Quiz: Sector-Specific Governance: Finance, Health, Education
Test your understanding before moving to the next chapter. Target: 70% or higher to proceed.
Section 1: Multiple Choice (1 point each)
1. Sector-specific governance exists because:
- A) General-purpose data protection laws are unconstitutional in certain sectors.
- B) Some data types create unique harm profiles, operate within pre-existing regulatory infrastructure, and involve sector-specific power dynamics that general-purpose laws cannot adequately address.
- C) The GDPR explicitly exempts the finance, health, and education sectors.
- D) Industry lobbying has prevented general-purpose laws from applying to regulated sectors.
Answer
**B)** Some data types create unique harm profiles, operate within pre-existing regulatory infrastructure, and involve sector-specific power dynamics that general-purpose laws cannot adequately address. *Explanation:* Section 24.1.1 identifies four reasons: unique harm profiles (a breached medical record differs from a breached shopping preference), pre-existing regulatory infrastructure (finance and health were regulated long before data protection law), technical complexity (domain-specific standards), and sector-specific power dynamics (doctor-patient, bank-borrower, school-child relationships). General-purpose laws provide the floor; sector-specific laws raise it where stakes are highest.
2. Under HIPAA, "protected health information" (PHI) includes:
- A) Only data stored in electronic medical records.
- B) Any individually identifiable health information held or transmitted by a covered entity or business associate, in any form — electronic, paper, or oral.
- C) Only information about diagnosed medical conditions.
- D) Health-related marketing data collected by fitness app companies.
Answer
**B)** Any individually identifiable health information held or transmitted by a covered entity or business associate, in any form — electronic, paper, or oral. *Explanation:* Section 24.3 explains that HIPAA's definition of PHI is broad: it covers health information that identifies an individual and is held by a covered entity (health plan, healthcare provider, healthcare clearinghouse) or a business associate. The form is irrelevant — electronic, paper, and oral communications are all covered. However, HIPAA has a significant limitation: it applies only to covered entities and their business associates, not to all organizations that handle health data.
3. The "minimum necessary" standard under HIPAA requires that:
- A) Healthcare providers collect the absolute minimum amount of health data possible.
- B) Covered entities limit the use and disclosure of PHI to the minimum amount necessary to accomplish the intended purpose.
- C) Patients receive the minimum necessary medical treatment.
- D) HIPAA compliance officers minimize their work to the lowest acceptable level.
Answer
**B)** Covered entities limit the use and disclosure of PHI to the minimum amount necessary to accomplish the intended purpose. *Explanation:* Section 24.3 describes the minimum necessary standard as HIPAA's operational equivalent of data minimization. When using or disclosing PHI, covered entities must make reasonable efforts to limit access to only the information needed for the purpose. A billing department processing an insurance claim does not need access to the patient's full psychiatric history. This standard has significant implications for data governance: it requires role-based access controls, purpose-specific data views, and ongoing assessment of who accesses what.
4. FERPA applies to:
- A) All educational institutions, public and private, regardless of funding source.
- B) Educational institutions that receive federal funding from the US Department of Education.
- C) Only public K-12 schools, not colleges or universities.
- D) Only institutions that use digital learning management systems.
Answer
**B)** Educational institutions that receive federal funding from the US Department of Education. *Explanation:* Section 24.4 specifies that FERPA applies to institutions receiving funding under programs administered by the Department of Education. This includes virtually all public schools and most colleges and universities (which receive federal financial aid). The consequence of FERPA violation is not a fine but the potential loss of federal funding — an existential threat for most institutions. Private schools that do not receive federal funding are not subject to FERPA.
5. The "school official exception" under FERPA allows:
- A) School officials to access any student data for any purpose without restriction.
- B) Schools to disclose education records to contractors and service providers who perform institutional services, provided the school maintains direct control and the contractor does not re-disclose the data.
- C) School administrators to share student records with law enforcement without a court order.
- D) Teachers to post student grades publicly as a pedagogical motivation technique.
Answer
**B)** Schools to disclose education records to contractors and service providers who perform institutional services, provided the school maintains direct control and the contractor does not re-disclose the data. *Explanation:* Section 24.4 describes the school official exception as the primary mechanism by which ed-tech companies access student data without individual consent. The school designates the company as a "school official" with a "legitimate educational interest." The exception requires that the school maintain control over the data and that the company use it only for the specified educational purpose. Critics argue this exception has been stretched to cover data-intensive ed-tech platforms far beyond its original intent.
6. PCI-DSS is:
- A) A US federal law governing payment card data, enforced by the FTC.
- B) An industry security standard developed by the major payment card brands (Visa, Mastercard, etc.) that applies to any organization processing, storing, or transmitting cardholder data.
- C) An EU regulation governing electronic payment systems, enforced by the European Banking Authority.
- D) A voluntary certification program for fintech companies.
Answer
**B)** An industry security standard developed by the major payment card brands (Visa, Mastercard, etc.) that applies to any organization processing, storing, or transmitting cardholder data. *Explanation:* Section 24.2 describes PCI-DSS as a private-sector standard — not a government regulation — maintained by the PCI Security Standards Council (founded by Visa, Mastercard, American Express, Discover, and JCB). Despite being non-governmental, PCI-DSS has significant enforcement power: non-compliant merchants face fines from their acquiring banks, increased transaction fees, and potential loss of the ability to process card payments. This makes PCI-DSS a powerful example of co-regulation — industry standards with market-enforced consequences.
7. The EU's Payment Services Directive 2 (PSD2) is significant because it:
- A) Prohibits all digital payments within the EU to protect consumer privacy.
- B) Requires banks to provide third-party providers with access to customer account data (with customer consent), enabling open banking and fintech innovation.
- C) Requires all EU citizens to use a single government-issued digital payment system.
- D) Bans the use of cash within the eurozone.
Answer
**B)** Requires banks to provide third-party providers with access to customer account data (with customer consent), enabling open banking and fintech innovation. *Explanation:* Section 24.2 describes PSD2 as a transformative regulation that shifts the balance of power in financial services. By requiring banks to provide API access to customer data — with customer consent — PSD2 enables fintech companies to build services on top of banking data (budgeting apps, comparison tools, payment initiation services). This introduces data portability into finance and breaks banks' monopoly on customer financial data. The regulation combines data governance (consent, security, access controls) with competition policy.
8. HIPAA's Security Rule specifically governs:
- A) The physical security of hospital buildings.
- B) Administrative, physical, and technical safeguards for electronic protected health information (ePHI).
- C) The security clearance requirements for healthcare workers.
- D) The security of pharmaceutical supply chains.
Answer
**B)** Administrative, physical, and technical safeguards for electronic protected health information (ePHI). *Explanation:* Section 24.3 describes the HIPAA Security Rule as requiring covered entities to implement three categories of safeguards for ePHI: administrative safeguards (policies, training, risk assessment), physical safeguards (facility access controls, workstation security, device management), and technical safeguards (access controls, audit controls, transmission security, encryption). The Security Rule is implementation-focused — it translates the Privacy Rule's access restrictions into specific security requirements.
9. Which of the following scenarios would most likely trigger HIPAA's Breach Notification Rule?
- A) A hospital upgrades its electronic health record system.
- B) A healthcare worker accesses a patient's record for treatment purposes.
- C) An unencrypted laptop containing 5,000 patient records is stolen from a VitraMed employee's car.
- D) A patient requests and receives a copy of their own medical records.
Answer
**C)** An unencrypted laptop containing 5,000 patient records is stolen from a VitraMed employee's car. *Explanation:* Section 24.3 describes the Breach Notification Rule as requiring covered entities to notify affected individuals, HHS, and (for breaches affecting 500+ individuals) the media when unsecured PHI is accessed, used, or disclosed in a way not permitted by the Privacy Rule. A stolen unencrypted laptop containing 5,000 patient records is a textbook breach scenario — the data was unsecured (not encrypted) and accessed by an unauthorized party (the thief). Options A, B, and D describe normal, compliant healthcare data operations.
