Questions and Correct Answers
Question 1
A Privacy Impact Assessment (PIA) is an analysis of how information is handled:
Correct Answer
Physical measures, including policies and procedures that are used to protect
electronic information systems and related buildings and equipment, from natural
and environmental hazards, and unauthorized intrusion
(correct)
Question 2
HIPAA allows the use and disclosure of PHI for treatment, payment, and health care
operations (TPO) without the patient's consent or authorization.
Correct Answer
True
Question 3
Which of the following would be considered PHI?
Correct Answer
An individual's first and last name and the medical diagnosis in a physician's
progress report
Question 4
Q: Which of the following situations describe proper techniques for protecting a
patient's privacy and confidentiality?
Correct Answer
(1.) A doctor brings a patient into an unused room to discuss the patient's medical
condition
(2.) A doctor who is reviewing a patient's record leaves the folder in the doctor's
lounge to review later
Page 1 of 37
Question 5
It has been the practice to leave the records system open and logged on at the
central office computer until the end of the day. This saves time for staff who
need to retrieve records.
Q: Is this an appropriate method of protecting patient information?
Correct Answer
A: Although it may seem to be a timesaver, this practice is equivalent to sharing a
password. Remember that when others are allowed to access the system under your
password, there can be no way to audit who sees the records. Never stay logged on
to the system beyond the time you use it.
Question 6
Select the best answer. Which of the following are fundamental objectives of
information security?
Correct Answer
A. Confidentiality
B. Integrity
C. Availability
D. All of the above
Question 7
The minimum necessary standard:
Correct Answer
All of the above (ANSWER)
Limits uses, disclosures, and requests for PHI to the minimum necessary amount of
PHI needed to carry out the intended purposes of the use or disclosure
Does not apply to exchanges between providers treating a patient
Does not apply to uses or disclosures made to the individual or pursuant to the
individual's authorization
Question 8
A member of the clergy enters the facility and asks for the census listing. He is
provided the list.
Q: What could be done under HIPAA?
Correct Answer
A: For community clergy, lists of patients can be provided. The current standard
register form for Conditions of Admission explains that the patient name may be
released to local religious organizations. The lists should consist of the patient
name, room/location, and may include the condition in general terms.
Question 9
Which of the following statements about the Privacy Act are true?
Correct Answer
All of the above (answer)
a). Balances the privacy rights of individuals with the Government's need to collect
and maintain information
b). Regulates how federal agencies solicit and collect personally identifiable
information (PII)
c). Sets forth requirements for the maintenance, use, and disclosure of PII
Question 10
In which of the following circumstances must an individual be given the opportunity
to agree or object to the use and disclosure of their PHI?
Correct Answer
A and C (answer)
a). Before their information is included in a facility directory
b). Before PHI directly relevant to a person's involvement with the individual's care
or payment of health care is shared with that person
Question 11
You are just coming off a double shift at the hospital, and a physician has asked you
to fax his patient's lab test results to his office fax. The results are ready, but it's
after hours in his office, and none of his office staff are available to receive the fax.
Q: What do you do?
Correct Answer
A: Don't send the fax to an unattended machine unless you have been assured that
it is in a locked room or has a locked cover. You have no way to ensure that
someone will not see the fax besides the physician or staff. Talk with the incoming
shift about handling the fax during office hours, and leave a message with the
physician's office asking them to call for a fax of the results that were requested.
Make sure not to leave the patient's name or other identifying information on the
message.
Question 12
Which of the following are examples of personally identifiable information (PII)?
Correct Answer
All of the above
Question 13
A breach as defined by the DoD is broader than a HIPAA breach (or breach defined by
HHS).
Correct Answer
True