QCM Certification Exam ACTUAL
EXAM 2026/2027 | Complete Exam-Style
Questions | Verified Q&A | Pass
Guaranteed - A+ Graded
Section 1: Regulatory & Accreditation Standards — CMS, Joint Commission, DNV, HIPAA (13 Questions)
Q1: A hospital receives a CMS complaint survey following a patient fall that resulted in a fractured hip.
The surveyor requests access to the hospital's internal peer review committee minutes related to this
fall. What is the QCM professional's correct response?
A. Provide full access immediately to demonstrate transparency and cooperation.
B. Deny all access, citing federal peer review privilege protection.
C. Provide access only to the fall investigation report but not committee deliberations. [CORRECT]
D. Require the surveyor to obtain a subpoena before releasing any documents.
Correct Answer: C
Rationale: CMS surveyors have authority to review quality-related documents under 42 CFR 488.12, but
peer review privileged materials (committee deliberations) remain protected under state peer review
statutes and federal Healthcare Quality Improvement Act (HCQIA). The QCM professional must balance
regulatory cooperation with privilege protection. Distractor A waives peer review privilege
unnecessarily, exposing committee members to discovery in litigation; B is incorrect because CMS has
statutory access to certain quality records and obstructing an immediate jeopardy investigation risks
enforcement action; D is overly adversarial—CMS does not require subpoenas for complaint surveys and
this response could escalate to immediate jeopardy findings. (CMS State Operations Manual §5015;
HCQIA 42 U.S.C. §11101 et seq.; NAHQ Domain 1: Regulatory Compliance.)
Q2: During a Joint Commission triennial survey, a surveyor cites a deficiency under the 2026 National
Patient Safety Goal for Patient Identification. The hospital's current practice uses room number plus
date of birth for two-identifier verification. Which action must the QCM professional prioritize?
A. Add a third identifier (medical record number) to the existing two identifiers.
B. Replace room number with patient name and continue using date of birth. [CORRECT]
,C. Implement barcode scanning for all medication administrations within 30 days.
D. Retrain all staff on the current policy since room number and date of birth meet minimum
requirements.
Correct Answer: B
Rationale: Joint Commission NPSG.01.01.01 (2026 update) explicitly prohibits using room number as an
identifier because room assignments change and create identification errors. The standard requires two
patient identifiers, neither of which can be the patient's room number or physical location. Distractor A
adds an unnecessary third identifier without addressing the prohibited use of room number; C conflates
medication administration verification (NPSG.03.04.01) with patient identification and imposes an
unrealistic 30-day implementation timeline; D is factually incorrect—room number does not meet
minimum requirements and retraining on a noncompliant policy perpetuates the deficiency. (Joint
Commission NPSG.01.01.01, 2026 Update; NAHQ Domain 1: Accreditation Standards.)
Q3: A DNV-accredited hospital is preparing for its annual ISO 9001:2015 surveillance audit. The QCM
professional discovers that the hospital has not conducted management review of quality objectives in
14 months. Which ISO 9001 clause is directly violated, and what is the required frequency?
A. Clause 9.3; management review must occur at least annually. [CORRECT]
B. Clause 8.5.1; management review must occur at least quarterly.
C. Clause 7.1.5; management review must occur at least semiannually.
D. Clause 10.2.1; management review must occur at least biennially.
Correct Answer: A
Rationale: ISO 9001:2015 Clause 9.3 requires top management to review the organization's quality
management system at planned intervals, with industry standard interpretation requiring at minimum
annual review. DNV accreditation integrates ISO 9001:2015, making this clause binding. Distractor B
misidentifies the clause (8.5.1 covers production and service provision controls, not management
review) and overstates frequency; C incorrectly cites clause 7.1.5 (monitoring and measuring resources)
and prescribes semiannual review without ISO basis; D misidentifies clause 10.2.1 (nonconformity and
corrective action) and permits biennial review, which falls below minimum acceptable frequency and
would trigger a major nonconformity. (ISO 9001:2015 Clause 9.3; DNV NIAHO Accreditation
Requirements.)
Q4: A hospital's Business Associate (BA) notifies the Privacy Officer that a laptop containing unencrypted
PHI of 600 patients was stolen from a BA employee's vehicle. Under the HIPAA Breach Notification Rule
(2024 enforcement updates), what is the QCM professional's first required action?
A. Notify affected individuals within 60 days and document the breach in a risk assessment log.
,B. Conduct a risk assessment to determine whether the breach poses a low probability of compromise.