10. A cross-sector pattern identified in this chapter is that sector-specific governance frameworks tend to:
- A) Replace general-purpose data protection law entirely within their sector.
- B) Layer on top of general-purpose law, adding sector-specific obligations that go beyond the baseline protections.
- C) Apply only to government agencies, not private companies.
- D) Focus exclusively on data security, ignoring privacy and individual rights.
Answer
**B)** Layer on top of general-purpose law, adding sector-specific obligations that go beyond the baseline protections. *Explanation:* Section 24.5 identifies layered governance as a cross-sector pattern. HIPAA does not replace the GDPR for European health data processing — both apply. PCI-DSS does not replace state breach notification laws — both apply. FERPA does not replace state student privacy laws — both apply. This layering creates compliance complexity but also depth: the general-purpose floor ensures baseline protection, while sector-specific layers raise standards where the stakes are highest.
Section 2: True/False with Justification (1 point each)
11. "HIPAA applies to all organizations that collect or process health data in the United States."
Answer
**False.** *Explanation:* HIPAA applies only to "covered entities" (health plans, healthcare providers conducting certain electronic transactions, and healthcare clearinghouses) and their "business associates." A fitness app that collects health data (heart rate, sleep patterns, exercise habits) but is not a covered entity or business associate is not subject to HIPAA — even though it processes sensitive health information. This is one of the most significant gaps in US health data governance: vast quantities of health-related data collected by consumer technology companies fall outside HIPAA's scope.
12. "PCI-DSS is enforced by the US government's Federal Trade Commission."
Answer
**False.** *Explanation:* PCI-DSS is enforced through contractual relationships, not government authority. The payment card brands (Visa, Mastercard, etc.) require their member banks, which in turn require merchants, to comply with PCI-DSS as a condition of processing card payments. Non-compliance results in fines imposed by acquirer banks, increased transaction fees, or loss of card processing privileges. The FTC may take action against companies whose security failures constitute unfair or deceptive practices, but this is under the FTC's general Section 5 authority, not PCI-DSS enforcement.
13. "The European Health Data Space (EHDS) would allow researchers to access patient health data without individual consent for secondary use purposes."
Answer
**True (with important nuances).** *Explanation:* Section 24.3 describes the EHDS proposal as including provisions for "secondary use" of health data — use for research, innovation, and public health purposes — without requiring individual consent, subject to strict governance conditions. Access would be controlled through authorized health data access bodies, pseudonymization or anonymization requirements, specific purpose limitations, and oversight mechanisms. This represents a significant departure from standard GDPR consent requirements and has generated substantial debate about the balance between research utility and individual data rights.
14. "FERPA gives students the right to sue their school if it violates their privacy by disclosing education records."
Answer
**False.** *Explanation:* Section 24.4 notes that FERPA does not include a private right of action — students cannot sue their institutions for FERPA violations. The sole enforcement mechanism is the potential withdrawal of federal funding, administered by the Family Policy Compliance Office within the Department of Education. This enforcement mechanism is rarely invoked (no institution has ever lost federal funding for a FERPA violation), leading critics to describe FERPA as having "toothless" enforcement. This stands in contrast to HIPAA, which includes civil and criminal penalties, and the GDPR, which includes significant fines and individual complaint mechanisms.
15. "Regulatory arbitrage — structuring operations to fall outside sector-specific governance — is a theoretical concern that rarely occurs in practice."
Answer
**False.** *Explanation:* Section 24.5 provides concrete examples. Health apps that avoid being classified as "medical devices" or "covered entities" escape HIPAA's requirements while collecting highly sensitive health data. Fintech companies structured as "technology platforms" rather than "financial institutions" may avoid banking regulation. Ed-tech platforms classified as "school officials" access student data under an exception designed for school employees, not data-intensive technology companies. Regulatory arbitrage is not theoretical — it is a widespread and consequential governance challenge.
