HIPAA Competency Test

Approved & Edited by ProProfs Editorial Team

The editorial team at ProProfs Quizzes consists of a select group of subject experts, trivia writers, and quiz masters who have authored over 10,000 quizzes taken by more than 100 million users. This team includes our in-house seasoned quiz moderators and subject matter experts. Our editorial experts, spread across the world, are rigorously trained using our comprehensive guidelines to ensure that you receive the highest quality quizzes.

Learn about Our Editorial Process

| By Questrecords

Questrecords

Community Contributor

Quizzes Created: 1 | Total Attempts: 1,897

Questions: 50 | Attempts: 1,897 | Updated: Mar 22, 2023

Questions

Settings

Feedback

During the Quiz End of Quiz

Play as

Quiz Flashcard

Create your own Quiz

Designed to test your knowledge about HIPAA and Release of Information!

Questions and Answers

1.

What does the HIPAA acronym stand for?
- A.
  
  Health Identification Privacy and Affordability Act
- B.
  
  Health Information Portability and Affordability Act
- C.
  
  Health Information Privacy and Accountability Act
- D.
  
  Health Insurance Portability and Accountability Act
Correct Answer
D. Health Insurance Portability and Accountability Act

Explanation
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Rate this question:
2.

Can a provider in your organization use the database to access the medical record of a patient who was seen by another provider in the organization?
- A.
  
  No, he/she must create a new record for the patient based on his/her personal interactions with the patient.
- B.
  
  No, he/she must obtain written consent from the patient.
- C.
  
  Yes, as long as he/she will be treating that patient or the provider is assisting another provider with the coordination of the patient’s care.
- D.
  
  Yes, he/she can access any information available in the database.
Correct Answer
C. Yes, as long as he/she will be treating that patient or the provider is assisting another provider with the coordination of the patient’s care.

Explanation
A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities.19 A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship.

Rate this question:
3.

A covered entity must obtain an individual’s written authorization for use or disclosure of protected health information in which of the following scenarios?
- A.
  
  A coder must review a patient’s chart to code a recent hospital stay.
- B.
  
  A consulting physician needs to access a patient’s record to inform his/her opinion.
- C.
  
  A hospital administrator needs to access patient data to create a report about how many patients were treated for diabetes in the last six months.
- D.
  
  None of the above
Correct Answer
D. None of the above

Explanation
All of these examples fall under the category of TPO (Treatment, Payment, Operations) and would not require written authorization.

Rate this question:
4.

Patients can request a copy of billing records associated with their care.
- A.
  
  True
- B.
  
  False
Correct Answer
A. True

Explanation
The Privacy Rule gives you, with few exceptions, the right to inspect, review, and receive a copy of your medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule.

Rate this question:
5.

Which division of The Department of Health and Human Services (HHS) is responsible for administering and enforcing HIPAA privacy and security standards?
- A.
  
  Centers of Medicare and Medicaid Services (CMS)
- B.
  
  Office of Civil Rights (OCR)
- C.
  
  Office of Inspector General (OIG)
- D.
  
  Office of the National Coordinator for Health Information Technology (ONC)
Correct Answer
B. Office of Civil Rights (OCR)

Explanation
The Office for Civil Rights (OCR) ensures equal access to certain health and human services and protects the privacy and security of health information.

Rate this question:
6.

Any healthcare provider, regardless of size, is considered a covered entity under the HIPAA Privacy Rule, so long as the provider:
- A.
  
  Demonstrates meaningful use of electronic health records (EHR)
- B.
  
  Electronically transmits health information in connection with certain transactions
- C.
  
  Handles health information in any way
- D.
  
  Receives reimbursement from a government health program
Correct Answer
B. Electronically transmits health information in connection with certain transactions

Explanation
This includes providers such as:
•Doctors
•Clinics
•Psychologists
•Dentists
•Chiropractors
•Nursing Homes
•Pharmacies

...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

Rate this question:
7.

All of the following pieces of information are considered individually identifiable health information, EXCEPT:
- A.
  
