CAS-003 · Question #642
CAS-003 Question #642: Real Exam Question with Answer & Explanation
The correct answer is B: Anonymize identifiable information using keyed strings.
Question
Options
- A. Log all access to the data and correlate with the researcher
- B. Anonymize identifiable information using keyed strings
- C. Ensure all data is encrypted in transit to the researcher
- D. Ensure all researchers sign and abide by non-disclosure agreements
- E. Sanitize date and time stamp information in the records.
Explanation
Anonymizing patient data using keyed strings (pseudonymization) means that even if the data is breached or misused by researchers, individual patients cannot be re-identified. This directly mitigates the primary risk, exposure of protected health information (PHI), and aligns with HIPAA de-identification requirements. Answer A (logging access) is a detective control; it identifies misuse after the fact but does not prevent it. Answer C (encryption in transit) protects data during transmission but not from misuse by the researcher once received. Answer D (NDAs) is a legal control that does not prevent technical misuse of identifiable data. Answer E (sanitizing timestamps) alone is insufficient for full de-identification. Pseudonymization removes the risk at the data level.