HIPAA - (Mental Healthcare Providers)
Which federal agency enforces HIPAA’s Privacy, Security, and Breach Notification Rules?
A. Office for Civil Rights (OCR) at HHS
B. Centers for Medicare & Medicaid Services (CMS)
C. Department of Justice (DOJ)
D. Federal Trade Commission (FTC)

How soon must affected individuals be notified after discovery of a breach of unsecured PHI?
A. Within 15 calendar days
B. Without unreasonable delay and no later than 60 calendar days
C. Within 90 calendar days
D. By the end of the fiscal year

For breaches affecting 500 or more residents of a state or jurisdiction, which extra step is required?
A. Notify local police only
B. Post a notice on the office door
C. Notify prominent media and report to HHS within 60 days
D. No extra steps are required

For breaches affecting fewer than 500 individuals, when must the report be submitted to HHS?
A. Within 10 business days
B. Within 60 calendar days of discovery
C. No later than 60 days after the end of the calendar year
D. Reporting is optional

Civil HIPAA penalties use a four-tier system. Which statement is MOST accurate?
A. Penalties are flat and not tiered
B. Civil monetary penalties scale by culpability (from lack of knowledge to willful neglect)
C. Only criminal penalties apply to HIPAA violations
D. Penalties apply to patients, not organizations

Criminal HIPAA penalties for obtaining/disclosing PHI with intent to sell, transfer, or use it for personal gain or malicious harm can include imprisonment of up to:
A. 1 year
B. 5 years
C. 10 years
D. 20 years

Under the HIPAA Privacy Rule, which of the following does NOT require patient authorization?
A. Treatment, payment, and healthcare operations (TPO)
B. Marketing communications with remuneration
C. Most uses of psychotherapy notes
D. Sale of PHI

What is the standard time limit to respond to a patient’s request for access to their PHI?
A. 15 days, no extension
B. 30 days, with one 30-day extension if needed
C. 45 days, no extension
D. 60 days, with unlimited extensions

Which HIPAA rule establishes requirements for risk analysis, access controls, audit controls, and transmission security for ePHI?
A. Privacy Rule
B. Security Rule
C. Breach Notification Rule
D. Omnibus Rule only

Which statement best describes the Minimum Necessary standard?
A. It applies to all uses/disclosures including treatment
B. It applies to most uses/disclosures except those for treatment and certain other exceptions
C. It applies only to paper records
D. It applies only to psychotherapy notes

Psychotherapy notes under HIPAA are:
A. The entire mental health record
B. Process notes kept separate from the medical record and given special protection
C. Medication lists only
D. Subject to the same rules as all PHI without exceptions

A patient asks for copies of the clinician’s separate psychotherapy notes. Under HIPAA the provider should:
A. Provide them within 30 days
B. Provide them only in electronic form
C. Deny the request because psychotherapy notes are excluded from the access right
D. Charge double the standard fee

Which is TRUE about using psychotherapy notes?
A. They can be used for most purposes without authorization
B. They generally require the patient’s authorization for use/disclosure beyond the originator’s own use for treatment
C. They are automatically shared with family on request
D. They must be de-identified before any clinical use

You plan to use a third-party teletherapy video platform. What is required before using it with patients?
A. Nothing, because video is not PHI
B. Only a privacy policy posted on your website
C. A Business Associate Agreement (BAA) with the vendor if it handles ePHI
D. Verbal assurance from the vendor about security

A patient authorizes you to email session summaries to their personal email. Which is BEST practice?
A. Send without safeguards because the patient accepted risk
B. Use reasonable safeguards (verify address, consider encryption) and honor the request
C. Refuse because email is banned by HIPAA
D. CC their employer for documentation

A patient expresses an imminent, serious threat of harm to an identifiable person. Under HIPAA you may disclose relevant PHI:
A. Only with a court order
B. To law enforcement or a person who can lessen the threat, consistent with law and professional judgment
C. Never; mental health PHI is absolutely confidential
D. Only after 30 days

A parent requests their 16-year-old’s therapy records in a state where minors can consent to mental health treatment. Under HIPAA:
A. Parents always have full access
B. Access depends on state law; more stringent state protections prevail
C. HIPAA forbids all disclosures to parents
D. Only the school decides

Which scenario MOST likely requires written patient authorization (not just consent/notice)?
A. Coordinating care with another treating provider
B. Reporting suspected abuse to authorities as required by law
C. Using PHI for marketing of a commercial app unrelated to care
D. Billing a health plan for therapy

You participate in a federally assisted substance use disorder (SUD) treatment program. Compared with HIPAA, 42 CFR Part 2 generally:
A. Allows broader sharing without consent
B. Has similar or less strict rules
C. Is stricter and typically requires written patient consent for disclosures, with limited exceptions
D. Applies only to paper records

After misdirecting a therapy summary to the wrong patient portal account, what is the FIRST appropriate step?
A. Delete the record and move on
B. Wait to see if anyone reports it
C. Immediately mitigate (e.g., revoke access/recover), report internally, and initiate a risk assessment
D. Notify the media directly
© 2011-2025 CPR Select® All Rights Reserved.