CPSS TEST - OPHTHALMOLOGY EXAM QUESTIONS AND ANSWERS. VERIFIED 2026.
HIPAA stands for
a. Health Information Portability and Accountability Act
b. Health Insurance Portability and Accountability Act
c. Health Insurance Protection and Activity Act
d. Home Information Protection and Accountability Act. - ANS b. Health Insurance Portability
and Accountability Act
One primary change included in the HIPAA Omnibus Final Rule of 2013 requires a business
associate of the covered entity (physician practice) to sign a Business Associate Agreement with:
a. Subcontractors of professional associations
b. Subcontractors of business associates
c. Subcontractors of optometrists
d. Subcontractors of affiliated hospitals - ANS b. Subcontractors of business associates
T/F. According to the regulations contained in the Omnibus Final Rule of 2013, a patient has the
right to receive a copy of his or her medical record in an electronic format if the associated
provider utilizes electronic health records. - ANS True
1 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
Covered entities under HIPAA include:
a. Lawyers
b. Health care providers
c. Health care facilities
d. Librarians
e. a and d.
f. b and c. - ANS b and c.
Health care providers and Health care facilities
Protected Health Information (PHI) includes:
a. Demographic information on individuals
b. Insurance eligibility and coverage information
c. Billing records, claims data, referral authorizations
d. Medical records, diagnosis, genetic information, and testing
e. c and d
f. All of the above. - ANS f. All of the above.
T/F. Entities covered under HIPAA are required to develop a Notice of Privacy Practices (NPP)
and must make these available to individuals accessing services through the entity. -
ANS True
Which of the following disclosures require signed permission from the individual whose PHI is
being requested?
a. Referrals to physicians
b. Consultations between physicians treating individuals
c. Information requested by an attorney without a subpoena
d. Information requested by insurance companies for payment purposes. - ANS c.
Information requested by an attorney without a subpoena
T/F. Patient names on a sign-in form are considered an intentional breach of PHI. - ANS False;
incidental breach
T/F. Under the HITECH Act, the Breach Notification Act does NOT require notification to HHS of
the intentional or unintentional disclosure of PHI to unapproved entities on an annual basis
unless the breach has affected more than 500 individuals. - ANS False
Notice of Privacy Practices (NPP) must be updated in 2013 to include which of the following?
a. Names of the owners of the covered entity
b. Names of companies that have access to PHI
c. Patient's right to restrict disclosures of PHI to a health plan when the patient pays out of
pocket and in full for the health care item or service.
d. Profitability of the covered entity. - ANS c. Patient's right to restrict disclosures of PHI to a
health plan when the patient pays out of pocket and in full for the health care item or service.
If an individual or staff member has a complaint regarding the use of PHI, the individual must
speak with the facility's:
a. Manager
b. Owner
c. Maintenance coordinator
d. Privacy Officer
e. Chief Physician - ANS d. Privacy officer.
Which of the following is NOT an administrative safeguard requirement?
a. Designating a privacy officer
b. Developing a cost analysis of HIPAA requirements.
c. Obtaining HIPAA-compliant business associate agreements for subcontractors
d. Establishing procedures to prevent terminated employees from obtaining access to
confidential information after termination - ANS b. Developing a cost analysis of HIPAA
requirements.
Physical safeguards do NOT include which of the following?
a. Posting PHI on a white board in the facility
b. Storage of PHI in a secure place
c. Shredding of PHI
d. Use of surge-protectors - ANS a. Posting PHI on a white board in the facility
Technical safeguards include which of the following?
a. Encryption of data
b. Computer system log-ins and passwords
c. Anti-virus software and firewalls
d. Information technology (IT) certification review
e. All of the above - ANS e. All of the above
"Safe" computing includes which of the following?
a. Sharing passwords with other staff members
b. Remaining "logged on" always, to save time
c. Using email and the internet ONLY as allowed by practice protocols
d. Installing personal software on the computer - ANS c. Using email and the internet ONLY as
allowed by practice protocols