Certified Information Privacy Professional – United States (CIPP/US) — Question 61
A covered entity suffers a ransomware attack that affects the personal health information (PHI) of more than 500 individuals. Under federal law (HIPAA), to which of the following would the covered entity NOT have to report the breach?
Answer options
- A. Department of Health and Human Services
- B. The affected individuals
- C. The local media
- D. Medical providers
Correct answer: D
Explanation
Under HIPAA, the covered entity must report breaches to the Department of Health and Human Services, notify the affected individuals, and in certain cases, inform the local media. However, there is no requirement to notify medical providers about the breach, making option D the correct answer.