Pass the IAPP Certified Information Privacy Professional CIPP-US Questions and answers with ExamsMirror

 Declan might directly violate the HIPAA Privacy Rule by using John’s name and personal health information (PHI) in his paper without his written authorization. The Privacy Rule protects the confidentiality of PHI that is created, received, maintained, or transmitted by a covered entity or its business associate. PHI includes any information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual1. Declan, as a nursing assistant, is part of the covered entity’s workforce and must comply with the Privacy Rule. He cannot disclose John’s PHI to anyone, including his classmates or instructors, without John’s authorization or a valid exception under the Privacy Rule. Even if he does not use John’s full name, he may still reveal enough information to make John identifiable, such as his diagnosis, his father’s condition, or his location. This would be an impermissible use and disclosure of PHI, and a potential HIPAA violation. Declan should either obtain John’s written authorization to use his PHI in his paper, or de-identify the information according to the Privacy Rule’s standards2. References:

Summary of the HIPAA Privacy Rule

Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

The Civil Rights Act, Pregnancy Discrimination Act, Americans with Disabilities Act, Age Discrimination Act, and Equal Pay Act are all federal laws that prohibit employment discrimination based on certain protected characteristics, such as race, sex, disability, age, and pay1234 These laws also afford certain classes of employees’ privacy protection by limiting inquiries concerning their personal information that may reveal their protected status or be used for discriminatory purposes. For example:

The Civil Rights Act of 1964 prohibits employers from making pre-employment inquiries that express a preference, limitation, or specification based on race, color, religion, sex, or national origin, unless they are bona fide occupational qualifications.

The Pregnancy Discrimination Act of 1978, which amended the Civil Rights Act of 1964, prohibits employers from making pre-employment inquiries about whether an applicant is pregnant or intends to become pregnant, unless they are related to the ability to perform the job.

The Americans with Disabilities Act of 1990 prohibits employers from making pre-employment inquiries about whether an applicant has a disability or the nature or severity of a disability, unless they are related to the ability to perform the essential functions of the job with or without reasonable accommodation.

The Age Discrimination in Employment Act of 1967 prohibits employers from making pre-employment inquiries about an applicant’s age, unless they are related to a bona fide occupational qualification or a lawful affirmative action plan.

The Equal Pay Act of 1963 prohibits employers from making pre-employment inquiries about an applicant’s salary history, unless they are made for a lawful purpose other than determining the applicant’s pay.

Option A is incorrect because these laws do not require employers not to discriminate against certain classes when employees use personal information. Rather, they require employers not to discriminate against certain classes in any aspect of employment, such as hiring, firing, pay, promotion, training, benefits, etc1234 The use of personal information by employees is not directly addressed by these laws, although it may be subject to other privacy laws or policies.

Option B is incorrect because these laws do not require that employers provide reasonable accommodations to certain classes of employees. Rather, only the Americans with Disabilities Act and the Pregnancy Discrimination Act require employers to provide reasonable accommodations to qualified individuals with disabilities and workers with limitations related to pregnancy, childbirth, or related medical conditions, respectively, unless doing so would cause an undue hardship to the employer. The other laws do not have a similar requirement, although they may prohibit employers from denying equal opportunities to certain classes of employees.

Option C is correct because these laws afford certain classes of employees’ privacy protection by limiting inquiries concerning their personal information that may reveal their protected status or be used for discriminatory purposes, as explained above.

Option D is incorrect because these laws do not permit employers to use or disclose personal information specifically about employees who are members of certain classes. Rather, these laws generally prohibit employers from using or disclosing personal information that is protected by these laws for any unlawful or discriminatory purpose, unless an exception applies. For example, employers may use or disclose such information for legitimate business reasons, such as complying with reporting requirements, administering benefits, or conducting investigations.

References: 1: Facts About Equal Pay and Compensation Discrimination 2: Pregnancy Discrimination and Pregnancy-Related Disability Discrimination | U.S. Equal Employment Opportunity Commission 3: Regulations, Guidance and Policy | Equal Opportunity Guidance | OEEOWE 4: Age Discrimination | U.S. Equal Employment Opportunity Commission : Pre-Employment Inquiries and Medical Questions & Examinations | U.S. Equal Employment Opportunity Commission : Employee Medical Information | U.S. Equal Employment Opportunity Commission : Employee Privacy Rights | U.S. Department of Labor : Title VII of the Civil Rights Act of 1964 | U.S. Equal Employment Opportunity Commission : Fact Sheet: Pregnancy Discrimination | U.S. Equal Employment Opportunity Commission : The Americans with Disabilities Act: A Primer for Small Business : Age Discrimination in Employment Act of 1967 | U.S. Equal Employment Opportunity Commission : Equal Pay Act of 1963 | U.S. Equal Employment Opportunity Commission

