Module: 02e — HIPAA Security Rule: A Complete Operational Guide for Security Researchers and Healthcare Pen Testers
Difficulty: Advanced
Questions
Q1. HIPAA's Security Rule (45 C.F.R. Part 160 and Part 164, Subparts A and C) applies exclusively to which type of information, and how does it differ from the Privacy Rule's scope?
- A) The Security Rule applies to all protected health information (PHI) in any form; the Privacy Rule applies only to electronic records
- B) The Security Rule applies only to electronic protected health information (ePHI); the Privacy Rule governs PHI in all forms including paper and oral communications
- C) Both rules apply exclusively to ePHI; the Privacy Rule governs access rights and the Security Rule governs technical controls
- D) The Security Rule applies to PHI held by covered entities only; the Privacy Rule extends to business associates
Correct answer: B Explanation: The Security Rule applies exclusively to ePHI — PHI created, received, maintained, or transmitted in electronic form. The Privacy Rule governs PHI in any form (paper, oral, or electronic) and establishes patient rights and permissible uses. A paper patient chart is subject only to the Privacy Rule; a scanned image of that same chart stored on a server is ePHI subject to both.
Q2. The HITECH Act of 2009 extended direct Security Rule liability to business associates. Before HITECH, what was a business associate's enforcement posture under HIPAA?
- A) Business associates were fully regulated by HHS OCR under the original 1996 statute
- B) Business associates had contractual obligations to covered entities under BAAs but were not directly regulated by HHS; HHS could not directly enforce the Security Rule against them
- C) Business associates were exempt from HIPAA entirely and relied on state law only
- D) Business associates faced criminal liability under § 1320d-6 but not civil penalties
Correct answer: B Explanation: Prior to HITECH, business associates had contractual obligations to covered entities through Business Associate Agreements but were not directly regulated by HHS OCR. The HITECH Act of 2009 (Pub. L. 111-5) extended direct Security Rule liability to BAs, meaning HHS OCR can now directly enforce the Security Rule against a business associate — including a penetration testing firm — regardless of whether the covered entity suffered a breach.
Q3. A penetration tester's firm is engaged by a hospital for a network security assessment. The assessment will involve access to production systems that may contain real ePHI. Under HIPAA, what is the tester's firm's relationship to the hospital, and what document is legally required before the engagement begins?
- A) The firm is a contractor, not subject to HIPAA, and only needs a standard non-disclosure agreement
- B) The firm is a covered entity and must register with HHS before the engagement
- C) The firm is a business associate, and a signed Business Associate Agreement (BAA) is a Required implementation specification under 45 C.F.R. § 164.308(b)(3) before any access occurs
- D) The firm is a workforce member of the hospital and is covered by the hospital's own HIPAA compliance program
Correct answer: C Explanation: A security firm that performs functions on behalf of a covered entity that involve access to PHI — including testing to assess ePHI protection — is a business associate under 45 C.F.R. § 160.103. A BAA is a Required implementation specification (not addressable) under 45 C.F.R. § 164.308(b)(3). Without a signed BAA, the covered entity is automatically out of compliance before the test begins, and the tester lacks contractual authorization for ePHI access.
Q4. The Security Rule distinguishes between "Required" and "Addressable" implementation specifications. What does "Addressable" actually mean under 45 C.F.R. § 164.306(d)(3)?
- A) Addressable specifications are optional controls that organizations may implement at their discretion based on budget
- B) Addressable specifications must be implemented if reasonable and appropriate, or replaced with an equally effective alternative backed by documented analysis; they cannot simply be skipped
- C) Addressable specifications are recommended best practices that carry no civil penalty for non-implementation
- D) Addressable specifications apply only to large covered entities with more than 500 employees
Correct answer: B Explanation: "Addressable" is the most commonly misunderstood concept in the Security Rule. Under 45 C.F.R. § 164.306(d)(3), a covered entity or business associate must assess whether each addressable specification is a reasonable and appropriate safeguard in its own environment. If it is, the entity must implement it. If it is not, the entity must document why and implement an equivalent alternative measure where one is reasonable and appropriate; the one outcome the rule never permits is silently skipping the specification with no analysis on file. OCR has assessed civil monetary penalties against covered entities that treated addressable specifications as optional without conducting and documenting that analysis. For a tester, the practical check is to ask for the written risk analysis and the addressable-specification decisions (encryption of ePHI at rest under § 164.312(a)(2)(iv) is the classic example) and confirm that what is documented matches what is actually deployed.