Section 3: Short Answer (2 points each)
16. Explain why HIPAA's scope limitation — applying only to covered entities and business associates — is a significant gap in US health data governance. Provide a specific example of health data that falls outside HIPAA's protection.
Sample Answer
HIPAA was enacted in 1996, when health data was primarily created within the traditional healthcare system — hospitals, clinics, health insurance companies. Today, vast quantities of health-related data are generated by consumer technology: fitness trackers recording heart rate and sleep patterns, period-tracking apps recording reproductive health data, mental health apps recording mood and therapy notes, genetic testing services (23andMe, Ancestry) recording genomic data. None of these are "covered entities" under HIPAA unless they have a formal relationship with a healthcare provider or health plan.
A specific example: a period-tracking app that records users' menstrual cycles, sexual activity, and pregnancy status collects deeply sensitive health information. But because the app company is not a healthcare provider, health plan, or business associate, HIPAA does not apply. The data may be shared with advertisers, sold to data brokers, or — as has occurred — subpoenaed by law enforcement. The user has no HIPAA protections whatsoever. This gap means that some of the most sensitive health data generated today is governed only by the app's privacy policy and applicable state laws — far weaker protection than HIPAA provides.
*Key points for full credit:*
- Identifies HIPAA's scope limitation (covered entities only)
- Explains why this is a gap in the modern data landscape
- Provides a specific, concrete example of unprotected health data
17. Describe how the "school official exception" under FERPA has been used by ed-tech companies to access student data, and evaluate whether this use is consistent with the exception's original purpose.
Sample Answer
The school official exception allows schools to disclose education records to parties performing institutional services without obtaining student consent, provided the school maintains direct control and the data is used only for specified educational purposes. Ed-tech companies have relied on this exception extensively: when a school district contracts with a learning management system, a plagiarism detection service, or a student engagement platform, the company is designated as a "school official" and receives student data without individual consent.
This use stretches the exception beyond its original purpose. The exception was designed for situations like a school hiring an accountant to audit financial records — a narrow, well-defined service performed under direct institutional oversight. Modern ed-tech platforms collect far more data than necessary for their stated educational purpose, retain data longer than the service relationship requires, and may use data for product improvement, algorithm training, or commercial purposes that go beyond the school's educational mission. The school's "direct control" over a sophisticated technology platform is often nominal rather than substantive — the school lacks the technical expertise to audit the company's data practices. The exception was designed for an analog world; its application to the digital ed-tech ecosystem raises serious governance concerns.
*Key points for full credit:*
- Explains the school official exception and how ed-tech companies use it
- Identifies the gap between original purpose and current use
- Evaluates the adequacy of "direct control" in the ed-tech context
18. Compare the enforcement mechanisms of HIPAA, FERPA, and PCI-DSS. Which is most effective, and why?
Sample Answer
**HIPAA:** Enforced by the Department of Health and Human Services Office for Civil Rights (OCR). Enforcement includes civil monetary penalties (up to $1.9 million per violation category per year), corrective action plans, and criminal referrals for willful violations. OCR actively investigates complaints and conducts audits. HIPAA enforcement has produced significant settlements (Anthem: $16 million, Premera: $6.85 million).
**FERPA:** Enforced by the Department of Education's Family Policy Compliance Office (FPCO). The sole sanction is withdrawal of federal funding — a severe but rarely used threat. No fines, no criminal penalties, no private right of action. No institution has ever lost federal funding for a FERPA violation. FPCO primarily issues guidance and complaint determinations.
**PCI-DSS:** Enforced through contractual relationships within the payment card ecosystem. Non-compliant entities face fines from acquiring banks (up to $100,000/month), increased transaction fees, and potential loss of card processing ability. No government enforcement, but market-based penalties can be severe.
PCI-DSS is arguably the most effective in driving compliance behavior because its penalties are immediate, certain, and economically significant — a merchant that cannot process credit cards cannot operate. HIPAA is moderately effective — penalties are significant but investigations are slow. FERPA is the least effective because its sole sanction (funding withdrawal) is too severe to be credible, creating an enforcement gap where violations go unpunished.
