Free Access to IAPP.CIPP-US.v2024-04-26.q101 with Valid Practice Test (Page 18)

Question 81

Which of the following laws is NOT involved in the regulation of employee background checks?

A.The Civil Rights Act.
B.The Gramm-Leach-Bliley Act (GLBA).
C.The U.S. Fair Credit Reporting Act (FCRA).
D.The California Investigative Consumer Reporting Agencies Act (ICRAA).

Question 82

SCENARIO
Please use the following to answer the next QUESTION :
Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.
Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.
On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.
He was also curious about the hospital's use of a billing company. He questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.
On his first day Declan became familiar with all areas of the hospital's large radiology department. As he was organizing equipment left in the halfway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.
Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.
Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.
In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.
Although Declan's day ended with many QUESTIONS, he was pleased about his new position.
What is the most likely way that Declan might directly violate the Health Insurance Portability and Accountability Act (HIPAA)?

A.By being present when patients are checking in
B.By speaking to a patient without prior authorization
C.By ignoring the conversation about a potential breach
D.By following through with his plans for his upcoming paper

Question 83

California's SB 1386 was the first law of its type in the United States to do what?

A.Require commercial entities to disclose a security data breach concerning personal information about the state's residents
B.Require notification of non-California residents of a breach that occurred in California
C.Require encryption of sensitive information stored on servers that are Internet connected
D.Require state attorney general enforcement of federal regulations against unfair and deceptive trade practices

Correct Answer: A

California's SB 1386, also known as the California Security Breach Information Act, was enacted in 2002 and became effective in 2003. It was the first law of its kind in the United States to require commercial entities that own or license personal information of California residents to notify them in the event of a security breach that compromises their unencrypted data. The law aims to protect the privacy and security of personal information and to enable individuals to take preventive measures against identity theft and fraud. The law applies to any business or person that conducts business in California and that owns or licenses computerized data that includes personal information, as defined by the law. Personal information includes an individual's first name or first initial and last name in combination with any one or more of the following data elements: Social Security number, driver's license number or California identification card number, account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or medical information or health insurance information. The law does not apply to encrypted information, publicly available information, or information that is lawfully obtained from federal, state, or local government records. The law requires the disclosure of a breach of the security of the system to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The disclosure may be made by written notice, electronic notice, or substitute notice, as specified by the law. The law also requires any person or business that maintains computerized data that includes personal information that the person or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The law also authorizes a civil action for damages by a customer injured by a violation of the law and provides that the rights and remedies available under the law are cumulative to each other and to any other rights and remedies available under law. References:
* California Senate Bill 1386 (2002)
* California SB 1386: For the Love of Privacy
* What Is the California Security Breach Information Act?
* California Raises the Bar on Data Security and Privacy

Question 84

Which entity within the Department of Health and Human Services (HHS) is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA) "Privacy Rule"?

A.Office for Civil Rights.
B.Office of Social Services.
C.Office of Inspector General.
D.Office of Public Health and Safety.

Question 85

An organization self-certified under Privacy Shield must, upon request by an individual, do what?

A.Suspend the use of all personal information collected by the organization to fulfill its original purpose.
B.Provide the identities of third and fourth parties that may potentially receive personal information.
C.Identify all personal information disclosed during a criminal investigation.
D.Provide the identities of third parties with whom the organization shares personal information.

Question 81

Question 82

Question 83

Question 84

Question 85

Download PDF File