HIPAA Cheat Sheet 2026
The 30 highest-yield HIPAA facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
75 questions
90 min time limit
70% to pass
- An EHR system must transmit patient data to a referring specialist. Which HIPAA requirement applies to this transmission? → Encryption must be used to protect ePHI during transmission over open networks
- Which of the following items must be removed under HIPAA's Safe Harbor de-identification method? → ZIP codes with populations less than 20,000
- Which of the following is NOT an example of a business associate under HIPAA? → A janitorial service that does not have access to PHI
- In which of the following scenarios is a covered entity permitted to disclose PHI without the patient's authorization? → To a public health authority for disease surveillance purposes as required by law.
- Under HIPAA, what document must be executed before a covered entity can share a Limited Data Set? → A Data Use Agreement (DUA)
- Which of the following data elements, when combined with a patient's medical condition, would NOT be considered Protected Health Information (PHI) under HIPAA? → The initial three digits of a zip code for a geographic area containing 25,000 people
- A covered entity wants to interface their EHR with a health information exchange (HIE). What HIPAA consideration applies? → A BAA must be executed with the HIE, and the interface must maintain ePHI security
- Which HIPAA Security Rule standard directly addresses the integrity of electronic PHI in EHR systems? → Integrity Controls
- Under HITECH, what additional breach notification obligation applies when a breach affects 500 or more individuals in a single state? → Prominent media outlets serving the affected state or jurisdiction must be notified
- Under HIPAA, which of the following is a primary requirement for electronic health record systems handling Protected Health Information (PHI)? → Implementing access controls that limit PHI access to authorized users
- A patient requests access to their EHR records. Under HIPAA, what is the covered entity's obligation? → The covered entity must provide access within 30 days, with a possible 30-day extension
- A covered entity discovers that their EHR vendor experienced a data breach. Under HIPAA, when must the covered entity notify affected patients? → Within 60 days of discovery of the breach
- Under HIPAA, what must a covered entity provide to patients at first service delivery? → A Notice of Privacy Practices describing how the covered entity uses and discloses PHI
- Under HIPAA, an EHR system's audit log must capture which of the following? → User activity including access, modifications, and disclosures of PHI
- What is the HIPAA requirement for workforce training on EHR security? → All workforce members with access to EHR systems must receive security awareness training
- What is the purpose of the HIPAA Security Rule? → To establish national standards for protecting electronic PHI (ePHI)
- Which HITECH provision specifically addressed the problem of organizations that lacked proper safeguards but had never been investigated by HHS? → The mandate for HHS to conduct periodic audits of covered entities and business associates
- What does the HITECH Act stand for and when was it enacted? → Health Information Technology for Economic and Clinical Health, 2009
- If the Secretary of Health and Human Services (HSS) validates a complaint my practice: → It may result in a compliance review
- Which of the following best explains why disclosures to healthcare providers for treatment are exempt from the Minimum Necessary Standard? → Complete clinical information is often critical for safe and effective treatment decisions
- When a patient requests access to his/her medical records: → B and C
- Under HITECH, what is the maximum penalty per violation for 'willful neglect' that is NOT corrected within 30 days of discovery? → $50,000 per violation
- Under HIPAA Safe Harbor de-identification, how must ages over 89 be handled? → They may be aggregated into a single category of '90 or older'
- Under the HITECH Act, who became directly subject to HIPAA's Security Rule obligations for the first time? → Business associates, including EHR vendors and IT contractors handling PHI
- The Health Insurance Portability and Accountability Act (HIPAA): → All of the above
- When implementing role-based access control (RBAC) in an EHR under HIPAA, what principle should govern access assignments? → Grant access based on minimum necessary requirements for each role
- Under the Minimum Necessary Standard, what must a covered entity do when it routinely requests PHI from another covered entity? → Establish standard protocols or criteria limiting requests to the minimum needed
- What HIPAA safeguard addresses the process of verifying that ePHI has not been altered without authorization in an EHR? → Integrity controls including checksums and hash verification
- Under the HIPAA Privacy Rule, which of the following is NOT considered Protected Health Information (PHI)? → A de-identified health summary used for a statistical study.
- A practice can refuse to amend the record: → Under specific circumstances
Turn these facts into recall: