Mixed Flashcards

1
Q

Definition of “unfair practice” under FTC Act Section 5

A

(1) causes or is likely to cause substantial injury to consumers;
(2) cannot be reasonably avoided by consumers; and
(3) is not outweighed by countervailing benefits to consumers or to competition

2
Q

Definition of “deceptive practice” under FTC Act Section 5

A

(1) representation, omission, or practice misleads or is likely to mislead the consumer;
(2) a consumer’s interpretation of the representation, omission, or practice is considered reasonable under the circumstances; and
(3) the misleading representation, omission or practice is material

3
Q

Under 2012 FTC Report, when is no consumer choice/no option expected for using or collecting consumer data?

A

(i) “Companies do not need to provide choice before collecting and using consumers’ data for practices that are consistent with the context of the transaction, consistent with the company’s relationship with the consumer, or as required or specifically authorized by law”

4
Q

Which laws give consumers clear rights to access PI held about them and correct errors?

A

FCRA (credit reports); HIPAA (note to file about what patient believes is incorrect)

5
Q

Definition of protected health information (PHI)

A

Individually identifiable health info that:

(a) Is transmitted or maintained in any form or medium;
(b) Is held by a covered entity or its business associate;
(c) Is created or received by a covered entity or an employer; and
(d) Relates to a past, present or future physical or mental condition, provision of healthcare, or payment for health care to that individual

6
Q

What are the categories of “covered entities” under HIPAA?

A

Healthcare providers that conduct certain transactions in electronic form; health plans; healthcare clearinghouses

7
Q

Under the HIPAA Privacy Rule, when can covered entities disclose PHI without the patient’s express written authorization?

A

To facilitate (1) treatment, (2) payment, or (3) healthcare operations. If it discloses PHI, it must make reasonable efforts to disclose only the minimum necessary information required to achieve its purpose. Covered entities can freely disclose de-identified PHI – this is not subject to the Privacy Rule.

8
Q

What is covered by the HIPAA Security Rule?

A

Electronic PHI (ePHI)

9
Q

Under the HIPAA Security Rule, what types of safeguards must covered entities implement to protect ePHI?

A

Administrative, physical, and technical.

10
Q

What is the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009?

A

It expanded HIPAA Privacy and Security Rules to directly regulate “business associates” of covered entities and to establish data breach notification requirements.

11
Q

Under HITECH, what triggers a covered entity’s duty to report a data breach?

A

When unsecured PHI has been accessed, acquired, or disclosed as a result of a data breach.

12
Q

What are the reporting requirements for a data breach under HITECH?

A

When unsecured PHI has been accessed, acquired, or disclosed as a result of a data breach, the covered entity must notify each affected individual and DHHS within 60 days. If a business associate discovers the breach, it must notify the covered entity. If the breach affects over 500 people, it must notify DHHS immediately and, if all of the 500 people are in the same jurisdiction, it must notify the media.

13
Q

Who is regulated by the Fair Credit Reporting Act of 1970 (FCRA)?

A

(1) consumer reporting agencies and (2) users of consumer reports.

14
Q

What are a consumer reporting agency’s basic responsibilities under FCRA?

A

(1) Only furnish if permissible purpose or with permission from consumer; (2) Ensure no prohibited info; (3) Follow reasonable procedures to assure accuracy; (4) Clearly and accurately disclose to consumer all info in file and all who have requested for employment purposes in last 2 years and all who have requested for any purpose in last 1 year; and (5) Annual free copy + free copy within 60 days of any adverse decision based on report

15
Q

What are a user of consumer reports’ basic responsibilities under FCRA?

A

(1) Certify to agency what its permissible purpose is and that it won’t use for impermissible purpose; (2) if taking adverse action based on report, notice to consumer of adverse action + info about agency and consumer’s rights; and (3) if using for employment purposes, certify to agency that user has written authorization from consumer

16
Q

What is the Fair and Accurate Credit Transactions Act of 2003 (FACTA)?

A

FACTA updated FCRA to include “Red Flags” Rule designed to combat identity theft and Disposal Rule to protect against unauthorized access to or use of info in report.

17
Q

What is the Red Flags Rule?

A

Under FACTA, the Red Flags Rule requires creditors and financial institutions to address risk of identity theft by developing and implementing written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

18
Q

What is the Disposal Rule?

A

Under FACTA, it requires user to properly dispose of info in consumer report to protect against “unauthorized access or use.”

19
Q

Who is regulated by the Financial Services Modernization Act of 1999 (“Gramm-Leach-Bliley” or GLBA)?

A

Institutions that are “significantly engaged” in financial activities in the US (aka “domestic financial institutions”) (e.g. banks, auto dealers, savings and loans, credit unions, etc.).