[CORRECT]
C. Immediately report the breach to HHS OCR and notify local media outlets.
D. Terminate the Business Associate Agreement and require encryption of all future devices.
Correct Answer: B
Rationale: The HIPAA Breach Notification Rule (45 CFR §§164.400-414) requires a covered entity or
business associate to first conduct a risk assessment using the four-factor test (nature/extent of PHI,
unauthorized person who acquired it, whether PHI was actually acquired/viewed, and extent of risk
mitigation) to determine if there is a "low probability of compromise." Only if the risk assessment does
not support a low probability finding are notifications triggered. Distractor A reverses the sequence—
notification timing requirements apply only after the risk assessment determines a reportable breach; C
is premature—OCR reporting is required only for breaches affecting 500+ individuals (media notification
threshold) and only after the risk assessment is complete; D is punitive and procedurally incorrect—
termination of a BAA requires documented repeated violations, and encryption is an addressable, not
required, implementation specification under the Security Rule. (45 CFR §164.402, §164.404; HHS OCR
Breach Notification Guidance 2024 Update.)
Q5: A hospital is cited by CMS during a validation survey for failing to meet the 2026 discharge planning
CoP update requirements. The hospital's current process provides discharge instructions only on the day
of discharge. Which element of the updated CMS CoP is violated?
A. Requirement to provide discharge planning evaluation within 24 hours of admission for all patients.
B. Requirement to include a post-discharge contact within 48 hours for high-risk patients.
C. Requirement to begin discharge planning upon admission and reassess throughout the stay.
[CORRECT]
D. Requirement to conduct medication reconciliation only by a pharmacist before discharge.
Correct Answer: C
Rationale: The 2026 CMS discharge planning CoP update (42 CFR §482.43) requires hospitals to begin
discharge planning upon admission (or preadmission for scheduled procedures) and reassess throughout
the hospitalization, not merely provide instructions on the discharge day. This update emphasizes
continuity of care and reduction of readmissions. Distractor A is incorrect—CMS requires discharge
planning evaluation within 24 hours only for inpatients, not "all patients" (outpatients have different
requirements); B conflates the CoP with a recommended best practice (post-discharge contact is
encouraged but not a specific 48-hour regulatory mandate in the CoP itself); D is incorrect—medication
reconciliation must be conducted but not exclusively by a pharmacist; the interdisciplinary team may
, perform this function. (42 CFR §482.43; CMS State Operations Manual Appendix A, Tag A-0797; NAHQ
Domain 1: Regulatory Compliance.)
Q6: A Joint Commission surveyor cites the hospital for a deficiency under the 2026 NPSG for
Anticoagulant Therapy. The hospital uses warfarin but does not require baseline INR testing before
initiation. Which specific NPSG requirement is violated?
A. NPSG.03.05.01 requires baseline laboratory studies before initiating anticoagulants. [CORRECT]
B. NPSG.03.04.01 requires pharmacy review of all anticoagulant orders within 2 hours.
C. NPSG.03.06.01 requires patient education on dietary restrictions before discharge.
D. NPSG.02.03.01 requires medication reconciliation for all high-alert medications.
Correct Answer: A
Rationale: NPSG.03.05.01 (2026) specifically requires baseline laboratory studies (including INR for
warfarin, aPTT for heparin, and renal function for direct oral anticoagulants) before initiating
anticoagulant therapy to establish a baseline and prevent dosing errors. Distractor B misidentifies the
standard (NPSG.03.04.01 covers medication labeling and verification, not pharmacy review timing) and
imposes a nonexistent 2-hour requirement; C misidentifies the standard (NPSG.03.06.01 addresses
clinical alarm safety, not patient education) and conflates anticoagulation management with discharge
education; D misidentifies the standard (NPSG.02.03.01 covers anticoagulation therapy but focuses on
communication during care transitions, not baseline testing). (Joint Commission NPSG.03.05.01, 2026
Update; NAHQ Domain 1: Patient Safety Standards.)
Q7: During a HIPAA compliance audit, the QCM professional discovers that nursing staff are accessing
their own electronic health records through the hospital's EHR system. Which statement accurately
reflects HIPAA regulations regarding self-access?
A. Self-access is permitted under HIPAA if the employee provides written authorization.
B. Self-access is prohibited under HIPAA because employees are not "patients" of the facility.
C. Self-access is permitted if the information is used for treatment purposes, but access for curiosity is a
violation. [CORRECT]
D. Self-access is always permitted because employees have a right to review their own medical records.
Correct Answer: C
Rationale: HIPAA permits workforce members to access their own PHI if the access is for treatment
purposes (e.g., seeking care at the facility where employed). However, accessing one's own records out
of curiosity, to review documentation, or for non-treatment purposes violates the minimum necessary
standard and constitutes unauthorized access under 45 CFR §164.502(b) and §164.530(c). Distractor A is
incorrect—written authorization is not the governing standard; treatment purpose is; B is overly broad
EXAM 2026/2027 | Complete Exam-Style
Questions | Verified Q&A | Pass
Guaranteed - A+ Graded
Section 1: Regulatory & Accreditation Standards — CMS, Joint Commission, DNV, HIPAA (13 Questions)
Q1: A hospital receives a CMS complaint survey following a patient fall that resulted in a fractured hip.
