Free Access to IAPP.CIPP-US.v2024-06-24.q124 with Valid Practice Test (Page 10)

Question 41

Which of the following would NOT constitute an exception to the authorization requirement under the HIPAA Privacy Rule?

A.Disclosing health information for public health activities.
B.Disclosing health information to file a child abuse report.
C.Disclosing health information needed to treat a medical emergency.
D.Disclosing health information needed to pay a third party billing administrator.

Question 42

SCENARIO
Please use the following to answer the next QUESTION
Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in Californi a. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask Question:s about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.
Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.
Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.
In any case, Celeste feels that all they need is common sense - like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.
Which law will be most relevant to Felicia's plan to ask applicants about drug addiction?

A.The Occupational Safety and Health Act (OSHA).
B.The Health Insurance Portability and Accountability Act (HIPAA).
C.The Americans with Disabilities Act (ADA).
D.The Genetic Information Nondiscrimination Act of 2008.

Question 43

SCENARIO
Please use the following to answer the next QUESTION
Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop. "Doing your homework?" Matt asked hopefully.
"No," the boy said. "I'm filling out a survey."
Matt looked over his son's shoulder at his computer screen. "What kind of survey?" "It's asking Question:s about my opinions."
"Let me see," Matt said, and began reading the list of Question:s that his son had already answered. "It's asking your opinions about the government and citizenship. That's a little odd. You're only ten." Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.
To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer Question:s about his favorite games and toys.
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
Depending on where Matt lives, the marketer could be prosecuted for violating which of the following?

A.Consumer Bill of Rights.
B.Investigative Consumer Reporting Agencies Act.
C.Unfair and Deceptive Acts and Practices laws.
D.Red Flag Rules.

Question 44

A covered entity suffers a ransomware attack that affects the personal health information (PHI) of more than
500 individuals. According to Federal law under HIPAA, which of the following would the covered entity NOT have to report the breach to?

A.Department of Health and Human Services
B.The affected individuals
C.The local media
D.Medical providers

Correct Answer: D

According to the Health Insurance Portability and Accountability Act (HIPAA), a covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA. A covered entity must report a breach of unsecured protected health information (PHI) to the following parties:
* The Department of Health and Human Services (HHS), which is the federal agency responsible for enforcing HIPAA and issuing regulations and guidance on privacy and security issues. A covered entity must notify HHS of a breach affecting 500 or more individuals without unreasonable delay and in no
* case later than 60 days after discovery of the breach. A covered entity must also notify HHS of breaches affecting fewer than 500 individuals within 60 days of the end of the calendar year in which the breaches occurred.
* The affected individuals, who are the individuals whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. A covered entity must notify the affected individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must be in writing by first-class mail or, if the individual agrees, by electronic mail. The notification must include a brief description of the breach, the types of information involved, the steps the individual should take to protect themselves, the steps the covered entity is taking to investigate and mitigate the breach, and the contact information of the covered entity.
* The local media, if the breach affects more than 500 residents of a state or jurisdiction. A covered entity must notify prominent media outlets serving the state or jurisdiction without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must include the same information as the notification to the affected individuals.
A covered entity does not have to report the breach to medical providers, unless they are also affected individuals or business associates of the covered entity. A business associate is a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. A covered entity must have a writtencontract or agreement with its business associates that requires them to protect the privacy and security of PHI and report any breaches to the covered entity.
References:
* IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section C: Sector-specific Requirements for Health Information
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.3: Sector-specific Requirements for Health Information
* Practice Exam - International Association of Privacy Professionals

Question 45

Which of the following statements is most accurate in regard to data breach notifications under federal and state laws:

A.You must notify the Federal Trade Commission (FTC) in addition to affected individuals if over 500 individuals are receiving notice.
B.When providing an individual with required notice of a data breach, you must identify what personal information was actually or likely compromised.
C.When you are required to provide an individual with notice of a data breach under any state's law, you must provide the individual with an offer for free credit monitoring.
D.The only obligations to provide data breach notification are under state law because currently there is no federal law or regulation requiring notice for the breach of personal information.

Correct Answer: D

Data breach notification laws in the United States vary by state and territory, and there is no comprehensive federal law that applies to all types of personal information. Some federal laws, such as HIPAA, GLBA, and the FDIC rule, impose data breach notification requirements for specific industries or sectors, but they do not cover all types of personal information or all entities that collect, store, or process such information. Therefore, the only obligations to provide data breach notification for the breach of personal information are under state law, unless a specific federal law applies to the entity or the information involved. The other statements are incorrect because:
* A. You do not have to notify the FTC in addition to affected individuals if over 500 individuals are receiving notice, unless you are a health care entity subject to HIPAA, in which case you have to notify the Department of Health and Human Services (HHS) within 60 days of the breach.
* B. When providing an individual with required notice of a data breach, you do not have to identify what personal information was actually or likely compromised, unless the state law requires you to do so.
Some states, such as California, require the notice to include the types of personal information that were or are reasonably believed to have been the subject of the breach, while others, such as Alabama, do not specify the content of the notice.
* C. When you are required to provide an individual with notice of a data breach under any state's law, you do not have to provide the individual with an offer for free credit monitoring, unless the state law requires you to do so. Some states, such as Connecticut, require the offer of appropriate identity theft prevention and mitigation services for at least 12 months, while others, such as Arizona, do not impose such a requirement. References: Data Breach Notification in the United States and Territories, Data Breach Notification Laws in the United States: What is Required and How is that Determined?, US State Data Breach Notification Law Matrix, Breach Notification in United States, Data Breach Notification Laws: How to Manufacture a Confident Response

Question 41

Question 42

Question 43

Question 44

Question 45

Download PDF File