*Key points for full credit:*
- Describes enforcement mechanisms for all three frameworks
- Compares effectiveness with reasoning
- Identifies the credibility problem in FERPA enforcement
19. Explain the concept of "regulatory arbitrage" in the health-tech context. Provide a specific example and explain how regulators could address it.
Sample Answer
Regulatory arbitrage in health-tech occurs when companies structure their products and operations to fall outside the scope of health data regulations — particularly HIPAA — while collecting and processing data that is functionally equivalent to protected health information.
A specific example: a "wellness" app that tracks users' blood pressure, blood glucose levels, and medication schedules but markets itself as a "lifestyle tool" rather than a "medical device" or "health service." Because the company is not a covered entity, HIPAA does not apply, even though the data is as sensitive as any clinical record.
Regulators could address this through several mechanisms: (1) expanding HIPAA's scope to cover any entity that collects individually identifiable health information, regardless of whether it is a covered entity; (2) enacting a comprehensive federal privacy law that provides baseline protections for all personal data, eliminating the gap between HIPAA-covered and non-covered health data; (3) the FTC using its Section 5 authority more aggressively against health apps whose data practices are "unfair" (the FTC has taken some enforcement actions in this space); or (4) Congress enacting health-app-specific legislation that imposes governance requirements on consumer health technology regardless of HIPAA classification.
*Key points for full credit:*
- Defines regulatory arbitrage in the health-tech context
- Provides a specific example
- Proposes at least two regulatory responses
Section 4: Applied Scenario (5 points)
20. Read the following scenario and answer all parts.
Scenario: EduTrack Analytics
EduTrack Analytics provides a "student success" platform to 200 US school districts. The platform collects: student names, grades, attendance, disciplinary records, free/reduced lunch status, and — through a machine learning feature — predicted likelihood of on-time graduation. EduTrack recently added a "Social-Emotional Learning" (SEL) module that asks students to self-report their emotional state daily through emoji selections.
The company has contracts with each school district designating EduTrack as a "school official" under FERPA. EduTrack's privacy policy states that it does not "sell" student data but reserves the right to use aggregated data for "product improvement and research." The company recently published a research paper using aggregated EduTrack data, analyzing correlations between free/reduced lunch status and predicted graduation likelihood.
A parent in one district — a single mother whose child is flagged as "at risk" by the graduation prediction model — contacts the school to ask why her son is receiving targeted intervention. The school cannot explain the model's reasoning.
(a) Identify the FERPA implications of EduTrack's data collection and use. Is the school official exception appropriately applied? What specific FERPA requirements might be violated? (1 point)
(b) The SEL module collects students' self-reported emotional states. Analyze whether this data qualifies as an "education record" under FERPA. What additional governance concerns does emotional wellbeing data raise? (1 point)
(c) EduTrack's use of aggregated data for research — specifically, the correlation between free/reduced lunch status and graduation prediction — raises concerns even though no individual student is identified. Explain what these concerns are, referencing the concepts of re-identification risk, proxy discrimination, and the potential for aggregated findings to harm vulnerable groups. (1 point)
(d) The mother cannot get an explanation for why her son was flagged. Analyze this transparency gap under FERPA (right of access to education records) and under the broader ethical frameworks from Chapter 6 (transparency, accountability). What should the school and EduTrack be required to provide? (1 point)
(e) Propose a governance framework for school districts that would address the issues identified in this scenario. Your framework should cover: vendor selection criteria, contract requirements, data minimization standards, transparency obligations, and parent/student rights. (1 point)
Sample Answer
**(a)** The school official exception is stretched here. While FERPA permits disclosure to parties performing institutional services, the scope of EduTrack's collection goes beyond what is necessary for academic support: disciplinary records, free/reduced lunch status, and predicted graduation likelihood are not needed for basic academic services. The "product improvement and research" use of aggregated data may violate the requirement that the school official use data only for the specified educational purpose. Additionally, FERPA requires that the school maintain "direct control" over the data — but school districts likely lack the technical capacity to audit EduTrack's machine learning models or data practices. FERPA's access rights are also potentially implicated: if the graduation prediction becomes part of the student's record, the parent has a right to inspect and challenge it.