Q5. Under HIPAA's Breach Notification Rule (45 C.F.R. Part 164, Subpart D), a covered entity must notify affected individuals after discovering a breach. What is the maximum timeframe, and when does the discovery clock start?
- A) 30 days from the date the breach is publicly reported; discovery occurs when news media publish the breach
- B) 60 calendar days from discovery; discovery occurs when any workforce member or agent of the covered entity knows of the breach, or would have known with reasonable diligence
- C) 90 days from the breach incident date, regardless of when it was discovered
- D) 72 hours from discovery for breaches over 500 individuals; 30 days for smaller breaches
Correct answer: B Explanation: Under 45 C.F.R. § 164.404(b), a covered entity must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. Under § 164.404(a)(2), a breach is treated as discovered on the first day it is known to the covered entity, or by exercising reasonable diligence would have been known, and knowledge is imputed from any workforce member or agent of the covered entity other than the person who committed the breach, a constructive-knowledge standard. A business associate has its own clock under § 164.410: it must notify the covered entity without unreasonable delay and no later than 60 calendar days after the BA discovers the breach. Whether a pen tester's discovery starts the covered entity's clock at that moment depends on whether the testing firm is acting as the covered entity's agent under the federal common law of agency; if it is, discovery is imputed to the covered entity immediately, and if it is an independent contractor, the covered entity's clock starts when the firm reports the finding. Either way, a tester who finds evidence of an existing breach should escalate it to the client at once rather than holding it for the final report.
Q6. For a breach affecting 500 or more individuals, the Breach Notification Rule triggers two additional notification obligations beyond individual notice. What are they?
- A) Notification to the FBI Cyber Division and publication on the covered entity's website for 30 days
- B) Contemporaneous notification to HHS (resulting in posting to the public "Wall of Shame") and, for 500+ residents of a single state or jurisdiction, notice to prominent media outlets in that state
- C) Notification to the state attorney general within 30 days and to CISA within 72 hours
- D) Notification to HHS within 90 days and to the FTC within 60 days
Correct answer: B Explanation: Under 45 C.F.R. §§ 164.406 and 164.408, breaches affecting 500+ individuals require: (1) contemporaneous notification to HHS (within the 60-day window), which results in public posting on HHS's breach database — the "Wall of Shame" at hhs.gov — identifying the entity by name, state, number affected, breach type, and location; and (2) for breaches affecting 500+ residents of a single state, notice to prominent media outlets serving that state within the same 60-day window.
Q7. HIPAA's civil monetary penalty framework, restructured by HITECH, is organized into four tiers based on culpability. Which tier carries the highest annual cap, and what culpability standard applies?
- A) Tier 1 (did not know); $25,000 annual cap
- B) Tier 2 (reasonable cause); $100,000 annual cap
- C) Tier 3 (willful neglect, corrected within 30 days); $250,000 annual cap
- D) Tier 4 (willful neglect, not corrected within 30 days); $1,900,000 (inflation-adjusted) annual cap for violations of an identical provision
Correct answer: D Explanation: Under 42 U.S.C. § 1320d-5 as amended by HITECH and implemented at 45 C.F.R. § 160.404, Tier 4 applies to willful neglect that is not corrected within 30 days of when the entity knew, or with reasonable diligence would have known, of the violation; it is the most culpable category. The statutory amounts are a floor of $50,000 per violation and a cap of $1,500,000 per calendar year for violations of an identical provision; both figures are adjusted annually for inflation, which put the Tier 4 annual cap at roughly $1.9 million after the 2022 adjustment and above $2 million after the 2024 adjustment. The lower caps in options A through C reflect OCR's 2019 Notice of Enforcement Discretion, which reduced the annual caps for Tiers 1 through 3 while leaving Tier 4 at the full statutory amount. OCR has found willful neglect where organizations knew about vulnerabilities and failed to act, which makes a documented but ignored security disclosure a direct path to Tier 4.
