CAHIMS PRACTICE EXAM WITH REVIEW QUESTIONS
NEWEST 2025 ALL 700 QUESTIONS AND CORRECT
DETAILED ANSWERS
From a regulatory perspective, what are the differences between what
a BA is required to adhere to when it comes to the HIPAA rules and
what a CE must adhere to?
A. There are no differences.
B. The BA is required to adhere to the HIPAA Privacy, Security, and
Breach Notification Rules, but the CE is not required to adhere to any of them.
C. The BA is required to adhere to the use and disclosure provisions of
the HIPAA Privacy Rule and the full Security and Breach Notification
Rules, and the CE is required to adhere to the Privacy, Security, and
Breach Notification Rules and the other HIPAA Administrative
Simplification provisions.
D. The BA is required to adhere to the full Security and Breach
Notification Rules, and the CE is required to adhere to the Privacy,
Security, and Breach Notification Rules and the other HIPAA
Administrative Simplification provisions. - ANSWER-C. The business
associate is required to adhere to the use and disclosure provisions of
the HIPAA Privacy Rule and the complete Security and Breach
Notification Rules, and the covered entity is required to adhere to the
Privacy, Security, and Breach Notification Rules and the other HIPAA
Administrative Simplification provisions.
What standard can be used to harmonize different identity and
authentication systems?
A. WS-Trust
B. WAP
C. Wi-Fi
D. WEP - ANSWER-A. WS-Trust is the standard used to harmonize
different identity and authentication systems.
What authentication standard is best paired with FHIR®?
A. SOAP
B. kAuth
C. OAuth
D. Password - ANSWER-C. OAuth is considered the best security
protocol for use with HL7 FHIR® along with HTTPS. Note that client
certificates and SAML are also used.
What is it called when one system asks another to enforce a policy
fragment?
A. Liability
B. Obligation
C. Commitment
D. Permission - ANSWER-B. When a sending system needs a
receiving system to enforce a policy fragment, and it knows that the
receiving system can enforce this policy fragment, then it would convey
the policy fragment using an obligation. An obligation might be explicit
or implied.
What is the critical fact about healthcare data that separates it from
other data?
A. It is large.
B. It is detailed.
C. It can't be changed or revoked.
D. There is nothing special about healthcare data. - ANSWER-C.
Healthcare data can't be changed or revoked, thus it is extra important
to protect against inappropriate disclosure. Healthcare data also are
often used to make life-critical or lifesaving decisions.
What type of security information is time of day?
A. Permission
B. Role
C. Label
D. Context - ANSWER-D. Time of day is part of the context of the
transaction.
Which of the following is not a principle of privacy?
A. The purpose for data collection should be known, limited, and stated.
B. An individual (patient) should have the right to see the data that has
been collected and correct it if it is found to be inaccurate.
C. The data should be controlled against any inappropriate use or
access.
D. The data must be digitally signed. - ANSWER-D. Digital signatures
are not a principle of privacy. Digital signatures are used to provide
proof of provenance, or proof of action. They might be used to sign a
privacy consent.
What enforcement action can OCR take if a CE violates provisions of
HIPAA's Administrative Simplification provisions?
A. OCR has no enforcement authority.