IAPP CIPP-US Certified Information Privacy Professional/United States (CIPP/US) Online Training

Question #41

What are banks required to do under the Gramm-Leach-Bliley Act (GLBA)?

A . Conduct annual consumer surveys regarding satisfaction with user preferences
B . Process requests for changes to user preferences within a designated time frame
C . Provide consumers with the opportunity to opt out of receiving telemarketing phone calls
D . Offer an Opt-Out before transferring PI to an unaffiliated third party for the latter’s own use

Question #42

SCENARIO

Please use the following to answer the next QUESTION:

Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital.

He has also started a program to become a registered nurse.

Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients’ Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.

On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.

He was also curious about the hospital’s use of a billing company. He questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients’ care.

On his first day Declan became familiar with all areas of the hospital’s large radiology department. As he was organizing equipment left in the halfway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.

Despite Declan’s concern about this issue, he was amazed by the hospital’s effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.

Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.

In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.

Although Declan’s day ended with many Questions, he was pleased about his new position.

What is the most likely way that Declan might directly violate the Health Insurance Portability and Accountability Act (HIPAA)?

A . By being present when patients are checking in
B . By speaking to a patient without prior authorization
C . By ignoring the conversation about a potential breach
D . By following through with his plans for his upcoming paper

Reveal Solution Hide Solution

Question #43

SCENARIO

Please use the following to answer the next QUESTION:

Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital.

He has also started a program to become a registered nurse.

Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients’ Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.

On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.

He was also curious about the hospital’s use of a billing company. He Questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients’ care.

On his first day Declan became familiar with all areas of the hospital’s large radiology department. As he was organizing equipment left in the halfway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.

Despite Declan’s concern about this issue, he was amazed by the hospital’s effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.

Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.

In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.

Although Declan’s day ended with many Questions, he was pleased about his new position.

How can the radiology department address Declan’s concern about paper waste and still comply with the Health Insurance Portability and Accountability Act (HIPAA)?

A . State the privacy policy to the patient verbally
B . Post the privacy notice in a prominent location instead
C . Direct patients to the correct area of the hospital website
D . Confirm that patients are given the privacy notice on their first visit

Reveal Solution Hide Solution

Question #44

SCENARIO

Please use the following to answer the next QUESTION:

Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital.

He has also started a program to become a registered nurse.

Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients’ Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.

On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.

He was also curious about the hospital’s use of a billing company. He Questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients’ care.

On his first day Declan became familiar with all areas of the hospital’s large radiology department. As he was organizing equipment left in the halfway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.

Despite Declan’s concern about this issue, he was amazed by the hospital’s effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.

Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.

In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.

Although Declan’s day ended with many Questions, he was pleased about his new position.

Based on the scenario, what is the most likely way Declan’s supervisor would answer his question about the hospital’s use of a billing company?

A . By suggesting that Declan look at the hospital’s publicly posted privacy policy
B . By assuring Declan that third parties are prevented from seeing Private Health Information (PHI)
C . By pointing out that contracts are in place to help ensure the observance of minimum security standards
D . By describing how the billing system is integrated into the hospital’s electronic health records (EHR) system

Reveal Solution Hide Solution

Question #45

Which entities must comply with the Telemarketing Sales Rule?

A . For-profit organizations and for-profit telefunders regarding charitable solicitations
B . Nonprofit organizations calling on their own behalf
C . For-profit organizations calling businesses when a binding contract exists between them
D . For-profit and not-for-profit organizations when selling additional services to establish customers

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as "a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call."1 The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services. The TSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry.2

The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged in telemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services. However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.3

Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions.

Reference: 1: eCFR :: 16 CFR Part 310 C Telemarketing Sales Rule3, Section 310.22: Telemarketing Sales Rule | Federal Trade Commission1, Rule Summary3: Complying with the Telemarketing Sales Rule – Federal Trade Commission2, Exemptions to the TSR.

Question #46

Under the Telemarketing Sales Rule, what characteristics of consent must be in place for an organization to acquire an exception to the Do-Not-Call rules for a particular consumer?

