Free Practice Questions for IAPP CIPP-US Exam

According to HIPAA, a business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity. A business associate agreement (BAA) is a written contract between a covered entity and a business associate that establishes the permitted and required uses and disclosures of PHI by the business associate, as well as the safeguards that the business associate must implement to protect the PHI. In this scenario, MedApps is a business associate of Miraculous, since it provides a telehealth app that involves the use or disclosure of PHI on behalf of Miraculous. Therefore, HIPAA would require Miraculous and MedApps to enter into a BAA before using the telehealth app. The other options are incorrect because HIPAA does not prohibit the use of cloud hosting services or the hosting of in-person appointment data in the cloud, as long as the appropriate safeguards and agreements are in place. HIPAA also does not require patient consent for the sharing of PHI with third parties for treatment, payment, or health care operations purposes, which would include the use of the telehealth app. References:

HIPAA and Telehealth - Office for Civil Rights

HIPAA Rules for telehealth technology - Telehealth.HHS.gov

Notification of Enforcement Discretion for Telehealth - Office for Civil Rights

Guidance: How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Provide Audio-Only Telehealth - Office for Civil Rights

HIPAA Compliant App - Telehealth.org

IAPP CIPP/US Certified Information Privacy Professional Study Guide - Chapter 3: HIPAA and HITECH, pages 75-76, 81-82, 86-87.

 According to the web search results from my predefined tool, Vermont became the first state to pass a law specifically regulating the practices of data brokers in 2018. The law defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” The law requires data brokers to register with the Secretary of State, pay a registration fee, provide information about their data collection and opt-out practices, and implement security measures to protect the personal information they collect and sell. The law also imposes additional obligations on data brokers that possess the personal information of minors. The law aims to increase the transparency and accountability of the data broker industry and to protect the privacy rights of consumers12. References:

Registered Data Brokers in the United States: 2021 | Privacy Rights …

Am I A Data Broker?: A Quick Primer on State Laws Regulating a … - Taft

The HITECH Act was enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and use of health information technology, especially electronic health records (EHRs), in the United States. The HITECH Act established the Medicare and Medicaid EHR Incentive Programs, which provide financial incentives to eligible health care providers who demonstrate meaningful use of certified EHR technology. Meaningful use is defined as using EHRs to improve quality, safety, efficiency, and coordination of care, as well as to engage patients and protect their privacy and security. To qualify for the incentive payments, health care providers must meet certain objectives and measures that demonstrate meaningful use of EHRs as part of their regular care. Some of these objectives and measures include:

Protect electronic protected health information (ePHI)

Generate prescriptions electronically

Implement clinical decision support (CDS)

Use computerized provider order entry (CPOE) for medication, laboratory, and diagnostic imaging orders

Timely patient access to electronic files

Exchange health information with other providers and public health agencies

Report clinical quality measures and public health data

Therefore, the correct answer is A. Making EHRs part of regular care is an important action that a health care provider must take if she wants to qualify for funds under the HITECH Act. References:

What is the HITECH Act? 2024 Update, section “The Meaningful Use Program”

The HITECH Act explained: Definition, compliance, and violations, section “HITECH Act definition and summary” and “Why was the HITECH Act created and why is it important?”

Proposed Rulemaking to Implement HITECH Act Modifications, section “The Health Information Technology for Economic and Clinical Health (HITECH) Act”

Health Information Technology for Economic and Clinical Health (HITECH) Audits, section “The American Recovery & Reinvestment Act of 2009 (ARRA, or Recovery Act)”

What is HITECH Compliance? Understanding and Meeting HITECH Requirements, section “HITECH Compliance Requirements”

The biggest potential privacy concern related to Chanel’s use of this new software is scanning a client’s social media accounts to use in a client profile without notice to the client. This could violate the client’s reasonable expectation of privacy and consent, as well as the privacy policies of the social media platforms. The client may not be aware that their social media posts are being used for this purpose, and may not have given their permission or opt-in consent for such data collection and processing. This could also expose the client to potential discrimination or harm based on their social media activity, such as losing their appointment or being charged a cancellation fee. Furthermore, this practice could conflict with the Fair Information Practice Principles (FIPPs), such as transparency, purpose specification, and data minimization12. References:

CIPP/US Practice Questions (Sample Questions), Question 149, Answer A, Explanation A.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1, Section 1.1, p. 9-10.

In the U.S., it is a best practice and, in some states, a requirement to conduct a data protection impact assessment (DPIA) or similar evaluation when technology is used to monitor employees. This practice aligns with privacy principles aimed at ensuring that monitoring practices are proportionate, necessary, and lawful, while minimizing potential harm to employees' privacy.

Why Conduct a DPIA When Monitoring Employees?

