HIT 101 Exam 3 – Lessons 9, 10, and 11 – Health Information Technology – 2026
– Study and Practice Guide
True or false. In all cases, a covered entity may deny an individual's request to restrict the use or
disclosure of his or her PHI. - correct answer ✔✔ False
True or false. A notice of privacy practices should include a statement explaining that individuals
may complain to the Secretary of the Department of Health and Human Services if they believe
that their privacy rights have been violated. - correct answer ✔✔ True
What types of health records are subject to the HIPAA Privacy Rule? - correct answer ✔✔
Health records in any format
What does the acronym PHI stand for? - correct answer ✔✔ Protected health information
Which of the following statements is true of the notice of privacy practices? - correct answer
✔✔ It must be provided to every individual at the first time of contact or service with the
covered entity.
Mary's PHI was breached by her physician office when it was disclosed in error to another
patient. Which of the following breach notification statements is correct regarding the physician
office's required action? - correct answer ✔✔ It must report the breach to HHS within 60 days
after the end of the calendar year in which the breach occurred
ARRA and HITECH granted which of the following the ability to bring civil actions in federal
district court on behalf of residents believed to have been affected by a HIPAA violation? -
correct answer ✔✔ State attorneys general
A valid authorization requires which of the following? - correct answer ✔✔ An expiration date
or event
,In which of the following circumstances does the patient have an opportunity to agree or
object? - correct answer ✔✔ Whether the patient should be in the facility directory
Which of the following statements is true? - correct answer ✔✔ State law preempts HIPAA
True or false. Stricter state statutes that provide greater confidentiality of healthcare
information take precedence over the provisions of the HIPAA Privacy Rule. - correct answer
✔✔ True
Under the HIPAA Privacy Rule, when an individual asks to see his or her own health information,
a covered entity _______________. - correct answer ✔✔ Can deny access to psychotherapy
notes
In which of the following situations must a covered entity provide an appeal process for denials
to requests from individuals to see their own health information? - correct answer ✔✔ When a
licensed healthcare professional has determined that access to PHI would likely endanger
the life or safety of the individual
Which of the following provides a complete description to patients about how PHI is used in a
healthcare facility? - correct answer ✔✔ Notice of privacy practices
Which of the following is true of the Health Insurance Portability and Accountability Act
(HIPAA)? - correct answer ✔✔ Provides a federal floor for healthcare privacy
Under the HIPAA Privacy Rule, which of the following is a covered entity category? - correct
answer ✔✔ Healthcare clearinghouse
, Under the HIPAA Privacy Rule, an impermissible use or disclosure should be presumed to be a
breach unless the covered entity or business associate demonstrates that the probability the
PHI has been compromised is ___________. - correct answer ✔✔ Low
Under usual circumstances, a covered entity must act on a patient's request to review or copy
his or her health information within what time frame? - correct answer ✔✔ 30 days
The HIPAA Privacy Rule requires that covered entities limit use, access, and disclosure of PHI to
the least amount necessary to accomplish the intended purpose. What concept is this? - correct
answer ✔✔ Minimum necessary
Which of the following should be included in a covered entity's notice of privacy practices? -
correct answer ✔✔ Description with one example of disclosures made for treatment purposes
Description with one example of disclosures made for treatment purposes - correct answer ✔✔
It must be posted in a prominent place
Which of the following statements is true?
a. An authorization must contain an expiration date or event
b. A consent for use and disclosure of information must be obtained from every patient.
c. An authorization must be obtained for uses and disclosures for treatment, payment, and
operations.
d. A notice of privacy practices must give tenexamples of a use or disclosure for healthcare
operations. - correct answer ✔✔ a. An authorization must contain an expiration date or event
In which of the following instances must patient authorization be obtained prior to disclosure? -
correct answer ✔✔ To the patient's attorney
– Study and Practice Guide
True or false. In all cases, a covered entity may deny an individual's request to restrict the use or
disclosure of his or her PHI. - correct answer ✔✔ False
True or false. A notice of privacy practices should include a statement explaining that individuals
may complain to the Secretary of the Department of Health and Human Services if they believe
that their privacy rights have been violated. - correct answer ✔✔ True
What types of health records are subject to the HIPAA Privacy Rule? - correct answer ✔✔
Health records in any format
What does the acronym PHI stand for? - correct answer ✔✔ Protected health information
Which of the following statements is true of the notice of privacy practices? - correct answer
✔✔ It must be provided to every individual at the first time of contact or service with the
covered entity.
Mary's PHI was breached by her physician office when it was disclosed in error to another
patient. Which of the following breach notification statements is correct regarding the physician
office's required action? - correct answer ✔✔ It must report the breach to HHS within 60 days
after the end of the calendar year in which the breach occurred
ARRA and HITECH granted which of the following the ability to bring civil actions in federal
district court on behalf of residents believed to have been affected by a HIPAA violation? -
correct answer ✔✔ State attorneys general
A valid authorization requires which of the following? - correct answer ✔✔ An expiration date
or event
,In which of the following circumstances does the patient have an opportunity to agree or
object? - correct answer ✔✔ Whether the patient should be in the facility directory
Which of the following statements is true? - correct answer ✔✔ State law preempts HIPAA
True or false. Stricter state statutes that provide greater confidentiality of healthcare
information take precedence over the provisions of the HIPAA Privacy Rule. - correct answer
✔✔ True
Under the HIPAA Privacy Rule, when an individual asks to see his or her own health information,
a covered entity _______________. - correct answer ✔✔ Can deny access to psychotherapy
notes
In which of the following situations must a covered entity provide an appeal process for denials
to requests from individuals to see their own health information? - correct answer ✔✔ When a
licensed healthcare professional has determined that access to PHI would likely endanger
the life or safety of the individual
Which of the following provides a complete description to patients about how PHI is used in a
healthcare facility? - correct answer ✔✔ Notice of privacy practices
Which of the following is true of the Health Insurance Portability and Accountability Act
(HIPAA)? - correct answer ✔✔ Provides a federal floor for healthcare privacy
Under the HIPAA Privacy Rule, which of the following is a covered entity category? - correct
answer ✔✔ Healthcare clearinghouse
, Under the HIPAA Privacy Rule, an impermissible use or disclosure should be presumed to be a
breach unless the covered entity or business associate demonstrates that the probability the
PHI has been compromised is ___________. - correct answer ✔✔ Low
Under usual circumstances, a covered entity must act on a patient's request to review or copy
his or her health information within what time frame? - correct answer ✔✔ 30 days
The HIPAA Privacy Rule requires that covered entities limit use, access, and disclosure of PHI to
the least amount necessary to accomplish the intended purpose. What concept is this? - correct
answer ✔✔ Minimum necessary
Which of the following should be included in a covered entity's notice of privacy practices? -
correct answer ✔✔ Description with one example of disclosures made for treatment purposes
Description with one example of disclosures made for treatment purposes - correct answer ✔✔
It must be posted in a prominent place
Which of the following statements is true?
a. An authorization must contain an expiration date or event
b. A consent for use and disclosure of information must be obtained from every patient.
c. An authorization must be obtained for uses and disclosures for treatment, payment, and
operations.
d. A notice of privacy practices must give tenexamples of a use or disclosure for healthcare
operations. - correct answer ✔✔ a. An authorization must contain an expiration date or event
In which of the following instances must patient authorization be obtained prior to disclosure? -
correct answer ✔✔ To the patient's attorney