  Birth Date
- B.
  
  Diagnosis
- C.
  
  Name
- D.
  
  Social Security Number
Correct Answer
B. Diagnosis

Explanation
A subset of health information that identifies the individual or can reasonably be used to identify the individual; HIPAA protects individually identifiable health information. Common individual identifiers include name, address, and social security number, but may also include date of birth, Zip Code, or county location. If the information is not individually identifiable, such as healthcare research information that only identifies a particular population, not individuals, then it is not protected by HIPAA. In research, this can get complicated, and further inquiry should be made when seeking a determination on a small population. IIHI only becomes PHI when a covered entity creates, receives, or maintains the information.

Rate this question:
8.

Which of the following scenarios is considered an incidental disclosure?
- A.
  
  A member of the housekeeping staff overhears two physicians discussing a case in the break room
- B.
  
  A nurse practitioner leaves a laptop containing protected health information on the subway
- C.
  
  A nurse tells a 10-year-old patient’s parents the details of their child’s case
- D.
  
  A physician tells his or her spouse that he saw their neighbor in the hospital
Correct Answer
A. A member of the housekeeping staff overhears two pHysicians discussing a case in the break room

Explanation
An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule.

Rate this question:
9.

What kind of personally identifiable health information is protected by HIPAA privacy rule?
- A.
  
  Paper
- B.
  
  Electronic
- C.
  
  Spoken word
- D.
  
  All of the above
Correct Answer
D. All of the above

Explanation
The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral.

Rate this question:
10.

It would be appropriate to release patient information to:
- A.
  
  The patient’s (non-attending) physician brother
- B.
  
  Personnel from the hospital the patient transferred from 2 days ago checking on the patient
- C.
  
  The respiratory therapy personnel doing an ordered procedure
- D.
  
  A retired physician who is a friend of the family
Correct Answer
C. The respiratory therapy personnel doing an ordered procedure

Explanation
The respiratory therapy personnel that are doing an ordered procedure is the only example that can receive and use patient information without written authorization because it is covered under TPO (treatment, payment, operations).

Rate this question:
11.

If a person has the ability to access facility or company systems or applications, they have a right to view any information contained in that system or application.
- A.
  
  True
- B.
  
  False
Correct Answer
B. False

Explanation
The “need to know” rule states protected health information should only be used or disclosed as necessary to perform your job duties.

Rate this question:
12.

Copies of patient information may be disposed of in any garbage can in the facility.
- A.
  
  True
- B.
  
  False
Correct Answer
B. False

Explanation
Covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. •For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.

Rate this question:
13.

The criminal penalties for improperly disclosing patient health information can be as high as fines of $250,000 and prison sentences of up to 10 years.
- A.
  
  True
- B.
  
  False
Correct Answer
A. True

Explanation
Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

Rate this question:
14.

Which of the following if the appropriate person with whom to share patient information even if the patient has NOT specifically authorized the release of information to the individual?
- A.
  
  A former physician of the patient who is concerned about the patient
- B.
  
  A colleague who needs information about the patient to provide proper care
- C.
  
  A friend of the patient
- D.
  
  A pharmaceutical salesman who is offering a fee for a list of patients to who he could send a free sample of his product.
Correct Answer
B. A colleague who needs information about the patient to provide proper care

Explanation
The only example that falls under TPO (Treatment, Payment, Operations) is when a colleague needs information about the patient to provide proper care. All other examples need a written authorization to release information.

Rate this question:
15.

Patients have a right to access their health information.
- A.
  
  True
- B.
  
  False
Correct Answer
A. True

Explanation
The Privacy Rule gives you, with few exceptions, the right to inspect, review, and receive a copy of your medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule.
Only you or your personal representative has the right to access your records.

Rate this question:
16.

When is the patient’s written authorization to release information required?
- A.
  
  A. In most cases, when patient information is going to be shared with anyone for reasons other than treatment, payment, or health care operations.
- B.
  