The HIPAA Privacy Rule requires covered entities to obtain an individual’s written authorization for any use or disclosure of protected health information (PHI) that is not for treatment, payment, or health care operations or otherwise permitted or required by the Privacy Rule. However, there are some exceptions to the authorization requirement for certain public interest-related activities, such as disclosing health information for public health activities, reporting child abuse, or treating a medical emergency. These exceptions are intended to balance the privacy interests of individuals with the public interest in protecting health and safety, promoting quality health care, and ensuring compliance with the law. Disclosing health information needed to pay a third party billing administrator is not one of the exceptions to the authorization requirement, as it is considered a payment activity that falls under the general rule of requiring authorization. Therefore, it is the correct answer to the question. References: Summary of the HIPAA Privacy Rule, HIPAA Exceptions, Exceptions to HIPAA Privacy Rule, Waiver of Authorization, IAPP CIPP/US Study Guide, Chapter 5.

Cheryl’s suggested method of communicating the new privacy policy by creating documents listing applicable parts of the new policy for each department and implementing it gradually over several months may create confusion and inconsistency among employees and customers. Different departments may have different interpretations and expectations of the policy, and customers may not be aware of the changes or their rights under the policy. This may lead to errors, complaints, and violations of the policy and the applicable laws. A better approach would be to communicate the policy in full to all employees and customers at once, and provide training and guidance on how to comply with it. The policy should also be easily accessible and updated on the company’s website and other channels. References:

Privacy Policy for Health Coaches

Privacy Policies for Online Coaches

Privacy Policy - Coaching.com

The annual privacy notice requirement under the Gramm-Leach-Bliley Act (GLBA) applies to financial institutions that collect nonpublic personal information from customers and disclose it to nonaffiliated third parties, unless they qualify for an exception. A financial institution is any entity that engages in activities that are financial in nature or incidental to such activities, as defined by section 4(k) of the Bank Holding Company Act of 1956. The King County Savings and Loan is a financial institution under this definition, as it engages in lending money and accepting deposits. Therefore, it is required to provide its customers with an annual privacy notice, unless it meets the conditions for an exception. The Four Winds Tribal College, the Golden Gavel Auction House, and the Breezy City Housing Commission are not financial institutions under the GLBA, as they do not engage in activities that are financial in nature or incidental to such activities. Therefore, they are not required to provide their customers with an annual privacy notice under the GLBA. References:

Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act, section I. Background, paragraph 2.

17 CFR § 248.5 - Annual privacy notice to customers required., paragraph (a) (1).

IAPP CIPP/US Study Guide, page 65.

One of the most significant changes introduced by Nevada Senate Bill 260 (SB 260) is the inclusion of the term “Data Brokers” into Nevada privacy law. The bill requires data brokers to register with the Nevada Secretary of State and comply with new privacy requirements, such as responding to consumer opt-out requests. This addition aligns Nevada’s privacy framework more closely with laws like Vermont’s data broker law.

Key Provisions of SB 260:

Definition of Data Brokers:

A data broker is defined as a company that collects, sells, or licenses consumer data and does not have a direct relationship with the consumer.

Registration Requirements:

Data brokers must register annually with the Nevada Secretary of State.

Consumer Rights:

Consumers are granted the right to opt out of the sale of their personal information, extending the scope of Nevada's existing privacy law.

Explanation of Options:

A. Data Ethics:While data ethics is an important concept, it is not introduced as a specific term under SB 260.

B. Data Brokers:This is correct. The inclusion of data brokers as a regulated entity is the primary addition introduced by SB 260.

C. Artificial Intelligence:SB 260 does not address artificial intelligence directly.

D. Transfer Mechanism:SB 260 focuses on regulating data brokers, not cross-border data transfer mechanisms.

References from CIPP/US Materials:

Nevada Senate Bill 260 (SB 260): Introduces data broker registration and opt-out rights.

IAPP CIPP/US Certification Textbook: Discusses state-specific privacy laws, including Nevada’s privacy framework.

Mega Corp. is a U.S.-based business with employees in California, Virginia, and Colorado. Therefore, it must comply with the privacy laws of these three states in regard to its human resources data, unless it qualifies for an exemption under each law.