Employee Privacy Risks: Monitoring technologies, such as video surveillance, keystroke logging, or location tracking, can significantly impact employees’ privacy. Assessments help evaluate these risks and ensure compliance with applicable privacy laws.

State-Specific Requirements: Some states, like California under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), require businesses to implement privacy safeguards, including assessments for high-risk activities involving sensitive data.

Best Practices: Even when not legally required, conducting a DPIA demonstrates accountability and helps mitigate risks associated with employee privacy violations.

Explanation of Options:

A. When a background check is used as part of the hiring process:While background checks involve sensitive data and compliance with laws like the Fair Credit Reporting Act (FCRA), a DPIA is not typically required for this process. Instead, consent and notice are emphasized.

B. When any information is processed by a corporation:This is too broad. DPIAs are generally reserved for high-risk activities involving sensitive data or technologies, not for all data processing activities.

C. When trade secrets are shared with a third party:Sharing trade secrets involves contractual and confidentiality measures, but it does not usually necessitate a data protection assessment unless personal data is also involved.

D. When technology is used to monitor employees:This is correct. Monitoring employees with technology poses significant privacy risks, making it a best practice (and sometimes a requirement) to assess the impacts on privacy and ensure compliance with state and federal laws.

References from CIPP/US Materials:

California Privacy Rights Act (CPRA): Introduces risk assessments for certain data processing activities.

IAPP CIPP/US Certification Textbook: Discusses privacy risks associated with employee monitoring and the importance of impact assessments.

The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as "a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call."1 The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services. The TSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry.2

The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged in telemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services. However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.3

Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions. References: 1: eCFR :: 16 CFR Part 310 – Telemarketing Sales Rule3, Section 310.22: Telemarketing Sales Rule | Federal Trade Commission1, Rule Summary3: Complying with the Telemarketing Sales Rule - Federal Trade Commission2, Exemptions to the TSR.

The Federal Trade Commission Act (FTCA) was adopted in 1914 as part of the Progressive Era reforms that aimed to curb the power and influence of monopolies and trusts in the U.S. economy. The FTCA created the Federal Trade Commission (FTC) as an independent agency to investigate and prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce. The FTCA also gave the FTC the authority to issue cease and desist orders, seek injunctions, and impose civil penalties for violations of the law. The FTCA was intended to complement and supplement the existing antitrust laws, such as the Sherman Act and the Clayton Act, that prohibited restraints of trade, price-fixing, mergers, and other anticompetitive conduct.

The other options are not correct, because:

The FTCA did not explicitly address privacy rights of U.S. citizens, although the FTC later used its authority under the FTCA to enforce against unfair or deceptive privacy practices, such as making false or misleading claims, failing to disclose material information, or violating consumers’ choices or expectations regarding their personal data.

The FTCA did not specifically focus on consumer protection, although the FTC later expanded its scope to include consumer protection issues, such as advertising and marketing, credit and finance, privacy and security, and consumer education. The FTC also enforced other consumer protection laws, such as the Truth in Lending Act, the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, and the CAN-SPAM Act.

The FTCA did not authorize the FTC to negotiate consent decrees with companies violating personal privacy, although the FTC later used consent decrees as a common tool to settle privacy cases and impose remedial measures, such as audits, reports, and compliance programs. Consent decrees are agreements between the FTC and the parties involved in a case that resolve the FTC’s charges without admitting liability or wrongdoing.

References:

FTC website, Federal Trade Commission Act

Britannica website, Federal Trade Commission Act (FTCA)

IAPP CIPP/US Study Guide, Chapter 1: Introduction to the U.S. Privacy Environment, pp. 11-12

IAPP website, Federal Trade Commission Act, Section 5 of

According to the Wiley study guide, one of the steps in developing a privacy policy is to conduct a privacy assessment, which involves identifying the organization’s information goals and needs, as well as the legal and regulatory requirements that apply to its data collection and use practices3. By spending more time understanding the company’s information goals, Janice would have been able to tailor the privacy policy to fit the company’s business model and customer expectations, while still complying with the relevant privacy laws and standards. This would have also helped Janice to address Cheryl’s concerns about the impact of the policy on the company’s operations and customer relationships, and to propose solutions that balance privacy protection and service delivery.

References:

1: https://iapp.org/certify/cippus/

2: https://iapp.org/certify/get-certified/cippus/

3: https://www.wiley.com/en-be/IAPP+CIPP+US+Certified+Information+Privacy+Professional+Study+Guide-p-9781119755517

4: https://www.techtarget.com/searchsecurity/quiz/10-CIPP-US-practice-questions-to-test-your-privacy-knowledge

5: https://www.study4exam.com/iapp/free-cipp-us-questions

https://www.passitcertify.com/iapp/cipp-us-questions.html