Healthcare Compliance and Patient Safety Practice Questions and
Answers Updated 2026 | Complete Healthcare Quality, Regulatory
Compliance & Patient Safety Study Guide with Verified Questions, Detailed
Rationales, HIPAA Regulations, Risk Management, Accreditation
Standards, Quality Improvement, Incident Reporting, Infection
Prevention, Patient Rights, Healthcare Ethics & Certification Exam Prep
Question 1: Which federal law primarily governs the privacy and security of
protected health information (PHI) in the United States?
A. The Affordable Care Act
B. The Health Insurance Portability and Accountability Act (HIPAA)
C. The Emergency Medical Treatment and Labor Act (EMTALA)
D. The Patient Safety and Quality Improvement Act
CORRECT ANSWER: B. The Health Insurance Portability and Accountability Act
(HIPAA)
Rationale: HIPAA, enacted in 1996, establishes national standards for the protection of
individually identifiable health information. The Privacy Rule and Security Rule under
HIPAA specifically regulate how covered entities and business associates must handle
PHI, making it the cornerstone legislation for healthcare information privacy and
security compliance in the U.S.
Question 2: A "never event" in patient safety refers to which of the following?
A. An adverse event that occurs less than once per year in a facility
B. A preventable serious incident that should never occur under any circumstances
C. An event that is reported but never investigated
D. A near-miss that is documented but does not reach the patient
CORRECT ANSWER: B. A preventable serious incident that should never occur
under any circumstances
Rationale: Never events are egregious, preventable errors such as surgery on the wrong
body part or retained foreign objects after surgery. These events are considered so
serious and preventable that their occurrence signals a fundamental breakdown in
safety systems, prompting mandatory reporting and root cause analysis under most
healthcare accreditation standards.
Question 3: Under the False Claims Act, which element is NOT required to
establish liability for submitting a fraudulent healthcare claim?
A. Knowledge that the claim was false or fraudulent
B. Submission of the claim to a federal healthcare program
C. Intent to personally profit from the fraudulent submission
D. Materiality of the false statement to the government's payment decision
,CORRECT ANSWER: C. Intent to personally profit from the fraudulent submission
Rationale: The False Claims Act imposes liability on any person who knowingly submits,
or causes to be submitted, a false or fraudulent claim for payment to the federal
government. Personal profit is not a required element; liability can attach to individuals
or entities acting with reckless disregard or deliberate ignorance of the truth, regardless
of whether they personally benefited financially.
Question 4: Which component is essential for an effective healthcare compliance
program according to the U.S. Office of Inspector General (OIG)?
A. Mandatory overtime policies for compliance staff
B. Written policies and procedures tailored to the organization's specific risks
C. Outsourcing all compliance monitoring to third-party vendors
D. Limiting compliance training to executive leadership only
CORRECT ANSWER: B. Written policies and procedures tailored to the
organization's specific risks
Rationale: The OIG's compliance program guidance consistently emphasizes that
effective programs must include written standards of conduct and policies addressing
identified risk areas. These documents must be specific to the organization's services,
size, and operational context to ensure practical implementation and staff
understanding.
Question 5: The primary purpose of a root cause analysis (RCA) in patient safety is
to:
A. Assign individual blame for an adverse event
B. Identify underlying system failures that contributed to an incident
C. Calculate financial penalties for the involved department
D. Expedite the closure of incident reports for regulatory submission
CORRECT ANSWER: B. Identify underlying system failures that contributed to an
incident
Rationale: RCA is a structured, retrospective method used to investigate serious
adverse events. Its core purpose is to uncover latent system weaknesses—such as
workflow design, communication breakdowns, or equipment issues—rather than
focusing on individual error, thereby enabling sustainable improvements to prevent
recurrence.
Question 6: Which scenario BEST exemplifies a violation of the Anti-Kickback
Statute?
