IAPP CIPP-US Exam Questions

Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and
operating in 7 other states. SMH uses an electronic medical record to enter and track
information about its patients. Recently, SMH suffered a data breach where a third-party
hacker was able to gain access to the SMH internal network.
Because it is a HIPPA-covered entity, SMH made a notification to the Office of Civil Rights
at the U.S. Department of Health and Human Services about the breach.
Which statement accurately describes SMH’s notification responsibilities?

SCENARIO
Please use the following to answer the next QUESTION:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps
individuals realize their physical fitness goals through classes, individual instruction, and
access to an extensive indoor gym. She has owned the company for ten years and has
always been concerned about protecting customer’s privacy while maintaining the highest
level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company
has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her
develop one.
After an initial assessment, Janice created a first of a new policy. Cheryl read through the
draft and was concerned about the many changes the policy would bring throughout the
company. For example, the draft policy stipulates that a customer’s personal information
can only be held for one year after paying for a service such as a session with personal
trainer. It also promises that customer information will not be shared with third parties
without the written consent of the customer. The wording of these rules worry Cheryl since
stored personal information often helps her company to serve her customers, even if there
are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as
aerobics instructors who teach classes on a contract basis. Having access to customer files
and understanding the fitness levels of their students helps instructors to organize their
classes.
Janice understood Cheryl’s concerns and was already formulating some ideas for revision.
She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that
it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It
seemed that classifying data and treating each type differently would cause undue
difficulties in the company’s day-to-day operations. Cheryl wants one simple data storage
and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes
within her company were going to be necessary. She told Janice that she would be more
comfortable with implementing the new policy gradually over a period of several months,
one department at a time. She was also interested in a layered approach by creating
documents listing applicable parts of the new policy for each department.
Based on the scenario, which of the following would have helped Janice to better meet the
company’s needs?

The Family Educational Rights and Privacy Act (FERPA) requires schools to do all of the
following EXCEPT?

A company’s employee wellness portal offers an app to track exercise activity via users’
mobile devices. Which of the following design techniques would most effectively inform
users of their data privacy rights and privileges when using the app?

All of the following are tasks in the “Discover” phase of building an information
management program EXCEPT?