HIPAA Required Safeguards Quiz: Privacy & Security

Quick, free security rule quiz for teams and pros. Instant results.

Editorial: Review Completed
Created By: Martin Taz
Updated: Aug 28, 2025
Difficulty: Moderate
Time: 2-5 mins

Use this HIPAA Required Safeguards quiz to check how well you handle privacy and security controls in everyday work. For more practice on the Security Rule, try our HIPAA security rule quiz. For PHI basics and workforce learning, see the protected health information quiz and the HIPAA quiz for employees.

What does the acronym HIPAA stand for?
Health Insurance Portability and Accountability Act
Healthcare Insurance Protection and Accountability Act
Health Information Policy and Accessibility Act
Health Information Privacy and Accountability Act
HIPAA stands for the Health Insurance Portability and Accountability Act, enacted in 1996 to protect patient health information and improve portability of insurance coverage. It includes Privacy, Security, and Breach Notification Rules that set national standards. Its provisions apply to covered entities and business associates.
Which of the following is considered Protected Health Information (PHI)?
Non-identifiable aggregate health data
Company financial projections
Patient medical record number
Public health statistics with no identifiers
PHI includes any individually identifiable health information transmitted or maintained in any form. A medical record number is a direct identifier tied to an individual. Aggregate or de-identified data is not PHI.
Who must sign a Business Associate Agreement (BAA)?
Only between two covered entities
Any two healthcare providers, even if no PHI is exchanged
Patients and hospitals
A covered entity and any vendor handling PHI
BAAs are required between covered entities and business associates who create, receive, maintain, or transmit PHI on their behalf. A BAA sets out permitted uses and required safeguards. Vendors that do not handle PHI are not business associates.
Which rule of HIPAA focuses on safeguarding electronic PHI (ePHI)?
The Transactions Rule
The Security Rule
The Privacy Rule
The Enforcement Rule
The Security Rule sets national standards to protect ePHI through administrative, physical, and technical safeguards. The Privacy Rule governs PHI in any form. Transactions and Enforcement Rules address other aspects.
Which federal agency enforces HIPAA compliance?
The Centers for Disease Control and Prevention (CDC)
The Office for Civil Rights (OCR) in HHS
The Food and Drug Administration (FDA)
The Department of Justice (DOJ)
The HHS Office for Civil Rights enforces the HIPAA Privacy and Security Rules, investigates complaints, and levies civil penalties. DOJ handles criminal prosecutions. Other agencies regulate different areas.
What is the HIPAA Minimum Necessary Standard?
Encrypting all PHI at rest
Limiting PHI disclosure to the minimum needed for a purpose
Destroying PHI after 30 days
Sharing all PHI with any treating provider
The Minimum Necessary Standard requires covered entities to limit PHI use, disclosure, and requests to the minimum needed to accomplish the intended purpose. Exceptions include treatment purposes. It reduces overexposure of sensitive data.
What type of safeguard is a unique user ID and password?
Administrative safeguard
Physical safeguard
Organizational safeguard
Technical safeguard
Technical safeguards are technology and policies protecting ePHI and controlling access, including user authentication like unique IDs and passwords. Administrative safeguards are policies and procedures. Physical safeguards protect building access.
Which of these is NOT one of the HIPAA Privacy Rule's core standards?
Requiring BAAs with business associates
Setting limits on uses of PHI
Providing patients with rights over their PHI
Enabling electronic claims transactions
Enabling electronic claims transactions belongs to the Transactions Rule, not the Privacy Rule. The Privacy Rule focuses on use and disclosure limits, patient rights, and BAAs.
By default, how quickly must a HIPAA breach be reported?
Within 7 days of discovery
Within 30 days of discovery
Within 90 days of discovery
Within 60 days of discovery
HIPAA requires covered entities to issue breach notifications to affected individuals and OCR without unreasonable delay and no later than 60 days after discovery. Some states may impose shorter deadlines. Timely notification mitigates harm.
Which provision requires workforce training on HIPAA policies?
Administrative Safeguards
Physical Safeguards
Privacy Rule Notices
Security Incident Procedures
Administrative safeguards require covered entities to train all workforce members on HIPAA policies and procedures. This ensures personnel understand privacy and security obligations. Training must be documented.
What is ePHI?
Electronic Protected Health Information
Emergency Patient Health Instruction
Encrypted Personal Health Identification
External Public Health Information
ePHI refers to any PHI that is created, stored, transmitted, or received in electronic form. It is subject to the HIPAA Security Rule's safeguards. Non-electronic PHI is covered by the Privacy Rule.
Which of these is a physical safeguard under the Security Rule?
Security management process
Facility access controls
Workforce clearance procedures
User authentication
Physical safeguards include measures like facility access controls, workstation security, and device/media controls to protect against unauthorized physical access. User authentication is a technical safeguard. Clearance procedures are administrative.
What tool is recommended to document an organization's HIPAA risks?
Employee waiver form
Business impact analysis
Encryption key list
Risk analysis report
A risk analysis report documents potential threats and vulnerabilities to ePHI and is required under the Security Rule. It drives risk management decisions. Encryption keys and impact analyses serve other functions.
Which administrative safeguard addresses responding to security incidents?
Access control policy
Security incident procedures
Contingency planning
Workforce training
The Security Rule requires documented procedures to address security incidents, including identifying and responding to suspected breaches. Contingency planning focuses on data recovery. Access control and training are separate standards.
