Question 1

In 2012, the White House and the FTC both issued reports advocating a new approach to privacy enforcement that can best be described as what?

Accepted Answer

C

Explanation: In 2012, the White House released a report titled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”, which proposed a Consumer Privacy Bill of Rights based on the Fair Information Practice Principles (FIPPs). The report called for a comprehensive privacy framework that would apply to all commercial sectors and all personal data, regardless of the technology or business model involved. The report also urged Congress to enact legislation to implement the framework and empower the FTC to enforce it. Similarly, the FTC released a report titled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”, which outlined a set of best practices for businesses to protect consumer privacy and foster innovation. The report also advocated for a comprehensive privacy framework that would cover both online and offline data, and apply to all entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or device. The report also recommended that Congress consider enacting baseline privacy legislation and giving the FTC rulemaking authority to implement it. Therefore, both reports can be described as advocating a comprehensive approach to privacy enforcement, rather than a harm- based, self-regulatory, or notice and choice approach. Reference: White House Report, FTC Report, IAPP CIPP/US Study Guide (p. 31-32)

Question 2

What is an exception to the Electronic Communications Privacy Act of 1986 ban on interception of wire, oral and electronic communications?

Accepted Answer

A

Explanation: The Electronic Communications Privacy Act of 1986 (ECPA) is a federal law that regulates the privacy of wire, oral, and electronic communications. The ECPA prohibits the intentional interception, use, or disclosure of such communications, unless authorized by law or by the consent of one of the parties to the communication12. The ECPA also provides exceptions for certain types of communications, such as those made in the normal course of business, those made for law enforcement purposes, or those made for foreign intelligence purposes12. One of the exceptions to the ECPA ban on interception is where one of the parties has given consent. This means that if a person who is a party to a communication agrees to have it intercepted, the interception is lawful under the ECPA. Consent can be express or implied, depending on the circumstances and the expectations of the parties3. For example, if a person calls a customer service line and hears a recorded message that the call may be monitored or recorded, the person has impliedly consented to the interception of the call. However, if a person calls a friend and does not know that the friend has a third party listening in on the call, the person has not consented to the interception of the call. Reference: 1: Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510-2523 2: [IAPP CIPP/US Study Guide], Chapter 8, Section 8.2.1. 3: [Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations], pp. 77-78.

Question 3

Which jurisdiction must courts have in order to hear a particular case?

Accepted Answer

C

Explanation: In order for a court to hear a case, it must have both personal jurisdiction and subject matter jurisdiction. Personal jurisdiction refers to the authority of a court over the parties to a case, while subject matter jurisdiction refers to the authority of a court to hear a particular type of case. For example, a federal court may have subject matter jurisdiction over a case involving a federal law, but it may not have personal jurisdiction over a defendant who has no contacts with the state where the court is located. Similarly, a state court may have personal jurisdiction over a resident of the state, but it may not have subject matter jurisdiction over a case involving a foreign treaty. Reference: [IAPP CIPP/US Study Guide], Chapter 2: Introduction to U.S. Law, p. 25-26; Wex Legal Dictionary, Subject Matter Jurisdiction and Personal Jurisdiction.

Question 4

Which of the following is an important implication of the Dodd-Frank Wall Street Reform and Consumer Protection Act?

Accepted Answer

B

Explanation: The Dodd-Frank Act created the Consumer Financial Protection Bureau (CFPB) as an independent agency within the Federal Reserve System. The CFPB has the authority to regulate consumer financial products and services, such as mortgages, credit cards, student loans, and payday loans. One of the main objectives of the CFPB is to promote transparency, fairness, and consumer choice in the financial marketplace. The CFPB has issued rules and guidance to require financial institutions to provide clear and accurate information to consumers about the costs, risks, and benefits of their products and services. The CFPB also has the power to enforce consumer protection laws and prohibit unfair, deceptive, or abusive acts or practices by financial institutions123 Reference: 1: Dodd-Frank Wall Street Reform and Consumer Protection Act, Title X, Subtitle A, Section 1011. 2: Consumer Financial Protection Bureau, Wikipedia. 3: Dodd-Frank Act: What It Does, Major Components, and Criticisms, Investopedia.

Question 5

All of the following organizations are specified as covered entities under the Health Insurance Portability and Accountability Act (HIPAA) EXCEPT?

