10. The following fact pattern applies to questions 10 - 14.
Katie goes to her neighborhood pharmacy to fill her prescription for heart medication. When asked, Katie hands the pharmacist her prescription and insurance identification card. The pharmacist provides Katie with the proper dose and type of medication as indicated on the prescription but inadvertently forgets to give Katie back her insurance identification card. One week later, Natalie, another patron of the pharmacy, finds Katie's insurance identification card in her medication bag, calls the pharmacy using the contact number posted on the pharmacy's website, and returns the insurance identification card to the pharmacy. The pharmacy promptly returns the card to Katie the next business day.
Has a violation of the Health Insurance Portability and Accountability Act ("HIPAA") occurred?
A. No, the insurance identification card was safely returned to its owner within a reasonable amount of time
B. No, the insurance identification card does not constitute protected health information
C. No, the pharmacy is not a covered entity
D. Yes, the insurance identification card constitutes protected health information and the loss of the card created a significant risk of harm to the patient
ANSWER: A. The pharmacy is a covered entity, and a covered entity must prominently post and make available its notice on any website it maintains that provides information about its customer services or benefits. HIPAA complaints should be lodged with the Office for Civil Rights at the Department of Health and Human Services. The pharmacy must also notify Katie of the breach. This individual notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of the breach and must include, to the extent possible, (1) a brief description of the breach, (2) a description of the types of information that were involved in the breach, (3) the steps affected individuals should take to protect themselves from potential harm, (4) a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, and (5) contact information for the pharmacy. Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the state or jurisdiction. In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of HHS regardless of the size of the breach. If the breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following the breach. If, however, a breach affects fewer than 500 individuals, as occurred with Katie's insurance identification card, the covered entity only needs to notify the Secretary of such breaches on an annual basis.
ANSWER: A. The Bank Secrecy Act of 1970, also known as the Currency and Foreign Transactions Reporting Act, requires financial institutions in the United States to assist government agencies to detect and prevent money laundering. Specifically, the Act requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash purchases of these negotiable instruments of more than $10,000 (daily aggregate amount), and report suspicious activity that might signify money laundering, tax evasion, or other criminal activities.
Currency Transaction Reports ("CTRs") and Suspicious Activity Reports ("SARs") are the primary means used by banks to satisfy the requirements of the BSA. A SAR must be filed when a bank detects a suspicious transaction of $25,000 or more even if the identity of the perpetrator is unknown. A SAR must also be filed when a bank detects a suspicious currency transaction of $5,000 or more.
ANSWER: C. Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule. The Rule requires the proper disposal of information in consumer reports and records to protect against unauthorized access to or use of the information. The standard for the proper disposal of information derived from a consumer report is flexible, and allows the organizations and individuals covered by the Rule to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology. The Disposal Rule applies to consumer reports or information derived from consumer reports. The Fair Credit Reporting Act ("FCRA") defines the term consumer report to include information obtained from a consumer reporting company that is used - or expected to be used - in establishing a consumer's eligibility for credit, employment, or insurance, among other purposes. Credit reports and credit scores are types of consumer reports. Reports that businesses or individuals receive with information relating to employment background, check writing history, insurance claims, residential or tenant history, or medical history are also considered consumer reports.
ANSWER: C. In the United States, law is derived from various sources. The legislature (that is, Congress) creates statutory law. Regulatory bodies and administrative agencies, such as the Federal Trade Commission ("FTC") and Federal Communications Commission ("FCC"), create administrative law. Court decisions are the basis of common law (also sometimes referred to as "case law"). Therefore, regulatory bodies, the legislature, and court decisions are all primary sources of American law. Common law, on the other hand, is a type of law and not a source of law. Common law is the class of law developed by judges through decisions of courts and similar tribunals, as opposed to statutes adopted through the legislative process or regulations issued by the executive branch.
ANSWER: D. The Electronic Communications Privacy Act ("ECPA") was enacted in 1986 to update the Federal Wiretap Act. The ECPA protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. Therefore, ECPA applies to email, telephone conversations, and data stored electronically. Two notable exceptions to ECPA's broad prohibition against interception of communications exist. First, under federal law, if one party to the communication consents to the interception, it is permitted. Under most state laws, however, consent of both parties is required. Second, operators are authorized to intercept and monitor communications placed over their facilities in order to combat fraud and theft of service. Because this question specifically deals with the federal law (ECPA) and not state law, the correct answer is that only one party to the call needs to consent to the interception.
