HCCA CHPC COMPREHENSIVE TEST
PAPER 2026 FULL QUESTIONS AND
VERIFIED SOLUTIONS GRADED A+
⩥Valid Authorization 3 key statements (see 45 CFR § 164.508(c)(2)):
Answer: The statements are to be included in a valid Authorization:
• A statement of the person's right to revoke the authorization, exceptions
to this right, and a description of how to revoke;
• A statement that treatment, payment, enrollment or eligibility for
benefits may NOT be conditioned upon signing the authorization;
• A statement regarding the potential that the information disclosed
pursuant to the authorization may be re-disclosed by the recipient and, if
so, it may no longer be protected by a federal confidentiality law;
Note: the person signing the authorization has the right to (or will
receive) a copy of the authorization.
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.508
⩥Fill in the blanks: The three types of AUTHORIZATION:
VALID - must have all the 6 required core elements and 3
statements/notices
D_______ - lacks any of the required elements/statements, or expiration
date has passed, or revoked, etc.
C_______ - typically allowed in research studies, this authorization may
be combined with another written permission IF it's for the same
research related studies Answer: Defective; Compound
⩥Request for Restrictions Answer: patient has the right to request
restrictions on the U&D of information, even for the TPO exception.
Provider must determine if it is reasonable, accommodate the request, and
abide by the agreement.
Ref § 164.520 - Notice of privacy practices for protected health
information.
⩥Request for Confidential Communication Answer: Patient may request
other communication channels not typical for the entity, such as email,
or meeting in off-site locations.
⩥Which subpart of HIPAA part 164 sets limits on how PHI can be used
and shared with others and gives patients rights over their information
a. Part 164 Subpart E (Privacy Rule)
b. Part 164 Subpart C (Security Rule) Answer: a. Part 164 Subpart E
(Privacy Rule)
Subpart C (Security Rule) sets the security standards (administrative,
technical, and physical safeguards) to protect the confidentiality,
integrity and availability of ePHI
⩥What is the difference between HIPAA security and privacy? Answer:
Security - covers ePHI
Privacy - covers all forms (electronic, oral, written)
⩥45 CFR 164 - Subpart C outlines the three safeguards to ensure the
_____, ____, ____ of ePHI that both CE and BA must implement to
ensure compliance and protect against anticipated threats, and/or
reasonably anticipated uses/disclosures
(incidental/inadvertent/unintentional) Answer: Confidentiality, integrity,
availability
Note: Accidental - must be reported. An accidental HIPAA violation
refers to the unauthorized disclosure of PHI (protected health
information) without intent. Despite having safeguards and protective
measures in place, there is still a possibility of breaching HIPAA
regulations. These types of violations could include an employee
accidentally seeing a different patient's medical records, an email being
sent to the wrong person or the loss or theft of a personal device that
contains PHI. https://www.hipaajournal.com/accidental-hipaa-violation/
⩥Research HIPAA Waiver criteria: Answer: Research Waiver
In order for research to be conducted, it must meet a minimum set of
waiver criteria elements. Elements that must be met to meet waiver
criteria are:
1) the use or disclosure for the research involved minimum risk to the
patient;
2) the research could not be conducted without proper access to the
waiver being approved; and
3) the research could not be conducted without proper access to the use
of the PHI. 45 CFR 164.512 (i)(2)
⩥What's malicious software? Answer: Malware is software that is used
to control or take over applications, workstations, or servers, or to
damage/disrupt a system.
See Security Rule, definitions - 45 CFR 164.304
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.304
⩥A covered entity may use or disclose PHI for TPO...what does TPO
stand for Answer: Treatment
Payment
Health Care Operations
⩥True or False: