HIPAA Compliance Quiz Privacy and Security Rules

Q: What is the practical difference between the HIPAA Privacy Rule and the Security Rule?

The Privacy Rule sets rules for how PHI may be used or disclosed and what rights individuals have over their information. The Security Rule applies to ePHI and requires administrative, physical, and technical safeguards, such as access controls, audit controls, and risk management.

Q: Is encryption required under HIPAA?

Encryption is an addressable implementation specification under the Security Rule for data at rest and in transit. Addressable does not mean optional. You must implement encryption, implement an equivalent alternative, or document why neither is reasonable in your environment, based on your risk analysis.

Q: How fast must an organization respond to a patient’s request for access to records?

HIPAA sets a general expectation of responding within 30 days for access requests, with a possible one-time extension of up to 30 additional days if the individual is given a written explanation for the delay. Many compliance failures come from lost requests, unclear identity verification steps, or partial production of the designated record set.

8 – 16 Questions 6 min

This quiz targets the HIPAA Privacy Rule and Security Rule decisions that come up in real workflows, such as minimum necessary access, permissible disclosures, and required safeguards for ePHI. Use it to spot gaps that trigger OCR findings, including weak risk analysis, missing BAAs, and poor breach triage.

Start Quiz

Part 1 — Questions

Answer each question on paper. Do not turn the page until you are ready to check your work.

Protected Health Information (PHI) is health information that can identify a person and relates to their health condition, care, or payment for care.

True
False

You are sorting documents at a clinic. Which item is PHI by itself?

A list of appointment times with no names
A lab result labeled with a patient name
A staff schedule for next week
A patient’s blood pressure reading with no identifiers

You step away from your workstation at a nurses’ station. What is the best HIPAA-aligned action?

Close only the EHR tab
Turn the monitor brightness down
Lock the screen or log off
Leave it if you will be back soon

The minimum necessary standard applies to disclosures of PHI for treatment between health care providers.

True
False

Which is most likely considered a direct identifier under HIPAA’s de-identification “safe harbor” approach?

Email address
Age in years
City and state
Lab value range

A coworker from another department says, “I’m curious, can you pull up my neighbor’s lab results?” What should you do?

Access it only if you are friends with the neighbor
Access the record if you do not share it
Decline and report the inappropriate request per policy
Print it and remove the patient’s name

A patient wants their records emailed to a personal account even after you warn them ordinary email could be insecure. What is the most HIPAA-aligned response?

Refuse, HIPAA forbids sending PHI by email
Tell them to come in person, electronic copies are optional
Send it if the patient accepts the risk and requests that method
Send it only if you encrypt it with no exceptions

A provider may list a patient’s name on a sign-in sheet as long as it does not include diagnosis or other medical details.

True
False

You receive an email that looks like it is from IT asking you to “verify your password” to keep EHR access. What should you do first?

Reply with your password so you do not get locked out
Forward it to coworkers so they are aware
Report it as a suspected phishing attempt through the proper channel
Click the link if the email has the company logo

10.

A patient asks you to send their lab results directly to a third-party app they use for tracking. The patient signs a clear, written request with the destination specified. What should you do?

Send it only after the app signs a business associate agreement
Send it only if the doctor approves in writing
Refuse because apps are never secure
Send it as directed, treating it as a patient-directed disclosure

11.

A staff member accidentally emails a patient’s discharge summary to the wrong patient with a similar name. Which factor is most important in assessing whether there is a low probability of compromise?

Whether the sender feels sorry
Whether the recipient is authorized to receive that PHI and what they did with it
Whether the clinic has a privacy poster in the lobby
Whether the email subject line was short

12.

A therapist keeps separate “psychotherapy notes” documenting detailed session conversations. A patient requests “my entire record.” What is the most accurate HIPAA treatment of psychotherapy notes?

They are not PHI if kept separately
They must always be included with the rest of the record
They can be shared freely for payment activities
They can generally be excluded from the access right and have special authorization rules

Part 2 — Answer key

Compare your answers after you have finished Part 1.

Protected Health Information (PHI) is health information that can identify a person and relates to their health condition, care, or payment for care.
True
You are sorting documents at a clinic. Which item is PHI by itself?
A lab result labeled with a patient name
You step away from your workstation at a nurses’ station. What is the best HIPAA-aligned action?
Lock the screen or log off
The minimum necessary standard applies to disclosures of PHI for treatment between health care providers.
False
Which is most likely considered a direct identifier under HIPAA’s de-identification “safe harbor” approach?
Email address
A coworker from another department says, “I’m curious, can you pull up my neighbor’s lab results?” What should you do?
Decline and report the inappropriate request per policy
A patient wants their records emailed to a personal account even after you warn them ordinary email could be insecure. What is the most HIPAA-aligned response?
Send it if the patient accepts the risk and requests that method
A provider may list a patient’s name on a sign-in sheet as long as it does not include diagnosis or other medical details.
True
You receive an email that looks like it is from IT asking you to “verify your password” to keep EHR access. What should you do first?
Report it as a suspected phishing attempt through the proper channel
A patient asks you to send their lab results directly to a third-party app they use for tracking. The patient signs a clear, written request with the destination specified. What should you do?
Send it as directed, treating it as a patient-directed disclosure
A staff member accidentally emails a patient’s discharge summary to the wrong patient with a similar name. Which factor is most important in assessing whether there is a low probability of compromise?
Whether the recipient is authorized to receive that PHI and what they did with it
A therapist keeps separate “psychotherapy notes” documenting detailed session conversations. A patient requests “my entire record.” What is the most accurate HIPAA treatment of psychotherapy notes?
They can generally be excluded from the access right and have special authorization rules

1Protected Health Information (PHI) is health information that can identify a person and relates to their health condition, care, or payment for care.

