FREE CHPC HIPAA and Healthcare Privacy Standards Questions and Answers
Which of the following is considered Protected Health Information (PHI) under HIPAA?
Please select 3 correct answers
PHI includes any identifiable health information related to a patient’s physical or mental health, healthcare provision, or payment for healthcare. This includes medical record numbers, email addresses, and ages over 89 (considered identifiers under HIPAA due to the small population size). However, general state of residence alone is not PHI unless combined with other identifiers.
What is the main purpose of the HIPAA Privacy Rule?
The HIPAA Privacy Rule sets national standards for protecting patients' medical records and PHI. It ensures that individuals have rights over their health information, including rights to access, amend, and restrict the disclosure of their PHI.
A healthcare organization experiences a data breach involving the exposure of unencrypted PHI. What steps must they take according to the HIPAA Breach Notification Rule?
Please select 3 correct answers
Under the HIPAA Breach Notification Rule, organizations must:
Notify affected individuals within 60 days.
Report the breach to the OCR.
Notify the media if more than 500 individuals are affected.
Law enforcement notification is not mandatory unless required by other regulations or circumstances.
Which of the following scenarios would NOT be considered a HIPAA violation?
Under HIPAA, PHI can be shared with a business associate if there is a signed Business Associate Agreement (BAA) ensuring the associate complies with HIPAA requirements. The other options involve unauthorized access or disclosure, which would be considered HIPAA violations.
What rights does a patient have under the HIPAA Privacy Rule?
Please select 3 correct answers
Under the HIPAA Privacy Rule, patients have the right to:
Access and obtain copies of their medical records.
Request amendments to their records if they believe information is incorrect.
Receive an accounting of disclosures (a list of when their PHI was shared outside treatment, payment, and operations).
However, patients cannot request deletion of PHI under HIPAA, as healthcare organizations are legally required to maintain certain records.