Hard · 1 mark · Multiple Choice
CPA · Question 25 · Area II: Security
A company is subject to HIPAA. An employee loses a company laptop containing unencrypted ePHI (electronic Protected Health Information). Under the HIPAA Breach Notification Rule, what is the immediate requirement if the breach affects more than 500 individuals?
Answer options:
A. Notify the individuals within 60 days; notify HHS annually.
B. Notify the individuals, the Secretary of HHS, and prominent media outlets without unreasonable delay (no later than 60 days).
C. Notify the individuals only.
D. Pay a fine immediately.
How to approach this question
Recall the '500 rule' for HIPAA notifications.
Full Answer
B. Notify the individuals, the Secretary of HHS, and prominent media outlets without unreasonable delay (no later than 60 days). ✓ Correct
For breaches affecting 500 or more individuals, HIPAA requires notification to the affected individuals, the Secretary of HHS, and prominent media outlets in the state or jurisdiction. This must happen without unreasonable delay and no later than 60 days after discovery.
Common mistakes
Thinking HHS notification can wait until the end of the year (only true for <500).