True / False

2You are sorting documents at a clinic. Which item is PHI by itself?

3You step away from your workstation at a nurses’ station. What is the best HIPAA-aligned action?

4The minimum necessary standard applies to disclosures of PHI for treatment between health care providers.

True / False

5Which is most likely considered a direct identifier under HIPAA’s de-identification “safe harbor” approach?

6A coworker from another department says, “I’m curious, can you pull up my neighbor’s lab results?” What should you do?

7A patient wants their records emailed to a personal account even after you warn them ordinary email could be insecure. What is the most HIPAA-aligned response?

8A provider may list a patient’s name on a sign-in sheet as long as it does not include diagnosis or other medical details.

True / False

9You receive an email that looks like it is from IT asking you to “verify your password” to keep EHR access. What should you do first?

10A patient asks you to send their lab results directly to a third-party app they use for tracking. The patient signs a clear, written request with the destination specified. What should you do?

11A staff member accidentally emails a patient’s discharge summary to the wrong patient with a similar name. Which factor is most important in assessing whether there is a low probability of compromise?

12A therapist keeps separate “psychotherapy notes” documenting detailed session conversations. A patient requests “my entire record.” What is the most accurate HIPAA treatment of psychotherapy notes?

Disclaimer

This quiz is for educational purposes only. It does not constitute professional advice. Consult a qualified professional for specific guidance.

HIPAA Privacy and Security Rule Mistakes That Trigger Audit Findings

Most HIPAA misses are not about memorizing acronyms. They come from mixing up what the Privacy Rule permits, what the Security Rule requires for ePHI, and what your organization must be able to prove through documentation.

Frequent Privacy Rule errors

Over-sharing for “convenience”: staff disclose PHI beyond the minimum necessary for payment or operations. Fix: build role-based workflows and default to limited datasets for routine tasks.
Using the wrong legal basis: teams treat patient authorization, consent, and “allowed without authorization” as interchangeable. Fix: map common disclosures to TPO (treatment, payment, health care operations) versus situations that need a signed authorization, such as many marketing disclosures.
Weak patient-rights handling: access requests are delayed, routed informally, or fulfilled with incomplete records. Fix: standardize intake, identity verification, and response time tracking.

Frequent Security Rule errors

Risk analysis that is outdated or superficial: inventories miss cloud apps, endpoints, or remote access paths. Fix: keep an ePHI data flow map and tie risks to specific safeguards and remediation dates.
Misunderstanding “addressable” safeguards: teams assume addressable means optional. Fix: document the decision to implement, implement an equivalent alternative, or not implement with a defensible rationale.
Access control gaps: shared accounts, missing MFA on remote access, or poor termination procedures. Fix: unique user IDs, least privilege, and automated deprovisioning.

Breach and vendor pitfalls

No Business Associate Agreement before a vendor touches PHI. Fix: require BAAs in procurement and re-check subcontractor chains.
Assuming “no harm” means no breach: breach decisions are made without a documented risk assessment. Fix: use a consistent breach triage checklist and retain evidence.

Authoritative HIPAA Privacy, Security, and Breach Notification References

Use these primary sources to confirm rule text, official interpretations, and security implementation expectations.

HIPAA Guidance Materials (Privacy): OCR guidance and professional FAQs on permitted uses and disclosures, patient rights, and common scenarios.
The Security Rule (HHS): Security Rule overview, guidance links, and tools related to administrative, physical, and technical safeguards.
Guidance on Risk Analysis: OCR expectations for risk analysis scope, documentation, and common mistakes.
Breach Notification Rule (HHS): requirements for notifying individuals, HHS, and media after a breach of unsecured PHI.
NIST SP 800-66 (HIPAA Security Rule Implementation Guide): a detailed framework for translating Security Rule standards into practical security controls.

HIPAA Privacy and Security Rules FAQ for Compliance Professionals

What is the practical difference between the HIPAA Privacy Rule and the Security Rule?

The Privacy Rule sets rules for how PHI may be used or disclosed and what rights individuals have over their information. The Security Rule applies to ePHI and requires administrative, physical, and technical safeguards, such as access controls, audit controls, and risk management.

When does the “minimum necessary” standard apply, and when does it not?

Minimum necessary generally applies to uses and disclosures for payment and health care operations, and to many internal uses. It typically does not apply to disclosures for treatment, disclosures to the individual, disclosures required by law, or disclosures made pursuant to a valid HIPAA authorization. Your policies should spell out role-based limits.

Is encryption required under HIPAA?

Encryption is an addressable implementation specification under the Security Rule for data at rest and in transit. Addressable does not mean optional. You must implement encryption, implement an equivalent alternative, or document why neither is reasonable in your environment, based on your risk analysis.

What makes someone a Business Associate, and what is the common BAA mistake?

A Business Associate is a person or entity that performs functions or services for a covered entity that involve creating, receiving, maintaining, or transmitting PHI. The common mistake is signing the vendor contract first and handling the BAA later. If the vendor handles PHI, the BAA should be executed before any PHI is shared.

What is “unsecured PHI,” and why does it matter for breach notification?

Unsecured PHI is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons using approved methods, such as certain encryption approaches. If PHI is properly secured, an incident may not trigger breach notification duties. If it is unsecured, you generally need a documented breach risk assessment and timely notifications when required.

How fast must an organization respond to a patient’s request for access to records?

HIPAA sets a general expectation of responding within 30 days for access requests, with a possible one-time extension of up to 30 additional days if the individual is given a written explanation for the delay. Many compliance failures come from lost requests, unclear identity verification steps, or partial production of the designated record set.

Looking for more? Browse more Compliance & Safety quizzes on QuizWiz or explore the full QuizWiz workplace quiz library.