Unlock hundreds more features
Save your Quiz to the Dashboard
View and Export Results
Use AI to Create Quizzes and Analyse Results

OR
Sign inSign in with Facebook
Sign inSign in with Google
Quizzes > Health & Medicine

HIPAA Quiz: phi includes all except - know what is not PHI

Quick, free protected health information quiz. Instant results.

Editorial: Review CompletedCreated By: Maryam BuhamadUpdated Aug 24, 2025
Difficulty: Moderate
2-5mins
Learning OutcomesCheat Sheet
Paper art illustration for free HIPAA knowledge quiz covering PHI ePHI security standards on sky blue background

This quiz helps you practice what counts as PHI and ePHI under HIPAA, so you can spot what is not PHI in common scenarios. See related topics with our HIPAA security rule quiz and protected health information safeguards quiz, or explore gray areas in a HIPAA incidental disclosure quiz. Get quick feedback and learn as you go.

What does PHI stand for in HIPAA regulations?
Private Health Insurance
Personal Health Index
Public Health Initiative
Protected Health Information
PHI stands for Protected Health Information and refers to any identifiable health information related to an individual. It encompasses a wide range of data points such as medical records and billing information. HIPAA's Privacy Rule establishes standards for protecting the privacy of PHI.
What does the "e" in ePHI represent?
External
Electronic
Encrypted
Enhanced
The "e" in ePHI stands for Electronic Protected Health Information, meaning PHI created, stored, transmitted or received in electronic form. ePHI is subject to the HIPAA Security Rule's administrative, physical, and technical safeguards. Proper controls must be in place to protect ePHI from unauthorized access.
Which of the following is NOT considered Protected Health Information under HIPAA?
Employment status
Medical record number
Social Security number
Patient diagnosis
Employment status alone is not considered PHI unless it is linked with an individual's health information. PHI covers any health-related data only when it identifies or can be used to identify the person. HIPAA's Privacy Rule defines 18 identifiers that render information as PHI.
Which entity is considered a HIPAA covered entity?
A health plan
A software developer
A patient's family member
A janitorial service
Under HIPAA, covered entities include health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. These entities must comply with HIPAA's Privacy and Security Rules. Others may become business associates if they handle PHI.
Which part of HIPAA governs the safeguarding of electronic PHI?
Enforcement Rule
Security Rule
Privacy Rule
Breach Notification Rule
The HIPAA Security Rule specifically addresses the protection of electronic PHI (ePHI). It sets standards for administrative, physical, and technical safeguards to ensure confidentiality, integrity, and availability of ePHI. The Privacy Rule covers both electronic and non-electronic PHI.
Which U.S. department enforces HIPAA regulations?
Federal Trade Commission
Department of Education
Department of Health and Human Services
Department of Justice
The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services enforces HIPAA's Privacy and Security Rules. OCR investigates complaints, conducts compliance reviews, and can impose civil monetary penalties. Other agencies may enforce related issues, but HIPAA enforcement lies with HHS.
Under the HIPAA Privacy Rule, patients have the right to:
Access and obtain a copy of their PHI
Destroy their PHI on demand
Transfer their PHI to a foreign government
Sell their PHI
HIPAA gives patients the right to access and obtain copies of their PHI maintained by covered entities. They can also request corrections or amendments to their records. These rights are core to patient control over their health information.
How many identifiers must be removed to de-identify data using the Safe Harbor method?
18
25
15
10
The Safe Harbor method requires removal of 18 types of identifiers from the data set to be considered de-identified under HIPAA. Once all 18 identifiers are removed, the data is no longer PHI and is not subject to HIPAA. This includes names, geographic subdivisions smaller than a state, and full-face photos.
Which of these identifiers is considered PHI under HIPAA?
Hair color
Favorite food
Patient's zip code
Eye color
Patient zip codes are one of the 18 identifiers that link information to an individual, making it PHI. Even partial zip codes can be sensitive depending on population size. Other demographic details like hair or eye color alone are not PHI unless combined with identifiers.
The Minimum Necessary rule requires covered entities to:
Retain all PHI for at least six years
Use only the least amount of PHI needed for a purpose
Encrypt all PHI
Share PHI freely within the organization
HIPAA's Minimum Necessary standard dictates that only the minimum amount of PHI needed to accomplish an intended purpose should be used or disclosed. This helps limit unnecessary exposure of sensitive information. Exceptions apply for treatment purposes and disclosures required by law.
The Expert Determination method for de-identification requires:
Statistical analysis showing very small risk of re-identification
Patient consent
Encryption of the data set
Safe Harbor removal of 18 identifiers
Expert Determination involves a qualified expert using statistical and scientific principles to determine that the risk of re-identifying individuals is very small. Unlike Safe Harbor, it does not require removal of a fixed list of identifiers. Documentation of the methods and analysis is necessary.
A business associate is:
A state licensing board
An entity that performs services using PHI on behalf of a covered entity
A patient representative
An insurer's underwriter
A business associate performs certain functions or activities that involve the use or disclosure of PHI on behalf of a covered entity, such as billing, claims processing, or data storage. They must sign a Business Associate Agreement (BAA) to ensure HIPAA compliance. BAAs outline responsibilities for safeguarding PHI.
