HIPAA compliance quiz: Test your knowledge of PHI rules

Quick, free HIPAA test with instant results and brief explanations.

Editorial: Review Completed
Created By: Venic Tournaments
Updated Aug 25, 2025
Difficulty: Moderate
2-5mins

This HIPAA compliance quiz helps you check what you know about PHI, privacy, and security. Answer quick questions, spot false statements, and get instant feedback to reinforce key rules. For more practice, try the HIPAA practice test, review the basics in the protected health information quiz, or focus on safeguards with the security rule quiz.

What does PHI stand for in the context of HIPAA?
Patient Health Index
Private Health Information
Protected Health Information
Personal Health Identifier
PHI stands for Protected Health Information, which includes any information about health status, provision of healthcare, or payment for healthcare that can be linked to an individual. Under the HIPAA Privacy Rule, PHI must be safeguarded to protect patient privacy. This term is foundational to understanding HIPAA compliance requirements.
Which of the following entities is considered a Covered Entity under HIPAA?
Healthcare providers, health plans, and healthcare clearinghouses
Healthcare providers only
Government agencies only
Business associates only
HIPAA defines Covered Entities as health plans, healthcare clearinghouses, and healthcare providers who transmit any health information in electronic form. These entities are directly regulated by HIPAA rules to protect patient information. Business associates work on behalf of covered entities but are not themselves covered entities.
Which of the following best describes a Business Associate under HIPAA?
A government organization enforcing HIPAA
An entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity
Any healthcare provider treating patients
A patient who authorizes access to their PHI
A Business Associate is any person or organization, other than a member of the Covered Entity's workforce, that performs certain functions or activities involving PHI on behalf of a Covered Entity. Examples include billing companies, transcription services, and cloud storage providers. Business Associates must sign a Business Associate Agreement to ensure HIPAA compliance.
Which HIPAA rule specifically addresses the protection of electronic PHI (ePHI)?
Breach Notification Rule
Omnibus Rule
Security Rule
Privacy Rule
The HIPAA Security Rule establishes standards to protect individuals' electronic protected health information (ePHI) that is created, received, used, or maintained by a Covered Entity. It includes administrative, physical, and technical safeguards. While the Privacy Rule covers all forms of PHI, the Security Rule is focused on electronic data.
Which of the following is an example of Protected Health Information (PHI)?
A patient's X-ray image with their name visible
Aggregate hospital occupancy rates without names
Public health statistics without individual identifiers
A clinical protocol document with no patient identifiers
PHI is any health information that can be linked to a specific individual. An X-ray image with the patient's name directly identifies that person's medical information. Aggregated or de-identified data does not fall under PHI protection. Safeguarding identifiable health data is a core HIPAA requirement.
Which scenario constitutes a reportable breach of PHI under HIPAA?
Encrypting health data at rest
Calling a patient to confirm their appointment
An employee accidentally emails PHI to the wrong external recipient
Using de-identified data for internal research
Sending PHI to an unauthorized external recipient is considered an impermissible disclosure and is presumed to be a breach unless a risk assessment shows low probability of compromise. De-identified data and normal confirmation calls are allowed uses, and encryption at rest is a safeguard. Covered Entities must notify affected individuals when a breach occurs.
What is the maximum amount of time a Covered Entity has to notify individuals after discovering a breach of unsecured PHI?
60 days
30 days
90 days
120 days
Under the Breach Notification Rule, Covered Entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery of a breach. This 60-day deadline helps ensure timely communication and mitigation. Extensions are not permitted for individual notifications.
What does the Minimum Necessary Standard require for PHI disclosures?
Provide de-identified data to all requesters
Disclose only the minimum PHI needed to accomplish the intended purpose
Limit disclosures to name and date of birth only
Share the full medical record at all times
The Minimum Necessary Standard mandates that Covered Entities make reasonable efforts to disclose only the minimum amount of PHI needed for a particular purpose. It applies to workforce members, business associates, and requests for information. Full records may be shared with patient authorization or for treatment.
Under the HIPAA Privacy Rule, a patient has the right to access and receive a copy of their PHI within how many days of a request?
30 days
20 days
60 days
45 days
Covered Entities must respond to a patient's request for access to PHI within 30 days. An extension of up to 30 additional days is allowed if the entity provides a written statement of reasons. Failure to comply can result in enforcement actions.
Which safeguard category under the HIPAA Security Rule includes mechanisms like access controls and encryption?
Managerial safeguards
Physical safeguards
Administrative safeguards
Technical safeguards
Technical safeguards are the technology and related policies that protect ePHI and control access to it. Examples include access controls, audit controls, integrity controls, and transmission security such as encryption. Administrative safeguards refer to policies and procedures. Physical safeguards protect the actual hardware and facilities.
Which statement best describes the HIPAA Omnibus Rule of 2013?
It revised the Privacy Rule only
It implemented HITECH Act changes
It did all of the above
It expanded liability to Business Associates
The Omnibus Rule implemented provisions of the HITECH Act, strengthened privacy and security protections, expanded liability to Business Associates, and increased penalties for noncompliance. It modified the Privacy, Security, Enforcement, and Breach Notification Rules. It also revised breach definitions and patient rights.
Which of the following is NOT a required element of a risk analysis under the HIPAA Security Rule?
Identifying potential threats and vulnerabilities
Conducting periodic audits of policies and procedures
Implementing security measures to reduce risks
Training the workforce on privacy policies
A risk analysis under the Security Rule involves identifying potential threats and vulnerabilities, assessing current security measures, determining the level of risk, and documenting the results. While workforce training is required under the Security Management Process standard, it is not part of the formal risk analysis process. Audit controls, however, are a tool for risk assessment.
Is encryption of ePHI mandatory under HIPAA?
Only required for PHI at rest