  B. Upon admission to a hospital
- C.
  
  C. When patient information is to be shared among two or more clinicians.
- D.
  
  D. When patient information is used for billing a private insurer.
Correct Answer
A. A. In most cases, when patient information is going to be shared with anyone for reasons other than treatment, payment, or health care operations.

Explanation
Three of the examples describe uses of information related to TPO (Treatment, Payment, Operations) and do not require a written authorization. For the most part, any other uses beyond TPO will need a written authorization.

Rate this question:
17.

Signed authorizations for release of information are considered invalid if there is no expiration date.
- A.
  
  True
- B.
  
  False
Correct Answer
A. True

Explanation
The Privacy Rule requires that an Authorization contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. For example, an Authorization may expire "one year from the date the Authorization is signed," "upon the minor’s age of majority," or "upon termination of enrollment in the health plan."

Rate this question:
18.

What does “minimum necessary” mean?
- A.
  
  I am only expected to complete the minimum requirements of my job.
- B.
  
  A workforce member’s access to PHI is limited to only what is needed to perform his/her responsibilities.
- C.
  
  Requests for and disclosures of PHI are limited to what is needed to perform the task.
- D.
  
  A medical center is no longer allowed to provide information about patients to the media under any circumstances.
- E.
  
  B and C
Correct Answer
E. B and C

Explanation
The HIPAA Privacy Rule states the Minimum Necessary Standard applies when using or disclosing protected health information (PHI), or when requesting PHI from others, a covered entity must take reasonable steps to limit uses and disclosures of PHI to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."

Rate this question:
19.

Under HIPAA, a patient has the following right:
- A.
  
  To receive a Notice of Privacy Practices
- B.
  
  To see or receive a copy of his/her protected health information (PHI).
- C.
  
  To request that his/her PHI be corrected.
- D.
  
  To ask for PHI to be sent to him/her at a different address or a different way.
- E.
  
  To request limits on how his/her PHI is used and disclosed.
- F.
  
  To receive a list of disclosures
- G.
  
  All of the above.
Correct Answer
G. All of the above.

Explanation
Under HIPAA, patients have the following rights:
Notice of Privacy Practices.
Right to Access.
Right to Accounting of Disclosures.
Right to Amendment.
Right to Request Confidential Communications.
Right to Restrictions. Information on your right to restrict certain disclosures of your health information.
Right to Restrict Disclosure to Health Plan. Information on your right to request restrictions on disclosure of your health information when you paid for service out-of-pocket in full.
Right to Complain for Privacy Rights Violations.
Using and Disclosing Your Health Information.

Rate this question:
20.

The Notice of Privacy Practices:
- A.
  
  Explains how the medical center will use or disclose patients’ protected health information.
- B.
  
  Is a list of private physicians who practice at the medical center.
- C.
  
  Describes how the medical center will protect the privacy of employee records.
- D.
  
  All of the above.
Correct Answer
A. Explains how the medical center will use or disclose patients’ protected health information.

Explanation
The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information.

Rate this question:
21.

Consents and Authorizations are the same?
- A.
  
  True
- B.
  
  False
Correct Answer
B. False

Explanation
Consents are used to get the patient’s permission to use or disclose health information for treatment, payment, or business operations. Authorizations are used to obtain permission to disclose PHI for activities outside the realm of treatment, payment, or operations.

Rate this question:
22.

Using pHI for patient registration or coding purposes would fall under which portion of the allowed purposes for release of pHI?
- A.
  
  Operations
- B.
  
  Payment
- C.
  
  Treatment
- D.
  
  Administration
Correct Answer
B. Payment

Explanation
•“Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.

Rate this question:
23.

________________ is defined as an impermissible disclosure of pHI that compromises the security or privacy of the patient.
- A.
  
  Breach
- B.
  
  Data dictionary
- C.
  
  Notice of Privacy Practices
- D.
  
  Disclosure
Correct Answer
A. Breach

Explanation
Definition of Breach. A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

Rate this question:
24.

Under the HIPAA Omnibus Rule, patients can ask for and receive copies of their medical records in an electronic form.
- A.
  
