✔✔Re: HIPAA Authorization
When my patients are being treated for car accident injuries, we often receive requests
for PHI from lawyers. I am not sure if we should provide the information and don't know
how to decide whether the request is legitimate.
How do we validate the request is legitimate? - ✔✔Ensure the request is backed by a valid HIPAA
authorization signed by the patient (or the patient's personal representative):
it MUST contain the 6 core elements and the 3 required statements set out in 45 CFR §
164.508(c)(1) and (c)(2). A lawyer's letter by itself is not an authorization; if no valid
authorization accompanies the request, the request alone does not permit the disclosure.
https://www.law.cornell.edu/cfr/text/45/164.508
✔✔Re: HIPAA Authorization
One of my long term (dental) patients was recently diagnosed with cancer. His new
oncologist's assistant called to request his PHI from our files. I don't know if the patient
knows or has authorized this.
Can the request be fulfilled? - ✔✔YES, no authorization is required for disclosures for
TPO (treatment, payment, and health care operations), and sending a patient's records to
his treating oncologist is a treatment disclosure.
Still, verify the identity and authority of the person requesting the PHI before releasing it
(45 CFR § 164.514(h)), and have the request in writing including:
Covered Entity's name;
Patient's name;
Date of the event/time of treatment; and
Reason for the request.
https://thehipaaetool.com/hipaa-authorization-required/
✔✔Re: HIPAA Authorization (suspected domestic violence)
I strongly suspect that a patient is a victim of domestic violence, although the patient
has not confided in me. The abuse seems to be escalating, judging by the injuries I've
seen.
May I do anything? - ✔✔You may; this falls under a Privacy Rule exception for victims of
abuse, neglect or domestic violence (45 CFR § 164.512(c)).
IF you reasonably believe the patient to be a victim of adult abuse, neglect or domestic
violence, you may disclose PHI to a government authority authorized by law to receive such
reports, to the extent the disclosure is required by law, the patient agrees, or the disclosure
is expressly authorized by statute or regulation and you believe it is necessary to prevent
serious harm.
The patient's agreement is one basis for the disclosure but is not required in every case.
You must promptly inform the patient that a report has been or will be made, unless in your
professional judgment doing so would place the patient at risk of serious harm.
✔✔ARRA passed in 2009, key items to know: - ✔✔ARRA - also known as the "Obama
Stimulus," passed in response to the 2008 recession.
ARRA provided government spending, tax cuts, and loan guarantees for financial relief
to families.
ARRA's HITECH Act drove hospitals and providers to adopt electronic health records and
modernize HIT systems.
HITECH also added the Breach Notification Rule and made business associates directly
liable for HIPAA security and privacy requirements.
https://en.wikipedia.org/wiki/American_Recovery_and_Reinvestment_Act_of_2009
https://www.hhs.gov/hipaa/for-professionals/breach-notification/laws-regulations/final-
rule-update/hitech/index.html
✔✔IIHI - ✔✔Individually Identifiable Health Information
Health information, including demographic information (e.g. address, date of birth),
collected from an individual and created or received by a covered entity, that relates to the
individual's past, present or future health condition, the provision of health care, or payment
for care, and that identifies the individual or gives a reasonable basis to believe it could be
used to identify the individual.
✔✔PHI - ✔✔Protected Health Information
IIHI that is transmitted by electronic media, maintained in electronic media, or transmitted or
maintained in any other form or medium. (PHI excludes IIHI in education records covered
by FERPA, in employment records held by a covered entity in its role as employer, and about
a person who has been deceased for more than 50 years.)
✔✔What is de-identified information? - ✔✔Health information from which the HIPAA
individual identifiers have been removed, so that there is no reasonable basis to believe it can
be used to identify the individual (45 CFR § 164.514(a)-(b)). This is accomplished by one of
two methods:
Expert Determination: a qualified expert, applying statistical or scientific principles,
determines and documents that the risk of re-identification is very small.
Safe Harbor: remove the 18 listed identifiers of the individual and of relatives, employers
and household members, and have no actual knowledge that the remaining information could
identify the individual.
https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-
identification/index.html
✔✔What is re-identification? - ✔✔A CE may assign a code to de-identified records so that
they can later be re-identified (45 CFR § 164.514(c)); however, the code must not be derived
from or related to information about the individual (so not a hash of the SSN or MRN), must
not otherwise be translatable into the individual's identity, and the CE is forbidden from
using or disclosing the code for any other purpose or disclosing the re-identification
mechanism.
https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-
identification/index.html
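As an added illustration of the Safe Harbor and re-identification rules above (this is not code from the page or from HHS), the Python filter below applies the ZIP, date and over-89 age rules, drops the remaining direct identifiers, scans free-text fields for identifiers that often survive (phone numbers in a nurse's note are the classic leak), and attaches a random re-identification code that is not derived from the patient's data. The field names, the constructed sample record, the reference date and the list of low-population three-digit ZIP areas (taken from HHS's Safe Harbor guidance, which uses 2000 Census figures) are assumptions.

```python
# Added example: Safe Harbor de-identification (45 CFR 164.514(b)(2)) with a
# 164.514(c)-style re-identification code. Field names, the sample record and
# the ZIP3 list are assumptions, not taken from the page.
import re
import secrets
from datetime import date

# Three-digit ZIP areas with 20,000 or fewer residents per HHS guidance
# (2000 Census). Assumption: refresh this list against current census data.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Fields holding Safe Harbor identifiers that are removed outright
# (assumed field names for the constructed record below).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo",
}
DATE_FIELDS = ("dob", "admit_date", "discharge_date", "death_date")

# Identifier shapes that commonly survive inside free text.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def safe_harbor_zip(zip_code):
    """Keep only the first three ZIP digits, or 000 for low-population areas."""
    digits = re.sub(r"\D", "", zip_code or "")
    zip3 = digits[:3]
    return "000" if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3 else zip3


def safe_harbor_age(dob, as_of):
    """Age in whole years, with everything over 89 collapsed into '90+'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else age


def residual_identifiers(record):
    """Names of string fields whose text still looks like an identifier."""
    return [
        field for field, value in record.items()
        if isinstance(value, str)
        and any(p.search(value) for p in RESIDUAL_PATTERNS.values())
    ]


def deidentify(record, as_of, reid_map):
    """Return a Safe Harbor copy of record and register a re-identification code."""
    age = safe_harbor_age(record["dob"], as_of)
    out = {"age": age, "state": record.get("state"),
           "zip3": safe_harbor_zip(record.get("zip"))}
    # Dates keep only the year; the birth year is dropped too once age is 90+,
    # because it is a date element "indicative of such age".
    for field in DATE_FIELDS:
        if field in record:
            year = record[field].year
            out[field + "_year"] = None if (field == "dob" and age == "90+") else year
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in DATE_FIELDS or field in ("zip", "state"):
            continue
        out[field] = value
    # 164.514(c): the code is random, not derived from the individual's data
    # (so never a hash of the SSN or MRN), and the mapping stays with the CE.
    code = secrets.token_hex(16)
    reid_map[code] = record["mrn"]
    out["reid_code"] = code
    return out


# Constructed sample record (not real patient data) and reference date.
SAMPLE = {
    "name": "Jane Q. Sample", "street": "1 Main St", "city": "Anytown", "county": "Any",
    "state": "NY", "zip": "10023", "phone": "212-555-0100", "email": "jane@example.com",
    "ssn": "123-45-6789", "mrn": "MRN-0001", "dob": date(1930, 6, 15),
    "admit_date": date(2023, 3, 2), "discharge_date": date(2023, 3, 9),
    "diagnosis": "Hip fracture",
    "notes": "Daughter reachable at 212-555-0199 for follow-up.",
}
AS_OF = date(2024, 1, 1)


def demo():
    """De-identify the sample; returns the cleaned record and the CE-held map."""
    mapping = {}
    return deidentify(SAMPLE, AS_OF, mapping), mapping


if __name__ == "__main__":
    clean, _ = demo()
    print(clean)
    print("fields still containing identifiers:", residual_identifiers(clean))
```

Running it shows the structured identifiers removed and the 93-year-old patient reported as "90+" with no birth year, but `residual_identifiers` still flags the `notes` field: Safe Harbor is satisfied only when free text is cleaned as well, so the flag should block release rather than be logged. The `reid_map` dictionary stands in for whatever store the covered entity keeps the mapping in; the point of the design is that nothing in the released record lets a recipient compute the code.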
✔✔What's the Minimum Necessary? - ✔✔Limit the PHI used, disclosed, or requested to the
minimum necessary to accomplish the intended purpose of the use, disclosure, or request
(45 CFR § 164.502(b)).
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
✔✔The Minimum Necessary DOES NOT apply to? - ✔✔It does not apply to:
Treatment (disclosures to, or requests by, a health care provider for treatment); note that
payment and health care operations are NOT exempt, so the standard still applies to them
To the individual directly
To the HHS Secretary for compliance purposes, or uses/disclosures required by law
When the individual has granted an authorization
✔✔Where does Minimum Necessary link to in the Security rule? - ✔✔Role-based
access. The Privacy Rule requires a CE to identify which workforce roles need PHI and
which categories of PHI each role needs (45 CFR § 164.514(d)(2)); the Security Rule's
Information Access Management (§ 164.308(a)(4)) and Access Control (§ 164.312(a)(1))
standards implement that for ePHI. Content filters and field-level views can be used to
enforce the privacy concept technically.
✔✔Who can a deceased individual's information be released to at any time? - ✔✔Coroners
and medical examiners (to identify the decedent, determine the cause of death, or perform
other duties authorized by law), and funeral directors as necessary to carry out their duties
with respect to the decedent (45 CFR § 164.512(g)).
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-
164.512
✔✔Preemption under HIPAA means - ✔✔When federal law states that it preempts or
overrides (supersedes) state law on a particular issue, the federal law is the law that
must be followed.
In general, HIPAA preempts state law that is "contrary" to the federal rule, unless the state
law is more stringent (more protective of the individual's privacy), in which case the state
law controls.
In practice, complying with the stronger (more stringent) standard will usually let you
comply with both state law and HIPAA.
Example 1: if state law gives a provider 10 days to respond to a patient's request for a
copy of his medical records, and HIPAA allows 30 days, you can comply with both state
and federal law by responding within 10 days.
Example 2: if state law requires a longer record retention period than the federal rule, go
with the longer period.
https://library.ahima.org/doc?oid=59816#.YlTLkOjMI2w
✔✔Valid Authorization core elements (see 45 CFR § 164.508(c)(1)): - ✔✔1. a specific and
meaningful description of the information to be used or disclosed
2. the name or other specific identification of the person(s), or class of persons, authorized
to make the requested use or disclosure
3. the name or other specific identification of the person(s), or class of persons, to whom the
information may be disclosed
4. a description of each purpose of the requested use or disclosure ("at the request of the
individual" is sufficient when the individual initiates the authorization)
5. an expiration date, or an expiration event that relates to the individual or the purpose
6. the signature and date of the individual, or of their personal representative (someone
authorized to make health care decisions on behalf of the individual), with a description of
the representative's authority to act for the individual
https://www.law.cornell.edu/cfr/text/45/164.508
and
https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-
preparedness/authorization/index.html
✔✔Valid Authorization 3 key statements (see 45 CFR § 164.508(c)(2)): - ✔✔The
following statements must be included in a valid Authorization:
• A statement of the individual's right to revoke the authorization in writing, the exceptions
to this right, and a description of how to revoke;
• A statement that treatment, payment, enrollment or eligibility for benefits may NOT be
conditioned upon signing the authorization (or, where conditioning is permitted, the
consequences of refusing to sign);
• A statement that information disclosed pursuant to the authorization may be re-disclosed
by the recipient and, if so, may no longer be protected by federal privacy law.
Note: when the covered entity itself requests the authorization, it must give the individual a
copy of the signed form (45 CFR § 164.508(c)(4)).
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-
164.508
✔✔Fill in the blanks: The three types of AUTHORIZATION:
VALID - must have all 6 required core elements and all 3 required statements
D_______ - lacks any of the required elements/statements, the expiration date or event
has passed, it has been revoked, or it is combined with another document in a prohibited
way
C_______ - an authorization combined with another authorization or written permission;
generally prohibited, but allowed in limited cases such as combining a research
authorization with other written permission for the same or another research study
(45 CFR § 164.508(b)(3)) -
✔✔Defective; Compound
✔✔Request for Restrictions - ✔✔The patient has the right to request restrictions on the
U&D (uses and disclosures) of PHI, even for the TPO exception (45 CFR § 164.522(a)).
The covered entity is not required to agree to the request, with one exception: it must honor
a request not to disclose PHI to a health plan for an item or service the patient has paid for
in full out of pocket. If the entity does agree to a restriction, it must abide by it.
The right to request restrictions is described in the Notice of Privacy Practices
(§ 164.520).
✔✔Request for Confidential Communication - ✔✔The patient may request that PHI be
sent by alternative means or to alternative locations, such as email or meeting in off-site
locations (45 CFR § 164.522(b)). A health care provider must accommodate reasonable
requests and may not require an explanation of the reason for the request.
✔✔Which subpart of HIPAA part 164 sets limits on how PHI can be used and shared
with others and gives patients rights over their information
a. Part 164 Subpart E (Privacy Rule)
b. Part 164 Subpart C (Security Rule) - ✔✔a. Part 164 Subpart E (Privacy Rule)
Subpart C (Security Rule) sets the security standards (administrative, technical, and
physical safeguards) to protect the confidentiality, integrity and availability of ePHI
✔✔What is the difference between HIPAA security and privacy? - ✔✔Security - covers
ePHI
Privacy - covers all forms (electronic, oral, written)
✔✔45 CFR 164 - Subpart C outlines the three safeguards (administrative, physical, and
technical) to ensure the _____, ____, ____ of ePHI that both CEs and BAs must implement
to protect against reasonably anticipated threats or hazards to the security or integrity of
ePHI and against reasonably anticipated uses or disclosures not permitted by the Privacy
Rule (45 CFR § 164.306(a)) - ✔✔Confidentiality, integrity, availability