Privacy Rule provisions US Medical PG Practice Questions and MCQs
Practice US Medical PG questions for Privacy Rule provisions. These multiple choice questions (MCQs) cover important concepts and help you prepare for your exams.
Privacy Rule provisions US Medical PG Question 1: A 68-year-old man comes to the physician for a follow-up examination, accompanied by his daughter. Two years ago, he was diagnosed with localized prostate cancer, for which he underwent radiation therapy. He moved to the area 1 month ago to be closer to his daughter but continues to live independently. He was recently diagnosed with osteoblastic metastases to the spine and is scheduled to initiate therapy next week. In private, the patient’s daughter says that he has been losing weight and wetting the bed, and she tearfully asks the physician if his prostate cancer has returned. She says that her father has not spoken with her about his health recently. The patient has previously expressed to the physician that he does not want his family members to know about his condition because they “would worry too much.” Which of the following initial statements by the physician is most appropriate?
- A. “As your father's physician, I think that it's important that you know that his prostate cancer has returned. However, we are confident that he will respond well to treatment.”
- B. “I'm sorry, I can't discuss any information with you without his permission. I recommend that you have an open discussion with your father.” (Correct Answer)
- C. “It concerns me that he's not speaking openly with you. I recommend that you seek medical power of attorney for your father. Then, we can legally discuss his diagnosis and treatment options together.”
- D. “It’s difficult to deal with parents aging, but I have experience helping families cope. We should sit down with your father and discuss this situation together.”
- E. “Your father is very ill and may not want you to know the details. I can imagine it's frustrating for you, but you have to respect his discretion.”
Privacy Rule provisions Explanation: ***“I'm sorry, I can't discuss any information with you without his permission. I recommend that you have an open discussion with your father.”***
- This statement upholds **patient confidentiality** and **autonomy**, as the patient explicitly stated he did not want his family to know about his condition.
- It encourages communication between the patient and his daughter, which is the most appropriate way for her to learn about his health status.
*“As your father's physician, I think that it's important that you know that his prostate cancer has returned. However, we are confident that he will respond well to treatment.”*
- This violates the patient's **confidentiality** and explicit wish to keep his medical information private from his family.
- Sharing medical information without explicit consent, even with family, is a breach of ethical and legal guidelines (e.g., **HIPAA** in the United States).
*“It concerns me that he's not speaking openly with you. I recommend that you seek medical power of attorney for your father. Then, we can legally discuss his diagnosis and treatment options together.”*
- While seeking medical power of attorney is an option for future decision-making, it is **premature and inappropriate** to suggest it solely to bypass the patient's current desire for confidentiality, especially when he is still competent to make his own decisions.
- This suggestion could undermine the patient's autonomy and trust in his physician.
*“It’s difficult to deal with parents aging, but I have experience helping families cope. We should sit down with your father and discuss this situation together.”*
- This statement, while empathetic, still risks undermining the patient's **autonomy** by pushing for a joint discussion against his explicit wishes to keep his family unaware.
- The physician's primary obligation is to the patient's stated preferences regarding his medical information.
*“Your father is very ill and may not want you to know the details. I can imagine it's frustrating for you, but you have to respect his discretion.”*
- While this statement acknowledges the daughter's feelings and respects the patient's discretion, it uses a somewhat **judgmental tone** ("very ill") and the phrasing "you have to respect his discretion" can come across as abrupt or dismissive rather than purely informative or guiding.
- The most appropriate initial response should focus on the **physician's inability to share information** due to confidentiality rather than attributing motives to the patient's decision or explicitly telling the daughter how to feel.
Privacy Rule provisions US Medical PG Question 2: A 42-year-old woman presents to the physician with symptoms of vague abdominal pain and bloating for several months. Test results indicate that she has ovarian cancer. Her physician attempts to reach her by phone multiple times but cannot reach her. Next of kin numbers are in her chart. According to HIPAA regulations, who should be the primary person the doctor discusses this information with?
- A. The patient's brother
- B. The patient's husband
- C. The patient's daughter
- D. All of the options
- E. The patient (Correct Answer)
Privacy Rule provisions Explanation: ***The patient***
- Under **HIPAA**, the patient has the **right to privacy** regarding their protected health information (PHI). Therefore, the physician must make all reasonable attempts to contact the patient directly to convey their diagnosis.