What is a Business Associate?
A family member accessing records
An entity performing functions involving PHI on behalf of a covered entity
A patient's legal representative
A medical device manufacturer with no PHI exposure
A business associate performs activities or functions involving PHI on behalf of a covered entity, such as billing or data analysis. Non-PHI vendors are not business associates. Patient representatives and family members do not qualify.
Which of the following is NOT a technical safeguard?
Audit controls
Encryption
Access controls
Security awareness training
Security awareness training is an administrative safeguard. Technical safeguards include encryption, access controls, and audit controls to protect ePHI. Training addresses workforce behavior.
Which element is required in a Notice of Privacy Practices?
Emergency contact numbers only
Description of patients' rights and covered entity's duties
Detailed department salary information
Marketing plan details
A Notice of Privacy Practices must describe patients' rights regarding PHI and the covered entity's legal duties under HIPAA, including how to file a complaint. It cannot include unrelated organizational details.
What is the purpose of a contingency plan under HIPAA?
Encrypt data at rest
Authorize business associates
Train workforce on privacy policies
Ensure availability of ePHI during emergencies
A contingency plan ensures the availability, integrity, and access to ePHI during emergencies or system failures. It includes data backup and disaster recovery. Training and encryption are separate safeguards.
Which of these qualifies as a reasonable safeguard for PHI privacy?
Posting PHI on social media
Discussing patient data loudly in public
Locking file cabinets containing paper records
Leaving charts open on a nurse's station
Reasonable safeguards protect PHI from unauthorized access. Locking cabinets is a physical safeguard. Leaving charts open or discussing patient data in public violates privacy rules.
Which authentication method is stronger under HIPAA recommendations?
Multi-factor authentication
IP address filtering alone
Single shared system password
Username and simple password only
Multi-factor authentication combines two or more credentials verifying identity. HIPAA encourages strong technical safeguards. Simple or shared passwords and IP filtering alone provide weaker protection.
Which of the following is an example of de-identified data?
Dataset stripped of all 18 HIPAA identifiers
Patient name and exact birthdate removed but zip code kept
Patient photo with no name
Dataset containing unique MRNs
De-identified data under HIPAA must remove all 18 identifiers. Retaining zip code or MRN still risks re-identification. Photos are a direct identifier.
What does the HIPAA Breach Notification Rule require?
Notify individuals, OCR, and media of breaches affecting 500+
Notify only internal security staff
Destroy breached records immediately
Notify law enforcement only
The Breach Notification Rule requires covered entities to notify affected individuals, OCR, and the media if a breach affects 500 or more individuals. Smaller breaches require OCR and individual notifications but not media.
Which aspect of the Security Rule ensures data integrity?
Workforce clearance procedures
Facility access controls
Encryption at rest only
Integrity controls to verify ePHI has not been altered
Integrity controls are technical safeguards that verify ePHI has not been improperly altered or destroyed. Encryption protects confidentiality but not necessarily integrity checks. Physical controls protect facility access.
Which rule requires BAAs to include termination clauses?
Privacy Rule original 2000
HITECH Act
Transactions Rule
HIPAA Omnibus Rule
The Omnibus Rule of 2013 strengthened BAA requirements, including termination clauses if the business associate violates HIPAA. The HITECH Act expanded breach notifications but didn't specify termination language.
What must a covered entity do before disclosing PHI for research?
Publish the research protocol publicly
Obtain patient authorization or an IRB waiver
Notify OCR in advance
Encrypt the data after release
Disclosures of PHI for research require patient authorization or an Institutional Review Board waiver/alteration under the Privacy Rule. Notification of OCR or encryption alone is insufficient without proper authorization.
Which is an acceptable method of disposing of paper PHI?
Cross-cut shredding
Recycling without shredding
Burning in open area
Throwing in unlocked trash cans
Cross-cut shredding renders paper PHI unreadable and is a Physical Safeguard standard. Recycling without shredding or open burning may expose PHI. Trash disposal must ensure destruction.
Which federal statute expanded HIPAA breach notification requirements and strengthened penalties?
Sarbanes-Oxley Act
HITECH Act
Affordable Care Act
PATRIOT Act
The HITECH Act of 2009 expanded breach notification requirements, introduced meaningful use incentives, and increased penalties for HIPAA violations. It also applied certain Security Rule requirements directly to business associates.
Under the HIPAA Privacy Rule, how long must covered entities retain patient records?
Ten years
As required by state law or six years under HIPAA
One year
Forever
HIPAA requires covered entities to retain documentation for six years from the date of creation or last effective date, unless state law mandates a longer period. Records older than six years may be destroyed if allowed.
What does 45 CFR § 164.308(a)(1) require?
Security management process including risk analysis and management
Physical facility access controls only
Workforce sanctions policy exclusively
Encryption of all ePHI at rest
45 CFR § 164.308(a)(1) mandates a security management process, including risk analysis, risk management, and sanction policies to address identified risks. Encryption and physical controls are separate standards.
Which de-identification method requires expert determination under HIPAA?
Statistical expert certifying recipient risk of re-identification is very small
Masking Social Security numbers only
Public posting of limited data set
Simple removal of names only
