Which venture would be subject to the requirements of Section 5 of the Federal Trade Commission Act?
A. A local nonprofit charity's fundraiser
B. An online merchant's free shipping offer
C. A national bank's no-fee checking promotion
D. A city bus system's frequent rider program
In which situation would a policy of "no consumer choice" or "no option" be expected?
A. When a job applicant's credit report is provided to an employer
B. When a customer's financial information is requested by the government
C. When a patient's health record is made available to a pharmaceutical company
D. When a customer's street address is shared with a shipping company
SCENARIO
Please use the following to answer the next question:
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals, ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
Which of the following would be HealthCo's best response to the attorney's discovery request?
A. Reject the request because the HIPAA privacy rule only permits disclosure for payment, treatment or healthcare operations
B. Respond with a request for satisfactory assurances such as a qualified protective order
C. Turn over all of the compromised patient records to the plaintiff's attorney
D. Respond with a redacted document only relative to the plaintiff
What practice do courts commonly require in order to protect certain personal information on documents, whether paper or electronic, that is involved in litigation?
A. Redaction
B. Encryption
C. Deletion
D. Hashing
More than half of U.S. states require telemarketers to?
A. Identify themselves at the beginning of a call
B. Obtain written consent from potential customers
C. Register with the state before conducting business
D. Provide written contracts for customer transactions
What does the Massachusetts Personal Information Security Regulation require as it relates to encryption of personal information?
A. The encryption of all personal information of Massachusetts residents when all equipment is located in Massachusetts.
B. The encryption of all personal information stored in Massachusetts-based companies when all equipment is located in Massachusetts.
C. The encryption of personal information stored in Massachusetts-based companies when stored on portable devices.
D. The encryption of all personal information of Massachusetts residents when stored on portable devices.
SCENARIO
Please use the following to answer the next question:
Otto is preparing a report to his Board of Directors at Filtration Station, where he is responsible for the privacy program. Filtration Station is a U.S. company that sells filters and tubing products to pharmaceutical companies for research use. The company is based in Seattle, Washington, with offices throughout the U.S. and Asia. It sells to business customers across both the U.S. and the Asia-Pacific region. Filtration Station participates in the Cross-Border Privacy Rules system of the APEC Privacy Framework.
Unfortunately, Filtration Station suffered a data breach in the previous quarter. An unknown third party was able to gain access to Filtration Station's network and was able to steal data relating to employees in the company's Human Resources database, which is hosted by a third-party cloud provider based in the U.S. The HR data is encrypted. Filtration Station also uses the third-party cloud provider to host its business marketing contact database. The marketing database was not affected by the data breach. It appears that the data breach was caused when a system administrator at the cloud provider stored the encryption keys with the data itself.
The Board has asked Otto to provide information about the data breach and how updates on new developments in privacy laws and regulations apply to Filtration Station. They are particularly concerned about staying up to date on the various U.S. state laws and regulations that have been in the news, especially the California Consumer Privacy Act (CCPA) and breach notification requirements.
The Board has asked Otto whether the company will need to comply with the new California Consumer Privacy Law (CCPA). What should Otto tell the Board?
A. That CCPA will apply to the company only after the California Attorney General determines that it will enforce the statute.
B. That the company is governed by CCPA, but does not need to take any additional steps because it follows CPBR.
C. That business contact information could be considered personal information governed by CCPA.
D. That CCPA only applies to companies based in California, which exempts the company from compliance.
SCENARIO
Please use the following to answer the next question:
Miraculous Healthcare is a large medical practice with multiple locations in California and Nevada. Miraculous normally treats patients in person, but has recently decided to start offering telehealth appointments, where patients can have virtual appointments with on-site doctors via a phone app.
For this new initiative, Miraculous is considering a product built by MedApps, a company that makes quality telehealth apps for healthcare practices and licenses them to be used with the practices' branding. MedApps provides technical support for the app, which it hosts in the cloud. MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the service.
