COMPREHENSIVE MULTIPLE-CHOICE QUESTIONS WITH 100%
RATED CORRECT ANSWERS 2025/2026 LATEST UPDATED GET IT
CORRECT
Question 1
Which of the following is one of the three major areas addressed in the HIPAA Privacy
Regulation?
A) Enforcement of payment collection.
B) Use and disclosure of Protected Health Information (PHI).
C) Regulation of advertising for healthcare services.
D) Standardization of medical procedures.
E) Setting physician fees.
Correct Answer: B) Use and disclosure of PHI
Rationale: The HIPAA Privacy Rule addresses three major areas: the permitted uses and
disclosures of Protected Health Information (PHI), the rights individuals have over their
health information (access, amendment, an accounting of disclosures), and administrative
requirements such as safeguards, workforce training and a designated privacy official.
Question 2
Which of the following entities can be held directly accountable by federal or state authority for
failure to comply with HIPAA statutory regulations?
A) Patients.
B) Business Associates.
C) Pharmaceutical companies.
D) Medical device manufacturers.
E) All individuals involved in healthcare.
Correct Answer: B) Business Associates
Rationale: Since the HITECH Act (2009), Business Associates (e.g., IT techs, cleaning services,
vendors, collection agencies, consultants, and billing services) are directly liable for HIPAA
compliance. HHS (through the Office for Civil Rights) enforces at the federal level and state
attorneys general may also bring civil actions, so a Business Associate can face penalties for
its own violations rather than only contractual liability to the Covered Entity.
Question 3
Which of the following entities are considered Covered Entities under HIPAA?
A) IT technicians.
B) Janitors.
C) Doctors, hospitals, and pharmacies.
D) Consultants.
E) Billing services.
Correct Answer: C) Doctors, hospitals, and pharmacies.
Rationale: Covered Entities under HIPAA are healthcare providers, health plans, and
healthcare clearinghouses. Doctors, hospitals, and pharmacies are healthcare providers that
transmit health information electronically in connection with transactions for which HHS
has adopted standards. The other options are Business Associates, not Covered Entities.
Question 4
An unauthorized acquisition, access, use, or disclosure of protected health information is
formally defined as a:
A) Misdemeanor.
B) Fraud.
C) Breach.
D) Abuse.
E) Violation.
Correct Answer: C) Breach
Rationale: A breach is precisely defined as an unauthorized acquisition, access, use, or
disclosure of Protected Health Information (PHI), which compromises the security or
privacy of the information.
Question 5
Which of the following is NOT considered a breach under HIPAA?
A) An unintentional acquisition, access, or use of health information that occurs within the scope
of employment and the information does not go any further.
B) An unauthorized disclosure of health information to an unauthorized person outside the
covered entity.
C) The malicious hacking of a patient database.
D) The intentional theft of patient records.
E) The intentional disclosure of PHI for financial gain.
Correct Answer: A) An unintentional acquisition, access, or use of health information that
occurs within the scope of employment and the information does not go any further.
Rationale: The Breach Notification Rule carves out three exceptions that are not treated as
breaches: (1) an unintentional acquisition, access, or use by a workforce member, made in
good faith and within the scope of employment, where the information is not further used
or disclosed; (2) an inadvertent disclosure between two people who are both authorized to
access PHI at the same facility, where the information goes no further; and (3) a disclosure
where the unauthorized recipient could not reasonably have been able to retain the
information. Hacking, theft, and intentional disclosure for gain are all breaches.
Question 6
What is the tiered increase in Civil Monetary Penalties for HIPAA violations, starting at a
minimum per violation and an annual maximum?
A) $10,000 per violation, $100,000 annual maximum.
B) $50,000 per violation and an annual maximum of $1.5 million.
C) $100,000 per violation, $5 million annual maximum.
D) $1,000 per violation, $25,000 annual maximum.
E) $500 per violation, $50,000 annual maximum.