Accepted Answer

C

Explanation: The Privacy Act of 1974 is a federal law that regulates the collection, use, and disclosure of personal information by federal agencies. The Privacy Act of 1974 applies to records that are maintained in a system of records, which is defined as a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual. The Privacy Act of 1974 grants individuals the right to access and amend their records, and requires agencies to provide notice of their systems of records, establish safeguards for the protection of the records, and limit the disclosure of the records to certain authorized purposes. The Privacy Act of 1974 also establishes civil and criminal penalties for violations of the law, such as unauthorized disclosure, failure to publish a notice, or refusal to grant access or amendment. The Privacy Act of 1974 does NOT require agencies to obtain the consent of the individual before collecting their personal information. However, the Privacy Act of 1974 does require agencies to inform the individual of the authority for the collection, the purpose and use of the collection, and the effects of not providing the information. Reference: : [Overview of the Privacy Act of 1974]

Question 6

SCENARIO
Please use the following to answer the next QUESTION:
Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital.
He has also started a program to become a registered nurse.
Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and
Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients’
Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.
On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient
a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning
patients, and if the radiology department could reduce paper waste through a system of one-time
distribution.
He was also curious about the hospital’s use of a billing company. He questioned whether the
hospital was doing all it could to protect the privacy of its patients if the billing company had details
about patients’ care.
On his first day Declan became familiar with all areas of the hospital’s large radiology department. As
he was organizing equipment left in the halfway, he overheard a conversation between two hospital
administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient
information was missing. The administrators expressed relief that the hospital would be able to avoid
liability. Declan was surprised, and wondered whether the hospital had plans to properly report what
had happened.
Despite Declan’s concern about this issue, he was amazed by the hospital’s effort to integrate
Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential
for streamlining care even more if they were accessible to all medical facilities nationwide.
Declan had many positive interactions with patients. At the end of his first day, he spoke to one
patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was
about to get blood work done, and he feared that the blood work could reveal a genetic
predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told
John that he did not think that was possible, but the patient was wheeled away before he could
explain why. John plans to ask a colleague about this.
In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he
will have had many interactions with patients he can use as examples. He will be pleased to give
credit to John by name for inspiring him to think more carefully about genetic testing.
Although Declan’s day ended with many Questions, he was pleased about his new position.
What is the most likely way that Declan might directly violate the Health Insurance Portability and
Accountability Act (HIPAA)?

Accepted Answer

D

Explanation: Declan might directly violate the HIPAA Privacy Rule by using John’s name and personal health information (PHI) in his paper without his written authorization. The Privacy Rule protects the confidentiality of PHI that is created, received, maintained, or transmitted by a covered entity or its business associate. PHI includes any information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual1. Declan, as a nursing assistant, is part of the covered entity’s workforce and must comply with the Privacy Rule. He cannot disclose John’s PHI to anyone, including his classmates or instructors, without John’s authorization or a valid exception under the Privacy Rule. Even if he does not use John’s full name, he may still reveal enough information to make John identifiable, such as his diagnosis, his father’s condition, or his location. This would be an impermissible use and disclosure of PHI, and a potential HIPAA violation. Declan should either obtain John’s written authorization to use his PHI in his paper, or de-identify the information according to the Privacy Rule’s standards2. Reference: Summary of the HIPAA Privacy Rule Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

Question 7

What is the main reason some supporters of the European approach to privacy are skeptical about self- regulation of privacy practices?

Accepted Answer

B

Explanation: The European approach to privacy is based on the recognition of privacy as a fundamental human right that requires strong legal protection and oversight. The EU has adopted comprehensive and binding privacy laws, such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive, that apply to all sectors and activities involving personal data. The EU also has independent data protection authorities (DPAs) that monitor and enforce compliance with the privacy laws, and a European Data Protection Board (EDPB) that issues guidance and opinions on privacy matters. The EU also requires adequate levels of privacy protection for personal data transferred to third countries or international organizations. In contrast, the U.S. approach to privacy is based on a sectoral and self-regulatory model that relies on a combination of federal and state laws, industry codes of conduct, consumer education, and market forces. The U.S. does not have a single, comprehensive, and enforceable federal privacy law that covers all sectors and activities involving personal data. Instead, the U.S. has a patchwork of federal and state laws that address specific issues or sectors, such as health, financial, children’s, and electronic communications privacy. The U.S. also has various federal and state agencies that share jurisdiction over privacy matters, such as the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and the Department of Health and Human Services (HHS). The U.S. also relies on self-regulation by industries that develop and adhere to voluntary codes of conduct, standards, and best practices for privacy. The U.S. also allows personal data to be transferred to third countries or international organizations without requiring adequate levels of privacy protection, as long as the data subjects have given their consent or the transfer is covered by a mechanism such as the Privacy Shield or the Standard Contractual Clauses. Some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices because they believe that self-regulation is not effective, consistent, or accountable enough to protect the rights and interests of data subjects. They argue that self-regulation may not provide sufficient incentives or sanctions for industries to comply with privacy rules, or to adopt privacy- enhancing technologies and practices. They also contend that self-regulation may not reflect the views and expectations of data subjects, or address the emerging and complex privacy challenges posed by new technologies and business models. They also question the transparency and legitimacy of self-regulation, and the ability of data subjects to exercise their rights and seek redress for privacy violations. Reference: IAPP CIPP/US Study Guide, Chapter 1: Introduction to the U.S. Privacy Environment, pp. 9-10, 16-17 IAPP website, CIPP/US Certification NICCS website, Certified Information Privacy Professional/United States (CIPP/US) Training

