All Weeks Privacy Law and Data Protection Coursera Quiz Answers
Privacy Law and Data Protection Week 1 Quiz Answers
Quiz 1: Historical & Legal Context of Privacy in the United States
Q1. True or False: Privacy concerns first arose when newspapers began publishing photographs of well-known people without their consent, a practice criticized by Warren and Brandeis.
Q2. True or False: In the 1960 Supreme Court case Reporters Committee for Freedom of the Press vs. the U.S. Department of Justice, the Court held that the fact that criminal records were compiled in a single online clearinghouse had no bearing on the privacy concerns surrounding those records.
Q1. Which of the following was NOT one of the fair information principles set forth by the HEW report in 1973?
- An individual must be able to correct or amend a record of identifiable information about him.
- An individual may bring a complaint against an organization that misuses his personal information.
- An organization may not develop a personal data recordkeeping system and keep its existence a secret.
- An individual must be able to find out what information about him is in a record and how that record is used.
Q2. The National Directory of New Hires allows the government to use information collected by employers to locate parents for child support purposes. Which of the following fair information principles does this program reflect?
- Individual Choice
- Appropriate Uses
Q1. What was the impetus for passing the Privacy Act and Fair Credit Reporting Act in the 1960s?
- Congress became aware of concerning anecdotes involving privacy abuses by the federal government and credit bureaus.
- Congress wanted to increase the ease of sharing data among certain entities.
- At the time, the federal government and credit bureaus were the two sectors that had accumulated lots of data on millions of people.
Q2. True or False: Rather than adhering strictly to the list set forth by the 1973 HEW report, people and organizations today tend to develop their own interpretation of what fair information principles are.
Q3. According to the HEW report, the purpose of fair information principles is to:
- Protect corporations from the privacy threats carried by computerization.
- Protect the government from allegations that it misuses personal information.
- Prevent organizations from keeping personal data record keeping systems a secret.
- Protect individuals from the privacy threats spurred by computerization.
Q4. True or False: A data subject who has the choice to “opt-in” will not have his data shared for a particular purpose unless he gives the organization permission.
Q5. True or False: While the United States’ Constitution contains an explicit right to privacy, the European Convention of Human Rights does not.
Q6. Why does the marketing industry generally use “opt-out” as its form of choice?
- For security reasons
- Because opt-out rates are low, avoiding damages to marketers’ bottom line
- To promote transparency
- To promote self-reflection into organization practices
Q7. Which of the following was not an impetus for enacting privacy laws in the United States?
- Lawmaking by anecdote
- Special harm / concern
- Privacy law as part of some other data sharing initiative
Privacy Law and Data Protection Week 2 Quiz Answers
Quiz 1: Implementing HIPAA: Notice and Access
Q1. True or False: HIPAA allows covered entities to decide what is important to include in their notice of privacy practices.
Q2. Which of the following is NOT provided for in HIPAA’s policy surrounding access to records?
- The specific information a patient is entitled to receive
- The timeframes for responding to access requests
- Strict limits on the fees a patient can be charged
- A patient’s ability to review all information a covered entity has about him or her.
Q1. True or False: A covered entity should ensure that every member of the workforce has been trained in detail on the proper uses and disclosures of protected health information.
Q2. True or False: Covered entities are permitted to share health information with authorized public health authorities, like the Center for Disease Control, without patients’ consent.
Q1. A healthcare clinic has long provided free services to the community but has recently begun offering certain services for a fee. What is the first question the clinic’s compliance officer should ask?
- What is the scope of HIPAA? Does it apply to us?
- Are we adhering to HIPAA’s “minimum necessary” requirement?
- Is the clinic sharing protected health information with public health authorities?
- Who should be part of the oversight group we convene to implement the requirements of HIPAA?
Q2. Which of the following is not mandated by HIPAA?
- A patient has the right to access information about her contained in a designated record set.
- If a police officer asks for health information, a covered entity must provide it.
