Which of the following is not considered a HIPAA Entity Designation?
1. Affiliated covered entity
2. Entity that performs healthcare and non-healthcare component activities, including both covered and non-covered functions
3. A group health plan
4. Contract arrangement with FEDEX carrier - answer>>>4. Contract arrangement with FEDEX carrier
What is a key concept of the Privacy Rule?
a. Training
b. Minimum necessary
c. Communication
d. Notice of Privacy Practices - answer>>>b. Minimum Necessary
The concept of "minimum necessary" is central to the Privacy Rule, and means to use or disclose the minimum amount of PHI needed for the intended purpose.
How long does the Privacy Rule state that a practice or covered entity needs to retain medical records?
a. Five years
b. Not stated
c. Six years
d. Seven years - answer>>>b. Not stated
The Privacy Rule does not include medical record retention requirements, and covered entities may destroy such records at the time permitted by state or other applicable law.
Note: practice question from AAPC CPCO Ch5
The Privacy Rule does not restrict the use or disclosure of _______________, which neither identifies nor provides a reasonable basis to identify an individual.
a. non-protected health information (non-PHI)
b. reverse PHI
c. regulated PHI
d. de-identified health information - answer>>>d. de-identified health information.
Ref. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html
Protected health information (PHI) is considered de-identified by HIPAA Privacy Rule standards by:
a. absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual
b. removal of only patient name and date of birth
c. a formal determination by a qualified expert
d. the removal of 18 specified individual identifiers
e. A, C and D
f. All of the answers - answer>>>e. A, C and D
The Privacy Rule provides two de-identification methods: 1) a formal determination by a qualified expert; or 2) the removal of specified individual identifiers, as well as absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual.
Ref. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#preparation
The HIPAA Privacy Rule covers:
a. Health plans
b. Health care clearinghouses
c. Health care providers who conduct certain financial and administrative transactions electronically
d. Life insurance companies
e. A, B and C only - answer>>>e. A, B and C only
Collectively, the rule covers only "Covered Entities". It does not cover or regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits.
Ref. https://www.hhs.gov/hipaa/for-professionals/faq/190/who-must-comply-with-hipaa-privacy-standards/index.html
What are the 3 components that make up security? - answer>>>Security CIA:
Confidentiality
Integrity
Availability
What is a Business Associate (BA)? What do they do in healthcare? - answer>>>A BA is an entity that performs or assists Covered Entities in activities involving the use or disclosure of individually identifiable health information (IIHI) on behalf of a Covered Entity, or provides services such as legal, actuarial, accounting, data aggregation, or financial services for a covered entity.
What is a Health Care Clearinghouse? - answer>>>Entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.
What is De-identified PHI? - answer>>>Health information that does not identify an individual, and for which there is no reasonable basis to believe that the information can be used to identify an individual.
What is HIPAA Administrative Simplification? - answer>>>These are national standards covering transactions, identifiers, code sets, and operating rules. Objectives:
1. reduce paperwork,
2. increase electronic transaction adoption,
3. standardize operating rules (claims),
4. overall, improve security in Electronic Data Interchange (EDI)
Key elements included in the HIPAA Administrative Simplification: - answer>>>Administrative Simplification Rule:
• Electronic transaction standards - rules for electronic exchange (e.g. claims, eligibility, payments)
• Standard code sets (e.g. ICD-10, CPT)
• Unique Identifiers - healthcare plan (HPID), national provider (NPI), employer (EIN)
See 45 CFR 162: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-162
What is HIPAA? - answer>>>Comprehensive legislation that protects health information, ensures access to health coverage for those who change jobs or are temporarily out of work, and provides funding to DOJ and FBI for Medicare fraud investigations.
What is a Limited Data Set? - answer>>>Provides HIPAA Minimum Necessary (excluding the direct identifiers) - applies to areas such as Public Health, Research, and Healthcare Operations.
A CE must have a DUA in order to disclose the Limited Data Set.
Ref. https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/limited-data-set/index.html
What is the record retention period for HIPAA related work product? - answer>>>6 years
What is the timeframe requirement to train new employees about HIPAA? - answer>>>"within a reasonable period of time after the person joins the covered entity's workforce"
What is Unsecured PHI? - answer>>>PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.
What subpart in Part 164 deals with Privacy? - answer>>>Subpart E (Hint: Privacy....Privacy-E)
What subpart in Part 164 deals with Security? - answer>>>Subpart C (Hint: "C"-curity)
Which of the following would be considered an incidental disclosure of PHI?
a. Patient overhearing a nurse on the phone discussing lab results with another patient
b. An email containing a large list of patients (names, addresses, and Medicare ID Numbers) was sent unsecured to a yahoo.com email address
c. An email sent to another employee on a secure server, but the employee who received it was the wrong employee
d. A and C are correct
e. None of the above are correct - answer>>>a. Patient overhearing a nurse on the phone discussing lab results with another patient.
Ref. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/incidental-uses-and-disclosures/index.html
Incidental vs. Accidental:
Accidental and incidental can both mean "something happening by chance," but usage suggests that "accidental" also implies an element of carelessness or inattention, while "incidental" implies the occurrence would have happened with or without attention or care.