HCCA – CHPC PRIVACY AND SECURITY REGULATIONS EXAM 2025
|160 QUESTIONS WITH VERIFIED CORRECT ANSWERS
1. What is one example of a situation that requires authorization for the use
or disclosure of protected health information (PHI)?
Treatment
Healthcare operations
Payment
Marketing
2. Describe the significance of 42 CFR Part 2 in relation to privacy in
substance use disorder treatment programs.
42 CFR Part 2 establishes confidentiality protections for
individuals receiving treatment for substance use disorders.
42 CFR Part 2 provides guidelines for the ethical treatment of
patients in clinical trials.
42 CFR Part 2 regulates the marketing practices of substance use
disorder treatment facilities.
42 CFR Part 2 outlines the funding requirements for substance use
disorder programs.
3. Describe the primary role of an Institutional Review Board (IRB) in
research involving human subjects.
The primary role of an IRB is to approve all research without any
modifications.
The primary role of an IRB is to review proposed research to
ensure the protection of the privacy and welfare of human
subjects.
The primary role of an IRB is to oversee the marketing of research
findings.
, The primary role of an IRB is to manage funding for research
projects.
4. The requirements of the Privacy Rule of the Health Insurance Portability
and Accountability Act (HIPAA):
Take precedence over state laws when the state law provides
less privacy protection
Never take precedence over state laws
Are enforceable only in the absence of state or other applicable
federal laws
Always take precedence over state laws
5. Describe the main purpose of HIPAA in relation to patient health
information.
HIPAA allows unrestricted access to patient records for research
purposes.
HIPAA is a law that applies only to electronic health records.
HIPAA focuses solely on preventing health care fraud.
HIPAA is designed to protect the privacy and security of a
patient's health information.
6. Describe the difference between OHCAs and ACEs regarding their
ability to produce a joint Notice of Privacy Practice.
Both OHCAs and ACEs are required to produce separate NPPs
regardless of their structure.
Both OHCAs and ACEs can produce a joint NPP as they are both
integrated systems.
OHCAs cannot produce a joint NPP, but ACEs can because they
work together.
, OHCAs can produce a joint NPP due to their integrated system,
while ACEs cannot because they are separate entities.
7. What is the definition of an incidental disclosure of PHI according to
HIPAA?
A disclosure made without patient consent.
A secondary use or disclosure that cannot reasonably be
prevented.
Any unauthorized access to personal health information.
A use or disclosure that occurs due to negligence.
8. What are the three safeguards outlined in the HIPAA Security Rule for
protecting electronic protected health information (ePHI)?
Confidentiality, Integrity, Availability
Confidentiality, Privacy, Security
Privacy, Security, Accessibility
Protection, Integrity, Availability
9. What is the name of law that covers consumer financial privacy?
GLBA 1999 Gramm-Leach-Bliley Act
FERPA 1974 Family Educational Rights and Privacy Act (FTC)
HIPAA 1996 Health Insurance Portability and Accountability Act
COPPA 1998 Children's Online Privacy Protection Act (FTC)
10. What from the consumer's point of view would be the most important
aspect of Breach Notification communications?
A brief synopsis of the event, including the date the event
occurred and the date it was discovered
What the Covered Entity is doing about the event
, What information was disclosed and to whom
What the consumers affected should do for self-protection
11. A covered entity must provide notification of PHI breach to:
individual affected
HHS secretary
media
A and B
All of the above
12. What document is provided to patients at their first visit to inform them
about their privacy rights under HIPAA?
HIPAA Compliance Manual
Provider's Notice of Privacy Practices
Patient Rights Handbook
Health Information Privacy Guide
13. Hitech act final rule protects PHI...
Until the patient is 50 years old
For 50 years since the patient's last appointment
For 50 years after the death of a patient
Indefinitely
14. How does an incidental disclosure differ from an accidental disclosure
of PHI?
There is no difference; both terms mean the same thing.
|160 QUESTIONS WITH VERIFIED CORRECT ANSWERS
1. What is one example of a situation that requires authorization for the use
or disclosure of protected health information (PHI)?
Treatment
Healthcare operations
Payment
Marketing
2. Describe the significance of 42 CFR Part 2 in relation to privacy in
substance use disorder treatment programs.
42 CFR Part 2 establishes confidentiality protections for
individuals receiving treatment for substance use disorders.
42 CFR Part 2 provides guidelines for the ethical treatment of
patients in clinical trials.
42 CFR Part 2 regulates the marketing practices of substance use
disorder treatment facilities.
42 CFR Part 2 outlines the funding requirements for substance use
disorder programs.
3. Describe the primary role of an Institutional Review Board (IRB) in
research involving human subjects.
The primary role of an IRB is to approve all research without any
modifications.
The primary role of an IRB is to review proposed research to
ensure the protection of the privacy and welfare of human
subjects.
The primary role of an IRB is to oversee the marketing of research
findings.
, The primary role of an IRB is to manage funding for research
projects.
4. The requirements of the Privacy Rule of the Health Insurance Portability
and Accountability Act (HIPAA):
Take precedence over state laws when the state law provides
less privacy protection
Never take precedence over state laws
Are enforceable only in the absence of state or other applicable
federal laws
Always take precedence over state laws
5. Describe the main purpose of HIPAA in relation to patient health
information.
HIPAA allows unrestricted access to patient records for research
purposes.
HIPAA is a law that applies only to electronic health records.
HIPAA focuses solely on preventing health care fraud.
HIPAA is designed to protect the privacy and security of a
patient's health information.
6. Describe the difference between OHCAs and ACEs regarding their
ability to produce a joint Notice of Privacy Practice.
Both OHCAs and ACEs are required to produce separate NPPs
regardless of their structure.
Both OHCAs and ACEs can produce a joint NPP as they are both
integrated systems.
OHCAs cannot produce a joint NPP, but ACEs can because they
work together.
, OHCAs can produce a joint NPP due to their integrated system,
while ACEs cannot because they are separate entities.
7. What is the definition of an incidental disclosure of PHI according to
HIPAA?
A disclosure made without patient consent.
A secondary use or disclosure that cannot reasonably be
prevented.
Any unauthorized access to personal health information.
A use or disclosure that occurs due to negligence.
8. What are the three safeguards outlined in the HIPAA Security Rule for
protecting electronic protected health information (ePHI)?
Confidentiality, Integrity, Availability
Confidentiality, Privacy, Security
Privacy, Security, Accessibility
Protection, Integrity, Availability
9. What is the name of law that covers consumer financial privacy?
GLBA 1999 Gramm-Leach-Bliley Act
FERPA 1974 Family Educational Rights and Privacy Act (FTC)
HIPAA 1996 Health Insurance Portability and Accountability Act
COPPA 1998 Children's Online Privacy Protection Act (FTC)
10. What from the consumer's point of view would be the most important
aspect of Breach Notification communications?
A brief synopsis of the event, including the date the event
occurred and the date it was discovered
What the Covered Entity is doing about the event
, What information was disclosed and to whom
What the consumers affected should do for self-protection
11. A covered entity must provide notification of PHI breach to:
individual affected
HHS secretary
media
A and B
All of the above
12. What document is provided to patients at their first visit to inform them
about their privacy rights under HIPAA?
HIPAA Compliance Manual
Provider's Notice of Privacy Practices
Patient Rights Handbook
Health Information Privacy Guide
13. Hitech act final rule protects PHI...
Until the patient is 50 years old
For 50 years since the patient's last appointment
For 50 years after the death of a patient
Indefinitely
14. How does an incidental disclosure differ from an accidental disclosure
of PHI?
There is no difference; both terms mean the same thing.
