of Property Information Act
c. 1996 US National Information Infrastructure Protection Act
d. 1986 US Computer Security Act

ANSWER: A

POINTS: 0 / 1

48. Which of the following U.S. federal government laws/regulations was the first to require the development of a computer security plan?
a. Privacy Act of 1974
b. Computer Security Act of 1987
c. Federal Information Resources Management Regulations
d. Office of Management & Budget Circular A-130

ANSWER: B

POINTS: 0 / 1

49. Which U.S. act places responsibility on senior organizational management for prevention and detection programs with fines of up to $290 million for nonperformance?
a. The 1987 U.S. Computer Security Act
b. The 1986 U.S. Computer Fraud and Abuse Act
c. The 1991 U.S. Federal Sentencing Guidelines
d. The 1996 U.S. National Information Infrastructure Protection Act

ANSWER: C

POINTS: 0 / 1

50. What document made theft no longer restricted to physical constraints?
a. The Electronic Espionage Act of 1996
b. The Gramm Leach Bliley Act of 1999
c. The Computer Security Act of 1987
d. The Federal Privacy Act of 1974


ANSWER: A

POINTS: 0 / 1

51. In the US, HIPAA addresses which of the following?
a. Availability and Accountability
b. Accuracy and Privacy
c. Security and Availability
d. Security and Privacy

ANSWER: D

POINTS: 0 / 1

52. Which of the following placed requirements on federal government agencies to conduct security-related training, to identify sensitive systems, and to develop a security plan for those sensitive systems?
a. 1987 U.S. Computer Security Act
b. 1996 U.S. Economic and Protection of Proprietary Information Act
c. 1994 U.S. Computer Abuse Amendments Act
d. 1986 (Amended in 1996) U.S. Computer Fraud and Abuse Act

ANSWER: A

POINTS: 0 / 1

53. Which of the following cannot be undertaken in conjunction with computer incident handling?
a. system development activity
b. help-desk function
c. system backup function
d. risk management process

ANSWER: A

POINTS: 0 / 1

54. What is the primary goal of incident handling?
a. Successfully retrieve all evidence that can be used to prosecute
b. Improve the company's ability to be prepared for threats and disasters
c. Improve the company's disaster recovery plan
d. Contain and repair any damage caused by an event

ANSWER: D

POINTS: 0 / 1

55. Which one of the following is NOT a factor to consider when establishing a core incident response team?
a. Technical knowledge
b. Communication skills
c. The recovery capability
d. Understanding business policy

ANSWER: C

POINTS: 0 / 1


56. Which of the following specifically addresses cyber attacks against an organization's IT systems?
a. Continuity of support plan
b. Business continuity plan
c. Incident response plan
d. Continuity of operations plan

ANSWER: C

POINTS: 0 / 1

57. When should a post-mortem review meeting be held after an intrusion has been properly taken care of?
a. Within the first three months after the investigation of the intrusion is completed
b. Within the first week after prosecution of intruders has taken place, whether successful or not
c. Within the first month after the investigation of the intrusion is completed
d. Within the first week of completing the investigation of the intrusion

ANSWER: D

POINTS: 0 / 1

58. During a review of system logs of the enterprise, a security manager discovers that a colleague working on an exercise ran a job to collect confidential information on the company's clients. The colleague who ran the job has since left the company to work for a competitor. Based on the (ISC)2 Code of Ethics, which one of the following statements is MOST correct?
a. The manager should call the colleague and explain what has been discovered. The manager should then ask for the return of the information in exchange for silence.
b. The manager should warn the competitor that a potential crime has been committed that could put their company at risk.
c. The manager should inform his or her appropriate company management, and secure the results of the recovery exercise for future review.
d. The manager should call the colleague and ask the purpose of running the job prior to informing his or her company management of the situation.

ANSWER: C

POINTS: 0 / 1

59. In what way could the use of "cookies" violate a person's privacy?
a. When they are used to tie together a set of unconnected requests for web pages to cause an electronic map of where one has been.
b. When they are used to keep logs of who is using an anonymizer to access a site instead of their regular userid.
c. When the e-mail addresses of users that have registered to access the web site are sold to marketing firms.