The expert determination method relies on a qualified individual using statistical and scientific principles to certify minimal re-identification risk. Simply removing identifiers is the Safe Harbor method, not expert determination.
What must be included in a BAA under the Omnibus Rule?
Unlimited use of PHI for marketing
Requirement for BA to report breaches of unsecured PHI
Ownership of PHI by the BA
Guaranteed lifetime data access
The Omnibus Rule added provisions requiring business associates to report breaches of unsecured PHI to covered entities. It prohibits BA ownership of PHI and restricts marketing uses. It enhances accountability.
Which is the correct definition of a Limited Data Set?
PHI with names and SSNs only removed
Any de-identified record set
PHI excluding 16 direct identifiers, usable under data use agreement
Fully identified PHI under BAA
A Limited Data Set excludes 16 of the 18 HIPAA identifiers but may include city, dates, and codes under a data use agreement for research or public health. It is not fully de-identified.
Which HIPAA rule addresses electronic transactions and code sets?
The Breach Notification Rule
The Privacy Rule
The Transactions and Code Sets Rule
The Security Rule
The Transactions and Code Sets Rule standardizes electronic healthcare transactions and national code sets to improve efficiency. The Privacy and Security Rules focus on PHI protection. Breach Notification covers breach reporting.
What is the role of the OCR's HIPAA audit program?
To perform routine financial audits of providers
To manage state licensing boards
To issue patient privacy complaints directly to individuals
To assess compliance through periodic audits
The OCR's audit program assesses covered entities' and business associates' compliance with HIPAA Rules via on-site or desk audits. It does not handle licensing or financial audits. Complaints are handled separately.
Under HIPAA, who is responsible for conducting a security risk analysis?
Covered entity or business associate leadership
Individual patients
Any third-party with no HIPAA training
Only the IT department
Covered entity or business associate leadership is ultimately responsible for ensuring a thorough security risk analysis is conducted. While IT may implement tools, accountability rests with the organization. Patients do not conduct it.
Which of these is a required component of Workforce Clearance Procedures?
Determining levels of access appropriate for workforce members
Encrypting all hard drives
Sharing passwords for emergency access
Posting PHI disposal logs
Workforce clearance procedures ensure that workforce members have appropriate access based on role and necessity. Encryption of hard drives is a technical safeguard. Password sharing violates security controls.
What must an entity do if it uses cloud storage for ePHI?
Provide vendor with unrestricted PHI access
Store only non-identifiable data
Enter into a BAA with the cloud vendor
Ensure data is publicly accessible
Using cloud storage for ePHI requires a Business Associate Agreement with the vendor to ensure HIPAA compliance and safeguards. Public accessibility or unrestricted vendor access violates HIPAA. Non-identifiable data alone is not sufficient.
Which of these is NOT required by the HIPAA Security Rule?
Risk management processes
Annual independent financial audits
Conducting risk analysis
Access control implementation
The Security Rule does not mandate financial audits. It requires risk analysis, risk management, and access controls to protect ePHI. Financial audits fall outside HIPAA scope.
Which action best demonstrates compliance with Data Backup and Storage Requirements?
Deleting ePHI after 24 hours
Regularly backing up ePHI off-site and testing restoration
Storing backups unencrypted on local drives
Archiving old ePHI in locked cabinets
HIPAA requires covered entities to implement data backup plans, including off-site storage and periodic testing of restoration. Archiving paper records is unrelated. Immediate deletion and unencrypted storage violate rules.
According to NIST SP 800-66, which control family maps to HIPAA's Technical Safeguards?
Awareness and Training only
Contingency Planning and System Acquisition only
Access Control, Audit and Accountability, Integrity, and Transmission Protection
Media Protection and Physical Access Control only
NIST SP 800-66 maps HIPAA's Technical Safeguards to NIST families: Access Control, Audit and Accountability, Integrity, and Transmission Protection. Other families correspond to administrative or physical safeguards.
Under 45 CFR §164.312(e)(1), what must covered entities implement?
Marketing use restrictions
Mechanisms to authenticate electronic PHI source
Facility access control entrances only
Minimum necessary administrative policies
45 CFR §164.312(e)(1) requires entities to implement authentication mechanisms verifying that a person or process seeking access to ePHI is the one claimed. Facility controls are physical safeguards.
Which HIPAA provision allows limited data sets with a Data Use Agreement?
Transactions Rule §162.1002
Security Rule §164.312
Breach Notification Rule §164.404
Privacy Rule §164.514(e)
Privacy Rule §164.514(e) permits disclosures of limited data sets for research, public health, or health care operations under a Data Use Agreement. Other sections address technical or administrative requirements.
Which advanced measure best protects ePHI in transit over public networks?
Physical courier delivery
TLS encryption with mutual authentication
Simple password protection
VPN without encryption
TLS encryption with mutual authentication ensures data confidentiality and authenticity when ePHI traverses public networks. Simple passwords or unencrypted VPNs offer weak protection. Courier delivery is impractical for real-time data.
What is the OCR's position on encryption as a safe harbor for breach notification?
If ePHI is encrypted per NIST standards, a breach need not be reported
Encryption only delays the breach notification deadline
Only physical media encryption qualifies
Encryption does not affect breach notification requirements
OCR states that breaches of encrypted ePHI do not require notification if NIST-approved methods were used and keys are not compromised. Encryption serves as a safe harbor under the Breach Notification Rule.

