CIPP-US Exam Dumps - Certified Information Privacy Professional/United States (CIPP/US)

The Fair Credit Reporting Act (FCRA) is considered part of U.S. federal privacy law because it regulates the collection, use, and disclosure of personal information by consumer reporting agencies, such as credit bureaus, background check companies, and tenant screening services. The FCRA aims to protect the privacy, accuracy, and fairness of consumer credit information, and to ensure that consumers have access to and control over their own credit reports. The FCRA also imposes obligations on users and furnishers of consumer reports, such as creditors, employers, insurers, and landlords, to obtain consent, provide notice, and correct errors when using consumer reports for various purposes. The FCRA is enforced by the Federal Trade Commission (FTC) and other federal agencies, as well as by private lawsuits and state attorneys general. The FCRA was enacted in 1970 and has been amended several times, most notably by the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which added provisions on identity theft prevention, fraud alerts, free credit reports, and disposal of consumer information. References:

Fair Credit Reporting Act - Wikipedia

Fair Credit Reporting Act | Federal Trade Commission

Fair Credit Reporting Act (FCRA) - Consumer Information

Fair Credit Reporting Act (FCRA) | Privacy Rights Clearinghouse

Under the GDPR, the complainant’s request regarding her personal information is known as the right to be forgotten, also known as the right to erasure. This right allows individuals to ask organizations to delete their personal data in certain circumstances, such as when the data is no longer necessary, the consent is withdrawn, or the processing is unlawful. The right to be forgotten is not absolute and may not apply if the processing is necessary for legal, public interest, or legitimate purposes. The right to be forgotten also requires organizations to inform any recipients of the data about the erasure request, unless it is impossible or involves disproportionate effort. References:

Everything you need to know about the “Right to be forgotten”

Right to erasure | ICO

Art. 17 GDPR – Right to erasure (‘right to be forgotten’) - General …

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 6, page 213.

Under the California Consumer Privacy Act (CCPA), a business that collects personal information of California residents must notify them of a data breach if their personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices. However, the CCPA excludes encrypted or redacted personal information from the definition of personal information, unless the encryption key or security credential is also compromised. Therefore, Privacy Is Hiring Inc. would need to notify the affected individuals only if the encryption keys were also taken along with the credit card information, as this would render the encryption ineffective and expose the personal information to unauthorized access. The other options are not relevant to the CCPA notification requirement, although they may be relevant to other laws or best practices. References: CCPA (Section 1798.150), IAPP CIPP/US Study Guide (p. 63-64)

The Cable Communications Policy Act of 1984 (CCPA) is a federal law that regulates the cable television industry and protects the privacy of cable subscribers. One of the provisions of the CCPA is that cable operators must providetheir subscribers with an annual notice that clearly and conspicuously informs them of the following information12:

The nature of personally identifiable information collected or to be collected with respect to the subscriber and the nature of the use of such information

The nature, frequency, and purpose of any disclosure of such information, including an identification of the types of persons to whom the disclosure may be made

The period during which such information will be maintained by the cable operator

The times and place at which the subscriber may have access to such information

The limitations provided by the CCPA with respect to the collection and disclosure of information by a cable operator and the right of the subscriber under the CCPA to enforce such limitations

The annual notice must also state that the subscriber has the right to prevent disclosure of personally identifiable information to third parties, except as required by law or court order, and that the subscriber may sue for damages, attorney’s fees, and other relief for violations of the CCPA12.

References: 1: Cable Communications Policy Act of 1984, Section 631 2: [IAPP CIPP/US Study Guide], Chapter 8, Section 8.3.2

The HIPAA Privacy Rule requires covered entities to obtain an individual’s written authorization for any use or disclosure of protected health information (PHI) that is not for treatment, payment, or health care operations or otherwise permitted or required by the Privacy Rule. However, there are some exceptions to the authorization requirement for certain public interest-related activities, such as disclosing health information for public health activities, reporting child abuse, or treating a medical emergency. These exceptions are intended to balance the privacy interests of individuals with the public interest in protecting health and safety, promoting quality health care, and ensuring compliance with the law. Disclosing health information needed to pay a third party billing administrator is not one of the exceptions to the authorization requirement, as it is considered a payment activity that falls under the general rule of requiring authorization. Therefore, it is the correct answer to the question. References: Summary of the HIPAA Privacy Rule, HIPAA Exceptions, Exceptions to HIPAA Privacy Rule, Waiver of Authorization, IAPP CIPP/US Study Guide, Chapter 5.

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of students’ educational records. FERPA generally requiresschools to obtain written consent from students before disclosing their records to third parties, such as parents. However, FERPA allows some exceptions to this rule, such as when the disclosure is for health or safety emergencies, or when the student is still a dependent for tax purposes. According to FERPA, a school may disclose educational records to the parents of a student who is claimed as a dependent on the parents’ most recent federal income tax return, without the student’s consent. This exception applies regardless of the student’s age or enrollment status at a postsecondary institution. References:

IAPP CIPP/US Body of Knowledge, Section III, C, 2

[IAPP CIPP/US Study Guide, Chapter 3, Section 3.5]

[FERPA, 34 CFR § 99.31(a)(8)]

The HITECH Act was enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and use of health information technology, especially electronic health records (EHRs), in the United States. The HITECH Act established the Medicare and Medicaid EHR Incentive Programs, which provide financial incentives to eligible health care providers who demonstrate meaningful use of certified EHR technology. Meaningful use is defined as using EHRs to improve quality, safety, efficiency, and coordination of care, as well as to engage patients and protect their privacy and security. To qualify for the incentive payments, health care providers must meet certain objectives and measures that demonstrate meaningful use of EHRs as part of their regular care. Some of these objectives and measures include:

Protect electronic protected health information (ePHI)

Generate prescriptions electronically

Implement clinical decision support (CDS)

Use computerized provider order entry (CPOE) for medication, laboratory, and diagnostic imaging orders

Timely patient access to electronic files

Exchange health information with other providers and public health agencies

Report clinical quality measures and public health data

Therefore, the correct answer is A. Making EHRs part of regular care is an important action that a health care provider must take if she wants to qualify for funds under the HITECH Act. References:

What is the HITECH Act? 2024 Update, section “The Meaningful Use Program”

The HITECH Act explained: Definition, compliance, and violations, section “HITECH Act definition and summary” and “Why was the HITECH Act created and why is it important?”

Proposed Rulemaking to Implement HITECH Act Modifications, section “The Health Information Technology for Economic and Clinical Health (HITECH) Act”

Health Information Technology for Economic and Clinical Health (HITECH) Audits, section “The American Recovery & Reinvestment Act of 2009 (ARRA, or Recovery Act)”

What is HITECH Compliance? Understanding and Meeting HITECH Requirements, section “HITECH Compliance Requirements”

The Colorado Privacy Act (CPA) grants consumers the right to access, correct, or delete their personal data, including sensitive data, that is processed by a controller1. Sensitive data is defined as personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data, or personal data from a known child2. The CPA also grants consumers the right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or certain kinds of profiling3. However, the CPA does not grant consumers the right to limit the use of sensitive data for other purposes, such as providing a product or service requested by the consumer, complying with legal obligations, or protecting the vital interests of the consumer or another person. Therefore, option D is the correct answer, as it is not a privacy right available under the CPA. References: 1: Colorado Privacy Act (CPA) - Colorado Attorney General 2: Protect Personal Data Privacy | Colorado General Assembly 3: SENATE BILL 21-190 Woodward, Garcia; PRIVACY. COLORADO PRIVACY ACT … : Colorado Privacy Act: What You Need to Know | OneTrust DataGuidance