Certified Information Privacy Professional – United States (CIPP/US) — Question 74
Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach in which a third-party hacker was able to gain access to the SMH internal network. Because it is a HIPAA-covered entity, SMH notified the Office for Civil Rights at the U.S. Department of Health and Human Services about the breach.
Which statement accurately describes SMH’s notification responsibilities?
Answer options
- A. If SMH is compliant with HIPAA, it will not have to make a separate notification to individuals in the state of New York.
- B. If SMH has more than 500 patients in the state of New York, it will need to make separate notifications to these patients.
- C. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.
- D. If SMH makes credit monitoring available to individuals who inquire, it will not have to make a separate notification to individuals in the state of New York.
Correct answer: A
Explanation
Answer A is correct. New York's breach notification statute (General Business Law § 899-aa, as amended by the SHIELD Act) deems a HIPAA-covered entity that notifies affected individuals under the HIPAA Breach Notification Rule to be in compliance with the state's individual-notification requirement, so SMH does not have to send New York residents a second, state-law notice. New York still requires the covered entity to inform the Attorney General, the Department of State and the Division of State Police, and to send the Attorney General a copy of the HHS notification within five business days, but that is a regulator notice, not a separate notice to individuals. Option B is incorrect because the 500-individual threshold in the HIPAA Breach Notification Rule governs when HHS must be notified without unreasonable delay and when prominent media outlets in the affected state must be notified; notice to the affected individuals is required regardless of how many people are involved, and the threshold does not create a separate state-law duty. Option C is incorrect because state breach notification laws are triggered by the residence of the affected individuals, not by where the entity operates or where the breach occurred, so a duty to notify in one state does not by itself create a duty to notify individuals in New York. Option D is incorrect because offering credit monitoring is not a substitute for notice; New York's statute contains no exemption for entities that make credit monitoring available.