- Sharing sensitive medical information like a cancer diagnosis with anyone other than the patient, without their explicit consent, would be a **violation of HIPAA regulations**.
*The patient's brother*
- The patient's brother is not automatically authorized to receive her medical information, even if listed as **next of kin**, without the patient's explicit consent or a documented **healthcare power of attorney**.
- Discussing the diagnosis with the brother without the patient's direct consent would be a **breach of patient confidentiality**.
*The patient's husband*
- Even a spouse does not automatically have the right to access a patient's **PHI** without the patient's express permission, according to **HIPAA**.
- While often a trusted contact, without explicit consent, revealing the diagnosis to the husband would still violate the patient's **privacy rights**.
*The patient's daughter*
- Similar to other family members, the patient's daughter is not legally entitled to receive her mother's confidential medical information without explicit authorization or a medical **power of attorney**.
- The physician's primary responsibility is to the patient herself, ensuring her **privacy** is maintained.
*All of the options*
- According to **HIPAA**, sharing the patient's diagnosis with any family member without her explicit consent would be a **breach of confidentiality**.
- This option incorrectly assumes that **next of kin** automatically have the right to receive sensitive medical information.
Privacy Rule provisions US Medical PG Question 3: A 19-year-old man presents to an orthopedic surgeon to discuss repair of his torn anterior cruciate ligament. He suffered the injury during a college basketball game 1 week ago and has been using a knee immobilizer since the accident. His past medical history is significant for an emergency appendectomy when he was 12 years of age. At that time, he said that he never wanted to have surgery again. At this visit, the physician explains the procedure to him in detail including potential risks and complications. The patient acknowledges and communicates his understanding of both the diagnosis as well as the surgery and decides to proceed with the surgery in 3 weeks. Afterward, he signs a form giving consent for the operation. Which of the following statements is true about this patient?
- A. He cannot provide consent because he lacks capacity
- B. He has the right to revoke his consent at any time (Correct Answer)
- C. His parents also need to give consent to this operation
- D. He did not need to provide consent for this procedure since it is obviously beneficial
- E. His consent is invalid because his decision is not stable over time
Privacy Rule provisions Explanation: ***He has the right to revoke his consent at any time***
- **Informed consent** for medical procedures is an ongoing process, and a patient retains the right to **withdraw consent** at any point, even after initially signing the consent form.
- This right is a fundamental aspect of patient autonomy and ensures that medical interventions are only performed with a patient's current and willing agreement.
*He cannot provide consent because he lacks capacity*
- The patient is 19 years old, which in most jurisdictions (including the US where the age of majority is typically 18) means he is considered an **adult** and legally capable of providing his own consent.
- The scenario explicitly states he "communicates his understanding of both the diagnosis as well as the surgery," indicating he possesses the **mental capacity** to make an informed decision.
*His parents also need to give consent to this operation*
- As a 19-year-old, the patient has reached the **age of majority** and is legally entitled to make his own medical decisions, including consenting to surgery.
- Parental consent is generally required for minors (individuals under the age of majority), but not for adults like this patient.
*He did not need to provide consent for this procedure since it is obviously beneficial*
- Even for procedures that are clearly **beneficial**, informed consent is ethically and legally mandatory to uphold **patient autonomy** and ensure respect for individual rights.
- The concept of "obviously beneficial" does not negate the requirement for a patient's explicit agreement to a medical intervention.
*His consent is invalid because his decision is not stable over time*
- While the patient might have initially hated surgery at age 12, his current decision at age 19 to proceed with the ACL repair is based on current information and his mature understanding.
- The fact that his previous aversion to surgery has changed does not invalidate his current, well-informed decision; it simply indicates a change in perspective based on new circumstances and greater maturity.
Privacy Rule provisions US Medical PG Question 4: A 54-year-old man suffered an anterior wall myocardial infarction that was managed in the cath lab with emergent coronary stenting and revascularization. The patient states that his wife, adult children, and cousins may be disclosed information regarding his care and health information. The patient has been progressing well without any further complications since his initial catheterization. On hospital day #3, a woman stops you in the hall outside of the patient's room whom you recognize as the patient's cousin. She asks you about the patient's prognosis and how the patient is progressing after his heart attack. Which of the following is the most appropriate next step?