  True
- B.
  
  False
Correct Answer
A. True

Explanation
In the final Omnibus rule, Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.

Rate this question:
25.

Under HIPAA, a patient has the right to request an amendment to his/her medical record, and the hospital has a duty to comply.
- A.
  
  True
- B.
  
  False
Correct Answer
B. False

Explanation
Under HIPAA, the patient has a right to request an amendment to the medical record, but the hospital doesn't have to comply. They have an obligation to review the request for amendment and consider it but are under no obligation to comply.

Rate this question:
26.

If a patient is deceased, a covered entity may disclose to a family member who was involved in the patient’s care or payment for healthcare prior to the death, pHI of the deceased unless there is an expressed statement to the contrary.
- A.
  
  True
- B.
  
  False
Correct Answer
A. True

Explanation
The Privacy Rule permits a covered entity to disclose protected health information about a decedent to a family member, or other person who was involved in the individual’s health care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity. This may include disclosures to spouses, parents, children, domestic partners, other relatives, or friends of the decedent, provided the information disclosed is limited to that which is relevant to the person’s involvement in the decedent’s care or payment for care.

Rate this question:
27.

A covered entity must act upon a request for access to pHI no later than ______ days after receipt of the request, under normal circumstances.
- A.
  
  15
- B.
  
  30
- C.
  
  14
- D.
  
  45
Correct Answer
B. 30

Explanation
In providing access to the individual, a covered entity must provide access to the PHI requested, in whole, or in part (if certain access may be denied as explained below), no later than 30 calendar days from receiving the individual’s request.

Rate this question:
28.

For pHI disclosures in which there is personal gain, or for malicious purposes, federal penalties can include up to _________ year(s) in prison.
- A.
  
  5
- B.
  
  1
- C.
  
  15
- D.
  
  10
Correct Answer
D. 10

Explanation
Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

Rate this question:
29.

Which of the following would be considered a Business Associate?
- A.
  
  Healthcare provider
- B.
  
  Government agency
- C.
  
  Quest Records
- D.
  
  Covered Entity
Correct Answer
C. Quest Records

Explanation
As defined by the Health Information Portability and Accountability Act (HIPAA), a business associate is any organization or person working in association with or providing services to a covered entity who handles or discloses Personal Health Information (PHI) or Personal Health Records (PHR).

Rate this question:
30.

When patients pay for their healthcare bills “out of their own pocket”, they can have information kept private from their health insurance plan.
- A.
  
  True
- B.
  
  False
Correct Answer
A. True

Explanation
The Omnibus rule states that when individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.

Rate this question:
31.

Members of the workforce who are not involved in a patient’s care are allowed to review the patient’s chart out of curiosity.
- A.
  
  True
- B.
  
  False
Correct Answer
B. False

Explanation
Viewing a medical record for the sake of curiosity is not allowed under HIPAA. Only those healthcare providers involved in the patient’s care should review the record, as needed for that care.

Rate this question:
32.

If a breach of pHI involves more than _______ patient(s), a press release must be issued to the major media informing the public of the breach.
- A.
  
  100
- B.
  
  500
- C.
  
  1
- D.
  
  250
Correct Answer
B. 500

Explanation
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.

Rate this question:

1
0
33.

Patients who believe that their pHI has been compromised by the hospital have the right to make a complaint to the federal government.
- A.
  
  True
- B.
  
  False
Correct Answer
A. True

Explanation
If the patient feels their rights are being denied or the health information isn't being protected, they can file a complain with the provider and also with HHS, OCR division.

Rate this question:
34.

pHI can be recorded on paper or verbally. The electronic documentation of pHI is not covered under the HIPAA rules.
- A.
  
  True
- B.
  
  False
Correct Answer
B. False

Explanation
The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information (PHI)2.

Rate this question:
35.

The monetary penalties for improperly disclosing patient health information can be as high as:
- A.
  
  $125,000
- B.
  
  $250,000
- C.
  
  $500,000
- D.
  
