TEST 2026 COMPLETE QUESTIONS WITH
SOLUTIONS GRADED A+
⩥ DVD medical records are destroyed by Answer: Shredding and
cutting
⩥ Few other examples for use or disclosure of PHI other than TPO:
Answer: Public health interest, research, serious threat, organ/tissue
donation, decedent information, worker's compensation insurers.
⩥ Give examples of administrative safeguards Answer: • Policies and
procedures
• Training and education
• Designation of individuals (Ex. Security Officer)
• Contingency Planning
⩥ Give examples of physical safeguards Answer: • Facility security or
access plan
• Disposal processes and media reuse
• Data backup and storage
⩥ Give examples of technical safeguards Answer: • Passwords
• Encryption
• Auto Log Off
• Unique User Identification
⩥ HIPAA "consent" and "authorization" have key differences, what are
they? Answer: Consent is voluntary for TPO, while authorization is
required by the Privacy Rule for use and disclosure of PHI
https://www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html
⩥ What is the primary difference between HIPAA authorization and
Right of Access? (regarding disclosure) Answer: HIPAA authorization is
a PERMITTED disclosure.
and
Right of Access is a REQUIRED disclosure
https://www.law.cornell.edu/cfr/text/45/164.524
⩥ What is excluded from the Right of Access? Answer: 1. any
information that is not part of the Designated Records Set
2. Psychotherapy notes/records (see 45 CFR 164.524(a)(1)(i) and
164.501)
3. Records gathered in anticipation of, or for use in, a civil, criminal, or
administrative action or proceeding (45 CFR 164.524(a)(1)(ii))
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
⩥ HIPAA Civil Penalties Answer: Did not know: $100 to $50K
Reasonable cause: $1000 to $50K
Willful neglect, corrected in 30 days: $10K to $50K
Willful neglect, not corrected in 30 days: $50K: Max per year: $1.5
million
⩥ HIPAA Criminal Penalties Answer: Committed offense Knowingly -
up to 1 year in prison + $50,000
Committed offense under False Pretense: 5 years + $100,000
Committed offense with Intent, Harm/Personal Gain: 10 years +
$250,000
⩥ HIPAA of 1996, examples of criminal offense Answer: Makes it a
criminal offense to submit claims based on incorrect codes or medically
unnecessary services and the government has the power to exclude the
organization from Medicare, Medicaid, and a long list of other
government programs.
⩥ Security Rule Documentation requirements: how long must the CE
maintain written records? Answer: at least 6 years from the date the
record was created or effective date
⩥ Risk Assessment to determine LoProCo: Answer: 1. Nature and extent
of PHI involved including type of identifiers and likelihood of
reidentification;
2. The unauthorized person who used the PHI or to whom the disclosure
was made;
3. Whether the PHI was actually acquired or viewed; and
4. The extent to which the risk to the PHI has been mitigated.
⩥ HITECH is part of what? Answer: American Recovery and
Reinvestment Act (ARRA)
⩥ How long is PHI protected after the person's death? Answer: 50 years
⩥ How many identifiers are listed in the HIPAA Privacy Rules? Answer:
18
⩥ Laser Discs medical records are destroyed by Answer: Pulverizing
⩥ Levels of Confidentiality Answer: Confidential
Anonymous