A covered entity under HIPAA uses a cloud service to store Patient Health Information (PHI). The cloud provider experiences a data breach where unencrypted PHI is exposed. Under the HIPAA Breach Notification Rule, which of the following actions is REQUIRED?

Answer options:

The cloud provider must notify the patients directly within 60 days.

The covered entity must notify affected individuals without unreasonable delay, and no later than 60 days following discovery.

Notification is only required if the breach involves more than 500 individuals.

The covered entity must pay a fine before notifying individuals.

How to approach this question

Recall HIPAA Breach Notification timelines (60 days) and responsibilities (Covered Entity vs Business Associate).

Full Answer

B.The covered entity must notify affected individuals without unreasonable delay, and no later than 60 days following discovery.✓ Correct

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals of a breach of unsecured PHI without unreasonable delay and in no case later than 60 days following discovery.

Common mistakes

Thinking the 500-person limit applies to individual notification (it applies to media notice).

Question 15 All questions Question 17

Practice the full CPA ISC Practice Exam

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is performing a risk assessment for a client that uses a public cloud provider for its core...Hard Q02During a walkthrough of a client's change management process, the auditor notes that developers h...Hard Q03A service organization provides a real-time transaction processing platform. The service level ag...Hard Q04An auditor is reviewing a SQL query used by the finance team to generate a report of all sales tr...Hard Q05A healthcare clearinghouse is preparing for a SOC 2® engagement. They utilize a private cloud dep...Hard

View all 82 questions →