Law & Ethics
HIPAA, patient rights, scope of practice for CMAs, and professional ethics.
Recommended Study Materials
CCMA Study Guide 2026
NHA Prep · NHA-aligned CCMA exam prep with practice questions.
Medical Assistant Exam Prep
Kaplan · Comprehensive review for NHA CCMA certification.
Clinical Medical Assistant Review
Saunders · Clinical and administrative skills review for the CCMA exam.
As an Amazon Associate we earn from qualifying purchases.
Law & Ethics covers 9% of the CCMA exam. Questions test HIPAA, patient rights, scope of practice, professional ethics, and legal documentation. These are scenario-based — you must apply the rule to the situation, not just recite definitions. The key skill: knowing when to act, when to report, and when to defer to the provider.
HIPAA and Patient Privacy
Protected Health Information (PHI) includes any health data combined with a patient identifier (name, DOB, address, MRN, phone, etc. — 18 identifiers total). The minimum necessary standard requires disclosing only the PHI needed for the specific purpose. Treatment, payment, and healthcare operations are the three permitted uses that do not require authorization. Patients have the right to receive a copy of their records within 30 days (extendable to 60). Authorization — not just consent — is required to share PHI with employers, attorneys, or other non-covered entities.
Minimum necessary: share only what is needed. More is a HIPAA violation.
Patient Rights and Informed Consent
Patients have the right to be informed about their care, participate in care decisions, refuse treatment, have their privacy protected, access their records, and receive considerate and respectful care. Informed consent requires: disclosure of the procedure, risks, benefits, and alternatives; patient comprehension; voluntariness; and competence. The provider obtains informed consent — the CCMA may witness the signature but does not obtain consent. Patients may revoke consent verbally at any time before the procedure begins.
Scope of Practice and Mandatory Reporting
CCMA scope varies by state — always stay within your defined role. CCMAs do not diagnose, prescribe, or interpret results for patients. Mandatory reporting requirements (varies by state): suspected child abuse, elder abuse, intimate partner violence, certain communicable diseases (TB, STIs, salmonella, etc.), gunshot wounds. Report to the appropriate authority (child protective services, public health department, law enforcement) — not to family members. Failure to report when required is itself a legal violation.
Must-Know for the Exam
- ✓PHI = health data + any of 18 patient identifiers
- ✓Minimum necessary standard: disclose only what is required for the specific purpose
- ✓Treatment, payment, healthcare operations: three permitted uses that need no authorization
- ✓Patient records: respond within 30 days (one 60-day extension)
- ✓Informed consent: provider explains and obtains; CCMA may only witness signature
- ✓CCMAs do not diagnose, prescribe, or interpret test results to patients
- ✓Mandatory reporting: child abuse, elder abuse, certain communicable diseases, gunshot wounds
- ✓Report suspected abuse to the appropriate authority — not to the family
Common Exam Mistakes
- ✗Releasing PHI with consent only — authorization is required for non-treatment third-party disclosures
- ✗The CCMA obtaining informed consent rather than witnessing the signature
- ✗Reporting suspected abuse to a family member instead of the proper authority
- ✗Interpreting lab results or imaging findings directly to the patient
- ✗Confusing permitted uses (no authorization needed) with third-party disclosures (authorization required)
Quiz yourself on Law & Ethics
Test what you just read — instant feedback on every question.
Start Law & Ethics Practice Quiz →Key Concepts — Part 1
1. A CMA overhears a coworker discussing a patient's HIV status in the break room with another employee who is not involved in that patient's care. Which HIPAA principle has most clearly been violated?
Minimum necessary standard
The minimum necessary standard requires that PHI only be shared with individuals who need it to perform their job duties. Discussing a patient's condition with a coworker not involved in care violates this standard. Amendment rights, accounting of disclosures, and breach notification address different aspects of HIPAA.
2. A patient requests a copy of their medical records. Under HIPAA, the practice generally must provide access within what timeframe?
30 days
HIPAA requires covered entities to provide patients access to their records within 30 days of the request, with one possible 30-day extension if needed. Shorter timeframes are not required by federal law, and 60 days exceeds the standard limit.
3. A CMA leaves the workstation to room a patient and does not log off the EHR. This is a violation of which type of HIPAA Security Rule safeguard?
Physical safeguard
Automatic logoff and workstation security are technical safeguards under the HIPAA Security Rule, controlling access to electronic PHI. Administrative safeguards involve policies and training, physical safeguards protect facilities and equipment, and organizational safeguards address business associate agreements.
