Health Insurance Portability and Accountability Act (HIPPA) Practice Exam

What should covered entities do if there’s been a breach of medical information?

• A. Ignore it if it's minor
• B. Inform authorities and affected parties
• C. Change all passwords
• D. Limit access to affected areas

The correct answer is: Inform authorities and affected parties

When a breach of medical information occurs, covered entities are required to inform authorities and affected parties. This requirement stems from the Health Insurance Portability and Accountability Act (HIPAA), which mandates that when a breach of unsecured protected health information (PHI) is identified, the entity must notify affected individuals and, in some cases, report the breach to the Department of Health and Human Services (HHS) and potentially other relevant enforcement authorities. The rationale behind this requirement includes protecting the rights of individuals to be informed about breaches that may affect their personal health information, allowing them to take necessary precautions to mitigate any potential harm. Additionally, notifying authorities helps ensure that proper investigations and responses can be undertaken to address the breach and prevent future occurrences. The other choices do not fulfill the legal obligations set by HIPAA. Ignoring a breach, even if perceived as minor, undermines the importance of accountability and transparency in handling medical information. Changing passwords is a good security practice but does not address the need for breach notification. Limiting access to affected areas can be a part of a response strategy, but it also does not substitute the need for notifying affected individuals and authorities.