IAPP CIPP-US Certified Information Privacy Professional/United States CIPP/US Exam Practice Test

Page: 1 / 14
Total 195 questions
Question 1

Which of the following types of information would an organization generally NOT be required to disclose to law enforcement?



Answer : D

The HIPAA Privacy Rule generally prohibits covered entities and business associates from disclosing protected health information (PHI) to law enforcement without the individual's authorization, unless one of the exceptions in 45 CFR 164.512 applies. These exceptions include disclosures required by law, disclosures for law enforcement purposes, disclosures about victims of abuse, neglect or domestic violence, disclosures for health oversight activities, disclosures for judicial and administrative proceedings, disclosures for research purposes, disclosures to avert a serious threat to health or safety, disclosures for specialized government functions, disclosures for workers' compensation, and disclosures to coroners and medical examiners. None of these exceptions apply to the type of information in option D, which is personal health information that is not related to any of the above purposes. Therefore, an organization would generally not be required to disclose such information to law enforcement under the HIPAA Privacy Rule.Reference:https://www.justice.gov/opcl/overview-privacy-act-1974-2020-edition/disclosures-third-parties

https://bing.com/search?q=information+disclosure+to+law+enforcement

https://hipaatrek.com/law-enforcement-hipaa-disclosing-phi/


Question 2

Why was the Privacy Protection Act of 1980 drafted?



Answer : B

The Privacy Protection Act of 1980 (PPA) is a federal law that protects journalists and newsrooms from search and seizure by government officials in connection with criminal investigations or prosecutions. The PPA prohibits the government from searching for or seizing any work product materials or documentary materials possessed by a person who intends to disseminate them to the public through a newspaper, book, broadcast, or other similar form of public communication, unless certain exceptions apply. The PPA was drafted in response to the Supreme Court's decision in Zurcher v. Stanford Daily, which upheld the constitutionality of a police search of a student newspaper's office without a subpoena, based on probable cause that the newspaper had evidence of a crime.The PPA was intended to protect the First Amendment rights of the press and the privacy interests of journalists and their sources from unreasonable government intrusion123.Reference:

1: IAPP, Privacy Protection Act of 1980, https://epic.org/the-privacy-protection-act-of-1980/

2: DOJ, Privacy Protection Act of 1980, https://www.justice.gov/archives/jm/criminal-resource-manual-661-privacy-protection-act-1980

3: Wikipedia, Privacy Protection Act of 1980, https://en.wikipedia.org/wiki/Privacy_Protection_Act_of_1980


Question 3

Which of the following became the first state to pass a law specifically regulating the practices of data brokers?



Answer : D

According to the web search results from my predefined tool, Vermont became the first state to pass a law specifically regulating the practices of data brokers in 2018. The law defines a data broker as ''a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.'' The law requires data brokers to register with the Secretary of State, pay a registration fee, provide information about their data collection and opt-out practices, and implement security measures to protect the personal information they collect and sell. The law also imposes additional obligations on data brokers that possess the personal information of minors.The law aims to increase the transparency and accountability of the data broker industry and to protect the privacy rights of consumers12.Reference:

Registered Data Brokers in the United States: 2021 | Privacy Rights ...

Am I A Data Broker?: A Quick Primer on State Laws Regulating a ... - Taft


Question 4

SCENARIO

Please use the following to answer the next QUESTION:

Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.

Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.

On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.

He was also curious about the hospital's use of a billing company. He questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.

On his first day Declan became familiar with all areas of the hospital's large radiology department. As he was organizing equipment left in the halfway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.

Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.

Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.

In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.

Although Declan's day ended with many Questions, he was pleased about his new position.

What is the most likely way that Declan might directly violate the Health Insurance Portability and Accountability Act (HIPAA)?



Answer : D

Declan might directly violate the HIPAA Privacy Rule by using John's name and personal health information (PHI) in his paper without his written authorization. The Privacy Rule protects the confidentiality of PHI that is created, received, maintained, or transmitted by a covered entity or its business associate.PHI includes any information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual1. Declan, as a nursing assistant, is part of the covered entity's workforce and must comply with the Privacy Rule. He cannot disclose John's PHI to anyone, including his classmates or instructors, without John's authorization or a valid exception under the Privacy Rule. Even if he does not use John's full name, he may still reveal enough information to make John identifiable, such as his diagnosis, his father's condition, or his location. This would be an impermissible use and disclosure of PHI, and a potential HIPAA violation.Declan should either obtain John's written authorization to use his PHI in his paper, or de-identify the information according to the Privacy Rule's standards2.Reference:

Summary of the HIPAA Privacy Rule

Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule


Question 5

Which of the following best describes an employer's privacy-related responsibilities to an employee who has left the workplace?