Question 8

Which of the following became the first state to pass a law specifically regulating the practices of data brokers?

Accepted Answer

D

Explanation: According to the web search results from my predefined tool, Vermont became the first state to pass a law specifically regulating the practices of data brokers in 2018. The law defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” The law requires data brokers to register with the Secretary of State, pay a registration fee, provide information about their data collection and opt-out practices, and implement security measures to protect the personal information they collect and sell. The law also imposes additional obligations on data brokers that possess the personal information of minors. The law aims to increase the transparency and accountability of the data broker industry and to protect the privacy rights of consumers12. Reference: Registered Data Brokers in the United States: 2021 | Privacy Rights … Am I A Data Broker?: A Quick Primer on State Laws Regulating a … - Taft

Question 9

SCENARIO
Please use the following to answer the next QUESTION:
Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital.
He has also started a program to become a registered nurse.
Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and
Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients’
Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.
On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient
a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning
patients, and if the radiology department could reduce paper waste through a system of one-time
distribution.
He was also curious about the hospital’s use of a billing company. He questioned whether the
hospital was doing all it could to protect the privacy of its patients if the billing company had details
about patients’ care.
On his first day Declan became familiar with all areas of the hospital’s large radiology department. As
he was organizing equipment left in the halfway, he overheard a conversation between two hospital
administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient
information was missing. The administrators expressed relief that the hospital would be able to avoid
liability. Declan was surprised, and wondered whether the hospital had plans to properly report what
had happened.
Despite Declan’s concern about this issue, he was amazed by the hospital’s effort to integrate
Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential
for streamlining care even more if they were accessible to all medical facilities nationwide.
Declan had many positive interactions with patients. At the end of his first day, he spoke to one
patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was
about to get blood work done, and he feared that the blood work could reveal a genetic
predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told
John that he did not think that was possible, but the patient was wheeled away before he could
explain why. John plans to ask a colleague about this.
In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he
will have had many interactions with patients he can use as examples. He will be pleased to give
credit to John by name for inspiring him to think more carefully about genetic testing.
Although Declan’s day ended with many Questions, he was pleased about his new position.
What is the most likely way that Declan might directly violate the Health Insurance Portability and
Accountability Act (HIPAA)?

Accepted Answer

C

Explanation: Data classification systematically categorizes information based on sensitivity and importance to determine its level of confidentiality. This process helps apply appropriate security and compliance measures to ensure each category receives proper protection1. This process also helps to identify which personal data is subject to specific GDPR requirements, such as obtaining explicit consent from data subjects, or notifying data subjects in the event of a data breach2. By classifying data, Cheryl can also make more informed decisions about where to store the information on her computer system and the nature of controls that are required based on classification3. This way, she can protect her customers’ privacy while maintaining the highest level of service. Reference: Data Classification for GDPR Explained A guide to data classification: confidential data vs. sensitive data vs. public information Why Is Data Classification Important?

Question 10

When may a financial institution share consumer information with non-affiliated third parties for marketing purposes?