Which of the following actions typically requires patient authorization under HIPAA?
Use of PHI for treatment
Use of PHI for payment
Use of PHI for healthcare operations
Use of PHI for marketing purposes
Using PHI for marketing purposes generally requires specific patient authorization under HIPAA unless it qualifies as a limited case or is part of a face-to-face communication. Treatment, payment, and healthcare operations (TPO) do not require separate authorization. Marketing authorizations must be obtained in writing.
Under HIPAA, a covered entity must report a breach of unsecured PHI within how many days of discovery?
60 days
30 days
120 days
90 days
The Breach Notification Rule requires covered entities to notify affected individuals, the HHS Secretary, and in certain cases the media, within 60 days of discovering a breach of unsecured PHI. Timely reporting ensures transparency and timely mitigation. Extensions may apply only under extraordinary circumstances.
Which safeguard category includes facility access controls under the HIPAA Security Rule?
Physical Safeguards
Administrative Safeguards
Organizational Requirements
Technical Safeguards
Physical Safeguards under the HIPAA Security Rule focus on physical access to electronic information systems and related buildings and equipment. Facility access controls, workstation security, and device/record disposal are examples. These controls protect ePHI from unauthorized physical access.
What is an example of an administrative safeguard under the HIPAA Security Rule?
Locked filing cabinets
Encryption of data at rest
Conducting a risk analysis
Firewall configurations
Administrative safeguards include policies and procedures designed to clearly show how the entity will comply with the act. Conducting a risk analysis is the first step in implementing required security measures. It identifies vulnerabilities and potential threats to ePHI.
Under Safe Harbor, which date may be retained after de-identification?
Exact dates of service
Admission and discharge year
Full date of birth
Date of death
Under the Safe Harbor method, specific dates such as birth, admission, discharge and death dates must be removed except the year can be retained. Retaining only the year helps preserve some research utility while protecting privacy. Full dates would allow re-identification.
What is an example of an incidental use of PHI that does NOT violate HIPAA?
Posting patient photos on social media
Overhearing a patient's name during check-in
Leaving a chart in a nurse's station during shift change
Discussing patient information in a crowded elevator
Incidental use or disclosure is secondary to an otherwise permitted use or disclosure and cannot reasonably be prevented. Overhearing a name at check-in is considered incidental and allowed. Covered entities must apply reasonable safeguards to minimize incidental disclosures.
Which section of HIPAA covers Breach Notification requirements?
Security Rule
Privacy Rule
Enforcement Rule
Breach Notification Rule
The Breach Notification Rule was added by the HITECH Act and requires covered entities and business associates to notify individuals, HHS, and in certain cases the media of breaches of unsecured PHI. It operates alongside the Privacy and Security Rules. Notification must occur within specific timeframes.
Under a Limited Data Set, which piece of information may be disclosed with a Data Use Agreement?
Email addresses
Social Security number
Dates of service
Patient full address
A Limited Data Set may include certain dates (e.g., service dates) and city, state, and zip code. Identifiers like full address, SSN, and email must be removed. A Data Use Agreement must be in place before sharing a Limited Data Set.
What is the primary purpose of a Notice of Privacy Practices under HIPAA?
To inform patients of data breach procedures
To notify the media of privacy policies
To certify that an entity is HIPAA compliant
To inform patients about how their PHI will be used and disclosed
The Notice of Privacy Practices explains how a covered entity may use and disclose PHI, patients' rights regarding their information, and the entity's legal duties. It must be provided to patients on first service and posted publicly. It ensures transparency and compliance.
Under HIPAA, patients may request an amendment of their PHI within what time frame?
90 days
30 days
45 days
60 days
HIPAA requires covered entities to act on a patient's request to amend their PHI within 60 days of receipt. One 30-day extension is allowed if the entity provides a written explanation. Patients can request corrections to ensure accuracy.
Which of the following is an example of an administrative safeguard under the HIPAA Security Rule?
Conducting regular security risk assessments
Encryption of ePHI
Locked server room doors
Automatic log-off for inactive sessions
Administrative safeguards include policies and procedures for managing the selection and execution of security measures. Conducting periodic security risk assessments identifies vulnerabilities and maintains compliance. Technical and physical safeguards address system and facility protections, respectively.
In the event of a conflict between HIPAA and a more stringent state privacy law, which standard should a covered entity follow?
The more stringent law
HIPAA only
Either law at the covered entity's discretion
State law only
When state law is more stringent than HIPAA, the state law prevails to provide greater protection of PHI. Covered entities must comply with the law that offers the highest level of privacy. This rule ensures individuals receive the maximum available protection.
0
{"name":"What does PHI stand for in HIPAA regulations?", "url":"https://www.quiz-maker.com/QPREVIEW","txt":"What does PHI stand for in HIPAA regulations?, What does the \"e\" in ePHI represent?, Which of the following is NOT considered Protected Health Information under HIPAA?","img":"https://www.quiz-maker.com/3012/images/ogquiz.png"}