Answer : D

Employers have a duty to protect the personal information of their current and former employees, as well as applicants, from unauthorized access, use, or disclosure. This duty may arise from federal or state laws, such as the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act (CCPA), or from contractual obligations, such as non-disclosure agreements or privacy policies. Employers may retain sensitive employment records, such as performance evaluations, disciplinary actions, medical records, or background checks, for a legitimate business purpose, such as complying with legal requirements, defending against lawsuits, or conducting audits. However, employers must ensure that these records are stored securely, accessed only by authorized personnel, and disposed of properly when no longer needed.Reference:IAPP CIPP/US Study Guide, Chapter 4, Section 4.1.1,IAPP CIPP/US Body of Knowledge, Domain IV, Objective B


Question 6

Which of the following does Title VII of the Civil Rights Act prohibit an employer from asking a job applicant?



Answer : D

Title VII of the Civil Rights Act of 1964 is a federal law that prohibits employment discrimination based on race, color, religion, sex, and national origin1It also prohibits retaliation against individuals who assert their rights under the law or participate in an EEOC investigation1Title VII applies to employers with 15 or more employees, as well as to employment agencies, labor organizations, and joint labor-management committees1

Title VII prohibits employers from making pre-employment inquiries that express a preference, limitation, or specification based on any of the protected characteristics, unless they are bona fide occupational qualifications (BFOQs)2BFOQs are rare and narrowly construed exceptions that allow employers to consider a protected characteristic when it is reasonably necessary to the normal operation of the business2For example, a religious organization may require its employees to share its faith, or a women's shelter may hire only female counselors2

Option A is incorrect because questions about age are not prohibited by Title VII, but by the Age Discrimination in Employment Act of 1967 (ADEA), which protects individuals who are 40 years of age or older from employment discrimination based on age3The ADEA generally prohibits employers from asking applicants about their age or date of birth, unless age is a BFOQ or the inquiry is part of a lawful affirmative action plan3

Option B is incorrect because questions about a disability are not prohibited by Title VII, but by the Americans with Disabilities Act of 1990 (ADA), which protects qualified individuals with disabilities from employment discrimination based on disability4The ADA generally prohibits employers from asking applicants about whether they have a disability or the nature or severity of a disability, unless the inquiry is related to the ability to perform the essential functions of the job with or without reasonable accommodation4

Option C is incorrect because questions about a national origin are prohibited by Title VII, but not in all circumstances.Title VII prohibits employers from asking applicants about their national origin, ancestry, birthplace, native language, or accent, unless they are BFOQs or the inquiry is related to a legitimate business purpose, such as verifying eligibility to work in the United States or assessing language proficiency for a job that requires communication skills25

Option D is correct because questions about intended pregnancy are prohibited by Title VII, as amended by the Pregnancy Discrimination Act of 1978 (PDA), which protects women from employment discrimination based on pregnancy, childbirth, or related medical conditions. The PDA prohibits employers from asking applicants about whether they are pregnant or intend to become pregnant, unless they are related to the ability to perform the job. Such questions may indicate an intent to discriminate based on sex or pregnancy, or may deter women from applying for certain jobs.


Question 7

What is the most important action an organization can take to comply with the FTC position on retroactive changes to a privacy policy?



Answer : B

The FTC has stated that it is a deceptive practice to make retroactive changes to a privacy policy that affect how a company uses or shares previously collected personal information, unless the company obtains affirmative consent from the affected consumers. This means that the company must clearly and conspicuously disclose the changes and obtain the consumers' express agreement to them. Simply describing the policy changes on the website, publicizing them through social media, or reassuring customers of the security of their information are not sufficient to comply with the FTC's position.Reference:

FTC Staff Revises Online Behavioral Advertising Principles, paragraph 3.

Do I really have to obtain consent from all my customers to make a change to my privacy policy?, paragraph 2.

IAPP CIPP/US Study Guide, page 64.


Page:    1 / 14   
Total 195 questions