A company is subject to HIPAA. An employee loses a company laptop containing unencrypted ePHI (electronic Protected Health Information) of 600 patients. Under the HIPAA Breach Notification Rule, which of the following actions is REQUIRED?

Answer options:

Notify only the affected individuals.

Notify the affected individuals and the Secretary of HHS only.

Notify the affected individuals, the Secretary of HHS, and the media.

No notification is required if the laptop had a password.

How to approach this question

HIPAA 500 rule: > 500 records = Individuals + HHS + Media.

Full Answer

C.Notify the affected individuals, the Secretary of HHS, and the media.✓ Correct

The HIPAA Breach Notification Rule requires that if a breach affects more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets serving that state or jurisdiction.

Common mistakes

Forgetting the media requirement for breaches > 500.

Question 23 All questions Question 25

Practice the full CPA ISC Practice Exam 4

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud environ...Hard Q02An auditor is reviewing the Service Level Agreement (SLA) for a client using a public cloud provi...Hard Q03A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor disco...Hard Q04An organization is implementing the COSO Enterprise Risk Management (ERM) framework to govern its...Hard Q05During a walkthrough of an order-to-cash process, the auditor observes that the sales manager can...Hard

View all 82 questions →