T or F. Under HIPAA, a person or entity that provides services to a CE that do not involve the
use or disclosure of PHI would be considered a BA. Correct Answer: False
Do Betty's actions in this scenario constitute a HIPAA Privacy Rule violation? Correct Answer:
Yes, because John is not a physician and therefore is not entitled to review any medical files.
A friend of Phillip Livingston, a military service member who is being treated for a broken leg at
Valley Forge MTF, asked what room Phillip is in so that he can visit.
Which of the following is required? Correct Answer: The patient must be given the opportunity
to agree or object to the use or disclosure.
The Chief Medical Officer for Valley Forge MTF, utilizing PHI, is conducting a monthly physician
peer review operations exercise.
Which of the following is required? Correct Answer: Neither an authorization nor an
opportunity to agree or object is required.
Abigail Adams is a TRICARE beneficiary and patient at Valley Forge MTF and is applying for
Sun Life Insurance. Sun Life has requested some of Abigail's medical records in order to
evaluate her application.
Which of the following is required? Correct Answer: An authorization is required.
Dr Jefferson sends a patient's medical record to the surgeon's office in support of a referral for
treatment he made for the patient.
Which of the following is required? Correct Answer: Neither an authorization nor an
opportunity to agree or object is required.
Valley Forge MTF discloses a patient's information in response to a request from HHS in the
investigation of a patient complaint.
Which of the following is required? Correct Answer: Neither an authorization nor an
opportunity to agree or object is required.
How should John advise the staff member to proceed? Correct Answer: Both B and C
Was this a violation of HIPAA security safeguards? Correct Answer: Yes
What enforcement actions may occur based on Janet's conduct? Correct Answer: All of the
above.
How should John respond? Correct Answer: Yes. Privacy Act Statements and a SORN should
both be considered prior to initiating the research project.
Which HHS Office is charged with protecting an individual patient's health information privacy
and security through the enforcement of HIPAA? Correct Answer: Office for Civil Rights
(OCR)