- A covered entity must adopt procedures that limit employee access to patient information to what is “reasonably necessary” for their role.
- Patients must sign that they acknowledge receipt of HIPAA’s Privacy Notice, and if they refuse, the covered entity must document that this is the case.
Q3. A patient authorizes a hospital to share her health records with her employer. Is the employer then bound by HIPAA?
- Yes, because the employer is in possession of protected health information.
- Yes, because the employer received the information from the hospital, a covered entity.
- No, because the employer is not a covered entity under HIPAA.
- No, because the patient authorized the records to be shared with the employer.
Q4. What explains the detail with which HIPAA sets forth timeframes, procedures, and other details to ensure patients can access their information and correct inaccurate information?
- Warren and Brandeis’s concern with protecting the right to privacy
- Modern medicine’s embrace of patient awareness and involvement in their own care
- Historically-rooted fears regarding the assembly of secret records
- Options 2 and 3
Q5. HIPAA regulates healthcare clearinghouses, which are:
- healthcare providers that bill electronically.
- healthcare providers that offer free services.
- health insurance companies.
- entities that engage in facilitating electronic billing.
Q6. Which of the following could a covered entity use to implement HIPAA’s Minimum Necessary requirement? Hint: There are 3 correct answers.
- Set up role-based access in information systems.
- Train employees on how to handle information requests in an emergency.
- Use a gatekeeper for certain types of large data requests.
- Train individuals on what is sensitive data and ensure strict “need to know” access and disclosure.
Q7. True or False: Patient portals help entities “bake” privacy into their systems.
Privacy Law and Data Protection Week 3 Quiz Answers
Quiz 1: Data Security Rules
Q1. True or False: HIPAA’s Security Rule explicitly requires covered entities to protect patients’ “privacy,” meaning that their e-PHI is not available or disclosed to unauthorized persons.
Q2. True or False: HIPAA’s Security Rule mandates that all covered entities conduct a risk assessment and respond to identified risks with mitigation and continued review.
Q3. True or False: The Gramm Leach Bliley Act requires entities to implement administrative, physical, and technical safeguards to ensure individuals’ data security.
Q1. States’ breach notification laws generally:
- Provide a private right of action
- Require that the media be notified upon breach
- Define “personal information,” which triggers breach, in differing ways
- Provide a precise timeframe for notification
Q2. Which of the following is not a physical safeguard that covered entities must comply with under HIPAA’s Security Rule?
- Facility Access and Control
- Workstation Security
- Device Security
- Security Personnel
Q3. True or False: HIPAA and the Gramm Leach Bliley Act force an outcome rather than a process.
Q4. Which of the following statements is false?
- Many in the business community support a federal law on privacy.
- If you follow information security standards, your organization will not have data breaches.
- Under HIPAA, a covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
- Information security professionals regularly rely on guidelines set forth by bodies like the International Standards Organization regarding how to keep information secure.
Q5. True or False: You can have security without privacy, but you cannot have privacy without security.
Q6. Which of the following is true about the FIP of Minimization as it relates to privacy and security?
- Security advocates would likely want less information to be collected than privacy advocates.
- Privacy and security advocates would be more or less aligned in their views on Minimization.
- A privacy advocate would be concerned with obtaining enough information with which to track a user.
- A privacy advocate would seek to limit the collection of information to what is needed for the purpose at hand.
Q7. Under the Gramm Leach Bliley Act, a covered entity must conduct a risk assessment that:
- considers the risks in each relevant area of the entity’s operations.
- is disseminated to all of the entity’s vendors.
- must adhere to a long list of specific requirements.
- is published for public review.
Privacy Law and Data Protection Week 4 Quiz Answers
Quiz 1: International Law & the GDPR
Q1. True or False: Though Europe’s current privacy regime imposes extensive requirements on organizations, EU authorities do not enforce privacy laws as aggressively as the United States.
Q2. True or False: The “Right to be Forgotten,” expressed in the GDPR, does not have a functional equivalent in U.S. federal statutory privacy law.