ANSWER: A

POINTS: 0 / 1

60. Which of the following is the BEST way to prevent software license violations?
a. Implementing a corporate policy on copyright infringements and software use
b. Requiring that all PCs be diskless workstations
c. Installing metering software on the LAN so applications can be accessed through the metered software
d. Regularly scanning used PCs to ensure that unauthorized copies of software have not been loaded on the PC

ANSWER: D

POINTS: 0 / 1

61. The ISC2 Code of Ethics does not include which of the following behaviors for a CISSP:
a. moral
b. ethical
c. legal
d. control

ANSWER: D

POINTS: 0 / 1

62. Where can the phrase "Discourage unsafe practice" be found?
a. Computer Ethics Institute commandments
b. (ISC)2 Code of Ethics
c. Internet Activities Board's Ethics and the Internet (RFC1087)
d. CIAC Guidelines

ANSWER: B

POINTS: 0 / 1

63. One of the offences an individual or company can commit is decompiling vendor code. This is usually done in the hopes of understanding the intricate details of its functionality. What best describes this type of non-ethical engineering?
a. Inverse Engineering
b. Backward Engineering
c. Subvert Engineering
d. Reverse Engineering

ANSWER: D

POINTS: 0 / 1

64. Which one of the following is an ethical consideration of computer technology?
a. Ownership of proprietary software.
b. Information resource management.
c. Service level agreements.
d. System implementation and design.

ANSWER: A

POINTS: 0 / 1


65. The Internet Activities Board characterizes which of the following as unethical behavior for Internet users?
a. Writing computer viruses
b. Monitoring data traffic
c. Wasting computer resources
d. Concealing unauthorized accesses

ANSWER: D

POINTS: 0 / 1

66. Which of the following is a potential problem when creating a message digest for forensic purposes?
a. The process is very slow.
b. The file's last access time is changed.
c. The message digest is almost as long as the data string.
d. One-way hashing technology invalidates message digest processing.

ANSWER: D

POINTS: 0 / 1

67. A forensic examination should inspect slack space because it
a. Contains system level access control kernel.
b. Can contain a hidden file or data.
c. Can contain vital system information.
d. Can be deleted to avoid detection.

ANSWER: B

POINTS: 0 / 1

68. Forensic imaging of a workstation is initiated by
a. Booting the machine with the installed operating system.
b. Booting the machine with an operating system diskette.
c. Removing the hard drive to view the output of the forensic imaging software.
d. Directing the output of the forensic imaging software to the small computer system interface (SCSI).

ANSWER: D

POINTS: 0 / 1

69. A disk image backup is used for forensic investigation because it
a. Is based on secured hardware technology.
b. Creates a bit level copy of the entire disk.
c. Time stamps the files with the date and time of the copy operation.
d. Excludes areas that have never been used to store data.

ANSWER: B

POINTS: 0 / 1


70. When it comes to magnetic media sanitization, what difference can be made between clearing and purging information?
a. Clearing completely erases the media whereas purging only removes file headers, allowing the recovery of files
b. Clearing renders information unrecoverable by a keyboard attack and purging renders information unrecoverable against laboratory attack
c. They both involve rewriting the media
d. Clearing renders information unrecoverable against a laboratory attack and purging renders information unrecoverable to a keyboard attack

ANSWER: B

POINTS: 0 / 1

71. What is HIPAA?
a. The Home Insurance Portability & Accountability Act of 1996 (August 21), Public Law 104-191, which amends the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act.
b. The Public Health Insurance Portability & Accountability Act of 1996 (August 21), Public Law 104-191, which amends the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act.
c. The Health Insurance Privacy & Accountability Act of 1996 (August 2), public law 104-191, which amends the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act.
d. The Health Insurance Privacy & Accountability Act of 1996 (August 2), Public Law 104-191, which amends the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act.

ANSWER: B

POINTS: 0 / 1

72. The privacy provisions of the federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA),
a. apply to certain types of critical health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses.
b. apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses.
c. apply to health information created or maintained by some large health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses.
d. apply to health information created or maintained by health care providers regardless of whether they engage in certain electronic transactions, health plans, and health care clearinghouses.

ANSWER: B

POINTS: 0 / 1

73. Gap analysis does not apply to
a. Transactions
b. availability
c. Privacy
d. Security

ANSWER: B

POINTS: 0 / 1

74. A gap analysis for Privacy refers
a. to the practice of identifying the policies and procedures you currently have in place regarding the availability of protected health information.
b. to the practice of identifying the policies and procedures you currently have in place regarding the confidentiality of protected health information.
c. to the practice of identifying the policies and procedures you currently have in place regarding the authenticity of protected health information.
d. to the practices of identifying the legislation you currently have in place regarding the confidentiality of protected health information.

