Question 1

A covered entity suffers a ransomware attack that affects the personal health information (PHI) of more than 500 individuals. According to Federal law under HIPAA, which of the following would the covered entity NOT have to report the breach to?

Options :

A : Department of Health and Human Services

B : The affected individuals

C : The local media

D : Medical providers

Answer: D

Question 2

SCENARIO

Please use the following to answer the next QUESTION

Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend

Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of

security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard

against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission,

Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She

intends to read applicants’ postings on social media, ask QUESTION NO:s about drug addiction, and solicit

character references. Felicia believes that if potential employees are serious about becoming part of a dynamic

new business, they will readily agree to these requirements.

Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to

prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check

the company vehicle’s GPS for locations visited by employees. She also believes that employees who use their

own devices for work-related purposes should agree to a certain amount of supervision.

Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that

many types of background checks are not allowed under California law. Her friend Celeste thinks these

worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results.

Nor does Celeste share Felicia’s concern about state breach notification laws, which, she claims, would be

costly to implement even on a minor scale. Celeste believes that

even if the business grows a customer database of a few thousand, it’s unlikely that a state agency would

hassle an honest business if an accidental security incident were to occur.

In any case, Celeste feels that all they need is common sense – like remembering to tear up sensitive

documents before throwing them in the recycling bin. Felicia hopes that she’s right, and that all of her

concerns will be put to rest next month when their new business consultant (who is also a privacy

professional) arrives from North Carolina.

Based on Felicia’s Bring Your Own Device (BYOD) plan, the business consultant will most likely advise

Felicia and Celeste to do what?

Options :

A : Reconsider the plan in favor of a policy of dedicated work devices.

B : Adopt the same kind of monitoring policies used for work-issued devices.

C : Weigh any productivity benefits of the plan against the risk of privacy issues.

D : Make employment decisions based on those willing to consent to the plan in writing.

Answer: D

Question 3

Which of the following best describes an employer’s privacy-related responsibilities to an employee who has

left the workplace?

Options :

A :

An employer has a responsibility to maintain a former employee’s access to computer systems and

company data needed to support claims against the company such as discrimination.

B :

An employer has a responsibility to permanently delete or expunge all sensitive employment records to

minimize privacy risks to both the employer and former employee.

C :

An employer may consider any privacy-related responsibilities terminated, as the relationship between

employer and employee is considered primarily contractual.

D :

An employer has a responsibility to maintain the security and privacy of any sensitive employment

records retained for a legitimate business purpose.

Answer: B

Question 4

Acme Student Loan Company has developed an artificial intelligence algorithm that determines whether an

individual is likely to pay their bill or default. A person who is determined by the algorithm to be more likely

to default will receive frequent payment reminder calls, while those who are less likely to default will not

receive payment reminders.

Which of the following most accurately reflects the privacy concerns with Acme Student Loan Company using

artificial intelligence in this manner?

Options :

A :

If the algorithm uses risk factors that impact the automatic decision engine. Acme must ensure that the

algorithm does not have a disparate impact on protected classes in the output.

B :

If the algorithm makes automated decisions based on risk factors and public information, Acme need not

determine if the algorithm has a disparate impact on protected classes.

C :

If the algorithm’s methodology is disclosed to consumers, then it is acceptable for Acme to have a

disparate impact on protected classes.

D :

If the algorithm uses information about protected classes to make automated decisions, Acme must

ensure that the algorithm does not have a disparate impact on protected classes in the output.

Answer: B

Question 5

What privacy concept grants a consumer the right to view and correct errors on his or her credit report?

Options :

A : Access.

B : Notice.

C : Action.

D : Choice.

Answer: B

Confidently Practice Online with Free CIPP-C Exam Cram

Buying Options: