HIPAA and State Privacy Basics for Exam Scenarios
Key Takeaways
- HIPAA permits use and disclosure of PHI for treatment, payment, and health care operations (TPO) without patient authorization; most other purposes require a written authorization.
- When a state law or a special federal rule (such as 42 CFR Part 2) is more protective than HIPAA, the stricter rule governs the workflow.
- The 18 HIPAA identifiers (name, MRN, dates, addresses, account numbers, etc.) make information PHI when combined with health data held by a covered entity.
- CCA scenarios reward protecting the information first and escalating to the privacy officer or HIM leader when the boundary is unclear.
HIPAA and the TPO framework
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (45 CFR Parts 160 and 164) sets the national floor for safeguarding protected health information (PHI). PHI is individually identifiable health information created, received, or held by a covered entity or its business associate.
The rule lists 18 identifiers that, when tied to health data, make information PHI: name, geographic data smaller than a state, all date elements (birth, admission, discharge, death), phone/fax, email, Social Security number, medical record number (MRN), account number, health-plan number, vehicle and device identifiers, URLs, IP addresses, biometric identifiers, full-face photos, and any other unique code.
The single most tested concept is treatment, payment, and health care operations (TPO). HIPAA permits a covered entity to use and disclose PHI for TPO without patient authorization. Coding, billing, abstracting, claim support, and quality review all fall under payment and operations, so a coder may access records for assigned work. Disclosures outside TPO — to an attorney, an employer, a life insurer, marketing — generally require a signed authorization.
When stricter rules apply
HIPAA is a floor, not a ceiling. A more stringent state law or special federal rule controls when it gives the patient greater privacy or access. Common stricter categories include behavioral health, HIV/AIDS status, genetic information, minors' reproductive or sexual-health care, and substance use disorder (SUD) records under 42 CFR Part 2. Part 2 historically required patient consent even for treatment; the 2024 CARES Act final rule (compliance required by February 16, 2026) now lets a single TPO consent function more like HIPAA, but the records still carry redisclosure restrictions.
Exam decision aid
| Scenario clue | Best CCA mindset |
|---|---|
| TPO task (code, bill, quality review) | Use only the PHI needed; no authorization required |
| Family member or attorney asks for details | Verify authorization or a permitted/required exception first |
| Staff discuss a patient in a public area | Treat as a potential incident and report through policy |
| State law or 42 CFR Part 2 is stricter | Follow the more stringent protection |
| Records de-identified (all 18 identifiers removed) | No longer PHI; HIPAA restrictions do not apply |
Privacy spans verbal, paper, and electronic information. A hallway conversation, a printer tray, a misrouted fax, an email, a coding worksheet, or a screenshot can all disclose PHI. The strongest exam answers protect the information first, limit disclosure to the minimum necessary, and route uncertainty to the privacy officer, HIM director, supervisor, or compliance line rather than guessing.
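The de-identification row in the table above is the one concept on this page that can be shown mechanically. The following Python script is an added example (not material from the exam guide or from AHIMA) of the Safe Harbor approach: strip the structured fields that map to the 18 identifier categories, keep only the year of date elements, collapse ages over 89, and redact identifiers that leak into free text. The record, its field names, and the regular expressions are constructed assumptions for illustration; a real program would be tuned to the organization's own schema and validated by the privacy officer before records are treated as de-identified.

```python
from __future__ import annotations

import re
from typing import Any

# Structured fields mapped to Safe Harbor identifier categories (45 CFR 164.514(b)(2)).
# The field names are assumptions for this constructed record, not a standard schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "zip", "phone", "fax", "email", "ssn",
    "mrn", "account_number", "health_plan_id", "vehicle_id", "device_id",
    "url", "ip_address", "biometric_id", "photo", "other_unique_code",
}
# Date elements tied to the individual: Safe Harbor allows only the year to remain.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Conservative patterns for identifiers that commonly appear inside narrative text.
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")),
    ("MRN", re.compile(r"\bMRN[\s#:]*\d+\b", re.IGNORECASE)),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def redact_free_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier patterns in narrative text; return the text and the labels hit."""
    found = []
    for label, pattern in FREE_TEXT_PATTERNS:
        if pattern.search(text):
            found.append(label)
            text = pattern.sub(f"[{label} REMOVED]", text)
    return text, found


def year_only(value: str) -> str:
    """Keep the year of an ISO date (YYYY-MM-DD); anything unparseable is dropped."""
    m = re.match(r"(\d{4})-\d{2}-\d{2}$", value)
    return m.group(1) if m else "[DATE REMOVED]"


def deidentify(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return a de-identified copy of the record and the identifier categories removed."""
    out: dict[str, Any] = {}
    removed: list[str] = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            # ZIP is dropped entirely here rather than truncated to three digits (conservative).
            removed.append(key)
        elif key in DATE_FIELDS:
            out[key + "_year"] = year_only(str(value))
            removed.append(key)
        elif key == "age" and isinstance(value, int) and value > 89:
            # Safe Harbor requires ages over 89 to be aggregated into a single category.
            out[key] = "90+"
            removed.append("age>89")
        elif isinstance(value, str):
            cleaned, labels = redact_free_text(value)
            out[key] = cleaned
            removed.extend(f"{key}:{label}" for label in labels)
        else:
            out[key] = value
    return out, removed


def is_phi(record: dict[str, Any]) -> bool:
    """True if the record still carries any Safe Harbor identifier."""
    _, removed = deidentify(record)
    return bool(removed)


# Constructed sample record: a fictitious inpatient encounter with identifiers in
# both structured fields and the free-text procedure note.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "00481516",
    "birth_date": "1931-05-02",
    "admission_date": "2024-03-14",
    "zip": "02139",
    "age": 92,
    "principal_dx": "K35.80",
    "procedure_note": "Pt MRN 00481516 seen 03/14/2024; spouse phone 617-555-0142. "
                      "Appendectomy without complication.",
}

if __name__ == "__main__":
    clean, removed = deidentify(SAMPLE_RECORD)
    print("Still PHI before:", is_phi(SAMPLE_RECORD), "after:", is_phi(clean))
    print("Removed:", removed)
    print("De-identified record:", clean)
```

Running the script shows the original record flagged as PHI, the cleaned copy passing the same check, and the list of categories removed, which doubles as an audit trail of why the output is no longer PHI. The check is only as good as its field map and patterns: a narrative that spells out a date in words, or an identifier stored under an unexpected key, would slip through, which is why Safe Harbor output is still reviewed before it leaves the covered entity.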
Covered entities, business associates, and patient rights
The CCA exam expects you to know who HIPAA regulates. A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically (the hospital or clinic where the coder works). A business associate is an outside vendor that creates, receives, maintains, or transmits PHI on the covered entity's behalf — for example, an outsourced coding company, a release-of-information vendor, or a cloud EHR host. Business associates must sign a business associate agreement (BAA) and are directly liable under HIPAA.
A scenario describing a contractor handling PHI without a signed BAA is a compliance gap.
Patients hold enforceable rights that drive many scenario answers: the right to access and obtain a copy of their record (a provider must act within 30 days), the right to request an amendment, the right to an accounting of disclosures outside TPO, the right to request restrictions and confidential communications, and the right to receive the Notice of Privacy Practices (NPP). When a question describes a patient asking for their own information, minimum necessary does not limit it and the access request process applies.
How the exam frames Domain 6
Domain 6, Compliance, includes privacy, security, and confidentiality and is weighted heavily on the 105-question CCA exam. Questions are scenario-based: they describe a workplace event and ask for the best first action. The pattern that earns points is consistent — identify whether a permitted purpose (TPO, authorization, required disclosure) exists, protect the PHI, apply the stricter rule when one exists, and escalate uncertainty through policy. Watch for distractors that sound helpful but bypass the privacy officer, disclose from memory, or rely on personal judgment about whether a rule applies.
The penalties behind these rules are real: civil money penalties scale by culpability tier, and willful neglect can reach into the millions, while criminal violations for selling PHI carry prison time.
Worked example
A coder is assigned to finalize the codes on a surgical inpatient stay. While reviewing the operative report, the coder notices the patient is a coworker from another department. Nothing in the chart is needed beyond the operative and pathology documentation, and the coworker's status is obvious. What is the HIPAA-correct sequence? First, the coder confirms a legitimate purpose exists — the encounter is assigned for coding under payment, so accessing the needed documents is permitted. Second, the coder limits review to the documents that support code assignment, ignoring unrelated visits.
Third, the coder does not mention the coworker's admission to anyone, because the diagnosis and even the fact of admission are PHI. Finally, if the coder feels uncomfortable coding a known person, the right move is to ask the supervisor to reassign, not to abandon the task or discuss it. This single scenario touches permitted access, minimum necessary, confidentiality of verbal information, and escalation — the exact blend Domain 6 tests.
A coder recognizes a neighbor's name in the EHR work queue but has no assigned coding task for that encounter. What is the best action?
A patient's substance use disorder treatment record is requested. Which rule most likely governs how it may be disclosed?
Which item most clearly qualifies as PHI?