Accepted Answer

C

Explanation: According to the Gramm-Leach-Bliley Act (GLBA) and its implementing Regulation P, a financial institution may share consumer information with non-affiliated third parties for marketing purposes only after disclosing its information-sharing practices to customers and after giving them an opportunity to opt out of such sharing. The GLBA defines a customer as a consumer who has a continuing relationship with a financial institution that provides one or more financial products or services to be used primarily for personal, family, or household purposes. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative. A non-affiliated third party is any person except a financial institution’s affiliate or a person employed jointly by a financial institution and a company that is not the financial institution’s affiliate. An affiliate is any company that controls, is controlled by, or is under common control with another company. The GLBA requires that a financial institution provide a privacy notice to customers: (i) at the time of establishing the customer relationship; (ii) annually during the continuation of the customer relationship; and (iii) before disclosing any nonpublic personal information (NPI) about the customer to any non-affiliated third party, unless an exception applies. The privacy notice must describe the categories of NPI that the financial institution collects and discloses; the categories of affiliates and non-affiliated third parties to whom the financial institution discloses NPI; the categories of NPI disclosed to service providers and joint marketers; the policies and practices with respect to protecting the confidentiality and security of NPI; and the disclosures of NPI to which the customer has a right to opt out. The financial institution must also provide a reasonable means for the customer to opt out of the disclosure of NPI to non-affiliated third parties, such as a check-off box, a reply form, or a toll-free telephone number. The opt-out notice must be clear and conspicuous, and must state that the customer can opt out at any time. The opt-out notice must also explain how the customer can opt out, and the effect of opting out. The financial institution must honor the customer’s opt-out direction as soon as reasonably practicable after receiving it, and must not disclose any NPI to which the opt-out applies, unless an exception applies. The GLBA provides several exceptions to the opt-out requirement, such as when the disclosure of NPI is necessary to effect, administer, or enforce a transaction requested or authorized by the customer; when the disclosure of NPI is required or permitted by law; when the disclosure of NPI is to a consumer reporting agency in accordance with the Fair Credit Reporting Act; or when the disclosure of NPI is to a person that performs marketing services on behalf of the financial institution or on behalf of the financial institution and another financial institution under a joint marketing agreement. A joint marketing agreement is a formal written contract between a financial institution and any other person under which the parties agree to offer, endorse, or sponsor a financial product or service. The joint marketing agreement must prohibit the other person from using or disclosing the NPI for any purpose other than offering, endorsing, or sponsoring the financial product or service covered by the agreement. The GLBA also requires that a financial institution provide a privacy notice to consumers who are not customers before disclosing any NPI about the consumer to any non-affiliated third party, unless an exception applies. The financial institution does not need to provide an opt-out notice to consumers who are not customers, unless it has a customer relationship with them. However, if the financial institution establishes a customer relationship with a consumer who was previously not a customer, it must provide a privacy notice and an opt-out notice to the customer as described above. Reference: Guide to the Gramm–Leach–Bliley Act GLBA or FCRA? Data Sharing Between Affiliates and Non-Affiliates Existing Privacy Laws Already Regulate Information Sharing Why Do Banks Share Your Financial Information and Are They Allowed To? [IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 5, pages 161-165.

Question 11

SCENARIO
Please use the following to answer the next QUESTION:
Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital.
He has also started a program to become a registered nurse.
Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and
Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients’
Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.
On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient
a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning
patients, and if the radiology department could reduce paper waste through a system of one-time
distribution.
He was also curious about the hospital’s use of a billing company. He questioned whether the
hospital was doing all it could to protect the privacy of its patients if the billing company had details
about patients’ care.
On his first day Declan became familiar with all areas of the hospital’s large radiology department. As
he was organizing equipment left in the halfway, he overheard a conversation between two hospital
administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient
information was missing. The administrators expressed relief that the hospital would be able to avoid
liability. Declan was surprised, and wondered whether the hospital had plans to properly report what
had happened.
Despite Declan’s concern about this issue, he was amazed by the hospital’s effort to integrate
Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential
for streamlining care even more if they were accessible to all medical facilities nationwide.
Declan had many positive interactions with patients. At the end of his first day, he spoke to one
patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was
about to get blood work done, and he feared that the blood work could reveal a genetic
predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told
John that he did not think that was possible, but the patient was wheeled away before he could
explain why. John plans to ask a colleague about this.
In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he
will have had many interactions with patients he can use as examples. He will be pleased to give
credit to John by name for inspiring him to think more carefully about genetic testing.
Although Declan’s day ended with many Questions, he was pleased about his new position.
What is the most likely way that Declan might directly violate the Health Insurance Portability and
Accountability Act (HIPAA)?

Accepted Answer

A

Explanation: Larry has a misconception about the applicability of federal law to private-sector employee rights. He believes that the U.S. Constitution protects American workers from various forms of discrimination, harassment, and invasion of privacy by their employers. However, the U.S. Constitution only applies to government actions, not private actions, unless there is a specific federal statute that extends constitutional protections to the private sector1. For example, the Civil Rights Act of 1964 prohibits discrimination on the basis of race, color, religion, sex, or national origin by private employers2. The Electronic Communications Privacy Act of 1986 regulates the interception and disclosure of electronic communications by private parties3. The CAN-SPAM Act of 2003 sets the rules for commercial email and gives recipients the right to opt out of receiving unwanted messages4. These are examples of federal laws that apply to private-sector employees, but they do not cover all the situations that Larry faces at SunriseLynx. For instance, there is no federal law that protects private- sector employees from political discrimination or from having their personal mail opened by their employers. Larry may have to rely on state laws or common law torts to seek redress for these violations of his rights. Reference: 1: Private Sector vs. Public Sector Employee Rights2: [Civil Rights Act of 1964 - Wikipedia] 3: [Electronic Communications Privacy Act - Wikipedia] 4: CAN-SPAM Act: A Compliance Guide for Business : IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Federal Trade Commission and Consumer Privacy, p. 141-142

Question 12

How did the Fair and Accurate Credit Transactions Act (FACTA) amend the Fair Credit Reporting Act (FCRA)?