ANSWER: B

POINTS: 0 / 1

75. A gap analysis for Privacy
a. includes a comparison of your proposed policies and procedures and the requirements established in the Security and Privacy Regulation in order to identify any necessary modifications in existing policies to satisfy HIPAA regulations when they are stricter than state privacy laws.
b. includes a comparison of your current policies and procedures and the requirements established in the Security and Privacy Regulation in order to identify any necessary modifications in existing policies to satisfy HIPAA regulations when they are stricter than state privacy laws
c. includes a comparison of your ideal policies and procedures and the requirements established in the Security and Privacy Regulation in order to identify any necessary modifications in existing policies to satisfy HIPAA regulations when they are stricter than state privacy laws.
d. includes a comparison of your exceptional policies and procedures and the requirements established in the Security and Privacy Regulation in order to identify any necessary modifications in existing policies to satisfy HIPAA regulations when they are stricter than state privacy laws

ANSWER: B

POINTS: 0 / 1

76. What is a gap analysis in relationship to HIPAA?
a. In terms of HIPAA, a gap analysis cannot be defined.
b. In terms of HIPAA, a gap analysis defines what an organization currently is doing in a specific area of their organization and compares current operations to other requirements mandated by ethical standards.
c. In terms of HIPAA, a gap analysis defines what an organization currently is doing in a specific area of their organization and compares current operations to other requirements mandated by state or federal law
d. In terms of HIPAA, a gap analysis defines what an organization proposes to be doing in a specific area of their organization and compares proposed operations to other requirements mandated by state or federal law.

ANSWER: C

POINTS: 0 / 1

77. The privacy provisions of the federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), apply to certain types of health information created or maintained by health care providers
a. who engage in certain electronic transactions, health plans, and health care clearinghouses
b. who do not engage in certain electronic transactions, health plans, and health care clearinghouses
c. regardless of whether they engage in certain electronic transactions, health plans, and health care clearinghouses
d. if they engage for a majority of days in a year in certain electronic transactions, health plans, and health care clearinghouses.

ANSWER: A

POINTS: 0 / 1

78. HIPAA preempts state laws
a. except to the extent that the state law is less stringent
b. regardless of the extent that the state law is more stringent
c. except to the extent that the state law is more stringent
d. except to the extent that the state law is legislated later than HIPAA


ANSWER: C

POINTS: 0 / 1

79. The Implementation Guides
a. are referred to in the Static Rule
b. are referred to in the Transaction Rule
c. are referred to in the Transitional Rule
d. are referred to in the Acquisition Rule

ANSWER: B

POINTS: 0 / 1

80. The HIPAA task force must first
a. inventory the organization's systems, processes, policies, procedures and data to determine which elements are critical to patient care and central to the organization's business
b. inventory the organization's systems, processes, policies, procedures and data to determine which elements are non critical to patient care and central to the organization's business
c. inventory the organization's systems, processes, policies, procedures and data to determine which elements are critical to patient complaints and central to the organization's peripheral businesses
d. modify the organization's systems, processes, policies, procedures and data to determine which elements are critical to patient care and central to the organization's business

ANSWER: A

POINTS: 0 / 1

81. A covered healthcare provider with a direct treatment relationship with an individual need not:
a. provide the notice no later than the date of the first service delivery, including service delivered electronically
b. have the notice available at the service delivery site for individuals to request and keep
c. get an acknowledgement of the notice from each individual on stamped paper
d. post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered healthcare provider to be able to read it

ANSWER: C

POINTS: 0 / 1


82. A health plan may conduct its covered transactions through a clearinghouse, and may require a provider to conduct covered transactions with it through a clearinghouse. The incremental cost of doing so must be borne
a. by the HIPAA authorities
b. by the health plan
c. by any other entity but the health plan
d. by insurance companies

ANSWER: B

POINTS: 0 / 1

83. Covered entities (certain health care providers, health plans, and health care clearinghouses) are not required to comply with the HIPAA Privacy Rule until the compliance date. Covered entities may, of course, decide to:
a. involuntarily protect patient health information before this date
b. voluntarily protect patient health information before this date
c. after taking permission, voluntarily protect patient health information before this date
d. compulsorily protect patient health information before this date