Optional for all entities
No, it is an addressable specification
Yes, it is a required specification
Encryption is classified as an addressable implementation specification under the Security Rule. This means Covered Entities must assess whether encryption is reasonable and appropriate, implement it if so, or document an alternative approach. Addressable does not mean optional; it requires evaluation and documentation.
What is the minimum penalty per violation for an unknowing HIPAA violation under Tier 1?
$10,000
$1,000
$100
$50,000
Tier 1 civil monetary penalties apply to violations where the Covered Entity was unaware and could not have avoided the violation even with reasonable diligence. The minimum penalty for each violation in Tier 1 is $100. The maximum per-year aggregate penalty for Tier 1 is $25,000.
Which element must be included in every Business Associate Agreement?
Obligation to report PHI breaches to the Covered Entity
Permitted uses and disclosures of PHI
All of the above
Requirement to implement safeguards for PHI
A Business Associate Agreement must outline the permitted and required uses and disclosures of PHI by the Business Associate, specify safeguards to protect PHI, and require the Business Associate to report any breaches of unsecured PHI. It formalizes HIPAA responsibilities offloaded to Business Associates.
What is the primary goal of the HIPAA Privacy Rule?
Protect personal health information while allowing data flow needed for healthcare operations
Enforce standardized medical billing codes
Regulate health insurance premium rates
Ensure confidentiality of all employment records
The Privacy Rule is designed to protect individuals' medical records and other personal health information while allowing the flow of information needed to provide quality health care and to protect the public's health and well-being. It tries to balance privacy concerns with the need for coordinated care. It applies to all forms of PHI, electronic or otherwise.
Which of the following is an example of an administrative safeguard under the HIPAA Security Rule?
Implementing a firewall
Conducting security awareness training for employees
Installing a locked door on the server room
Encrypting data at rest
Administrative safeguards are policies and procedures designed to clearly show how the entity will comply with the act. Security awareness training is a key administrative safeguard. Encryption and firewalls are technical safeguards, and locked doors are physical safeguards.
Which activity is directly required by the Security Rule's Audit Controls specification?
Maintaining a locked file cabinet for paper records
Implementing password complexity requirements
Providing annual HIPAA training to staff
Reviewing records of information system activity, such as audit logs
The Audit Controls specification requires Covered Entities to implement hardware, software, and procedural mechanisms that record and examine activity in information systems containing or using ePHI. Reviewing audit logs and access reports is a direct requirement. Training and password policies are other security measures but not audit controls.
Under the HITECH Act, what additional notification is required when a breach affects more than 500 individuals?
Notify only the Office for Civil Rights
No additional notification is required
Notify the media in addition to individuals and HHS
Notify only the affected individuals
The HITECH Act requires Covered Entities to notify the Secretary of HHS, affected individuals, and, if 500 or more individuals are affected, prominent media outlets serving the state or jurisdiction. This additional media notice enhances transparency and public awareness.
Which of the following is a permitted disclosure of PHI without patient authorization?
Selling PHI to a third-party broker
Reporting suspected child abuse to a public health authority
Disclosing PHI to an employer for hiring decisions
Using PHI for direct marketing purposes
HIPAA allows disclosures without patient authorization for certain public health activities, including reporting suspected child abuse or neglect to authorities. Marketing uses, employment decisions, and selling PHI are not permitted without specific authorization. Public health exceptions are defined in the Privacy Rule.
For how long must Covered Entities retain HIPAA-related policies, procedures, and documentation?
3 years
10 years
5 years
6 years
HIPAA requires that policies and procedures, and other required documentation, be retained for six years from the date of creation or last effective date. This retention period ensures that records are available for audits and investigations. Shorter periods are not compliant.
What is the key difference between a de-identified dataset and a limited data set under the HIPAA Privacy Rule?
De-identified data may include patient names, limited data sets cannot
A limited data set must be encrypted, de-identified data does not
De-identified data requires a Data Use Agreement, limited data sets do not
A limited data set may include dates and zip codes, whereas de-identified data cannot include any identifiers
Under the Privacy Rule's Safe Harbor method, de-identified data must have all 18 identifiers removed. A limited data set can include certain identifiers like dates and geographic data (city, state, ZIP code) but excludes direct identifiers. Limited data sets require a Data Use Agreement.
Which framework is specifically recommended by HHS for conducting a HIPAA Security Rule risk analysis?
ITIL
NIST Special Publication 800-30
COBIT 5
ISO/IEC 27001
HHS recommends using the NIST Special Publication 800-30 guide for conducting risk assessments under the Security Rule. This publication provides a structured methodology for assessing threats, vulnerabilities, and risks to ePHI. While other frameworks exist, NIST SP 800-30 directly aligns with HIPAA requirements.
How does HIPAA interact with state laws that are more stringent on privacy protections?
HIPAA and state laws never conflict
HIPAA always preempts any state law on privacy
State laws that are more stringent prevail over HIPAA
HIPAA only defers to federal statutes, not state laws
HIPAA sets a federal floor of privacy protections but allows states to impose stricter privacy laws. When state law is more stringent than HIPAA, the state law prevails. HIPAA preempts less protective state laws only to the extent of the conflict.
Which of the following statements about psychotherapy notes under HIPAA is correct?
They require a specific patient authorization for most disclosures and are kept separate from the rest of the medical record
They may be sold to third parties for research without consent
They can be disclosed for treatment without any authorization
They are treated identically to other PHI under all circumstances
Psychotherapy notes receive enhanced protection under HIPAA. They are kept separate from the medical record and generally require a specific patient authorization for disclosure, except for limited circumstances such as defending the therapist in legal proceedings. They are not treated the same as other PHI and certainly cannot be sold without explicit consent.