The California Privacy Rights Act (CPRA) is an amendment to the California Consumer Privacy Act (CCPA) that was approved by voters in November 2020 and will take effect on January 1, 2023. The CPRA expands the rights and protections of California residents with respect to their personal information and creates a new category of sensitive personal information that includes certain employment-related data, such as Social Security numbers, driver’s license numbers, passport numbers, financial account information, biometric information, and geolocation data. The CPRA also establishes a new enforcement agency, the California Privacy Protection Agency, to oversee and enforce the law.

The Virginia Consumer Data Protection Act (VCDPA) is a comprehensive privacy law that was enacted in March 2021 and will take effect on January 1, 2023. The VCDPA grants Virginia residents several rights with respect to their personal data, such as the right to access, correct, delete, port, and opt out of certain processing activities. The VCDPA also imposes various obligations on businesses that control or process personal data of Virginia residents, such as conducting data protection assessments, entering into contracts with processors, and providing privacy notices.

The Colorado Privacy Act (CPA) is another comprehensive privacy law that was enacted in July 2021 and will take effect on July 1, 2023. The CPA grants Colorado residents similar rights as the VCDPA, with some variations, such as the right to appeal a business’s response to a request and the right to opt out of targeted advertising, the sale of personal data, and certain profiling activities. The CPA also imposes similar obligations as the VCDPA, with some differences, such as requiring opt-in consent for the processing of sensitive data and allowing businesses to join a universal opt-out mechanism.

All three laws apply to businesses that conduct business in or target consumers in the respective states and meet certain thresholds of revenue or data processing volume. However, all three laws also provide exemptions for certain types of data or entities that are subject to other federal or state laws, such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), and the Family Educational Rights and Privacy Act (FERPA).

One of the exemptions that may be relevant for Mega Corp. is the employee data exemption, which excludes personal data that is collected and used by an employer within the context of an employment relationship or for emergency contact or benefits administration purposes. However, this exemption is not permanent or uniform across the three laws. The CPRA’s employee data exemption is set to expire on January 1, 2023, unless extended by the legislature. The VCDPA’s employee data exemption is set to expire on January 1, 2023, unless repealed by the legislature. The CPA’s employee data exemption does not have an expiration date, but it does not apply to the right to opt out of the sale of personal data or the right to appeal a business’s response to a request.

Therefore, depending on the type and scope of the human resources data that Mega Corp. collects and processes, it may have to comply with the California Privacy Rights Act, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act, unless it qualifies for another exemption under each law.

References:

[IAPP CIPP/US Study Guide], Chapter 10: State Data Security Laws, pp. 227-229.

CIPP/US Practice Questions (Sample Questions), Question 32.

The Red Flag Program Clarification Act of 2010 amended the original Red Flags rule, which required certain financial institutions and creditors to develop and implement a written identity theft prevention program. The Clarification Act narrowed the definition of creditor to include only those who regularly and in the ordinary course of business advance funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person12. This excludes creditors who advance funds for expenses incidental to a service provided by the creditor to that person3. References:

CIPP/US Practice Questions (Sample Questions), Question 133, Answer B, Explanation B.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4, Section 4.3, p. 108-109.

Red Flag Program Clarification Act of 2010, Section 2, Subsection (b).

A company that develops a privacy policy with standards that are much higher than its competitors may face the risk of being more closely scrutinized for any breaches of policy by regulators, customers, media, or other stakeholders. This is because the company sets a higher expectation for its privacy practices and may be held to a higher standard of accountability and transparency. If the company fails to comply with its own policy or experiences a data breach, it may face more severe consequences, such as reputational damage, loss of trust, legal liability, or regulatory sanctions. References:

IAPP CIPP/US Body of Knowledge, Section I, B, 2

[IAPP CIPP/US Study Guide, Chapter 1, Section 1.4]

The law that is not involved in the regulation of employee background checks is B. The Gramm-Leach-Bliley Act (GLBA). The GLBA is a federal law that regulates the privacy and security of financial information collected, used, or shared by financial institutions, such as banks, insurance companies, or securities firms. The GLBA does not apply to employee background checks, unless the employer is a financial institution that obtains financial information from a consumer reporting agency for employment purposes. In that case, the employer must comply with the GLBA’s notice and opt-out requirements, as well as the FCRA’s requirements for using consumer reports. References:

[IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 113-114.

IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 3: Background Checks.

IAPP CIPP/US Practice Questions, Question 150.