COMPLIANCE EXAM STUDY GUIDE 2026 | 200+
VERIFIED PRACTICE QUESTIONS & ANSWERS
WITH DETAILED RATIONALES | PHI PROTECTION,
PRIVACY & SECURITY RULES, BREACH RESPONSE
& HEALTHCARE ETHICS
• This study guide contains 200 verified practice questions covering all key HIPAA
and Patient Confidentiality compliance topics — use it to test yourself section by
section, review EXPERT RATIONALE after each answer, and revisit any questions
you got wrong for maximum retention.
• Each question includes 5 options (A–E), a clearly highlighted correct answer, and a
detailed EXPERT RATIONALE — making it a complete self-study tool for
certification prep, compliance training, or professional review.
HIPAA & PATIENT CONFIDENTIALITY COMPLIANCE EXAM STUDY GUIDE 2026
SECTION 1: HIPAA FUNDAMENTALS & OVERVIEW
1. What does HIPAA stand for?
A. Health Insurance Portability and Privacy Accountability Act
B. Health Information Protection and Accountability Act
C. Health Insurance Portability and Accountability Act
D. Healthcare Institutional Privacy and Accountability Act
E. Health Information Portability and Assurance Act
Correct Answer: C. Health Insurance Portability and Accountability Act
EXPERT RATIONALE: HIPAA stands for the Health Insurance Portability and
Accountability Act, enacted by the U.S. Congress in 1996. It establishes national
standards for protecting sensitive patient health information from being disclosed
without the patient's consent or knowledge.
2. In what year was HIPAA enacted?
A. 1990
B. 1994
C. 2000
D. 2003
E. 1996
Correct Answer: E. 1996
EXPERT RATIONALE: HIPAA was signed into law by President Bill Clinton on
August 21, 1996. It was later strengthened by the HITECH Act in 2009 and the
Omnibus Rule in 2013.
3. Which federal agency enforces HIPAA compliance?
A. Centers for Medicare & Medicaid Services (CMS)
B. Food and Drug Administration (FDA)
C. Office for Civil Rights (OCR)
D. Department of Justice (DOJ)
E. National Institutes of Health (NIH)
Correct Answer: C. Office for Civil Rights (OCR)
EXPERT RATIONALE: The Office for Civil Rights (OCR), within the U.S.
Department of Health and Human Services (HHS), is the primary federal agency
responsible for enforcing the HIPAA Privacy and Security Rules.
4. Which of the following is NOT one of the main rules under HIPAA?
A. Privacy Rule
B. Security Rule
C. Breach Notification Rule
D. Marketing Rule
E. Enforcement Rule
Correct Answer: D. Marketing Rule
EXPERT RATIONALE: HIPAA consists of the Privacy Rule, Security Rule, Breach
Notification Rule, Enforcement Rule, and Omnibus Rule. There is no standalone
"Marketing Rule" under HIPAA, though marketing uses of PHI are regulated within
the Privacy Rule.
5. Which act significantly expanded HIPAA's reach and introduced new
penalties?
A. Affordable Care Act
B. Health Information Technology for Economic and Clinical Health (HITECH)
Act
C. Medicare Modernization Act
D. Patient Safety and Quality Improvement Act
E. Genetic Information Nondiscrimination Act
Correct Answer: B. Health Information Technology for Economic and
Clinical Health (HITECH) Act
EXPERT RATIONALE: The HITECH Act of 2009 expanded HIPAA's scope,
increased penalties for violations, and extended compliance requirements to
business associates directly, not just covered entities.
SECTION 2: PROTECTED HEALTH INFORMATION (PHI)
6. What is Protected Health Information (PHI)?
A. Any medical information stored digitally
B. Information only related to billing and insurance
C. Health information shared only between physicians
D. Individually identifiable health information held or transmitted by a
covered entity
E. Medical research data collected anonymously
Correct Answer: D. Individually identifiable health information held or
transmitted by a covered entity
EXPERT RATIONALE: PHI is any information that relates to a person's health
condition, provision of healthcare, or payment for healthcare that can be used to
identify the individual, whether transmitted electronically, on paper, or verbally.
7. Which of the following is an example of PHI?
A. De-identified statistical health data
B. Anonymous survey results about hospital satisfaction
C. A patient's name combined with their diagnosis
D. General population health statistics
E. Aggregated insurance claims data with no identifiers
Correct Answer: C. A patient's name combined with their diagnosis
EXPERT RATIONALE: PHI includes any health information linked to an individual
identifier such as name, address, date of birth, or Social Security number. A
patient's name combined with a diagnosis directly identifies the individual and their
health status.