- A. Decline to comment per HIPAA patient confidentiality regulations
- B. Direct the woman to discuss these issues with the patient himself
- C. Ask the patient if it is acceptable to share information with this individual
- D. Discuss the patient's hospital course and expected prognosis with the woman
- E. Ask for identification confirming that the woman is truly the patient's cousin (Correct Answer)
Privacy Rule provisions Explanation: ***Ask for identification confirming that the woman is truly the patient's cousin***
- While **HIPAA** emphasizes patient privacy, it also allows disclosure to family members if the patient has agreed to it or if disclosure is deemed in the patient's best interest.
- The patient explicitly stated that his cousins may be disclosed information; therefore, confirming the woman's identity as a cousin is the most **appropriate first step** to determine if she is one of the individuals he approved for information disclosure.
*Decline to comment per HIPAA patient confidentiality regulations*
- This is an overly broad and potentially **unnecessary response**, as the patient has already indicated that his cousins can receive information.
- **HIPAA allows for disclosure** to family members or others involved in the patient's care if the patient expresses a preference or does not object.
*Direct the woman to discuss these issues with the patient himself*
- This option **shifts the responsibility** of disclosure from the healthcare provider, who holds the medical information, to the patient.
- While the patient can certainly share his own information, the family may be seeking **professional medical updates** that the patient might not be fully equipped to provide.
*Ask the patient if it is acceptable to share information with this individual*
- Although obtaining direct patient consent is generally a good practice, the patient has already **verbally authorized family members**, including cousins, to receive information.
- The primary outstanding issue is confirming this specific individual's relationship to the patient, rather than re-asking for permission to share with cousins in general.
*Discuss the patient's hospital course and expected prognosis with the woman*
- This action would be **premature and a violation of HIPAA** if the woman cannot be confirmed as the patient's cousin.
- **Verification of identity** and relationship is crucial before disclosing any protected health information.
Privacy Rule provisions US Medical PG Question 5: A psychiatrist receives a call from a patient who expresses thoughts of harming his ex-girlfriend. The patient describes a detailed plan to attack her at her workplace. Which of the following represents the psychiatrist's most appropriate legal obligation?
- A. Warn the ex-girlfriend and notify law enforcement (Correct Answer)
- B. Only notify the patient's family
- C. Warn only law enforcement
- D. Maintain patient confidentiality
Privacy Rule provisions Explanation: ***Warn the ex-girlfriend and notify law enforcement***
- This scenario directly triggers the **"duty to warn"** and **"duty to protect"** principles, primarily stemming from the **Tarasoff v. Regents of the University of California** case.
- The psychiatrist has a legal obligation to take reasonable steps to protect the identifiable victim, which includes directly warning the intended victim and informing law enforcement.
*Only notify the patient's family*
- Notifying the patient's family alone does not fulfill the **legal obligation to protect** an identifiable third party from a serious threat of harm.
- While family involvement might be part of a comprehensive safety plan, it is insufficient as the sole action in this critical situation.
*Warn only law enforcement*
- While notifying law enforcement is a crucial step, the **Tarasoff duty** specifically mandates warning the **intended victim** directly (or those who can reasonably be expected to notify the victim).
- Relying solely on law enforcement might not ensure the immediate safety of the ex-girlfriend, especially if there's a delay in their response or ability to locate her.
*Maintain patient confidentiality*
- Patient confidentiality is a cornerstone of psychiatric practice, but it is **not absolute** when there is a serious and imminent threat of harm to an identifiable individual.
- The **duty to protect** a potential victim *outweighs* the duty to maintain confidentiality in such extreme circumstances.
Privacy Rule provisions US Medical PG Question 6: A healthy, 16-year-old girl is brought in by her mother for a wellness visit. During the appointment, the patient’s mother brings up concerns about her daughter’s acne. The patient has had acne for 2 years. She washes her face twice a day with benzoyl peroxide and has been on doxycycline for 2 months with only mild improvement. The patient does not feel that the acne is related to her menstrual cycles. The patient’s mother states she does well in school and is the captain of the junior varsity cross-country team. She is worried that the acne is starting to affect her daughter’s self-esteem. The patient states that prom is coming up, and she is considering not going because she hates taking pictures. Upon physical exam, there are multiple open and closed comedones and scattered, red nodules on the patient’s face with evidence of scarring. The patient’s mother says her neighbor’s son tried isotretinoin and wants to know if that may work for her daughter. While talking about the risk factors for isotretinoin, you mention that patient will need to be on 2 forms of birth control. The mother asks, “Is that really necessary? We are a very religious family and my daughter knows our household rule about no sex before marriage.” Which of the following is the next step in management?
