HIPAA - (Healthcare Providers)
Which federal agency enforces HIPAA’s Privacy, Security, and Breach Notification Rules?
A. Office for Civil Rights (OCR) at HHS
B. Centers for Disease Control and Prevention (CDC)
C. Department of Justice (DOJ) only
D. Centers for Medicare & Medicaid Services (CMS)

How soon must affected individuals be notified after discovery of a breach of unsecured PHI?
A. Within 15 calendar days
B. Without unreasonable delay and no later than 60 calendar days
C. Within 90 calendar days
D. Only if more than 500 individuals are affected

For breaches affecting fewer than 500 individuals, when must the covered entity report to HHS?
A. Within 10 business days of discovery
B. Within 60 days of discovery
C. No later than 60 days after the end of the calendar year
D. Reporting is optional

A breach affecting 500 or more residents of a state or jurisdiction requires:
A. No additional steps beyond individual notice
B. Notice to prominent media and HHS within 60 days
C. Only a report to local police
D. Posting a sign at the front desk

Which statement best describes HIPAA civil and criminal penalties?
A. Only civil penalties apply; no criminal penalties exist
B. Civil penalties are tiered by culpability; criminal penalties can include fines and imprisonment for wrongful disclosures
C. Penalties apply only to hospitals, not individuals
D. Penalties are fixed dollar amounts with no discretion

Under the HIPAA Privacy Rule, which activities generally do NOT require patient authorization?
A. Treatment, payment, and healthcare operations (TPO)
B. Marketing communications with remuneration
C. Sale of PHI
D. Most uses of psychotherapy notes

What is the standard time frame to fulfill a patient’s request for access to their PHI?
A. 15 days, no extensions
B. 30 days, with one additional 30-day extension if needed
C. 45 days, no extensions
D. 60 days, unlimited extensions allowed

Which HIPAA rule sets requirements for risk analysis, access controls, audit controls, and transmission security for ePHI?
A. Privacy Rule
B. Security Rule
C. Breach Notification Rule
D. Omnibus Rule only

Which statement best captures the Minimum Necessary standard?
A. Applies to all disclosures, including treatment
B. Applies to most uses/disclosures except those for treatment and certain other exceptions
C. Applies only to paper records
D. Applies only to mental health PHI

Properly encrypted ePHI (per NIST guidance) on a stolen laptop with no key compromise generally:
A. Still requires breach notification
B. Is considered unsecured PHI
C. Qualifies for safe harbor and typically does not require notification
D. Requires notifying only the media

A physician wants to send PHI through a new telehealth platform. What must be in place if the vendor creates/receives/maintains/transmits ePHI?
A. Only a posted website privacy policy
B. A Business Associate Agreement (BAA) with the vendor
C. Verbal assurance from the vendor
D. Nothing; telehealth is exempt from HIPAA

A patient pays in full out-of-pocket and requests that the provider not disclose the related information to their health plan. Under HIPAA the provider must:
A. Deny the request—plans must always be billed
B. Honor the restriction for that item/service
C. Notify the plan anyway for coordination of benefits
D. Wait until year end to decide

Which of the following is generally permitted without authorization when consistent with law and professional judgment?
A. Disclosure to prevent or lessen a serious and imminent threat
B. Sale of PHI to a third party
C. Marketing a non-care app using patient lists
D. Sharing entire charts with a friend of the patient

Which example is an allowable incidental disclosure when reasonable safeguards are in place?
A. Discussing a patient’s diagnosis in a crowded elevator
B. Using a sign-in sheet with limited information at reception
C. Leaving a full chart open in a public hallway
D. Posting a surgery schedule with full names in the lobby

A nurse receives a phone request for results from a person claiming to be the patient’s spouse. The nurse should first:
A. Read the results to the caller
B. Verify the caller’s identity and authority per policy before disclosure
C. Refuse all phone disclosures
D. Ask the caller to send a text message

Which situation requires written patient authorization rather than relying on TPO or an exception?
A. Consulting with another treating clinician
B. Reporting suspected child abuse to authorities
C. Using PHI for paid marketing of a wellness product
D. Submitting claims to a health plan

A patient requests an electronic copy of their EHR in a readily producible format. The provider should:
A. Deny the request; only paper is allowed
B. Provide an electronic copy if readily producible and at a reasonable, cost-based fee
C. Charge any fee the clinic sets
D. Require the patient to pick up a CD only

A provider’s workstation faces a hallway. To comply with HIPAA, the BEST action is to:
A. Do nothing; it’s inside the clinic
B. Use privacy screens, position monitors away from public view, and enable automatic logoff
C. Turn off passwords to speed care
D. Tape paper over the screen

Family and friends are present during a patient’s visit. When is it generally permissible to share relevant PHI with them?
A. Only with a signed authorization
B. When the patient agrees or does not object, and it is in the patient’s best interests
C. Never—family cannot receive PHI
D. Only after discharge

A resident physician posts a de-identified case on a professional forum. Which element must be true for HIPAA de-identification?
A. Remove a few identifiers but keep ZIP+DOB
B. Strip all 18 HIPAA identifiers or apply expert determination so that risk of re-identification is very small
C. Change only the patient’s name
D. Add a disclosure that it is for education