Q8. The Change Healthcare breach of February 2024 — the largest healthcare data breach in U.S. history — is cited in the module as illustrating a critical Security Rule failure. What was the root cause of attackers' initial access?
- A) An unpatched Log4j vulnerability in Change Healthcare's claims processing application
- B) A successful phishing attack that compromised a developer's source code repository
- C) Citrix remote access credentials with no multi-factor authentication enabled
- D) An insider threat from a terminated employee whose access was not revoked
Correct answer: C Explanation: The attackers (the ALPHV/BlackCat ransomware group) gained initial access to Change Healthcare, a UnitedHealth Group subsidiary that processes roughly one-third of U.S. healthcare transactions, using compromised credentials for a Citrix remote access portal that did not have multi-factor authentication enabled, as UnitedHealth's CEO confirmed in congressional testimony in May 2024. The attackers moved laterally, exfiltrated data, and then deployed ransomware; UnitedHealth's initial estimate of about 100 million affected individuals was later revised upward to roughly 190 million. The module uses this case to illustrate that MFA for remote access to ePHI has long been a baseline control under any reasonable risk analysis, and that its absence on an internet-facing portal is a finding a tester should report as a critical exposure rather than as a hardening recommendation.
Q9. Section 524B of the Federal Food, Drug, and Cosmetic Act (added by § 3305 of the Consolidated Appropriations Act, 2023, Pub. L. 117-328) imposes new premarket cybersecurity requirements on medical device manufacturers. Which of the following is a required submission element for "cyber devices" under § 524B, effective March 29, 2023?
- A) A copy of the device's source code deposited with the FDA for security review
- B) A software bill of materials (SBOM) listing all commercial, open-source, and off-the-shelf software components including version numbers
- C) A third-party penetration test report conducted within 12 months of the submission date
- D) A binding commitment to provide software updates for a minimum of 10 years post-market
Correct answer: B Explanation: Under § 524B of the FD&C Act, a premarket submission for a cyber device must include a software bill of materials covering the device's commercial, open-source, and off-the-shelf software components; FDA's premarket cybersecurity guidance specifies the baseline SBOM elements, including component name, version, and supplier, which is what makes the SBOM usable for matching components against known vulnerabilities. The section also requires a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure, and processes that provide reasonable assurance that the device and related systems are cybersecure, including making postmarket updates and patches available on a reasonably justified regular cycle and, for critical vulnerabilities, out of cycle as soon as possible. None of the other options is a statutory requirement: FDA does not take source-code deposits, § 524B does not mandate a third-party penetration test, and it sets no fixed support period.
Q10. California's Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code § 56 et seq.) creates an important enforcement difference compared to HIPAA. Which answer correctly identifies this difference and its practical consequence for pen testers working on California healthcare engagements?
- A) The CMIA has no civil penalty provision and relies entirely on criminal enforcement by the California AG
- B) The CMIA provides a private right of action (Cal. Civ. Code §§ 56.35 and 56.36(b)): a patient can sue for nominal damages of $1,000 per negligent release without proving actual harm, plus actual damages, and, where economic loss or personal injury resulted, compensatory damages, capped punitive damages, and attorneys' fees; HIPAA, by contrast, has no private right of action
- C) The CMIA preempts HIPAA for California-based covered entities, so only the CMIA applies
- D) The CMIA applies only to paper records; ePHI is governed exclusively by HIPAA in California
Correct answer: B Explanation: HIPAA has no private right of action; it is enforced by HHS OCR and, since HITECH, by state attorneys general under 42 U.S.C. § 1320d-5(d). California's CMIA does create one. Under Cal. Civ. Code § 56.36(b), any individual may sue a person or entity that negligently released their confidential medical information for nominal damages of $1,000, without having to show actual damages, plus any actual damages sustained. Under § 56.35, a patient whose information was used or disclosed in violation of the statute and who suffered economic loss or personal injury may also recover compensatory damages, punitive damages of up to $3,000, attorneys' fees of up to $1,000, and litigation costs. For pen testers, a breach affecting California patients therefore creates class action exposure from day one, before OCR opens an investigation, and the $1,000 statutory figure multiplied across a large patient population is what drives settlement values. The CMIA also covers a broader set of entities than HIPAA, including certain businesses that maintain medical information for consumer health applications and personal health records and are neither covered entities nor business associates.