✔✔exceptions to consent requirements - ✔✔(1) respond to specific request from child,
as long as PI is deleted immediately after
(2) to protect safety of child
(3) to protect security/integrity of the site, or to respond for law matters
✔✔HIPAA Generally - ✔✔who is covered: health care providers, health plan insurers,
healthcare clearinghouses, business associates (under HITECH)
who enforces: Dep't of HHS
preemption: states may pass privacy laws w/ stricter requirements
✔✔HIPAA Privacy Rule - ✔✔(1) Privacy notice: detailed privacy notice at date of first
delivery w/ stmts about individual's rights w/ respect to PHI
(3) other uses require opt-in authorizations
(4) Minimum Necessary Use: covered entities must make reasonable efforts to limit the
use/disclosure of PHI
(5) Individuals have right to access and copy their own PHI from a covered entity-
business associate
(6) Administrative, technical, physical safeguards
(7) Privacy official designation
✔✔when can HIPAA Privacy Rule be circumvented - ✔✔Treatment, payment and
healthcare operations.
(1) De-Identified Data
(2) Medical Research Purposes (w/ consent of the individual OR w/o consent if
institutional review board approves it)
✔✔HIPAA's opt in authorization - ✔✔Independent document that identifies the
information to be used or disclosed; purposes of the use or disclosure; the person or
entity to which disclosure made
✔✔HIPAA Security Rule - ✔✔what type of information: ePHI
(1) ensure CIA of all ePHI
(2) Protect against reasonably anticipated threats
(3) Protect against reasonably anticipated uses/disclosures
who enforces: identify an individual who is responsible for implementation and oversight
of the Security Rule compliance
✔✔HITECH - ✔✔(1) breach of unsecured information --> conduct risk assessment to
determine the risk (if high risk --> notification w/i 60 days of discovery)
(2) Increased penalty --> up to 1.5 mill
(3) patients can limit disclosure by provider to their health plan
✔✔21st Century Cures Act of '16 - ✔✔(1) gives medical researchers the ability to
review certain data to develop research protocols remotely
(2) creates a certificate of confidentiality --> protects privacy in the research field
(3) requires more guidance in connection w/ patient authorizations under HIPAA for
research purposes
✔✔Confidentiality of Alcohol and Drug Abuse Patient Records - ✔✔issue: privacy
records of individuals who may seek treatment for substance abuse
- patients who have general designation of "to whom" in their consent form, must be
provided a list of entities to which their information has been disclosed pursuant to
general designation
- entities that legally hold identifying patient info are now required to have formal policies
and procedures addressing security
✔✔GINA - ✔✔who is covered: health insurance companies
types of info: genetic info
- insurance companies can't discriminate on the basis of genetic predisposition in the
absence of manifest symptoms
- can't request that applicant receive genetic testing AND
- employers can use genetic info in making employment decisions
✔✔GINA exceptions - ✔✔employers CAN request genetic information IF:
- request is inadvertent
- request is part of employer-offered wellness program that employee voluntarily
participates in w/ written authorization
- Family Medical Leave Act of '93