  $1,500,000
Correct Answer
D. $1,500,000

Explanation
The monetary penalties for violating HIPAA are broken into a tier system as follows:
1. Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation.
$100-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

2. The HIPAA violation had a reasonable cause and was not due to willful neglect.
$1,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

3. The HIPAA violation was due to willful neglect but the violation was corrected within the required time period.
$10,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

4. The HIPAA violation was due to willful neglect and was not corrected.
$50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

Rate this question:
36.

You have received a request from the mother of a 17 year-old married patient to release his medical records. The parents consented for the 17 year-old to marry and marriage is grounds for emancipation in the state. The mother wants the records to complete the personal health record she has compiled and wishes to give to her son. You:
- A.
  
  Copy the records for the mom because when the patient was a child, the mom was listed as next of kin.
- B.
  
  Copy the records because the age of majority in the state is 18.
- C.
  
  Tell the mom that her son must sign the authorization now that he is an emancipated minor.
- D.
  
  Tell the mom that her son’s wife must sign the authorization now that she is the next of kin.
Correct Answer
C. Tell the mom that her son must sign the authorization now that he is an emancipated minor.

Explanation
The following patients are considered adults regardless of their age for purposes of consenting to medical care and access to their medical care records regardless of the type of care they receive:
◾Married individuals
Since this individual is considered an adult by marriage, he would need to request his own medical records.

Rate this question:
37.

A “valid” authorization must contain specific elements including:
- A.
  
  A patient’s right to revoke
- B.
  
  A re-disclosure statement
- C.
  
  Signed and dated by the patient or representative
- D.
  
  All of the above
Correct Answer
D. All of the above

Explanation
Under HIPAA, an authorization must contain the following elements in order to be valid:
1) Authorization is written in plain language.
2) Authorization identifies the name of the patient whose PHI is being disclosed.
3) Authorization identifies the type of information to be disclosed.
4) Authorization identifies the names or classes of persons or types of healthcare providers authorized to make the disclosure.
5) Authorization identifies the names or classes of persons or types of healthcare providers authorized to whom the organization may make the disclosure.
6) Authorization identifies the purpose of the disclosure.
7) Authorization contains the signature of the patient or patient's authorized legal representative.
8) If signed by an authorized legal representative, the authorization identifies the relationship of that person to the patient.
9) Authorization includes the date on which the authorization is signed.
10) Authorization identifies the time period for which the authorization is effective and expiration date or event.
11) Authorization contains a statement informing the individual regarding the right to revoke the authorization in writing and a description how to do so.
12) Authorization contains a statement informing the individual about the organization's ability or inability to condition treatment, payment, enrollment or eligibility for benefits.
13) Authorization contains a statement informing the individual about the potential for information to be redisclosed and no longer protected by the federal privacy rule.
14) Authorization contains a statement that if an organization is seeking the authorization, a copy must be provided to the individual signing the authorization.
15) Authorization contains statement that the individual may inspect or copy the health information disclosed.

Rate this question:

1
0
38.

A non-custodial parent requests a copy of their child’s medical record. The parent provides documentation that she is indeed the child’s parent. The non-custodial parent has a right to access the medical record in Missouri.
- A.
  
  True
- B.
  
  False
Correct Answer
A. True

Explanation
Check your current state guidelines. According to Missouri:
Unless a parent has been denied custody rights pursuant to this section or visitation rights under section 452.400, both parents shall have access to records and information pertaining to a minor child, including, but not limited to, medical, dental, and school records. If the parent without custody has been granted restricted or supervised visitation because the court has found that the parent with custody or the child has been the victim of domestic violence, as defined in section 455.200, RSMo, by the parent without custody, the court may order that the reports and records made available pursuant to this subsection not include the address of the parent with custody or the child. Unless a parent has been denied custody rights pursuant to this section or visitation rights under section 452.400, any judgment of dissolution or other applicable court order shall specifically allow both parents access to such records and reports.

Rate this question:
39.

A patient is deceased. A friend of the family has requested records. What type of documentation is needed in order to comply with the request?
- A.
  
