
HIPAA Training

HIPAA Learning Resources

When you have studied the above material, please proceed to the quiz portion of the module below.

Please do not print this page.

Print out only the “Blank Answer Sheet” below to send to your HIPAA Compliance Officer.

Use the quiz below to complete your “Blank Answer Sheet.”

HIPAA Certification Quiz


1. The Health Insurance Portability and Accountability Act (HIPAA):

a. protects health insurance coverage for workers and their families when they change or lose their jobs

b. requires national standards for electronic health care transactions

c. addresses security and privacy of health data

d. all of the above


2. The Privacy Act limits the collection of information about individuals to that which is legally relevant and necessary.

a. True

b. False


3. Patients, for the most part, may gain access to any information pertaining to them that is contained in any system of records.

a. True

b. False


4. According to the video, which term refers to information that can cause significant harm?

a. PHI/PII

b. ePHI

c. sPII/sPHI

d. iPHI

e. None of the above



5. If a patient wants access to their record, they must provide a valid reason in writing for wanting to see it.

a. True

b. False


6. A patient is being transferred to a contract nursing home for further care. The nursing home may be provided with individually identifiable healthcare information for the purpose of providing medical care to the patient, who will be housed in its facility.

a. True

b. False


7. A patient must provide a signed authorization for release of information to third parties that are not part of the continuity of care.

a. True

b. False


8. Disclosure of individually identifiable health information to an outside healthcare provider (physician, hospital, nursing home), even for treatment purposes, requires a written authorization by the patient.

a. True

b. False


9. The Information Blocking Rule is part of the Cures Act.

a. True

b. False


10. Information Blocking REQUIRES a medical provider to share with other providers and to push all available information to the portal for access, so as not to interfere with, prevent, or discourage access, exchange, or use of Electronic Health Information.

a. True

b. False


11. The “No Surprises Act” is the portion of the ACA that maintains that providers must provide good-faith estimates at or before the time of service to all uninsured and self-pay patients.

a. True

b. False



12. There is no set maximum flat-fee charge for medical records for personal use.

a. True

b. False


13. Medical practices may choose a flat-fee charge, an average-cost charge, or a charge based on the actual cost to produce medical records for patients for personal use. These charges can be different for third-party vendors.

a. True

b. False


14. When a patient requests that records be sent to them via unencrypted email, we:

a. Must provide an explanation of the security risks in transit from sender to receiver

b. Can only provide them at the patient’s direct request

c. Can send directly to the patient at the email address provided

d. Must verify the identity of the patient

e. All of the above

f. None of the above


15. According to the rules for verifying the identity of the patient, the patient must provide a signature in person at the office.

a. True

b. False


16. How many days does a practice have to produce requested medical records for the requesting patient?

a. 3

b. 14

c. 21

d. 30

e. 60


17. Under the Information Blocking rule, the only exception to providing immediate access to medical records is:

a. Preventing harm to the patient or another person

b. Protecting an individual’s privacy

c. Protecting the security of information

d. Limiting content to the scope of practice

e. Protecting the value of innovations and royalties

f. All of the above

g. A and B only


18. A patient has the right to request an amendment to their chart.

a. True

b. False



19. Patient conditions can be declared to insurance carriers to obtain payment for services even if a financial waiver (assignment of benefits) is not in the patient chart.

a. True

b. False


20. A violation of HIPAA laws can include fines and jail time for employees responsible for breaches.

a. True

b. False


21. When a patient requests access to his/her medical records:

a. I always have to provide the complete record, with few exceptions

b. I can provide a summary with redactions if it is too difficult for the patient to interpret

c. I provide only encounter notes from our own doctors, not including outside labs or imaging

d. B and C only

e. None of the above


22. An authorization can be revoked by the patient:

a. Only within 30 days of the original authorization

b. By telephone request

c. Under no circumstances; once authorization is given, it cannot be revoked

d. If the requested action has NOT already taken place


23. Patient complaints must first be filed with the physician's office.

a. True

b. False


24. If the Secretary of Health and Human Services (HHS) validates a complaint, my practice:

a. Only receives recommendations to the provider from the Secretary of HHS

b. Nothing will happen unless harm to the patient is proven

c. May have a compliance review and individual fines per incident of exposure/violation