ANSWER: B

POINTS: 0 / 1

84. The confidentiality of alcohol and drug abuse patient records maintained by this program is protected by federal law and regulations. Generally, the program may not say to a person outside the program that a patient attends the program, or disclose any information identifying a patient as an alcohol or drug abuser even if:
a. The person outside the program gives a written request for the information
b. the patient consents in writing
c. the disclosure is allowed by a court order
d. the disclosure is made to medical personnel in a medical emergency or to qualified personnel for research, audit, or program evaluation.

ANSWER: D

POINTS: 0 / 1

85. What is a Covered Entity? The term "Covered Entity" is defined in 160.103 of the regulation.
a. The definition is complicated and long.
b. The definition is referred to in the Secure Computing Act
c. The definition is very detailed.
d. The definition is deceptively simple and short

ANSWER: D

POINTS: 0 / 1


86. Are employers required to submit enrollments by the standard transactions?
a. Though employers are not CEs, they have to send enrollment using HIPAA standard transactions. However, the employer health plan IS a CE and must be able to conduct applicable transactions using the HIPAA standards.
b. Employers are not CEs and do not have to send enrollment using HIPAA standard transactions. However, the employer health plan IS a CE and must be able to conduct applicable transactions using the HIPAA standards.
c. Employers are CEs and have to send enrollment using HIPAA standard transactions. However, the employer health plan IS a CE and must be able to conduct applicable transactions using the HIPAA standards.
d. Employers are CEs and do not have to send enrollment using HIPAA standard transactions. Further, the employer health plan IS also a CE and must be able to conduct applicable transactions using the HIPAA standards.

ANSWER: B

POINTS: 0 / 1

87. Employers
a. often advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to the health plan, and generally help them navigate their health benefits.
b. sometimes advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to the health plan, and generally help them navigate their health benefits.
c. never advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to the health plan, and generally help them navigate their health benefits.
d. are prohibited by plan sponsors from advocating on behalf of group health plan participants or providing assistance in understanding their health plan.

ANSWER: A

POINTS: 0 / 1

88. Employers
a. are covered entities if they do not use encryption
b. are covered entities
c. are not legal entities
d. are not covered entities

ANSWER: D

POINTS: 0 / 1

89. The HIPAA task force must inventory the organization's systems, processes, policies, procedures and data to determine which elements are critical to patient care and central to the organization's business. All must be inventoried and listed
a. by priority as well as encryption levels, authenticity, storage devices, availability, reliability, access and use. The person responsible for criticality analysis must remain mission-focused and carefully document all the criteria used.
b. by priority and cost as well as availability, reliability, access and use. The person responsible for criticality analysis must remain mission-focused and carefully document all the criteria used.
c. by priority as well as availability, reliability, access and use. The person responsible for criticality analysis must remain mission-focused but need not document all the criteria used.
d. by priority as well as availability, reliability, access and use. The person responsible for criticality analysis must remain mission-focused and carefully document all the criteria used.

ANSWER: D

POINTS: 0 / 1

90. Are there penalties under HIPAA?
a. No penalties
b. HIPAA calls for severe civil and criminal penalties for noncompliance, including: -- fines up to $25k for multiple violations of the same standard in a calendar year -- fines up to $250k and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.
c. HIPAA calls for severe civil and criminal penalties for noncompliance, including: -- fines up to 50k for multiple violations of the same standard in a calendar year -- fines up to $500k and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information
d. HIPAA calls for severe civil and criminal penalties for noncompliance, including: -- fines up to $100 for multiple violations of the same standard in a calendar year -- fines up to $750k and/or imprisonment up to 20 years for knowing misuse of individually identifiable health information

ANSWER: B

POINTS: 0 / 1

91. HIPAA gave the option to adopt other financial and administrative transactions standards, "consistent with the goals of improving the operation of health care system and reducing administrative costs" to
a. ASCA prohibits HHS from paying Medicare claims that are not submitted electronically after October 16, 2003.
b. ASCA prohibits HHS from paying Medicare claims that are not submitted on paper after October 16, 2003
c. ASCA prohibits HHS from paying Medicare claims that are not submitted electronically after October 16, 2003, unless the Secretary grants a waiver from this requirement
d. No

