RESEARCH AND HIPAA PRIVACY PROTECTIONS TEST ACCURATE TEST 2025/2026 COMPLETE REAL QUESTIONS WITH WELL ELABORATED ANSWERS (VERIFIED ANSWERS) A NEW UPDATED VERSION | GUARANTEED PASS.

1. Which of the following best defines Protected Health
Information (PHI) under HIPAA?
A) Any health information maintained by a researcher
B) Individually identifiable health information held or
transmitted by a covered entity or business associate
C) All medical records regardless of identifiers
D) Health information that has been de-identified
Answer: B
Rationale: 45 CFR 160.103 defines PHI as individually
identifiable health information held by a covered entity (or
BA) in any form.
2. A researcher receives a dataset containing only ages (in
years), sex, and dates of service. No direct identifiers. This is:
A) PHI because dates of service are present
B) Not PHI because names are missing
C) Always de-identified
D) PHI only if the researcher knows the patients
Answer: A
Rationale: Dates of service are considered identifiers under
HIPAA unless removed under Safe Harbor (45 CFR
164.514(b)). Alone, they make data PHI.
3. A “covered entity” includes:
A) A university IRB
B) A health insurance company, a hospital, and a doctor who
bills electronically
C) Any researcher receiving federal funds
D) A pharmaceutical company conducting clinical trials
Answer: B
Rationale: Health plans, healthcare clearinghouses, and
healthcare providers who transmit health information
electronically are covered entities (45 CFR 160.103).
4. A “hybrid entity” is:
A) An entity that is both a covered entity and a business
associate
B) A single legal entity with both covered and non-covered
functions
C) An entity that mixes research and clinical care
D) A covered entity that outsources all PHI handling
Answer: B
Rationale: 45 CFR 164.103 allows a hybrid entity to
designate healthcare components separately.
5. Which of the following is NOT considered PHI?
A) A patient’s name, room number, and diagnosis
B) An MRI image with a visible patient name
C) A dataset with ZIP code, date of birth, and lab results
D) Heart rate data from a consumer smartwatch not linked to
a covered entity
Answer: D
Rationale: PHI requires that the information be created or
received by a covered entity. Consumer data not from a
covered entity is not PHI under HIPAA.
6. Scenario: A researcher works at a university with a hospital.
The researcher’s study uses only hospital billing data. The
researcher’s department (public health) does not provide
treatment. Under HIPAA:
A) The entire university is a covered entity
B) The hospital is a covered component; the researcher must
follow HIPAA for hospital data
C) The researcher is never bound by HIPAA