HIPAA and State Privacy Basics for Exam Scenarios
Key Takeaways
- HIPAA privacy questions usually test whether patient information is used, disclosed, accessed, or discussed for an allowed purpose.
- State privacy rules can be stricter than HIPAA, so facility policy should reflect both federal and state requirements.
- CCA scenarios often ask for the best first action: protect the information, follow policy, and route questions to the privacy officer or HIM leader.
- Confidentiality applies to verbal, paper, and electronic health information.
HIPAA and state privacy basics
HIPAA sets national privacy and security expectations for protected health information, often called PHI. PHI is health information that can be tied to an individual; it becomes identifiable through elements such as a name, medical record number, date of birth, diagnosis, procedure, account number, image, or other identifier.
For the CCA exam, focus on the work behavior. A coder may access records needed for coding, abstracting, claim support, quality review, or other assigned job duties. Curiosity access is not allowed, even if the coder knows the patient or the record is easy to open.
State law can add stricter rules for certain records, such as behavioral health, substance use treatment, HIV status, genetic information, minors, reproductive health, or abuse-related documentation. When a scenario mentions state-specific protection, choose the answer that follows the stricter rule and facility policy.
Exam decision aid
| Scenario clue | Best CCA mindset |
|---|---|
| Treatment, payment, or operations task | Use only information needed for the assigned work |
| Family member asks for details | Verify authorization, patient permission, or policy before disclosing |
| Staff member discusses a patient in public | Treat as a potential privacy issue and report through policy |
| State rule is stricter than HIPAA | Follow the stricter protection |
Privacy is not limited to the EHR. A hallway conversation, printer output, fax, email, coding worksheet, screenshot, or paper query can disclose PHI. Good exam answers protect the information first, avoid unnecessary disclosure, and involve the privacy officer, HIM director, supervisor, or compliance pathway when needed.
A coder recognizes the name of a neighbor in the EHR work queue but has no assigned coding task for that encounter. What is the best action?
A state privacy law requires extra protection for a category of records. Which rule should guide the facility workflow?
Which situation most clearly involves PHI?