A. A hospital provides free coffee to physicians who refer patients
B. A pharmaceutical company offers a physician stock options in exchange for
prescribing its drug
,C. A clinic donates medical supplies to a community health fair
D. A laboratory offers discounted rates to all patients regardless of referral source
CORRECT ANSWER: B. A pharmaceutical company offers a physician stock options
in exchange for prescribing its drug
Rationale: The Anti-Kickback Statute prohibits offering, paying, soliciting, or receiving
remuneration to induce referrals of items or services payable by federal healthcare
programs. Stock options tied to prescribing volume constitute illegal remuneration
because they create a direct financial incentive influencing clinical decision-making,
unlike nominal gifts or broadly available discounts that may fall under safe harbors.
Question 7: What is the minimum retention period for adult patient medical
records under typical state regulations and accreditation standards?
A. 3 years from the date of last service
B. 5 years from the date of last service
C. 7 to 10 years from the date of last service, or longer for minors
D. Indefinitely, without exception
CORRECT ANSWER: C. 7 to 10 years from the date of last service, or longer for
minors
Rationale: While specific requirements vary by state, most jurisdictions and accrediting
bodies like The Joint Commission mandate retention of adult records for 7–10 years
after the last encounter. For minors, records must typically be kept until the patient
reaches the age of majority plus the standard retention period (e.g., age 18 + 10 years =
28 years), ensuring legal and clinical continuity.
Question 8: Which practice is MOST effective in preventing wrong-site, wrong-
procedure, or wrong-person surgery?
A. Relying solely on the surgeon's memory and experience
B. Conducting a preoperative verification process, marking the surgical site, and
performing a time-out
C. Delegating site verification exclusively to nursing staff
D. Completing the surgical consent form after the procedure begins
CORRECT ANSWER: B. Conducting a preoperative verification process, marking the
surgical site, and performing a time-out
Rationale: The Universal Protocol, endorsed by The Joint Commission, requires three
critical steps: preoperative verification of documents and imaging, marking the
procedural site with patient involvement, and a time-out immediately before starting to
confirm patient identity, procedure, and site. This multi-layered approach significantly
reduces wrong-site errors through standardized communication and verification.
Question 9: Under HIPAA, when is a covered entity permitted to disclose PHI
without patient authorization for treatment purposes?
, A. Only when the patient is unconscious
B. When the disclosure is to another covered entity for the recipient's treatment of the
patient
C. Only if the disclosure is documented in the patient's chart within 24 hours
D. When the requesting provider is in the same healthcare system
CORRECT ANSWER: B. When the disclosure is to another covered entity for the
recipient's treatment of the patient
Rationale: HIPAA's Privacy Rule permits covered entities to use and disclose PHI for
treatment, payment, and healthcare operations without patient authorization. This
includes sharing information with other providers involved in the patient's care,
regardless of organizational affiliation, as long as the disclosure supports the recipient's
treatment activities.
Question 10: Which element is a cornerstone of a "just culture" approach to patient
safety?
A. Automatic termination for any staff member involved in an error
B. Distinguishing between human error, at-risk behavior, and reckless conduct when
responding to incidents
C. Prohibiting all incident reporting to avoid legal liability
D. Focusing exclusively on system redesign while ignoring individual accountability
CORRECT ANSWER: B. Distinguishing between human error, at-risk behavior, and
reckless conduct when responding to incidents
Rationale: A just culture framework promotes psychological safety for reporting by fairly
evaluating incidents based on behavioral choices. It recognizes that human error
warrants system improvements, at-risk behavior requires coaching and barrier removal,
and reckless conduct merits disciplinary action—balancing accountability with learning
to enhance overall safety.
Question 11: What is the primary function of a Corporate Integrity Agreement (CIA)
imposed by the OIG?
A. To provide tax incentives for compliant healthcare organizations
B. To monitor and enforce corrective actions following findings of fraud or abuse
C. To exempt organizations from routine audits for five years
D. To standardize billing codes across all healthcare providers
CORRECT ANSWER: B. To monitor and enforce corrective actions following findings
of fraud or abuse
Rationale: A CIA is a legally binding agreement between the OIG and a healthcare entity
that has engaged in misconduct. It mandates specific compliance measures—such as
independent reviews, training, and reporting—for a defined period (typically 5 years) to
ensure adherence to federal program requirements and prevent recurrence of
violations.
