Question 109 - CIPP-US discussion
Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach where a third-party hacker was able to gain access to the SMH internal network.

Because it is a HIPAA-covered entity, SMH made a notification to the Office of Civil Rights at the U.S. Department of Health and Human Services about the breach.

Which statement accurately describes SMH's notification responsibilities?

A. If SMH is compliant with HIPAA, it will not have to make a separate notification to individuals in the state of New York.

B. If SMH has more than 500 patients in the state of New York, it will need to make separate notifications to these patients.

C. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.

D. If SMH makes credit monitoring available to individuals who inquire, it will not have to make a separate notification to individuals in the state of New York.

Suggested answer: C

Explanation:

The correct answer is C. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York. Under the Health Insurance Portability and Accountability Act (HIPAA), SMH is required to notify the Office of Civil Rights (OCR) and the affected individuals of a data breach involving unsecured protected health information (PHI) within 60 days of discovery [1]. However, HIPAA does not preempt state laws that provide greater protection to individuals or impose additional obligations on covered entities [2]. Therefore, SMH must also comply with the state breach notification laws of the states where it operates, including New York.

According to the New York State Information Security Breach and Notification Act, any person or business that owns or licenses computerized data that includes private information of a resident of New York must disclose any breach of the security of the system to such resident in the most expedient time possible and without unreasonable delay, unless the exposure of the private information was inadvertent and unlikely to result in misuse or financial harm [3]. Private information includes personal information (such as name, number, or other identifier) plus one or more of the following data elements: social security number; driver's license number or non-driver identification card number; account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual's financial account; biometric information; or a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account [3].

Therefore, if SMH's data breach involved any of these data elements of New York residents, SMH must notify them of the breach, regardless of whether SMH is compliant with HIPAA, has more than 500 patients in New York, or offers credit monitoring services. SMH must also notify the New York Attorney General, the Department of State, and the Division of State Police within 10 days of notifying the affected individuals [3]. Additionally, SMH must notify the New York Department of Health if the breach involved electronic health records [4].

https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_note_dbn_e.pdf

asked 22/11/2024
Solomon Nidish