Free IAPP CIPP-C Practice Exam Questions and Answers 2026

Which entities must comply with the Telemarketing Sales Rule? 

What important action should a health care provider take if the she wants to qualify for funds under the Health Information Technology for Economic and Clinical Health Act (HITECH)?

SCENARIOPlease use the following to answer the next QUESTION:You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is aHIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloudcomputing service provider, CloudHealth, stores and manages the electronic protected health information(ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part ofHealthCo’s business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth toimplement securitymeasures, including industry standard encryption practices, to adequately protect the data. However, HealthCodid not perform due diligence on CloudHealth before entering the contract, and has not conducted audits ofCloudHealth’s security measures.A CloudHealth employee has recently become the victim of a phishing attack. When the employeeunintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients wascompromised. It has since been published online. The HealthCo cybersecurity team quickly identifies theperpetrator as a known hacker who has launched similar attacks on other hospitals – ones that exposed the PHIof public figures including celebrities and politicians.During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI inaccordance with the terms of its contract. In addition, CloudHealth has not provided privacy or securitytraining to its employees. Law enforcement has requested that HealthCo provide its investigative report of thebreach and a copy of the PHI of the individuals affected.A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect theindividual’s ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient’sattorney has submitted a discovery request for the ePHI exposed in the breach.What is the most significant reason that the U.S. Department of Health and Human Services (HHS) mightimpose a penalty on HealthCo?

Global Manufacturing Co’s Human Resources department recently purchased a new software tool. This toolhelps evaluate future candidates for executive roles by scanning emails to see what those candidates say andwhat is said about them. This provides the HR department with an automated “360 review” that lets themknow how the candidate thinks and operates, what their peers and direct reports say about them, and how wellthey interact with each other.What is the most important step for the Human Resources Department to take when implementing this newsoftware?

Which of the following types of information would an organization generally NOT be required to disclose tolaw enforcement?