25. My practice can respond to a request to amend a record:

a. As soon as we can get to it

b. Within 90 days

c. Only if deemed to affect a patient's care

d. Within 60 days


26. A practice can refuse to amend the record:

a. Under NO circumstances

b. If you do not find it necessary for patient care

c. Only if it doesn't affect insurance coverage

d. Under specific circumstances, after providing the patient with a refusal form indicating the reason for rejection of the amendment request


27. The Notice of Privacy Practices (NPP) must be:

a. Given to each patient at the first visit and at least every 3 years after

b. Posted on the practice’s website

c. Posted in the office

d. All of the above


28. If I forget to give a Notice of Privacy Practices (NPP) to a patient:

a. It's no big deal

b. I can give it to him at the next visit

c. I can give it to a friend to take to him

d. I have to mail it immediately and document my actions


29. Once the Notice of Privacy Practices (NPP) is written:

a. It can’t be changed

b. It can be changed, but the entity has to notify patients promptly and redistribute it when any material changes are made

c. It has to be updated at least every year

d. I don't have to worry about it any more


30. If a non-authorized disclosure of protected health information (PHI) is made:

a. I must keep a record of this for six years

b. I must give the patient a full accounting upon proper request

c. There is no such thing as a non-authorized request

d. A and B


31. If a patient wants to request a restriction on the disclosure of his/her protected health information (PHI):

a. It must be in writing, stating what PHI is being restricted

b. It can be retroactive to cover information already released

c. The patient cannot restrict disclosure of PHI


32. Staff must be trained:

a. Annually

b. Initially at hire

c. Once every 3 years after hire

d. A and B only


33. Other than office staff:

a. No one else needs to be trained about HIPAA

b. Casual employees do not need to be trained about HIPAA

c. Contract staff, such as cleaning crews, do not need to be trained about HIPAA

d. Everyone who works in my office, including unpaid volunteers, contract employees, and casual laborers, must be trained or show documentation of training about HIPAA


34. A privacy officer should conduct the following steps:

a. Identify the internal and external risks of disclosure of protected health information (PHI)

b. Create, implement, and maintain a security plan to reduce risks

c. Train all personnel on the practice's privacy and security of PHI

d. Monitor and enforce the security policies in place

e. All of the above

f. A, B, and D only


35. If an individual authorizes release of protected health information (PHI) that includes psychotherapy notes:

a. I can release this PHI

b. I don't have to consult with the patient about what information to release

c. I can condition coverage or treatment on an authorization to use or disclose psychotherapy notes

d. I am required to respond to an authorization for psychotherapy notes, but I may use some discretion

e. None of the above

f. A, B, and D only


36. The Minimum Necessary Standard requires covered entities and their business associates to restrict the use and disclosure of PHI, as permitted by the HIPAA privacy rules, to only the information needed for patient care within the scope of the provider receiving the shared information.

a. True

b. False


37. I don't need a business associate agreement for:

a. My employees

b. My cleaning service

c. My corporate attorney

d. Contracted employees, such as a physical therapist, who perform a substantial portion of their work at my practice

e. None of the above

f. A, B, and D only


38. The Privacy Rule requires the return or destruction of all protected health information (PHI) at the termination of a business associate agreement contract only where feasible or permitted by law.

a. True

b. False



39. The HIPAA Security Rule (cyber security) only applies to IT personnel and automated security software scanning at the practice.

a. True

b. False


40. The HIPAA Security Rule addresses malicious use for:

a. Ransomware

b. Medicare fraud

c. Banking viruses

d. Exfiltration of patient records

e. Identity theft

f. Cryptomining

g. All of the above


41. Individual employees can be held liable for exposing the network to security breaches.

a. True

b. False



42. NPPES is the agency that receives reports of ePHI network intrusions within medical facilities and practices.

a. True

b. False