HIPAA Practice Questions and Answers
Question 1: A patient calls the pharmacy asking for details about their spouse’s recent prescription refill. The spouse has not given written authorization.
What should the pharmacy staff do?
A) Provide the information since they’re married
B) Refuse to provide information without patient authorization
C) Provide only limited information like medication name
D) Send the caller to the pharmacist for approval
Answer: B
Under the HIPAA Privacy Rule, PHI generally may not be disclosed to a third party, including a spouse or other family member, without the patient's authorization unless a specific exception applies (for example, the patient has agreed, or has been given the opportunity to object, to sharing information with a family member involved in their care). With no authorization on file and no indication the patient has agreed, staff should refuse.
Question 2: A pharmacy technician overhears another technician discussing a patient’s HIV medication in the break room where others can hear.
What HIPAA rule is potentially being violated?
A) Minimum Necessary Rule
B) Patient Authorization
C) Privacy Rule
D) Security Rule
Answer: C
The HIPAA Privacy Rule requires safeguarding PHI in every form, including spoken PHI. Discussing a patient's medication where uninvolved people can overhear is an impermissible verbal disclosure; staff should confine such conversations to private areas and to workforce members who need the information.
Question 3: A patient wants to review their pharmacy records and asks for a printed copy.
What should the pharmacy do under HIPAA?
A) Refuse due to privacy concerns
B) Charge an excessive fee to discourage printing
C) Allow access and provide the copy within 30 days
D) Provide only if the patient submits a formal legal request
Answer: C
The HIPAA right of access entitles a patient to inspect and obtain a copy of their records, normally within 30 days of the request (one 30-day extension is permitted if the patient is told the reason in writing), for no more than a reasonable, cost-based fee. No lawyer or legal process is required.
Question 4: A pharmacist is emailing a patient about their lab results but uses a personal email account without encryption.
Which HIPAA safeguard is at risk?
A) Physical safeguard
B) Administrative safeguard
C) Technical safeguard
D) Authorization safeguard
Answer: C
The Security Rule's technical safeguards cover transmission security and access control for ePHI. Sending lab results from an unencrypted personal account bypasses the pharmacy's controlled, encrypted channels and exposes ePHI in transit and in an account the pharmacy does not manage.
Question 5: A pharmacy receives a subpoena for a patient’s prescription records but no patient authorization.
What is the correct HIPAA-compliant action?
A) Immediately release the records
B) Contact the patient for permission
C) Verify the subpoena’s validity and check state/federal requirements before releasing
D) Refuse to release the records under all circumstances
Answer: C
HIPAA permits disclosures in response to certain legal requests, but the pharmacy must first confirm the subpoena is valid and that the conditions for release are met. A subpoena that is not accompanied by a court order generally requires satisfactory assurance that the patient was notified or that a protective order was sought, and stricter state laws or rules for sensitive records may also apply.
Question 6: A pharmacy’s computer system is hit by ransomware, locking access to all patient records. The IT team confirms that no data was exfiltrated, but access was blocked for several days.
Under HIPAA, what must the pharmacy do next?
A) Ignore the incident since no data was stolen
B) Report the incident as a potential breach and follow breach notification procedures
C) Only notify the patients if they ask about service delays
D) Simply restore the system from backup and resume operations without further action
Answer: B
Ransomware that encrypts ePHI is a security incident, and HHS OCR guidance treats it as a presumed breach unless the pharmacy's documented risk assessment (nature of the PHI, who accessed it, whether it was actually acquired or viewed, and how well the risk was mitigated) shows a low probability that the PHI was compromised. Loss of availability alone still triggers that assessment and possible notification, even when no data left the system.
Question 7: A pharmacy technician working from home uses their personal laptop to access the pharmacy system remotely. The laptop is shared with family members and does not have password protection or encryption.
What specific HIPAA compliance issue is involved here?
A) Violation of the Minimum Necessary Standard
B) Failure to apply appropriate physical and administrative safeguards for ePHI
C) Unauthorized disclosure requiring patient notification
D) Violation of the marketing and fundraising rules
Answer: B
HIPAA's Security Rule requires administrative, physical, and technical safeguards for ePHI. A shared, unencrypted, password-less personal laptop fails on several counts: no device or media controls, no unique user authentication, and no policy governing which devices may be used for remote access.
Question 8: At a family gathering, a pharmacist casually jokes about “one of their patients taking Viagra” without naming the patient — but gives enough details (like age, marital status, or occupation) that a relative present easily guesses who it is.
Is this a HIPAA violation?
A) No, because no name was mentioned
B) No, because it happened outside the pharmacy
C) Yes, because enough identifiable details were shared to reveal the patient
D) Yes, but only if the patient files a formal complaint
Answer: C
Under HIPAA, PHI includes any health information combined with details that could reasonably identify the patient, whether or not a name is used. A casual or joking disclosure that lets a listener work out who the patient is remains an impermissible disclosure, regardless of where it happens.
Question 9: A delivery driver for the pharmacy asks the technician to tell them what’s inside each prescription package so they can “be extra careful” with refrigerated medications.
What is the best HIPAA-compliant response?
A) Provide the medication details so the driver can handle packages properly
B) Only provide details if the patient consents
C) Refuse to disclose the medication details and ensure packages are labeled per policy without revealing PHI
D) Mark all packages as “urgent” to avoid discussing contents
Answer: C
Medication details are PHI and should not be shared beyond what a person needs to do their job (the minimum necessary standard). A driver does not need to know the contents to deliver a package; the pharmacy should rely on its handling labels (for example, a refrigeration marker) that convey storage requirements without revealing PHI.
Question 10: A technician prints a patient’s prescription profile but accidentally leaves it on the pharmacy counter, where another customer sees it before staff notices.
What HIPAA requirement has likely been violated?
A) Administrative safeguards
B) Physical safeguards
C) Technical safeguards
D) Breach notification requirements
Answer: B
Physical safeguards require that PHI be protected from unauthorized viewing wherever it exists, including printed documents. Leaving a prescription profile on a customer-facing counter is a physical safeguard failure; depending on what the customer saw, the incident may also need to be logged and assessed as a potential breach.
Question 11: A pharmacist posts on social media about a “crazy busy day filling ADHD medications for college students” at their pharmacy, mentioning the city and showing a picture of the waiting area (no people or names in the photo).
Does this pose a HIPAA risk?
A) No, because no names or faces were shown
B) Yes, because patterns and context can indirectly identify patients
C) No, because it’s personal social media and not the pharmacy’s official account
D) Yes, but only if patients complain
Answer: B
Even without names or faces, combining a medication type, a patient population, a location, and a date on a public platform can make individual patients identifiable, and the pharmacist's personal account does not change their obligations as a workforce member. Such posts can violate HIPAA whether or not any patient complains.