1.) The minimum fine for a minor HIPAA violation is $100; the maximum fine for a serious HIPAA violation is $50,000. What is the maximum total of violation fines per year?

(a) $500,000

(b) $750,000

(c) $1,500,000

(d) $2,500,000


2.) The Privacy Rule requires an “Authorization” form to be completed for:

(a) use and disclosure of PHI for specified purposes other than treatment, payment, or health care operations.

(b) use and disclosure of PHI for research purposes.

(c) disclosure to a third party specified by the individual.

(d) all of the above


3.) For PHI disclosures where there is personal gain or for malicious purposes, federal penalties can include up to _____ year(s) in prison.

(a) 1

(b) 5

(c) 10

(d) 20


4.) The Privacy Rule states that the release of PHI may be done, without authorization, for which purposes only?

(a) Treatment, Payment and Operations

(b) Administration, Coding and Billing

(c) Healthcare Research

(d) None of the above


5.) A covered entity must act upon a request for access to PHI no later than _____ days after receipt of the request.

(a) 10

(b) 15

(c) 20

(d) 30


6.) A violation of the Privacy Rule must be reported within how much time after the date of occurrence?

(a) 60 days

(b) 90 days

(c) 180 days

(d) 360 days


7.) Under the Breach Notification Rules, how often is a covered entity required to submit logs of PHI breaches to the Secretary of HHS?

(a) Quarterly

(b) Annually

(c) Semi-Annually

(d) Monthly


8.) Which of the following safeguards does the Security Rule require covered entities to maintain to ensure the confidentiality, integrity, and security of ePHI?

(a) Administrative

(b) Technical

(c) Physical

(d) All of the above


9.) What does the abbreviation NPP stand for?

(a) Notice of Privacy Practices

(b) Notice of Practice Problems

(c) Notice of Patient Practices

(d) Notice of Patient Privacy


10.) When is it allowable to use or disclose PHI electronically (e-PHI) via email or other electronic devices, including smartphones?

(a) Always

(b) After obtaining authorization from a patient as their preferred means of communication

(c) After a covered entity has implemented policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI

(d) Both b and c

