EXAM Q&A 2026 GRADED A+.
◍ Under HIPAA, a covered entity (CE) is defined as:
A. A health plan.
B. A health care clearinghouse.
C. A health care provider engaged in standard electronic transactions
covered by HIPAA
D. All of the above
Answer: The correct answer is D. Under HIPAA,
a CE is a health plan, a health care clearinghouse, or a health care
provider engaged in standard electronic transactions covered by
HIPAA.
◍ Select the best answer. The HIPAA Privacy Rule applies to which
of the following?
A. PHI transmitted orally
B. PHI in paper form
C. PHI transmitted electronically
D. All of the above
Answer: The correct answer is D. The HIPAA
Privacy Rule applies to PHI that is transmitted or maintained by a
covered entity or a business associate in any form or medium.
◍ An incidental use or disclosure is not a violation of the HIPAA
Privacy Rule if the covered entity (CE) has:
A. Implemented the minimum necessary standard
B. Established appropriate administrative safeguards
C. Established appropriate physical and technical safeguards
D. All of the above
Answer: The correct answer is D. An incidental
use or disclosure is an unintended use or disclosure that occurs as a
result of another use or disclosure that is permitted by the HIPAA
Privacy Rule. Uses or disclosures that occur when carrying out a use
or disclosure that is permitted or required by HIPAA are not
considered a violation of the HIPAA Privacy Rule, provided that the
CE has implemented the minimum necessary standard and established
appropriate administrative, physical, and technical safeguards.
◍ Select the best answer. Which of the following are true statements
about limited data sets?
A. A limited data set is PHI that excludes 16 specific direct identifiers
of the individual or relatives, employers or household members of the
individual, as set forth in the HIPAA Privacy Rule and DoD's
implementing issuance
B. A limited data set can be used or disclosed only for the purposes of
research, public health or health care operations
C. When disclosing a limited data set, covered entities (CEs)/MTFs
are required to obtain satisfactory assurances, in the form of a Data
Use Agreement (DUA), signed by the recipient
D. All of the above
Answer: The correct answer is D. A limited data
set is PHI that excludes specific direct identifiers of the individual or
relatives, employers or household members of the individual. It can
be used or disclosed only for the purposes of research, public health
or health care operations. When disclosing a limited data set,
CEs/MTFs are required to obtain satisfactory assurances, in the form
of a DUA, signed by the recipient.
◍ How should John advise the staff member to proceed?
A. John should advise the staff member to take the man's word for it
and allow him to enter.
B. John should advise the staff member to deny the man's request and
indicate that access cannot be gained without his ID badge
C. John should advise the staff member to have the man contact the
help desk to assist him in gaining a temporary access card or another
approved alternative means of access.
D. Both B and C
Answer: The correct answer is D. This scenario
illustrates a good example of a physical safeguard in the form of an
access control to a secure area of the Valley Forge MTF. Pursuant to
the HIPAA Security Rule, covered entities must maintain secure
access (for example, facility door locks) in areas where PHI is
located. Allowing an unidentified individual to bypass a security
entrance in this scenario violates the HIPAA Security Rule and
exposes the MTF and its patients to a potential breach situation.
◍ Was this a violation of HIPAA security safeguards?