Answers Updated 2026 | Complete Healthcare Quality, Regulatory
Compliance & Patient Safety Study Guide with Verified Questions, Detailed
Rationales, HIPAA Regulations, Risk Management, Accreditation
Standards, Quality Improvement, Incident Reporting, Infection
Prevention, Patient Rights, Healthcare Ethics & Certification Exam Prep
Question 1: Which federal law primarily governs the privacy and security of
protected health information (PHI) in the United States?
A. The Affordable Care Act
B. The Health Insurance Portability and Accountability Act (HIPAA)
C. The Emergency Medical Treatment and Labor Act (EMTALA)
D. The Patient Safety and Quality Improvement Act
CORRECT ANSWER: B. The Health Insurance Portability and Accountability Act
(HIPAA)
Rationale: HIPAA, enacted in 1996, establishes national standards for the protection of
individually identifiable health information. The Privacy Rule and Security Rule under
HIPAA specifically regulate how covered entities and business associates must handle
PHI, making it the cornerstone legislation for healthcare information privacy and
security compliance in the U.S.
Question 2: A "never event" in patient safety refers to which of the following?
A. An adverse event that occurs less than once per year in a facility
B. A preventable serious incident that should never occur under any circumstances
C. An event that is reported but never investigated
D. A near-miss that is documented but does not reach the patient
CORRECT ANSWER: B. A preventable serious incident that should never occur
under any circumstances
Rationale: Never events are egregious, preventable errors such as surgery on the wrong
body part or retained foreign objects after surgery. These events are considered so
serious and preventable that their occurrence signals a fundamental breakdown in
safety systems, prompting mandatory reporting and root cause analysis under most
healthcare accreditation standards.
Question 3: Under the False Claims Act, which element is NOT required to
establish liability for submitting a fraudulent healthcare claim?
A. Knowledge that the claim was false or fraudulent
B. Submission of the claim to a federal healthcare program
C. Intent to personally profit from the fraudulent submission
D. Materiality of the false statement to the government's payment decision
,CORRECT ANSWER: C. Intent to personally profit from the fraudulent submission
Rationale: The False Claims Act imposes liability on any person who knowingly submits,
or causes to be submitted, a false or fraudulent claim for payment to the federal
government. Personal profit is not a required element; liability can attach to individuals
or entities acting with reckless disregard or deliberate ignorance of the truth, regardless
of whether they personally benefited financially.
Question 4: Which component is essential for an effective healthcare compliance
program according to the U.S. Office of Inspector General (OIG)?
A. Mandatory overtime policies for compliance staff
B. Written policies and procedures tailored to the organization's specific risks
C. Outsourcing all compliance monitoring to third-party vendors
D. Limiting compliance training to executive leadership only
CORRECT ANSWER: B. Written policies and procedures tailored to the
organization's specific risks
Rationale: The OIG's compliance program guidance consistently emphasizes that
effective programs must include written standards of conduct and policies addressing
identified risk areas. These documents must be specific to the organization's services,
size, and operational context to ensure practical implementation and staff
understanding.
Question 5: The primary purpose of a root cause analysis (RCA) in patient safety is
to:
A. Assign individual blame for an adverse event
B. Identify underlying system failures that contributed to an incident
C. Calculate financial penalties for the involved department
D. Expedite the closure of incident reports for regulatory submission
CORRECT ANSWER: B. Identify underlying system failures that contributed to an
incident
Rationale: RCA is a structured, retrospective method used to investigate serious
adverse events. Its core purpose is to uncover latent system weaknesses—such as
workflow design, communication breakdowns, or equipment issues—rather than
focusing on individual error, thereby enabling sustainable improvements to prevent
recurrence.
Question 6: Which scenario BEST exemplifies a violation of the Anti-Kickback
Statute?