A . The consent must be in writing, must state the times when calls can be made to the consumer and must be signed
B . The consent must be in writing, must contain the number to which calls can be made and must have an end date
C . The consent must be in writing, must contain the number to which calls can be made and must be signed
D . The consent must be in writing, must have an end data and must state the times when calls can be made

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as "a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call."1 The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services. The TSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry.2

The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged in telemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services. However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.3

Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding

charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions.

Reference: 1: eCFR:: 16 CFR Part 310 C Telemarketing Sales Rule3, Section 310.22: Telemarketing Sales Rule | Federal Trade Commission1, Rule Summary3: Complying with the Telemarketing Sales Rule – Federal Trade Commission2, Exemptions to the TSR.

Question #47

When does the Telemarketing Sales Rule require an entity to share a do-not-call request across its organization?

A . When the operational structures of its divisions are not transparent
B . When the goods and services sold by its divisions are very similar
C . When a call is not the result of an error or other unforeseen cause
D . When the entity manages user preferences through multiple platforms

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The Telemarketing Sales Rule (TSR) is a federal regulation that implements the Telemarketing and Consumer Fraud and Abuse Prevention Act of 1994. The TSR aims to protect consumers from deceptive or abusive telemarketing practices, such as unwanted calls, false or misleading claims, unauthorized billing, and privacy violations1.

The TSR requires telemarketers and sellers to comply with the National Do Not Call Registry, which is a list of phone numbers of consumers who have indicated that they do not want to receive telemarketing calls2.

The TSR also requires telemarketers and sellers to honor the do-not-call requests of individual consumers, regardless of whether their numbers are on the National Do Not Call Registry or not2.

A do-not-call request is a statement made by a consumer, either orally or in writing, that they do not wish to receive any more calls from a specific telemarketer or seller2.

The TSR requires an entity to share a do-not-call request across its organization when the operational structures of its divisions are not transparent to consumers3. This means that the entity must treat the do-not-call request as if it applies to all of its affiliates and subsidiaries that engage in telemarketing, unless the consumer would reasonably expect them to be separate and distinct entities based on their names, products, or services3.

The TSR does not require an entity to share a do-not-call request across its organization in the following situations:

When the goods and services sold by its divisions are very similar. This is not a relevant factor for determining whether the entity must share a do-not-call request across its organization. The key factor is whether the consumers can distinguish between the different divisions based on their operational structures3.

When a call is not the result of an error or other unforeseen cause. This is not an exception to the requirement to honor a do-not-call request. The TSR prohibits telemarketers and sellers from calling a consumer who has made a do-not-call request, unless the call falls under one of the specific exemptions, such as calls from or on behalf of tax-exempt nonprofit organizations, calls to consumers with whom the seller has an established business relationship, or calls to consumers who have given

prior express written consent2.

When the entity manages user preferences through multiple platforms. This is not an excuse for not sharing a do-not-call request across its organization. The TSR requires telemarketers and sellers to maintain an internal do-not-call list of consumers who have asked them not to call again, and to update the list at least once every 31 days2. The entity must ensure that the do-not-call request is recorded and communicated across all of its platforms that are used for telemarketing purposes3.

Reference: 1: Telemarketing Sales Rule 2: Q&A for Telemarketers & Sellers About DNC Provisions in TSR 3: Federal Register:: Telemarketing Sales Rule

Question #48

Within what time period must a commercial message sender remove a recipient’s address once they have asked to stop receiving future e-mail?

A . 7 days
B . 10 days
C . 15 days
D . 21 days

Reveal Solution Hide Solution

Question #49

A student has left high school and is attending a public postsecondary institution.

Under what condition may a school legally disclose educational records to the parents of the student without consent?

A . If the student has not yet turned 18 years of age
B . If the student is in danger of academic suspension
C . If the student is still a dependent for tax purposes
D . If the student has applied to transfer to another institution

Reveal Solution Hide Solution

Question #50

In what way does the “Red Flags Rule” under the Fair and Accurate Credit Transactions Act (FACTA) relate to the owner of a grocery store who uses a money wire service?

A . It mandates the use of updated technology for securing credit records
B . It requires the owner to implement an identity theft warning system
C . It is not usually enforced in the case of a small financial institution
D . It does not apply because the owner is not a creditor

Reveal Solution Hide Solution