The surveyor requests access to the hospital's internal peer review committee minutes related to this
fall. What is the QCM professional's correct response?
A. Provide full access immediately to demonstrate transparency and cooperation.
B. Deny all access, citing federal peer review privilege protection.
C. Provide access only to the fall investigation report but not committee deliberations. [CORRECT]
D. Require the surveyor to obtain a subpoena before releasing any documents.
Correct Answer: C
Rationale: CMS surveyors have authority to review quality-related documents under 42 CFR 488.12, but
peer review privileged materials (committee deliberations) remain protected under state peer review
statutes and federal Healthcare Quality Improvement Act (HCQIA). The QCM professional must balance
regulatory cooperation with privilege protection. Distractor A waives peer review privilege
unnecessarily, exposing committee members to discovery in litigation; B is incorrect because CMS has
statutory access to certain quality records and obstructing an immediate jeopardy investigation risks
enforcement action; D is overly adversarial—CMS does not require subpoenas for complaint surveys and
this response could escalate to immediate jeopardy findings. (CMS State Operations Manual §5015;
HCQIA 42 U.S.C. §11101 et seq.; NAHQ Domain 1: Regulatory Compliance.)
Q2: During a Joint Commission triennial survey, a surveyor cites a deficiency under the 2026 National
Patient Safety Goal for Patient Identification. The hospital's current practice uses room number plus
date of birth for two-identifier verification. Which action must the QCM professional prioritize?
A. Add a third identifier (medical record number) to the existing two identifiers.
B. Replace room number with patient name and continue using date of birth. [CORRECT]
,C. Implement barcode scanning for all medication administrations within 30 days.
D. Retrain all staff on the current policy since room number and date of birth meet minimum
requirements.
Correct Answer: B
Rationale: Joint Commission NPSG.01.01.01 (2026 update) explicitly prohibits using room number as an
identifier because room assignments change and create identification errors. The standard requires two
patient identifiers, neither of which can be the patient's room number or physical location. Distractor A
adds an unnecessary third identifier without addressing the prohibited use of room number; C conflates
medication administration verification (NPSG.03.04.01) with patient identification and imposes an
unrealistic 30-day implementation timeline; D is factually incorrect—room number does not meet
minimum requirements and retraining on a noncompliant policy perpetuates the deficiency. (Joint
Commission NPSG.01.01.01, 2026 Update; NAHQ Domain 1: Accreditation Standards.)
Q3: A DNV-accredited hospital is preparing for its annual ISO 9001:2015 surveillance audit. The QCM
professional discovers that the hospital has not conducted management review of quality objectives in
14 months. Which ISO 9001 clause is directly violated, and what is the required frequency?
A. Clause 9.3; management review must occur at least annually. [CORRECT]
B. Clause 8.5.1; management review must occur at least quarterly.
C. Clause 7.1.5; management review must occur at least semiannually.
D. Clause 10.2.1; management review must occur at least biennially.
Correct Answer: A
Rationale: ISO 9001:2015 Clause 9.3 requires top management to review the organization's quality
management system at planned intervals, with industry standard interpretation requiring at minimum
annual review. DNV accreditation integrates ISO 9001:2015, making this clause binding. Distractor B
misidentifies the clause (8.5.1 covers production and service provision controls, not management
review) and overstates frequency; C incorrectly cites clause 7.1.5 (monitoring and measuring resources)
and prescribes semiannual review without ISO basis; D misidentifies clause 10.2.1 (nonconformity and
corrective action) and permits biennial review, which falls below minimum acceptable frequency and
would trigger a major nonconformity. (ISO 9001:2015 Clause 9.3; DNV NIAHO Accreditation
Requirements.)
Q4: A hospital's Business Associate (BA) notifies the Privacy Officer that a laptop containing unencrypted
PHI of 600 patients was stolen from a BA employee's vehicle. Under the HIPAA Breach Notification Rule
(2024 enforcement updates), what is the QCM professional's first required action?
A. Notify affected individuals within 60 days and document the breach in a risk assessment log.
,B. Conduct a risk assessment to determine whether the breach poses a low probability of compromise.