ANSWER: D. FOIA has the following nine exemptions: (1) those documents properly classified as secret in the interest of national defense or foreign policy; (2) documents related solely to internal personnel rules and practices; (3) documents specifically exempted by other statutes; (4) a trade secret or privileged or confidential commercial or financial information obtained from a person; (5) a privileged inter-agency or intra-agency memorandum or letter; (6) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (7) documents compiled for law enforcement purposes; (8) records contained in or related to examination, operating, or condition reports about financial institutions; and (9) those documents containing exempt information (for example, the location) about gas or oil wells. Answers A, B, and C fall in exemptions (4), (9), and (8), respectively. Answer D is not a recognized exemption and, therefore, is the correct answer.
ANSWER: A. The PCI Security Standards Council is the organization responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard ("PCI DSS"). The Council therefore acts as a self-regulatory organization for the payment card processing industry. The Council's five founding global payment brands - American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. - have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data.
ANSWER: D. The basic steps to developing an information management program are (1) discover, (2) build, (3) communicate, and (4) evolve. First, the organization must discover the environment in which the organization operates. For example, an organization should understand which laws regulate the organization and impose obligations on the organization related to privacy. An organization must also discover and develop its goals for the information management program. Next, the organization should build and design the information management program with the identified goals in mind. Typically, an information management program consists of policies and procedures related to how information will be managed at the organization. The third step is to communicate the policies and procedures to the employees of the organization. In some instances, a formal training may be required. Finally, the organization should ensure that the program evolves as the business needs and legal environment change. By adhering to these four basic steps, an organization will develop an effective information management program.
ANSWER: B. In accordance with the Privacy Rule, a covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations: (1) to the individual; (2) treatment, payment, and healthcare operations; (3) opportunity to agree or object; (4) incident to an otherwise permitted use and disclosure; (5) public interest and benefit activities; and (6) limited data set for the purposes of research, public health or health care operations. Therefore, B is the correct answer because there are other permitted uses besides for treatment, payment, and health care operations. In addition, the Privacy Rule permits covered entities to disclose or use protected health information in certain circumstances but never requires disclosure or use. Covered entities may rely on professional ethics and best judgments in deciding which of the permissive uses and disclosures to make. The HIPAA Privacy Rule also requires covered entities to implement appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information ("PHI").
ANSWER: C. In accordance with the Family Educational Rights and Privacy Act ("FERPA"), schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about the disclosure of directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them (that is, provide them the opportunity to opt-out).
ANSWER: B. The Telemarketing Sales Rule (as amended) regulates "telemarketing" - defined in the Rule as "a plan, program, or campaign ... to induce the purchase of goods or services or a charitable contribution" involving more than one interstate telephone call. With some important exceptions, any business or individual that takes part in "telemarketing" must comply with the Rule. This is true whether, as "telemarketers," they initiate or receive telephone calls to or from consumers, or as "sellers," they provide, offer to provide, or arrange to provide goods or services to consumers in exchange for payment. It makes no difference whether a company makes or receives calls using low-tech equipment or the newest technology - such as voice response units and other automated systems. Similarly, it makes no difference whether the calls are made from outside the United States; so long as they are made to consumers in the United States, those making the calls, unless otherwise exempt, must comply with the Rule's provisions. If the calls are made to induce the purchase of goods, services, or a charitable contribution, the company is engaging in "telemarketing."
ANSWER: C. The National Do Not Call Registry does not cover calls from political organizations, charities, telephone surveyors, or companies with which a consumer has an existing business relationship. The area codes in the National Do Not Call Registry cover the 50 states, the District of Columbia, Puerto Rico, U.S. Virgin Islands, Guam, Northern Mariana Islands, American Samoa, and toll-free numbers. It makes no difference whether a company makes or receives calls using low-tech equipment or the newest technology - such as voice response units and other automated systems. Similarly, it makes no difference whether the calls are made from outside the United States; so long as they are made to consumers in the United States, those making the calls, unless otherwise exempt, must comply with the Rule's provisions.
ANSWER: C. A court may, for good cause, issue a protective order to protect a party or person from annoyance, embarrassment, oppression or undue burden or expense. In evaluating requests for protective orders, courts have considered various factors, including the confidentiality interests at issue, the need to protect public health and safety, the fairness and efficiency of entering a protective order, and the importance of the litigation to the public.