IAPP CIPP/US Exam Practice Test Instant Access

Question 1

Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach where a third-party hacker was able to gain access to the SMH internal network.

Because it is a HIPPA-covered entity, SMH made a notification to the Office of Civil Rights at the U.S. Department of Health and Human Services about the breach.

Which statement accurately describes SMH's notification responsibilities?

AIf SMH is compliant with HIPAA, it will not have to make a separate notification to individuals in the state of New York.

BIf SMH has more than 500 patients in the state of New York, it will need to make separate notifications to these patients.

CIf SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.

DIf SMH makes credit monitoring available to individuals who inquire, it will not have to make a separate notification to individuals in the state of New York.

Answer : C

The correct answer is C. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.Under the Health Insurance Portability and Accountability Act (HIPAA), SMH is required to notify the Office of Civil Rights (OCR) and the affected individuals of a data breach involving unsecured protected health information (PHI) within 60 days of discovery1.However, HIPAA does not preempt state laws that provide greater protection to individuals or impose additional obligations on covered entities2. Therefore, SMH must also comply with the state breach notification laws of the states where it operates, including New York.

According to the New York State Information Security Breach and Notification Act, any person or business that owns or licenses computerized data that includes private information of a resident of New York must disclose any breach of the security of the system to such resident in the most expedient time possible and without unreasonable delay, unless the exposure of the private information was inadvertent and unlikely to result in misuse or financial harm3.Private information includes personal information (such as name, number, or other identifier) plus one or more of the following data elements: social security number; driver's license number or non-driver identification card number; account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual's financial account; biometric information; or a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account3.

Therefore, if SMH's data breach involved any of these data elements of New York residents, SMH must notify them of the breach, regardless of whether SMH is compliant with HIPAA, has more than 500 patients in New York, or offers credit monitoring services.SMH must also notify the New York Attorney General, the Department of State, and the Division of State Police within 10 days of notifying the affected individuals3.Additionally, SMH must notify the New York Department of Health if the breach involved electronic health records4.

https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_note_dbn_e.pdf

Question 2

SCENARIO

Please use the following to answer the next QUESTION

When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor

procedures for purging and destroying outdated dat

a. In her research, Roberta had discovered that even low- level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.

Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.

When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.

Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.

Which principle of the Consumer Privacy Bill of Rights, if adopted, would best reform the company's privacy program?

AConsumers have a right to exercise control over how companies use their personal data.

BConsumers have a right to reasonable limits on the personal data that a company retains.

CConsumers have a right to easily accessible information about privacy and security practices.

DConsumers have a right to correct personal data in a manner that is appropriate to the sensitivity.

Answer : B

The Consumer Privacy Bill of Rights is a set of principles proposed by the Obama administration in 2012 to protect the privacy of consumers online and offline. The principles are based on the Fair Information Practice Principles, which are widely accepted as the foundation of privacy protection. One of the principles is the right to reasonable limits on the personal data that a company retains, which means that companies should collect and keep only the personal data they need for legitimate purposes, and dispose of it securely when it is no longer needed. This principle would best reform the company's privacy program in the scenario, as it would address the major concerns that Roberta identified in her report, such as the lack of rules and procedures for purging and destroying outdated data, and the excessive access to customer information by low-level employees. By implementing reasonable limits on the personal data that the company retains, the company would reduce the risk of data breaches, enhance customer trust, and comply with state breach notification laws.Reference:

Fact Sheet: Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to U.S. Privacy Law, Section 1.2: The Consumer Privacy Bill of Rights

Question 3

Which of the following would NOT constitute an exception to the authorization requirement under the HIPAA Privacy Rule?

ADisclosing health information for public health activities.

BDisclosing health information to file a child abuse report.

CDisclosing health information needed to treat a medical emergency.

DDisclosing health information needed to pay a third party billing administrator.