Accepted Answer

B

Explanation: FACTA added a new section to the FCRA that requires any person who maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose, to properly dispose of any such information or compilation. The purpose of this provision is to reduce the risk of identity theft and other consumer harm resulting from improper disposal of consumer information. The FTC and other federal agencies have issued rules implementing this provision, which specify the reasonable measures that covered entities must take to ensure secure disposal of consumer information, such as burning, pulverizing, shredding, erasing, or otherwise modifying the information to make it unreadable or indecipherable (16 CFR § 682.3). Reference: 1, 2, 3

Question 13

Which federal act does NOT contain provisions for preempting stricter state laws?

Accepted Answer

D

Explanation: The federal act that does NOT contain provisions for preempting stricter state laws is the Telemarketing Consumer Protection and Fraud Prevention Act1. This act authorizes the Federal Trade Commission (FTC) to establish and enforce rules for telemarketing practices, such as the Do Not Call Registry, the prohibition of robocalls, and the disclosure of material information2. However, the act also explicitly states that it does not "annul, alter, or affect, or exempt any person subject to the provisions of this section from complying with, the laws of any State with respect to telemarketing practices, except to the extent that those laws are inconsistent with any provision of this section, and then only to the extent of the inconsistency"1. This means that states can enact and enforce their own laws regarding telemarketing, as long as they are not less protective than the federal law. In contrast, the other three acts listed in the question do contain preemption clauses that limit or override the authority of states to regulate certain aspects of electronic communications, online privacy, and credit transactions345. Reference: 1: Telemarketing Consumer Protection and Fraud Prevention Act2: Telemarketing Sales Rule | Federal Trade Commission3: CAN-SPAM Act: A Compliance Guide for Business4: Children’s Online Privacy Protection Rule (“COPPA”) | Federal Trade Commission5: Fair and Accurate Credit Transactions Act of 2003 - Wikipedia : IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Federal Trade Commission and Consumer Privacy, p. 144-145, 149-150, 154-155

Question 14

Which of the following types of information would an organization generally NOT be required to disclose to law enforcement?

Accepted Answer

D

Explanation: The HIPAA Privacy Rule generally prohibits covered entities and business associates from disclosing protected health information (PHI) to law enforcement without the individual’s authorization, unless one of the exceptions in 45 CFR § 164.512 applies. These exceptions include disclosures required by law, disclosures for law enforcement purposes, disclosures about victims of abuse, neglect or domestic violence, disclosures for health oversight activities, disclosures for judicial and administrative proceedings, disclosures for research purposes, disclosures to avert a serious threat to health or safety, disclosures for specialized government functions, disclosures for workers’ compensation, and disclosures to coroners and medical examiners. None of these exceptions apply to the type of information in option D, which is personal health information that is not related to any of the above purposes. Therefore, an organization would generally not be required to disclose such information to law enforcement under the HIPAA Privacy Rule. Reference: https://www.justice.gov/opcl/overview-privacy-act-1974-2020-edition/disclosuresthird-parties https://bing.com/search?q=information+disclosure+to+law+enforcement https://hipaatrek.com/law-enforcement-hipaa-disclosing-phi/

Question 15

Which of the following best describes private-sector workplace monitoring in the United States?

Accepted Answer

A

Explanation: In the United States, there is no comprehensive federal law that regulates employee monitoring in the private sector. Instead, there are various federal and state laws that address specific aspects of monitoring, such as electronic communications, video surveillance, GPS tracking, and biometric data. Generally, these laws provide more protection for employees’ privacy when they are using their own devices or personal accounts, or when they are outside of work hours or premises. However, when employees are using company-owned devices or accounts, or when they are performing work- related tasks, employers have broad authority to monitor their activities, as long as they have a legitimate business interest and do not violate any specific laws. Employers are also advised to inform employees of their monitoring practices and obtain their consent, either explicitly or implicitly, to avoid potential legal disputes or employee backlash123 Reference: https://www.jibble.io/article/us-employee-monitoring https://www.worktime.com/most-asked-questions-on-us-employee-monitoring-laws

Free IAPP CIPP-US Actual Exam Questions