Correct Answer: B) $50,000 per violation and an annual maximum of $1.5 million.
Rationale: HIPAA civil monetary penalties are tiered by the level of culpability, from
"did not know" up to "willful neglect, not corrected". The highest tier is $50,000 per
violation with an annual cap of $1.5 million for identical violations. These are the statutory
figures set by the HITECH Act; HHS adjusts the dollar amounts for inflation each year, so
the maximums currently published in the Federal Register are higher.
Question 7
Which of the following scenarios would not typically be treated as a HIPAA violation by DHHS
(the Department of Health and Human Services) if reasonable safeguards are in place?
A) Overheard phone or nursing station conversation.
B) Discussing patient information loudly in a public hallway.
C) Calling out patient names in reception areas.
D) Using joint treatment areas with cubicles and curtains.
E) Both A and C.
Correct Answer: E) Both A and C.
Rationale: Overheard conversations (if efforts are made to speak quietly), calling names in
reception areas, using sign-in sheets, and joint treatment areas with cubicles/curtains are
generally considered incidental disclosures that are permitted if reasonable safeguards (like
speaking quietly, asking patients to step back, or using dividers) are in place. These are not
typically grounds for a HIPAA violation by DHHS as long as the minimum necessary rule is
applied.
Question 8
Protected Health Information (PHI) includes any information, whether oral or recorded in any
form or medium, that is created or received by a healthcare provider, health plan, employer, life
insurer, school or university, or healthcare clearinghouse, and related to:
A) Only the patient's current physical health.
B) Only the patient's future mental health.
C) The past, present, or future physical or mental health or condition of an individual.
D) Only billing and insurance information.
E) Only demographic information.
Correct Answer: C) The past, present, or future physical or mental health or condition of an individual.
Rationale: PHI is broadly defined to include information related to the past, present, or
future physical or mental health or condition of an individual, covering a wide range of
data points and formats.
Question 9
Which of the following is considered an "Identifier" under HIPAA, contributing to Individually
Identifiable Health Information (IIHI)?
A) Medical record number.
B) Full face photograph.
C) Social Security number.
D) Vehicle identifier.
E) All of the above.
Correct Answer: E) All of the above.
Rationale: The HIPAA de-identification standard lists 18 identifiers that, when associated
with health information, make it individually identifiable: names, geographic subdivisions
smaller than a state, dates (other than year) directly related to an individual, telephone
numbers, fax numbers, email addresses, social security numbers, medical record numbers,
health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle
identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face
photographs, and any other unique identifying number, characteristic, or code. All four
options appear on that list.
Question 10
The Notice of Privacy Practices (NPP) should be:
A) Only available upon request.
B) Given verbally to the patient.
C) In a written language, tape, or video that the patient understands, clearly posted in the practice
or facility, and, if applicable, on the practice website.
D) Updated only every 5 years.
E) Signed by the patient as acknowledgment of receipt.
Correct Answer: C) In a written language, tape, or video that the patient understands, clearly
posted in the practice or facility, and, if applicable, on the practice website.
Rationale: The NPP must be provided in a clear, understandable manner (including
alternative formats for accessibility), clearly posted in a prominent location in the facility,
and made available on the practice's website if it has one. Providers with a direct treatment
relationship must also make a good-faith effort to obtain the patient's written
acknowledgment of receipt, but the patient is not required to sign, which is why option E is
not the correct answer.
Question 11
Which of the following actions is an example of healthcare "fraud"?
A) Charging in excess for services or supplies.
B) Providing medically unnecessary services.
C) The intentional deception or misrepresentation that an individual knows to be false or does
not believe to be true, and makes knowing that the deception could result in some
unauthorized benefit.
D) Using an incorrect or inappropriate provider number in error.
E) Billing for services that were documented but not performed due to oversight.
Correct Answer: C) The intentional deception or misrepresentation that an individual knows
to be false or does not believe to be true, and makes knowing that the deception could