HIPAA & Costly Data Breaches. Healthcare: Evolving Claims, Exposures and Regulatory Enforcement


1 HIPAA & Costly Data Breaches. Healthcare: Evolving Claims, Exposures and Regulatory Enforcement. 2015 NLC-RISC Staff Conference, October 19, 2015, Annapolis, MD

2 Presenters: Mark Greisiger, NetDiligence; John Mullen, Lewis Brisbois Bisgaard & Smith

3 Why Are We Here?


5 Healthcare Info Challenges: ePHI Data is Everywhere!
- Highly dependent on technology
- Collecting/sharing vast PRIVATE data
- Continuing to outsource (CLOUD)
- Replicating data everywhere
- Finding it difficult to trace data flow (your Cloud's cloud)
Data & Dependencies are Everywhere: (1) Servers; (2) Corp databases/web applications; (3) Remote users (laptops/iPhones); (4) Back-up/storage facilities; (5) Service providers/CLOUD; (5.b) The clouds for your clouds; (6) Contractor systems; (7) Credit card processors; (8) Mobile apps; (9) Your Big Data analytic marketers, etc.

6 General Cyber Threats
- Insiders or malicious and disgruntled employees
  - Changing data / deleting data / destroying data or programs with logic bombs / crashing systems / holding data hostage / stealing & selling data / entering data incorrectly
- Outside attackers or 'crackers'
  - Intrusion / hack
  - DDoS
  - Social engineering
  - Hacking
  - Extortion
- Viruses & malware
- Non-malicious employees (errors or lost media)
- Non-malicious system/coding glitch
- 3rd-party partner/vendor/cloud breach or mishap

7 How Do Incidents Occur? (accidental vs. intentional, internal vs. external)
- Internal, accidental: Lost devices & inadvertent publication of data
- Internal, intentional: Disgruntled employees
- External, accidental: Vendors & subcontractors
- External, intentional: Hackers & unsecured websites

8 Assess Your Readiness
Purpose: Showcase strengths & ID weak spots
- Build on PCI, HIPAA, privacy & security... and other liabilities
- Reaffirm reasonable safeguards
- Benchmark to standards & peers
- Good-faith effort toward compliance with regs
- Show cloud usage
- Show lessons learned from past incidents (battle-ready stance)
- Cyber risk insurability assessment
- Process should be collaborative
- Educate risk manager/CFO about their own IT operations
- Wide-angle: people, process & tech

9 4 Common Weak Spots
PROBLEM 1) IDS or intrusion detection software (bad-guy alert system)
- Studies show that 70% of actual breach events are NOT detected by the victim company, but by 3rd parties (and many more go undetected completely).
- FTC and plaintiff lawyers often cite failure to detect
PROBLEM 2) Encryption (of private data)
- Identity Theft Resource Center: only 2.4% of all breaches had encryption
- Issues: budgets, complexities and partner systems
- Key soft spots: data at rest... in databases & laptops (lesser extent)
- Benefits: safe harbor (usually)
PROBLEM 3) Patch management challenges
- All systems need constant care (patching) to keep bad guys out.
- Lack of time: Gartner Group estimates that IT managers spend an average of 2 hours per day managing patches.
PROBLEM 4) Vendor mis-management
- Vendors in care, custody & control of systems or data
- Often no oversight; no due diligence
- SLAs often disown security assurances
- 1 in 3 events caused by a 3rd-party vendor

10 Types of Data at Stake
PHI (Protected Health Information): Information created or received by a covered entity or business associate relating to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, that identifies or can be used to identify the individual.
PII (Personally Identifiable Information): i.e., Social Security number, driver's license number, bank account information, credit card information, online/financial account username and password, MEDICAL INFORMATION, HEALTH INSURANCE INFORMATION, and email address and password in California, Florida, and Puerto Rico.
PCI (Payment Card Industry Information): Cardholder data

11 Threats
Malicious attack: Hackers in network, malware and viruses, phishing scams, physical theft of hardware and paper, rogue employees
UNSOPHISTICATED ACTORS
- Employees: Negligence related to use and storage of data, failure to follow or learn policies and procedures, loss of portable devices, mis-mailing of paper, unencrypted emails to the wrong recipients
- Business Associates: Any of the above can occur at a business associate with whom data is shared

12 HIPAA
- Set of national standards to protect protected health information that is created, received, used, or maintained
- Applies to covered entities and business associates
- Imposes reporting requirements and deadlines upon potential or actual unauthorized access, use, disclosure, or handling of protected health information

13 Covered Entity vs. Business Associate
Covered Entity
- Covered entities are: health plan (health insurance company; HMO; company health plan (self-insured); government program that pays for health care such as Medicare or Medicaid); health care clearinghouse (includes entities that process nonstandard PHI received from another entity); health care provider (doctor, clinic, dentist, chiropractor, nursing homes, pharmacies, psychologists)
- Required to comply with HIPAA's Privacy, Security and Notification Rules
Business Associate
- Entity that, on behalf of a covered entity, creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA (includes data analysis, claims processing, utilization review, quality assurance, billing, benefit management, practice management) or provides a service that involves the disclosure of PHI.
- Required to notify the covered entity of a breach no later than 60 days following discovery of the breach
- Content requirements: identification of the affected population, and any other available information that the CE is required to include in notice to the affected individual.
- Required to comply with the Security Rule (administrative, physical and technical safeguards)
- Not directly required to comply with the Privacy Rule, but often required to comply with certain sections under contract with the covered entity, because the Privacy Rule protects PHI when it is created or maintained by a business associate and requires the covered entity to obtain satisfactory assurances from its business associate that it will employ appropriate safeguards.

14 HIPAA Security Incident v. Breach
- SECURITY INCIDENT is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- BREACH is the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

15 Non-Traditional PHI
PHI is broadly defined and includes:
- any information relating to the provision of health care and a physical condition
- any information created or received by a health care provider, health plan, public health authority, employer, life insurer, school, health clearinghouse, etc.
- Social Security numbers, payment information, dates of birth, contact information (telephone numbers, addresses), etc. alone trigger HIPAA
Anthem

16 HIPAA Reporting Deadlines
- Deadline for breach reporting begins running from discovery
- Breach is treated as discovered as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence, would have been known to the covered entity.
- Covered entity is deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity.

17 HIPAA Reporting Deadlines, cont'd
- Individuals: without unreasonable delay and in no case later than 60 business days from discovery
- HHS: without unreasonable delay and in no case later than 60 calendar days from discovery (over 500 affected), or no later than 60 calendar days following the year in which the breach occurred (less than 500 affected)
- Media: without unreasonable delay and in no case later than 60 calendar days following discovery (over 500 in one state or jurisdiction)
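A deadline worksheet for the discovery test on slide 16 and the notice ceilings on slide 17, written here as an added example (it is not from the presentation). The 60-day figures, the 500 threshold, the business-day reading for individual notice and the "year in which the breach occurred" rule are taken from the slides exactly as stated; the knowledge timeline and the holiday-free business-day calendar are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Knowledge:
    """One record of a person learning of the breach (constructed input type)."""
    person: str
    known_on: date
    workforce_or_agent: bool        # workforce member or agent of the covered entity
    committed_breach: bool = False  # the person who committed the breach does not count


def discovery_date(events):
    """First day the breach was known to any workforce member or agent of the
    covered entity other than the person who committed it (the slide-16 test).
    'Reasonable diligence' (should have known) is the reader's call: feed in the
    date an alert fired, not the date somebody read it, to stay conservative."""
    dates = [e.known_on for e in events
             if e.workforce_or_agent and not e.committed_breach]
    if not dates:
        raise ValueError("no qualifying knowledge event: not yet 'discovered'")
    return min(dates)


def add_business_days(start, n):
    """Advance n Monday-to-Friday days; public holidays are ignored (assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def hipaa_deadlines(discovered, breach_occurred, affected_total, max_in_one_state):
    """Outside dates for each HIPAA notice on slide 17. 'Without unreasonable
    delay' still applies, so these are ceilings, not targets."""
    out = {}
    # Individuals: 60 business days from discovery, as the slide states it.
    out["individuals"] = add_business_days(discovered, 60)
    # HHS: the slide says 'over 500' / 'less than 500'; exactly 500 is not
    # addressed there, so check the rule text for the boundary case.
    if affected_total > 500:
        out["hhs"] = discovered + timedelta(days=60)
    else:
        year_end = date(breach_occurred.year, 12, 31)
        out["hhs"] = year_end + timedelta(days=60)
    # Media: only when more than 500 residents of one state or jurisdiction.
    if max_in_one_state > 500:
        out["media"] = discovered + timedelta(days=60)
    return out


# Constructed timeline: the insider who took the data knew first, an outside
# researcher reported it, then IT and compliance staff learned of it.
SAMPLE_EVENTS = [
    Knowledge("insider", date(2015, 9, 1), workforce_or_agent=True, committed_breach=True),
    Knowledge("external researcher", date(2015, 9, 10), workforce_or_agent=False),
    Knowledge("IT analyst", date(2015, 9, 14), workforce_or_agent=True),
    Knowledge("privacy officer", date(2015, 9, 21), workforce_or_agent=True),
]


def worksheet(affected_total, max_in_one_state, breach_occurred=date(2015, 8, 20)):
    """Run the constructed timeline through the rules; dates come back as ISO strings."""
    discovered = discovery_date(SAMPLE_EVENTS)
    due = hipaa_deadlines(discovered, breach_occurred, affected_total, max_in_one_state)
    return {"discovered": discovered.isoformat(),
            **{notice: d.isoformat() for notice, d in due.items()}}


if __name__ == "__main__":
    # A 6,800-record breach, all residents of one state: every notice is triggered.
    for notice, due in worksheet(6800, 6800).items():
        print(f"{notice:<12} {due}")
    # A 120-record breach: no media notice, HHS notice rolls to year-end + 60 days.
    print(worksheet(120, 120))
```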

18 HIPAA: OCR Investigations
- OCR will likely investigate any breach involving over 500 affected individuals
- OCR will request information relating to compliance with the Privacy Rule, Security Rule, and Breach Notification Rule at the time of breach reporting, and in subsequent investigation
- Responses to a request for information are due within twenty (20) to thirty (30) days of the date of OCR's request
- The length of an investigation may vary; it can be years
- OCR will attempt to resolve the investigation with the covered entity by obtaining: voluntary compliance; corrective action; and/or a resolution agreement.
- If an OCR investigation results in a finding of non-compliance with HIPAA, HHS may initiate a formal enforcement action that may result in the imposition of civil money penalties, or take other actions consistent with OCR's jurisdiction, including the referral of the complaint to the Department of Justice for investigation
- To prepare for an OCR investigation, some covered entities are taking steps to achieve voluntary compliance to mitigate potential fines that may result from a breach

19 HIPAA: Penalties for Noncompliance
OCR may impose a civil money penalty on a covered entity or a business associate for a failure to comply with an applicable requirement of the Privacy, Security, or Breach Notification Rule.
Considerations for penalty assessments:
- The nature and extent of the violation;
- The nature and extent of the harms resulting from the violation;
- THE HISTORY OF PRIOR COMPLIANCE, including previous violations; and
- The financial condition of the covered entity or business associate

20 OCR Enforcement Highlights
The most common compliance issues investigated are:
- Impermissible uses and disclosures of protected health information
- LACK OF SAFEGUARDS OF PROTECTED HEALTH INFORMATION
- Lack of patient access to their protected health information
- Lack of administrative safeguards of electronic protected health information
- Use or disclosure of more than the minimum necessary protected health information
The most common types of covered entities required to take corrective action to achieve voluntary compliance are:
- Private practice
- General hospitals
- Outpatient facilities
- Pharmacies
- Health plans (group health plans and health insurance issuers)

21 OCR Settlement Highlights
Concentra Health Services (Concentra)
- Unencrypted laptop containing protected health information of 870 patients.
- OCR found: Concentra failed to adequately remediate and manage its identified lack of encryption and failed to sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations to reduce its identified lack of encryption.
- $1,725,220 settlement
Presbyterian Hospital & Columbia University (2014)
- ePHI accessible through internet search engines, related to 6,800 individuals.
- OCR investigation found: hospital made no effort to assure the server was secure or contained appropriate software protections; no thorough risk analysis or risk management plan; failed to implement appropriate policies or to enforce those it did have in place
- $4.8 million settlement
Anchorage Community Mental Health Services (ACMHS)
- Malware infected ACMHS's information technology resource system
- 2,743 affected individuals
- $150,000 settlement and agreement to adopt a corrective action plan

22 State Regulatory Exposures
- 47 states (plus Puerto Rico, Washington D.C., Virgin Islands) require notice to residents after unauthorized access to personally identifiable information.
- Some states contain express language relating to HIPAA that allows simultaneous compliance with HIPAA and state law as it relates to individual notice (state regulator notice may be required)
- Require companies that conduct business in the state to notify resident consumers of security breaches of unencrypted computerized personal information (includes health information in some states)
- Many require notification of the state attorney general, state consumer protection agencies, and credit monitoring agencies
- Notice due without unreasonable delay
- Some states are requesting an Assurance of Voluntary Compliance
- Some states allow a private right of action for violations

23 Evolving Exposures
VERMONT
- Notice to affected individuals within 45 days of breach discovery
- Notice to VT AG within 14 days of breach discovery or affected-individual notice (whichever is sooner)
KENTUCKY
- Became 47th state with a breach notification law in April 2014
FLORIDA
- Notice to affected within 30 days
- Email address and PW = PII
MASSACHUSETTS
- Written information security plan for businesses storing MA resident personal information
NEW JERSEY
- Username/email address and PW = PII (passed Assembly, currently in Senate committee)
- Certain health insurers must encrypt PII
INDIANA
- Notice without unreasonable delay interpreted by AG as 30 days
- Recent surge in Assurance of Voluntary Compliance requests
CALIFORNIA
- Email address and PW = PII
- Amendment effective 2015 requires the entity providing notice to offer appropriate identity theft prevention and mitigation services if the entity was the source of the breach.
- Strict health information protection: notice to DPH and affected individuals within 15 business days of learning of breach
CONNECTICUT
- AG practice of requesting 2 YEARS OF CREDIT MONITORING following SSN exposure, though not in statute
- Statute requiring at least one year of identity theft prevention and mitigation services, and notice within 90 days (although AG issued a statement stressing notice within 90 days could still be unreasonable delay)
PENNSYLVANIA
- AG requests notice if incident affects PA residents, though no statutory requirement

24 State Law: Evolving Exposures
- California: Personal information triggering notice includes medical information and health insurance information. Strict health information protection: notice to Department of Public Health and affected individuals within 15 business days of learning of breach (CMIA).
- Florida: Notice to affected within 30 days. Any information regarding an individual's medical history, mental or physical condition or medical treatment or diagnosis by a health care professional is considered personal information.
- Montana: New regulatory requirement and expansion of the definition of personally identifiable information to include medical record information and taxpayer identification numbers (effective October 1, 2015).
- Nevada: Expanded the definition of personally identifiable information to include driver authorization card numbers, medical identification or health insurance identification numbers, user names, unique identifiers, or email addresses in combination with passwords, access codes or security questions (effective July 1, 2015).
- Oregon: Requires regulator reporting by the entity maintaining or possessing personal information on behalf of another entity, in addition to reporting the breach to the affected state resident (pending).
- Wyoming: Expanded the definition of personally identifiable information to include medical information, health insurance information and unique biometric information.

25 Regulatory Action: State AGs
Kaiser Foundation Health Plan Inc. (2014) (California AG)
- 20,0000 affected
- Breach occurred December 2011; notice provided March 2012
- Settlement requires notification on a rolling basis (as soon as reasonably possible after identifying a portion of the total affected population)
- Kaiser Permanente paid $150,000 in penalties and attorneys' fees
Beth Israel Deaconess Medical Center (2014) (Massachusetts AG)
- Theft of unencrypted laptop
- 3,796 affected
- Breach occurred May 2012; notice provided August 2012
- Settlement included payment of $100,000, a security assessment, corrective measures and steps to ensure future compliance with state and federal data security laws and regulations (i.e., encryption and training)

26 Regulatory Action: State AGs
Massachusetts: Women & Infants Hospital of Rhode Island (WIH) (2014) (Massachusetts AG)
- WIH discovered in April 2012 that 19 unencrypted backup tapes containing PII of 12,000 Mass. residents were missing, after they were supposedly shipped in the summer of 2011; no notice to consumers and regulators until the fall of
- $150,000 settlement
WellPoint (2011) (Indiana AG)
- Records (including SS#s, health and financial info) of over 32,000 Indiana residents were potentially accessible on an unsecured website (involved 645,000 nationally)
- Settlement includes a $100,000 fine to the state, up to two years of credit protection to affected state residents, and reimbursement of up to $50,000 for any losses

27 Federal Trade Commission
- Applies to a vendor of personal health information, a PHR-related entity, or a third-party service provider for a vendor of PHRs or a PHR entity who are not otherwise obligated to comply with HIPAA
- FTC's breach notification rule parallels HIPAA. OCR and FTC may engage in parallel audits, which may include exchange of information
- Individual notice is required without unreasonable delay and within 60 days of discovery of the breach.
- If more than 500 individuals are affected, notice is required to the FTC within 10 business days. If less than 500 are affected, notice is required to the FTC within 60 days following the end of the calendar year.
- Audit/investigation
- Fines may be $16,000 per violation

28 Litigation Trends
SINGLE PLAINTIFF
- Identity theft
- Privacy
GOVERNMENT ACTION
- Attorney General
- FTC
- HHS
SUBRO/INDEMNITY
- Contractual issues (Business Associate Agreements)
BANKS
- Cost of replacing credit cards
- Reimbursement of fraudulent charges
- Business interruption
CLASS ACTION
- Failure to protect data
- Failure to properly notify
- Failure to mitigate
- Unjust enrichment
- Violations of consumer protection
- Statutory

29 Incidents to Watch
Anthem (2015)
- 80 million affected
- Class actions filed in Alabama and California federal courts
Premera (2015)
- 11 million affected
- At least 5 class actions filed to date
Excellus (2015)
- 10.5 million affected
- At least 5 class actions filed to date, filed in federal court

30 What Can Be Done?
PROACTIVE RISK MANAGER STEPS
- EMPOWERED SENIOR EXECUTIVE
- Talk to your IT security staff. Gain an appreciation of the many challenges
- KNOW: how many records you have; what type of data is being collected, stored, shared, protected; where does all this data reside; when is it purged?
- ASSESS & test your own staff and operations
- Incident response plan
- Document your due care measures (training and enforcement)
- INSURANCE
- Red Flags, data security and breach response plans: affirmative duties
- Service level agreements
- Repeat

31 THANK YOU! John Mullen, Mark Greisiger


More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (Hereinafter "Agreement") dated as of, 2013, is made by and between (Hereinafter Covered Entity ) and (Hereinafter Business Associate ). ARTICLE

More information

DATA SECURITY HACKS, HIPAA AND HUMAN RISKS

DATA SECURITY HACKS, HIPAA AND HUMAN RISKS DATA SECURITY HACKS, HIPAA AND HUMAN RISKS MSCPA HEALTH CARE SERVICES SEMINAR Ken Miller, CPA, CIA, CRMA, CHC, CISA Senior Manager, Healthcare HORNE LLP September 25, 2015 AGENDA 2015 The Year of the Healthcare

More information

Data Breach and Senior Living Communities May 29, 2015

Data Breach and Senior Living Communities May 29, 2015 Data Breach and Senior Living Communities May 29, 2015 Todays Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations

More information

Tape Vaulting Audit And Encryption Usage Analysis

Tape Vaulting Audit And Encryption Usage Analysis Tape Vaulting Audit And Encryption Usage Analysis Prepared for Public Presentation (includes SB 1386, Gramm Leach Bliley, and Personal Data Protection and Security Act of 2005 Customer Information Protection

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy & Breach Notification Training for System Administration Business Associates HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable: PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

More information

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Linda Vincent, R.N., P.I., CITRMS Vincent & Associates Founder The Identity Advocate San Pedro, California The opinions expressed

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

Healthcare Practice. Breach Notification Requirements Under HIPAA/HITECH Act and Oregon Consumer Identity Theft Protection Act. Oregon.

Healthcare Practice. Breach Notification Requirements Under HIPAA/HITECH Act and Oregon Consumer Identity Theft Protection Act. Oregon. Healthcare Practice Breach Notification Requirements Under HIPAA/HITECH Act and Consumer Identity Theft Protection Act August 2013 Anchorage Beijing New York Portland Seattle Washington, D.C. www.gsblaw.com

More information

The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments. Robin B. Campbell Ethan P. Schulman Jennifer S. Romano

The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments. Robin B. Campbell Ethan P. Schulman Jennifer S. Romano The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments Robin B. Campbell Ethan P. Schulman Jennifer S. Romano HIPAAPrivacy and Security Breach Overview of the Laws Developments Incident

More information

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455 Notification of Security Breach Policy Purpose: This policy has been adopted for the purpose of complying with the Health

More information

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010 New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,

More information

3/13/2015 HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA?

3/13/2015 HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA? HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA? 1 DEFINITIONS HIPAA Health Insurance Portability and Accountability Act of 1996 Primarily designed

More information

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY. REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS

More information

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd Data breach, cyber and privacy risks Brian Wright Lloyd Wright Consultants Ltd Contents Data definitions and facts Understanding how a breach occurs How insurance can help to manage potential exposures

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

HIPAA Business Associate Addendum

HIPAA Business Associate Addendum HIPAA Business Associate Addendum THIS HIPAA BUSINESS ASSOCIATE ADDENDUM (this Addendum ) is by and between ( Covered Entity ) and TALKSOFT CORPORATION ( Business Associate ) (hereinafter, Covered Entity

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA Court Reporters and HIPAA OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463 1 What Exactly is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act

More information

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012 HIPAA Privacy, Security, Breach, and Meaningful Use Practice Requirements for 2012 CHUG October 2012 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Standards for Privacy of Individually

More information

Solutions Brief. PC Encryption Regulatory Compliance. Meeting Statutes for Personal Information Privacy. Gerald Hopkins Cam Roberson

Solutions Brief. PC Encryption Regulatory Compliance. Meeting Statutes for Personal Information Privacy. Gerald Hopkins Cam Roberson Solutions Brief PC Encryption Regulatory Compliance Meeting Statutes for Personal Information Privacy Gerald Hopkins Cam Roberson March, 2013 Personal Information at Risk Legislating the threat Since the

More information

The Institute of Professional Practice, Inc. Business Associate Agreement

The Institute of Professional Practice, Inc. Business Associate Agreement The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute

More information

Navigating the New MA Data Security Regulations

Navigating the New MA Data Security Regulations Navigating the New MA Data Security Regulations Robert A. Fisher, Esq. 2009 Foley Hoag LLP. All Rights Reserved. Presentation Title Data Security Law Chapter 93H Enacted after the TJX data breach became

More information

what your business needs to do about the new HIPAA rules

what your business needs to do about the new HIPAA rules what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or

More information

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING By: Jerry Jackson Compliance and Privacy Officer 1 1 Introduction Welcome to Privacy and Security Training course. This course will help you

More information

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,

More information

FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA

FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA APPENDIX PR 12-A FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA LEGAL CITATION California Civil Code Section 1798.82 California Health and Safety (H&S) Code Section 1280.15 42 U.S.C. Section

More information

4/9/2015. One Year After the HIPAA Omnibus Rule: Lessons Learned in Breach Notification. Agenda

4/9/2015. One Year After the HIPAA Omnibus Rule: Lessons Learned in Breach Notification. Agenda One Year After the HIPAA Omnibus Rule: Lessons Learned in Breach Notification Adam H. Greene, JD, MPH Partner Davis Wright Tremaine HCCA Compliance Institute April 22, 2015 Doug Pollack Chief Strategy

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

Data Breach Response Planning: Laying the Right Foundation

Data Breach Response Planning: Laying the Right Foundation Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA

More information

Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches. Gerard M. Stegmaier gstegmaier@wsgr.

Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches. Gerard M. Stegmaier gstegmaier@wsgr. Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches Gerard M. Stegmaier gstegmaier@wsgr.com @1sand0slawyer Data Breach Trends 2011 Average Loss to Organization = $5.5 million

More information

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013 Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and

More information

The Matrix Reloaded: Cybersecurity and Data Protection for Employers. Jodi D. Taylor

The Matrix Reloaded: Cybersecurity and Data Protection for Employers. Jodi D. Taylor The Matrix Reloaded: Cybersecurity and Data Protection for Employers Jodi D. Taylor Why Talk About This Now? Landscape is changing Enforcement by federal and state governments on the rise Legislation on

More information

STANDARD ADMINISTRATIVE PROCEDURE

STANDARD ADMINISTRATIVE PROCEDURE STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE Lewis & Clark College and Allegiance Benefit Plan Management, Inc., (jointly the Parties

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq. The HITECH Act: Implications to HIPAA Covered Entities and Business Associates Linn F. Freedman, Esq. Introduction and Overview On February 17, 2009, President Obama signed P.L. 111-05, the American Recovery

More information

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches

More information

HIPAA Compliance: Efficient Tools to Follow the Rules

HIPAA Compliance: Efficient Tools to Follow the Rules Bank of America Merrill Lynch White Paper HIPAA Compliance: Efficient Tools to Follow the Rules Executive summary Contents The stakes have never been higher for compliance with the Health Insurance Portability

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

plantemoran.com What School Personnel Administrators Need to know

plantemoran.com What School Personnel Administrators Need to know plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of

More information

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant The federal Health Insurance Portability and Accountability Act (HIPAA) spells out strict regulations for protecting health information. HIPAA is expansive and can be a challenge to navigate. Use this

More information

Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate

Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate Privacy, Data Security & Information Use September 16, 2010 Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate by John L. Nicholson and Meighan E. O'Reardon Effective

More information

HIPAA & HITECH AND THE DISCOVERY PROCESS

HIPAA & HITECH AND THE DISCOVERY PROCESS HIPAA & HITECH AND THE DISCOVERY PROCESS HEATHER L. HUGHES, J.D. U.S. Legal Support, Inc. 363 North Sam Houston Parkway East, Suite 900 Houston, Texas 77060 (713) 653-7100 State Bar of Texas 8 th ANNUAL

More information

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August

More information

Health Care Data Breach Discovery Strategies for Immediate Response

Health Care Data Breach Discovery Strategies for Immediate Response Health Care Data Breach Discovery Strategies for Immediate Response March 27, 2014 Pillsbury Winthrop Shaw Pittman LLP Faculty Gerry Hinkley Partner Pillsbury Winthrop Shaw Pittman LLP Sarah Flanagan Partner

More information