Certified Information Privacy Professional – United States (CIPP/US) — Question 39

Which of the following would NOT constitute an exception to the authorization requirement under the HIPAA Privacy Rule?

Answer options

• A. Disclosing health information for public health activities.
• B. Disclosing health information to file a child abuse report.
• C. Disclosing health information needed to treat a medical emergency.
• D. Disclosing health information needed to pay a third party billing administrator.

Correct answer: D

Explanation

The correct answer is D because disclosing health information for payment purposes requires patient authorization under the HIPAA Privacy Rule. In contrast, options A, B, and C are exceptions where information can be shared without authorization for public health activities, child abuse reporting, and emergency treatment, respectively.