4. A 16-year-old presents to the clinic alone requesting testing for a sexually transmitted infection. In most states, the CMA should:
Proceed with testing under minor consent laws for STI services
Most states allow minors to consent to their own care for sensitive services including STI testing, contraception, and substance abuse treatment without parental involvement. Emancipation is not required for these specific services. Contacting parents without consent could violate the minor's confidentiality rights.
5. A physician instructs a CMA to interpret an EKG and communicate the diagnosis to the patient. The CMA should:
Decline because interpretation and diagnosis are outside the MA scope of practice
Interpreting diagnostic tests and communicating diagnoses are outside the scope of practice for medical assistants, regardless of certification or physician instruction. MAs may perform EKGs but cannot interpret them. Following an order outside scope does not protect the MA legally.
6. A patient signs a consent form for a procedure but later states they didn't understand what would be done. Which element of valid informed consent was most likely missing?
Disclosure and comprehension
Valid informed consent requires that the patient understand the disclosed information about risks, benefits, and alternatives. If the patient did not comprehend what was explained, the disclosure element was inadequate. Voluntariness refers to being free of coercion, competence to decision-making capacity, and documentation to the record itself.
7. A CMA is asked to call in a prescription for oxycodone (Schedule II) to the pharmacy. What is the correct action?
Inform the physician that Schedule II drugs generally require a written or electronic prescription, not a phoned-in order
Schedule II controlled substances generally require a written prescription or a compliant electronic prescription (EPCS); they cannot be called in except in specific emergency situations with a written follow-up. Faxing is not acceptable for a routine Schedule II fill in most cases, and unencrypted email is never appropriate for PHI or prescriptions.
8. A CMA observes bruising in various stages of healing on an elderly patient and the caregiver answers all questions for the patient. What is the CMA's most appropriate action?
Notify the supervising provider and follow mandatory reporting procedures for suspected elder abuse
Healthcare workers are mandatory reporters for suspected elder abuse and do not need proof or a patient disclosure to make a report—only reasonable suspicion. Waiting could endanger the patient, and confronting the caregiver could escalate risk. Reports must be made regardless of whether the patient confirms abuse.
9. A CMA administers an injection to the wrong patient because they did not verify identifiers. Under which legal doctrine could the employing physician also be held liable?
Respondeat superior
Respondeat superior ('let the master answer') holds employers responsible for the actions of their employees performed within the scope of employment. Res ipsa loquitur is a negligence doctrine where the act speaks for itself. Stare decisis relates to legal precedent, and habeas corpus concerns unlawful detention.
10. Which of the following is an example of libel rather than slander?
A CMA posting on social media that a specific patient is faking their symptoms
Libel is defamation in written or published form, including social media posts, while slander is spoken defamation. All the other examples are verbal communications and would constitute slander if false and damaging. Social media posts qualify as libel because they are recorded and disseminated in writing.
Key Concepts — Part 2
1. A patient has a valid advance directive stating they do not want to be resuscitated. During a clinic visit, the patient becomes unresponsive with no pulse. What should the CMA do?
Follow the facility's protocol regarding the DNR and notify the provider immediately
A valid DNR order should be honored, and the CMA should follow facility protocol and immediately involve the provider. Beginning CPR against a valid DNR could violate the patient's autonomy. Waiting for family or an attorney is inappropriate in an emergency situation with an existing valid directive.
2. A CMA receives a subpoena for a patient's medical records. What is the appropriate initial response?
Notify the practice's administrator or legal counsel before releasing anything
A subpoena must be reviewed by the practice's administrator or legal counsel to ensure it is valid, complies with HIPAA, and that appropriate authorizations or court orders are in place before releasing PHI. Automatic release could violate HIPAA, ignoring it could result in legal consequences, and destroying records is illegal.
3. The four elements that must be proven to establish negligence are:
Duty, breach, causation, and damages
Negligence requires proof of the four D's: Duty (a duty of care existed), Dereliction/Breach (the duty was breached), Direct cause/Causation (the breach caused the injury), and Damages (actual harm occurred). The other options describe unrelated legal or clinical concepts.
4. According to the HITECH Act, if a breach of unsecured PHI affects 500 or more individuals, the covered entity must notify:
The affected individuals, HHS, and prominent media outlets serving the area
Under HITECH breach notification rules, breaches affecting 500 or more individuals require notification to the affected individuals, HHS Secretary (without unreasonable delay), and prominent media outlets in the affected area. Smaller breaches have less stringent media requirements but still require individual and HHS notification.
5. An unconscious patient arrives at an urgent care via EMS with a life-threatening injury and no available family. Treatment can proceed under which principle?
