Top HIPAA Training Questions Explained — Learn and Remember with Ease
HIPAA (pronounced “hip-uh”) stands for Health Insurance Portability and Accountability Act — a U.S. federal law passed in 1996.
It’s the law that:
- Protects the privacy of people’s health information.
- Secures electronic health data (ePHI) through safeguards.
- Gives patients the right to see, correct, and control their medical records.
Who must follow HIPAA:
- Covered Entities: hospitals, clinics, doctors, and insurers.
- Business Associates: vendors or IT companies that handle PHI for them.
PHI — Protected Health Information, meaning any data that links a person to their health (name + diagnosis, email + lab results, etc.).
Why Do Organizations Require HIPAA Certification and HIPAA Training?
Organizations require HIPAA certification or formal HIPAA training not because it’s mandated by law, but because it’s the most effective way to ensure that employees, vendors, and partners understand and comply with HIPAA rules — especially when handling Protected Health Information (PHI).
HIPAA training and certification:
- Demonstrate compliance — prove that staff are trained and aware of privacy and security standards.
- Reduce risk — prevent breaches and human errors that expose patient data.
- Support audits — provide documented proof of compliance for regulators or clients.
- Build trust — often required by healthcare partners and vendors.
- Boost reputation — show commitment to data protection and privacy.
In short, HIPAA training protects organizations from fines, enhances credibility, and ensures everyone knows how to handle sensitive health data properly.
Preparing for the HIPAA Certification Exam
Passing a HIPAA certification exam (like Certified HIPAA Professional, Administrator, or Privacy Associate) requires studying both the law and real-world compliance practices.
- Official Government Resources
  - HHS.gov HIPAA Guidance Portal – official rules, FAQs, and enforcement updates.
  - 45 CFR Parts 160, 162, and 164 – complete HIPAA regulations.
  - HIPAA Enforcement Highlights – real enforcement cases.
- HIPAA Training & Study Guides
  - HIPAA Academy – CHA™, CHP™, and CHPC™ study materials.
  - HIPAATraining.net – CHPA and CHPC courses with exams.
  - Compliancy Group HIPAA Training – includes self-audit templates and checklists.
- Supplemental Learning Materials
  - NIST SP 800-66 – connects HIPAA Security Rule to technical safeguards.
  - OCR Training Videos – official short lessons for staff.
  - HIPAA Journal – daily updates and compliance news.
Core Tips for Mastering HIPAA Training and Exams
The Core Purpose of HIPAA
HIPAA exists to protect the privacy, integrity, and availability of health information.
Every rule, safeguard, or fine is built around this simple goal: “Keep patient information confidential, correct, and accessible only to the right people.”
The Three Main HIPAA Rules
Everything in HIPAA falls under one of these three pillars:
| Rule | Purpose | Focus |
| --- | --- | --- |
| Privacy Rule | Controls who can access PHI and when. | Patients’ rights, disclosures, and authorizations. |
| Security Rule | Protects how PHI is stored, shared, and transmitted (especially electronic data). | Administrative, technical, and physical safeguards. |
| Breach Notification Rule | Requires action if PHI is lost, stolen, or exposed. | Reporting, documentation, notification deadlines. |
If you can identify which rule applies to a question, you’re already halfway there.
The Key Concept: PHI (Protected Health Information)
Understand what counts as PHI, because every other question depends on it. PHI = any individually identifiable health information (past, present, or future) that’s linked to a person.
Examples: name + diagnosis, phone + lab results, email + insurance ID. If it can identify a person and relates to health — it’s PHI.
The 3 Types of Safeguards (Security Rule)
To protect ePHI (electronic PHI), HIPAA requires three layers of protection:
| Type | Examples | Key Idea |
| --- | --- | --- |
| Administrative | Training, risk assessments, and access policies | Human & procedural controls |
| Technical | Encryption, passwords, audit logs | System-level protection |
| Physical | Locked rooms, screen shields, device security | Real-world access control |
The “Minimum Necessary” Principle
One of the most tested ideas: use or share only the minimum necessary PHI to do your job; even if disclosure is allowed, only the essential data should be shared.
Patient Rights
Every patient has fundamental rights under the Privacy Rule: access their records; request corrections; get a copy or accounting of disclosures; file a complaint. If a question mentions “patient request,” it’s testing this section.
Breach Logic
If data is lost or exposed → ask yourself: was it PHI? Was it secured (encrypted, password-protected)? If not → breach notification applies within 60 days to individuals, HHS, and sometimes the media.
Business Associate (BA) Relationships
A Business Associate is anyone handling PHI on behalf of a Covered Entity (like a SaaS vendor, billing company, or cloud service). They must sign a Business Associate Agreement (BAA), which ensures they also comply with HIPAA. In questions: if it’s about a vendor or partner → think BAA = required.
Compliance Mindset
HIPAA is risk-based, not “zero-risk.” You must demonstrate reasonable and appropriate safeguards, rather than perfection. Auditors look for policies, documentation, and training, not just technology.
Golden Rule
When you’re unsure in an exam: “If the choice protects the patient’s privacy, follows written policy, and documents the action — it’s probably correct.”
…supplement those of the Common Rule and FDA.
Think of it as three concentric circles of protection around a patient’s data:
- Common Rule – Protects research participants as human subjects
- FDA Regulations – Protects subjects in clinical investigations of drugs/devices
- HIPAA – Protects health information (PHI) used or disclosed in research
Imagine a university hospital running a diabetes drug trial:
The IRB (under the Common Rule) ensures informed consent.
The FDA oversees drug safety and reporting.
HIPAA governs how the hospital uses patient records — requiring either authorization from the patient or a waiver by the IRB.
So HIPAA comes in addition — it doesn’t replace the other two.
identifiable health information that is created or held by covered entities and their business associates.
HIPAA protects a special type of information called “Protected Health Information” (PHI).
That means any personal health data that can identify someone and is handled by healthcare organizations or their partners.
So, PHI = personal + medical + handled by covered entities (or their business associates)
Easy examples:
PHI (Protected Health Information):
- “John Smith – diabetes test results”
- “Patient #10245 – MRI images” (if linked to name)
- “jane.doe@email.com – COVID-19 vaccination record”
- “Employee health record stored in hospital database”
❌ Not PHI:
- “Anonymous diabetes statistics”
- “MRI image with no identifiers”
- “Number of vaccines given in 2024”
- “Fitness tracker data shared privately (not by a covered entity)”
must be more detailed for disclosures that involve fewer than 50 subject records.
When someone (the data subject, meaning the patient) asks for an accounting of disclosures, the organization must tell them when and why their health information was shared with others.
Now — if the disclosure involved fewer than 50 people (records), HIPAA requires the organization to give more detailed, individual-level information about those disclosures.
If the disclosure involved 50 or more people, the organization can give a summary instead.
Example 1 – Small disclosure (fewer than 50 people):
A clinic mistakenly emails lab results for 20 patients to a researcher before getting authorization.
When one of those patients asks for an “accounting of disclosures,” the clinic must list each disclosure individually:
- Date of disclosure
- Who received it
- What information was shared
- Why it was shared
Example 2 – Large disclosure (more than 50 people):
A hospital participates in a state public health report and shares records for 5,000 patients.
The hospital can give a summary like:
“Between January–March 2025, we disclosed records of approximately 5,000 patients to the State Department of Health for public health surveillance purposes.”
development of generalizable knowledge.
Under HIPAA, “research” is not just any use of medical data — it specifically refers to systematic studies designed to produce knowledge that applies to people in general, not just to one patient or one organization.
So HIPAA says:
Research = organized effort to learn something new that can be generalized (applied broadly).
“Generalizable” = knowledge that can be applied to other cases, people, or settings — not just the specific situation studied.
It’s the opposite of a one-time internal review or a patient care improvement.
Example 1:
A hospital tests a new medication to see if it lowers blood pressure and plans to publish the results. This is considered research under HIPAA because it aims to generate generalizable knowledge that can apply to others beyond the hospital’s own patients.
Example 2:
A clinic reviews its own patients’ records to check whether they followed appointment reminders. This is not considered research under HIPAA because it’s a quality improvement activity intended for internal use only, not to produce generalizable findings.
for all human subjects research that uses PHI without authorization from the data subject, except for limited data sets.
If a researcher uses someone’s medical information without getting their written permission, the organization must keep a record (an accounting) of that disclosure — unless the data shared has been partially de-identified (a “limited data set”).
Example 1 – Disclosure accounting required:
A university hospital researcher studies the effects of a new asthma medication using patient medical records.
The IRB approves a waiver of authorization (patients didn’t sign forms). The hospital must keep a disclosure accounting showing which research project used which PHI and when.
Example 2 – Disclosure accounting NOT required:
The same researcher uses a limited data set (records contain only age, diagnosis, and city — no names or contact info). No disclosure accounting is required because the data isn’t fully identifiable.
Uses “plain language” that the data subject can understand, similar to the requirement for an informed consent document.
A HIPAA authorization is a written permission from a patient (called the data subject) that allows their Protected Health Information (PHI) to be used or disclosed for a specific purpose — such as research, marketing, or sharing with a third party.
HIPAA requires that this authorization be written in plain language — meaning:
The wording must be clear, simple, and understandable to the average person — not full of legal or medical jargon.
It’s the same principle used for informed consent forms in research:
patients should know exactly what information is being shared, why, with whom, and for how long — and they must understand it easily.
Bad example (not plain language):
“I authorize the release of my PHI to facilitate investigational pharmaceutical studies as determined by the Institutional Review Board.”
— This sounds legalistic and hard to understand.
Good example (plain language):
“I give permission for my medical records to be shared with researchers studying new medicines. I understand I can cancel this permission at any time.”
— Clear, simple, and understandable to any adult.
…is research, and so requires either an authorization or meeting one of the criteria for a waiver of authorization.
Under HIPAA, “retrospective research” — also called data mining — that uses PHI (Protected Health Information) is considered research.
Therefore, it requires either:
- a patient’s authorization, or
- a waiver of authorization approved by an IRB (Institutional Review Board) or Privacy Board.
Example 1 – Authorization required:
A researcher reviews 10 years of hospital records to study how smoking habits affect heart disease.
Because they’re using identifiable PHI (names, dates, diagnoses), this counts as research, so the hospital must either:
- Obtain each patient’s authorization, or
- Obtain an IRB waiver of authorization.
Example 2 – Waiver granted:
The researcher applies to the IRB and shows that contacting thousands of patients is impossible, and that all data will be securely stored and de-identified after analysis.
The IRB grants a waiver, allowing the study to proceed without individual authorizations.
…can qualify as an activity “preparatory to research,” at least for the initial contact, but data should not leave the covered entity.
When researchers are looking for potential participants (recruiting) using medical records, that early stage — where they’re just reviewing data to identify who might qualify — can be treated as “preparatory to research” under HIPAA.
This means:
They don’t need patient authorization yet, as long as they don’t remove any identifiable data from the covered entity (like a hospital or clinic).
Example 1 – Allowed (preparatory to research):
A hospital researcher wants to study diabetes patients over age 60.
They review patient charts inside the hospital system to estimate how many people fit the criteria.
This is preparatory to research — no authorization needed, because data stays within the covered entity.
Example 2 – Not allowed (goes beyond preparatory):
The same researcher exports names and phone numbers of those patients to start calling them about the study before IRB approval or authorization.
Not allowed. Data left the covered entity → violates HIPAA.
Recruiting or contacting patients requires authorization or an IRB waiver.
an organizational IRB or Privacy Board, privacy official (“Privacy Officer”), or security official (“Security Officer”), depending on the issue.
If you’re not sure how HIPAA applies to a research situation — for example, whether you need authorization, a waiver, or what counts as PHI — you should ask the people in your organization who are responsible for HIPAA compliance:
- The IRB or Privacy Board,
- The Privacy Officer, or
- The Security Officer, depending on your question.
You don’t have to guess — there are designated experts in every HIPAA-covered organization who handle these issues.
…to all human subjects research that uses PHI without authorization from the data subject.
If a researcher is allowed to use Protected Health Information (PHI) — for example, under a waiver of authorization from an IRB or Privacy Board — they must still limit the PHI they access, use, or share to the minimum amount necessary to achieve the research purpose.
In other words:
Even when HIPAA allows you to use PHI, you can’t take everything — only what you truly need.
Example 1 – Minimum necessary applied:
A university researcher is studying diabetes trends and gets an IRB waiver to use PHI.
They only need patient age, gender, and blood glucose readings.
They should not request full medical records with names, addresses, or unrelated data.
That’s following the minimum necessary rule.
Example 2 – Violation:
A researcher with a waiver downloads complete hospital records (including contact info and unrelated lab results) “just in case” they might need them later.
That’s a HIPAA violation — the researcher accessed more PHI than necessary.
…development of generalizable knowledge.
Under HIPAA, research doesn’t just mean doing experiments or clinical trials — it also includes any systematic activity designed to learn something new that can be applied beyond one person, clinic, or case.
So if the purpose of using PHI (Protected Health Information) is to create knowledge that could apply to other people or situations, HIPAA considers that activity research.
Example 1:
A hospital looks at 10 years of heart attack cases to publish a report about which treatments work best.
This is research under HIPAA because it’s meant to create generalizable knowledge that others can use.
Example 2:
A clinic reviews its own patient records to see if reminder calls help patients come to appointments on time.
This is not research under HIPAA because it’s only for internal quality improvement, not to share or publish broadly.
Example 3:
A researcher studies de-identified health data from several hospitals to find patterns in cancer risk.
This is research because it helps develop knowledge that applies to many people, not just one group.
Example 4:
A doctor checks one patient’s blood test results to decide on medication.
This is not research — it’s part of normal patient care, not a study.
Data that does not cross state lines when disclosed by the covered entity.
HIPAA allows some uses or disclosures of PHI without patient permission — but not all.
Your job is to identify the one situation that still requires authorization (the “EXCEPT”). Whether or not the data crosses state lines makes no difference: HIPAA is a federal rule and its permitted disclosures are defined by purpose, not geography, so that option is not one of the exceptions.
You can use or disclose PHI without authorization for:
- Treatment – sharing info among healthcare providers to care for a patient.
  → Example: A surgeon sends lab results to an anesthesiologist before surgery.
- Payment – sharing info with insurance companies for billing or claims.
  → Example: A clinic sends diagnostic codes to an insurer for reimbursement.
- Healthcare operations – internal activities like audits, training, quality improvement.
  → Example: A hospital reviews charts to evaluate staff performance.
- Public health activities – reporting diseases, injuries, or vital events.
  → Example: A lab reports positive COVID-19 results to a state health department.
- Law enforcement or legal requirements – responding to subpoenas, court orders, or certain crimes.
  → Example: A hospital provides records under a valid court order.
- Research with IRB/Privacy Board approval – if there’s a waiver or limited data set.
  → Example: A researcher with an IRB waiver studies anonymized patient data.
- Organ donation, coroners, or funeral directors – for identifying deceased persons or determining the cause of death.
- Serious threats to health or safety – warning authorities about imminent danger.
Example 1 – Allowed without authorization:
A hospital reports a case of measles to the local health department.
Allowed (public health exception).
Example 2 – Allowed without authorization:
A clinic sends PHI to an insurance company to get paid for a procedure.
Allowed (payment).
Example 3 – NOT allowed without authorization:
A hospital gives patient email addresses to a pharmaceutical company for a new drug promotion.
Not allowed — this is marketing and requires patient authorization.
PHI transmitted electronically.
In fact, it also applies to PHI in any form — electronic, paper, or even spoken — as long as it’s handled by a covered entity or business associate.
But the rule was originally designed to protect electronic transmission of health data (like emails, faxes, electronic health records), which are especially vulnerable to privacy breaches.
Example 1 – Electronic (covered):
A hospital sends a patient’s MRI results to a specialist via secure email.
Covered by the HIPAA Privacy Rule — it’s PHI transmitted electronically.
Example 2 – Electronic (covered):
A billing company uploads patient data to a secure cloud system for insurance claims.
Covered — it’s electronic PHI (ePHI) handled by a business associate.
Example 3 – Paper (also covered):
A nurse prints a discharge summary with patient identifiers.
Still covered under the Privacy Rule — PHI in any form is protected.
Example 4 – Verbal (also covered):
A doctor discusses a patient’s diagnosis with another provider over the phone.
Still covered — verbal disclosures are included.
Example 5 – Not covered:
A researcher uses a fully de-identified dataset (no names, dates, or identifiers).
Not covered by HIPAA, because it’s no longer “PHI.”
…a health plan, a health care clearinghouse, or a health care provider engaged in standard electronic transactions covered by HIPAA.
Under HIPAA, a Covered Entity (CE) is:
- a health plan,
- a health care clearinghouse, or
- a health care provider who conducts standard electronic transactions (like billing or insurance claims) that HIPAA covers.
HIPAA doesn’t apply to every person or company that touches health data.
It applies specifically to these three types of organizations that handle Protected Health Information (PHI) in the healthcare system.
If a provider never transmits data electronically (for example, a small rural clinic that does everything on paper), HIPAA does not apply to them as a “covered entity.”
But in practice, almost all modern providers use electronic billing — so they are covered.
Example 1 – Health plan:
Blue Cross Blue Shield processes insurance claims for patients.
It’s a covered entity (health plan).
Example 2 – Provider using electronic billing:
A dentist submits insurance claims online for patient cleanings.
It’s a covered entity (health care provider engaged in electronic transactions).
Example 3 – Clearinghouse:
A billing company that converts hospital claim data into a standard format before sending it to insurers.
It’s a covered entity (clearinghouse).
Example 4 – Not a covered entity:
A fitness app that tracks heart rate but doesn’t bill insurance or work for a healthcare provider.
Not a covered entity — HIPAA doesn’t apply (unless it partners with one).
limits uses, disclosures, and requests for PHI to the minimum necessary amount of PHI needed to carry out the intended purposes of the use or disclosure. The minimum necessary standard does not apply to disclosures to, or requests by, a health care provider for treatment purposes. It also does not apply to uses or disclosures made to the individual or pursuant to the individual’s authorization.
HIPAA says that when someone uses, discloses, or requests Protected Health Information (PHI), they should share only the smallest amount of information necessary to do the job.
This rule helps protect patient privacy by limiting unnecessary exposure of health data.
Example 1 – Minimum necessary applies:
A hospital billing office requests patient info to send an insurance claim.
They should only receive what’s needed for billing — not full medical records.
Example 2 – Minimum necessary applies:
A researcher uses PHI under an IRB waiver.
They must request only the data necessary for the research (e.g., age and diagnosis, not full identifiers).
Example 3 – Exception (does NOT apply):
A doctor emails another doctor the patient’s full chart to coordinate treatment.
Minimum necessary rule does not apply because this is for treatment.
Example 4 – Exception (does NOT apply):
A patient requests a full copy of their medical record.
Minimum necessary rule does not apply because it’s their own data.
Example 5 – Exception (does NOT apply):
A patient signs a written authorization allowing their data to be shared for a legal case.
The rule does not apply — the patient gave explicit permission.
An individual’s first and last name and the medical diagnosis in a physician’s progress report.
PHI (Protected Health Information) = any information that:
- Identifies an individual (like name, address, phone number, etc.), and
- Relates to their health, healthcare, or payment for healthcare.
So, it’s not just about health data — it’s health data linked to a person’s identity.
If both conditions are true → it’s PHI and protected under HIPAA.