ANSWER: C

POINTS: 0 / 1

92. May a health plan require a provider to use a health care clearinghouse to conduct a HIPAA-covered transaction, or must the health plan acquire the ability to conduct the transaction directly with those providers capable of conducting direct transactions?
a. A health plan may conduct its covered transactions through a clearinghouse, and may require a provider to conduct covered transactions with it through a clearinghouse. But the incremental cost of doing so must be borne by the health plan. It is a cost-benefit decision on the part of the health plan whether to acquire the ability to conduct HIPAA transactions directly with other entities, or to require use of a clearinghouse.
b. A health plan may not conduct its covered transactions through a clearinghouse
c. A health plan may, after taking specific permission from HIPAA authorities, conduct its covered transactions through a clearinghouse
d. is not as per HIPAA allowed to require a provider to conduct covered transactions with it through a clearinghouse

ANSWER: A

POINTS: 0 / 1

93. Business Associate Agreements are required by the regulation whenever a business associate relationship exists. This is true even when the business associates are both covered entities.
a. There are no specific elements which must be included in a Business Associate Agreement. However, some recommended but not compulsory elements are listed in 164.504(e)(2)
b. There are specific elements which must be included in a Business Associate Agreement. These elements are listed in Privacy Legislation
c. There are no specific elements which must be included in a Business Associate Agreement.
d. There are specific elements which must be included in a Business Associate Agreement. These elements are listed in 164.504(e)(2)

ANSWER: D

POINTS: 0 / 1

94. The Implementation Guides
a. are referred to in the Transaction Rule
b. are not referred to in the Transaction Rule
c. are referred to in the Compliance Rules
d. are referred to in the Confidentiality Rule

ANSWER: A

POINTS: 0 / 1

95. Business Associates
a. are entities that perform services that require the use of Protected Health Information on behalf of Covered Entities. One covered entity may be a business partner of another covered entity
b. are entities that do not perform services that require the use of Protected Health Information on behalf of Covered Entities. One covered entity may be a business partner of another covered entity
c. are entities that perform services that require the use of Encrypted Insurance Information on behalf of Covered Entities. One covered entity may be a business partner of another covered entity
d. are entities that perform services that require the use of Protected Health Information on behalf of Covered Entities. One covered entity cannot be a business partner of another covered entity.

ANSWER: A

POINTS: 0 / 1

96. Health Care Providers, however,
a. become the business associates of health plans even without joining a network
b. become the business associates of health plans by simply joining a network
c. do not become the business associates of health plans by simply joining a network
d. do not become the HIPAA associates of health plans by simply joining a network

ANSWER: C

POINTS: 0 / 1

97. In terms of HIPAA, examining what an organization currently is doing in a specific area of the organization and comparing current operations to other requirements mandated by state or federal law is called
a. HIPAA status analysis
b. gap analysis
c. comparison analysis
d. stop-gap analysis

ANSWER: B

POINTS: 0 / 1


98. Group Health Plans sponsored or maintained by employers, however,
a. ARE SOMETIMES covered entities.
b. ARE NOT covered entities.
c. ARE covered entities
d. ARE called uncovered entities

ANSWER: C

POINTS: 0 / 1

99. Employers often advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to the health plan, and generally help them navigate their health benefits. Is this type of assistance allowed under the regulation?
a. The final rule does nothing to hinder or prohibit plan sponsors from advocating on behalf of group health plan participants or providing assistance in understanding their health plans.
b. The final rule prohibits plan sponsors from advocating on behalf of group health plan participants or providing assistance in understanding their health plans
c. The final rule does hinder but does not prohibit plan sponsors from advocating on behalf of group health plan participants or providing assistance in understanding their health plans
d. The final rule does no advocating on behalf of group health plan participants or provide assistance in understanding their health plan.

ANSWER: A

POINTS: 0 / 1

100. HIPAA does not call for:
a. Standardization of electronic patient health, administrative and financial data
b. Unique health identifiers for individuals, employers, health plans, and health care providers.
c. Common health identifiers for individuals, employers, health plans and health care providers.
d. Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future.

