Test your HIPAA knowledge. This self-guided assessment covers essential privacy and security standards, from verbal disclosures to technical safeguards.

Curated and designed by Michael Bowering. Based on 2026 HIPAA Privacy and Security Standards.

  • Two providers are discussing a patient’s diagnosis in a crowded hospital elevator. One mentions the patient’s full name. Which is true?

    • a) Not a violation if family isn't present.

    • b) Acceptable if providers are on duty.

    • c) Violation: PHI was disclosed in a public space.

    • d) Only applies to electronic records.

    Insight: Even verbal disclosures of PHI in public areas like elevators, cafeterias, or hallways constitute a HIPAA violation.

  • A caller asks if a specific person is admitted to your behavioral health facility. What is the correct response?

    • a) Confirm admission and room number.

    • b) Patch the caller through to the patient.

    • c) State that you cannot confirm or deny if they are at the facility.

    • d) Advise the caller to check social media.

    Insight: To protect patient privacy, especially in sensitive care areas, staff should never verify a patient's presence without explicit authorization.

  • Under HIPAA, what is the best definition of a "Business Associate"?

    • a) A patient currently admitted.

    • b) A worker who handles physical paper only.

    • c) An entity performing functions for a covered entity involving PHI.

    • d) Open-source software from the internet.

    Insight: Business Associates include vendors, consultants, or subcontractors who have access to PHI while providing services to a healthcare provider.

  • What is the primary objective of the HIPAA law?

    • a) To help insurers deny claims.

    • b) To give politicians oversight of records.

    • c) To protect privacy while allowing the flow of data for quality care.

    • d) To create a permanent public record.

    Insight: HIPAA balances the need for data security with the necessity of sharing information for effective patient treatment.

  • Are two nurses allowed to discuss a patient’s care plan during their lunch break?

    • a) No, HIPAA prohibits talk while "off the clock."

    • b) Yes, if they work for the same department.

    • c) Yes, if in a private area and necessary for the patient's care.

    • d) Yes, but only if shared casually.

    Insight: Care coordination can happen at any time, provided it occurs in a secure environment and follows the "Need to Know" principle.

  • What does the "Minimum Necessary" standard refer to?

    • a) Doing the least amount of work to avoid notice.

    • b) Using/disclosing only the PHI needed to accomplish a task.

    • c) Setting patient phone volumes to the lowest level.

    • d) Reporting the minimum number of open beds.

    Insight: This rule requires covered entities to take reasonable steps to limit the use of PHI to the specific amount required for the intended purpose.

  • Which of the following is classified as Protected Health Information (PHI)?

    • a) A driver’s license photo.

    • b) Blood type combined with a home address.

    • c) A name and date of birth.

    • d) All of the above.

    Insight: PHI is any information that can be used to identify a patient and relates to their past, present, or future health condition.

  • You must step away from a computer with an active patient record while movers are in the office. What do you do?

    • a) Leave it open so data isn't lost.

    • b) Use a mouse jiggler to keep the screen active.

    • c) Save work, log off the EHR, and lock the workstation.

    • d) Leave it open; maintenance staff are "authorized."

    Insight: Workstation security is a key "Technical Safeguard." Never leave PHI visible to unauthorized individuals, even for a moment.

  • If a facility suffers a cyber-attack and PHI is breached, what is the legal obligation?

    • a) No action is required.

    • b) Follow the Breach Notification Rule and alert affected individuals and HHS.

    • c) Change passwords but keep the event confidential.

    • d) Reload the workstations and continue.

    Insight: Federal law requires notification of breaches to ensure patients can take steps to protect their identity and information.

  • Which is considered an "Administrative Safeguard" under the HIPAA Security Rule?

    • a) Implementing security management and staff training.

    • b) Using common and simple passwords like 123456.

    • c) Having unwritten and informal policies.

    • d) Only securing Teams meetings for sensitive topics.

    Insight: Administrative safeguards involve the "people and process" side of security, such as policies, training, and risk analysis.