IAPP CIPP-US Certified Information Privacy Professional/United States CIPP/US Exam Practice Test

Page: 1 / 14
Total 195 questions
Question 1

SCENARIO

Please use the following to answer the next question:

Miraculous Healthcare is a large medical practice with multiple locations in California and Nevada. Miraculous normally treats patients in person, but has recently decided to start offering telehealth appointments, where patients can have virtual appointments with on-site doctors via a phone app.

For this new initiative, Miraculous is considering a product built by MedApps, a company that makes quality telehealth apps for healthcare practices and licenses them to be used with the practices' branding. MedApps provides technical support for the app, which it hosts in the cloud. MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the service.

Riya is the Privacy Officer at Miraculous, responsible for the practice's compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place. She occasionally assists procurement in vetting vendors and inquiring about their own compliance practices, as well as negotiating the terms of vendor agreements. Riya is currently reviewing the suitability of the MedApps app from a privacy perspective.

Riya has also been asked by the Miraculous Healthcare business operations team to review MedApps' optional benchmarking service. Of particular concern is the requirement that Miraculous Healthcare upload information about the appointments to a portal hosted by MedApps.

Which of the following would accurately describe the relationship of the parties if they enter into a contract for use of the app?



Answer : D

Under the Health Insurance Portability and Accountability Act (HIPAA), entities involved in the handling of protected health information (PHI) are classified as either covered entities or business associates based on their roles and activities.

Definitions Under HIPAA:

Covered Entity (CE):

A healthcare provider, health plan, or healthcare clearinghouse that creates, receives, maintains, or transmits PHI.

Miraculous Healthcare qualifies as a covered entity because it is a medical practice directly providing healthcare services to patients.

Business Associate (BA):

An organization or individual that performs functions, activities, or services involving the use or disclosure of PHI on behalf of a covered entity.

MedApps qualifies as a business associate because it is providing a telehealth app service to Miraculous, which involves hosting and maintaining PHI (e.g., appointment details, patient information).

Analysis of the Relationship:

Miraculous Healthcare: As the healthcare provider, it is responsible for patient care and compliance with HIPAA. Since it directly provides healthcare services to patients, it is the covered entity in this scenario.

MedApps: Although MedApps designed, hosts, and supports the telehealth app, it is providing these services on behalf of Miraculous Healthcare. As such, MedApps is a business associate under HIPAA. This designation requires MedApps to comply with HIPAA regulations through a Business Associate Agreement (BAA), ensuring that it appropriately safeguards the PHI it handles on behalf of Miraculous Healthcare.

Consideration of the Benchmarking Service:

The optional benchmarking service also reinforces MedApps' role as a business associate. Miraculous Healthcare would need to assess whether the PHI uploaded for benchmarking meets HIPAA's minimum necessary standard and that MedApps implements appropriate safeguards for PHI used for benchmarking. The BAA would need to address these specific uses.

Explanation of Options:

A. Miraculous Healthcare would be the covered entity because its name and branding are on the app. MedApps would be a business associate because it is hosting the data that supports the app: While this is close, it oversimplifies the reasoning by focusing solely on branding. The covered entity designation is determined by the healthcare services provided, not just branding.

B. MedApps would be the covered entity because it built and hosts the app and all the data. Miraculous Healthcare would be a business associate because it only provides its brand on the app: This is incorrect because MedApps is not directly providing healthcare services. Hosting and maintaining PHI does not make it a covered entity but rather a business associate.

C. Miraculous Healthcare would be a covered entity because it is the healthcare provider; MedApps would also be a covered entity because the data in the app is being shared with it: This is incorrect because MedApps does not independently provide healthcare services to patients. Its role is solely as a service provider to Miraculous.

D. Miraculous Healthcare would be the covered entity because it is the healthcare provider; MedApps would be a business associate because it is providing a service to support Miraculous: This is the correct answer. Miraculous is the covered entity, and MedApps, by hosting the telehealth app and handling PHI on Miraculous' behalf, is a business associate.

Reference from CIPP/US Materials:

HIPAA Privacy Rule (45 CFR 160.103): Defines covered entities and business associates.

Business Associate Agreements (BAAs): HIPAA requires a BAA between covered entities and business associates to ensure PHI is appropriately protected.

IAPP CIPP/US Certification Textbook: Provides detailed examples of covered entities and business associates, along with their roles and responsibilities under HIPAA.


Question 2

Which of the following is NOT a common challenge large organizations face when implementing data portability?



Answer : D

When implementing data portability, organizations often face significant challenges due to the complexity of managing data transfers. These challenges commonly include concerns about third-party data, technical compatibility for data transmission, and security considerations. However, the technical skillsets available in the transmitting organization are NOT typically identified as a primary challenge, because most organizations have or can acquire the necessary technical expertise through training or by outsourcing.

Explanation of Options:

A. The presence of third-party data in the data to be ported: This is a valid challenge, as the inclusion of third-party data can raise legal and contractual concerns about ownership and transferability.

B. Technically compatible systems for transmission feasibility: Ensuring that data can be transferred between systems in compatible formats is a critical and common challenge.