  A letter from the family that it is okay to release records.
- B.
  
  A Power of Attorney listing the friend as Power of Attorney.
- C.
  
  Death Certificate listing the friend as the informant.
- D.
  
  Executor/Administrator of the Estate paper listing the friend as the Exector/Administrator.
- E.
  
  Either a OR b
- F.
  
  Either c OR d
Correct Answer
F. Either c OR d

Explanation
The HIPAA Privacy Rule recognizes that a deceased individual’s protected health information may be relevant to a family member’s health care. The Rule provides two ways for a surviving family member to obtain the protected health information of a deceased relative.

First, disclosures of protected health information for treatment purposes—even the treatment of another individual—do not require an authorization; thus, a covered entity may disclose a decedent’s protected health information, without authorization, to the health care provider who is treating the surviving relative.

Second, a covered entity must treat a deceased individual’s legally authorized executor or administrator, or a person who is otherwise legally authorized to act on the behalf of the deceased individual or his estate, as a personal representative with respect to protected health information relevant to such representation.

Rate this question:
40.

The daughter of a patient had requested records and she provides a Limited Financial Power of Attorney for documentation. This is sufficient to process the request.
- A.
  
  True
- B.
  
  False
Correct Answer
B. False

Explanation
An individual that has been given a health care power of attorney will have the right to access the medical records of the individual related to such representation to the extent permitted by the HIPAA Privacy Rule at 45 CFR 164.524.

Rate this question:
41.

A request from a law office comes in with a subpoena attached. It does not have a patient’s authorization. The subpoena is signed by the lawyer. It is okay to release records.
- A.
  
  True
- B.
  
  False
Correct Answer
B. False

Explanation
A subpoena issued by someone other than a judge, such as a court clerk or an attorney in a case, is different from a court order.

A HIPAA-covered provider or plan may disclose information to a party issuing a subpoena only if the notification requirements of the Privacy Rule are met. Before responding to the subpoena, the provider or plan should receive evidence that there were reasonable efforts to:
•Notify the person who is the subject of the information about the request, so the person has a chance to object to the disclosure, or
•Seek a qualified protective order for the information from the court.

Rate this question:

1
0
42.

You receive a request from a worker’s compensation carrier requesting records relating to the injured body part. It does not contain a signed authorization for the patient. You reject the request because it is lacking an authorization.
- A.
  
  True
- B.
  
  False
Correct Answer
B. False

Explanation
Disclosures Without Individual Authorization. The Privacy Rule permits covered entities to disclose protected health information to workers’ compensation insurers, State administrators, employers, and other persons or entities involved in workers’ compensation systems, without the individual’s authorization:
•As authorized by and to the extent necessary to comply with laws relating to workers’ compensation or similar programs established by law that provide benefits for work-related injuries or illness without regard to fault. This includes programs established by the Black Lung Benefits Act, the Federal Employees’ Compensation Act, the Longshore and Harbor Workers’ Compensation Act, and the Energy Employees’ Occupational Illness Compensation Program Act. See 45 CFR 164.512(l).
•To the extent the disclosure is required by State or other law. The disclosure must comply with and be limited to what the law requires. See 45 CFR 164.512(a).
•For purposes of obtaining payment for any health care provided to the injured or ill worker. See 45 CFR 164.502(a)(1)(ii) and the definition of “payment” at 45 CFR 164.501.

Rate this question:

1
0
43.

A 16-year old patient in Missouri was tested for a sexually transmitted disease. Her tests came back negative. The mother of the patient has requested a copy of these records. You are allowed to release those records to the mother.
- A.
  
  True
- B.
  
  False
Correct Answer
B. False

Explanation
Please always check individual state guidelines!
Missouri law permits, but does not require, healthcare providers to inform a parent or guardian if their minor child has been
diagnosed with or treated for pregnancy, STD, or drug or alcohol abuse. Such disclosure should only be made when doing so is consistent with the confidentiality policies of the practice setting and with professional ethical guidelines, and when it is in the minor’s best interest. The law does not permit healthcare providers to disclose any information if the minor patient is found not to be pregnant, afflicted with an STD, or suffering from drug or alcohol abuse.

