Free Healthcare Compliance Training

This healthcare compliance quiz targets day-to-day decisions governed by HIPAA privacy/security, OSHA worker-safety requirements, CMS billing rules, and HHS-OIG fraud-and-abuse guidance. Reinforcing these standards prevents privacy breaches, unsafe exposures, and improper claims. Non-compliance can trigger patient harm, civil penalties, repayment demands, exclusion, and OSHA citations.
1. HIPAA’s “minimum necessary” principle means workforce members should access or disclose only the least amount of PHI needed to do their job.

   True / False

2. If you observe a potential compliance issue and are unsure what to do, which resource is typically most appropriate to contact?

3. To save time, a coworker wheels a heavy oxygen cylinder without securing it, despite posted safety procedures. What should you do immediately?

4. You overhear two coworkers discussing a patient’s full name and diagnosis in a crowded elevator while a visitor is listening. What is the best response?

5. You are about to follow a process you learned at a previous employer, but you’re not sure it matches your current organization’s rules. What should you do?

6. If you are busy, it is acceptable to skip required PPE as long as you are careful.

   True / False

7. Billing at a higher level of service than the documentation supports violates CMS billing rules and may be considered fraud if done knowingly.

   True / False

8. A mandatory online module instructs staff to use a form your organization retired months ago, and the updated policy is on the intranet. Arrange the best actions in order.

   Put in order

   1. Follow the current intranet policy for real work tasks
   2. Document your completion and any guidance you received
   3. Flag the module error to the training/compliance contact
   4. Complete the required module to meet training requirements
9. A family member calls asking for a patient’s lab results and says, “The patient always lets me see everything,” but there is no authorization on file. What is the best response?

10. While batching claims, you notice several visits are billed at a higher level of service than the documentation supports. Your supervisor is rushing everyone to meet a deadline. What should you do first?

11. It is acceptable for an organization to skip tracking training completion as long as training is offered to everyone.

   True / False

12. You suspect a compliance violation occurred (privacy, billing, or safety). Select all that apply: Which actions generally align with a strong compliance reporting process?

   Select all that apply

13. During claim review you identify an error that could lead to an overpayment. Select all that apply: Which actions support compliant billing correction?

   Select all that apply

14. A coworker texts you a photo of a patient’s wound and name from their personal phone asking, “Is this infected?” What is the best response?

15. After giving an injection, what is the safest and most compliant way to handle the used needle?

16. A supervisor tells you to submit claims now and “we’ll fix any coding problems later” to meet a deadline. What is the most compliant response?

17. A blood/body-fluid spill occurs in a clinical area. Select all that apply: Which actions are generally appropriate?

   Select all that apply

18. A laptop containing unencrypted patient information is reported missing. Arrange the typical breach-response steps in the best order.

   Put in order

   1. Report the incident immediately through required channels
   2. Assess whether PHI was compromised (risk assessment)
   3. Contain/mitigate (e.g., remote wipe, disable access) as directed
   4. Notify affected parties and regulators as required and document actions
19. A Medicare patient is scheduled for a service that may not be covered under their plan based on medical necessity rules. What is the most appropriate next step?

20. During internal review you find repeated billing for separate procedure components that are typically included in a single comprehensive code, and documentation does not support separate billing. What is the best next step?

21. A caller requests patient information by phone. Select all that apply: Which steps help you comply with HIPAA and organizational policy before disclosing PHI?

   Select all that apply

22. You notice a coworker documenting vitals in the chart that they did not actually take. What is the best action?

23. A training module instructs you to use an outdated form, but the current procedure on the intranet uses a different form. What should you do?

Disclaimer

This quiz is for educational purposes only. It does not replace official safety training, certification, or regulatory compliance programs.

Healthcare Compliance Pitfalls: HIPAA Privacy, OSHA Safety, CMS Billing, and OIG Integrity

Most compliance failures in healthcare are not “big scandals”—they are repeatable workflow errors that accumulate until an incident, audit, or complaint forces review. The quiz emphasizes the decision points where staff commonly drift from written standards.

HIPAA errors that create reportable risk

  • Assuming “treatment” makes any disclosure acceptable. Treatment supports sharing for care coordination, but you still need reasonable safeguards (voice level, screens, printers, secure messaging) and role-based access.
  • Misapplying the minimum necessary standard. It generally applies to many operational uses/disclosures and requests, but not to disclosures for treatment or to the patient; learners often over-share “just in case” or under-share when care needs it.
  • Device and account shortcuts. Sharing logins, leaving workstations unlocked, or texting patient identifiers outside approved tools turns routine work into a security incident.

CMS/OIG billing and integrity mistakes

  • Upcoding without documentation. Selecting a higher level of service than the note supports, or “cloning” templates that don’t reflect what occurred, is a frequent audit trigger.
  • Fixing errors quietly. Correct practice is to follow your compliance process: correct/void/replace claims as required, track the root cause, and document corrective action and education.
  • Ignoring conflicts of interest and inducements. Referral and gift scenarios are rarely obvious; the safe approach is disclose, ask compliance, and document the determination.

OSHA mistakes that lead to injuries and citations

  • Inconsistent sharps and exposure response. Delayed reporting after a needlestick, incomplete exposure documentation, or skipping post-exposure steps undermines worker safety and medical record requirements.
  • Skipping hazard communication basics. Using chemicals without reviewing the SDS, required PPE, or approved disinfectant dwell times creates preventable exposure events.

Real-World Compliance Decision Drills for Clinical and Revenue-Cycle Staff

Use these short prompts the way an auditor or safety officer would: identify the governing standard (HIPAA, OSHA, CMS, OIG), then choose the action that is documentable, repeatable, and consistent with policy.

  1. Elevator conversation (HIPAA incidental disclosure)

    Two staff members discuss a patient’s full name, diagnosis, and room number in a public elevator while visitors are present. Decide what immediate safeguard you apply, what coaching you provide, and whether your organization’s policy requires reporting as a potential privacy incident.

  2. Wrong recipient (fax/email/portal)

    A discharge summary is sent to the wrong physician office. List the containment steps (retrieve/confirm destruction if possible), internal notifications (privacy officer), and what facts you must document to support a breach-risk assessment.

  3. “Just use my login” (access controls)

    A coworker can’t access the EHR and asks to “borrow” your credentials to document vitals. Decide the compliant alternative and the escalation path if the issue is recurring and affecting care throughput.

  4. Needlestick during a rushed blood draw (OSHA BBP)

    An MA sustains a needlestick, washes the area, and says they are “fine” and want to keep working. Identify the required reporting steps, the post-exposure evaluation expectations, and what records/logs your facility typically must complete.

  5. Level-of-service mismatch (CMS documentation support)

    While batching claims, you see repeated high-level E/M codes with short notes lacking medical decision-making detail. Choose what you do next: hold claims, request addenda, route to coding review, notify compliance, and document your rationale.

  6. Gift or “thank you” benefit tied to referrals (OIG risk)

    A vendor offers free lunch and “education” if your clinic increases orders for a specific product line. Identify the red flags, what information you gather, and how you route it for review before anything is accepted.

Five Habits That Prevent HIPAA Breaches, OSHA Injuries, and CMS/OIG Findings

  1. Name the authority before you act. For each scenario, explicitly identify whether HIPAA (privacy/security), OSHA (worker safety), CMS (billing/payment rules), or OIG (fraud/abuse risk) is driving the decision.
  2. Make “minimum necessary” operational. Share the least identifying information needed for the task, and use role-based access and privacy safeguards even when care delivery is urgent.
  3. Document what supports the claim. If the service level, time, or procedure is not supported in the record, fix the documentation workflow—don’t “code to expectation.”
  4. Report early through formal channels. Use your compliance hotline/officer and safety reporting tools so issues can be investigated, trended, and remediated—informal hallway corrections don’t create an audit trail.
  5. Treat exposures like emergencies, not inconveniences. After a sharps injury or splash, follow the exposure protocol immediately, including evaluation, documentation, and follow-up—speed is part of safety.

