Get IAPP CIPP/US Exam Practice Questions - Real and Updated

Answer : A

The HITECH Act was enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and use of health information technology, especially electronic health records (EHRs), in the United States. The HITECH Act established the Medicare and Medicaid EHR Incentive Programs, which provide financial incentives to eligible health care providers who demonstrate meaningful use of certified EHR technology. Meaningful use is defined as using EHRs to improve quality, safety, efficiency, and coordination of care, as well as to engage patients and protect their privacy and security. To qualify for the incentive payments, health care providers must meet certain objectives and measures that demonstrate meaningful use of EHRs as part of their regular care. Some of these objectives and measures include:

Protect electronic protected health information (ePHI)

Generate prescriptions electronically

Implement clinical decision support (CDS)

Use computerized provider order entry (CPOE) for medication, laboratory, and diagnostic imaging orders

Timely patient access to electronic files

Exchange health information with other providers and public health agencies

Report clinical quality measures and public health data

Therefore, the correct answer is A. Making EHRs part of regular care is an important action that a health care provider must take if she wants to qualify for funds under the HITECH Act.Reference:

What is the HITECH Act? 2024 Update, section ''The Meaningful Use Program''

The HITECH Act explained: Definition, compliance, and violations, section ''HITECH Act definition and summary'' and ''Why was the HITECH Act created and why is it important?''

Proposed Rulemaking to Implement HITECH Act Modifications, section ''The Health Information Technology for Economic and Clinical Health (HITECH) Act''

Health Information Technology for Economic and Clinical Health (HITECH) Audits, section ''The American Recovery & Reinvestment Act of 2009 (ARRA, or Recovery Act)''

What is HITECH Compliance? Understanding and Meeting HITECH Requirements, section ''HITECH Compliance Requirements''

Answer : D

The Gramm-Leach-Bliley Act (GLBA) is a federal law that regulates the privacy and security of consumer financial information collected, used, and disclosed by financial institutions, such as banks, credit unions, securities firms, insurance companies, and others12.Under the GLBA, financial institutions must comply with two main rules: the Privacy Rule and the Safeguards Rule12.The Privacy Rule requires financial institutions to provide notice to their customers about their information-sharing practices and to obtain verifiable parental consent before collecting, using, or disclosing personal information from children12.The Privacy Rule also gives customers the right to opt out of having their personal information shared with certain nonaffiliated third parties, unless an exception applies12.The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program that protects the confidentiality, security, and integrity of customer information12.

Therefore, banks and other financial institutions are required to offer an opt-out before transferring personal information (PI) to an unaffiliated third party for the latter's own use, unless an exception applies, such as when the disclosure is necessary to complete a transaction requested or authorized by the customer, or when the disclosure is to a service provider or joint marketer that agrees to protect the information and use it only for the purposes for which it was disclosed12.This requirement is intended to give customers more control over how their personal information is used and shared by financial institutions and to protect their privacy rights12.

Answer : B

According to the web search results from my predefined tool, Florida is the only state among the four options that currently imposes a definite limit for notification to affected individuals in case of a data breach.Florida's law requires that notice be provided within 30 days after determination of the breach or reason to believe a breach occurred, unless delayed by law enforcement or measures to determine the scope of the breach and restore the integrity of the system1.The other states have more flexible or vague terms for the notification timeframe, such as ''as soon as practicable'' (Maine), ''in the most expedient time possible and without unreasonable delay'' (New York), or ''in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement'' (California)2.Reference:

Security Breach Notification Chart | Perkins Coie

State Data Breach Notification Chart - International Association of ...

Answer : B

The Dodd-Frank Act created the Consumer Financial Protection Bureau (CFPB) as an independent agency within the Federal Reserve System. The CFPB has the authority to regulate consumer financial products and services, such as mortgages, credit cards, student loans, and payday loans. One of the main objectives of the CFPB is to promote transparency, fairness, and consumer choice in the financial marketplace. The CFPB has issued rules and guidance to require financial institutions to provide clear and accurate information to consumers about the costs, risks, and benefits of their products and services.The CFPB also has the power to enforce consumer protection laws and prohibit unfair, deceptive, or abusive acts or practices by financial institutions123Reference:1:Dodd-Frank Wall Street Reform and Consumer Protection Act, Title X, Subtitle A, Section 1011.2:Consumer Financial Protection Bureau, Wikipedia.3:Dodd-Frank Act: What It Does, Major Components, and Criticisms, Investopedia.

Answer : D

According to the Privacy Shield Framework, an organization that transfers personal data to a third party acting as an agent must ensure that the agent does all of the following1:

Uses the transferred data only for limited and specified purposes;

Provides the same level of privacy protection as is required by the Privacy Shield Principles;

Takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles;

Requires the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;

Upon notice, takes reasonable and appropriate steps to stop and remediate unauthorized processing; and

Provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.

Therefore, the only option that is not required by the Privacy Shield Framework is D. Enters a contract with the organization that states the third party will process data according to the consent agreement. While the organization must obtain the individual's consent for certain types of data transfers, such as those involving sensitive data or onward transfers to controllers, the organization does not have to include the consent agreement in the contract with the agent.The contract must, however, ensure that the agent will process the data in accordance with the individual's choices and expectations, as well as the Privacy Shield Principles2.