Rate this question:
44.

A patient can request an accounting of disclosures as far back as _____ years before the time of the request.
- A.
  
  1
- B.
  
  3
- C.
  
  6
- D.
  
  10
Correct Answer
C. 6

Explanation
Individual may request accounting of disclosures as far back as six years before the time of the request.

Rate this question:
45.

Accounting of Disclosures Does Not Include Disclosures For:
- A.
  
  Short term disability claims
- B.
  
  Patient requests
- C.
  
  Attorney requests
- D.
  
  Treatment, Payment, or health care operations
Correct Answer
D. Treatment, Payment, or health care operations

Explanation
Accounting of Disclosures Does Not Include Disclosures For:
Treatment (to persons involved in the individual’s care), payment or health care operations.
Individual subject of PHI.
Incident to an otherwise permitted disclosure.
Disclosure based on individual’s signed authorization.
For facility directory.
For national security or intelligence purposes.
To correctional facilities or law enforcement on behalf of inmates.
As part of a limited data set (see 45 CFR s. 164.514).

Rate this question:
46.

A breach is treated as discovered:
- A.
  
  The moment that the breach occurs.
- B.
  
  On the first day the breach is known to the covered entity, or in the exercise of reasonable diligence, it should have been known to the covered entity.
- C.
  
  The moment the patient discovers the breach.
- D.
  
  After the organization has notified all parties of the breach.
Correct Answer
B. On the first day the breach is known to the covered entity, or in the exercise of reasonable diligence, it should have been known to the covered entity.

Explanation
A breach is treated as discovered:
On first day the breach is known to the covered entity, or
In the exercise of reasonable diligence, it should have been known to the covered entity.
Notification time period for a breach begins when the organization did or should have known it existed

Rate this question:
47.

A step-parent has sent in a request for her stepchild's medical records. Because she is married to the parent and the parent has joint custody, she is allowed access to the records.
- A.
  
  True
- B.
  
  False
Correct Answer
B. False

Explanation
Unless the step-parent is a legal guardian and the provider has the guardianship papers on file, or a legal guardian has provided authorization. Step-parents may call to schedule appointments, but do not have access to their stepchildren’s PHI without authorization by a legal guardian.

Rate this question:
48.

A high profile case is happening in the area and you have been contacted by a news outlet for information regarding the medical records of one of the individuals involved. Since it's a well known media news outlet and you think it's important for the public to know about it, you process their request.
- A.
  
  True
- B.
  
  False
Correct Answer
B. False

Explanation
You are not allowed to release PHI without a signed HIPAA compliant authorization from the patient. Releasing the records without the proper authorization is grounds for immediate disciplinary action and may result in civil and criminal penalties.

Rate this question:
49.

What does pHI stand for?
- A.
  
  Peoples Health Insurance
- B.
  
  Probable Hospital Intake
- C.
  
  Protected Health Information
- D.
  
  Personal Home Information
Correct Answer
C. Protected Health Information

Explanation
PHI stands for Protected Health Information.

Rate this question:
50.

What does IIHI stand for?
- A.
  
  Individually Identifiable Health Information
- B.
  
  Individually Identified Homeowners Insurance
- C.
  
  Important Insurance Hospitalization Information
- D.
  
  Included Insurance Health Information
Correct Answer
A. Individually Identifiable Health Information

Explanation
HIPAA defines “individually identifiable health information” as information that is a subset of health information, including demographic information collected from an individual, and:
1.Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2.Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
1.That identifies the individual; or
2.With respect to which there is reasonable basis to believe the information can be used to identify the individual.

Rate this question:

Quiz Review Timeline +

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

Current Version
Mar 22, 2023

Quiz Edited by
ProProfs Editorial Team
Jan 08, 2016

Quiz Created by
Questrecords

HIPAA Competency Test

What does the HIPAA acronym stand for?

