AHPREP-CMAA · CMAA — Certified Medical Administrative Assistant (NHA)·UnitAHPREP-CMAA · Unit 05Access: Premium
Unit 5: HIPAA and Regulatory Compliance
Prepare for Unit 5: HIPAA and Regulatory Compliance with practice questions covering 7 topics. Part of CMAA — Certified Medical Administrative Assistant (NHA) — build your knowledge and track your progress with AH Prep.
What’s in it.
7 topics- Topic 01
HIPAA Privacy Rule — PHI, Minimum Necessary, and Notice of Privacy Practices
34 questions - Topic 02
HIPAA Security Rule — Administrative, Physical, and Technical Safeguards
33 questions - Topic 03
HIPAA Breach Notification — Reporting Timelines and Corrective Action
39 questions - Topic 04
HITECH Act — Electronic PHI Protections and Penalties
36 questions - Topic 05
Advance Directives — Living Wills, Healthcare Proxies, and POLST
42 questions - Topic 06
Patient Rights — Access, Amendment, Accounting of Disclosures, and Complaints
48 questions - Topic 07
Mandatory Reporting — Abuse, Neglect, Communicable Diseases
34 questions
Sample questions
3 of manyA few questions from this unit, with the answer and a full explanation. The complete bank is available when you start practising.
An MA discovers that she inadvertently included the wrong patient's lab results in a records release sent to an insurance company two days ago. Which sequence of actions is most appropriate?
- Consult an attorney before reporting the incident to the Privacy Officer, because disclosures to the insurance company may have legal implications for the facility
- Complete a self-assessment using the four-factor risk assessment tool and determine independently whether notification is required before involving anyone else
- Notify the patient affected by the error immediately and provide a written apology; documentation can follow within the week
- Immediately notify the Privacy Officer of the incident, document what occurred (which records, which recipient, when), and allow the Privacy Officer and compliance team to conduct the breach risk assessment and determine notification obligationsCorrect answer
ExplanationThe MA's role is to promptly report the incident internally with as much relevant detail as possible — what records were included, to whom they were sent, and when. The Privacy Officer and compliance team then conduct the risk assessment, determine whether notification is required, and manage any corrective action including attempting to recover or have the misdirected records destroyed. The MA should not attempt to independently manage the breach or delay internal reporting. Key takeaway: the MA reports internally with relevant details and allows the Privacy Officer to manage the breach response process.
What is Protected Health Information (PHI) under the HIPAA Privacy Rule?
- Any health information created by a physician, regardless of whether it identifies the patient
- Only electronic health records stored in a certified EHR system used by a healthcare provider
- Health information that has been filed with a health insurance company for reimbursement purposes
- Individually identifiable health information held or transmitted by a covered entity or its business associate in any form — paper, electronic, or oralCorrect answer
ExplanationPHI under the HIPAA Privacy Rule is defined as individually identifiable health information that is created or received by a covered entity or business associate, relates to an individual's past, present, or future physical or mental health condition, healthcare provision, or payment for healthcare, and identifies or could be used to identify the individual. PHI exists in all forms — paper, electronic, and oral. Key takeaway: PHI is individually identifiable health information in any form held or transmitted by a covered entity or business associate.
A covered entity's Security Officer completes an applications and data criticality analysis and concludes that the billing system contains highly critical ePHI. However, the entity has no written emergency mode operation plan covering what staff should do during an outage. An OCR investigation begins. What is the most accurate assessment of the entity's compliance?
- The entity is compliant because it identified the billing system as critical, which demonstrates awareness of its contingency obligations under the Security Rule
- The entity has a compliance gap — the emergency mode operation plan is a required contingency plan component; completing the criticality analysis (an addressable component) does not satisfy the separate required obligation to have an emergency mode operation planCorrect answer
- The only required component of the contingency plan is the data backup plan; all other components including the emergency mode operation plan are addressable
- The emergency mode operation plan is only required for hospitals and large covered entities; smaller entities may rely on their vendor's emergency procedures instead
ExplanationThe contingency plan has three required components: (1) data backup plan; (2) disaster recovery plan; and (3) emergency mode operation plan. The applications and data criticality analysis is an addressable component. Completing an addressable component does not satisfy separate required components. The emergency mode operation plan, which governs how the entity continues critical operations during a system failure, is required for all covered entities regardless of size. Key takeaway: required and addressable contingency plan components are separate obligations — completing an addressable component does not substitute for a required one.