Implied (emergency) consent
Implied consent, also called emergency consent, allows providers to treat unconscious or incapacitated patients in life-threatening situations under the assumption that a reasonable person would consent to lifesaving care. Expressed and written consent require patient communication, and informed refusal is the opposite—declining care.
6. Which of the following best represents the ethical principle of autonomy?
Respecting the patient's right to make their own healthcare decisions
Autonomy is the ethical principle that respects a patient's right to make informed, voluntary decisions about their own healthcare. Non-maleficence is 'do no harm,' justice involves fair distribution of resources, and beneficence involves acting in the patient's best interest.
7. A CMA posts a photo from work on Instagram that shows a computer screen with a visible patient name in the background. This is a violation of:
HIPAA privacy regulations
Posting any identifiable PHI on social media, even accidentally in the background, violates HIPAA privacy regulations. OSHA addresses workplace safety, Joint Commission focuses on accreditation standards, and CLIA governs laboratory testing—none primarily address social media PHI disclosures.
8. A physician orders a medication that the CMA believes is contraindicated for the patient based on a documented allergy. The CMA should:
Verify the order with the physician and document the concern before administration
The CMA has a duty of care to the patient and should clarify any concerning orders with the ordering physician before administration. Blindly administering could constitute negligence and harm the patient. Refusing without communication or altering the dose independently are inappropriate actions outside the CMA's scope.
9. Which controlled substance schedule includes drugs with no accepted medical use in the United States?
Schedule I
Schedule I substances (such as heroin and LSD) have a high potential for abuse and no currently accepted medical use in the United States. Schedules II-V all have accepted medical uses, with decreasing potential for abuse from II to V.
10. A CMA grabs a patient's arm to prevent them from leaving before completing paperwork, despite the patient's clear objection. This action could constitute:
Assault and battery
Assault is the threat of harmful or offensive contact, and battery is the actual unwanted physical contact—grabbing a patient against their will constitutes both. Negligence involves failure to meet a standard of care, libel is written defamation, and breach of contract involves agreement violations.
Key Concepts — Part 3
1. A CMA overhears two coworkers discussing a celebrity patient's diagnosis in the break room. What is the CMA's most appropriate action?
Remind the coworkers that this violates HIPAA and report the incident to the privacy officer
Discussing patient information without a treatment purpose violates HIPAA's minimum necessary standard, and staff have a duty to report privacy violations to the compliance/privacy officer. Joining, posting, or ignoring the breach would perpetuate the violation.
2. A patient requests a copy of their medical records. Under HIPAA, within how many days must the covered entity generally provide access?
30 days
HIPAA's Privacy Rule requires covered entities to respond to a patient's request for access to their records within 30 days, with one 30-day extension allowed if the patient is notified. Shorter timeframes are not required, and 60 days exceeds the initial deadline.
3. A CMA leaves a workstation unlocked while stepping away, and another employee views a patient's chart. Which HIPAA Security Rule safeguard was violated?
Physical safeguard
Automatic logoff and workstation access controls are technical safeguards under the HIPAA Security Rule. Administrative safeguards involve policies and training, physical safeguards involve facility access, and organizational requirements involve business associate agreements.
4. An unconscious patient is brought to the clinic after collapsing. The provider begins emergency treatment without written consent. This is legally justified under which principle?
Implied consent
Implied consent applies in emergencies when a patient cannot communicate and treatment is needed to prevent harm; it is assumed the patient would consent. Informed and expressed consent require patient communication, and proxy consent requires an authorized representative present.
5. A 16-year-old who lives independently, is married, and financially supports herself presents for care. Legally, she can consent to her own treatment because she is considered:
An emancipated minor
An emancipated minor is legally recognized as an adult for medical decision-making, typically through marriage, military service, court order, or financial independence. Mature minor doctrine applies to minors who demonstrate the capacity to understand treatment but does not fit this scenario as clearly.
6. A CMA administers a medication to the wrong patient because the provider ordered it incorrectly. Under which legal doctrine may the employer be held liable for the CMA's actions?
Respondeat superior
Respondeat superior holds employers liable for the acts of employees performed within the scope of employment. Res ipsa loquitur means 'the thing speaks for itself,' stare decisis refers to legal precedent, and habeas corpus concerns unlawful detention.
7. Which of the following is required to prove negligence in a malpractice case?
Duty, breach, causation, and damages
The four elements of negligence (the '4 Ds') are Duty, Dereliction (breach), Direct cause (causation), and Damages. Intent is not required for negligence; assault/battery and libel/slander are separate torts.
8. A CMA administers an injection to a competent adult patient who verbally refused it moments earlier. This could be considered:
Battery
Battery is the unlawful touching of a person without consent, which applies when treatment is given despite refusal. Assault is the threat of harm, slander is spoken defamation, and libel is written defamation.
