Objectives in this domain

Apply HIPAA Privacy and Security Rule requirements to protect patient health information in clinical and administrative contexts.
Section 7.1medium
Explain informed consent requirements, patient rights, advance directives, and the role of power of attorney in care decisions.
Section 7.2medium
Distinguish the medical assistant scope of practice from that of other healthcare professionals and apply the professional code of ethics.
Section 7.3medium
Identify mandatory reporting obligations and apply correct medical record retention and storage requirements.
Section 7.4medium

Sample question from this domain

Free sampleMedical Law and Ethicsmedium

A medical assistant at a family practice receives a phone call from a community pharmacy requesting the dosing history of a patient's antihypertensive medication so the pharmacist can verify a refill. The caller identifies the pharmacy and the patient by name and date of birth, and the patient is an established patient of the practice. What is the BEST action under the HIPAA Privacy Rule?

ARefuse to release any information because the patient has not signed a specific written authorisation for this disclosure to the pharmacy.
BVerify the pharmacy's identity and the patient context, then share only the dosing information needed for the refill verification. Correct
CFax the patient's full medication list and recent progress notes to the pharmacy so the pharmacist has complete clinical context for the refill.
DTell the pharmacist to have the patient call the practice directly because clinical staff cannot release any medication information to a pharmacy by telephone.

Apply the HIPAA Privacy Rule's treatment exception and minimum-necessary standard when releasing PHI to another treating provider. The HIPAA Privacy Rule permits covered entities to disclose protected health information for treatment, payment, and healthcare operations without a separate patient authorisation, and a pharmacist verifying a refill is engaged in treatment. The Privacy Rule still requires the disclosure to meet the minimum-necessary standard, so the medical assistant verifies the requester and limits the response to the dosing data the pharmacist needs, not the full chart.

Why A is wrong: Tempting because authorisation feels safest, but the Privacy Rule allows disclosure for treatment without a separate written authorisation. Refusing here delays legitimate patient care and misapplies the authorisation requirement, which is reserved for uses outside treatment, payment, or healthcare operations.

Why B is correct: Pharmacy refill verification is a treatment activity between healthcare providers, permitted under the Privacy Rule's treatment, payment, and healthcare operations provisions without separate authorisation, while the minimum-necessary standard still limits the disclosure to the dosing data the pharmacist actually needs.

Why C is wrong: Sending the full chart feels thorough and provider-friendly, but the Privacy Rule's minimum-necessary standard limits disclosures to the information reasonably needed for the purpose. Sharing progress notes and the entire medication list exceeds what refill verification requires.

Why D is wrong: Routing the patient back into the call seems privacy-protective, but the Privacy Rule does not bar telephone disclosures to another treating provider after reasonable identity verification. Refusing creates an unnecessary barrier to care and misreads the rule as more restrictive than it is.

Other domains in this exam

Foundational Knowledge and Basic Science10% of the exam
Anatomy and Physiology5% of the exam
Clinical Patient Care56% of the exam
Patient Care Coordination and Education8% of the exam
Administrative Assisting8% of the exam
Communication and Customer Service8% of the exam

See also the CCMA cert hub, the study guide, and the cheat sheet.