Which of the following is a HIPAA violation?

A medical assistant discussing a patient's diagnosis in a public hallway where others can overhear. Discussing a patient's diagnosis in a public hallway where others can overhear is a HIPAA violation because it exposes PHI to unauthorized individuals. Sharing records for treatment (referring physician), payment (insurance claim), and public health reporting (communicable disease) are all permitted under HIPAA without specific patient authorization.

Under HIPAA, patients have the right to request a copy of their medical records. The covered entity must respond within:

30 days. Under HIPAA, covered entities must respond to a patient's request for access to their PHI within 30 days. A one-time 30-day extension is allowed if the entity notifies the patient in writing with the reason for the delay. The practice may charge a reasonable, cost-based fee for copies.

The HIPAA "Minimum Necessary Standard" means:

Only the minimum amount of PHI needed to accomplish the purpose should be shared. The Minimum Necessary Standard requires that when accessing, using, or disclosing PHI, covered entities must limit it to the minimum amount necessary to accomplish the intended purpose. For example, a billing clerk should only see diagnosis and procedure codes, not the patient's full medical record.

HIPAA and Patient Rights — Free Study Guide 2026

Key Takeaways

HIPAA (Health Insurance Portability and Accountability Act) protects patient health information through the Privacy Rule, Security Rule, and Breach Notification Rule
PHI (Protected Health Information) includes any individually identifiable health information — name, DOB, SSN, medical record number, diagnosis, treatment, and payment information
The Minimum Necessary Standard requires that only the minimum amount of PHI needed to accomplish the task should be accessed, used, or disclosed
Patients have the right to access their records, request amendments, receive an accounting of disclosures, and request restrictions on uses of their PHI
HIPAA violations can result in civil penalties (\$100-\$50,000 per violation, up to \$1.5 million per year) and criminal penalties (up to \$250,000 and 10 years imprisonment for intentional violations)
PHI can be disclosed without patient authorization for treatment, payment, and healthcare operations (TPO), as well as for public health, law enforcement, and court orders

HIPAA and Patient Rights

HIPAA Overview

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the primary federal law protecting patient health information. Every medical assistant must understand and comply with HIPAA regulations.

Three Key HIPAA Rules:

Rule	Purpose	Application
Privacy Rule	Protects PHI in any form (paper, electronic, verbal)	Controls who can access, use, and disclose patient information
Security Rule	Protects electronic PHI (ePHI) specifically	Requires administrative, physical, and technical safeguards for digital data
Breach Notification Rule	Requires notification of unauthorized PHI disclosures	Covered entities must notify patients, HHS, and media (for breaches >500 people)

Protected Health Information (PHI)

PHI is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity. The 18 HIPAA identifiers include:

Identifiers
Name
Address (anything smaller than state)
Dates (birth date, admission/discharge dates, date of death)
Phone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers
Device identifiers and serial numbers
Web URLs
IP addresses
Biometric identifiers
Full-face photographs
Any other unique identifying number

Minimum Necessary Standard

The minimum necessary standard requires that covered entities limit PHI access, use, and disclosure to the minimum amount necessary to accomplish the intended purpose.

Examples:

A billing clerk only needs diagnosis and procedure codes — NOT the full medical record
A referral to a specialist includes relevant medical history — NOT the entire chart
A pharmacist needs the prescription — NOT the patient's surgical history
Staff should only access records of patients they are directly involved in treating

When PHI Can Be Disclosed WITHOUT Patient Authorization

Purpose	Example
Treatment	Sharing records with a consulting specialist
Payment	Sending claim information to the insurance company
Healthcare operations	Quality improvement, audits, training
Public health	Reporting communicable diseases to the health department
Law enforcement	Court order, subpoena, warrant
Workers' compensation	Required reporting for workplace injuries
Abuse/neglect reporting	Mandatory reporting of suspected child/elder abuse
Threat to safety	Imminent danger to the patient or others
Coroner/funeral director	Identification of deceased, cause of death
Organ donation	Facilitating organ/tissue procurement

Authorization IS Required for:

Release of records to the patient's employer (unless work-related injury)
Sharing records with family members (unless the patient consents or is incapacitated)
Marketing purposes
Sale of PHI
Psychotherapy notes (special protections)

Patient Rights Under HIPAA

Right	Description
Access	Right to inspect and obtain a copy of their PHI (within 30 days of request)
Amendment	Right to request changes to their PHI if they believe it is incorrect
Accounting of disclosures	Right to know who has received their PHI (excluding TPO)
Restriction request	Right to request restrictions on how their PHI is used/disclosed
Confidential communications	Right to request PHI be sent to an alternative address or phone number
Notice of Privacy Practices	Right to receive a written notice explaining how their PHI will be used
Complaint	Right to file a complaint with the covered entity or HHS Office for Civil Rights

HIPAA Violations and Penalties

Level	Description	Civil Penalty
Tier 1	Did not know (and could not have known)	$100-$50,000 per violation
Tier 2	Reasonable cause, not willful neglect	$1,000-$50,000 per violation
Tier 3	Willful neglect, corrected within 30 days	$10,000-$50,000 per violation
Tier 4	Willful neglect, NOT corrected	$50,000 per violation (max $1.5 million/year)

Criminal Penalties:

Knowingly obtaining/disclosing PHI: Up to $50,000 and 1 year
Under false pretenses: Up to $100,000 and 5 years
With intent to sell or use for malicious harm: Up to $250,000 and 10 years

Common HIPAA Violations in Medical Offices:

Discussing patient information in public areas
Leaving computer screens visible with PHI
Sharing login credentials with coworkers
Sending PHI via unsecured email or text
Accessing records of patients you are not treating ("chart surfing")
Posting about patients on social media (even without names — can be identifiable)
Improperly disposing of records (not shredded)
Leaving paper records unattended in public areas

NHA CCMA Certified Clinical Medical Assistant

7.1 HIPAA and Patient Rights

Key Takeaways

HIPAA and Patient Rights

HIPAA Overview

Protected Health Information (PHI)

Minimum Necessary Standard

When PHI Can Be Disclosed WITHOUT Patient Authorization

Patient Rights Under HIPAA

HIPAA Violations and Penalties

NHA CCMA Certified Clinical Medical Assistant

1Introduction: NHA CCMA Exam Overview

2Chapter 1: Foundational Knowledge and Basic Science (10%)

3Chapter 2: Anatomy and Physiology (5%)

4Chapter 3: Clinical Patient Care (56%)

5Chapter 4: Patient Care Coordination and Education (8%)

6Chapter 5: Administrative Assisting (8%)

7Chapter 6: Communication and Customer Service (8%)

8Chapter 7: Medical Law and Ethics (5%)

7.1 HIPAA and Patient Rights

Key Takeaways

HIPAA and Patient Rights

HIPAA Overview

Protected Health Information (PHI)

Minimum Necessary Standard

When PHI Can Be Disclosed WITHOUT Patient Authorization

Patient Rights Under HIPAA

HIPAA Violations and Penalties