Question 1

A covered entity suffers a ransomware attack that affects the personal health information (PHI) of more than 500 individuals. According to Federal law under HIPAA, which of the following would the covered entity NOT have to report the breach to?

Options :

A : Department of Health and Human Services

B : The affected individuals

C : The local media

D : Medical providers

Answer: D

Question 2

Which entities must comply with the Telemarketing Sales Rule?

Options :

A : For-profit organizations and for-profit telefunders regarding charitable solicitations

B : Nonprofit organizations calling on their own behalf

C : For-profit organizations calling businesses when a binding contract exists between them

D : For-profit and not-for-profit organizations when selling additional services to establish customers

Answer: D

Question 3

Read this notice:

Our website uses cookies. Cookies allow us to identify the computer or device you’re using to access the site,

but they don’t identify you personally. For instructions on setting your Web browser to refuse cookies, click

here.

What type of legal choice does not notice provide?

Options :

A : Mandatory

B :

Implied consent

C :

Opt-in

D :

Opt-out

Answer: B

Question 4

SCENARIO

Please use the following to answer the next QUESTION

Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend

Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of

security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard

against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission,

Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She

intends to read applicants’ postings on social media, ask QUESTION NO:s about drug addiction, and solicit

character references. Felicia believes that if potential employees are serious about becoming part of a dynamic

new business, they will readily agree to these requirements.

Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to

prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check

the company vehicle’s GPS for locations visited by employees. She also believes that employees who use their

own devices for work-related purposes should agree to a certain amount of supervision.

Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that

many types of background checks are not allowed under California law. Her friend Celeste thinks these

worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results.

Nor does Celeste share Felicia’s concern about state breach notification laws, which, she claims, would be

costly to implement even on a minor scale. Celeste believes that

even if the business grows a customer database of a few thousand, it’s unlikely that a state agency would

hassle an honest business if an accidental security incident were to occur.

In any case, Celeste feels that all they need is common sense – like remembering to tear up sensitive

documents before throwing them in the recycling bin. Felicia hopes that she’s right, and that all of her

concerns will be put to rest next month when their new business consultant (who is also a privacy

professional) arrives from North Carolina.

Based on Felicia’s Bring Your Own Device (BYOD) plan, the business consultant will most likely advise

Felicia and Celeste to do what?

Options :

A : Reconsider the plan in favor of a policy of dedicated work devices.

B : Adopt the same kind of monitoring policies used for work-issued devices.

C : Weigh any productivity benefits of the plan against the risk of privacy issues.

D : Make employment decisions based on those willing to consent to the plan in writing.

Answer: D

Question 5

Acme Student Loan Company has developed an artificial intelligence algorithm that determines whether an

individual is likely to pay their bill or default. A person who is determined by the algorithm to be more likely

to default will receive frequent payment reminder calls, while those who are less likely to default will not

receive payment reminders.

Which of the following most accurately reflects the privacy concerns with Acme Student Loan Company using

artificial intelligence in this manner?

Options :

A :

If the algorithm uses risk factors that impact the automatic decision engine. Acme must ensure that the

algorithm does not have a disparate impact on protected classes in the output.

B :

If the algorithm makes automated decisions based on risk factors and public information, Acme need not

determine if the algorithm has a disparate impact on protected classes.

C :

If the algorithm’s methodology is disclosed to consumers, then it is acceptable for Acme to have a

disparate impact on protected classes.

D :

If the algorithm uses information about protected classes to make automated decisions, Acme must

ensure that the algorithm does not have a disparate impact on protected classes in the output.

Answer: B

Smartly Prepare Exam with Free Online CIPP-C Practice Test

Buying Options: