
CIPP-US Online Practice Questions and Answers

Questions 4

What was the original purpose of the Federal Trade Commission Act?

A. To ensure privacy rights of U.S. citizens

B. To protect consumers

C. To enforce antitrust laws

D. To negotiate consent decrees with companies violating personal privacy

Questions 5

A covered entity suffers a ransomware attack that affects the personal health information (PHI) of more than 500 individuals. According to Federal law under HIPAA, which of the following would the covered entity NOT have to report the breach to?

A. Department of Health and Human Services

B. The affected individuals

C. The local media

D. Medical providers

Questions 6

SCENARIO

Please use the following to answer the next question:

Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.

Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI).

Therefore, he is thinking carefully about privacy issues.

On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.

He was also curious about the hospital's use of a billing company. He questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.

On his first day Declan became familiar with all areas of the hospital's large radiology department. As he was organizing equipment left in the hallway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.

Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.

Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.

In one month, Declan has a paper due for one of his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.

Although Declan's day ended with many questions, he was pleased about his new position.

What is the most likely way that Declan might directly violate the Health Insurance Portability and Accountability Act (HIPAA)?

A. By being present when patients are checking in

B. By speaking to a patient without prior authorization

C. By ignoring the conversation about a potential breach

D. By following through with his plans for his upcoming paper

Questions 7

Under the Telemarketing Sales Rule, what characteristics of consent must be in place for an organization to acquire an exception to the Do-Not-Call rules for a particular consumer?

A. The consent must be in writing, must state the times when calls can be made to the consumer and must be signed

B. The consent must be in writing, must contain the number to which calls can be made and must have an end date

C. The consent must be in writing, must contain the number to which calls can be made and must be signed

D. The consent must be in writing, must have an end date and must state the times when calls can be made

Questions 8

What is the main purpose of the CAN-SPAM Act?

A. To diminish the use of electronic messages to send sexually explicit materials

B. To authorize the states to enforce federal privacy laws for electronic marketing

C. To empower the FTC to create rules for messages containing sexually explicit content

D. To ensure that organizations respect individual rights when using electronic advertising

Questions 9

What do the Civil Rights Act, Pregnancy Discrimination Act, Americans with Disabilities Act, Age Discrimination Act, and Equal Pay Act all have in common?

A. They require employers not to discriminate against certain classes when employees use personal information

B. They require that employers provide reasonable accommodations to certain classes of employees

C. They afford certain classes of employees privacy protection by limiting inquiries concerning their personal information

D. They permit employers to use or disclose personal information specifically about employees who are members of certain classes

Questions 10

Which law provides employee benefits, but often mandates the collection of medical information?

A. The Occupational Safety and Health Act.

B. The Americans with Disabilities Act.

C. The Employee Medical Security Act.

D. The Family and Medical Leave Act.

Questions 11

In what way is the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act intended to help consumers?

A. By providing consumers with free spam-filtering software.

B. By requiring a company to receive an opt-in before sending any advertising e-mails.

C. By prohibiting companies from sending objectionable content through unsolicited e-mails.

D. By requiring companies to allow consumers to opt-out of future e-mails.

Questions 12

Which of the following statements is most accurate in regard to data breach notifications under federal and state laws:

A. You must notify the Federal Trade Commission (FTC) in addition to affected individuals if over 500 individuals are receiving notice.

B. When providing an individual with required notice of a data breach, you must identify what personal information was actually or likely compromised.

C. When you are required to provide an individual with notice of a data breach under any state's law, you must provide the individual with an offer for free credit monitoring.

D. The only obligations to provide data breach notification are under state law because currently there is no federal law or regulation requiring notice for the breach of personal information.

Questions 13

What consumer service was the Fair Credit Reporting Act (FCRA) originally intended to provide?

A. The ability to receive reports from multiple credit reporting agencies.

B. The ability to appeal negative credit-based decisions.

C. The ability to correct inaccurate credit information.

D. The ability to investigate incidents of identity theft.

Questions 14

Which federal agency plays a role in privacy policy, but does NOT have regulatory authority?

A. The Office of the Comptroller of the Currency.

B. The Federal Communications Commission.

C. The Department of Transportation.

D. The Department of Commerce.

Questions 15

Which statement is FALSE regarding the provisions of the Employee Polygraph Protection Act of 1988 (EPPA)?

A. The EPPA requires that employers post essential information about the Act in a conspicuous location.

B. The EPPA includes an exception that allows polygraph tests in professions in which employee honesty is necessary for public safety.

C. Employers are prohibited from administering psychological testing based on personality traits such as honesty, preferences or habits.

D. Employers involved in the manufacture of controlled substances may terminate employees based on polygraph results if other evidence exists.

Questions 16

ABC Corp. is a consumer-facing business that uses a number of vendors to help operate its business, such as payment processors, cloud service providers, and an e-commerce platform.

If ABC Corp. were subject to the California Consumer Privacy Act (CCPA), what would it have to do in order to avoid having its transfer of personal information to vendors be considered a "sale" of personal information?

A. Register its transfer of personal information with the California Attorney General's office.

B. Ensure that it does not receive any monetary consideration from the vendors for the personal information.

C. Enter into a contract with the vendors containing restrictions on what they can do with the personal information.

D. State in its privacy policy that it will only transfer the personal information to vendors who provide the business with certain services.

Questions 17

Which of the following state laws has an entity exemption for organizations subject to the Gramm-Leach-Bliley Act (GLBA)?

A. Nevada Privacy Law.

B. California Privacy Rights Act.

C. California Consumer Privacy Act.

D. Virginia Consumer Data Protection Act.

Questions 18

One of the most significant elements of Senate Bill No. 260 relating to Internet privacy is the introduction of what term into Nevada law?

A. Data Ethics.

B. Data Brokers.

C. Artificial Intelligence.

D. Transfer Mechanism.

Exam Code: CIPP-US
Exam Name: Certified Information Privacy Professional/United States (CIPP/US)
Last Update: Apr 21, 2024
Questions: 198 Q&As
