5.1 Domain 2 Compliance Decision Frame
Key Takeaways
- AHIMA names this content area Domain 2: Compliance with Access, Use, and Disclosure of Health Information, weighted at 15-18% of the RHIA exam — the lightest of the five scored domains.
- The RHIA exam has 150 items (130 scored, 20 unscored pretest), a 3.5-hour appointment, and a scaled passing score of 300; at 15-18%, roughly 21 of the 130 scored items map to Domain 2.
- Domain 2 tests administrator-level judgment: who may access PHI, on what authority, what scope is permitted under the minimum necessary standard, and how the decision is documented and monitored.
- The safest exam pattern is to identify purpose, authority, scope, recipient, minimum-necessary boundary, and escalation path before acting — never the fastest action.
Build the Domain 2 Compliance Lens
The current AHIMA RHIA Exam Content Outline names this area Domain 2: Compliance with Access, Use, and Disclosure of Health Information and weights it at 15-18% of the exam — the lightest of the five scored domains, though still high-yield. The RHIA exam delivers 150 items (130 scored plus 20 unscored pretest) in a 3.5-hour appointment through Pearson VUE, scored on a scaled 100-400 range with a fixed passing score of 300. At 15-18%, expect roughly 21 of the 130 scored items to draw on Domain 2.
That weight matters because RHIA is an administrator-level credential. The exam asks what a leader should approve, monitor, escalate, document, or correct when PHI is accessed, used, requested, disclosed, or exchanged — not how a clerk fills out one form.
Separate Access, Use, and Disclosure
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (45 CFR Part 164) gives three precise verbs you must keep apart on the exam:
| Term | HIPAA meaning | Example | Control question |
|---|---|---|---|
| Access | An individual's right to inspect/obtain their own PHI (45 CFR 164.524) | Patient requests a copy of their chart | Identity, format, 30-day timeline, fee cap |
| Use | Sharing/handling PHI within the covered entity | A coder opens a record to assign codes | Role-based access, minimum necessary |
| Disclosure | PHI leaving the entity to an outside party | Releasing records to an attorney | Authorization, accounting of disclosures |
Treatment, Payment, and Health Care Operations (TPO) disclosures generally need no patient authorization (164.506); nearly everything else does. The minimum necessary standard (164.502(b)) applies to most uses and disclosures, but not to disclosures to the patient, to disclosures to a provider for treatment, or to disclosures required by law.
The Six-Point Decision Frame
Before acting on any scenario, walk these six points:
- Purpose — patient access, TPO, legal, regulatory, public health, or other.
- Authority — valid authorization, patient direction, personal representative document, court order, or statutory basis.
- Scope — date range, document type, data elements, exclusions.
- Recipient — verified individual or organization and confirmed destination.
- Minimum necessary — applies unless an exception removes it.
- Escalation — route sensitive, ambiguous, broad, or high-risk requests to the Privacy Officer or legal counsel.
| Compliance question | RHIA decision point | Evidence to preserve |
|---|---|---|
| Who wants it? | Verify identity, role, legal authority, or patient direction | Authorization, ID check, portal identity event |
| Why? | Classify the purpose against HIPAA categories | Request category, policy citation |
| What? | Match scope to purpose under minimum necessary | Date range, document type, exclusions |
| How does it move? | Choose a secure, approved channel | Delivery log, transmission status |
| What could fail? | Escalate sensitive or unusual requests | Supervisor/Privacy Officer referral |
Covered Entities, Business Associates, and Penalties
Know exactly who is bound. A covered entity is a health plan, health care clearinghouse, or a provider that transmits health information electronically for a HIPAA standard transaction. A business associate (BA) is a vendor that creates, receives, maintains, or transmits PHI on the entity's behalf — a transcription service, ROI vendor, cloud host, or analytics firm. A business associate agreement (BAA) is mandatory before PHI flows to a BA, and the HITECH Act (2009) made BAs directly liable for Privacy and Security Rule violations.
Civil penalties, enforced by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), are tiered by culpability: from roughly the low hundreds of dollars per violation for unknowing conduct up to a statutory annual cap (about $2 million per identical-violation category for willful neglect that is not corrected). The exam rewards knowing that willful neglect is the most severe tier and that prompt correction within 30 days can reduce exposure.
Worked Scenario
A quality analyst asks for a department-wide dataset to study readmissions. Walk the frame: the purpose is health care operations (a permitted TPO use), so no authorization is needed; the authority is internal role; the scope is governed by minimum necessary, so the analyst should receive de-identified or limited data, not full charts. A limited data set (164.514(e)) strips direct identifiers but keeps dates and ZIP codes and requires a data use agreement — the correct middle path between full PHI and full de-identification.
Full de-identification follows either the Safe Harbor method (remove all 18 specified identifiers, including names, geographic units smaller than a state, all date elements more specific than year, and any unique identifying number) or the Expert Determination method (a qualified statistician certifies a very small re-identification risk). De-identified data is no longer PHI and falls outside the Privacy Rule entirely, which is why it is the strongest answer when a request needs no individual identity.
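The following Python is an added illustration, not AHIMA, HHS or any vendor's code. It encodes the six-point frame as a single decision function and the three data tiers from the worked scenario (full PHI within scope, limited data set, Safe Harbor de-identified) as record transformations. The `Request` flags, purpose labels, field names and the sample record are all assumptions constructed for this example; dates are assumed to be ISO 8601 strings (`YYYY-MM-DD`).

```python
"""Illustrative Domain 2 decision frame and de-identification tiers.
Hypothetical helper; field names, flags and purpose labels are assumptions."""
from dataclasses import dataclass
from typing import Any

TPO_PURPOSES = {"treatment", "payment", "operations"}
# Purposes that need no patient authorization (164.506 TPO, 164.524 access, legal mandate).
NO_AUTHORIZATION_NEEDED = TPO_PURPOSES | {"patient_access", "required_by_law"}
# Uses/disclosures the minimum necessary standard does not apply to (164.502(b)(2)).
MIN_NECESSARY_EXEMPT = {"patient_access", "treatment", "required_by_law"}

# Direct identifiers a limited data set must strip (164.514(e)); assumed field names.
LDS_DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo",
}
# Safe Harbor additionally removes geography below the state and date precision below the year.
SAFE_HARBOR_GEO = {"city", "county", "zip"}
SAFE_HARBOR_DATES = {"dob", "admit_date", "discharge_date", "death_date"}


@dataclass
class Request:
    purpose: str                  # "treatment", "payment", "operations", "patient_access", "legal", ...
    requester_verified: bool      # identity, role, or legal authority confirmed (Recipient)
    scope_defined: bool           # date range, document types, exclusions are explicit (Scope)
    has_authorization: bool       # valid authorization or equivalent authority on file (Authority)
    needs_identity: bool          # the purpose cannot be served without identified patients
    needs_dates_or_geo: bool      # needs dates or ZIP-level geography (a readmission study does)
    has_data_use_agreement: bool  # DUA executed, the precondition for a limited data set
    sensitive: bool = False       # unusually broad or high-risk; routes to the Privacy Officer


def minimum_necessary_applies(purpose: str) -> bool:
    return purpose not in MIN_NECESSARY_EXEMPT


def decide(req: Request) -> str:
    """Walk the six points and return the release tier or the controlled outcome."""
    # Recipient, scope and escalation: unverified, vague or sensitive requests stop here.
    if not req.requester_verified or not req.scope_defined or req.sensitive:
        return "escalate_to_privacy_officer"
    # Authority: anything outside TPO, patient access and legal mandate needs an authorization.
    if req.purpose not in NO_AUTHORIZATION_NEEDED and not req.has_authorization:
        return "deny_pending_authorization"
    # Minimum necessary: exempt purposes (or purposes that genuinely need identity)
    # get the full record, limited to the documented scope.
    if not minimum_necessary_applies(req.purpose) or req.needs_identity:
        return "release_full_phi_within_scope"
    # Dates or ZIP codes but no names: the limited data set, which requires a DUA.
    if req.needs_dates_or_geo:
        return "release_limited_data_set" if req.has_data_use_agreement else "deny_pending_data_use_agreement"
    # Nothing individual is needed: de-identified data falls outside the Privacy Rule.
    return "release_deidentified"


def to_limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Drop the direct identifiers; dates, city/state/ZIP and ages remain (164.514(e))."""
    return {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}


def safe_harbor_deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Safe Harbor (164.514(b)(2)): also strip sub-state geography, reduce dates to the
    year, and collapse ages over 89 (and their birth year) into a single '90+' bucket."""
    out: dict[str, Any] = {}
    for k, v in to_limited_data_set(record).items():
        if k in SAFE_HARBOR_GEO:
            continue
        if k in SAFE_HARBOR_DATES and isinstance(v, str):
            out[k] = int(v[:4])  # assumes ISO 8601 dates; keep only the year
            continue
        if k == "age" and isinstance(v, int) and v > 89:
            v = "90+"
        out[k] = v
    if out.get("age") == "90+":
        out.pop("dob", None)  # a birth year would reveal an age over 89
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Pat Example", "mrn": "MRN-000123", "ssn": "000-00-0000",
    "dob": "1931-04-02", "age": 93, "admit_date": "2024-02-11", "discharge_date": "2024-02-15",
    "zip": "02139", "city": "Cambridge", "state": "MA",
    "dx_code": "I50.9", "readmitted_30d": True,
}


def readmission_study_decision() -> str:
    """The worked scenario: operations purpose, verified internal role, needs dates, DUA signed."""
    return decide(Request("operations", True, True, False, False, True, True))


if __name__ == "__main__":
    print(readmission_study_decision())
    print(to_limited_data_set(SAMPLE_RECORD))
    print(safe_harbor_deidentify(SAMPLE_RECORD))
```

The ordering inside `decide` mirrors the exam's preferred reasoning: verification, scope and escalation are settled before authority, and authority before the minimum-necessary tier, so the fastest action (releasing the full chart) is reached only when every earlier check permits it.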
Common Exam Traps
The dominant trap is choosing the fastest action over the controlled action. Speed without verification produces an impermissible disclosure that may trigger breach analysis under the Breach Notification Rule. The opposite trap is over-restricting in a way that violates the patient's 164.524 access right. A third trap is treating a subpoena like a court order — a subpoena signed only by an attorney requires satisfactory assurances (164.512(e)) before you disclose. A fourth is forgetting the BAA: PHI cannot flow to a vendor until the agreement is signed.
The RHIA balance: support access and exchange while preserving clear authority, limited scope, secure delivery, documented vendor controls, and measurable oversight.
Practice Questions
- What is the title and exam weight of the RHIA domain covering patient access, request processing, monitoring access to PHI, and health information exchange?
- An employee asks whether to release a broad record set to a third party, but the authorization is unclear about date range and recipient. What is the best RHIA-level response?
- Which HIPAA disclosure does NOT require application of the minimum necessary standard?