ANSWER: C

POINTS: 0 / 1

101. A gap analysis for the Transactions set refers to the practice of identifying the data content you currently have available
a. through your medical software
b. through your accounting software
c. through competing unit medical software
d. based on the statutory authorities report

ANSWER: A

POINTS: 0 / 1

102. A gap analysis for the Transactions set does not refer to
a. the practice of identifying the data content you currently have available through your medical software
b. the practice of comparing that content to what is required by HIPAA, and ensuring there is a match.
c. and requires that you study the specific format of a regulated transaction to ensure that the order of the information when sent electronically matches the order that is mandated in the Implementation Guides.
d. but does not require that you study the specific format of a regulated transaction to ensure that the order of information when sent electronically matches the order that is mandated in the Implementation Guides.

ANSWER: D

POINTS: 0 / 1

103. Health Information Rights: although your health record is the physical property of the healthcare practitioner or facility that compiled it, the information belongs to you. You do not have the right to:
a. obtain a paper copy of the notice of information practices upon request; inspect and obtain a copy of your health record as provided for in 45 CFR 164.524
b. request a restriction on certain uses and disclosures of your information outside the terms as provided by 45 CFR 164.522
c. amend your health record as provided in 45 CFR 164.528; obtain an accounting of disclosures of your health information as provided in 45 CFR 164.528
d. revoke your authorization to use or disclose health information except to the extent that action has already been taken

ANSWER: B

POINTS: 0 / 1

104. Employers often advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to the health plan, and generally help them navigate their health benefits. Is individual consent required?
a. No
b. Sometimes
c. Yes
d. The answer is indeterminate

ANSWER: C

POINTS: 0 / 1


105. Who enforces HIPAA?
a. The Office of Civil Rights of the Department of Confidentiality Services is responsible for enforcement of these rules
b. The Office of Civil Rights of the Department of Health and Human Services is responsible for enforcement of these rules
c. The Office of Health Workers Rights of the Department of Health and Human Services is responsible for enforcement of these rules
d. The Department of Civil Rights of the Office of Health and Human Services is responsible for enforcement of these rules

ANSWER: B

POINTS: 0 / 1

106. Gap analysis does not apply to
a. Transactions
b. availability
c. Privacy
d. Security

ANSWER: B

POINTS: 0 / 1

107. A gap analysis for Security
a. refers to the practice of trusting the security policies and practices currently in place in your organization designed to protect all your data from unauthorized access, alteration or inadvertent disclosure.
b. refers to the practice of modifying the security policies and practices currently in place in your organization designed to protect all your data from unauthorized access, alteration or inadvertent disclosure.
c. refers to the practice of identifying the security policies and practices currently in place in your organization designed to protect all your data from unauthorized access, alteration or inadvertent disclosure.
d. refers to the practice of improving the security policies and practices currently in place in your organization designed to protect all your data from unauthorized access, alteration or inadvertent disclosure.

ANSWER: C

POINTS: 0 / 1

108. The Implementation Guides are referred to in the Transaction Rule. The manuals are
a. non-technical in nature and do not specifically state what the data content should be for each HIPAA transaction. They also do not state the order in which this data must appear when transmitted electronically.
b. theoretical in nature and specifically state what the data content should be for each HIPAA transaction. They also state the order in which this data must appear when transmitted electronically.
c. technical in nature and specifically state what the data content should be for each HIPAA transaction. They do not state the order in which this data must appear when transmitted electronically.
d. technical in nature and specifically state what the data content should be for each HIPAA transaction. They also state the order in which this data must appear when transmitted electronically.

ANSWER: D

POINTS: 0 / 1

109. Title II of HIPAA includes a section, Administrative Simplification, not requiring:
a. Improved efficiency in healthcare delivery by standardizing electronic data interchange
b. Protection of confidentiality of health data through setting and enforcing standards
c. Protection of security of health data through setting and enforcing standards
d. Protection of availability of health data through setting and enforcing standards

ANSWER: D

POINTS: 0 / 1

110. Who is not affected by HIPAA?
a. clearing houses
b. banks
c. universities
d. billing agencies

ANSWER: B

POINTS: 0 / 1

111. HIPAA results in
a. sweeping changes in some healthcare transaction and administrative information systems
b. sweeping changes in most healthcare transaction and administrative information systems
c. minor changes in most healthcare transaction and administrative information systems
d. no changes in most healthcare transaction and minor changes in administrative information systems

ANSWER: B

POINTS: 0 / 1