The Global Privacy Enforcement Network (GPEN) is a network for privacy enforcement authorities (PEAs) to share knowledge, experience and best practices on the practical aspects of privacy enforcement and cooperation. GPEN was created in response to the OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy, which called for member countries to foster the establishment of an informal network of PEAs. GPEN’s main purpose is to facilitate cross-border cooperation and coordination among PEAs, especially in cases involving multiple jurisdictions or regions. GPEN also aims to enhance information sharing, promote awareness and education, and support capacity building among PEAs.  References:

Home (public) | Global Privacy Enforcement Network

Global Privacy Enforcement Network - International Association of Privacy Professionals

International Partnerships - Office of the Privacy Commissioner of Canada

Specialised networks – Global Privacy Assembly

Action Plan for the Global Privacy Enforcement Network (GPEN)

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 6, page 213.

The Dodd-Frank Act created the Consumer Financial Protection Bureau (CFPB) as an independent agency within the Federal Reserve System. The CFPB has the authority to regulate consumer financial products and services, such as mortgages, credit cards, student loans, and payday loans. One of the main objectives of the CFPB is to promote transparency, fairness, and consumer choice in the financial marketplace. The CFPB has issued rules and guidance to require financial institutions to provide clear and accurate information to consumers about the costs, risks, and benefits of their products and services.  The CFPB also has the power to enforce consumer protection laws and prohibit unfair, deceptive, or abusive acts or practices by financial institutions 1 2 3   References:   1 :  Dodd-Frank Wall Street Reform and Consumer Protection Act , Title X, Subtitle A, Section 1011.  2 :  Consumer Financial Protection Bureau , Wikipedia.  3 :  Dodd-Frank Act: What It Does, Major Components, and Criticisms , Investopedia.

According to Section 5 of the FTC Act, self-regulation primarily involves a company’s right to adhere to its industry’s code of conduct. Self-regulation is a process by which an industry or a group of companies voluntarily adopts and enforces standards or guidelines to protect consumers and promote fair competition. The FTC encourages self-regulation as a way to complement its enforcement efforts and address emerging issues in the marketplace. The FTC also monitors self-regulatory programs and may take action against companies that fail to comply with their own codes of conduct or misrepresent their participation in such programs.  References:

Federal Trade Commission Act, Section 5 of

Self-Regulation | Federal Trade Commission

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 3, page 79

The Colorado Privacy Act (CPA) grants consumers the right to access, correct, or delete their personal data, including sensitive data, that is processed by a controller 1 .  Sensitive data is defined as personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data, or personal data from a known child 2 .  The CPA also grants consumers the right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or certain kinds of profiling 3 . However, the CPA does not grant consumers the right to limit the use of sensitive data for other purposes, such as providing a product or service requested by the consumer, complying with legal obligations, or protecting the vital interests of the consumer or another person.  Therefore, option D is the correct answer, as it is not a privacy right available under the CPA.  References:   1 :  Colorado Privacy Act (CPA) - Colorado Attorney General   2 :  Protect Personal Data Privacy | Colorado General Assembly   3 :  SENATE BILL 21-190 Woodward, Garcia; PRIVACY. COLORADO PRIVACY ACT …  : Colorado Privacy Act: What You Need to Know | OneTrust DataGuidance

A consent decree is a legal document that resolves a dispute between a governmental agency and an adverse party without admission of guilt or liability by either side. It is approved by a judge and has the force of a court order. A consent decree may include terms such as compliance, monitoring, reporting, or remediation. A consent decree is often used to settle civil enforcement actions brought by federal agencies such as the Federal Trade Commission (FTC), the Environmental Protection Agency (EPA), or the Department of Justice (DOJ).  References:

IAPP Glossary , entry for “consent decree”

[IAPP CIPP/US Study Guide], p. 39, section 2.1.3

[IAPP CIPP/US Body of Knowledge], p. 9, section B.1.a

The Children’s Online Privacy Protection Act (COPPA) is a federal law that regulates the online collection and use of personal information from children under 13 years of age. COPPA requires operators of websites or online services that are directed to children, or that knowingly collect personal information from children, to obtain verifiable parental consent before collecting, using, or disclosing such information. Verifiable parental consent means any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, the child’s parent receives notice of the operator’s information practices and consents to those practices. COPPA also imposes other obligations on operators, such as providing parents with access to their children’s information, maintaining reasonable security measures, and limiting data retention.  References:   COPPA ,  IAPP CIPP/US Study Guide, Chapter 2, Section 2.3.1

