HIPAA Cheat Sheet 2026

The 30 highest-yield HIPAA facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

75 questions
90 min time limit
70% to pass
  1. An EHR system must transmit patient data to a referring specialist. Which HIPAA requirement applies to this transmission? Encryption must be used to protect ePHI during transmission over open networks
  2. Which of the following items must be removed under HIPAA's Safe Harbor de-identification method? ZIP codes with populations less than 20,000
  3. Which of the following is NOT an example of a business associate under HIPAA? A janitorial service that does not have access to PHI
  4. In which of the following scenarios is a covered entity permitted to disclose PHI without the patient's authorization? To a public health authority for disease surveillance purposes as required by law.
  5. Under HIPAA, what document must be executed before a covered entity can share a Limited Data Set? A Data Use Agreement (DUA)
  6. Which of the following data elements, when combined with a patient's medical condition, would NOT be considered Protected Health Information (PHI) under HIPAA? The initial three digits of a zip code for a geographic area containing 25,000 people
  7. A covered entity wants to interface their EHR with a health information exchange (HIE). What HIPAA consideration applies? A BAA must be executed with the HIE, and the interface must maintain ePHI security
  8. Which HIPAA Security Rule standard directly addresses the integrity of electronic PHI in EHR systems? Integrity Controls
  9. Under HITECH, what additional breach notification obligation applies when a breach affects 500 or more individuals in a single state? Prominent media outlets serving the affected state or jurisdiction must be notified
  10. Under HIPAA, which of the following is a primary requirement for electronic health record systems handling Protected Health Information (PHI)? Implementing access controls that limit PHI access to authorized users
  11. A patient requests access to their EHR records. Under HIPAA, what is the covered entity's obligation? The covered entity must provide access within 30 days, with a possible 30-day extension
  12. A covered entity discovers that their EHR vendor experienced a data breach. Under HIPAA, when must the covered entity notify affected patients? Within 60 days of discovery of the breach
  13. Under HIPAA, what must a covered entity provide to patients at first service delivery? A Notice of Privacy Practices describing how the covered entity uses and discloses PHI
  14. Under HIPAA, an EHR system's audit log must capture which of the following? User activity including access, modifications, and disclosures of PHI
  15. What is the HIPAA requirement for workforce training on EHR security? All workforce members with access to EHR systems must receive security awareness training
  16. What is the purpose of the HIPAA Security Rule? To establish national standards for protecting electronic PHI (ePHI)
  17. Which HITECH provision specifically addressed the problem of organizations that lacked proper safeguards but had never been investigated by HHS? The mandate for HHS to conduct periodic audits of covered entities and business associates
  18. What does the HITECH Act stand for and when was it enacted? Health Information Technology for Economic and Clinical Health, 2009
  19. If the Secretary of Health and Human Services (HSS) validates a complaint my practice: It may result in a compliance review
  20. Which of the following best explains why disclosures to healthcare providers for treatment are exempt from the Minimum Necessary Standard? Complete clinical information is often critical for safe and effective treatment decisions
  21. When a patient requests access to his/her medical records: B and C
  22. Under HITECH, what is the maximum penalty per violation for 'willful neglect' that is NOT corrected within 30 days of discovery? $50,000 per violation
  23. Under HIPAA Safe Harbor de-identification, how must ages over 89 be handled? They may be aggregated into a single category of '90 or older'
  24. Under the HITECH Act, who became directly subject to HIPAA's Security Rule obligations for the first time? Business associates, including EHR vendors and IT contractors handling PHI
  25. The Health Insurance Portability and Accountability Act (HIPAA): All of the above
  26. When implementing role-based access control (RBAC) in an EHR under HIPAA, what principle should govern access assignments? Grant access based on minimum necessary requirements for each role
  27. Under the Minimum Necessary Standard, what must a covered entity do when it routinely requests PHI from another covered entity? Establish standard protocols or criteria limiting requests to the minimum needed
  28. What HIPAA safeguard addresses the process of verifying that ePHI has not been altered without authorization in an EHR? Integrity controls including checksums and hash verification
  29. Under the HIPAA Privacy Rule, which of the following is NOT considered Protected Health Information (PHI)? A de-identified health summary used for a statistical study.
  30. A practice can refuse to amend the record: Under specific circumstances
Turn these facts into recall: