Health Insurance Portability and Accountability Act (HIPPA) Practice Exam

If a breach occurs in medical information systems, what must a covered entity do?

• A. Notify only the patients involved
• B. Create a written report and notify all parties involved
• C. Take no action if the breach is minor
• D. Restructure their security system immediately

The correct answer is: Create a written report and notify all parties involved

The requirement for a covered entity in the event of a breach in medical information systems is to create a written report and notify all parties involved. This is in line with the guidelines established under the Health Insurance Portability and Accountability Act (HIPAA) and its Breach Notification Rule. When a breach occurs, the covered entity has an obligation to assess the situation, determine the nature and extent of the breach, and document its findings. Creating a written report serves several critical purposes: it provides a clear record of the incident for compliance and regulatory purposes, helps with internal analysis to prevent future breaches, and ensures that the entity has taken the necessary steps to address the breach appropriately. Additionally, notifying affected parties—including patients, the Department of Health and Human Services (HHS) if the breach affects a certain number of individuals, and in some cases, the media—is essential to ensure transparency and allow those affected to take proactive measures to protect their personal information. In contrast, simply notifying only the patients involved would ignore the broader obligations for transparency and accountability. Taking no action if the breach is minor undermines the importance of addressing even minor breaches, as they can escalate and have more significant implications. Lastly, while restructuring the security system is a prudent step to mitigate future