9. Which of the following controlled substances is classified as Schedule II by the DEA?
Oxycodone
Oxycodone is a Schedule II controlled substance—high abuse potential with accepted medical use. Heroin is Schedule I (no accepted medical use), alprazolam is Schedule IV, and pregabalin is Schedule V.
10. How often must a DEA-registered practice conduct a complete inventory of controlled substances?
Every 2 years
The DEA requires a complete controlled substance inventory every 2 years, in addition to an initial inventory upon registration. Records must be kept for at least 2 years and available for DEA inspection.
Key Concepts — Part 4
1. A CMA suspects a 4-year-old patient is being physically abused based on unexplained bruising in various stages of healing. What is the CMA's legal obligation?
Report the suspicion to child protective services or designated authority per state law
Healthcare workers are mandated reporters and must report reasonable suspicion of child abuse to the appropriate authorities; proof is not required. Confronting the parent, waiting for evidence, or only documenting fails to meet legal reporting obligations.
2. After administering a vaccine, a patient develops an unexpected adverse reaction. This event should be reported to:
VAERS
VAERS (Vaccine Adverse Event Reporting System) is the national program for reporting adverse events after vaccination. OSHA regulates workplace safety, The Joint Commission accredits healthcare organizations, and CLIA regulates laboratory testing.
3. A terminally ill patient signs a document indicating they do not want CPR performed if their heart stops. This document is a:
Do Not Resuscitate (DNR) order
A DNR (Do Not Resuscitate) order specifically instructs providers not to perform CPR if the patient's heart or breathing stops. A living will outlines broader end-of-life wishes, a DPOA appoints a decision-maker, and NPP is a HIPAA disclosure document.
4. Which ethical principle is most directly upheld when a CMA allows a competent patient to refuse a recommended treatment?
Autonomy
Autonomy is the patient's right to make their own healthcare decisions, including refusal of treatment. Beneficence means doing good, non-maleficence means avoiding harm, and justice concerns fair distribution of care.
5. A CMA receives a subpoena requesting a patient's medical records. What is the most appropriate first action?
Notify the provider and office manager or legal counsel before releasing any records
A subpoena for records requires review by the provider, office manager, or legal counsel to verify validity, ensure proper authorization, and confirm HIPAA compliance before release. Immediate release, ignoring the subpoena, or delegating to the patient are all inappropriate.
6. A CMA posts a photo from work showing the back of a patient in the waiting room, with no names visible. Why is this still a HIPAA violation?
The image could still identify the patient and reveals they received care at that facility
Any image that could identify a patient—directly or indirectly—including revealing they visited a facility is protected health information under HIPAA. Even without names, identifiable characteristics and the association with treatment constitute a disclosure.
7. Which of the following is NOT one of the required elements of valid informed consent?
Guarantee of a successful outcome
No provider can guarantee a successful outcome; doing so may constitute a breach of contract or misrepresentation. Valid informed consent requires disclosure of the procedure, risks, benefits, alternatives, and the opportunity to ask questions in a language the patient understands.
8. Under the HITECH Act, if a breach of unsecured PHI affects 500 or more individuals, the covered entity must notify:
HHS and affected patients within 60 days, and notify prominent media outlets in the affected area
Under HITECH, breaches affecting 500+ individuals require notification to affected patients, HHS, and prominent media outlets in the state or jurisdiction, all within 60 days of discovery. Smaller breaches have different reporting requirements.
9. A CMA is asked by a provider to interpret abnormal lab results and adjust a patient's medication dose over the phone. What should the CMA do?
Politely decline, as this exceeds the MA scope of practice
Interpreting lab results and adjusting medication doses are outside the CMA scope of practice; these are provider responsibilities. Delegating to another MA or contacting the pharmacy would still be practicing beyond one's legal scope and could expose the CMA and employer to liability.
10. A CMA discovers an error in vital signs entered into a patient's chart. What is the correct method for correcting the paper record?
Draw a single line through the error, write the correction, initial, and date it
Proper documentation correction requires a single line through the error (so original is still legible), the correct entry, initials, and date—preserving the legal record. Using white-out, erasing, or discarding pages is considered chart tampering and can create legal liability.
Key Concepts — Part 5
1. A CMA is asked by a friend who works in the billing department about the diagnosis of a mutual acquaintance who was recently seen in the clinic. The billing employee has legitimate access to the patient's account for billing purposes. What should the CMA do?
