CIPP-US Exam QuestionsBrowse all questions from this exam
Go to Exam

CIPP-US Exam - Question 153

SCENARIO -

Please use the following to answer the next question:

Miraculous Healthcare is a large medical practice with multiple locations in California and Nevada. Miraculous normally treats patients in person, but has recently decided to start offering telehealth appointments, where patients can have virtual appointments with on-site doctors via a phone app.

For this new initiative, Miraculous is considering a product built by MedApps, a company that makes quality telehealth apps for healthcare practices and licenses them to be used with the practices’ branding. MedApps provides technical support for the app, which it hosts in the cloud. MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the service.

Riya is the Privacy Officer at Miraculous, responsible for the practice's compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place. She occasionally assists procurement in vetting vendors and inquiring about their own compliance practices, as well as negotiating the terms of vendor agreements. Riya is currently reviewing the suitability of the MedApps app from a privacy perspective.

Riya has also been asked by the Miraculous Healthcare business operations team to review the MedApps’ optional benchmarking service. Of particular concern is the requirement that Miraculous Healthcare upload information about the appointments to a portal hosted by MedApps.

What HIPAA compliance issue would Miraculous have to consider before using the telehealth app?

Show Answer
Correct Answer: CD

HIPAA requires covered entities to enter into a Business Associate Agreement (BAA) with any vendor or third party that will have access to Protected Health Information (PHI). Since MedApps will be hosting the telehealth app and handling patient appointment data, they are considered a business associate. Therefore, Miraculous must ensure that a BAA is in place to establish the vendor's compliance with HIPAA's security, privacy, and breach notification rules. Without a BAA, the use of MedApps could result in non-compliance with HIPAA regulations.

Discussion

5 comments
Sign in to comment
[Removed]Option: C
May 15, 2023

I believe it's C. Covered entities are required to enter into a BAA before taking a business associate on as a vendor.

[Removed]Option: D
May 10, 2023

Can someone confirm the answer is D?

AmbulocetusOption: D
Aug 20, 2023

Both C and D are correct, but D is the better answer because of the sharing of ePHI with the optional benchmarking app (which is not a covered transaction).

RomeoktonOption: C
Feb 5, 2024

The key is to reach a conclusion if the app vendor is a business associate or not. However, as in many other occasions the questions are not developed in the best possible way and leave room for interpretation (frankly, I am curious if this is intentional or not). I tend to believe that in this case the developer is a business associate, so not a third party which makes D wrong.

BhimeshOption: C
Apr 13, 2024

Vendor Management Organizations will need to select the agreement type(s) most appropriate for their specific circumstances. These agreements take on particular importance when the vendor will be involved in the handling of sensitive information on behalf of the organization. Organizations operating under some regulatory frameworks may need to follow the vendor management practices required by those standards. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires the creation of a “business associate agreement (BAA)” that obligates the vendor to comply with HIPAA's security, privacy, and breach notification rules.