Can a provider in your organization use the database to access the medical record of a patient who was seen by another provider in the organization?

A covered entity must obtain an individual’s written authorization for use or disclosure of protected health information in which of the following scenarios?

Patients can request a copy of billing records associated with their care.

Which division of The Department of Health and Human Services (HHS) is responsible for administering and enforcing HIPAA privacy and security standards?

Any healthcare provider, regardless of size, is considered a covered entity under the HIPAA Privacy Rule, so long as the provider:

All of the following pieces of information are considered individually identifiable health information, EXCEPT:

Which of the following scenarios is considered an incidental disclosure?

What kind of personally identifiable health information is protected by HIPAA privacy rule?

It would be appropriate to release patient information to:

If a person has the ability to access facility or company systems or applications, they have a right to view any information contained in that system or application.

Copies of patient information may be disposed of in any garbage can in the facility.

The criminal penalties for improperly disclosing patient health information can be as high as fines of $250,000 and prison sentences of up to 10 years.

Which of the following if the appropriate person with whom to share patient information even if the patient has NOT specifically authorized the release of information to the individual?

Patients have a right to access their health information.

When is the patient’s written authorization to release information required?

Signed authorizations for release of information are considered invalid if there is no expiration date.

What does “minimum necessary” mean?

Under HIPAA, a patient has the following right:

The Notice of Privacy Practices:

Consents and Authorizations are the same?

Using pHI for patient registration or coding purposes would fall under which portion of the allowed purposes for release of pHI?

________________ is defined as an impermissible disclosure of pHI that compromises the security or privacy of the patient.

Under the HIPAA Omnibus Rule, patients can ask for and receive copies of their medical records in an electronic form.

Under HIPAA, a patient has the right to request an amendment to his/her medical record, and the hospital has a duty to comply.

If a patient is deceased, a covered entity may disclose to a family member who was involved in the patient’s care or payment for healthcare prior to the death, pHI of the deceased unless there is an expressed statement to the contrary.

A covered entity must act upon a request for access to pHI no later than ______ days after receipt of the request, under normal circumstances.

For pHI disclosures in which there is personal gain, or for malicious purposes, federal penalties can include up to _________ year(s) in prison.

Which of the following would be considered a Business Associate?

When patients pay for their healthcare bills “out of their own pocket”, they can have information kept private from their health insurance plan.

Members of the workforce who are not involved in a patient’s care are allowed to review the patient’s chart out of curiosity.

If a breach of pHI involves more than _______ patient(s), a press release must be issued to the major media informing the public of the breach.

Patients who believe that their pHI has been compromised by the hospital have the right to make a complaint to the federal government.

pHI can be recorded on paper or verbally. The electronic documentation of pHI is not covered under the HIPAA rules.

The monetary penalties for improperly disclosing patient health information can be as high as:

A “valid” authorization must contain specific elements including:

A non-custodial parent requests a copy of their child’s medical record. The parent provides documentation that she is indeed the child’s parent. The non-custodial parent has a right to access the medical record in Missouri.

A patient is deceased. A friend of the family has requested records. What type of documentation is needed in order to comply with the request?

The daughter of a patient had requested records and she provides a Limited Financial Power of Attorney for documentation. This is sufficient to process the request.

A request from a law office comes in with a subpoena attached. It does not have a patient’s authorization. The subpoena is signed by the lawyer. It is okay to release records.

You receive a request from a worker’s compensation carrier requesting records relating to the injured body part. It does not contain a signed authorization for the patient. You reject the request because it is lacking an authorization.

A 16-year old patient in Missouri was tested for a sexually transmitted disease. Her tests came back negative. The mother of the patient has requested a copy of these records. You are allowed to release those records to the mother.

A patient can request an accounting of disclosures as far back as _____ years before the time of the request.

Accounting of Disclosures Does Not Include Disclosures For:

A breach is treated as discovered:

A step-parent has sent in a request for her stepchild's medical records. Because she is married to the parent and the parent has joint custody, she is allowed access to the records.

What does pHI stand for?

What does IIHI stand for?