Study Outcomes

  1. Understand Security vs. Privacy Distinctions -

    Understand within HIPAA how security differs from privacy by exploring the unique goals, scope, and safeguards of each rule in protecting patient information.

  2. Identify Required Business Associate Contract Provisions -

    Identify the key elements a business associate contract must specify, such as permitted uses, disclosure rules, and breach notification duties, to ensure compliance.

  3. Explain Optimal HIPAA Awareness Strategies -

    Explain when you should promote HIPAA awareness within your organization to maintain a culture of compliance and reduce the risk of non-compliance.

  4. Recognize Administrative Simplification Standards -

    Recognize that the administrative simplification section of HIPAA consists of standards like transaction code sets, unique identifiers, and privacy rules to streamline healthcare operations.

  5. Evaluate HIPAA Security Provisions -

    Evaluate statements about HIPAA security provisions by examining required safeguards, risk assessments, and implementation specifications.

  6. Assess Broader Objectives of the Security Rule -

    Assess the overarching objectives of the HIPAA Security Rule in safeguarding electronic protected health information against unauthorized access, use, and loss.

Cheat Sheet

  1. Understanding Security vs. Privacy -

    Within HIPAA how does security differ from privacy? Privacy sets the rules for PHI use and disclosure, while security implements technical, physical, and administrative safeguards to protect that PHI. Remember "PRIVACY = Permissions, SECURITY = Safeguards" as a mnemonic to keep them straight (HHS.gov).

  2. Key Elements of a Business Associate Contract -

    A business associate contract must specify the following: permitted uses and disclosures of PHI, the associate's safeguard obligations, and breach notification duties. For example, include clear language on encryption requirements and a 60-day breach reporting timeline (45 C.F.R. § 164.502(e)).

  3. Timing for Promoting HIPAA Awareness -

    When should you promote HIPAA awareness? Staff training should occur at onboarding, annually, and whenever policies change to reinforce compliance. Use an "EAR" strategy (Employee Awareness & Refresher) to ensure continuous engagement and retention (NIST SP 800-66).

  4. Administrative Simplification Standards -

    The administrative simplification section of HIPAA consists of standards for electronic transactions, code sets, unique identifiers, privacy, and security rules. Recall the acronym "TECPS" (Transactions, Identifiers, Code sets, Privacy, Security) to cover all five pillars (HITECH Act).

  5. True Statements on HIPAA Security Provisions -

    Which of the following is true regarding HIPAA security provisions? They require a risk-based approach, incorporating administrative, physical, and technical safeguards that are scalable to an organization's size. For instance, encryption is an "addressable" specification, meaning entities must assess its applicability (45 C.F.R. § 164.312).