When handling sensitive data, such as protected health information (PHI) in compliance with HIPAA , it is crucial for covered entities, such as Miraculous Healthcare, to ensure that their business associates (e.g., MedApps) appropriately safeguard the data they process. While contracts like Business Associate Agreements (BAAs) establish the obligations of business associates, active oversight by the covered entity is a practical and necessary step to mitigate privacy risks and ensure compliance.

Why Active Oversight is the Best Option:

Active oversight involves regular monitoring, audits, and reviews of MedApps’ practices to ensure they comply with the agreed-upon privacy and security obligations.

This approach allows Miraculous Healthcare to confirm that MedApps is implementing appropriate technical and organizational safeguards, such as encryption, secure access controls, and breach notification processes.

It also ensures that MedApps remains compliant with HIPAA requirements over time, even if there are changes to the app, its services, or legal requirements.

Explanation of Options:

A. Prevent MedApps from using copies of the patient data: While restricting MedApps from creating unnecessary data copies could reduce some risks, it is often impractical, especially for troubleshooting, app hosting, and support purposes. HIPAA does not require outright prevention of data copies, as long as PHI is appropriately safeguarded and used solely for permissible purposes.

B. Require MedApps to obtain consent from all patients: Under HIPAA, covered entities (not business associates) are primarily responsible for obtaining patient consent or authorization where required. MedApps, as a business associate, processes PHI on behalf of Miraculous Healthcare and is not in a position to obtain consent directly from patients.

C. Require MedApps to submit a SOC2 report: A SOC 2 (Service Organization Control 2) report can provide valuable assurance regarding MedApps’ security, availability, and confidentiality practices. However, this action alone does not mitigate all risks, as SOC 2 reports are point-in-time assessments and may not reflect ongoing compliance or address specific HIPAA requirements.

D. Engage in active oversight of MedApps: This is the most practical and comprehensive approach. Active oversight includes reviewing MedApps’ privacy practices, conducting periodic assessments, and monitoring compliance with the Business Associate Agreement (BAA) . It ensures that MedApps continues to protect PHI appropriately and addresses any privacy risks proactively.

Additional Context:

In the context of the optional benchmarking service, Riya should ensure:

The uploaded data is de-identified or aggregated to comply with HIPAA’s de-identification standard (45 CFR § 164.514) if possible.

The use of PHI for benchmarking is explicitly addressed in the BAA or a separate agreement.

References from CIPP/US Materials:

HIPAA Privacy Rule (45 CFR § 160.103 and 164.504): Describes the responsibilities of covered entities and business associates, including the need for BAAs and safeguards for PHI.

NIST Privacy Framework and NIST SP 800-53: Provides guidance on implementing oversight mechanisms for third-party risk management.

IAPP CIPP/US Certification Textbook: Discusses the importance of vendor management and active oversight in ensuring privacy compliance.

Conclusion:

Requiring MedApps to submit a SOC 2 report or restricting data use might address specific concerns but would not provide the comprehensive, ongoing protection necessary to reduce risks effectively. Engaging in active oversight is the most practical and effective action to minimize privacy risks while maintaining compliance with HIPAA.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law that regulates the privacy and security of health information in the United States.  HIPAA preempts state laws that are contrary to its provisions, unless the state laws provide more stringent protections for health information 1 2  HIPAA establishes a floor of federal standards for health information privacy and security, but allows states to enact laws that are more protective of individuals’ rights 3 4  For example, some states may require more specific consent from individuals before disclosing their health information, or impose stricter penalties for violations of health information privacy and security.  HIPAA also provides exceptions for certain state laws that serve a compelling public interest, such as public health, safety, or welfare. References:   https://www.findlaw.com/litigation/legal-system/the-supremacy-clause-and-the-doctrine-of-preemption.html

https://www.bonalaw.com/insights/legal-resources/when-does-federal-law-preempt-state-law