SCENARIO
Please use the following to answer the next question:
Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.
Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI).
Therefore, he is thinking carefully about privacy issues.
On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.
He was also curious about the hospital's use of a billing company. He questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.
On his first day Declan became familiar with all areas of the hospital's large radiology department. As he was organizing equipment left in the hallway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.
Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.
Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.
In one month, Declan has a paper due for one of his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.
Although Declan's day ended with many questions, he was pleased about his new position.
Based on the scenario, what is the most likely way Declan's supervisor would answer his question about the hospital's use of a billing company?
A. By suggesting that Declan look at the hospital's publicly posted privacy policy
B. By assuring Declan that third parties are prevented from seeing Private Health Information (PHI)
C. By pointing out that contracts are in place to help ensure the observance of minimum security standards
D. By describing how the billing system is integrated into the hospital's electronic health records (EHR) system
Which act violates the Family Educational Rights and Privacy Act of 1974 (FERPA)?
A. A K-12 assessment vendor obtains a student's signed essay about her hometown from her school to use as an exemplar for public release
B. A university posts a public student directory that includes names, hometowns, e-mail addresses, and majors
C. A newspaper prints the names, grade levels, and hometowns of students who made the quarterly honor roll
D. University police provide an arrest report to a student's hometown police, who suspect him of a similar crime
What practice does the USA FREEDOM Act NOT authorize?
A. Emergency exceptions that allow the government to target roamers
B. An increase in the maximum penalty for material support to terrorism
C. An extension of the expiration for roving wiretaps
D. The bulk collection of telephone data and internet metadata
Acme Student Loan Company has developed an artificial intelligence algorithm that determines whether an individual is likely to pay their bill or default. A person who is determined by the algorithm to be more likely to default will receive frequent payment reminder calls, while those who are less likely to default will not receive payment reminders.
Which of the following most accurately reflects the privacy concerns with Acme Student Loan Company using artificial intelligence in this manner?
A. If the algorithm uses risk factors that impact the automatic decision engine, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.
B. If the algorithm makes automated decisions based on risk factors and public information, Acme need not determine if the algorithm has a disparate impact on protected classes.
C. If the algorithm's methodology is disclosed to consumers, then it is acceptable for Acme to have a disparate impact on protected classes.
D. If the algorithm uses information about protected classes to make automated decisions, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.
Which of the following is NOT one of three broad categories of products offered by data brokers, as identified by the U.S. Federal Trade Commission (FTC)?
A. Research (such as information for understanding consumer trends).
B. Risk mitigation (such as information that may reduce the risk of fraud).
C. Location of individuals (such as identifying an individual from partial information).
D. Marketing (such as appending data to customer information that a marketing company already has).
What privacy concept grants a consumer the right to view and correct errors on his or her credit report?
A. Access.
B. Notice.
C. Action.
D. Choice.
Which statute is considered part of U.S. federal privacy law?
A. The Fair Credit Reporting Act.
B. SB 1386.
C. The Personal Information Protection and Electronic Documents Act.
D. The e-Privacy Directive.
Which of the following scenarios would be most likely to violate the Fourth Amendment of the U.S. Constitution with regard to contact tracing?
A. A private employer conducting a voluntary contact-tracing program with its employees.
B. An employer asking employees if they have been diagnosed with or tested for COVID-19 before allowing them to physically enter the workplace.
C. A government program that installs a contact-tracing app on an individual's phone and collects data after providing notice and obtaining the individual's consent.
D. A government program that automatically installs a contact-tracing app on an individual's phone and collects data without obtaining the individual's consent.
SCENARIO
Please use the following to answer the next question:
You are the privacy manager at a privately-owned U.S. company that produces an increasingly popular fitness app called GetFit. After users create an account with their contact information, the app uses a smartphone and a system of connected smartwatch sensors to track users when they exercise. It collects information on location when users walk or run outdoors, as well as general health information (such as heart rate) during all exercise sessions. The app also collects credit card information for payment of the monthly subscription fee.
One Friday, the company's security team contacts you about the discovery of malware on their media server. The team assures you that there was no user data on this server and that, in any case, they found the malware before any damage could be done.
However, on Monday morning the security team contacts you again, this time with the information that they have discovered the same malware on the company's payments server. They suspect it likely that users' credit card information was taken by the attacker. By Monday evening, the situation has gotten dramatically worse, as the security team has also discovered this malware on the company's database server, an infiltration that gives the attacker access to users' profile, health and location information.
After coordinating with the security team, you are asked to meet with senior management and advise them on the company's obligations in connection with the incident. The Chief Financial Officer asks, "If we decide to notify all our users of this incident, are we obligated to provide any of them with a free credit monitoring offer?" The General Counsel wants to know if providing this notice and offer will help the company avoid liability.
How does the Monday evening discovery of the malware on the company's database server alter the company's notification obligations, if at all?
A. This discovery requires notice also be provided to the U.S. Dept. of Health and Human Services since the impacted information includes health information.
B. This discovery has no effect on the situation, since the user information does not include a social security number or driver's license number.
C. This discovery requires notice also be provided to the FTC since a health app is subject to the Health Breach Notification Rule.
D. This discovery has no effect on the situation, since all required notifications are already being provided.
A California resident has created an account on your company's online food delivery platform and placed several orders in the past month. Later she submits a data subject request to access her personal information under the California Privacy Rights Act.
Assuming that the CPRA is in force, which of the following data elements would your company NOT have to provide to the requester once her identity has been verified?
A. Inferences made about the individual for the company's internal purposes.
B. The loyalty account number assigned through the individual's use of the services.
C. The time stamp for the creation of the individual's account in the platform's database.
D. The email address submitted by the individual as part of the account registration process.