CHC - Certified in Healthcare Compliance HIPAA Privacy and Security Questions and Answers

Question 1

A covered entity discovers that a business associate has experienced a breach of unsecured protected health information (PHI) affecting 450 individuals.
The business associate notified the covered entity 50 days after discovering the breach.
According to the HIPAA Breach Notification Rule, what is the covered entity's primary notification responsibility?

Accepted Answer

Notify the affected individuals and the Secretary of HHS annually, as the breach affects fewer than 500 individuals.

Answer

Notify prominent media outlets in the state within 10 days of being notified by the business associate.

Answer

Notify the Secretary of HHS of the breach on the same day it notifies the affected individuals.

Answer

Notify the affected individuals without unreasonable delay, but no later than 60 days from when the covered entity was informed of the breach.

Question 2

Which of the following is a key distinction between the HIPAA Privacy Rule and the HIPAA Security Rule?

Accepted Answer

The Privacy Rule establishes standards for how PHI can be used and disclosed, while the Security Rule sets standards for safeguarding electronic PHI.

Answer

The Security Rule applies to all forms of PHI, while the Privacy Rule only applies to electronic PHI (ePHI).

Answer

The Security Rule is optional for small providers, whereas the Privacy Rule is mandatory for all covered entities.

Answer

The Privacy Rule is enforced by the Office of the National Coordinator for Health IT (ONC), while the Security Rule is enforced by the Office for Civil Rights (OCR).

Question 3

A hospital's fundraising foundation wants to send a mailing to former patients. Under HIPAA, which of the following pieces of information may the hospital disclose to its foundation for fundraising purposes without obtaining prior patient authorization?

Accepted Answer

Dates of service, demographic information, and health insurance status.

Answer

Patient diagnosis and treatment details.

Answer

The patient's entire medical record.

Answer

Information about the patient's specific treating physician and outcome.

Question 4

A patient reviews their medical record and finds an error in their diagnosis history. Under the HIPAA Privacy Rule, the patient has the right to request an amendment to their PHI. What is the covered entity's obligation after receiving this request?

Accepted Answer

Act on the request within a reasonable time, typically within 60 days, by either making the amendment or providing a written denial.

Answer

Immediately delete the incorrect information from the record as requested by the patient.

Answer

Inform the patient that medical records cannot be changed once they are finalized.

Answer

Require the patient to obtain a court order before any amendment can be considered.

Question 5

A research institution wants to use a hospital's patient database for a study. To comply with HIPAA, they plan to de-identify the data. They choose the 'Safe Harbor' method. Which of the following is one of the 18 identifiers that MUST be removed under this method?

Accepted Answer

All geographic subdivisions smaller than a state, including ZIP codes.

Answer

The state of the patient's residence.

Answer

The patient's year of birth.

Answer

The patient's age expressed in years.

Question 6

Which of the following is an example of a required 'Technical Safeguard' under the HIPAA Security Rule?

Accepted Answer

Implementing audit controls to record and examine activity in information systems.

Answer

Implementing policies for the proper use of workstations.

Answer

Developing a security awareness and training program for the workforce.

Answer

Establishing a contingency plan for data backup and disaster recovery.