ExpertHard1 markMultiple Choice
CPA · Question 24 · Area II: Security
A company is subject to HIPAA. An employee loses a company laptop containing unencrypted ePHI (electronic Protected Health Information) of 600 patients. Under the HIPAA Breach Notification Rule, which of the following actions is REQUIRED?
A company is subject to HIPAA. An employee loses a company laptop containing unencrypted ePHI (electronic Protected Health Information) of 600 patients. Under the HIPAA Breach Notification Rule, which of the following actions is REQUIRED?
Answer options:
A.
Notify only the affected individuals.
B.
Notify the affected individuals and the Secretary of HHS only.
C.
Notify the affected individuals, the Secretary of HHS, and the media.
D.
No notification is required if the laptop had a password.
How to approach this question
HIPAA 500 rule: > 500 records = Individuals + HHS + Media.
Full Answer
C.Notify the affected individuals, the Secretary of HHS, and the media.✓ Correct
Notify the affected individuals, the Secretary of HHS, and the media.
The HIPAA Breach Notification Rule requires that if a breach affects more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets serving that state or jurisdiction.
Common mistakes
Forgetting the media requirement for breaches > 500.
Practice the full CPA ISC Practice Exam 4
82 questions · hints · full answers · grading
More questions from this exam
Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud environ...HardQ02An auditor is reviewing the Service Level Agreement (SLA) for a client using a public cloud provi...HardQ03A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor disco...HardQ04An organization is implementing the COSO Enterprise Risk Management (ERM) framework to govern its...HardQ05During a walkthrough of an order-to-cash process, the auditor observes that the sales manager can...Hard