- A. Have the patient take a pregnancy test to prove abstinence
- B. Ask the mother to leave the room before talking to the patient about her sexual activity (Correct Answer)
- C. Talk to patient and mother about patient’s sexual activity, since parental permission is needed for isotretinoin
- D. Prescribe the isotretinoin as the patient does not need additional contraception if she is abstinent
- E. Prescribe the isotretinoin after giving the patient a handout about birth control methods
Privacy Rule provisions Explanation: ***Ask the mother to leave the room before talking to the patient about her sexual activity***
- This respects the **adolescent's right to confidentiality** and allows for a candid discussion about sensitive topics like sexual activity and contraception
- A **16-year-old** has the right to private discussions about reproductive health matters, regardless of parental presence
- The **iPLEDGE program** requires comprehensive counseling about contraception for all females of childbearing potential, which is best accomplished in a private setting
- This approach balances the need to respect parental involvement while protecting the minor's confidentiality on sensitive health matters
*Have the patient take a pregnancy test to prove abstinence*
- While a pregnancy test is necessary before starting isotretinoin, it does not confirm or prove abstinence
- This is not the appropriate first step in addressing the mother's concerns or the patient's need for contraception counseling
- iPLEDGE guidelines require monthly negative pregnancy tests but also mandate contraception counseling regardless of pregnancy test results
*Talk to patient and mother about patient's sexual activity, since parental permission is needed for isotretinoin*
- Discussing sexual activity with both the patient and mother present **violates adolescent confidentiality** and may prevent honest disclosure
- Many states allow **mature minors** to consent to contraceptive services without parental involvement
- This approach could damage the therapeutic relationship and compromise the patient's willingness to share sensitive information
*Prescribe the isotretinoin as the patient does not need additional contraception if she is abstinent*
- This is incorrect as the **FDA-mandated iPLEDGE program** requires all females of childbearing potential to use two forms of contraception, regardless of stated abstinence
- The program makes no exception for patients claiming abstinence due to the **extreme teratogenicity** of isotretinoin
- Bypassing this requirement would violate federal regulations and expose the patient to risk of severe congenital malformations if pregnancy occurs
*Prescribe the isotretinoin after giving the patient a handout about birth control methods*
- Simply providing a handout is insufficient for effective contraception counseling required by the **iPLEDGE program**
- The patient needs detailed, private counseling to understand contraceptive options, the risks of isotretinoin, and to ensure adherence
- This approach fails to address the confidentiality issue raised by the mother's presence
Privacy Rule provisions US Medical PG Question 7: A 36-year-old man comes to the physician because of a 2-week history of productive cough, weight loss, and intermittent fever. He recently returned from a 6-month medical deployment to Indonesia. He appears tired. Physical examination shows nontender, enlarged, palpable cervical lymph nodes. An x-ray of the chest shows right-sided hilar lymphadenopathy. A sputum smear shows acid-fast bacilli. A diagnosis of pulmonary tuberculosis is made from PCR testing of the sputum. The patient requests that the physician does not inform anyone of this diagnosis because he is worried about losing his job. Which of the following is the most appropriate initial action by the physician?
- A. Request the patient's permission to discuss the diagnosis with an infectious disease specialist
- B. Assure the patient that his diagnosis will remain confidential
- C. Confirm the diagnosis with a sputum culture
- D. Notify all of the patient's household contacts of the diagnosis
- E. Inform the local public health department of the diagnosis (Correct Answer)
Privacy Rule provisions Explanation: ***Inform the local public health department of the diagnosis***
- **Tuberculosis** is a **reportable disease** to public health authorities due to its significant public health implications, including the risk of transmission.
- Physicians have a **legal and ethical obligation** to report such diagnoses to protect the community, even against a patient's wishes for secrecy.
*Request the patient's permission to discuss the diagnosis with an infectious disease specialist*
- While consulting an infectious disease specialist is often beneficial for managing TB, the immediate and most appropriate initial action is related to **public health notification**.
- Delaying notification to seek patient permission first would **compromise public health safety** regarding a reportable disease.
*Assure the patient that his diagnosis will remain confidential*
- This assurance would be **misleading and unethical** because TB is a reportable condition, meaning its confidentiality is necessarily breached for public health purposes.
- Physicians are bound by law to report communicable diseases, which supersedes general confidentiality in this specific context.
*Confirm the diagnosis with a sputum culture*
- The diagnosis of pulmonary tuberculosis has already been established by a **sputum smear showing acid-fast bacilli** and **PCR testing**, which are highly reliable.
- While a sputum culture provides drug susceptibility information, it is not the *initial* most appropriate action regarding the patient's stated concerns about confidentiality in the context of a reportable disease.
*Notify all of the patient's household contacts of the diagnosis*
- While contact tracing is an important part of TB control, it is typically initiated and managed by the **public health department** after notification.
- The physician's primary responsibility is to notify the health department, who then assumes the role of **contact investigation** and management.
Privacy Rule provisions US Medical PG Question 8: A 32-year-old male asks his physician for information regarding a vasectomy. On further questioning, you learn that he and his wife have just had their second child and he asserts that they no longer wish to have additional pregnancies. You ask him if he has discussed a vasectomy with his wife to which he replies, "Well, not yet, but I'm sure she'll agree." What is the next appropriate step prior to scheduling the patient's vasectomy?
- A. Insist that the patient first discuss this procedure with his wife
- B. Telephone the patient's wife to inform her of the plan
- C. Refuse to perform the vasectomy
- D. Explain the risks and benefits of the procedure and request signed consent from the patient and his wife
- E. Explain the risks and benefits of the procedure and request signed consent from the patient (Correct Answer)
Privacy Rule provisions Explanation: ***Explain the risks and benefits of the procedure and request signed consent from the patient***
- A patient has the **right to make autonomous decisions** about their own medical care, including reproductive choices, regardless of their marital status or spousal approval.
- The physician's role is to ensure the patient is fully informed and provides **voluntary, uncoerced consent** after understanding the risks, benefits, and alternatives of the procedure.
*Insist that the patient first discuss this procedure with his wife*
- This option would be a **violation of patient autonomy** and confidentiality, as a married person has the right to make independent medical decisions.
- Requiring spousal consent for a procedure performed solely on one individual is not ethically or legally mandated and could be considered discriminatory.
*Telephone the patient's wife to inform her of the plan*
- This action would be a **breach of patient confidentiality**, as the patient's medical information, including his intent to have a vasectomy, cannot be shared with a third party, even a spouse, without explicit permission.
- Informing the wife without the husband's consent also undermines the patient's autonomy and right to privacy regarding his healthcare decisions.
*Refuse to perform the vasectomy*
- Refusing to perform the procedure simply because the patient has not discussed it with his wife would be **unethical and inconsistent with medical professionalism**, assuming the patient is competent and fully informed.
- A physician should not deny medically appropriate care based on a patient's marital dynamics or the presumed wishes of a spouse, as long as the patient's consent is valid.
*Explain the risks and benefits of the procedure and request signed consent from the patient and his wife*
- While it is advisable for a patient to discuss major life decisions with their spouse, requiring **spousal consent for a patient's own medical procedure** is not legally or ethically mandated for competent adults.
- Obtaining consent from both individuals is typically reserved for procedures affecting both parties directly or for those involving a surrogate decision-maker, not for an autonomous adult's personal medical choice.
Privacy Rule provisions US Medical PG Question 9: An 86-year-old man is admitted to the hospital for management of pneumonia. His hospital course has been relatively uneventful, and he is progressing well. On morning rounds nearing the end of the patient's hospital stay, the patient's cousin finally arrives to the hospital for the first time after not being present for most of the patient's hospitalization. He asks about the patient's prognosis and potential future discharge date as he is the primary caretaker of the patient and needs to plan for his arrival home. The patient is doing well and can likely be discharged in the next few days. Which of the following is the most appropriate course of action?
- A. Bring the cousin to the room and explain the plan to both the patient and cousin
- B. Explain the plan to discharge the patient in the next few days
- C. Explain that you cannot discuss the patient's care at this time
- D. Tell the cousin that you do not know the patient's course well
- E. Bring the cousin to the room and ask the patient if it is acceptable to disclose his course (Correct Answer)
Privacy Rule provisions Explanation: ***Bring the cousin to the room and ask the patient if it is acceptable to disclose his course***
- This option prioritizes **patient autonomy** and privacy by allowing the patient to decide if their medical information can be shared with the cousin.
- Even if the cousin is the primary caretaker, explicit permission from the patient is required under **HIPAA** rules before disclosing protected health information.
- This approach balances **confidentiality protection** with practical discharge planning needs.
*Bring the cousin to the room and explain the plan to both the patient and cousin*
- This option prematurely assumes the patient's consent to share information with the cousin, which may violate **patient privacy**.
- While it facilitates communication, it bypasses the critical step of confirming the patient's willingness to disclose their medical details.
- This constitutes a **HIPAA violation** by disclosing information before obtaining consent.
*Explain the plan to discharge the patient in the next few days*
- Disclosing this information solely to the cousin without the patient's explicit permission constitutes a **breach of confidentiality**.
- This action violates **HIPAA regulations**, even if the cousin is identified as the primary caretaker.
- Protected health information (PHI) cannot be shared with family members without patient authorization.
*Explain that you cannot discuss the patient's care at this time*
- While protecting patient privacy, this response is overly abrupt and unhelpful, potentially creating **frustration** and hindering discharge planning.
- It does not offer a constructive path toward obtaining consent or addressing the cousin's legitimate concerns as a caretaker.
- A better approach involves facilitating consent rather than simply refusing communication.
*Tell the cousin that you do not know the patient's course well*
- This statement is **untruthful** and unprofessional, as the physician on rounds is expected to be knowledgeable about their patient's condition.
- It undermines trust and misrepresents the physician's duty to provide accurate information when appropriate.
- Dishonesty is never an acceptable approach to navigating privacy concerns.
Privacy Rule provisions US Medical PG Question 10: A 26-year-old man comes to the emergency department because of a 1-week history of fever, throat pain, and difficulty swallowing. Head and neck examination shows an erythematous pharynx with purulent exudates overlying the palatine tonsils. Microscopic examination of a throat culture shows pink, spherical bacteria arranged in chains. Treatment with amoxicillin is initiated. A day later, a physician colleague from another department approaches the physician in the lobby of the hospital and asks about this patient, saying, "Did you see him? What does he have? He's someone I play football with and he hasn't come to play for the past 5 days. I'm worried about him." Which of the following is the most appropriate action by the physician?
- A. Inform the colleague that they should ask the patient's attending physician
- B. Inform the colleague that they cannot divulge any information about the patient (Correct Answer)
- C. Tell the colleague the patient's case file number so they can look it up themselves
- D. Tell the colleague that they cannot tell them the diagnosis but that their friend was treated with antibiotics
- E. Ask the colleague to meet in the office so they can discuss the patient in private
Privacy Rule provisions Explanation: ***Inform the colleague that they cannot divulge any information about the patient***
- The **Health Insurance Portability and Accountability Act (HIPAA)** strictly prohibits the disclosure of a patient's **Protected Health Information (PHI)** without their explicit consent.
- Even if the inquirer knows the patient, a physician-patient relationship creates a **duty of confidentiality** that supersedes personal acquaintance.
- Disclosing any information without patient consent, even to another physician, violates HIPAA regulations.
*Tell the colleague the patient's case file number so they can look it up themselves*
- Providing the case file number would enable unauthorized access to the patient's medical records, thereby violating **patient confidentiality** and **HIPAA regulations**.
- This action does not rectify the breach of confidentiality and escalates the potential for further misuse of PHI.
*Inform the colleague that they should ask the patient's attending physician*
- Recommending that the colleague ask the attending physician shifts the burden but does not address the underlying ethical and legal obligation of the current physician to maintain **confidentiality**.
- The attending physician would also be bound by **HIPAA** and ethical guidelines not to disclose information without consent.
*Tell the colleague that they cannot tell them the diagnosis but that their friend was treated with antibiotics*
- While seemingly less specific, stating that the friend was treated with **antibiotics** is still a disclosure of **Protected Health Information (PHI)**.
- This action violates **patient confidentiality** as it reveals a detail of the patient's medical management without consent.
*Ask the colleague to meet in the office so they can discuss the patient in private*
- Moving to a private setting does not negate the fact that discussing the patient's information with an unauthorized individual is a **breach of confidentiality**.
- The location of the conversation does not change the ethical and legal obligations to protect **PHI**.
More Privacy Rule provisions US Medical PG questions available in the OnCourse app. Practice MCQs, flashcards, and get detailed explanations.
