HIPAA - (Insurance Brokers and Agents)
Which federal agency enforces HIPAA's Privacy, Security, and Breach Notification Rules?
A. Office for Civil Rights (OCR) at HHS
B. Centers for Medicare & Medicaid Services (CMS)
C. Department of Justice (DOJ) only
D. Federal Trade Commission (FTC)

How soon must affected individuals be notified after discovery of a breach of unsecured PHI?
A. Within 15 calendar days
B. Without unreasonable delay and no later than 60 calendar days after discovery
C. Within 90 calendar days
D. Only if more than 500 people are affected

A breach affecting more than 500 residents of a single state or jurisdiction requires the covered entity to:
A. Notify only OCR by year-end
B. Notify prominent media outlets serving that state/jurisdiction and report to HHS, both without unreasonable delay and no later than 60 calendar days after discovery
C. Notify local police only
D. Post a lobby sign for 30 days

For breaches affecting fewer than 500 individuals, when must the covered entity report to HHS?
A. Within 10 business days of discovery
B. Within 60 calendar days of discovery
C. No later than 60 days after the end of the calendar year in which the breach was discovered (the entity keeps a log of such breaches in the meantime)
D. Reporting is optional

Which statement best describes HIPAA penalties?
A. Only civil penalties exist
B. Civil penalties are tiered by culpability; criminal penalties can include fines and imprisonment
C. Penalties apply only to hospitals
D. Penalties are fixed dollar amounts without discretion

What is the standard time frame to fulfill an individual's request for access to their PHI?
A. 15 days, no extensions
B. 30 days, with one additional 30-day extension if needed
C. 45 days, no extensions
D. 60 days, unlimited extensions

Which HIPAA rule sets requirements for risk analysis, access controls, audit controls, and transmission security for ePHI?
A. Privacy Rule
B. Security Rule
C. Breach Notification Rule
D. Omnibus Rule only

Which statement best captures the Minimum Necessary standard?
A. Applies to all disclosures, including those for treatment
B. Applies to most uses and disclosures, except those for treatment and certain other exceptions (e.g., disclosures to the individual, under an authorization, to HHS, or as required by law)
C. Applies only to paper records
D. Applies only to mental health PHI

A stolen laptop contained ePHI encrypted to NIST-recommended standards, and the key was not compromised. Breach notification is:
A. Required in all thefts
B. Not required, because properly encrypted data is not "unsecured" PHI under HHS guidance
C. Required only if more than 50 records are involved
D. Required only if the laptop was personally owned

De-identification under HIPAA generally requires:
A. Removing the name only
B. Changing the ZIP code
C. Either the Safe Harbor method (removing all 18 listed identifiers) or the Expert Determination method (a qualified expert documents that the re-identification risk is very small)
D. Keeping the date of birth but removing the address

An insurance broker accesses member PHI to help a health plan enroll and manage coverage. Under HIPAA the broker is typically a:
A. Covered entity
B. Business associate of the health plan
C. Conduit
D. Personal representative

Before a broker handles PHI for a health plan, what must be in place?
A. A generic NDA with the patient
B. A Business Associate Agreement (BAA) with the plan
C. Only verbal assurances of confidentiality
D. Nothing; brokers are exempt

A broker wants to use member lists to market a non-plan product from a third party. What is generally required?
A. No action; this is health care operations
B. Written patient authorization (and if financial remuneration is involved, the authorization must say so)
C. Only a posted privacy notice
D. A verbal consent noted in the file

Communicating with current enrollees about plan benefits, case management, or replacement plans offered by the same plan is generally:
A. Marketing that always needs authorization
B. A sale of PHI
C. Excluded from the definition of marketing and permitted as health care operations (no authorization needed)
D. A prohibited disclosure

Regarding genetic information, which is TRUE for underwriting by health plans under HIPAA as amended by GINA?
A. Genetic information may be used freely for underwriting
B. Use or disclosure of genetic information for underwriting purposes is prohibited
C. Only whole-genome data is restricted
D. Restrictions apply only to minors

A broker discovers that an email containing member PHI was sent to the wrong employer contact. As a business associate, the broker must:
A. Delete the email quietly
B. Notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery (or sooner if the BAA requires it), providing the identities of affected individuals and the other details the plan needs for its own notifications
C. Notify affected individuals directly without telling the plan
D. Wait for the annual report to HHS

Which action best aligns with the Minimum Necessary standard for brokers?
A. Collect complete medical records for every applicant
B. Access only the data needed for enrollment, eligibility, and premium rating tasks
C. Ask for full psychiatric histories for all members
D. Retain PHI indefinitely for future sales

An employer plan sponsor asks for information to obtain premium bids or to modify, amend, or terminate the plan. HIPAA allows the plan to disclose:
A. Full medical records of all employees
B. Summary health information (e.g., aggregated claims history and expenses) with the identifiers removed, except that geographic data may be kept at the five-digit ZIP code level
C. Names and SSNs only
D. Only de-identified aggregate national data

A member requests their PHI from the plan via the broker. The broker should:
A. Refuse; brokers cannot help with access requests
B. Provide access immediately from personal files
C. Verify the requester's identity, route the request through the plan's process, and support timely (30-day) fulfillment
D. Charge any fee the broker chooses

Which law prevails if a state insurance privacy law is contrary to, and more stringent than, HIPAA on a particular issue?
A. HIPAA always preempts state law
B. The more stringent state law controls
C. Neither law applies
D. The broker can choose which to follow
© 2011-2025 CPR Select® All Rights Reserved.