1. HIPAA HITECH does not require a disaster recovery plan.
    • a. True
    • b. False
  2. Which document is at the core of HIPAA compliance?
    • a. Security Incident Report
    • b. Breach Risk Assessment
    • c. Risk Analysis
    • d. HIPAA training
  3. If a device such as a laptop or mobile device has all its data encrypted to NIST standards, and the device is off and is stolen, reporting a breach to the OCR or patient(s) is not necessary.
    • a. True
    • b. False
  4. Signed Business Associate agreements and organizational HIPAA policies and procedures must be kept for at least:
    • a. 3 years
    • b. 4 years
    • c. 5 years
    • d. 6 years
  5. If a breach risk assessment determines there is a breach that affects 500 or more patients in one state, which of the following must occur:
    • a. Notify the OCR within 60 days.
    • b. Notify the patients in writing within 60 days, preferably earlier.
    • c. Notify the press via a press release within 60 days.
    • d. All of the above