HIPAA NCLEX-RN Practice Questions
Preparing for the NCLEX-RN requires strong command of HIPAA principles within Management of Care. This practice set focuses on real-world applications nurses face daily—protecting patient privacy, using the minimum necessary standard, verifying consent, and knowing when disclosure is permitted without authorization. You will navigate scenarios involving bedside report, electronic charting, family requests, public health reporting, psychotherapy notes, and breach notifications. As M. Pharma students collaborating in clinical teams, you’ll also sharpen interprofessional judgment: handling subpoenas, research data, directory information, and social media risks. Each question is crafted at NCLEX level to reinforce safe, ethical decision-making and compliance under the HIPAA Privacy and Security Rules. Review carefully, note rationales mentally, and build confidence for exam day.
Q1. A nurse prepares to give a bedside shift report for a semi-private room. Which action best upholds HIPAA’s minimum necessary standard while ensuring safe handoff?
- Conduct the full verbal report at the nurses’ station and skip bedside safety checks to avoid disclosure
- Provide a focused clinical update at the bedside using lowered voice and privacy curtains, avoiding unnecessary identifiers
- Ask the roommate to leave the room during report, regardless of their condition
- Decline bedside reporting for all semi-private rooms due to HIPAA restrictions
Correct Answer: Provide a focused clinical update at the bedside using lowered voice and privacy curtains, avoiding unnecessary identifiers
Q2. A patient requests a copy of their medical records. Under HIPAA, what is the maximum time the organization generally has to provide access?
- 7 calendar days, no extensions allowed
- 14 calendar days, one 14-day extension allowed
- 30 calendar days, with one 30-day extension if needed
- 60 calendar days, no extensions allowed
Correct Answer: 30 calendar days, with one 30-day extension if needed
Q3. The nurse receives a phone call from a person claiming to be a patient’s spouse asking for test results. What is the most appropriate response?
- Provide the results if the caller knows the patient’s date of birth
- Decline to provide information over the phone under any circumstances
- Verify the caller’s identity and the patient’s preference, then share limited information based on professional judgment
- Request the caller to send a text message to confirm identity before disclosing
Correct Answer: Verify the caller’s identity and the patient’s preference, then share limited information based on professional judgment
Q4. Which disclosure is permitted without patient authorization under HIPAA?
- Sharing full medical records with a friend who brought the patient to the hospital
- Reporting a suspected communicable disease case to the public health department
- Sending psychotherapy notes to a specialist for treatment coordination
- Releasing lab results to an employer upon the employer’s request
Correct Answer: Reporting a suspected communicable disease case to the public health department
Q5. A nurse wants to post a “learning case” on a private social media group, removing the patient’s name but keeping the rare diagnosis and exact admission date. What is the best action?
- Proceed; identifiers were removed
- Proceed only if the group is healthcare professionals
- Obtain written authorization from the patient before posting
- Post without details, stating “interesting case” with no clinical data
Correct Answer: Obtain written authorization from the patient before posting
Q6. During rounds, a nursing student needs to review PHI to prepare a care plan. Which statement is correct?
- Students may access only de-identified data
- Students may access PHI as part of the covered entity’s workforce training with need-to-know and safeguards
- Students cannot access PHI without the patient’s written authorization
- Students may freely take PHI offsite for study as long as they return it
Correct Answer: Students may access PHI as part of the covered entity’s workforce training with need-to-know and safeguards
Q7. A patient pays out-of-pocket in full for a medication and requests the nurse to restrict disclosure to their health plan. What should the nurse ensure?
- The request cannot be honored because plans require complete claims data
- The provider must honor the restriction for that item when paid in full out-of-pocket
- The restriction can be applied only if the patient signs a notarized document
- The restriction applies to all past and future services, regardless of payment
Correct Answer: The provider must honor the restriction for that item when paid in full out-of-pocket
Q8. Which scenario represents incidental disclosure permitted under HIPAA?
- Discussing a case loudly in a cafeteria
- Calling out a patient’s full name and diagnosis in a crowded waiting room
- Using a sign-in sheet with limited information visible to others
- Leaving a chart open on a public workstation
Correct Answer: Using a sign-in sheet with limited information visible to others
Q9. A nurse receives a subpoena (not a court order) requesting a patient’s record. What is the best next step?