Study Outcomes

  1. Identify HIPAA Compliance Requirements -

    Recognize the primary rules and standards that entities must follow to safeguard PHI and comply with federal regulations.

  2. Differentiate Correct and Incorrect HIPAA Statements -

    Analyze quiz items to spot misleading or false claims and reinforce your ability to distinguish accurate HIPAA guidance.

  3. Assess Personal and Organizational Obligations Under HIPAA -

    Clarify when and how HIPAA requires you to comply with its rules, using real-world examples and the criteria for covered entities and business associates.

  4. Evaluate Potential Penalties for HIPAA Violations -

    Outline the range of civil and criminal penalties that can result from non-compliance, including fines and legal repercussions.

  5. Apply Best Practices for PHI Handling -

    Implement safeguards and procedures to protect patient information during storage, transmission, and access.

  6. Test Your HIPAA Knowledge Through Scenarios -

    Engage with targeted questions in the HIPAA compliance quiz to evaluate your understanding and identify areas for improvement.

Cheat Sheet

  1. Covered Entities and Business Associates -

    Under 45 CFR §160.103, "covered entities" (e.g., healthcare providers, health plans, and clearinghouses) and any business associate handling PHI must comply with HIPAA. Remember: if you touch, store, or transmit PHI, HIPAA applies to you too, so every link in the chain shares responsibility. A quick mnemonic: "CPB" (Covered, Partnered, Bound) to recall who falls under HIPAA.

  2. Defining Protected Health Information (PHI) -

    PHI includes any identifiable health data tied to the 18 HIPAA identifiers (like name, birth date, SSN), as outlined in 45 CFR §164.514. Use the "AID-MAPS" memory trick - Address, ID numbers, Dates, Medical info, Account numbers, Phone, Social - and you'll ace the question "which statement is incorrect regarding HIPAA compliance."

  3. Privacy Rule and Minimum Necessary -

    The Privacy Rule (45 CFR §164.500 to §164.534) sets limits on uses and disclosures and grants patients rights over their data, including access and amendment. Always apply the "minimum necessary" principle: only share what's essential for the task at hand. When you test your HIPAA knowledge in a compliance quiz, spotting over-disclosure scenarios becomes a breeze.

  4. Security Rule Safeguards -

    NIST SP 800-66 categorizes safeguards into Administrative (policies/training), Physical (facility access controls), and Technical (encryption, audit logs). Recall "APT" to remember these three control types and ensure your ePHI is shielded. Regular risk assessments are key to meeting HIPAA compliance requirements and preventing breaches.

  5. Enforcement and Penalties -

    OCR enforces HIPAA through tiered civil penalties ranging from $117 to $1.76 million per violation category per year (45 CFR §160.404). Criminal penalties can include fines and imprisonment when willful neglect or malicious intent is proven. Stay sharp on enforcement trends by reviewing annual HHS breach reports so you're ready for any HIPAA compliance quiz challenge.

Powered by: Quiz Maker