Certified Information Privacy Professional – United States (CIPP/US) — Question 188
Under HIPAA and the HITECH Act, business associates who receive Protected Health Information (PHI) from covered entities must execute Business Associate Agreements and also do which of the following?
Answer options
- A. Ensure there is a written agreement with the Department of Health and Human Services.
- B. Provide a SOC 2 audit to support the warranties in the agreements.
- C. Reaffirm the terms of the agreements on an annual basis.
- D. Have any subcontractors enter into agreements.
Correct answer: D
Explanation
The correct answer is D because business associates are required to ensure that any subcontractors who handle PHI also enter into Business Associate Agreements to maintain compliance. Options A, B, and C are incorrect as they do not represent mandatory requirements under HIPAA and the HITECH Act for business associates regarding PHI.