Healthcare Compliance Glossary: Terms You Must Apply on the Job

PHI (Protected Health Information)
Individually identifiable health information held or transmitted by a covered entity/business associate. Example: A room number paired with a diagnosis on a whiteboard can be PHI if it identifies the patient.
Minimum Necessary
A HIPAA principle requiring limiting many uses/disclosures/requests to the least information needed for the purpose. Example: For a scheduling call, confirm appointment time without discussing detailed diagnoses.
Incidental Disclosure
A secondary, unavoidable disclosure that may occur as a by-product of an otherwise permitted disclosure when reasonable safeguards are used. Example: A visitor briefly overhears a provider speaking quietly at a bedside.
Business Associate (BA)
An entity that performs functions involving PHI on behalf of a covered entity (e.g., billing vendor, cloud service). Example: A transcription vendor handling clinic dictations is a BA.
Breach (HIPAA)
An impermissible use/disclosure of unsecured PHI presumed to be a breach unless a risk assessment shows a low probability of compromise. Example: Sending a lab result to the wrong patient portal account.
Exposure Control Plan (ECP)
An OSHA-required written plan describing how the organization will eliminate or minimize occupational exposure to bloodborne pathogens. Example: The plan specifies sharps containers, safer device use, and post-exposure steps.
Upcoding
Billing for a higher level of service than documentation and medical necessity support. Example: Selecting a high-complexity E/M level when the note shows a brief, low-risk visit.
Fraud, Waste, and Abuse (FWA)
Misconduct that increases costs or leads to improper payment; fraud is intentional deception, while waste/abuse may be due to poor practices. Example: Billing for services not provided is fraud; repetitive unnecessary testing can be waste/abuse.

Authoritative Standards and Guidance (HHS, OSHA, CMS, OIG)

Use these primary-source references to verify quiz concepts and align your local policy work with regulatory expectations.

Healthcare Compliance Training FAQ: Privacy, Safety, Billing Integrity, and Reporting

When does HIPAA’s “minimum necessary” standard apply in day-to-day work?

Apply minimum necessary when you’re using, disclosing, or requesting PHI for many operational purposes (for example, scheduling support, quality workflows, or administrative requests). It generally does not apply to disclosures for treatment or to the patient, but you still must use reasonable safeguards (quiet voices, screen privacy, secure tools) and follow role-based access.

Is a hallway or elevator conversation automatically a HIPAA violation?

Not automatically, but it is a high-risk setting. HIPAA tolerates some incidental disclosures only when reasonable safeguards are in place. If patient identifiers and sensitive details are shared where the public can hear, treat it as a preventable privacy risk: stop the conversation, move it to a private area, and follow your organization’s incident reporting policy when exposure may have occurred.

What should I do if I realize I sent PHI to the wrong person (fax, email, portal message, or printout)?

Contain first (retrieve the document, request secure deletion, disable portal access if misdirected), then notify the privacy/security contact per policy so a formal breach-risk assessment can be performed. Document the key facts: what data went out, to whom, when, how it was secured (or not), and what mitigation steps were taken.

What makes a billing issue “compliance” instead of “just a coding mistake”?

It becomes a compliance issue when the pattern suggests systemic risk (repeated level-of-service inflation, missing documentation across multiple encounters, pressure to “code to the schedule,” or edits being bypassed). The safe response is to pause questionable claims, route for coding/compliance review, and document corrective action and education rather than “fixing it later.”

How do OSHA requirements show up in healthcare compliance training beyond needles and sharps?

Healthcare OSHA exposure often includes chemical disinfectants (SDS/PPE), ergonomics and safe patient handling, respiratory protection (when applicable), workplace violence prevention practices, and injury/illness reporting. If you want deeper practice on blood and sharps scenarios specifically, pair this quiz with the Bloodborne quiz.

What’s the right way to raise a concern about potential fraud, waste, or abuse without making accusations?

Report objective observations through formal channels (compliance hotline, supervisor chain per policy, compliance officer) and include the minimum facts needed: dates, claim identifiers, documentation gaps, and what policy step you followed. Avoid confronting coworkers as the “investigator”; your role is to surface risk so it can be reviewed and trended.

How is “compliance” connected to patient safety decisions at the bedside?

Privacy safeguards, accurate documentation, correct orders, and safe work practices reduce clinical error pathways—especially during handoffs, high-volume clinic sessions, and discharge. For patient-harm-focused scenarios (handoffs, medication safety, error prevention), use the Patient Safety Multiple Choice Questions alongside this compliance quiz.