Free HIPAA Practice Test
Free HIPAA practice test with answers and explanations.
Check your HIPAA knowledge in a few minutes. This free practice test covers the Privacy Rule, Security Rule, breach notification, business associates, and the everyday workplace situations that trip people up. You see whether each answer is right as you go, then unlock your scored results, full explanations, and a study plan at the end.
Free practice test
Start your HIPAA practice test
10 multiple-choice questions across the Privacy Rule, Security Rule, breach notification, business associates, and real workplace scenarios. You see whether each answer is right as you go. At the end you unlock your scored results, full explanations, and a short study plan.
This practice test helps you study. It is not a substitute for completing an accredited HIPAA course and earning a dated certificate.
What it covers
The six HIPAA topic areas in this practice test
Privacy Rule
PHI, minimum necessary, and patient rights
Identify protected health information, apply the minimum necessary standard, and answer questions about access, amendment, and accounting of disclosures.
Security Rule
Administrative, physical, and technical safeguards
Tell the three safeguard categories apart, recognize access controls and encryption decisions, and connect risk analysis to real safeguards.
Breach Notification
Timelines, thresholds, and incident response
Know the 60-day window, the 500-individual media threshold, and the right first move when PHI is sent to the wrong person.
Business Associates
When a vendor needs a BAA
Decide when a vendor is a business associate, what a business associate agreement does, and where covered-entity responsibility still applies.
Enforcement
OCR, penalty tiers, and willful neglect
Understand who enforces HIPAA, how civil penalty tiers map to culpability, and why curiosity-driven record snooping is a frequent violation.
Workplace Scenarios
Hallway conversations, email, and snooping
Work through everyday situations where reasonable safeguards, incidental disclosure rules, and the right of access decide the correct answer.
Study guide
How to read each HIPAA topic before you answer
HIPAA basics: who is covered and what counts as PHI
HIPAA, the Health Insurance Portability and Accountability Act, sets national rules for how protected health information is used and disclosed. The rules apply to covered entities, which are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions such as claims and eligibility checks. The rules also reach business associates, the vendors and contractors that handle protected health information on behalf of those covered entities. If a company is neither of those, HIPAA usually does not apply to it, even when it touches health data, although other privacy laws might.
Protected health information, or PHI, is individually identifiable health information. The test it has to pass is simple: does the data identify a person, and does it relate to their health, care, or payment for care? A name next to a diagnosis is PHI. A medical record number tied to a visit is PHI. A fully de-identified dataset with no identifiers is not PHI, because no one can be singled out. HIPAA lists 18 identifiers, including names, dates, contact details, account numbers, and device identifiers, and any of them linked to health information turns ordinary data into PHI.
The Privacy Rule and the minimum necessary standard
The Privacy Rule controls how PHI may be used and shared. The most important idea to carry into the exam is the minimum necessary standard: you use, disclose, or request only the PHI that is reasonably needed for the task in front of you. A billing clerk filing a claim needs the procedure code, not the full clinical note. A scheduler needs an appointment time, not a complete history. The clearest violations on a test involve someone reaching for far more information than the job requires.
There is one large exception worth memorizing. Minimum necessary does not restrict disclosures for treatment among providers, because clinicians need a complete picture to care for a patient safely. The Privacy Rule also permits use and disclosure for treatment, payment, and healthcare operations, often shortened to TPO, without a separate patient authorization. Most other uses, such as marketing or selling a patient list, require written authorization from the patient.
Patient rights you will be tested on
Patients hold several rights under the Privacy Rule, and questions love to probe the edges of them. The right of access lets a patient inspect and obtain a copy of their records, generally within 30 days (one 30-day extension is allowed if the patient is told in writing why), for no more than a reasonable cost-based fee. Patients can request an amendment when they believe a record is wrong, request an accounting of certain disclosures, and request restrictions on how their information is used. What patients cannot do is force a provider to permanently delete a lawful medical record on demand, and HIPAA does not control what a person voluntarily shares about their own health on social media.
The Security Rule: three kinds of safeguards
The Security Rule protects electronic PHI through three safeguard categories, and you should be able to sort any example into the right bucket. Administrative safeguards are the policies and people side: workforce training, risk analysis, access management, and sanction policies. Physical safeguards control physical access to systems and devices, such as locking server rooms, securing workstations, and controlling the disposal of media. Technical safeguards live in the technology itself: unique user IDs, authentication, access control, audit logs, and encryption.
Two details show up often. First, the risk analysis is foundational. It identifies risks to the confidentiality, integrity, and availability of electronic PHI so the organization can put reasonable and appropriate safeguards in place. Second, encryption is an addressable specification, not a flat mandate. Addressable does not mean optional. It means you assess whether encryption is reasonable and appropriate, implement it when it is, and document your reasoning and any equivalent alternative when it is not.
Breach notification: timelines and thresholds
When unsecured PHI is breached, the clock starts at discovery. Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery. If a breach affects 500 or more individuals, the entity also notifies the Department of Health and Human Services within that same 60-day window, and if 500 or more of them live in one state or jurisdiction, it must notify prominent media outlets serving that area as well. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered. The exam-friendly takeaway is the 60-day outer limit and the 500-individual threshold.
The most realistic scenario on any HIPAA test is a simple human mistake, such as emailing PHI to the wrong recipient. The right first move is to report it immediately through your incident response process so the team can contain the problem, run a risk assessment, and document everything. Quietly deleting the message or waiting to see if anyone complains skips the analysis the rules require and makes a small mistake worse.
Business associates and BAAs
A business associate is a person or company that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Cloud storage providers, billing companies, IT contractors, and many software vendors fall into this category. Before PHI changes hands, the parties sign a business associate agreement, or BAA, which contractually obligates the business associate to safeguard PHI and follow applicable HIPAA requirements. A BAA does not erase the covered entity's own duties, and signing one does not transfer all liability away. When a question describes a new vendor that will handle patient data, the key issue is almost always whether a BAA is in place.
Enforcement and penalties
The Department of Health and Human Services, Office for Civil Rights, known as OCR, is the primary enforcer of the Privacy, Security, and Breach Notification Rules. Civil monetary penalties follow a tiered structure based on culpability, ranging from cases where the entity did not know and could not reasonably have known, up to willful neglect that was never corrected. The dollar amounts and annual caps are adjusted over time, so a good test answer focuses on the tiered, culpability-based structure rather than memorizing a specific number. One behavior that regulators and employers treat seriously is snooping, meaning accessing records out of curiosity with no work-related reason. It is a violation even if nothing is shared.
De-identification and the two HIPAA methods
Questions often hinge on whether data is still PHI. HIPAA recognizes two ways to de-identify information so it falls outside the Privacy Rule. The first is Safe Harbor, which removes 18 specific categories of identifiers, including names, all geographic detail smaller than a state with a narrow exception for the first three ZIP code digits (and even those become 000 where the three-digit area holds 20,000 or fewer people), all date elements more specific than a year, all ages over 89 unless collapsed into a single "90 or older" category, phone and fax numbers, email addresses, account and record numbers, biometric identifiers, and full-face photos. The second is the expert determination method, where a qualified expert in statistical and scientific de-identification methods documents that the risk of re-identification is very small. Once data is properly de-identified, it is no longer PHI and can be used more freely. The trap on a test is assuming that simply deleting a name is enough, because a date of service paired with a small town can still identify someone.
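To make the Safe Harbor rules concrete, here is an added example written for this page (not code from the test provider or from HHS) that applies them to a single patient record. It assumes a flat dictionary with the field names shown below; the schema, the sample record and the as-of date are all constructed for the example. It keeps only an allowlist of clinical fields, so anything unrecognized is dropped rather than passed through, which is the safer default when the input may contain identifiers the author did not anticipate.

```python
"""Safe Harbor de-identification of one patient record (illustrative example).

Implements the transformations described in the study guide: direct
identifiers are removed, the ZIP code is cut to its first three digits
(or 000 for sparsely populated areas), dates are reduced to the year, and
ages over 89 collapse into a single "90+" category with the birth year
withheld. Field names are an assumption for this example, not a schema
defined by HIPAA.
"""
import json
from datetime import date

# Clinical fields allowed through unchanged. Everything not listed here or
# handled specially below is dropped, including names, MRNs, emails and any
# field we did not anticipate.
PASSTHROUGH_FIELDS = {"sex", "diagnosis_code", "procedure_code"}

# Dates other than birth date: only the year survives.
DATE_FIELDS = {"admission_date", "discharge_date", "date_of_death"}

# Three-digit ZIP prefixes covering 20,000 or fewer people (HHS Safe Harbor
# guidance, based on the 2000 Census). Safe Harbor requires these to become
# 000. A real implementation should refresh this list from current data
# rather than hard-code it.
SPARSE_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}


def generalize_zip(zip_code):
    """Return the first three ZIP digits, or "000" for sparse areas.

    Malformed input (fewer than five digits) yields None so the caller
    drops the field instead of emitting a partial, possibly misleading value.
    """
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3


def year_only(iso_date):
    """Reduce an ISO date string (YYYY-MM-DD) to its year."""
    return date.fromisoformat(iso_date).year


def age_category(dob_iso, as_of_iso):
    """Age in whole years on the as-of date; ages over 89 become "90+"."""
    born = date.fromisoformat(dob_iso)
    as_of = date.fromisoformat(as_of_iso)
    had_birthday = (as_of.month, as_of.day) >= (born.month, born.day)
    age = as_of.year - born.year - (0 if had_birthday else 1)
    return "90+" if age > 89 else age


def safe_harbor(record, as_of_iso):
    """Return a new dict containing only Safe Harbor-compliant fields."""
    out = {}
    for field, value in record.items():
        if field in PASSTHROUGH_FIELDS:
            out[field] = value
        elif field == "zip":
            zip3 = generalize_zip(value)
            if zip3 is not None:
                out["zip3"] = zip3
        elif field == "dob":
            age = age_category(value, as_of_iso)
            out["age"] = age
            # A birth year for someone over 89 would itself reveal the age,
            # so it is withheld along with the full date.
            if age != "90+":
                out["birth_year"] = year_only(value)
        elif field in DATE_FIELDS:
            out[field + "_year"] = year_only(value)
        # Any other field is a direct identifier or unknown: dropped.
    return out


# Constructed sample record for this example; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0001234",
    "email": "jane@example.com",
    "street_address": "12 Elm St",
    "city": "Sampleville",
    "zip": "05901",            # 059 is a sparse prefix, so it becomes 000
    "dob": "1932-03-15",
    "admission_date": "2024-11-02",
    "sex": "F",
    "diagnosis_code": "E11.9",
    "procedure_code": "99213",
}

if __name__ == "__main__":
    print(json.dumps(safe_harbor(SAMPLE_RECORD, "2025-06-01"), indent=2))
```

Running it on the sample record as of 2025-06-01 yields only zip3 000, age "90+", the admission year 2024, and the three clinical fields; the name, MRN, email, address and the full birth date are gone. Note what this code does not do: it says nothing about whether the remaining fields, in combination with other data, still identify someone, which is exactly the question the expert determination method exists to answer.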
Notice of Privacy Practices and authorizations
Covered entities must give patients a Notice of Privacy Practices that explains how their information may be used and disclosed and what rights they hold. The notice is not a permission slip; it is a disclosure document. Separate from the notice, a valid HIPAA authorization is a signed form that grants permission for uses beyond treatment, payment, and operations. A test answer is usually wrong if it treats the notice as consent for marketing, or if it claims that treatment and routine billing need a signed authorization. They do not. Marketing that involves payment from a third party, and any sale of PHI, almost always require an explicit authorization, and patients can revoke an authorization in writing.
Incidental disclosures versus impermissible disclosures
Not every overheard detail is a violation. The Privacy Rule tolerates incidental disclosures, the limited and unavoidable byproducts of an otherwise permitted use, as long as the entity applies reasonable safeguards and follows the minimum necessary standard. A visitor catching a fragment of a clinical conversation in a treatment area can be acceptable. An impermissible disclosure is different: sharing PHI with someone who has no legitimate reason to receive it, or sharing far more than the situation requires. The exam-friendly distinction is whether reasonable safeguards were in place and whether the underlying use was permitted. Lowering your voice, using private rooms when practical, and positioning screens away from public view are the safeguards that turn a risky moment into an acceptable incidental one.
Workforce sanctions and a culture of compliance
The Security Rule and the Privacy Rule both expect organizations to apply sanctions against workforce members who violate policies, and to document those sanctions. This is why snooping cases end in discipline or termination even when no information leaves the building. Training, clear policies, role-based access, audit log review, and consistent enforcement work together as a program rather than as isolated rules. On a test, the best answer in a workforce scenario usually combines reporting the issue, applying the policy evenly, and documenting the outcome, rather than handling it quietly or making a one-time exception. A compliance program is judged on whether it is real and consistent, not on whether a binder of policies exists.
HITECH, the Omnibus Rule, and direct liability for vendors
The original 1996 law was strengthened by the HITECH Act in 2009 and the Omnibus Rule in 2013. Two changes matter most for a test. First, business associates became directly liable for many HIPAA requirements, so a vendor can now be investigated and penalized by OCR on its own, not only through the covered entity that hired it. Second, the breach standard shifted toward a presumption that an impermissible use or disclosure of unsecured PHI is a breach unless a documented four-factor risk assessment shows a low probability that the information was compromised. The four factors look at the nature of the PHI, who received or used it, whether it was actually viewed or acquired, and the extent to which the risk has been mitigated. If a question asks who can be held responsible for a vendor mishandling PHI, the modern answer often includes both the covered entity and the business associate.
State laws, the floor rule, and where HIPAA stops
HIPAA sets a federal floor, not a ceiling. When a state privacy law is more protective of the individual or grants greater rights, the stricter state requirement generally applies on top of HIPAA. This is why organizations in states with their own health privacy statutes follow both. It also helps to remember what HIPAA does not cover. HIPAA does not regulate every entity that touches health data, so many consumer apps, wearables, and direct-to-consumer services sit outside it, even though other laws such as state privacy statutes or Federal Trade Commission rules may still apply. HIPAA also does not restrict what individuals choose to share about their own health. Knowing the edges of the law is as useful on a test as knowing the core rules, because several questions are designed to see whether you can recognize when HIPAA simply does not apply.
Common mistakes that cost points
A few errors show up again and again. People assume encryption is always mandatory when it is an addressable specification that still must be addressed and documented. They assume a signed BAA moves all liability to the vendor when the covered entity keeps its own duties. They confuse the 30-day right of access timeline with the 60-day breach notification deadline. They treat the Notice of Privacy Practices as consent. They forget that minimum necessary does not apply to treatment disclosures between providers. And they pick the quiet option in an incident scenario when the rules require prompt reporting and documentation. Slowing down to ask which rule the question is testing, and what that rule actually requires, prevents most of these mistakes.
How to use your practice score
After you finish, the summary breaks your result down by topic so you can see exactly where to study. If business associates or breach notification came back weak, open the matching guides below and run the practice test again. Aim for 90 percent or higher before you sit for a graded assessment. That margin shows you understand the reasoning, which matters more than memorizing an answer key, because real situations rarely look exactly like a sample question.
Keep studying
Guides that match each practice test topic
Privacy Rule
HIPAA training requirements
See who needs training, how often, and what regulators expect you to document.
Read the requirements
Security Rule
HIPAA Security Rule explained
Walk through administrative, physical, and technical safeguards in plain English.
Study safeguards
Breach
HIPAA breach notification
Learn the notification timelines, thresholds, and documentation a breach triggers.
Review breach rules
Vendors
Business associate agreements
Understand when a BAA is required and what it must cover before PHI changes hands.
Open BAA guide
Checklist
Free HIPAA compliance checklist
Run a clean first pass through training, vendors, risk analysis, and proof.
Get the checklist
Certification
How to get HIPAA certified
See the full path from training to a dated, verifiable certificate.
See the steps
Practice test FAQ
Common questions about the HIPAA practice test
Is this HIPAA practice test really free?
Yes. The practice test is free and needs no account to start. You answer the questions, then enter your email at the end to unlock your full results, the answer explanations, and a study plan, which we also send to your inbox. It is a study aid that helps you check your knowledge before you take an accredited course and earn a real certificate.
Does passing this practice test make me HIPAA certified?
No. A practice test cannot certify you. Certification comes from completing an accredited HIPAA course and passing its graded assessment, which produces a dated certificate you and your employer can verify. The practice test simply tells you where you stand.
What score should I aim for?
Most graded HIPAA assessments use a passing line around 70 to 80 percent. Aim for 90 percent or better on the practice test so you have a comfortable margin on the real exam and a genuine grasp of the material rather than lucky guesses.
How many questions are on the practice test?
Each run draws 10 questions from a pool of 26, and the order changes between attempts, so you can retake it several times and see different combinations. Every question includes an explanation so you learn the reasoning, not just the answer key.
Who should take a HIPAA practice test?
Anyone whose work touches protected health information benefits: nurses, medical assistants, front-desk and billing staff, IT and security teams, remote and telehealth workers, and business associate employees at vendors that handle PHI for healthcare clients.
How long is a HIPAA certificate valid?
There is no single federal expiration date, but most organizations require HIPAA training at least once a year and after major policy changes. Annual renewal is the common standard, and a dated certificate makes renewal tracking simple.
From practice to proof
Ready to turn study time into proof? See the HIPAA certification courses or compare team pricing for annual renewals.