HCCA – CHPC EXAM 2025 UPDATE QUESTIONS AND CORRECT VERIFIED ANSWERS ALREADY GRADED A+ (BRAND NEW VISION)
A privacy professional is preparing an education session in follow-up to a recent increase of lost or misplaced thumb drives that may have contained PHI, including patient SSNs. Which of the following would be the MOST beneficial for the privacy professional to review when preparing the education session?
a. GINA
b. HITECH
c. Sarbanes-Oxley
d. Social Security Act
Answer: b. HITECH
HIPAA Security Rule Subpart C (Security of ePHI) outlines the three safeguards that both Covered Entities and Business Associates must implement to ensure the Confidentiality, Integrity, and Availability of ePHI, to ensure compliance, and to protect against reasonably anticipated threats and/or reasonably anticipated uses/disclosures (incidental/inadvertent/unintentional).
Name the safeguards:
Answer: Physical, technical, and administrative safeguards
What does "unsecured PHI" mean under the HHS Secretary's guidance?
Answer: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance
Name examples for which an authorization is required, other than for use/disclosure of psychotherapy notes:
Answer: marketing and sale of PHI
What are the required core elements of a VALID Authorization? Ref. 45 CFR 164.508(b)
Answer:
1. Description
2. Purpose of use/disclosure
3. Recipient
4. Authorized person making the disclosure
5. Expiration date
6. Signature/dates
A HIPAA Valid Authorization must include all 6 core elements and 3 required statements; lack of any of these elements would be considered a _________ authorization.
Answer: Defective Authorization.
For instance:
(i) The authorization expiration date has passed or the expiration event is known by the covered entity to have occurred;
(ii) The authorization has not been filled out completely (missing core elements and required statements);
(iii) The authorization is known by the covered entity to have been revoked;
(iv) The authorization violates the compound authorization provisions or the prohibition on conditioning of authorizations, if applicable;
(v) Any material information in the authorization is known by the covered entity to be false.
Ref. 45 CFR 164.508(b)(2)
What are the three types of Authorization under the HIPAA rule?
Answer: Valid - Defective - Compound
45 CFR § 164.508(b)(1), (2) and (3)
True or False:
For dates as identifiers (birth date, admission date, discharge date, etc.), the exception to the "year only" allowance for dates is when the year indicates an age over 89, since very few individuals had reached that milestone when the definition was established.
Answer: TRUE
This Code of Federal Regulations (CFR) part applies to federally assisted Substance Use Disorder (SUD) programs or alcohol/drug treatment programs conducted directly by the federal or state/local government.
Answer: 42 CFR Part 2
True or False:
The federal law 42 CFR Part 2 is similar to the HIPAA state law preemption, where the more restrictive regulation prevails.
Answer: TRUE
True or False:
Part 2 Programs must always limit the amount of information disclosed, even in treatment situations, unlike HIPAA where the TPO exception applies.
Answer: TRUE
Examples of Numbers as Identifiers:
Answer:
• Phone and Fax Numbers
• Email Addresses
• Social Security Numbers
• Medical Records Numbers
• Health Plan Beneficiary Numbers
• Account Numbers
• Certificate/License Numbers
• Vehicle Identifiers
• Device Identifiers
• Internet Protocol Address
• Genetic Information
• URLs
Examples of Biometrics as Identifiers:
Answer:
• Finger and Voice Prints
• Full Face Photo and/or other images
• Any other Unique Individual Identifiers
Is genetic information a HIPAA PHI identifier?
Answer: Yes. Genetic info includes genetic tests, genetic counseling, and genetic disease/disorder. This information is also protected under GINA (Genetic Information Nondiscrimination Act of 2008).
Factors considered by HHS to impose civil monetary penalties (CMP)
Answer: Looking at the nature of the harm, for instance:
Was the violation due to "reasonable cause" or "willful neglect"?
If a provider is "clueless," then that might imply "willful neglect." The bottom line? Do the right thing and implement the necessary safeguards.
Have there been previous misconduct/violations?
Aggravating or mitigating circumstances?
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-B/part-155/subpart-C/section-155.285
Also: Health Care Privacy Compliance Handbook, 3rd edition, pg 17-18, under "Penalties" section.
GINA Title I
Answer: Title I makes it illegal to require or use genetic info to determine eligibility or coverage.
GINA Title II
Answer: Title II makes it illegal for an employer to use genetic info when making decisions about hiring, promotion, and several other terms of employment.