C. Security considerations in relation to the transfer of the data: Data transfers must be secure to prevent unauthorized access or breaches, making this a valid challenge.

D. The technical skillsets available in the transmitting organization: While technical skills are important, organizations usually have the ability to address this issue through hiring, training, or outsourcing, making this the least common challenge.

Reference from CIPP/US Materials:

IAPP CIPP/US Certification Textbook: Discusses operational challenges related to data portability, including system compatibility, data security, and third-party involvement.

NIST Privacy Framework: Addresses organizational readiness and data transfer risks.


Question 3

The concept of data portability refers to what?



Answer : C

The concept of data portability refers to an individual's right to access and transfer their personal data from one organization to another. It enables individuals to obtain and reuse their personal data for their own purposes across different services. For example, an individual can request their data from one service provider and transfer it to another provider, facilitating competition and giving consumers more control over their data.

This right is commonly associated with General Data Protection Regulation (GDPR) but is becoming more widely discussed in U.S. privacy contexts, such as under the California Consumer Privacy Act (CCPA) and similar state laws. Although the CCPA does not explicitly mention 'data portability,' the concept aligns with its provision that grants individuals the right to access their data in a portable and usable format.

Explanation of Options:

A. The practice of disclosing all the data sources one organization uses to enhance data collection from different social media platforms: This describes a data disclosure practice, not data portability.

B. The technical measures organizations use to empower consumers' control in case data is being transferred to service providers: This refers to technical controls but does not fully capture the essence of data portability.

C. The ability of individuals to obtain and reuse their personal data for their own purposes across different services: This is the correct answer and accurately defines data portability.

D. The ability of individuals to easily change to another similar service provider if fees are unlawfully being raised: While data portability might facilitate switching providers, it is not specifically tied to the issue of unlawful fee increases.

Reference from CIPP/US Materials:

GDPR Article 20: Provides the right to data portability in the EU.

CCPA Section 1798.100: Requires businesses to provide personal data in a readily usable format upon request.

IAPP CIPP/US Certification Textbook: Discusses data portability as part of consumer rights and privacy frameworks.


Question 4

Under GLB



Answer : D

Under the Gramm-Leach-Bliley Act (GLBA), financial institutions are required to provide their customers with an annual privacy notice that explains how they collect, share, and protect customers' personal information. However, the GLBA Privacy Rule (16 CFR Part 313) was amended by the Fixing America's Surface Transportation Act (FAST Act) in 2015, which introduced an exception to this requirement.

According to the FAST Act, financial institutions are not required to provide annual privacy notices if they meet two conditions:

No changes have been made to their privacy policy or practices since the last notice was sent to customers.

The financial institution does not share customers' nonpublic personal information with nonaffiliated third parties in a way that triggers an opt-out requirement under GLBA.

Explanation of Options:

A. An insurance company that has no privacy department: This is irrelevant. The requirement to provide privacy notices depends on whether the organization falls under GLBA's definition of a 'financial institution' and its compliance with privacy practices, not on the presence of a privacy department.

B. An auction house that also acts as a financial institution: If the auction house qualifies as a financial institution under GLBA (e.g., if it arranges financing), it would still need to comply with GLBA privacy requirements, including issuing annual privacy notices unless it qualifies for the exception.

C. A credit union that has made changes to its privacy notice from last year: If any changes are made to the privacy policy, the credit union must issue an updated privacy notice to its customers.

D. A credit union that has not made changes to its privacy notice from last year: This is the correct answer. If the credit union has not made any changes to its privacy notice and meets the FAST Act exception criteria (outlined above), it is not required to issue an annual privacy notice.

Reference from CIPP/US Materials:

GLBA Privacy Rule (16 CFR Part 313): This rule outlines the requirements for financial institutions to provide privacy notices.

FAST Act (2015) Amendment to GLBA Privacy Rule: This amendment introduced exceptions to the annual notice requirement for institutions that meet specific criteria.

IAPP CIPP/US Certification Textbook: Details the conditions under which GLBA exceptions apply and describes how the FAST Act impacted annual privacy notice requirements.


Question 5

SuperMart is a large Nevada-based business that has recently determined it sells what constitutes "covered information" under Nevada's privacy law, Senate Bill 260. Which of the following privacy compliance steps would best help SuperMart comply with the law?



Answer : A

Nevada's privacy law, Senate Bill 260 (SB 260), is an amendment to the existing Nevada Revised Statutes (NRS) Chapter 603A that was enacted in June 2021 and will take effect on October 1, 2021. SB 260 expands the scope and definition of "covered information" under NRS 603A to include any information that identifies, relates to, describes, or is capable of being associated with a consumer, such as name, address, email, phone number, social security number, biometric data, geolocation data, and online identifiers. SB 260 also grants Nevada consumers the right to opt out of the sale of their covered information by an operator of a website or online service that collects and maintains such information.

Under SB 260, an operator is defined as a person who owns or operates a website or online service for commercial purposes, collects and maintains covered information from consumers who reside in Nevada and use or visit the website or online service, and purposefully directs its activities toward Nevada. A sale is defined as the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. However, there are some exceptions to the definition of a sale, such as:

If the consumer has consented to the sale after being provided with clear and conspicuous notice of the sale and the opportunity to opt out.