Example 1 – PHI:
“John Smith – Type 2 Diabetes”
Contains a name (identifier) + health info (diagnosis) → PHI.
Example 2 – PHI:
“Patient with phone number (555) 123-4567 treated for anxiety.”
The phone number identifies the patient → PHI.
Example 3 – Not PHI:
“20% of patients in our clinic have diabetes.”
No identifying info → not PHI (it’s statistical data).
Example 4 – Not PHI:
“Anonymous patient data showing blood pressure trends.”
No names, no identifiers → de-identified → not PHI.
PHI that is transmitted or maintained by a covered entity or a business associate in any form or medium.
The HIPAA Privacy Rule protects Protected Health Information (PHI) — whether it’s:
- Sent (transmitted electronically, by fax, or verbally), or
- Stored (maintained in files, databases, paper charts, or backups),
as long as it’s handled by a covered entity (like a hospital or insurer) or a business associate (like a billing or cloud storage company).
And “in any form or medium” means — it doesn’t matter how it exists: electronic, paper, or spoken.
HIPAA protects it all.
Example 1 – Electronic PHI (ePHI):
A hospital emails lab results to a specialist.
Protected — PHI transmitted electronically.
Example 2 – Paper PHI:
A nurse prints a patient’s discharge summary with name and diagnosis.
Protected — PHI maintained on paper.
Example 3 – Verbal PHI:
A doctor discusses a patient’s treatment plan with another doctor by phone.
Protected — PHI disclosed verbally.
Example 4 – PHI stored by a vendor:
A cloud storage company hosts a hospital’s patient database.
Protected — business associate maintaining PHI electronically.
Example 5 – Not PHI:
A fitness tracker app that collects heart rate but doesn’t work for a covered entity.
Not covered by HIPAA — it’s not transmitted or maintained by a CE or BA.
The HIPAA Security Rule established a national set of standards for the protection of PHI that is created, received, maintained, or transmitted in electronic media by a HIPAA CE or BA; protects ePHI; and addresses three types of safeguards – administrative, technical, and physical – that must be in place to secure individuals’ ePHI.
The HIPAA Security Rule created national standards to protect electronic Protected Health Information (ePHI) — that is, any health information created, received, stored, or transmitted electronically by a Covered Entity (CE) or Business Associate (BA).
It focuses on how to secure that information through three types of safeguards: administrative, technical, and physical.
So, the Security Rule is about keeping electronic health information safe from unauthorized access, theft, or damage.
Example 1 – Administrative safeguard:
A hospital performs an annual risk analysis to identify vulnerabilities in its systems and trains staff on security procedures.
That’s part of administrative protection.
Example 2 – Technical safeguard:
A clinic uses encryption when emailing lab results to ensure only the intended recipient can read them.
That’s a technical safeguard.
Example 3 – Physical safeguard:
A healthcare organization locks its server room and uses security cameras to prevent unauthorized physical access.
That’s a physical safeguard.
Example 4 – Not covered by Security Rule:
A paper medical record stored in a file cabinet.
This is PHI, but not ePHI, so the Privacy Rule, not the Security Rule, applies.
True.
HIPAA does not apply to education records that are already protected under FERPA (the Family Educational Rights and Privacy Act).
FERPA is another federal law that protects the privacy of student education records — including certain health records maintained by schools.
Both HIPAA and FERPA are privacy laws, but they cover different settings:
- HIPAA protects medical information held by healthcare providers and insurers.
- FERPA protects student education and health information held by schools.
Example 1 – Education record (covered by FERPA, not HIPAA):
A school nurse keeps a student’s vaccination record or visits to the nurse’s office.
That’s an education record under FERPA, so HIPAA does not apply.
Example 2 – College health clinic:
A university health center keeps records of a student’s medical visit.
Still FERPA, not HIPAA, because the clinic is part of the school system and maintains the record as part of education records.
Example 3 – Outside healthcare provider:
A hospital (not part of a school) treats a high school student for a broken arm and stores their medical record.
That’s PHI under HIPAA, not FERPA — because it’s not an education record.