[CORRECT]
C. Immediately report the breach to HHS OCR and notify local media outlets.
D. Terminate the Business Associate Agreement and require encryption of all future devices.
Correct Answer: B
Rationale: The HIPAA Breach Notification Rule (45 CFR §§164.400-414) requires a covered entity or
business associate to first conduct a risk assessment using the four-factor test (nature/extent of PHI,
unauthorized person who acquired it, whether PHI was actually acquired/viewed, and extent of risk
mitigation) to determine if there is a "low probability of compromise." Only if the risk assessment does
not support a low probability finding are notifications triggered. Distractor A reverses the sequence—
notification timing requirements apply only after the risk assessment determines a reportable breach; C
is premature—OCR reporting is required only for breaches affecting 500+ individuals (media notification
threshold) and only after the risk assessment is complete; D is punitive and procedurally incorrect—
termination of a BAA requires documented repeated violations, and encryption is an addressable, not
required, implementation specification under the Security Rule. (45 CFR §164.402, §164.404; HHS OCR
Breach Notification Guidance 2024 Update.)
Q5: A hospital is cited by CMS during a validation survey for failing to meet the 2026 discharge planning
CoP update requirements. The hospital's current process provides discharge instructions only on the day
of discharge. Which element of the updated CMS CoP is violated?
A. Requirement to provide discharge planning evaluation within 24 hours of admission for all patients.
B. Requirement to include a post-discharge contact within 48 hours for high-risk patients.
C. Requirement to begin discharge planning upon admission and reassess throughout the stay.
[CORRECT]
D. Requirement to conduct medication reconciliation only by a pharmacist before discharge.
Correct Answer: C
Rationale: The 2026 CMS discharge planning CoP update (42 CFR §482.43) requires hospitals to begin
discharge planning upon admission (or preadmission for scheduled procedures) and reassess throughout
the hospitalization, not merely provide instructions on the discharge day. This update emphasizes
continuity of care and reduction of readmissions. Distractor A is incorrect—CMS requires discharge
planning evaluation within 24 hours only for inpatients, not "all patients" (outpatients have different
requirements); B conflates the CoP with a recommended best practice (post-discharge contact is
encouraged but not a specific 48-hour regulatory mandate in the CoP itself); D is incorrect—medication
reconciliation must be conducted but not exclusively by a pharmacist; the interdisciplinary team may
, perform this function. (42 CFR §482.43; CMS State Operations Manual Appendix A, Tag A-0797; NAHQ
Domain 1: Regulatory Compliance.)
Q6: A Joint Commission surveyor cites the hospital for a deficiency under the 2026 NPSG for
Anticoagulant Therapy. The hospital uses warfarin but does not require baseline INR testing before
initiation. Which specific NPSG requirement is violated?
A. NPSG.03.05.01 requires baseline laboratory studies before initiating anticoagulants. [CORRECT]
B. NPSG.03.04.01 requires pharmacy review of all anticoagulant orders within 2 hours.
C. NPSG.03.06.01 requires patient education on dietary restrictions before discharge.
D. NPSG.02.03.01 requires medication reconciliation for all high-alert medications.
Correct Answer: A
Rationale: NPSG.03.05.01 (2026) specifically requires baseline laboratory studies (including INR for
warfarin, aPTT for heparin, and renal function for direct oral anticoagulants) before initiating
anticoagulant therapy to establish a baseline and prevent dosing errors. Distractor B misidentifies the
standard (NPSG.03.04.01 covers medication labeling and verification, not pharmacy review timing) and
imposes a nonexistent 2-hour requirement; C misidentifies the standard (NPSG.03.06.01 addresses
clinical alarm safety, not patient education) and conflates anticoagulation management with discharge
education; D misidentifies the standard (NPSG.02.03.01 covers anticoagulation therapy but focuses on
communication during care transitions, not baseline testing). (Joint Commission NPSG.03.05.01, 2026
Update; NAHQ Domain 1: Patient Safety Standards.)
Q7: During a HIPAA compliance audit, the QCM professional discovers that nursing staff are accessing
their own electronic health records through the hospital's EHR system. Which statement accurately
reflects HIPAA regulations regarding self-access?
A. Self-access is permitted under HIPAA if the employee provides written authorization.
B. Self-access is prohibited under HIPAA because employees are not "patients" of the facility.
C. Self-access is permitted if the information is used for treatment purposes, but access for curiosity is a
violation. [CORRECT]
D. Self-access is always permitted because employees have a right to review their own medical records.
Correct Answer: C
Rationale: HIPAA permits workforce members to access their own PHI if the access is for treatment
purposes (e.g., seeking care at the facility where employed). However, accessing one's own records out
of curiosity, to review documentation, or for non-treatment purposes violates the minimum necessary
standard and constitutes unauthorized access under 45 CFR §164.502(b) and §164.530(c). Distractor A is
incorrect—written authorization is not the governing standard; treatment purpose is; B is overly broad