**(b)** If the emotional state data is maintained by the school or a party acting on its behalf and is directly related to the student, it likely qualifies as an education record under FERPA. Emotional wellbeing data raises heightened concerns: it is sensitive, subjective, and potentially stigmatizing. A record showing that a student reported feeling "sad" daily for two months could be interpreted by future institutions, employers, or others who access the record. The data may also implicate COPPA (if students are under 13), state student privacy laws, and emerging mental health data protection standards. Governance should require: informed consent beyond the standard FERPA disclosure, age-appropriate data collection methods, strict access limitations, and defined retention/deletion schedules.
**(c)** Even aggregated, the correlation between free/reduced lunch status and predicted graduation likelihood is problematic. First, re-identification risk: in small school districts, "students receiving free lunch" may be a small enough group to identify individuals. Second, proxy discrimination: free/reduced lunch status is strongly correlated with race and ethnicity. Publishing this correlation without context risks reinforcing stereotypes and could be used to justify reduced investment in low-income students ("the model predicts they won't graduate anyway"). Third, the research may feed back into the model itself, creating a self-fulfilling prophecy: if the model weights socioeconomic status heavily in its predictions, students from low-income families are flagged as at-risk not because of their academic performance but because of their economic background.
**(d)** Under FERPA, the mother has the right to inspect and review her son's education records. If the graduation prediction is maintained as part of his record, she should be able to see it and challenge it. But FERPA does not require explanation of algorithmic reasoning — it grants access to records, not to the logic behind predictions. Ethically, this is insufficient: the transparency principle (Chapter 6) requires that individuals understand decisions that affect them, and the accountability principle requires that decision-makers can explain and justify their actions. The school and EduTrack should be required to provide: (a) the specific data inputs used in the prediction, (b) a non-technical explanation of how the model works, (c) the factors that contributed to the "at risk" classification, and (d) a mechanism for the parent to contest the classification.
**(e)** Governance framework for school districts:
- **Vendor selection:** Require vendors to demonstrate FERPA compliance, provide data governance documentation, submit to independent security audits, and commit to data minimization (collect only data necessary for the contracted educational service).
- **Contract requirements:** Specify that the vendor may not use student data for product improvement, research, or any purpose beyond the contracted service. Require data deletion within 90 days of contract termination. Prohibit re-disclosure to third parties.
- **Data minimization:** Limit collection to data directly necessary for academic support. Prohibit collection of emotional wellbeing data without explicit parental consent. Require justification for each data field collected.
- **Transparency:** Require vendors to provide plain-language explanations of any predictive models used. Publish data practices summaries for parents. Provide annual data use reports to the school board.
- **Parent/student rights:** Ensure parents can access all data held about their child (including algorithmic predictions). Provide a mechanism to contest predictions and request human review. Require affirmative consent for sensitive data collection (emotional, behavioral, health).
Scoring & Review Recommendations
| Score Range | Assessment | Next Steps |
|---|---|---|
| Below 50% (< 15 pts) | Needs review | Re-read Sections 24.1-24.3, redo Part A exercises |
| 50-69% (15-20 pts) | Partial understanding | Review specific weak areas, focus on Part B exercises |
| 70-85% (21-25 pts) | Solid understanding | Ready to proceed to Chapter 25 |
| Above 85% (> 25 pts) | Strong mastery | Proceed to Chapter 25: Enforcement, Compliance, and the Limits of Law |

| Section | Points Available |
|---|---|
| Section 1: Multiple Choice | 10 points (10 questions x 1 pt) |
| Section 2: True/False with Justification | 5 points (5 questions x 1 pt) |
| Section 3: Short Answer | 8 points (4 questions x 2 pts) |
| Section 4: Applied Scenario | 5 points (5 parts x 1 pt) |
| Total | 28 points |