Answer : D

The HIPAA Privacy Rule requires covered entities to obtain an individual's written authorization for any use or disclosure of protected health information (PHI) that is not for treatment, payment, or health care operations or otherwise permitted or required by the Privacy Rule. However, there are some exceptions to the authorization requirement for certain public interest-related activities, such as disclosing health information for public health activities, reporting child abuse, or treating a medical emergency. These exceptions are intended to balance the privacy interests of individuals with the public interest in protecting health and safety, promoting quality health care, and ensuring compliance with the law. Disclosing health information needed to pay a third party billing administrator is not one of the exceptions to the authorization requirement, as it is considered a payment activity that falls under the general rule of requiring authorization. Therefore, it is the correct answer to the question.Reference:Summary of the HIPAA Privacy Rule,HIPAA Exceptions,Exceptions to HIPAA Privacy Rule,Waiver of Authorization, IAPP CIPP/US Study Guide, Chapter 5.

Question 4

What information did the Red Flag Program Clarification Act of 2010 add to the original Red Flags rule?

AThe most common methods of identity theft.

BThe definition of what constitutes a creditor.

CThe process for proper disposal of sensitive data.

DThe components of an identity theft detection program.

Answer : B

The Red Flag Program Clarification Act of 2010 amended the original Red Flags rule, which required certain financial institutions and creditors to develop and implement a written identity theft prevention program.The Clarification Act narrowed the definition of creditor to include only those who regularly and in the ordinary course of business advance funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person12.This excludes creditors who advance funds for expenses incidental to a service provided by the creditor to that person3.Reference:

CIPP/US Practice Questions (Sample Questions), Question 133, Answer B, Explanation B.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4, Section 4.3, p. 108-109.

Red Flag Program Clarification Act of 2010, Section 2, Subsection (b).

Question 5

Which venture would be subject to the requirements of Section 5 of the Federal Trade Commission Act?

AA local nonprofit charity's fundraiser

BAn online merchant's free shipping offer

CA national bank's no-fee checking promotion

DA city bus system's frequent rider program

Answer : B

Section 5 of the Federal Trade Commission Act (FTC Act) prohibits ''unfair or deceptive acts or practices in or affecting commerce.''1This prohibition applies to all persons engaged in commerce, including banks, but also exempts some entities, such as nonprofit organizations and common carriers, from FTC jurisdiction.2Therefore, among the four options, only an online merchant's free shipping offer would be subject to the requirements of Section 5, as it involves a commercial activity that could potentially mislead or harm consumers.For example, if the online merchant fails to disclose the terms and conditions of the offer, or charges hidden fees, or delivers the products late or damaged, it could violate Section 5 by engaging in a deceptive practice.3Reference:1: Section 5 | Federal Trade Commission2: Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices, page 13: IAPP CIPP/US Certified Information Privacy Professional Study Guide, page 23.

Question 6

What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?

AA consent decree

BStare decisis decree

CA judgment rider

DCommon law judgment

Answer : A

A consent decree is a legal document that resolves a dispute between a governmental agency and an adverse party without admission of guilt or liability by either side. It is approved by a judge and has the force of a court order. A consent decree may include terms such as compliance, monitoring, reporting, or remediation. A consent decree is often used to settle civil enforcement actions brought by federal agencies such as the Federal Trade Commission (FTC), the Environmental Protection Agency (EPA), or the Department of Justice (DOJ).Reference:

IAPP Glossary, entry for ''consent decree''

[IAPP CIPP/US Study Guide], p. 39, section 2.1.3

[IAPP CIPP/US Body of Knowledge], p. 9, section B.1.a

Question 7

Which jurisdiction must courts have in order to hear a particular case?

ASubject matter jurisdiction and regulatory jurisdiction

BSubject matter jurisdiction and professional jurisdiction

CPersonal jurisdiction and subject matter jurisdiction

DPersonal jurisdiction and professional jurisdiction

Answer : C

In order for a court to hear a case, it must have both personal jurisdiction and subject matter jurisdiction. Personal jurisdiction refers to the authority of a court over the parties to a case, while subject matter jurisdiction refers to the authority of a court to hear a particular type of case. For example, a federal court may have subject matter jurisdiction over a case involving a federal law, but it may not have personal jurisdiction over a defendant who has no contacts with the state where the court is located. Similarly, a state court may have personal jurisdiction over a resident of the state, but it may not have subject matter jurisdiction over a case involving a foreign treaty.Reference:[IAPP CIPP/US Study Guide], Chapter 2: Introduction to U.S. Law, p. 25-26;Wex Legal Dictionary, Subject Matter Jurisdiction and Personal Jurisdiction.

IAPP Certified Information Privacy Professional/United States CIPP/US Exam Practice Test