Certified Information Privacy Professional – United States (CIPP/US) — Question 30

Which of the following types of information would an organization generally NOT be required to disclose to law enforcement?

Answer options

• A. Information about medication errors under the Food, Drug and Cosmetic Act
• B. Money laundering information under the Bank Secrecy Act of 1970
• C. Information about workplace injuries under OSHA requirements
• D. Personal health information under the HIPAA Privacy Rule

Correct answer: D

Explanation

The correct answer is D because the HIPAA Privacy Rule protects personal health information, limiting disclosures without patient consent. In contrast, the other options involve legal requirements that mandate reporting to law enforcement, such as medication errors, money laundering, and workplace injuries.