
CIPP-US Exam - Question 106


Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach where a third-party hacker was able to gain access to the SMH internal network. Because it is a HIPAA-covered entity, SMH made a notification to the Office for Civil Rights at the U.S. Department of Health and Human Services about the breach.

Which statement accurately describes SMH’s notification responsibilities?

Correct Answer: AC

If Smith Memorial Healthcare (SMH) is compliant with HIPAA, it typically would not have to make a separate notification to individuals in the state of New York. HIPAA-covered entities often have exceptions under state statutes that exempt them from separate state-level notifications if they are already compliant with federal HIPAA regulations.

Discussion

3 comments
smp175 (Option: A)
Jul 6, 2023

Most state statutes have carve-outs for entities subject to federal privacy laws. NY is no exception. A is the correct answer. https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-york.html

Romeokton (Option: A)
Feb 2, 2024

Exception: Compliance with Other Laws. If notice of the breach of the security of the system is made pursuant to any of the following laws, nothing in this statute shall require separate notice to affected individuals, but notice must still be provided to the regulators noted above and the consumer reporting agencies: HIPAA

Bhimesh (Option: A)
Apr 12, 2024

Notice of Breach: A breach applies only to “unsecured” information, and a covered entity can avoid liability if it utilizes encryption software to secure information (HIPAA Compliant). In the event of unauthorized acquisition, access, use or disclosure of information, a breach is presumed to have occurred, “unless the covered entity demonstrates through a risk assessment that there is a low probability that the security or privacy of the information has been compromised” (HIPAA Compliant). If there is a high probability that the security or privacy of the information (financial, reputational or other) has been compromised, a covered entity must notify individuals within 60 days of discovery. If the breach affects more than 500 people, the covered entity must notify HHS immediately, and if the breach affects 500 or more in the “same jurisdiction”, it must notify the media. All breaches requiring notice must be reported to HHS at least annually.

Bhimesh
Apr 12, 2024

The HIPAA Security Rule: The HIPAA Security Rule was finalized in February 2003 and modified in January 2013. It establishes minimum security requirements for PHI that a covered entity receives, creates, maintains or transmits in electronic form. The Security Rule is designed to require covered entities to implement “reasonable” security measures in a technology-neutral manner. The goal is for all covered entities to implement “policies and procedures to prevent, detect, contain, and correct security violations.”