Questions and Answers | Latest Version | 2025/2026 | Correct & Verified
What is the primary purpose of HIPAA?
✔✔To protect patients’ health information and ensure privacy and security.
What type of information is considered Protected Health Information (PHI)?
✔✔Individually identifiable health information held or transmitted by a covered entity or business associate, in any form, that relates to a person's past, present, or future physical or mental health, the care provided to them, or payment for that care.
Can employees access PHI of friends or family members without authorization?
✔✔No. Looking up the PHI of friends, family members, coworkers, or public figures without a work-related need is a violation even if nothing is disclosed, and audit logs make such access detectable.
What is the minimum necessary rule in HIPAA?
✔✔When using, disclosing, or requesting PHI, limit it to the minimum needed to accomplish the intended purpose. The rule does not apply to disclosures to or requests by a health care provider for treatment, or to disclosures to the patient.
Can PHI be shared for research purposes without patient consent?
✔✔Only if the data are de-identified (so they are no longer PHI), an Institutional Review Board or Privacy Board has approved a waiver of the authorization requirement, or another research exception applies, such as a limited data set released under a data use agreement.
What should an employee do if they suspect a HIPAA violation?
✔✔Report it immediately to the supervisor or privacy officer.
How should paper medical records be securely disposed of?
✔✔By shredding or using another secure destruction method.
Can PHI be shared with family members if the patient is unable to consent?
✔✔Yes. If the patient is incapacitated or otherwise unable to agree or object, a provider may, using professional judgment, share the PHI directly relevant to the family member's involvement in the patient's care or payment when doing so is in the patient's best interest.
What is a Business Associate under HIPAA?
✔✔A person or entity that performs functions or services on behalf of a covered entity that involve creating, receiving, maintaining, or transmitting PHI.
What is the purpose of a Business Associate Agreement (BAA)?
✔✔To ensure the business associate protects PHI according to HIPAA regulations.
Can PHI be emailed without safeguards?
✔✔No. ePHI sent over an open network such as the Internet must be protected, typically by encrypting the message or the connection, unless the patient has asked for unencrypted email after being told of the risk.
What is considered a HIPAA breach?
✔✔An impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its privacy or security. Such an incident is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised.
Can patient information be discussed in public areas?
✔✔No, PHI must only be discussed in private, secure areas.
What is a physical safeguard for PHI?
✔✔Locking file cabinets, controlling facility access, and using security cameras.
What is an administrative safeguard for PHI?
✔✔Policies, procedures, and training to ensure workforce compliance.
What is a technical safeguard for PHI?
✔✔Access controls with unique user IDs and authentication, encryption of ePHI at rest and in transit, audit logs of system activity, and integrity controls.
Can employees post PHI on social media?
✔✔No, sharing PHI on social media is strictly prohibited.
What should an employee do if their electronic login credentials are compromised?
✔✔Report it immediately and follow password reset procedures.
Can PHI be shared for payment purposes?
✔✔Yes, as necessary to process claims and collect payment.
What is the Breach Notification Rule?
✔✔Requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI, to notify HHS (within the same 60 days for breaches affecting 500 or more individuals, otherwise in an annual log), and to notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction. A business associate must notify the covered entity.
Can patients revoke authorization for PHI disclosure?
✔✔Yes. A patient may revoke an authorization at any time in writing, except to the extent the covered entity has already acted in reliance on it.
What is the purpose of role-based access to PHI?
✔✔To ensure only authorized personnel access information needed for their job duties.
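The technical-safeguard and role-based-access answers above describe the same mechanism from two angles: an access control that limits each role to the minimum-necessary fields, plus an audit log that records every attempt so that snooping on a friend's or relative's record is detectable. The following Python example, added here and not part of the original Q&A page, shows one way to implement that check. The roles, field names, user directory, and patient records are constructed and hypothetical.

```python
"""Role-based, minimum-necessary access to patient records with an audit log.

Added example, not part of the original page. Roles, field names, users and
records below are constructed for illustration (hypothetical).
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed, fictional sample records; the field names are hypothetical.
RECORDS = {
    "MRN-1001": {"name": "Pat Example", "dob": "1980-01-01", "diagnosis": "asthma",
                 "medications": ["albuterol"], "insurance_id": "INS-0071", "balance_due": 120.0},
    "MRN-1002": {"name": "Sam Sample", "dob": "1975-06-30", "diagnosis": "hypertension",
                 "medications": ["lisinopril"], "insurance_id": "INS-0088", "balance_due": 0.0},
}

# Minimum-necessary policy per role (hypothetical roles): the fields a role may
# see for its job duties. Billing never sees diagnoses; the front desk sees only
# the demographics needed to check a patient in.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "insurance_id", "balance_due"},
    "front_desk": {"name", "dob"},
}

# Constructed workforce directory: each user's role and the patients they have a
# work-related relationship with (a treatment-team assignment or an open claim).
USERS = {
    "dr_lee": {"role": "physician", "assigned": {"MRN-1001"}},
    "bill_kim": {"role": "billing", "assigned": {"MRN-1001", "MRN-1002"}},
    "desk_ana": {"role": "front_desk", "assigned": {"MRN-1002"}},
}


class AccessDenied(Exception):
    """Raised when a user has no role or no work-related need for the record."""


@dataclass
class AuditEvent:
    when: datetime
    user: str
    mrn: str
    purpose: str
    allowed: bool
    fields: tuple = ()


@dataclass
class PhiStore:
    records: dict
    users: dict
    audit_log: list = field(default_factory=list)

    def access(self, user: str, mrn: str, purpose: str) -> dict:
        """Return only the minimum-necessary fields for the user's role, or raise.

        Every attempt, allowed or denied, is written to the audit log so that
        snooping (looking up a patient with no work-related need) is detectable.
        """
        entry = self.users.get(user)
        allowed = (
            entry is not None
            and mrn in self.records
            and mrn in entry["assigned"]        # work-related need for this patient
            and entry["role"] in ROLE_FIELDS     # role has a defined field policy
        )
        fields = tuple(sorted(ROLE_FIELDS[entry["role"]])) if allowed else ()
        self.audit_log.append(
            AuditEvent(datetime.now(timezone.utc), user, mrn, purpose, allowed, fields)
        )
        if not allowed:
            raise AccessDenied(f"{user} has no work-related need for {mrn}")
        # Filter the record down to the role's permitted fields (minimum necessary).
        return {k: v for k, v in self.records[mrn].items() if k in fields}

    def denied_attempts(self, user: str) -> list:
        """Audit query a privacy officer would run when reviewing a user."""
        return [e for e in self.audit_log if e.user == user and not e.allowed]


def demo() -> dict:
    store = PhiStore(RECORDS, USERS)
    out = {}
    out["physician"] = store.access("dr_lee", "MRN-1001", "treatment")
    out["billing"] = store.access("bill_kim", "MRN-1001", "payment")
    try:
        # Front-desk user looks up a patient who is not hers: denied and logged.
        store.access("desk_ana", "MRN-1001", "curiosity")
        out["snoop"] = "allowed"
    except AccessDenied:
        out["snoop"] = "denied"
    out["denied_count"] = len(store.denied_attempts("desk_ana"))
    return out


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

The physician sees clinical fields, billing sees only insurance and balance, and the front-desk lookup of an unassigned patient is refused while still leaving an audit entry; that entry, not the refusal alone, is what lets a privacy officer find repeated snooping.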
Can employees take PHI home on personal devices?
✔✔Only if organizational policy permits it and the required safeguards are in place, such as device encryption and a passcode, since an unencrypted lost or stolen device is a reportable breach.