CIPP-US Exam Details

  • Exam Code
    :CIPP-US
  • Exam Name
    :Certified Information Privacy Professional/United States (CIPP/US)
  • Certification
    :IAPP Certifications
  • Vendor
    :IAPP
  • Total Questions
    :198 Q&As
  • Last Updated
    :Jun 28, 2026

IAPP CIPP-US Online Questions & Answers

  • Question 111:

    Which of the following privacy rights is NOT available under the Colorado Privacy Act?

    A. The right to access sensitive data.
    B. The right to correct sensitive data.
    C. The right to delete sensitive data.
    D. The right to limit the use of sensitive data.

  • Question 112:

    Edward Snowden’s revelations regarding government programs collecting massive amounts of information about U.S. citizens and noncitizens led to the passage of which law?

    A. Cybersecurity Information Sharing Act of 2015
    B. Foreign Intelligence Surveillance Act
    C. USA FREEDOM Act
    D. CLOUD Act

  • Question 113:

    Which of the following federal agencies does NOT have regulatory authority related to privacy?

    A. Consumer Financial Protection Bureau.
    B. U.S. Department of Transportation.
    C. U.S. Department of Commerce.
    D. Federal Reserve

  • Question 114:

    All of the following are tasks in the "Discover" phase of building an information management program EXCEPT?

    A. Facilitating participation across departments and levels
    B. Developing a process for review and update of privacy policies
    C. Deciding how aggressive to be in the use of personal information
    D. Understanding the laws that regulate a company's collection of information

  • Question 115:

    SCENARIO

    Please use the following to answer the next question:

    Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.

    Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI).

    Therefore, he is thinking carefully about privacy issues.

    On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department

    could reduce paper waste through a system of one-time distribution.

    He was also curious about the hospital's use of a billing company. He questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.

    On his first day Declan became familiar with all areas of the hospital's large radiology department. As he was organizing equipment left in the halfway, he overheard a conversation between two hospital administrators. He was surprised to

    hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had

    plans to properly report what had happened.

    Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were

    accessible to all medical facilities nationwide.

    Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he

    feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he

    could explain why. John plans to ask a colleague about this.

    In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to

    think more carefully about genetic testing.

    Although Declan's day ended with many questions, he was pleased about his new position.

    Based on the scenario, what is the most likely way Declan's supervisor would answer his question about the hospital's use of a billing company?

    A. By suggesting that Declan look at the hospital's publicly posted privacy policy
    B. By assuring Declan that third parties are prevented from seeing Private Health Information (PHI)
    C. By pointing out that contracts are in place to help ensure the observance of minimum security standards
    D. By describing how the billing system is integrated into the hospital's electronic health records (EHR) system

  • Question 116:

    SCENARIO

    Please use the following to answer the next question:

    You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider,

    CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state

    B. As part of HealthCo's business associate agreement (BAA) with

    CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering

    the contract, and has not conducted audits of CloudHealth's security measures.

    A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been

    published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals ?ones that exposed the PHI of public figures including celebrities and politicians.

    During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law

    enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.

    A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted

    a discovery request for the ePHI exposed in the breach.

    What is the most significant reason that the U.S. Department of Health and Human Services (HHS) might impose a penalty on HealthCo?

    A. Because HealthCo did not require CloudHealth to implement appropriate physical and administrative measures to safeguard the ePHI
    B. Because HealthCo did not conduct due diligence to verify or monitor CloudHealth's security measures
    C. Because HIPAA requires the imposition of a fine if a data breach of this magnitude has occurred
    D. Because CloudHealth violated its contract with HealthCo by not encrypting the ePHI

  • Question 117:

    Which statute is considered part of U.S. federal privacy law?

    A. The Fair Credit Reporting Act.
    B. SB 1386.
    C. The Personal Information Protection and Electronic Documents Act.
    D. The e-Privacy Directive.

  • Question 118:

    What is an exception to the Electronic Communications Privacy Act of 1986 ban on interception of wire, oral and electronic communications?

    A. Where one of the parties has given consent
    B. Where state law permits such interception
    C. If an organization intercepts an employee's purely personal call
    D. Only if all parties have given consent

  • Question 119:

    Under HIPAA and the HITECH Act, business associates who receive Protected Health Information (PHI) from covered entities must execute Business Associate Agreements and also?

    A. Ensure there is a written agreement with the Department of Health and Human Services.
    B. Provide a SOC 2 audit to support the warranties in the agreements.
    C. Rea rm the terms of the agreements on an annual basis.
    D. Have any subcontractors enter into agreements.

  • Question 120:

    Which of the following best describes private-sector workplace monitoring in the United States?

    A. Employers have broad authority to monitor their employees
    B. U.S. federal law restricts monitoring only to industries for which it is necessary
    C. Judgments in private lawsuits have severely limited the monitoring of employees
    D. Most employees are protected from workplace monitoring by the U.S. Constitution

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only IAPP exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CIPP-US exam preparations and IAPP certification application, do not hesitate to visit our Vcedump.com to find your solutions here.