Loading questions...
Loading questions...
Preview
Updated
SCENARIO -
Please use the following to answer the next question:
Miraculous Healthcare is a large medical practice with multiple locations in California and Nevada. Miraculous normally treats patients in person, but has recently decided to start offering telehealth appointments, where patients can have virtual appointments with on-site doctors via a phone app.
For this new initiative, Miraculous is considering a product built by MedApps, a company that makes quality telehealth apps for healthcare practices and licenses them to be used with the practices’ branding. MedApps provides technical support for the app, which it hosts in the cloud. MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the service.
Riya is the Privacy Officer at Miraculous, responsible for the practice's compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place. She occasionally assists procurement in vetting vendors and inquiring about their own compliance practices, as well as negotiating the terms of vendor agreements. Riya is currently reviewing the suitability of the MedApps app from a privacy perspective.
Riya has also been asked by the Miraculous Healthcare business operations team to review the MedApps’ optional benchmarking service. Of particular concern is the requirement that Miraculous Healthcare upload information about the appointments to a portal hosted by MedApps.
What can Riya do to most effectively minimize the privacy risks of using an app for telehealth appointments?
Which of the following is NOT a common challenge large organizations face when implementing data portability?
Dobbs v. Jackson Women’s Health Organization led to the U.S. Department of Health and Human Services issuing public guidance regarding which of the following?
Want a break from the ads?
Become a Supporter and enjoy a completely ad-free experience, plus unlock Learn Mode, Exam Mode, AstroTutor AI, and more.
What was the original purpose of the Federal Trade Commission Act?
If an organization certified under Privacy Shield wants to transfer personal data to a third party acting as an agent, the organization must ensure the third party does all of the following EXCEPT?
Under state breach notification laws, which is NOT typically included in the definition of personal information?
In which situation is a company operating under the assumption of implied consent?
SCENARIO -
Please use the following to answer the next question:
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer’s data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: “Please act immediately by identifying all personal data received from our company.”
This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup’s rapid market penetration.
As the Company’s data privacy leader, you are sensitive to the criticality of the relationship with the retailer.
Upon review, the data privacy leader discovers that the Company’s documented data inventory is obsolete. What is the data privacy leader’s next best source of information to aid the investigation?
All of the following are tasks in the “Discover” phase of building an information management program EXCEPT?
SCENARIO -
Please use the following to answer the next question:
Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants’ postings on social media, ask questions about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.
Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle’s GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.
Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia’s concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that even if the business grows a customer database of a few thousand, it’s unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.
In any case, Celeste feels that all they need is common sense – like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she’s right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.
Which law will be most relevant to Felicia’s plan to ask applicants about drug addiction?
Although an employer may have a strong incentive or legal obligation to monitor employees’ conduct or behavior, some excessive monitoring may be considered an intrusion on employees’ privacy? Which of the following is the strongest example of excessive monitoring by the employer?
Support Examcademy
Your support keeps this platform running. Become a Supporter to remove all ads and unlock exclusive study tools.
What information did the Red Flag Program Clarification Act of 2010 add to the original Red Flags rule?
Which federal agency plays a role in privacy policy, but does NOT have regulatory authority?
Which of the following statements is most accurate in regard to data breach notifications under federal and state laws:
Which federal act does NOT contain provisions for preempting stricter state laws?
How did the Fair and Accurate Credit Transactions Act (FACTA) amend the Fair Credit Reporting Act (FCRA)?
Under what conditions will personal data processing be subject to the Virginia Consumer Data Protection Act (VCDPA) requirements for a documented data protection assessment?
An addiction researcher at a hospital wishes to remotely review Protected Health Information (PHI). Which of the following explicitly establishes privacy protections for this processing activity?
SCENARIO -
Please use the following to answer the next question:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customers’ privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hires Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice creates a first draft of a new policy. Cheryl reads through the draft and becomes concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer’s personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worries Cheryl, since stored personal information often helps her company to serve her customers, even if there are long gaps between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understands Cheryl’s concerns and is already formulating some ideas for revision. She tries to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl is skeptical. It seems to her that classifying data and treating each type differently would cause undue difficulties in the company’s day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy is only a draft, Cheryl is beginning to see that changes within her company are going to be necessary. She tells Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She also expresses interest in employing a layered approach, creating documents listing applicable parts of the new policy for each department.
What is the best reason for Cheryl to follow Janice’s suggestion about classifying customer data?
Study without distractions
Supporters get zero ads, spaced-repetition Learn Mode, timed Exam Mode, and AI-powered explanations from AstroTutor.
Under the California Consumer Privacy Act (as amended by the California Privacy Rights Act), a consumer may initiate a civil action against a business for?
Which of the following data elements is most likely to be subject to comprehensive state data security and privacy laws?
When does the Telemarketing Sales Rule require an entity to share a do-not-call request across its organization?
Read this notice:
Our website uses cookies. Cookies allow us to identify the computer or device you’re using to access the site, but they don’t identify you personally. For instructions on setting your Web browser to refuse cookies, click here.
What type of legal choice does not notice provide?
In what way does the “Red Flags Rule” under the Fair and Accurate Credit Transactions Act (FACTA) relate to the owner of a grocery store who uses a money wire service?
A company’s employee wellness portal offers an app to track exercise activity via users’ mobile devices. Which of the following design techniques would most effectively inform users of their data privacy rights and privileges when using the app?