Study Outcomes

  1. Identify PHI Exceptions -

    Distinguish which data elements are not considered protected health information in HIPAA protected health information quiz scenarios.

  2. Differentiate ePHI Components -

    Analyze various electronic health information elements and recognize exceptions in ePHI contexts using HIPAA ePHI regulations trivia insights.

  3. Recall HIPAA Security Standards -

    Summarize core requirements from the HIPAA security standards quiz to safeguard patient data effectively.

  4. Evaluate Compliance Scenarios -

    Apply quiz-based case studies to determine HIPAA compliance and handle sensitive information appropriately.

  5. Apply Privacy Rule Principles -

    Interpret key privacy rules governing PHI disclosures and operationalize them in real-world healthcare settings.

  6. Strengthen Data Handling Practices -

    Formulate best practices for managing both PHI and ePHI under HIPAA regulations to enhance data security.

Cheat Sheet

  1. Core Components of PHI: 18 HIPAA Identifiers -

    Protected Health Information (PHI) covers any data that can identify an individual in a medical context, including names, dates, and account numbers. HIPAA outlines 18 specific identifiers (45 CFR ยง 164.514); use the mnemonic "ID-PHI" (Identifiers Define PHI) to remember them quickly.

  2. phi includes all of the following except: Recognizing De-Identified Data -

    Under the Privacy Rule's Safe Harbor method, data stripped of all 18 identifiers is not PHI. Remember "DAD: De-Identification Always De-PHI" to recall that aggregate or fully de-identified datasets fall outside PHI protections.

  3. Understanding ePHI: All of the Following Can Be Considered ePHI Except -

    Electronic Protected Health Information (ePHI) is any PHI created, stored, or transmitted electronically, such as email or EHR entries, but printed paper records and purely verbal communications don't qualify. To ace the HIPAA ePHI regulations trivia, think of "e for electronic only" to distinguish digital files from non-electronic formats.

  4. Privacy Rule vs Security Rule: Distinct Mandates -

    The HIPAA Privacy Rule governs use and disclosure of all PHI, while the Security Rule specifically protects the CIA triad (confidentiality, integrity, availability) of ePHI. Use the acronym "PIC" (Privacy for All PHI, Information Security for ePHI's CIA) to keep their scopes straight.

  5. Avoiding Overexposure: Minimum Necessary Principle -

    HIPAA's Minimum Necessary Standard mandates accessing only the least amount of PHI needed for a purpose, minimizing the risk of unnecessary disclosures. Recall "Less is More" as a mental cue when taking the HIPAA protected health information quiz to ensure compliance with disclosure limitations.

Make a Quiz (FREE) Copy & Edit This Quiz Create a Quiz with AI

Diseases & Conditions Quizzes

Powered by: Quiz Maker