Workplace Training

HIPAA Compliance Test: Check Your Privacy and Security Know-How

Difficulty: Moderate · 24 questions · 12 min

This HIPAA privacy compliance quiz targets the Privacy Rule and Security Rule decisions that OCR audits and investigations scrutinize: permitted disclosures, minimum necessary, ePHI safeguards, and breach risk assessment. OCR enforcement can require corrective action plans and civil money penalties that are inflation-adjusted annually and can reach tens of thousands of dollars per violation, with annual caps in the millions. Use this free online HIPAA test as a privacy and security training pre-test grounded in real workflows.

1. Which of the following is PHI under HIPAA?
2. The HIPAA minimum necessary standard generally does not apply when an individual requests access to their own PHI.

True / False

3. A nurse shares relevant PHI with a consulting specialist to coordinate care. Which HIPAA pathway most directly permits this disclosure without a separate Authorization?
4. Which statement best describes how “minimum necessary” applies to disclosures for treatment?
5. A suspected privacy or security incident should be escalated immediately even if you are not yet sure it is a reportable breach.

True / False

6. Which activity most likely requires a written HIPAA Authorization (absent another specific permitted basis)?
7. If PHI is sent using a password-protected file, the disclosure is automatically permitted under the HIPAA Privacy Rule.

True / False

8. A patient’s adult child asks for updates and claims to be the patient’s personal representative. What is the best next step?
9. A patient asks your clinic to email lab results to a new personal email address. Select all that apply.

Select all that apply

10. Your practice wants to start using a new cloud transcription tool that will receive dictated visit notes containing PHI. What should happen before staff upload any PHI?
11. A billing specialist needs diagnosis codes and dates of service to submit a claim. What is the best minimum-necessary approach?
12. Which situations commonly require a HIPAA Authorization? Select all that apply.

Select all that apply

13. If a vendor stores ePHI in encrypted form, a Business Associate Agreement (BAA) is not needed.

True / False

14. Under HIPAA, breach notification to affected individuals must generally be made:
15. A patient’s spouse calls asking for test results. The patient is not present and there is no documented permission. What is the best response?
16. Arrange these steps to correctly handle a third-party request for information.

Put in order

1. Determine whether Authorization or another permission pathway is required
2. Classify the request as Treatment, Payment, Operations, or non-TPO
3. Verify identity/authority and apply minimum necessary if applicable
4. Clarify the requester and purpose
5. Disclose using reasonable safeguards and document
17. Your organization is preparing for an OCR audit focused on the Security Rule. Select all that apply.

Select all that apply

18. Arrange the steps a staff member should follow before disclosing PHI for a health care operations request (e.g., internal quality review).

Put in order

1. Limit the data to the minimum necessary for that purpose
2. Document the disclosure as required by policy
3. Confirm the purpose qualifies as health care operations
4. Verify the requester’s role/need-to-know
5. Apply reasonable safeguards during sharing (secure channel, correct recipient)
19. When performing the HIPAA breach risk assessment (to determine if there is a low probability of compromise), select all that apply.

Select all that apply

20. You suspect a phishing email led to unauthorized access to an employee’s mailbox containing ePHI. Select all that apply as appropriate immediate actions.

Select all that apply

21. Under HIPAA, an impermissible use or disclosure of PHI is presumed to be a breach unless:
22. Arrange the immediate response steps after discovering PHI may have been sent to the wrong recipient by email.

Put in order

1. Escalate to the privacy/security lead
2. Contain/mitigate (recall message if possible, request deletion)
3. Perform/document the breach risk assessment
4. Determine notification obligations (individuals/HHS/media)
5. Preserve evidence (email headers, logs, screenshots)
23. Arrange the core components of a HIPAA Security Rule risk analysis in a logical sequence.

Put in order

1. Identify threats and vulnerabilities
2. Assess likelihood and impact to determine risk level
3. Identify where ePHI is created/received/maintained/transmitted
4. Document and update the analysis periodically
5. Select and implement risk management measures
24. Which is an example of a technical safeguard under the HIPAA Security Rule?

Disclaimer

This quiz is for educational and training purposes only. It does not constitute professional certification or legal compliance verification.

Watch Out

Most-Common HIPAA Misses: Privacy Rule vs Security Rule, Minimum Necessary, and Breach Triggers

High scores on a HIPAA exam often come down to classifying the rule first (Privacy, Security, or Breach Notification), then applying the right exception, safeguard, or timeline. These are the patterns that repeatedly drive incorrect answers and real-world findings.

1) Treating a Privacy Rule disclosure as an “IT problem”

Mistake: Assuming passwords/encryption automatically make an impermissible disclosure “okay.” Avoid it: Decide whether the use/disclosure was permitted; then evaluate whether ePHI safeguards were reasonable and documented.

2) Misusing “minimum necessary”

Mistake: Sending full charts for routine requests, or limiting a patient’s own access by citing minimum necessary. Avoid it: Apply minimum necessary to most non-treatment disclosures and internal access; remember it generally does not apply to disclosures for treatment or disclosures to the individual.

3) Over-expanding TPO (Treatment/Payment/Operations)

Mistake: Labeling employer calls, marketing outreach, or “FYI” disclosures as operations. Avoid it: Map the purpose to a defined pathway; when it’s not clearly TPO or a specific regulatory permission, expect to need a valid authorization.

4) Weak identity and authority verification

Mistake: Releasing PHI to a family member, new email address, or “personal representative” without confirming authority and patient preference. Avoid it: Use standardized verification steps and document why the disclosure was allowed.

5) Vendor tools used before a Business Associate Agreement (BAA)

Mistake: Uploading PHI into scheduling, analytics, texting, AI transcription, or cloud storage tools without confirming business associate status and signing a BAA. Avoid it: Maintain a PHI vendor inventory and a “no BAA, no PHI” control.

6) Delayed incident escalation and weak documentation

Mistake: Waiting for certainty before escalating, or skipping the written breach risk assessment. Avoid it: Escalate immediately, preserve logs/messages, and document the risk assessment and notification decision.

Quick Ref

HIPAA Privacy + Security + Breach Notification Quick Reference (Print/Save as PDF)

Printable tip: Print this cheat sheet or save it as a PDF for point-of-disclosure checks (before you click “send”).

PHI vs ePHI

  • PHI: individually identifiable health information in any form (spoken, paper, electronic) held by a covered entity or business associate.
  • ePHI: PHI transmitted or maintained electronically; triggers Security Rule safeguards.

Privacy Rule: permitted pathways (start here)

  • TPO: Treatment, Payment, Health Care Operations (apply role/purpose logic; do not stretch it to marketing or employer curiosity).
  • To the individual: patient access and copies; confirm identity; provide in the requested form/format when readily producible.
  • Required/Permitted by law: specific public health, abuse/neglect, oversight, law enforcement, and other enumerated disclosures—match the fact pattern to the category.
  • Authorization: required for many non-routine disclosures (e.g., most marketing, many third-party releases not covered by a permission).

Minimum necessary (common exam trap)

  • Use role-based access and purpose-based templates for routine disclosures.
  • Generally does not apply to disclosures for treatment or disclosures to the individual.
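The role-based, purpose-based template approach above (and the billing and payer-audit drills later on this page) can be enforced in code rather than left to judgment at the point of disclosure. The following is an added example written for this page, not code from the quiz or from any HIPAA product: the roles, purposes, field names, the template table and the sample chart are constructed for illustration, and a real deployment would take them from the organization's documented minimum-necessary policy. It filters a chart down to the fields a requester may receive, applies the treatment and individual-access exemptions, keeps psychotherapy notes behind a specific authorization, refuses requests that fit no pathway, and writes an audit entry for every release.

```python
"""Minimum-necessary field filter with purpose templates and an audit entry.

Added example for this page, not code from the quiz or from any HIPAA
product. The roles, purposes, field names, the template table and the
sample chart are all constructed for illustration; a real deployment takes
them from the organization's documented minimum-necessary policy.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Routine-disclosure templates (45 CFR 164.514(d)): which fields a role may
# receive for a routine purpose. Assumed values, not the page's.
TEMPLATES: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("billing", "payment"): frozenset(
        {"patient_id", "dates_of_service", "diagnosis_codes", "procedure_codes"}),
    ("quality_review", "operations"): frozenset(
        {"patient_id", "dates_of_service", "diagnosis_codes", "outcome"}),
    ("front_desk", "operations"): frozenset({"patient_id", "dates_of_service"}),
}

# Minimum necessary does not apply to disclosures for treatment or to the
# individual (45 CFR 164.502(b)(2)).
EXEMPT_PURPOSES = frozenset({"treatment", "individual_access"})

# Psychotherapy notes are carved out separately: they need a specific
# authorization (164.508(a)(2)) and sit outside the right of access
# (164.524(a)(1)(i)), so neither a template nor an exemption releases them.
PSYCHOTHERAPY_NOTES = "psychotherapy_notes"


@dataclass(frozen=True)
class AuditEntry:
    """One audit-control record (164.312(b)) for a disclosure decision."""
    timestamp: str
    requester_id: str
    role: str
    purpose: str
    fields_released: Tuple[str, ...]
    basis: str


AUDIT_LOG: List[AuditEntry] = []


def minimum_necessary(record: Dict[str, object], requester_id: str, role: str,
                      purpose: str,
                      authorized_fields: Optional[FrozenSet[str]] = None,
                      now: Optional[datetime] = None) -> Dict[str, object]:
    """Return the subset of `record` this request may receive, and log it.

    Raises PermissionError when no pathway covers the request, so a caller
    cannot silently fall through to "send the whole chart".
    """
    if purpose in EXEMPT_PURPOSES:
        allowed = frozenset(record) - {PSYCHOTHERAPY_NOTES}
        basis = f"{purpose}: minimum necessary not applied (164.502(b)(2))"
    elif purpose == "authorization":
        if not authorized_fields:
            raise PermissionError("authorization pathway needs the fields it names")
        allowed = authorized_fields      # may name psychotherapy_notes explicitly
        basis = "valid authorization (164.508)"
    else:
        try:
            allowed = TEMPLATES[(role, purpose)]
        except KeyError:
            raise PermissionError(
                f"no routine template for role={role!r} purpose={purpose!r}; "
                "reclassify the request or obtain an authorization") from None
        basis = f"routine template {role}/{purpose} (164.514(d))"

    released = {k: v for k, v in record.items() if k in allowed}
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    AUDIT_LOG.append(AuditEntry(stamp, requester_id, role, purpose,
                                tuple(sorted(released)), basis))
    return released


# Constructed sample chart; no real data.
SAMPLE_CHART: Dict[str, object] = {
    "patient_id": "P-0001",
    "dates_of_service": ["2026-01-12"],
    "diagnosis_codes": ["J06.9"],
    "procedure_codes": ["99213"],
    "outcome": "resolved",
    "medications": ["amoxicillin"],
    "psychotherapy_notes": "session narrative",
}

if __name__ == "__main__":
    print(sorted(minimum_necessary(SAMPLE_CHART, "u-billing-7", "billing", "payment")))
    print(sorted(minimum_necessary(SAMPLE_CHART, "u-rn-3", "nurse", "treatment")))
    try:
        minimum_necessary(SAMPLE_CHART, "u-fd-1", "front_desk", "marketing")
    except PermissionError as exc:
        print("blocked:", exc)
    for entry in AUDIT_LOG:
        print(entry)
```

The design point is the failure mode: an unknown role/purpose pair raises rather than returning the whole record, so "marketing" or "employer inquiry" cannot ride a routine template, and the audit entry records the legal basis alongside the fields released, which is what an OCR reviewer asks for.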

Security Rule: safeguard checklist

  • Administrative: risk analysis + risk management, workforce training, incident procedures, contingency planning, periodic evaluation.
  • Physical: facility access controls, workstation/device controls, secure disposal and media re-use.
  • Technical: unique user IDs, access control, audit controls/logs, integrity controls, transmission security (encryption where appropriate).
  • “Addressable” ≠ optional: implement or document why an alternative meets the standard.

Breach Notification: decision workflow

  1. Was there an impermissible use/disclosure of unsecured PHI? If yes, it’s presumed a breach unless low probability of compromise is shown.
  2. Document the 4-factor risk assessment: (1) nature/extent of PHI, (2) who received it, (3) was it actually acquired/viewed, (4) mitigation.
  3. Timelines: notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; notify HHS at the same time as individuals when 500 or more individuals are affected, otherwise log the breach and report it to HHS within 60 days after the end of the calendar year in which it was discovered; notify prominent media outlets when more than 500 residents of a state or jurisdiction are affected; business associates notify the covered entity without unreasonable delay and no later than 60 calendar days after the business associate discovers the breach.
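The decision workflow above, and the stolen-laptop and misdirected-email drills later on this page, reduce to an ordered set of tests and three clocks, and the ordering is where people slip (checking "was it encrypted?" after deciding it was a breach, or forgetting that the small-breach HHS clock runs from year end). What follows is an added example written for this page, not code from the quiz or from HHS: the Incident and RiskAssessment fields and the three sample incidents are constructed, and the rules it encodes are 45 CFR 164.402 (definitions and the four-factor assessment), 164.404 (individuals), 164.406 (media), 164.408 (HHS) and 164.410 (business associates).

```python
"""Breach Notification Rule decision helper: unsecured-PHI check, the
presumption of breach with its exceptions and four-factor rebuttal, and
the notification clocks.

Added example for this page, not code from the quiz or from HHS. The
Incident/RiskAssessment fields and the sample incidents are constructed;
the rules encoded are 45 CFR 164.402 (definitions, risk assessment),
164.404 (individuals), 164.406 (media), 164.408 (HHS) and 164.410
(business associates).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# "Without unreasonable delay and in no case later than 60 calendar days"
# after discovery (164.404(b), 164.410(b)). Count from the day the breach is
# known or reasonably should have been known, not the day triage finished.
OUTER_LIMIT = timedelta(days=60)
HHS_CONTEMPORANEOUS_THRESHOLD = 500   # 164.408(b): 500 or more individuals
MEDIA_THRESHOLD = 500                 # 164.406(a): more than 500 residents of a State


@dataclass(frozen=True)
class RiskAssessment:
    """The four factors of 164.402(2), each recorded with its reasoning."""
    nature_and_extent: str
    unauthorized_recipient: str
    acquired_or_viewed: str
    mitigation: str
    low_probability_of_compromise: bool   # the documented conclusion

    def is_complete(self) -> bool:
        return all((self.nature_and_extent, self.unauthorized_recipient,
                    self.acquired_or_viewed, self.mitigation))


@dataclass(frozen=True)
class Incident:
    discovered: date
    secured_per_hhs_guidance: bool   # encrypted/destroyed per HHS guidance, key not compromised
    individuals_affected: int
    residents_by_state: Dict[str, int] = field(default_factory=dict)
    statutory_exception: Optional[str] = None   # a 164.402(1) exception, if one applies
    assessment: Optional[RiskAssessment] = None
    reported_by_business_associate: bool = False


def classify(inc: Incident) -> Tuple[bool, str]:
    """Apply the tests in order: secured? excepted? presumption rebutted?"""
    if inc.secured_per_hhs_guidance:
        return False, "not unsecured PHI: secured per HHS guidance, rule does not apply"
    if inc.statutory_exception:
        return False, f"outside 'breach' by 164.402(1) exception: {inc.statutory_exception}"
    if inc.assessment is None or not inc.assessment.is_complete():
        return True, "presumed breach: four-factor assessment missing or incomplete"
    if inc.assessment.low_probability_of_compromise:
        return False, "presumption rebutted: documented low probability of compromise"
    return True, "breach: assessment does not show low probability of compromise"


def deadlines(inc: Incident) -> Dict[str, object]:
    """Return the classification and, if notifiable, each outer deadline."""
    notifiable, reason = classify(inc)
    out: Dict[str, object] = {"notifiable": notifiable, "reason": reason}
    if not notifiable:
        return out
    individuals_due = inc.discovered + OUTER_LIMIT
    out["individuals_no_later_than"] = individuals_due
    if inc.individuals_affected >= HHS_CONTEMPORANEOUS_THRESHOLD:
        out["hhs_no_later_than"] = individuals_due          # with individual notice
    else:
        year_end = date(inc.discovered.year, 12, 31)
        out["hhs_no_later_than"] = year_end + OUTER_LIMIT    # annual log
    out["media_notice_states"] = sorted(
        s for s, n in inc.residents_by_state.items() if n > MEDIA_THRESHOLD)
    if inc.reported_by_business_associate:
        # `discovered` is then the BA's discovery date; the covered entity's own
        # clock starts when it learns of the breach (or at BA discovery if the
        # BA acts as its agent).
        out["ba_to_covered_entity_no_later_than"] = individuals_due
    return out


# Constructed incidents; no real data.
MISDIRECTED_EMAIL = Incident(
    discovered=date(2026, 1, 15), secured_per_hhs_guidance=False,
    individuals_affected=1, residents_by_state={"NY": 1},
    assessment=RiskAssessment(
        nature_and_extent="name, diagnosis and lab values",
        unauthorized_recipient="another patient, no confidentiality duty",
        acquired_or_viewed="recipient replied, so the message was opened",
        mitigation="deletion requested; no written attestation received",
        low_probability_of_compromise=False))
STOLEN_ENCRYPTED_LAPTOP = Incident(
    discovered=date(2026, 2, 3), secured_per_hhs_guidance=True,
    individuals_affected=4000, residents_by_state={"CA": 4000})
UNASSESSED_PORTAL_EXPOSURE = Incident(
    discovered=date(2026, 2, 10), secured_per_hhs_guidance=False,
    individuals_affected=1200, residents_by_state={"TX": 700, "OK": 500})

if __name__ == "__main__":
    for name, inc in [("misdirected email", MISDIRECTED_EMAIL),
                      ("stolen encrypted laptop", STOLEN_ENCRYPTED_LAPTOP),
                      ("portal exposure", UNASSESSED_PORTAL_EXPOSURE)]:
        print(name, deadlines(inc))
```

Two details the code makes visible: the HHS and media thresholds are not the same test (500 or more individuals in total versus more than 500 residents of one state), and an incident with no written four-factor assessment is treated as a breach, which is the rule's default and the reason "wait and see" fails on the quiz and in an investigation.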

Documentation retention (practice-ready)

  • Keep policies/procedures, training evidence, risk analyses, and breach assessments for the required retention period (commonly 6 years under HIPAA documentation rules).
Practice

HIPAA Decision Drills: Disclosures, Safeguards, and Breach Calls You’ll See on the Quiz

Use these mini-scenarios to practice the same judgment calls the quiz questions target. For each, identify: (1) which rule applies, (2) the allowed pathway, and (3) what to document.

Disclosure + minimum necessary

  • A clinic sends a full chart to a payer when only dates of service and a problem list are requested for a routine audit. What should have been limited, and how could templates prevent repeat errors?
  • A patient requests their entire record by email. Can you deny the request due to “minimum necessary,” and what security steps are reasonable before sending?

TPO vs authorization

  • A vendor offers “wellness outreach” calls on behalf of the clinic using appointment history. Is this operations or marketing, and what contract/permission is required?
  • An employer calls asking whether an employee “kept their appointment” after a workplace injury. What pathway (if any) allows this disclosure?

Family, friends, and personal representatives

  • A spouse requests lab results over the phone and says the patient “always shares everything.” What verification and patient-preference steps are required before discussing results?
  • A parent requests an adult child’s information and claims to be the personal representative. What documentation or authority must be confirmed?

Security incidents and breach notification

  • A laptop with ePHI is stolen from a car. What facts determine whether the PHI is “secured” and whether notification is required?
  • A staff member emails PHI to the wrong patient with no encryption. What immediate mitigation steps matter for the breach risk assessment?
  • Ransomware encrypts a shared drive with scheduling files. Which Security Rule safeguards should already exist (backups, incident procedures), and what documentation must follow?

Business associates

  • A team uploads visit summaries to a new transcription/AI tool “just for speed” before contracting. Is a BAA needed, and what should procurement block by default?
Highlights

Five High-Yield HIPAA Skills This Quiz Reinforces

  1. Classify first: decide whether the issue is a Privacy Rule permission problem, a Security Rule safeguard problem, or a Breach Notification decision—then apply the right test.
  2. Use “minimum necessary” correctly: limit non-treatment disclosures and internal access by role and purpose, but don’t use it to restrict a patient’s own access request.
  3. Don’t stretch TPO: when the purpose is marketing, employer curiosity, or a third party’s “information only” request, stop and validate the exact legal pathway or authorization requirement.
  4. Make risk analysis operational: tie Security Rule safeguards (MFA, logging, backups, device controls) to documented risks, and update when systems or workflows change.
  5. Document breach decisions end-to-end: preserve evidence, perform the four-factor assessment, record mitigation, and meet the 60-day outer limit for required notifications.
Reference

HIPAA Privacy + Security Glossary (With Usage Examples)

PHI (Protected Health Information)
Individually identifiable health information held by a covered entity or business associate in any form. Example: A voicemail that includes a patient’s name and diagnosis is PHI.
ePHI
PHI created, received, maintained, or transmitted electronically. Example: A lab result stored in an EHR database is ePHI.
TPO (Treatment, Payment, Health Care Operations)
Core categories that permit many routine uses/disclosures without authorization. Example: Sending a medication list to a consulting specialist for treatment is TPO.
Minimum Necessary
Requirement to limit PHI used/disclosed/requested to what’s needed for the purpose (with key exceptions). Example: Billing staff should access only codes and dates of service, not psychotherapy notes.
Business Associate (BA)
A vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity (or of another business associate). Example: A cloud document platform storing referral packets containing PHI is typically a BA.
BAA (Business Associate Agreement)
Contract requiring the BA to safeguard PHI and comply with HIPAA obligations. Example: Execute a BAA before enabling a third-party scheduling tool to ingest appointment notes containing PHI.
Breach (of unsecured PHI)
An impermissible use/disclosure presumed to be a breach unless a documented assessment shows a low probability of compromise. Example: A misdirected email with diagnoses to an external recipient triggers a breach analysis.
Addressable (Security Rule specification)
A safeguard you must implement or adopt an equivalent alternative and document the rationale. Example: If a specific encryption method isn’t reasonable, document the compensating control that achieves the standard.
Links

Authoritative HIPAA Study Sources (Official Guidance and Standards)

FAQ

HIPAA Compliance Test FAQ: What the Quiz Is Really Measuring

What’s the fastest way to decide if a disclosure is allowed under the HIPAA Privacy Rule?

Start by classifying the purpose: Treatment, Payment, Health Care Operations, or a specifically permitted/required category (such as certain public health or oversight disclosures). If it doesn’t clearly fit a permission, assume you need a valid HIPAA authorization or another documented legal basis, and verify identity/authority before releasing PHI.

When does the “minimum necessary” standard apply (and when does it not)?

Minimum necessary generally applies to most routine disclosures outside treatment and to many internal access decisions. It generally does not apply to disclosures for treatment or to disclosures to the individual. Quiz questions often hinge on recognizing that a patient access request cannot be reduced solely by citing minimum necessary; the correct approach is identity verification plus reasonable safeguards for the delivery method.

What’s the difference between a Privacy Rule incident and a Security Rule incident?

A Privacy Rule issue is about whether PHI was used or disclosed along a permitted pathway and with appropriate limitations (like minimum necessary). A Security Rule issue focuses on protecting ePHI through administrative, physical, and technical safeguards (risk analysis, access controls, audit logs, backups, device security). Many real incidents involve both—misdirected access plus weak controls.

Is every impermissible disclosure automatically a reportable breach?

No, but it is presumed to be a breach unless the organization documents a risk assessment showing a low probability that PHI was compromised (using the required factors, plus mitigation). The exam typically expects immediate escalation, evidence preservation, and a written analysis—not “wait and see.”

How do BAAs show up on HIPAA quiz questions?

Look for any vendor that creates, receives, maintains, or transmits PHI on the organization’s behalf (cloud storage, texting platforms, analytics, transcription, billing support). The tested control is often operational: no BAA, no PHI, plus vendor inventory and security due diligence. If your team also needs broader security practice, pair this with the Cyber Security Quiz for Employees - Free Online to reinforce day-to-day controls (phishing, access, device hygiene).

What should be documented to be “audit-ready” for OCR?

At minimum: policies/procedures, training evidence, a current Security Rule risk analysis and risk management plan, access control and logging practices, incident response and contingency planning, BAAs/vendor inventory, and documented breach risk assessments and notifications when applicable. The strongest answers on this quiz consistently include what you did, when, why, and where it’s recorded.

AI-drafted, human-reviewed
Reviewed by Michael Hodge, EdTech Product Lead & Assessment Design Specialist, Quiz Maker
Updated Feb 24, 2026