- Immediately fax the entire record to the requestor
- Refuse to respond to all subpoenas
- Consult legal/health information management to ensure proper authorization or acceptable assurances before disclosure
- Release only labs and omit physician notes
Correct Answer: Consult legal/health information management to ensure proper authorization or acceptable assurances before disclosure
Q10. Which requires the patient’s separate written authorization under HIPAA?
- Disclosure for treatment, payment, and healthcare operations
- Disclosure to a public health authority for immunization registries
- Disclosure of psychotherapy notes for purposes other than treatment by the same provider
- Disclosure to a coroner following death
Correct Answer: Disclosure of psychotherapy notes for purposes other than treatment by the same provider
Q11. A nurse needs to leave a voicemail for a patient about a follow-up appointment. What is the best practice?
- Include diagnosis and test results to ensure clarity
- Leave a brief message with callback number and minimal details
- Avoid leaving any voicemail due to HIPAA
- Discuss all care details if the patient provided their phone number
Correct Answer: Leave a brief message with callback number and minimal details
Q12. Which meets HIPAA’s de-identification safe harbor requirement?
- Removing name and address but keeping full date of service and medical record number
- Removing all 18 identifiers or having a qualified expert certify very small re-identification risk
- Masking the last name only
- Removing the name while retaining full face photographic images
Correct Answer: Removing all 18 identifiers or having a qualified expert certify very small re-identification risk
Q13. A visitor requests a patient’s location and general condition at the front desk. The patient has not opted out of the facility directory. What is appropriate?
- Provide location and specific diagnosis
- Provide location and “general condition” (e.g., stable), without diagnosis
- Decline all information because of HIPAA
- Require a written authorization form
Correct Answer: Provide location and “general condition” (e.g., stable), without diagnosis
Q14. A nurse prints patient reports and leaves them at the shared printer while responding to an urgent alarm. Which HIPAA safeguard was breached?
- Technical safeguard—encryption
- Administrative safeguard—sanction policy
- Physical safeguard—secure handling of paper PHI
- None; this is incidental disclosure
Correct Answer: Physical safeguard—secure handling of paper PHI
Q15. Which best describes the “minimum necessary” standard?
- Applies to all disclosures, including for treatment
- Requires limiting PHI use/disclosure to the least amount needed to accomplish the purpose, excluding treatment disclosures
- Prohibits sharing any PHI without written authorization
- Applies only to electronic PHI
Correct Answer: Requires limiting PHI use/disclosure to the least amount needed to accomplish the purpose, excluding treatment disclosures
Q16. After discovering an unencrypted laptop with PHI is missing, what is the nurse leader’s priority action under breach notification rules?
- Wait 6 months to confirm loss before notifying
- Notify affected individuals without unreasonable delay and no later than 60 days after discovery
- Notify only the media
- Do not report if the intent was not malicious
Correct Answer: Notify affected individuals without unreasonable delay and no later than 60 days after discovery
Q17. A patient’s adult daughter holds a valid healthcare power of attorney. She requests access to the patient’s chart. What should the nurse do?
- Decline; only the patient can access their PHI
- Verify documentation of the daughter’s authority and provide access in accordance with the scope of representation
- Provide full access without verification
- Require a court order for any access
Correct Answer: Verify documentation of the daughter’s authority and provide access in accordance with the scope of representation
Q18. Which is the best method for disposing of paper records containing PHI?
- Place in regular trash once the patient is discharged
- Recycle after removing the first page
- Shred or use approved secure destruction
- Store indefinitely in an unlocked cabinet
Correct Answer: Shred or use approved secure destruction
Q19. A nurse is asked to email discharge instructions to a patient. Which action aligns with HIPAA Security Rule safeguards?
- Send from personal email to save time
- Use secure messaging or encryption per facility policy
- Copy the instructions to a USB drive without encryption
- Text a photo of the instructions to the patient
Correct Answer: Use secure messaging or encryption per facility policy
Q20. A patient requests an amendment to their record. The provider denies it based on accuracy. What must occur next?
