Security (CHPS) Exam Preparation
ACTUAL QUESTIONS AND CORRECT ANSWERS
Which of the following is a goal of the minimum necessary requirement under the HIPAA
Privacy Rule? - CORRECT ANSWERS✅✅Ensure that all workforce members have the
same access to PHI within an organization.
A patient is checking in at the registration desk and overhears a conversation between another
patient and the billing specialist regarding a specific diagnosis that is not being covered under
the patient's insurance. This is an example of what type of disclosure? - CORRECT
ANSWERS✅✅Incidental
Which of the following is the only scenario where breach notification can be delayed past the
60-day notification requirement? - CORRECT ANSWERS✅✅When law enforcement
requests a delay due to an open criminal investigation.
During a recent change in a computer system's access, an organization determined that they
were going to create role-based access defined on the need for each job type within the
organization. This is an example of application of which of the following: - CORRECT
ANSWERS✅✅Minimum necessary
An organization just finished updating the minimum necessary policy and procedure. The
new policy took effect on February 12, 2016. How long do they have to maintain the previous
version of the policy? - CORRECT ANSWERS✅✅February 12, 2020
Which of the following is considered a patient's right under the HIPAA Privacy Rule? -
CORRECT ANSWERS✅✅Accounting of disclosure (AOD)
How long does a covered entity have to respond to an accounting of disclosure request? -
CORRECT ANSWERS✅✅30 days with one 30 day extension.
A patient has requested three accounting-of-disclosures reports in the past month. Which of
the following statements is true regarding the accounting of disclosure? - CORRECT
ANSWERS✅✅The CE is allowed to charge a reasonable, cost-based fee for the second and
third request for accounting disclosures and must inform the patient prior.
In the final HIPAA Omnibus Rule of 2013, which of the following was added to the
regulations regarding patient access? - CORRECT ANSWERS✅✅A patient has a right to
receive his or her designated record set electronically, if maintained electronically.
If a state requires that all medical records be disclosed within 15 days from the request, and
HIPAA requires disclosures to be completed within 30 days from the request, which
timeline should be followed? - CORRECT ANSWERS✅✅State law because it is more
stringent than HIPAA.
Which of the following is allowed under the applicable fees and charges when charging for a
copy of medical records? - CORRECT ANSWERS✅✅Labor cost
If a patient put in a request for an amendment to his or her medical record on July 20, 2020,
when would be the last possible day that the CE would need to provide outcome information
on the amendment or notification of a 30-day extension? - CORRECT
ANSWERS✅✅September 20, 2020
If a patient chooses to make a complaint against a CE to the Secretary of Health and Human
Services, the complaint must be made in _____ days from the date the complaint was known
or should have been known. - CORRECT ANSWERS✅✅180
A patient made a request for an accounting of disclosure on March 31, 2020. What is the date
range that must be provided on the accounting-of-disclosure document? - CORRECT
ANSWERS✅✅March 31, 2015 - March 31, 2020. 6 years prior.
What was the compliance date for all covered entities and business associates to bring all of
the grandfathered business associate agreements into compliance with the final Omnibus
Rule of 2013? - CORRECT ANSWERS✅✅September 23, 2014
The HIPAA Security Rule allows flexibility with implementation based on reasonableness
and appropriateness safeguards. This means that covered entities can - CORRECT
ANSWERS✅✅implement based on organizational assessment
What group was granted authority to bring civil actions against healthcare organizations and
business associates based on alleged HIPAA violations? - CORRECT ANSWERS✅✅State
attorney general
To place a patient in a facility directory, a covered entity - CORRECT ANSWERS✅✅must
obtain the patient's verbal agreement.
The Privacy Rule permits charging patients for labor and supply costs associated with
copying health records. The hospital is located in a state where state law allows charging
patients a $100 search fee associated with locating records that have been requested. -
CORRECT ANSWERS✅✅The Privacy Rule will preempt state law in this situation.
What does it mean to state the regulation in the HIPAA Security Rule is addressable? -
CORRECT ANSWERS✅✅The organization can implement an alternate safeguard of
equivalent protections.
A healthcare provider that provided a copy of an individual's medical record to a nursing
home that the patient will be transferred to is an example of using protected health
information for what purpose? - CORRECT ANSWERS✅✅Treatment
A payment from a drug company to a covered entity to promote a new medication for
treatment of acne is referred to as - CORRECT ANSWERS✅✅direct.
Which of the following is considered to be part of healthcare operations and uses deidentified
health information or a limited data set and benefits the covered entity? - CORRECT
ANSWERS✅✅Fundraising
Providing a copy of an emergency room visit report to a primary care provider is an example
of which of the following under HIPAA? - CORRECT ANSWERS✅✅Disclosure of
protected health information