Exam (elaborations)

HCCA CHC 2026 TEST PAPER QUESTIONS AND ANSWERS GUARANTEE A+

Pages
37
Grade
A+
Uploaded on
06-01-2026
Written in
2025/2026

Institution
HCCA CHC
Course
HCCA CHC











Contains
Questions & answers

✔✔Give examples of administrative safeguards - ✔✔• Policies and procedures
• Training and education
• Designation of individuals (Ex. Security Officer)
• Contingency Planning

✔✔Give examples of physical safeguards - ✔✔• Facility security or access plan
• Disposal processes and media reuse
• Data backup and storage

✔✔Give examples of technical safeguards - ✔✔• Passwords
• Encryption
• Auto Log Off
• Unique User Identification

✔✔HIPAA "consent" and "authorization" have key differences, what are they? -
✔✔Consent is voluntary for TPO, while authorization is required by the Privacy Rule for
use and disclosure of PHI

https://www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html

✔✔What is the primary difference between HIPAA authorization and Right of Access?
(regarding disclosure) - ✔✔HIPAA authorization is a PERMITTED disclosure, and
Right of Access is a REQUIRED disclosure.

https://www.law.cornell.edu/cfr/text/45/164.524

✔✔What is excluded from the Right of Access? - ✔✔1. any information that is not part
of the Designated Records Set
2. Psychotherapy notes/records (see 45 CFR 164.524(a)(1)(i) and 164.501)
3. Records gathered in anticipation of, or for use in, a civil, criminal, or administrative
action or proceeding (45 CFR 164.524(a)(1)(ii))

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

✔✔HIPAA Civil Penalties - ✔✔Did not know: $100 to $50K
Reasonable cause: $1000 to $50K
Willful neglect, corrected in 30 days: $10K to $50K
Willful neglect, not corrected in 30 days: $50K. Max per year: $1.5 million

✔✔HIPAA Criminal Penalties - ✔✔Committed offense knowingly: up to 1 year in prison + $50,000
Committed offense under False Pretense: 5 years + $100,000
Committed offense with Intent, Harm/Personal Gain: 10 years + $250,000

✔✔HIPAA of 1996, examples of criminal offense - ✔✔Makes it a criminal offense to
submit claims based on incorrect codes or medically unnecessary services and the
government has the power to exclude the organization from Medicare, Medicaid, and a
long list of other government programs.

✔✔Security Rule documentation requirements: how long must the CE maintain
written records? - ✔✔At least 6 years from the date the record was created or its effective
date

✔✔Risk Assessment to determine LoProCo: - ✔✔1. Nature and extent of PHI involved
including type of identifiers and likelihood of reidentification;
2. The unauthorized person who used the PHI or to whom the disclosure was made;
3. Whether the PHI was actually acquired or viewed; and
4. The extent to which the risk to the PHI has been mitigated.

✔✔HITECH is part of what? - ✔✔American Recovery and Reinvestment Act (ARRA)

✔✔How long is PHI protected after the person's death? - ✔✔50 years

✔✔How many identifiers are listed in the HIPAA Privacy Rules? - ✔✔18

✔✔Laser Discs medical records are destroyed by - ✔✔Pulverizing

✔✔Levels of Confidentiality - ✔✔Confidential
Anonymous
Need to Know

✔✔Magnetic Tape medical records are destroyed by - ✔✔Demagnetizing

✔✔Methods to de-identify PHI - ✔✔Expert Determination (Statistical) de-identification
Safe harbor method

✔✔Microfilm medical records are destroyed by - ✔✔Recycling and pulverizing

✔✔Name the process of identifying potential security risks and determining the
probability of occurrence and magnitude of risks. - ✔✔Risk Analysis

✔✔Path or 7 steps to HIPAA Compliance: - ✔✔1. Perform comprehensive risk and security analysis
2. Identify threats and vulnerabilities
3. Select and develop safeguards
4. Create policies, procedures, and practices
5. Train the staff
6. Implement all safeguards
7. Manage, monitor, and modify

✔✔Paper medical records are destroyed by - ✔✔Burning, shredding, pulverizing, and
pulping

✔✔Permissions and Required under the HIPAA rule are NOT the same thing. Explain -
✔✔"Permissions" can still be denied, and "Required" is mandatory

✔✔PHI, or protected health information, that is collected by an individual or received by a
covered entity can be used or disclosed in these four areas. Name them. - ✔✔1- TPO
(Tx, Pymt, Healthcare Operations)
2- public interest/public crisis or emergency
3-with an opportunity to object
4-authorization, permission granted

✔✔Privacy incident categories - ✔✔Unintentional or inadvertent violation (accidental);
Failure to follow established policies and procedures;
Deliberate or purposeful violation without harmful intent;
Willful and malicious violation with harmful intent.

✔✔The Social Security Act Section 1128C(a), as established by the ___ ___ ___ and
___ Act, created the Health Care Fraud and Abuse Control Program, a far reaching
program to combat fraud and abuse in health care, including both public and private
health plans - ✔✔Health Insurance Portability and Accountability (HIPAA)

✔✔The two instances PHI does not require authorization: - ✔✔1 - directly to patient
2 - to government or HHS for investigation of alleged privacy violation

✔✔True or False
A vendor that stores encrypted copies of files from a CE is not a Business Associate of
that CE because the ePHI is unreadable, unusable, and indecipherable. - ✔✔FALSE -
the vendor is a Business Associate as it is maintaining (through its storage functions)
the encrypted ePHI.

✔✔True or False
Covered Entities and their Business Associates must comply with all of the Security and
Privacy Rules - ✔✔FALSE - Business Associates are not required to comply with all of
the Privacy Rules.

✔✔True or False
Encryption is required under HIPAA - ✔✔FALSE - it is an addressable implementation
specification.

✔✔True or False
The designated privacy official and the designated security official under HIPAA must
be different individuals - ✔✔FALSE - the same official may be designated both roles.

✔✔True or False:
Certificates of Confidentiality (Certificate or CoC) protect the privacy of research
participants by prohibiting disclosure of identifiable, sensitive research information to
anyone not connected to the research except when the participant consents or in a few
other specific situations. - ✔✔TRUE

https://grants.nih.gov/policy/humansubjects/coc/information-protected-CoC.htm

✔✔True or False:
The protection of human subjects in research at 45 CFR 46 Subpart A (the Common Rule) lists
the protections for all research involving human subjects - ✔✔TRUE

https://www.hhs.gov/ohrp/regulations-and-policy/regulations/45-cfr-46/index.html

✔✔Re: Privacy and Reproductive Health Care
An individual goes to a hospital emergency department while experiencing
complications related to a miscarriage during the tenth week of pregnancy. A hospital
workforce member suspects the individual of having taken medication to end their
pregnancy. State or other law prohibits abortion after six weeks of pregnancy.

Is the hospital required to report individuals to law enforcement?
a. yes, hospital is required to do so IF state law expressly requires such reporting
b. no, this would be impermissible and constitute a breach regardless of state law
requirements - ✔✔a. yes, hospital is required to do so IF state law expressly requires
such reporting.

For instance, Louisiana is one of 28 states that require the reporting of abortion
complications, even if the procedure was done legally for medical reasons.

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html#footnote10_jc1ucm2

✔✔Re: Privacy and Reproductive Health Care
A law enforcement official goes to a reproductive health care clinic and requests records
of abortions performed at the clinic.
Would the clinic be required to fulfill the request?

Get to know the seller

BOARDWALK Havard School