Internet2 Health Network Initiative Security Group. Co-Chairs Bob Meeker Sean Lynch Internet2 Program Office Department of Veterans Affairs
Slide 1: Internet2 Health Network Initiative Security Group
Co-Chairs: Bob Meeker, Sean Lynch
Internet2 Program Office; Department of Veterans Affairs
Slides 2-3: Agenda
1. Federal Security Regulations in RHCPP Partnerships (presentation & discussion)
2. 3rd Party Security/Network Operations Center Support for RHCPPs (a concept discussion)
3. SEC-WG Action for the Future (round table)
Slide 4:
- HIPAA Security Rule (Confidentiality & Integrity): Entities that manage patient data need to protect that data by making sure it stays confidential, that it isn't altered, and that it can't be accessed by those not authorized.
- FTC Red Flag Rule (Confidentiality): Requires financial institutions to implement a program to detect, prevent and mitigate instances of identity theft.
- SOX (Confidentiality, Integrity & Availability): Establishes a requirement for public corporations to install security controls on their systems and report on the effectiveness of the controls annually. In the same report, their certified accounting firms must attest to the corporation's statement and assessment.
- FISMA (Confidentiality, Integrity & Availability): Establishes a risk-based policy for cost-effective security in Federal government systems. It is probably the most thorough of the regulations in terms of identifying risk, the selection of required security controls, the assessment of the implementation of those controls, and reporting the status of the controls.
Slide 5 (section divider): FISMA / HIPAA Security Rule / Sarbanes-Oxley (SOX) / FTC Red Flag Rule
Slide 6 (HIPAA Security Rule): Deployment of a series of administrative, technical, and physical security procedures for use by covered entities to assure the confidentiality and integrity of electronic protected health information.
Slide 7 (HIPAA Security Rule): Who is Subject to the Standard?
- Covered Health Care Providers: any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard
- Health Plans: any individual or group plan that provides or pays the cost of health care (e.g., a health insurance issuer and the Medicare and Medicaid programs)
- Health Care Clearinghouses: a public or private entity that processes another entity's health care transactions from a standard format to a non-standard format, or vice versa
Slide 8 (HIPAA Security Rule): The Business Associate Escape Hatch
- Protected health information held by covered entities may be disclosed to a business associate to help the covered entity carry out its health care functions
- A covered entity must obtain satisfactory assurances in writing that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity
- The document may be a contract or other agreement between the covered entity and the business associate
- This is going away!
Slide 9 (HIPAA Security Rule):
- $100 for each violation
- The total amount imposed for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000
Slide 10 (HIPAA Security Rule):
- Business Associates must now comply directly with the Security Rule
- Disclosure accounting requirements must be maintained for disclosure of an electronic health record for treatment, payment or healthcare operations (effective date between Jan. 1, 2011 and Jan. 1, 2014)
- Each individual affected by a security breach must be notified by the entity or business associate that had the breach
- HHS must issue, and annually update, guidance specifying the technologies and methodologies that will render EPHI secure
- General effective date is February 17, 2010
Slide 11 (HIPAA Security Rule):
- Compliance with a patient restriction request is required if the disclosure is to a health plan for purposes of carrying out payment or health care operations (not treatment) and the PHI pertains solely to a health care item or service for which the health care provider has been paid in full
- Sale of Electronic Health Records, or PHI, is expressly prohibited without patient approval
- Vendors of personal health records are now subject to HIPAA
- "Periodic audits" by HHS are required to ensure compliance by business associates and covered entities
Slide 12 (HIPAA Security Rule):
- Violations due to "reasonable cause and not to willful neglect": $1,000 for each violation; $100,000 maximum penalty during a calendar year
- Violations due to willful neglect, corrected: $10,000 for each violation; $250,000 maximum penalty during a calendar year
- Violations due to willful neglect, not corrected properly: $50,000 for each violation; $1,500,000 maximum penalty during a calendar year
Slide 13 (HIPAA Security Rule):
- State attorneys general can now bring a HIPAA enforcement action for rules violations
- States may not initiate action while a Federal action is in progress
- Individuals affected by a HIPAA violation will be able to receive a percentage of any civil monetary penalty or monetary settlement
Slide 14 (section divider): FISMA / HIPAA Security Rule / Sarbanes-Oxley (SOX) / FTC Red Flag Rule
Slide 15 (FTC Red Flag Rule): Develop and implement a written Identity Theft Prevention Program (ITPP) to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts.
Slide 16 (FTC Red Flag Rule): The Program must include four elements as reasonable policies and procedures:
1. Identify relevant Red Flags for covered accounts and incorporate those Red Flags into the Program
2. Detect Red Flags that have been incorporated into the Program
3. Respond appropriately to any Red Flags that are detected, to prevent and mitigate identity theft
4. Ensure the Program is updated periodically to reflect changes in risks to customers, or to the safety and soundness of the financial institution or creditor, from identity theft
Slide 17 (FTC Red Flag Rule):
- The initial written Program must be approved by the board of directors or a committee of the board
- The board or a senior executive must have oversight of the development, implementation and administration of the Program
- Staff must be trained in the Program
- Oversight authority includes the administration of service provider arrangements
Slide 18 (FTC Red Flag Rule): "Creditors" with covered accounts
- A creditor is any entity that regularly arranges for the extension, renewal, or continuation of credit, or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit
- Non-profit and government entities that defer payment for goods and services are considered creditors
- Accepting credit cards as a form of payment does not make you a creditor
Slide 19 (FTC Red Flag Rule): A covered account is
- An account primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions
- Any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft
Slide 20 (FTC Red Flag Rule):
- Effectively, anyone that extends credit to consumers comes under the FTC's Red Flag Rule
- If you accept payment after services are rendered, it is very likely that Red Flag applies to you. Check with your legal department.
Slide 21 (FTC Red Flag Rule):
- States may impose a $1,000 penalty if there is no Federal action
- Penalties imposed by the FTC for violations may not exceed $2,500 per infraction
Slide 22 (section divider): FISMA / HIPAA Security Rule / Sarbanes-Oxley (SOX) / FTC Red Flag Rule
Slide 23 (Sarbanes-Oxley (SOX)):
- Corporations are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting
- The firm's registered accounting firm must, in the same report, attest to and report on the assessment of the effectiveness of the internal control structure and procedures for financial reporting
- The emphasis is on the accuracy and authenticity of the annual financial statements
Slide 24 (Sarbanes-Oxley (SOX)):
- Applies to all Public Companies
- Exceptions for Smaller Public Companies: management assessment delayed until the 2007 annual report (last year); auditor's attestation delayed until the 2008 annual reports (this year)
- If you are a public corporation, you are probably undergoing assessments and creating corrective action plans for your deficiencies under the watchful eye of your corporation's registered accounting firm
Slide 25 (Sarbanes-Oxley (SOX)):
- The Public Company Accounting Oversight Board (PCAOB) was created by the Act to:
  - Develop Standards and Related Rules
  - Certify Public Accounting Firms
- SOX is part of the federal code that empowers the FTC with regulatory and enforcement responsibilities
Slide 26 (Sarbanes-Oxley (SOX)):
- Fines and/or up to 20 years imprisonment for altering, destroying, mutilating, concealing, or falsifying records, documents or tangible objects with the intent to obstruct, impede or influence a legal investigation
- Fines and/or imprisonment up to 10 years for any accountant who knowingly and willfully violates the requirements for maintenance of all audit or review papers for a period of 5 years
- Fines and/or imprisonment up to 10 years for anyone who knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any federal offense
Slide 27 (section divider): FISMA / HIPAA Security Rule / Sarbanes-Oxley (SOX) / FTC Red Flag Rule
Slide 28 (FISMA):
- Title III of the E-Government Act of 2002, the Federal Information Security Management Act (FISMA)
- Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources
Slide 29 (FISMA): Each federal agency must develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Slide 30 (FISMA): For each system:
- Develop a Plan for security
- Ensure that appropriate officials are assigned security responsibility
- Periodically review the security controls in their information systems
- Authorize system processing prior to operations and, periodically, thereafter
- Develop a Contingency Plan
Slide 31 (FISMA): Who is subject to the Standard?
- All non-classified Federal Civilian IT Systems, including those provided or managed by another agency, contractor, or other source
- Each agency varies in how it applies FISMA to contractor systems
- In general, if your organization has a contract with a Federal agency and (1) performs data processing for the agency, or (2) has an IT support system that is a repository for agency data, or (3) produces planning or engineering data for the agency, you will be subject to FISMA in some form
Slide 32 (FISMA):
- Each agency is responsible for performing a Certification and Accreditation (C&A) on all systems at least once every three years or when significant changes are made to the system
- Financial systems have an annual C&A requirement
- For systems having a Moderate or High sensitivity, the assessment must be performed by an independent party
- Deficiencies are recorded and tracked in Corrective Action Plans (CAP) and reported to OMB quarterly
- The Department IG reviews agency C&As to verify that the defined process is followed, to ensure the Authorizing Official has a clear understanding of the risk associated with a system
Slide 33 (FISMA):
- Loss of authority to operate (for contractors, possible termination of contract)
- Loss of system funding except to correct deficiencies
- In some cases, the opportunity to testify before Congress
Slide 35 (Summary): All of the standards codify best practices in IT and security, including:
- Documentation (Policy, Procedures, Product, etc.)
- Separation of duties
- Minimum privilege
- Change Management
- Access Control (generally RBAC) & Management
- Contingency Planning
- Prudence and due diligence
Slide 36 (Summary):
- All of the standards promote a risk management approach to security in their respective areas of interest
- All of the standards provide for cost/benefit trade-offs in applying controls, including consideration of the company environment
- SOX and FISMA include controls that address the other standards
Slide 37 (Summary): The application of these standards to a RHCPP will be determined by the services provided by the entity. If the RHCPP is a legal association of independent businesses formed to obtain telecommunications services for all, it may be that none of the standards apply:
- HIPAA: no use, storage or visibility of EPHI
- Red Flag: no credit to the public
- SOX: a public corporation subject to FTC regulation?
- FISMA: carriers are not subject to FISMA, and the RHCPP entity is equivalent to a carrier. The system owner is responsible for assuring security.
Slide 38 (Summary): RHCPP services or characteristics which would be subject to security standards:
- Administrative, Billing, Payment: HIPAA, Red Flag (?)
- HIE, Central Health Record Storage: HIPAA
- Regional Health Information Organizations: HIPAA
- In the unlikely event that a RHCPP is a public corporation subject to FTC regulation, do not forget SOX
Slide 39 (Summary):
- If the RHCPP entity provides SOC/NOC services, the services should be compliant with HIPAA and FISMA controls
- If the RHCPP entity provides telecommunications for disaster recovery, it should be designed for compliance with HIPAA and FISMA controls
Slide 40 (Summary): FTC Red Flag and HIPAA are the likely standards that will apply to members of an RHCPP consortium
- HIPAA is a sure thing
- FTC Red Flag is punishment for the good deed of payment plans for a patient
- SOX compliance is a benefit of going public (corporate IPOs)
- FISMA compliance may stem from collaboration with a Federal Agency
Slides 41-42 (section divider): FISMA / HIPAA Security Rule / Sarbanes-Oxley (SOX) / FTC Red Flag Rule
Slide 43 (HIPAA Security Rule): Detailed Standards are referenced in the following publication:
- Department of Health and Human Services, Office of the Secretary, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule (securityfinalrule.pdf)
Slide 44 (HIPAA Security Rule):
- HIPAA Security Educational Paper Series (CMS): seven papers providing guidance on the implementation of the standards, developed by CMS
- The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (HHS OCR & ONC): establishes the roles of individuals and the responsibilities of those who hold and exchange electronic individually identifiable health information through a network
- The Health IT Privacy and Security Toolkit (HHS ONC): tools for implementing the Privacy and Security Framework
Slide 45 (HIPAA Security Rule):
- Covered Entity Charts (CMS) (CoveredEntitycharts.pdf)
- An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (NIST SP Rev 1, Oct 2008) (Revision1.pdf)
Slides 46-49 (FTC Red Flag Rule): Red Flags
1. A fraud alert included with a consumer report
2. Notice of a credit freeze in response to a request for a consumer report
3. A consumer-reporting agency providing a notice of address discrepancy
4. Unusual credit activity, such as an increased number of accounts or inquiries
5. Documents provided for identification appearing altered or forged
6. Photograph on ID inconsistent with appearance of customer
7. Information on ID inconsistent with information provided by person opening account
8. Information on ID, such as signature, inconsistent with information on file at financial institution
9. Application appearing forged or altered, or destroyed and reassembled
10. Information on ID not matching any address in the consumer report; Social Security number has not been issued or appears on the Social Security Administration's Death Master File, a file of information associated with Social Security numbers of those who are deceased
11. Lack of correlation between Social Security number range and date of birth
12. Personal identifying information associated with known fraud activity
13. Suspicious addresses supplied, such as a mail drop or prison, or phone numbers associated with pagers or an answering service
14. Social Security number provided matching one submitted by another person opening an account, or by other customers
15. An address or phone number matching one supplied by a large number of applicants
16. The person opening the account unable to supply identifying information in response to notification that the application is incomplete
17. Personal information inconsistent with information already on file at financial institution or creditor
18. Person opening account or customer unable to correctly answer challenge questions
19. Shortly after change of address, creditor receiving request for additional users of account
20. Most of available credit used for cash advances, jewelry or electronics, plus customer fails to make first payment
21. Drastic change in payment patterns, use of available credit or spending patterns
22. An account that has been inactive for a lengthy time suddenly exhibiting unusual activity
23. Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account
24. Financial institution or creditor notified that customer is not receiving paper account statements
25. Financial institution or creditor notified of unauthorized charges or transactions on customer's account
26. Financial institution or creditor notified that it has opened a fraudulent account for a person engaged in identity theft
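As an added example that is not part of the presentation, the Python below screens a batch of constructed account-opening and account-activity records for several of the Red Flags listed above: a Social Security number on the Death Master File, a mail-drop or prison address or pager/answering-service phone, an SSN or address/phone shared across many applicants, a request for additional users shortly after an address change, a long-dormant account suddenly active, and mail repeatedly returned on an active account. The record layout, field names, thresholds and all sample values (including the 900-series SSNs) are assumptions; the rule itself leaves such thresholds to each creditor's Program.

```python
# Added example, not from the presentation: screens constructed account records
# for several of the Red Flags in the slides.  All fields and values are assumed.
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Application:
    """An account-opening application (constructed record layout)."""
    app_id: str
    ssn: str                            # made-up 900-series values below
    address: str
    phone: str
    address_type: str = "residential"   # e.g. "mail drop", "prison"
    phone_type: str = "landline"        # e.g. "pager", "answering service"


@dataclass
class Account:
    """An existing covered account (constructed record layout)."""
    acct_id: str
    last_activity: date          # last transaction before the current 30-day window
    txns_last_30d: int           # transactions in the current 30-day window
    returned_mail: int           # statements returned undeliverable this year
    address_changed_on: Optional[date] = None
    add_user_request_on: Optional[date] = None


# Thresholds the rule leaves to the creditor's own Program (assumed values).
SUSPICIOUS_ADDRESS_TYPES = {"mail drop", "prison"}
SUSPICIOUS_PHONE_TYPES = {"pager", "answering service"}
SHARED_CONTACT_THRESHOLD = 3                 # "a large number of applicants"
DORMANT_DAYS = 365                           # "inactive for a lengthy time"
RETURNED_MAIL_THRESHOLD = 2                  # "repeatedly returned"
ADDRESS_CHANGE_WINDOW = timedelta(days=30)   # "shortly after change of address"


def screen_applications(apps, death_master_file):
    """Account-opening Red Flags over a whole batch.  death_master_file is a set
    of SSNs reported deceased (constructed stand-in for the SSA file)."""
    flags = []
    ssn_count = Counter(a.ssn for a in apps)
    contact_count = Counter()
    for a in apps:                       # batch-level counts first: the shared-value
        contact_count[("address", a.address)] += 1     # flags need the whole batch
        contact_count[("phone", a.phone)] += 1
    for a in apps:
        if a.ssn in death_master_file:
            flags.append((a.app_id, "deceased_ssn", "SSN appears on Death Master File"))
        if a.address_type in SUSPICIOUS_ADDRESS_TYPES or a.phone_type in SUSPICIOUS_PHONE_TYPES:
            flags.append((a.app_id, "suspicious_contact", f"{a.address_type}/{a.phone_type}"))
        if ssn_count[a.ssn] > 1:
            flags.append((a.app_id, "shared_ssn", "SSN submitted by another applicant"))
        if (contact_count[("address", a.address)] >= SHARED_CONTACT_THRESHOLD
                or contact_count[("phone", a.phone)] >= SHARED_CONTACT_THRESHOLD):
            flags.append((a.app_id, "shared_contact", "address or phone used by many applicants"))
    return flags


def screen_accounts(accounts, today):
    """Existing-account Red Flags, evaluated as of `today`."""
    flags = []
    for acct in accounts:
        if acct.address_changed_on and acct.add_user_request_on:
            gap = acct.add_user_request_on - acct.address_changed_on
            if timedelta(0) <= gap <= ADDRESS_CHANGE_WINDOW:
                flags.append((acct.acct_id, "add_user_after_move", f"{gap.days} days after address change"))
        if (today - acct.last_activity).days > DORMANT_DAYS and acct.txns_last_30d > 0:
            flags.append((acct.acct_id, "dormant_active", "inactive account suddenly active"))
        if acct.returned_mail >= RETURNED_MAIL_THRESHOLD and acct.txns_last_30d > 0:
            flags.append((acct.acct_id, "returned_mail_active", "mail returned on active account"))
    return flags


def flag_codes(flags, record_id):
    """Sorted flag codes raised for one record (what a review queue would show)."""
    return sorted(code for rid, code, _ in flags if rid == record_id)


# Constructed sample batch: A2, A3 and the "1 Main St" cluster should be flagged.
SAMPLE_APPS = [
    Application("A1", "900-00-0001", "12 Elm St", "555-0100"),
    Application("A2", "900-00-0002", "Box 9, Mail Stop", "555-0101", address_type="mail drop"),
    Application("A3", "900-00-0003", "77 Oak Ave", "555-0102"),
    Application("A4", "900-00-0004", "1 Main St", "555-0200"),
    Application("A5", "900-00-0004", "1 Main St", "555-0201"),   # same SSN as A4
    Application("A6", "900-00-0006", "1 Main St", "555-0202"),
]
SAMPLE_DMF = {"900-00-0003"}             # constructed Death Master File entries
TODAY = date(2010, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("C1", date(2010, 5, 20), 4, 0),
    Account("C2", date(2008, 12, 1), 3, 0),                       # dormant, now active
    Account("C3", date(2010, 5, 1), 6, 3),                        # mail bouncing, still active
    Account("C4", date(2010, 5, 25), 2, 0, date(2010, 5, 10), date(2010, 5, 20)),
    Account("C5", date(2010, 5, 28), 1, 1, date(2010, 1, 10), date(2010, 5, 20)),
]

if __name__ == "__main__":
    for hit in screen_applications(SAMPLE_APPS, SAMPLE_DMF) + screen_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(hit)
```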
Slide 50 (FTC Red Flag Rule):
- ID Theft Red Flags, EDUCAUSE CONNECT [Term View]
- The Red Flags Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft
- Agencies Issue Final Rules on Identity Theft Red Flags
- FTC's red flag rules cast wide identity theft net, Network World
Slide 51 (Sarbanes-Oxley (SOX)):
- Auditing Standard No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements (Standards_and_Related_Rules/Auditing_Standard_No. 5.aspx)
Slide 52 (Sarbanes-Oxley (SOX)):
- The Sarbanes-Oxley Act
- SOX Internal Control Reporting Provisions
- Spotlight on: Sarbanes-Oxley Rulemaking and Reports
- Sarbanes-Oxley Section 404: A Guide for Small Business
- NIST - RBAC & Sarbanes-Oxley Compliance
- The Public Company Accounting Oversight Board
Slide 53 (FISMA):
- FIPS Publication 199 (Security Categorization)
- FIPS Publication 200 (Minimum Security Controls)
Slide 54 (FISMA):
- NIST Special Publication (Security Plan Development)
- NIST Special Publication (Risk Assessment)
- NIST Special Publication (Contingency Plan Development)
- NIST Special Publication (Certification & Accreditation)
- NIST Special Publication , Draft (Risk Management Framework)
- NIST Special Publication (Recommended Security Controls)
Slide 55 (FISMA):
- NIST Special Publication A (Security Control Assessment)
- NIST Special Publication (National Security Systems)
- NIST Special Publication (Security Category Mapping)
- NIST Special Publication (Electronic Authentication Guideline) (Appendix A: Estimating Password Entropy and Strength)
Slide 56: Agenda
1. Federal Security Regulations in RHCPP Partnerships (presentation & discussion)
2. 3rd Party Security/Network Operations Center Support for RHCPPs (a concept discussion)
3. SEC-WG Action for the Future (round table)
Slide 57 (SOC/NOC Support):
- The RHCPP is an assembly of independent businesses and individuals to provide medical care to rural areas
- The contractual basis for associations varies (association, partnership, joint venture, etc.), but must meet the requirements of the FCC RHCPP
Slide 58 (SOC/NOC Support):
- Undetermined organization hierarchy: at best, a hazy management structure defined by the type of association agreement
- Multiple independent entities, where the AMCs are the big fish in the pond
- Diverse physical environments with variable levels of physical security: data centers, store fronts, large and small clinics; guards and badge-reader entries to open doors with simple locks
Slide 59 (SOC/NOC Support): Diverse systems with broad variations in equipment, staffing and IT security
- One or more workstations with limited or no local networks
- Windows internal firewalls or small internal firewalls
- Limited, at best, IDS/IPS capability
- Broad variation in account and password management
- Minimal or no IT staff, up to full organizations
- Training programs ranging from "did you read the manual" to office meetings
- The potential for aged or even legacy technology
Slide 60 (SOC/NOC Support): How will the following functions be addressed in the RHCPP environment?
- Incident Response
- IDS/IPS
- NOC/SOC
To what level should individual organizations be responsible for local access controls and account management? Some will have very limited or no IT expertise. Can the larger organizations in the RHCPP assume this function? Can it be provided as a network service?
Slide 61 (SOC/NOC Support): The creation of a consortium by the RHCPPs to provide common network and security services to the RHCPPs was discussed by a group of attendees at the Fall 08 Internet2 Member Meeting. The services could include:
- Network Operations (Control & Monitoring)
- Security Operations (IDS/IPS, Malware Maintenance, Scanning, etc.)
- Incident Response
- Account Management
Slide 62 (SOC/NOC Support):
- Is the underlying assumption valid (i.e. the RHCPP entities have a need for this type of service)?
- How should the stated services be ranked for need? Are other services needed?
- Are there FCC rules which could limit the ability to obtain services in this fashion?
- There are multiple approaches for defining a provider. What do the RHCPPs favor? Consortium; Independent Third Party; Commercial
Slide 64: Agenda
1. Federal Security Regulations in RHCPP Partnerships (presentation & discussion)
2. 3rd Party Security/Network Operations Center Support for RHCPPs (a concept discussion)
3. SEC-WG Action for the Future (round table)
Slide 65 (SEC-WG Action for the Future): What topics do you believe the HNI Security Working Group should address for the Fall Member Meeting?
More informationRANDOLPH COUNTY EMERGENCY SERVICES & TAX DEPARTMENT. Identity Theft Prevention Program. Adopted August 3, 2009 Effective beginning August 1, 2009
RANDOLPH COUNTY EMERGENCY SERVICES & TAX DEPARTMENT Identity Theft Prevention Program Adopted August 3, 2009 Effective beginning August 1, 2009 I. PROGRAM ADOPTION The Randolph County Emergency Services
More informationELKHORN RURAL PUBLIC POWER DISTRICT POLICY #1230. Identity Theft Prevention Policy
ELKHORN RURAL PUBLIC POWER DISTRICT 1230-1 I. POLICY SUMMARY POLICY #1230 Identity Theft Prevention Policy It shall be the policy of Elkhorn Rural Public Power District ( District ) to take all reasonable
More informationHIPAA and HITECH Compliance for Cloud Applications
What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health
More informationWisconsin Rural Water Association Identity Theft Prevention Program Compliance Model
Wisconsin Rural Water Association Identity Theft Prevention Program Compliance Model All utilities are required to comply with this regulation. The Red Flag Rule requires any entity where there is a risk
More informationIdentity Theft Prevention Program Derived from the FTC Red Flags Rule requirements
Identity Theft Prevention Program Derived from the FTC Red Flags Rule requirements 1.0 Introduction In 2003, Congress enacted the Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. Section 1681,
More informationRANDOLPH COUNTY PUBLIC WORKS. Identity Theft Prevention Program. Adopted September 1, 2009 Effective beginning September 1, 2009
RANDOLPH COUNTY PUBLIC WORKS Identity Theft Prevention Program Adopted September 1, 2009 Effective beginning September 1, 2009 I. PROGRAM ADOPTION The Randolph County Public Works Department ( the Department
More informationUSF System & Preventing Identity Fraud
POLICY USF System USF USFSP USFSM Number: 0-109 Subject: Identity Theft Program Procedures and Protocol Responsible Office: Business and Finance Date of Origin: 1-11-11 Date Last Amended: Date Last Reviewed:
More informationIdentity Theft Policy
Identity Theft Policy Policy/Procedure Section 1: Background The risk to Dickinson College (the College ), its employees and students from data loss and identity theft is of significant concern to the
More informationSpotting ID Theft Red Flags A Guide for FACTA Compliance. An IDology, Inc. Whitepaper
Spotting ID Theft Red Flags A Guide for FACTA Compliance An IDology, Inc. Whitepaper With a November 1 st deadline looming for financial companies and creditors to comply with Sections 114 and 315 of the
More informationORDINANCE NUMBER 644 AN ORDINANCE ESTABLISHING THE TOWN OF YORKTOWN IDENTITY THEFT PREVENTION PROGRAM
ORDINANCE NUMBER 644 AN ORDINANCE ESTABLISHING THE TOWN OF YORKTOWN IDENTITY THEFT PREVENTION PROGRAM WHEREAS, the Federal Trade Commission, through 16 C.F.R. Part 681.1, adopted Identity Theft Rules requiring
More informationThe Basics of HIPAA Privacy and Security and HITECH
The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is
More informationUNC Asheville. Red Flag Rule and NC Identity Protection Act Information
UNC Asheville Red Flag Rule and NC Identity Protection Act Information Why Should UNC Asheville be Concerned? The Federal Trade Commission (FTC) regulates financial transactions at UNC Asheville The FTC
More informationFACTA Identity Theft Red Flags Program. www.chs.acfei.com
1 FACTA Identity Theft Red Flags Program Module 1 Fair and Accurate Credit Transactions Act Overview Identity thieves use individual s personal identifiable information to open new accounts and misuse
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationBoard of Commissioners Policy. Town of Nags Head Identity Theft Protection Program. Adopted October 22, 2008
M. Renée Cahoon Mayor Anna D. Sadler Mayor Pro Tem Charlie Cameron Town Manager/ Public Safety Director Town of Nags Head Post Office Box 99 Nags Head, North Carolina 27959 Telephone 252-441-5508 Fax 252-441-0776
More informationRANDOLPH COUNTY HEALTH DEPARTMENT. Identity Theft Prevention Program. Adopted August 3, 2009 Effective beginning August 1, 2009
RANDOLPH COUNTY HEALTH DEPARTMENT Identity Theft Prevention Program Adopted August 3, 2009 Effective beginning August 1, 2009 I. PROGRAM ADOPTION The Randolph County Health Department ( the Department
More informationCovered Areas: Those EVMS departments that have activities with Covered Accounts.
I. POLICY Eastern Virginia Medical School (EVMS) establishes the following identity theft program ( Program ) to detect, identify, and mitigate identity theft in its Covered Accounts in accordance with
More informationData Security Breaches: Learn more about two new regulations and how to help reduce your risks
Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches
More informationCENTENARY COLLEGE POLICIES UNDER THE FAIR & ACCURATE CREDIT TRANSACTION ACT S RED FLAG RULES
(FACTA) April 30, 2009 Approved by: Audit Committee of the Board of Trustees CENTENARY COLLEGE POLICIES UNDER THE A RESOLUTION ADOPTING AN IDENTITY THEFT POLICE Centenary College ( College ) developed
More informationCommunity First Health Plans Breach Notification for Unsecured PHI
Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance
More informationidentity TheFT PREVENTION Programs and Response
IDENTITY THEFT PREVENTION PROGRAM This program is launched in response to the Federal Trade Commission Red Flag Rules and Address Discrepancy Rules in conjunction with the Fair and Accurate Credit Transaction
More informationNEVADA SYSTEM OF HIGHER EDUCATION PROCEDURES AND GUIDELINES MANUAL CHAPTER 13 IDENTITY THEFT PREVENTION PROGRAM (RED FLAG RULES)
NEVADA SYSTEM OF HIGHER EDUCATION PROCEDURES AND GUIDELINES MANUAL CHAPTER 13 IDENTITY THEFT PREVENTION PROGRAM (RED FLAG RULES) Section 1. NSHE... 2 Section 2. UNR... 4 Section 3. WNC... 9 Chapter 13,
More informationHIPAA Security Overview of the Regulations
HIPAA Security Overview of the Regulations Presenter: Anna Drachenberg Anna Drachenberg has been assisting healthcare providers and hospitals comply with HIPAA and other federal regulations since 2008.
More informationCHAPTER 99: IDENTITY THEFT PREVENTION PROGRAM
CHAPTER 99: IDENTITY THEFT PREVENTION PROGRAM Section 99.01 Objective 99.02 Scope 99.03 Definitions 99.04 Policy 99.05 Program Management and Accountability 99.06 Responsibility 99.07 Identity Theft Prevention
More informationIdentity Theft Prevention Program
Smyth County Policy Identity Theft Prevention Program Purpose The purpose of the program is to establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in
More informationMCPHS IDENTITY THEFT POLICY
SECTION 1: BACKGROUND MCPHS IDENTITY THEFT POLICY The risk to the College, its employees and students from data loss and identity theft is of significant concern to the College and can be reduced only
More informationDMACC IDENTITY THEFT- RED FLAGS PROCEDURES
DMACC IDENTITY THEFT- RED FLAGS PROCEDURES This document contains identity theft red flag procedures for Des Moines Area Community College. Section Topic Page 1.0 2.0 3.0 4.0 5.0 6.0 7.0 8.0 XX PURPOSE
More informationFerris State University
Ferris State University BUSINESS POLICY TO: All Members of the University Community 2009:08 DATE: May 2009 I. BACKGROUND IDENTITY THEFT PREVENTION PROGRAM The risk to the University, and its students,
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationPROVISIONS IDENTITY THEFT RED FLAG FAQS
R E D F L A G PROVISIONS 2 0 0 9 IDENTITY THEFT RED FLAG FAQS Provided to you by P r e p a r e d b y Eduard Goodman, J.D.,LL.M. Chief Privacy Officer I d e n t i t y T h e f t 9 11, L L C FREQUENTLY ASKED
More informationIDENTITY THEFT PREVENTION PROGRAM TRAINING MODULE February 2009
IDENTITY THEFT PREVENTION PROGRAM TRAINING MODULE February 2009 Table of Contents Introduction to the Training Module.. i I. Introduction. 1 II. Definitions. 3 III. Recognizing Identity Theft.. 6 IV. Identifying
More informationModel Identity Theft Policy and Adopting Resolution
Model Identity Theft Policy and Adopting Resolution, Tennessee RESOLUTION NO. A RESOLUTION ADOPTING AN IDENTITY THEFT POLICY WHEREAS, The Fair and Accurate Credit Transactions Act of 2003, an amendment
More informationRADLEY ACURA RED FLAG IDENTITY THEFT PROTECTION PROGRAM and ADDRESS DISCREPANCY PROGRAM
RADLEY ACURA RED FLAG IDENTITY THEFT PROTECTION PROGRAM and ADDRESS DISCREPANCY PROGRAM SUMMARY OF OUR PROGRAM AND PROCESSES This dealership is committed to protecting its customers and itself from identity
More informationDRAFT National Rural Water Association Identity Theft Program Model September 22, 2008
DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008 This model has been designed to help water and wastewater utilities comply with the Federal Trade Commission s (FTC)
More informationMOTLOW STATE COMMUNITY COLLEGE
Page 1 of 5 MOTLOW STATE COMMUNITY COLLEGE SUBJECT: FACTA Red Flag Rule and Identity Theft Prevention Program I. BACKGROUND In late 2007 the Federal Trade Commission (FTC) and Federal banking agencies
More informationPOLICY: Identity Theft Red Flag Prevention
POLICY SUBJECT: POLICY: Identity Theft Red Flag Prevention It shall be the policy of the Cooperative to take all reasonable steps to identify, detect, and prevent the theft of its members personal information
More informationWhite Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES
White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate
More informationDavid Coble Internal Control Officer
WESTERN WASHINGTON UNIVERSITY S RED FLAGS IDENTITY THEFT PREVENTION PROGRAM IMPLEMENTING SECTIONS 114 AND 315 OF THE FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003 David Coble Internal Control Officer
More informationCOUNCIL POLICY NO. C-13
COUNCIL POLICY NO. C-13 TITLE: POLICY: Identity Theft Prevention Program See attachment. REFERENCE: Salem City Council Finance Committee Report dated November 7, 2011, Agenda Item No. 3 (a) Supplants Administrative
More informationIdentity Theft Prevention Program
Identity Theft Prevention Program I. PROGRAM PURPOSE AND DEFINITIONS The purpose of this Identity Theft Prevention Program ( Program ) is to detect, prevent and mitigate identity theft in connection with
More informationIBN Financial Services, Inc. Identity Theft Prevention Program(ITPP) under the FTCFACTActRedFlagsRule
IBN Financial Services, Inc. Identity Theft Prevention Program(ITPP) under the FTCFACTActRedFlagsRule I. Firm Policy Our firm s policy is to protect our customers and their accounts from identity theft
More informationRESOLUTION NO. 0913 IDENTITY THEFT PREVENTION PROGRAM
RESOLUTION NO. 0913 IDENTITY THEFT PREVENTION PROGRAM WHEREAS, the Eugene Water & Electric Board (EWEB) recognizes the importance of establishing a Identity Theft Prevention Program (Program) and procedures
More informationRed Flag Policy and Procedures for Alexander Orthopaedic Associates
Red Flag Policy and Procedures for Alexander Orthopaedic Associates The Identify Theft Prevention Program developed by Alexander Medical Group LLC dba Alexander Orthopaedic Associates referred throughout
More informationCHAPTER 12 IDENTITY PROTECTION AND IDENTITY THEFT PREVENTION POLICIES
CHAPTER 12 IDENTITY PROTECTION AND IDENTITY THEFT PREVENTION POLICIES Section 1-12-1: Purpose 1-12-2: Definitions 1-12-3: Scope 1-12-4: Identity Protection Policy 1-12-5: Identity Theft Prevention Policy
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationXavier University. Fair & Accurate Credit Transactions Act (Red Flags Rule) Policy and Procedures
Xavier University Fair & Accurate Credit Transactions Act (Red Flags Rule) Policy and Procedures Revised April 7, 2009 1 Identity Theft Policy IdentityTheft An identity can be stolen with nothing more
More information2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
More informationidentity Theft Prevention and Identification Requirements For Utility
[Utility Name] Identity Theft Prevention Program Effective beginning, 2008 I. PROGRAM ADOPTION The [Utility Name] ("Utility") developed this Identity Theft Prevention Program ("Program") pursuant to the
More informationCounty Identity Theft Prevention Program
INTRODUCTION CHAPTER OSCEOLA COUNTY IDENTITY THEFT PREVENTION PROGRAM The Osceola County Board of County Commissioners is committed to protecting consumers who do business with Osceola County, and as such
More informationUNIVERSITY OF MASSACHUSETTS IDENTITY THEFT PREVENTION PROGRAM
Doc. T08-109 Passed by the BoT 12/11/08 UNIVERSITY OF MASSACHUSETTS IDENTITY THEFT PREVENTION PROGRAM The Board recognizes that some activities of the University are subject to the provisions of the Fair
More informationDeer Park Independent School District. Identity Theft Policy and Board of Trustees Resolution
Deer Park Independent School District Identity Theft Policy and Board of Trustees Resolution Deer Park, Texas ORDINANCE AND RESOLUTION A RESOLUTION ADOPTING AN IDENTITY THEFT POLICY WHEREAS, The Fair and
More informationNationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011
Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8
More informationTHE LUTHERAN UNIVERSITY ASSOCIATION, INC. d/b/a Valparaiso University IDENTITY THEFT PREVENTION PROGRAM
THE LUTHERAN UNIVERSITY ASSOCIATION, INC. d/b/a Valparaiso University IDENTITY THEFT PREVENTION PROGRAM SECTION 1: BACKGROUND The risk to Valparaiso University ("University"), its employees, students (in
More informationCity of Hercules Hercules Municipal Utility Identity Theft Prevention Program
City of Hercules Hercules Municipal Utility Identity Theft Prevention Program Purpose The purpose of the program is to establish an Identity Theft Prevention Program designed to detect, prevent and mitigate
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationPlease Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax
Please Read This business associate audit questionnaire is part of Apgar & Associates, LLC s healthcare compliance resources, Copyright 2014. This questionnaire should be viewed as a tool to aid in evaluating
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationCompliance and Industry Regulations
Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy
More informationWake Forest University. Identity Theft Prevention Program. Effective May 1, 2009
Wake Forest University Identity Theft Prevention Program Effective May 1, 2009 I. GENERAL It is the policy of Wake Forest University ( University ) to comply with the Federal Trade Commission's ( FTC )
More informationORDINANCE IDENTITY THEFT PREVENTION PROGRAM
ORDINANCE IDENTITY THEFT PREVENTION PROGRAM The Mayor and Council of the City of Sugar Hill hereby ordain that Chapter 74 of the Code of the City of Sugar Hill, Georgia shall be amended as follows: By
More informationSOUTH TEXAS COLLEGE. Identity Theft Prevention Program and Guidelines. FTC Red Flags Rule
SOUTH TEXAS COLLEGE Identity Theft Prevention Program and Guidelines FTC Red Flags Rule Issued June 24, 2009 Table of Contents Section Section Description Page # 1 Section 1: Program Background and Purpose
More information