CompTIA CAS-003 Question #12: Real Exam Question with Answer & Explanation
The correct answer is A: When it is mandated by their legal and regulatory requirements. A hospital is a HIPAA covered entity, and the HIPAA Breach Notification Rule sets the timeline for notifying affected patients; brand reputation and public relations are not permitted grounds for delaying that notification.
Question
A hospital's security team recently determined its network was breached and patient data was accessed by an external entity. The Chief Information Security Officer (CISO) of the hospital approaches the executive management team with this information, reports the vulnerability that led to the breach has already been remediated, and explains the team is continuing to follow the appropriate incident response plan. The executive team is concerned about the hospital's brand reputation and asks the CISO when the incident should be disclosed to the affected patients. Which of the following is the MOST appropriate response?
Options
- A. When it is mandated by their legal and regulatory requirements
- B. As soon as possible in the interest of the patients
- C. As soon as the public relations department is ready to be interviewed
- D. When all steps related to the incident response plan are completed
- E. Upon the approval of the Chief Executive Officer (CEO) to release information to the public
Explanation
For a hospital, notification of affected patients after a breach of protected health information is governed by the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414). A covered entity must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after the breach is discovered, must notify the Secretary of HHS, and, for a breach affecting more than 500 residents of a state or jurisdiction, must also notify prominent media outlets. The only recognized basis for delaying notification is a documented request from law enforcement (45 CFR § 164.412); concerns about brand reputation or PR readiness do not extend the deadline. State breach notification laws may impose shorter timelines, which is why the answer refers to legal and regulatory requirements generally rather than to HIPAA alone. The executive team's question about reputation is therefore answered by the legal clock, not by business preference.
Common mistakes.
- B. Notifying patients quickly is ethically desirable, and the legal standard already requires prompt notification ("without unreasonable delay"), but "as soon as possible" is not the governing standard. Notification content must be accurate about what happened and what data was involved, so some time to confirm scope and contain the breach is expected; the legal timeline, not a vague urgency, defines the obligation.
- C. PR department readiness is irrelevant to the legal obligation to notify patients and, if treated as a gate, would improperly delay a mandatory disclosure.
- D. Incident response plans can run for weeks after the breach is discovered (eradication, recovery, lessons learned). The notification clock starts at discovery, so waiting for every step to complete could cause the organization to miss the mandated deadline.
- E. CEO approval is an internal governance step. It may be part of how the hospital executes the notification, but it does not define or override the externally imposed legal timeline.
Concept tested. HIPAA breach notification requirements for healthcare organizations
Reference. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html