Certified Information Privacy Professional – United States (CIPP/US) — Question 177

SCENARIO -
Please use the following to answer the next question:
Miraculous Healthcare is a large medical practice with multiple locations in California and Nevada. Miraculous normally treats patients in person, but has recently decided to start offering telehealth appointments, where patients can have virtual appointments with on-site doctors via a phone app.
For this new initiative, Miraculous is considering a product built by MedApps, a company that makes quality telehealth apps for healthcare practices and licenses them to be used with the practices’ branding. MedApps provides technical support for the app, which it hosts in the cloud. MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the service.
Riya is the Privacy Officer at Miraculous, responsible for the practice's compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place. She occasionally assists procurement in vetting vendors and inquiring about their own compliance practices, as well as negotiating the terms of vendor agreements. Riya is currently reviewing the suitability of the MedApps app from a privacy perspective.
Riya has also been asked by the Miraculous Healthcare business operations team to review the MedApps’ optional benchmarking service. Of particular concern is the requirement that Miraculous Healthcare upload information about the appointments to a portal hosted by MedApps.
If MedApps receives an access request under CCPA from a California-based app user, how should it handle the request?

Answer options

• A. MedApps should decline the request because Protected Health Information is not subject to CCPA.
• B. MedApps should promptly verify the user's identity and provide the requested information.
• C. MedApps should promptly forward the request to Miraculous for instructions on handling.
• D. MedApps should decline the request because MedApps is not based in California.

Correct answer: C

Explanation

The correct answer is C because MedApps is acting on behalf of Miraculous Healthcare, and the request should be directed to them for appropriate handling. Option A is incorrect as CCPA can apply to certain health information under specific circumstances, and option B assumes MedApps can respond independently, which it cannot. Option D is also incorrect since a company's location does not exempt it from compliance with CCPA for California residents.