Free IAPP CIPP-US Exam Actual Questions

The questions for CIPP-US were last updated On Nov 18, 2024

Question No. 1

Which of the following became the first state to pass a law specifically regulating the collection of biometric data?

Correct Answer: C

Question No. 2

Which jurisdiction must courts have in order to hear a particular case?

Correct Answer: C


Question No. 3

SCENARIO

Please use the following to answer the next QUESTION :

You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.

A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals -- ones that exposed the PHI of public figures including celebrities and politicians.

During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.

A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.

Of the safeguards required by the HIPAA Security Rule, which of the following is NOT at issue due to HealthCo's actions?

Correct Answer: C

Section 8.1.2 of the textbook lists the Security Rule safeguards as administrative, technical and physical. "Security safeguards" is not one of the three categories.


Question No. 4

A large online bookseller decides to contract with a vendor to manage Personal Information (PI). What is the least important factor for the company to consider when selecting the vendor?

Correct Answer: C

While it is important for a company to consider the reputation and financial health of a vendor, as well as their employee training program, the retention rates of the vendor's employees are not a direct indicator of the vendor's ability to protect personal information. It is important for the company to ensure that the vendor has appropriate security measures in place to protect personal information, such as access controls, encryption, and data breach response procedures. The company should also consider the vendor's compliance with applicable privacy and data protection laws, as well as their experience working with sensitive personal information. Overall, while employee retention rates may indirectly reflect the quality of the vendor's services, they are not a direct factor in assessing the vendor's ability to manage personal information.


Question No. 5

What important action should a health care provider take if she wants to qualify for funds under the Health Information Technology for Economic and Clinical Health Act (HITECH)?

Correct Answer: A

What funding did the HITECH Act provide to healthcare? The Department of Health & Human Services (HHS) was given a budget in excess of $25 billion to achieve the goals of the HITECH Act. HHS used part of that budget to fund the Meaningful Use program, which incentivized care providers to adopt certified EHRs by offering monetary incentives.