Riya is the Privacy Officer at Miraculous, responsible for the practice's compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place. She occasionally assists procurement in vetting vendors and inquiring about their own compliance practices, as well as negotiating the terms of vendor agreements. Riya is currently reviewing the suitability of the MedApps app from a privacy perspective.
Riya has also been asked by the Miraculous Healthcare business operations team to review the MedApps' optional benchmarking service. Of particular concern is the requirement that Miraculous Healthcare upload information about the appointments to a portal hosted by MedApps.
Which of the following would accurately describe the relationship of the parties if they enter into a contract for use of the app?
A. Miraculous Healthcare would be the covered entity because its name and branding are on the app; MedApps would be a business associate because it is hosting the data that supports the app.
B. MedApps would be the covered entity because it built and hosts the app and all the data; Miraculous Healthcare would be a business associate because it only provides its brand on the app.
C. Miraculous Healthcare would be a covered entity because it is the healthcare provider; MedApps would also be a covered entity because the data in the app is being shared with it.
D. Miraculous Healthcare would be the covered entity because it is the healthcare provider; MedApps would be a business associate because it is providing a service to support Miraculous.
SCENARIO
Please use the following to answer the next question:
Miraculous Healthcare is a large medical practice with multiple locations in California and Nevada. Miraculous normally treats patients in person, but has recently decided to start offering telehealth appointments, where patients can have virtual appointments with on-site doctors via a phone app.
For this new initiative, Miraculous is considering a product built by MedApps, a company that makes quality telehealth apps for healthcare practices and licenses them to be used with the practices' branding. MedApps provides technical support for the app, which it hosts in the cloud. MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the service.
Riya is the Privacy Officer at Miraculous, responsible for the practice's compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place. She occasionally assists procurement in vetting vendors and inquiring about their own compliance practices, as well as negotiating the terms of vendor agreements. Riya is currently reviewing the suitability of the MedApps app from a privacy perspective.
Riya has also been asked by the Miraculous Healthcare business operations team to review the MedApps' optional benchmarking service. Of particular concern is the requirement that Miraculous Healthcare upload information about the appointments to a portal hosted by MedApps.
What can Riya do to most effectively minimize the privacy risks of using an app for telehealth appointments?
A. Require MedApps to de-identify all patient data.
B. Prohibit MedApps from using subcontractors.
C. Require MedApps to submit a SOC2 report.
D. Engage in active oversight of MedApps.
SCENARIO
Please use the following to answer the next question:
You are the privacy manager at a privately-owned U.S. company that produces an increasingly popular fitness app called GetFit. After users create an account with their contact information, the app uses a smartphone and a system of connected smartwatch sensors to track users when they exercise. It collects information on location when users walk or run outdoors, as well as general health information (such as heart rate) during all exercise sessions. The app also collects credit card information for payment of the monthly subscription fee.
One Friday, the company's security team contacts you about the discovery of malware on their media server. The team assures you that there was no user data on this server and that, in any case, they found the malware before any damage could be done.
However, on Monday morning the security team contacts you again, this time with the information that they have discovered the same malware on the company's payments server. They suspect it likely that users' credit card information was taken by the attacker. By Monday evening, the situation has gotten dramatically worse, as the security team has also discovered this malware on the company's database server, an infiltration that gives the attacker access to users' profile, health and location information.
After coordinating with the security team, you are asked to meet with senior management and advise them on the company's obligations in connection with the incident. The Chief Financial Officer asks, "If we decide to notify all our users of this incident, are we obligated to provide any of them with a free credit monitoring offer?" The General Counsel wants to know if providing this notice and offer will help the company avoid liability.
What answer should be given to the General Counsel?
A. "Users can only sue us if we violate the state breach notification laws."
B. "This is a health data incident subject to HIPAA, so the private right of action does not apply."
C. "Users cannot sue us, because only federal and state regulators have enforcement authority in data breaches."
D. "Even if we provide notice, we may still face liability due to mishandling the data and causing potential harm to users."