A. A hospital provides free coffee to physicians who refer patients
B. A pharmaceutical company offers a physician stock options in exchange for
prescribing its drug
,C. A clinic donates medical supplies to a community health fair
D. A laboratory offers discounted rates to all patients regardless of referral source
CORRECT ANSWER: B. A pharmaceutical company offers a physician stock options
in exchange for prescribing its drug
Rationale: The Anti-Kickback Statute prohibits offering, paying, soliciting, or receiving
remuneration to induce referrals of items or services payable by federal healthcare
programs. Stock options tied to prescribing volume constitute illegal remuneration
because they create a direct financial incentive influencing clinical decision-making,
unlike nominal gifts or broadly available discounts that may fall under safe harbors.
Question 7: What is the minimum retention period for adult patient medical
records under typical state regulations and accreditation standards?
A. 3 years from the date of last service
B. 5 years from the date of last service
C. 7 to 10 years from the date of last service, or longer for minors
D. Indefinitely, without exception
CORRECT ANSWER: C. 7 to 10 years from the date of last service, or longer for
minors
Rationale: While specific requirements vary by state, most jurisdictions and accrediting
bodies like The Joint Commission mandate retention of adult records for 7–10 years
after the last encounter. For minors, records must typically be kept until the patient
reaches the age of majority plus the standard retention period (e.g., age 18 + 10 years =
28 years), ensuring legal and clinical continuity.
Question 8: Which practice is MOST effective in preventing wrong-site, wrong-
procedure, or wrong-person surgery?
A. Relying solely on the surgeon's memory and experience
B. Conducting a preoperative verification process, marking the surgical site, and
performing a time-out
C. Delegating site verification exclusively to nursing staff
D. Completing the surgical consent form after the procedure begins
CORRECT ANSWER: B. Conducting a preoperative verification process, marking the
surgical site, and performing a time-out
Rationale: The Universal Protocol, endorsed by The Joint Commission, requires three
critical steps: preoperative verification of documents and imaging, marking the
procedural site with patient involvement, and a time-out immediately before starting to
confirm patient identity, procedure, and site. This multi-layered approach significantly
reduces wrong-site errors through standardized communication and verification.
Question 9: Under HIPAA, when is a covered entity permitted to disclose PHI
without patient authorization for treatment purposes?
, A. Only when the patient is unconscious
B. When the disclosure is to another covered entity for the recipient's treatment of the
patient
C. Only if the disclosure is documented in the patient's chart within 24 hours
D. When the requesting provider is in the same healthcare system
CORRECT ANSWER: B. When the disclosure is to another covered entity for the
recipient's treatment of the patient
Rationale: HIPAA's Privacy Rule permits covered entities to use and disclose PHI for
treatment, payment, and healthcare operations without patient authorization. This
includes sharing information with other providers involved in the patient's care,
regardless of organizational affiliation, as long as the disclosure supports the recipient's
treatment activities.
Question 10: Which element is a cornerstone of a "just culture" approach to patient
safety?
A. Automatic termination for any staff member involved in an error
B. Distinguishing between human error, at-risk behavior, and reckless conduct when
responding to incidents
C. Prohibiting all incident reporting to avoid legal liability
D. Focusing exclusively on system redesign while ignoring individual accountability
CORRECT ANSWER: B. Distinguishing between human error, at-risk behavior, and
reckless conduct when responding to incidents
Rationale: A just culture framework promotes psychological safety for reporting by fairly
evaluating incidents based on behavioral choices. It recognizes that human error
warrants system improvements, at-risk behavior requires coaching and barrier removal,
and reckless conduct merits disciplinary action—balancing accountability with learning
to enhance overall safety.
Question 11: What is the primary function of a Corporate Integrity Agreement (CIA)
imposed by the OIG?
A. To provide tax incentives for compliant healthcare organizations
B. To monitor and enforce corrective actions following findings of fraud or abuse
C. To exempt organizations from routine audits for five years
D. To standardize billing codes across all healthcare providers
CORRECT ANSWER: B. To monitor and enforce corrective actions following findings
of fraud or abuse
Rationale: A CIA is a legally binding agreement between the OIG and a healthcare entity
that has engaged in misconduct. It mandates specific compliance measures—such as
independent reviews, training, and reporting—for a defined period (typically 5 years) to
ensure adherence to federal program requirements and prevent recurrence of
violations.
