HIPAA compliance MCQs With Answer

HIPAA is central to health data governance in the United States, and M. Pharm students in Regulatory Affairs (MPH 104T) must understand how it protects patient privacy while enabling legitimate healthcare and research uses. This quiz set focuses on core HIPAA components—the Privacy Rule, Security Rule, and Breach Notification Rule—along with HITECH and Omnibus updates. You will test your knowledge of PHI, minimum necessary standards, patient rights, business associate obligations, de-identification pathways, research permissions, and enforcement. Each question reflects practical scenarios encountered in hospitals, CROs, pharmacies, and health-tech. Use these MCQs to sharpen compliance reasoning, reduce regulatory risk, and align pharmaceutical practice with ethical and legal obligations.

Q1. Under HIPAA, which best describes Protected Health Information (PHI)?

  • Individually identifiable health information held or transmitted by a covered entity or business associate
  • Any health-related data, whether identifiable or not
  • Anonymized datasets with all identifiers removed
  • Information contained in public records

Correct Answer: Individually identifiable health information held or transmitted by a covered entity or business associate

Q2. Which activity may be performed without a patient’s written authorization under HIPAA?

  • Treatment, payment, and healthcare operations
  • Marketing communications with financial remuneration
  • Sale of PHI to third parties
  • Most interventional research uses

Correct Answer: Treatment, payment, and healthcare operations

Q3. The HIPAA “minimum necessary” standard primarily applies to:

  • Disclosures for treatment
  • Disclosures to the individual
  • Most uses, disclosures, and requests for PHI, except specific permitted situations
  • Disclosures to the U.S. Department of Health and Human Services (HHS)

Correct Answer: Most uses, disclosures, and requests for PHI, except specific permitted situations

Q4. The HIPAA Security Rule requires which categories of safeguards?

  • Administrative, physical, and technical
  • Financial, operational, and clinical
  • Legal, ethical, and procedural
  • Structural, managerial, and academic

Correct Answer: Administrative, physical, and technical

Q5. Under the Breach Notification Rule, affected individuals must be notified without unreasonable delay and no later than:

  • 15 calendar days after discovery
  • 30 calendar days after discovery
  • 60 calendar days after discovery
  • 90 calendar days after discovery

Correct Answer: 60 calendar days after discovery

Q6. The HITECH Act primarily strengthened HIPAA by:

  • Eliminating penalties for noncompliance
  • Creating mandatory breach notification and expanding business associate liability
  • Exempting small entities from the Security Rule
  • Removing the minimum necessary standard

Correct Answer: Creating mandatory breach notification and expanding business associate liability

Q7. Which best describes a business associate under HIPAA?

  • An employee of the covered entity
  • A person or entity performing services for a covered entity that involve PHI
  • A patient’s family member assisting in care
  • A public health authority receiving required reports

Correct Answer: A person or entity performing services for a covered entity that involve PHI

Q8. HIPAA’s Safe Harbor de-identification method requires removal of how many types of identifiers?

  • 12
  • 16
  • 18
  • 21

Correct Answer: 18

Q9. A limited data set (LDS) under HIPAA may include which of the following?

  • Dates of service and city/state information
  • Names and full postal address
  • Full-face photographs
  • Email addresses

Correct Answer: Dates of service and city/state information

Q10. Within how many days must a covered entity respond to an individual’s request for access to PHI (excluding a permitted one-time extension)?

  • 10 days
  • 15 days
  • 30 days
  • 60 days

Correct Answer: 30 days

Q11. Which U.S. federal office primarily enforces HIPAA rules?

  • Office of the National Coordinator for Health IT (ONC)
  • U.S. Food and Drug Administration (FDA)
  • Office for Civil Rights (OCR)
  • Office of Inspector General (OIG)

Correct Answer: Office for Civil Rights (OCR)

Q12. An accounting of disclosures must include which type of disclosure?

  • Disclosures for treatment
  • Disclosures made with the patient’s written authorization
  • Public health reporting made without patient authorization
  • Disclosures to the individual

Correct Answer: Public health reporting made without patient authorization

Q13. Unique user identification and transmission security are examples of which safeguard category?

  • Administrative
  • Physical
  • Technical
  • Organizational requirements

Correct Answer: Technical

Q14. Under the Security Rule, encryption of ePHI is best characterized as:

  • A universally required control in all environments
  • An addressable implementation specification that is strongly recommended
  • Optional and offers no compliance benefit
  • Prohibited for data backups

Correct Answer: An addressable implementation specification that is strongly recommended

Q15. A breach risk assessment must consider which of the following factors?

  • The nature and extent of PHI involved, including sensitivity and likelihood of re-identification
  • The wealth of the affected patient
  • The size of the hospital
  • The organization’s annual profit

Correct Answer: The nature and extent of PHI involved, including sensitivity and likelihood of re-identification

Q16. Which statement about psychotherapy notes is true under HIPAA?

  • They are treated the same as all other PHI for all purposes
  • They may be used for marketing without authorization
  • They generally require a specific authorization for most uses/disclosures beyond limited exceptions
  • They can be freely disclosed for payment and operations

Correct Answer: They generally require a specific authorization for most uses/disclosures beyond limited exceptions

Q17. Which communication is considered marketing that generally requires patient authorization?

  • Face-to-face recommendation of an over-the-counter vitamin
  • Population-based care coordination communications
  • A paid third-party promotion of a new drug with remuneration to the covered entity
  • A refill reminder with reasonable, cost-based remuneration

Correct Answer: A paid third-party promotion of a new drug with remuneration to the covered entity

Q18. How does HIPAA interact with state privacy laws?

  • HIPAA overrides all state privacy laws
  • HIPAA yields to all state laws regardless of content
  • HIPAA sets a federal floor; more stringent state privacy protections remain in effect
  • Only federal privacy law applies in healthcare

Correct Answer: HIPAA sets a federal floor; more stringent state privacy protections remain in effect

Q19. Which is a required provision in a Business Associate Agreement (BAA)?

  • The business associate may sell PHI for profit
  • The business associate owns the covered entity’s PHI
  • The business associate must report breaches of unsecured PHI to the covered entity
  • The business associate is exempt from the Security Rule

Correct Answer: The business associate must report breaches of unsecured PHI to the covered entity

Q20. Which research-related activity can occur without individual authorization?

  • Publishing a case report containing identifiers
  • Accessing PHI to design a study under “preparatory to research” without removing PHI from the premises
  • Using PHI for an interventional trial by a third party without authorization or waiver
  • Disclosing PHI to a sponsor for marketing

Correct Answer: Accessing PHI to design a study under “preparatory to research” without removing PHI from the premises