If the sale is to a person who processes the covered information on behalf of the operator.

If the sale is to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer.

If the sale is to a person for purposes that are consistent with the reasonable expectations of the consumer considering the context in which the consumer provided the covered information to the operator.

If the sale is to a person who is an affiliate of the operator.

If the sale is to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the operator's assets.

To comply with SB 260, an operator that sells covered information must provide a designated request address through which a consumer may submit a verified request to opt out of the sale. The designated request address may be an email address, a toll-free telephone number, or an Internet website. The operator must respond to the verified request within 60 days, and may extend the response period for an additional 30 days if reasonably necessary. The operator must also provide a notice to the consumer that identifies the categories of covered information that the operator collects and the categories of third parties to whom the operator may disclose the covered information.

Therefore, the best privacy compliance step for SuperMart to comply with SB 260 is to provide a mechanism for consumers to opt out of sales, as this is the core requirement of the law. Option A is the correct answer.

Option B is incorrect, as SB 260 does not grant consumers the right to access or delete their covered information, unlike other state privacy laws such as the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act (VCDPA).

Option C is incorrect, as SB 260 does not require operators to provide a notice of financial incentive for any loyalty programs offered to their customers, unlike the CCPA.

Option D is incorrect, as SB 260 does not impose service provider restrictions on the vendors of the operators, unlike the CCPA or the VCDPA.


[IAPP CIPP/US Study Guide], Chapter 10: State Data Security Laws, pp. 229-230.

CIPP/US Practice Questions (Sample Questions), Question 33.

Question 6

Which of the following conditions would NOT be sufficient to excuse an entity from providing breach notification under state law?



Answer : B

Most state breach notification laws require entities to notify affected individuals and/or regulators when there is unauthorized access to or acquisition of personal information that compromises its security, confidentiality, or integrity. However, some states provide exceptions to this requirement under certain conditions, such as:

If the data involved was encrypted or otherwise rendered unreadable or unusable, and the encryption key or other means of access was not compromised. This is based on the assumption that encrypted data is not accessible to unauthorized parties, even if they obtain the data.

If the entity was subject to and complied with another federal or state law that provides similar or greater protection and notification requirements, such as the GLBA Safeguards Rule or the HIPAA Breach Notification Rule. This is to avoid duplication or inconsistency of obligations for entities that are already regulated by other laws.

If the entity conducted a risk assessment and determined that there is no reasonable likelihood of harm to the affected individuals, based on factors such as the nature and extent of the data, the circumstances of the breach, the evidence of misuse, and the ability to mitigate the risk. This is to allow entities to exercise some discretion and judgment in evaluating the potential impact of the breach.

However, none of the state laws provide an exception for the mere access of data without exportation. Access alone is considered a breach that triggers the notification requirement, unless one of the other conditions applies. Therefore, option B is not a sufficient excuse for not providing breach notification under state law.


[IAPP CIPP/US Study Guide], Chapter 9: State Data Security Laws, pp. 209-211.

CIPP/US Practice Questions (Sample Questions), Question 29.

Question 7

In 2011, the FTC announced a settlement with Google regarding its social networking service Google Buzz. The FTC alleged that in the process of launching the service, the company did all of the following EXCEPT?



Answer : D

The FTC alleged that Google violated its own privacy policies, engaged in deceptive trade practices, and failed to comply with Safe Harbor principles when it launched Google Buzz, a social networking service that automatically enrolled Gmail users and exposed their email contacts and other personal information without their consent or control. The FTC did not allege that Google failed to employ sufficient security safeguards, although it did require Google to implement a comprehensive privacy program and submit to regular privacy audits as part of the settlement. The other options describe allegations the FTC did make, and so are not the exception:

A. Violated its own privacy policies: The FTC alleged that Google violated its own privacy policies by using information collected from Gmail users for a purpose that was incompatible with the purpose for which the information was collected, without obtaining their affirmative consent. Google's privacy policy stated that 'When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.' [1]

B. Engaged in deceptive trade practices: The FTC alleged that Google engaged in deceptive trade practices by misrepresenting the extent to which consumers could exercise control over the collection, use, and sharing of their personal information through Google Buzz. For example, Google offered consumers the option to decline or turn off Google Buzz, but the option was ineffective and did not fully remove the consumer from the social network. Google also misled consumers about how their email contacts would be treated on Google Buzz, and failed to disclose that certain information, such as the user's frequent email contacts, would be made public by default. [1]

C. Failed to comply with Safe Harbor principles: The FTC alleged that Google failed to comply with the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data from the European Union to the United States in a way that meets EU data protection requirements. Google had self-certified to the Department of Commerce that it adhered to the Safe Harbor Privacy Principles, which include notice, choice, access, and enforcement. The FTC alleged that Google's conduct violated the notice and choice principles, as well as the requirement to adhere to the Safe Harbor FAQs. [1]

References:

[1] FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network

Google, Inc., In the Matter of

Google settles with FTC over Buzz; Privacy policies to be audited for two decades

Google Settles FTC Complaint over Google Buzz Privacy