Decline to discuss the patient because sharing would violate the minimum necessary standard
The HIPAA minimum necessary standard requires that PHI only be shared for a legitimate work purpose and only to the extent needed. Even though the billing employee may access records for billing, casual discussion about a mutual acquaintance is not a permitted use. Verbal promises of confidentiality and access rights do not authorize unnecessary disclosure.
2. A CMA steps away from the workstation to escort a patient to an exam room and leaves the EHR open on the screen. This action MOST directly violates which HIPAA Security Rule safeguard?
Technical safeguard regarding workstation security and automatic logoff
Automatic logoff and securing unattended workstations are technical safeguards under the HIPAA Security Rule designed to prevent unauthorized access to ePHI. Facility access controls address physical entry to buildings, while workforce training and business associate agreements are administrative safeguards unrelated to this specific action.
3. A 16-year-old presents to a family practice office requesting testing for a sexually transmitted infection without her parents' knowledge. Which of the following BEST describes the legal principle that typically allows the CMA and provider to proceed with care?
Minor consent laws that allow adolescents to consent to STI-related care in most states
Most states have minor consent laws that specifically allow adolescents to consent to sensitive services such as STI testing, contraception, and substance abuse treatment without parental involvement. Implied consent applies to routine, low-risk care; emancipation requires a specific legal status; and this scenario does not involve a life-threatening emergency.
4. A patient falls in the hallway after a CMA fails to clean up a spilled cup of water she had noticed 20 minutes earlier. The patient sustains a fractured wrist. Which element of negligence is MOST clearly demonstrated by the CMA's failure to clean the spill?
Breach of duty
Breach of duty occurs when a healthcare worker fails to act according to the standard of care, such as ignoring a known hazard. Duty is the pre-existing obligation to the patient, causation links the breach to the injury, and damages refer to the actual harm (the fractured wrist). The failure to act itself is the breach.
5. A provider asks a CMA to call in a new prescription for alprazolam (Xanax), a Schedule IV controlled substance, to the patient's pharmacy. Which action is appropriate?
The CMA may phone in the prescription with the provider's DEA number
Schedule III, IV, and V controlled substances may be called in or faxed to a pharmacy, and refills are permitted (up to 5 within 6 months). Schedule II medications have the strictest requirements, generally requiring a written or properly authorized electronic prescription and no refills. E-prescribing is allowed for all controlled substances when EPCS-compliant systems are used.
6. A CMA notices that an elderly patient has multiple unexplained bruises, appears fearful of her adult son who accompanies her, and has lost significant weight since her last visit. What is the CMA's MOST appropriate action?
Report the concerns to the provider and follow mandatory elder abuse reporting procedures
CMAs are mandated reporters and must report suspected elder abuse through proper channels, which begins with alerting the provider and following facility protocol for reporting to Adult Protective Services. Confronting the alleged abuser could endanger the patient, waiting could allow harm to continue, and questioning the patient in the presence of a suspected abuser is unsafe.
7. A competent, terminally ill patient refuses further chemotherapy despite the oncologist's recommendation to continue. Respecting this decision primarily reflects which ethical principle?
Autonomy
Autonomy is the ethical principle that recognizes a competent patient's right to make decisions about their own healthcare, including refusing treatment. Beneficence involves acting in the patient's best interest, non-maleficence means avoiding harm, and justice concerns fair distribution of healthcare resources.
8. A CMA posts a photo from the break room on social media that includes, in the background, a computer monitor displaying a patient's name and appointment schedule. This action:
Constitutes a HIPAA breach requiring notification and reporting
Any unauthorized disclosure of PHI, including inadvertent exposure through a social media background image, constitutes a HIPAA breach and must be reported per HITECH breach notification requirements. Intent, privacy settings, and later deletion do not undo the disclosure or exempt the employee from HIPAA obligations.
9. A CMA receives a subpoena requesting a patient's medical records for a legal case. What is the MOST appropriate initial action?
Notify the office manager or compliance officer and verify the subpoena before releasing any records
A subpoena must be verified for validity and reviewed by the practice's compliance officer or legal counsel before any PHI is released, and patient authorization or a court order may be required. Sending records immediately risks improper disclosure, giving records to the patient does not fulfill the subpoena, and ignoring it can result in legal penalties.
10. A patient presents an advance directive stating they do not want CPR or intubation if their heart stops. This document is BEST described as:
A DNR/DNI order
A DNR (Do Not Resuscitate) and DNI (Do Not Intubate) order specifically directs providers not to perform CPR or intubation. A DPOA designates a person to make healthcare decisions, a living will outlines general treatment preferences, and a POLST is a physician order that covers a broader range of end-of-life interventions but is not limited to organ donation.
Ready to test your knowledge?
Practice questions with instant feedback and explanations.
Take a CCMA Practice Test →