KT-CG HIPAA

Business associate agreement missing for cloud backup vendor storing ePHI. Risk?

Multiple choice — select one answer

Answer choices

  1. a. Required only for fax, without security or identity team coordination per policy.
  2. b. BAAs optional for encryption, without security or identity team coordination per policy.
  3. c. Only applies to EU GDPR, without security or identity team coordination per policy.
  4. d. Regulatory liability and unclear breach notification duties

Architectural breakdown & explanation

BAAs define HIPAA obligations for vendors handling ePHI.

Correct answer(s): d. Regulatory liability and unclear breach notification duties

Exam domain: HIPAA (20% weight on the official guide).

Official documentation & study links

Practice this certification

This page is one question from the KeyTrain's Key Training — Compliance & Governance bank. Run a full timed practice exam with domain-weighted random questions in your browser.