Free Access to IAPP.CIPP-US.v2024-06-24.q124 with Valid Practice Test (Page 15)

Question 66

What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?

A.A consent decree
B.Stare decisis decree
C.A judgment rider
D.Common law judgment

Question 67

A student has left high school and is attending a public postsecondary institution. Under what condition may a school legally disclose educational records to the parents of the student without consent?

A.If the student has not yet turned 18 years of age
B.If the student is in danger of academic suspension
C.If the student is still a dependent for tax purposes
D.If the student has applied to transfer to another institution

Question 68

SCENARIO
Please use the following to answer the next QUESTION:
Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.
Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.
On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.
He was also curious about the hospital's use of a billing company. He Questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.
On his first day Declan became familiar with all areas of the hospital's large radiology department. As he was organizing equipment left in the halfway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.
Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.
Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.
In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.
Although Declan's day ended with many Questions, he was pleased about his new position.
How can the radiology department address Declan's concern about paper waste and still comply with the Health Insurance Portability and Accountability Act (HIPAA)?

A.Confirm that patients are given the privacy notice on their first visit Section: (none) Explanation
B.Post the privacy notice in a prominent location instead
C.State the privacy policy to the patient verbally
D.Direct patients to the correct area of the hospital website

Question 69

What is a key way that the Gramm-Leach-Bliley Act (GLBA) prevents unauthorized access into a person's back account?

A.By requiring immediate public disclosure after a suspected security breach.
B.By requiring the amount of customer personal information printed on paper.
C.By requiring the financial institutions limit the collection of personal information.
D.By restricting the disclosure of customer account numbers by financial institutions.

Question 70

What was unique about the action that the Federal Trade Commission took against B.J.'s Wholesale Club in
2005?

A.It made third-party audits a penalty for policy violations.
B.It was based on matters of fairness rather than deception.
C.It was the first substantial U.S.-EU Safe Harbor enforcement.
D.It made user consent mandatory after any revisions of policy.

Correct Answer: B

The Federal Trade Commission (FTC) is the primary federal agency that enforces consumer privacy and data security laws in the United States. The FTC has the authority to bring enforcement actions against businesses that engage in unfair or deceptive acts or practices that affect commerce, under Section 5 of the FTC Act.
Unfair acts or practices are those that cause or are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers and is not outweighed by countervailing benefits to consumers or competition. Deceptive acts or practices are those that involve a material representation, omission, or practice that is likely to mislead consumers acting reasonably under the circumstances.
The FTC's action against B.J.'s Wholesale Club in 2005 was unique because it was based on matters of fairness rather than deception. The FTC alleged that B.J.'s Wholesale Club, a retailer that operates warehouse stores and gas stations, failed to provide reasonable security for the sensitive information of its customers, such as name, card number, and expiration date, that it collected from the magnetic stripes of credit and debit cards. The FTC claimed that this information was used by unauthorized persons to make millions of dollars of fraudulent purchases. The FTC did not allege that B.J.'s Wholesale Club made any false or misleading statements or omissions about its data security practices, but rather that its failure to take appropriate security measures was an unfair practice that violated Section 5 of the FTC Act. The FTC argued that B.J.'s Wholesale Club's lax security caused or was likely to cause substantial injury to consumers that was not reasonably avoidable by consumers and was not outweighed by any benefits to consumers or competition.
The FTC's action against B.J.'s Wholesale Club was one of the first cases in which the FTC used its unfairness authority to address data security issues,and it set a precedent for future enforcement actions against businesses that fail to protect consumer data. The settlement required B.J.'s Wholesale Club to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years. References:
* FTC Complaint, Paragraphs 1-23
* FTC Agreement Containing Consent Order, Paragraphs 1-9
* FTC Analysis of Proposed Consent Order to Aid Public Comment, Pages 1-3
* [IAPP CIPP/US Study Guide], Pages 69-70

Question 66

Question 67

Question 68

Question 69

Question 70

Download PDF File