Study online at https://quizlet.com/_hxebt1
1. What does HIPAA stand for?: Health Insurance Portability and Accountability Act
2. Where does HIPAA apply?: In all 50 states and U.S. territories
3. Which agency is responsible for enforcing HIPAA compliance?: HHS' Office for Civil
Rights (OCR)
4. Which of the following entities are not covered by HIPAA?: Journalists
5. Which HIPAA rule gives patients the right to view and obtain a copy of their
healthcare data?: The HIPAA Privacy Rule
6. HIPAA has many functions, but which of these is not an objective of HIPAA?: Ensuring all Americans have health insurance
7. What is a HIPAA authorization?: Consent given by a patient for their PHI to be used or shared for a
reason not permitted by the HIPAA Privacy Rule
8. What is a business associate?: A third-party that performs a function or activity on behalf of a covered
entity that requires access to PHI
9. What is protected health information?: Health information that includes one or more of the 18
identifiers that allows an individual to be identified from the health data
10. Which of these is not a HIPAA identifier?: Mother's maiden name
11. HITECH Stands for...: Health Information Technology for Economic and Clinical Health
12. Which of these was NOT one of the aims of the HITECH Act?: To give public health
agencies more access to healthcare data
13. Which of the following was not mandatory until the HITECH Act was introduced?: Notifications for patients whose PHI was exposed in a data breach
14. What was the purpose of HIPAA Omnibus Rule?: To implement changes to HIPAA required
by the HITECH Act
15. Which of these are NOT part of the Administrative Simplification Rules?: Elimination of complex rules for healthcare administrators
16. What was the purpose of the Security Rule?: To set minimum standards for safeguarding
protected health information
17. Why was the Enforcement Rule introduced?: To allow the Office for Civil Rights to impose
financial penalties on CEs for HIPAA violations
18. Which of these were not part of the HIPAA Omnibus Rule?: Mandatory use of electronic
health records
HIPAA Training for Healthcare Students
19. Before the Omnibus Rule was introduced, which of these was not possible?: Issue fines to business associates for HIPAA violations
20. Before PHI is disclosed to a third party for a reason other than treatment,
payment, or for healthcare operations, healthcare employees must...: Obtain
written authorization from the patient
21. What is the Minimum Necessary Rule?: Only disclosing the minimum amount of PHI to achieve
the purpose for which it is disclosed
22. The HIPAA Privacy Rule protects what?: Individually identifiable health information
23. Which of these is NOT part of the HIPAA Privacy Rule?: Mandatory safeguards to ensure
the confidentiality, integrity, and availability of healthcare data
24. What is the main purpose of the HIPAA Security Rule?: To set minimum standards for
security to ensure the confidentiality, integrity, and availability of ePHI
25. Which of these is covered in the HIPAA Security Rule?: Physical controls to secure physical PHI
26. Which of these is not one of the patient rights under HIPAA?: The right to sue
healthcare providers for data breaches
27. A parent of a 15-year-old child wants to see their child's medical records.
Which of the following is true?: The parent can submit a request in writing and the healthcare provider
must give the parent a copy of their child's medical records
28. When a patient submits a request to access their PHI, a healthcare provider
should...?: All of the above
29. When can PHI be disclosed to friends and family members? (Several possible answers):
• When, using professional judgment, a healthcare professional determines that the patient would be unlikely to object
• When it is determined that it is in the best interest of a patient when the patient is incapacitated
30. When are healthcare employees permitted to disclose PHI for reasons other
than treatment, payment, or healthcare operations?: All of the above
31. Can limited PHI about a patient be shared with a person that is not a friend
or family member?: Yes, provided the healthcare professional is reasonably sure that the patient wants the
person to be involved and it is believed to be in the best interest of the patient
32. A HIPAA covered entity can disclose PHI in which of the following situations?: All of the above