II HIMT 1200 2026 ACTUAL QUESTIONS
WITH VERIFIED ANSWERS.
CE's and BA's must document Training - correct answer-And all
steps to ensure compliance
Show that Privacy training has occurred
Signed statement by workforce members
Workforce members should complete nondisclosure
agreements- commitment to Privacy of patient info and
compliance with Privacy Rule
Mitigation - correct answer-CE's must mitigate harmful effects
that result from wrongful use/disclosure of PHI
CE determine possible courses of action
Mitigation Includes - correct answer-Apology
Disciplinary action against the responsible employee or
employees
Repair of the process that resulted in the breach
Payment of a bill or financial loss that resulted from the
infraction
Gestures of goodwill and good public relations (awarding gift
certificates)
Data Safeguards - correct answer-CE's must have
administrative, technical, and physical safeguards to protect
privacy of PHI from intentional and unintentional use/disclosure
Limit incidental uses/disclosures
Include shredding of paper documents that contain PHI, limiting
access to areas containing PHI through keycards, passwords,
or locks.
Retaliation and Waiver - correct answer-CE's may not retaliate
against anyone who exercises his/her rights under the privacy
rule, assists in an investigation by HHS or other appropriate
investigative authority, opposes an act or practice that the
person believes is a violation of Privacy Rule
Individuals cannot be required to waive the rights they hold
under the privacy rule in order to obtain treatment, payment or
enrollment/benefits eligibility.
Documentation and Record Retention - correct answer-Privacy
Rule: 6 years for Privacy Related Documents
Date document was created, last effective date of the
document
Policies and Procedures, NPP, complaint dispositions, other
actions, activities, and designation per Privacy Rule
requirements.
Penalties and Enforcement - correct answer-HIPAA
Enforcement Rule (2006)
•Penalties for non-compliance apply to both CEs and BAs -
Civil+Criminal
Penalty categories - correct answer--Unknowing
-Due to reasonable cause and not willful neglect
-Due to willful neglect/corrected within 30 days of discovery
-Due to willful neglect and not corrected as required
Enforcement per HITECH - correct answer-•HHS contracts with
a private entity to conduct random audits (no longer complaint-
driven only)
•State attorneys general may bring civil actions in federal court
representing citizens affected by HIPAA violations
•Individuals can now be individually prosecuted
•Recommendations for compensating individuals harmed by
violations
Resolution Agreements - correct answer-Settlements
compelling them to perform obligations per the agreements
(including payments) and to submit reports to HHS for three
years.