- No further action is required
- The patient must be allowed to submit a statement of disagreement appended to the record
- The entire record must be deleted
- The denial requires court approval
Correct Answer: The patient must be allowed to submit a statement of disagreement appended to the record
Q21. In a disaster, the patient is incapacitated. To whom may the nurse disclose relevant PHI to identify, locate, or notify family?
- Only to law enforcement
- To disaster relief organizations like the Red Cross as necessary
- To the media with full details
- No disclosures are allowed
Correct Answer: To disaster relief organizations like the Red Cross as necessary
Q22. Which information can be disclosed to an organ procurement organization without patient authorization?
- Data necessary to facilitate organ or tissue donation
- Full psychiatric history
- Social media usernames
- Employment records
Correct Answer: Data necessary to facilitate organ or tissue donation
Q23. A nurse accidentally sends one page of PHI to the wrong internal fax number but retrieves it immediately, with no further access. This is best described as:
- A breach requiring media notification
- A security incident that may qualify as a low-risk incident after risk assessment
- No incident because it was internal
- Criminal disclosure
Correct Answer: A security incident that may qualify as a low-risk incident after risk assessment
Q24. A minor consents to treatment for a sexually transmitted infection per state law. The parent requests results. What should the nurse consider first?
- HIPAA always allows parents full access
- State minor consent laws may grant minor control over related PHI
- Release results if the parent shows ID
- Send results only by mail
Correct Answer: State minor consent laws may grant minor control over related PHI
Q25. Which is appropriate when giving telephone orders that include PHI?
- Use speakerphone in a hallway for efficiency
- Confirm the recipient’s identity and speak in a private area when possible
- Allow visitors to listen to ensure transparency
- Document later without read-back
Correct Answer: Confirm the recipient’s identity and speak in a private area when possible
Q26. A nurse sees a coworker’s login badge at a workstation and uses it to quickly access a patient chart. What is the HIPAA-compliant approach?
- Use the badge if the patient is yours
- Proceed if you log out immediately after
- Never use another person’s credentials; access only with your own authenticated login
- Use shared credentials posted at the desk
Correct Answer: Never use another person’s credentials; access only with your own authenticated login
Q27. When is authorization NOT required for research use of PHI?
- When the researcher is a physician
- When an Institutional Review Board or Privacy Board issues a waiver based on minimal risk and impracticability
- When the patient is deceased
- When PHI is emailed to the research team
Correct Answer: When an Institutional Review Board or Privacy Board issues a waiver based on minimal risk and impracticability
Q28. Which disclosure requires providing the patient an accounting of disclosures upon request?
- Disclosures for treatment
- Disclosures made directly to the patient
- Disclosures required by law to a public health authority
- Disclosures for healthcare operations
Correct Answer: Disclosures required by law to a public health authority
Q29. A nurse caring for a patient whose chart includes substance use disorder records receives a request from another unit for the full chart. What is the safest action, considering that stricter confidentiality laws may apply?
- Send the full chart as an internal disclosure
- Confirm need-to-know for treatment and whether additional consents are required under applicable law before disclosure
- Refuse all disclosures
- Post the chart in a shared drive for convenience
Correct Answer: Confirm need-to-know for treatment and whether additional consents are required under applicable law before disclosure
Q30. A patient opts out of the facility directory. A friend asks about the patient’s location. What should the nurse say?
- Provide location but not condition
- State that there is no information available about a patient by that name
- Ask the friend to prove their relationship and then disclose
- Disclose only the room number
Correct Answer: State that there is no information available about a patient by that name
I am a Registered Pharmacist under the Pharmacy Act, 1948, and the founder of PharmacyFreak.com. I hold a Bachelor of Pharmacy degree from Rungta College of Pharmaceutical Science and Research. With a strong academic foundation and practical knowledge, I am committed to providing accurate, easy-to-understand content to support pharmacy students and professionals. My aim is to make complex pharmaceutical concepts accessible and useful for real-world application.
Mail: Sachin@pharmacyfreak.com