What is a HIPAA Review Test?


A HIPAA review test is an exam that an organization can administer to its staff. The test can consist of questions that address key HIPAA topics and concepts. Potential HIPAA review test content is discussed below.

What Can be Covered in a HIPAA Review Test?

A HIPAA review test can cover the following key HIPAA concepts.

To Whom Does HIPAA Apply?

The HIPAA Privacy Rule, the HIPAA Security Rule, the Breach Notification Rule, and the Omnibus Rule apply to covered entities and business associates. A HIPAA review test should address the key requirements of each of these rules, as well as the entities – covered entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates – to whom the HIPAA regulations apply.


What is a Business Associate?

A HIPAA review test should emphasize the distinction between a covered entity and a business associate. A business associate is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. Business associates include (among other entities):

  • A third-party administrator that assists a health plan with claims processing
  • A consultant that performs utilization reviews for a hospital
  • An independent medical transcriptionist that provides transcription services to a physician

What Information Does HIPAA Apply To?

HIPAA regulates the use, disclosure, creation, maintenance, storage, transmission, and receipt of protected health information (PHI) and electronic protected health information (ePHI).

Protected health information is individually identifiable health information that relates to the past, present, or future health status of an individual and that is created, collected, transmitted, or maintained by a HIPAA covered entity in relation to:

  • The provision of healthcare;
  • Payment for healthcare services; or
  • Healthcare operations (healthcare business uses).

Examples of protected health information include medical test results, prescription information, diagnoses, and treatment information. PHI relates to physical records, while ePHI is any PHI that is created, stored, transmitted, or received electronically.

When Did the Various Provisions of HIPAA Become Law?

A HIPAA review test can include a section on the enactment dates of the various HIPAA regulations. A HIPAA review test should ultimately be designed to test an understanding of the importance of HIPAA in regulating medical privacy and security. Understanding the history of HIPAA helps a person understand why HIPAA operates the way it does.

HIPAA was passed in 1996 to improve the efficiency and effectiveness of the healthcare system. When it was passed, HIPAA included administrative simplification provisions. These provisions required HHS to adopt national standards for electronic healthcare transactions and code sets, unique health identifiers, and security.

Congress, recognizing that advances in electronic technology could compromise patient privacy, incorporated privacy protection provisions into HIPAA. These provisions required HHS to adopt privacy regulations for individually identifiable health information.

The privacy provisions HHS adopted were published as a final Privacy Rule in 2002. The rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, healthcare clearinghouses, and healthcare providers who conduct the standard healthcare transactions electronically.

Compliance with the Privacy Rule was required as of 2003. That same year, HHS published a final Security Rule, which set national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. By 2006, all covered entities and business associates had to comply with the Security Rule.

HHS, recognizing that requiring compliance means little if there is no enforcement mechanism, introduced the Enforcement Rule in 2006. The Enforcement Rule gave HHS the power to investigate complaints against covered entities for failing to comply with the Privacy Rule, and to fine covered entities for avoidable breaches of ePHI due to not following the safeguards set forth in the Security Rule. As part of the Enforcement Rule, OCR was given the power to bring criminal charges against persistent offenders who fail to introduce corrective measures within 30 days.

Enforcement of the HIPAA regulations by the Office for Civil Rights significantly increased in 2009. In 2009, a new law, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), was passed to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act contained several provisions that strengthened the civil and criminal enforcement of the HIPAA rules by providing for a tiered penalty system.

In 2009, HHS also issued the Breach Notification Rule. This rule required that individuals' health information be secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals be appropriately notified when data breaches occur.

In 2013, the HIPAA Omnibus Rule was published. The Omnibus Rule made business associates of covered entities directly liable for compliance with certain HIPAA Privacy and Security Rule requirements. The Omnibus Rule also strengthened the limitations on PHI use and disclosure for marketing and fundraising purposes, and banned the sale of PHI without individual authorization. The Omnibus Rule also expanded individuals' right to receive electronic copies of their health information.

Where Does HIPAA Apply?
A HIPAA review test should cover the geographic reach of HIPAA as well. HIPAA applies to covered entities and business associates that conduct business within the United States. However, the nationality or citizenship of patients is irrelevant to whether HIPAA applies. The Privacy Rule further defines PHI as individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, that is transmitted or maintained in any form or medium, including the individually identifiable health information of non-U.S. citizens.