Christopher R. Apgar, CISSP - CEO & President SW Barbur, Ste PO Box 80278, Portland, OR (503) capgar@apgarandassoc.

Transcription

1 Christopher R. Apgar, CISSP - CEO & President SW Barbur, Ste PO Box 80278, Portland, OR (503) capgar@apgarandassoc.com Resume Qualifications Summary: Certified Information System Security Professional (CISSP) Workgroup for Electronic Data Interchange (WEDI) Board of Directors Co-chair, WEDI Regional Affiliates California Office of the Attorney General Medical Identity Theft Prevention project member American Health Information Management Association Medical Identity Theft Advisory Panel Member, Oregon Prescription Drug Monitoring Program Advisory Commission Co-Author, State E-Health Alliance white papers (interstate legal HIE barriers and solutions) RTI International Health Information Security & Privacy Collaborative (HISPC) Technical Advisory Panel (Phase I III) Oregon HISPC Phase I Technical Advisor Nationally recognized information security & HIPAA knowledge holder, speaker and author (security, privacy, national identifiers, electronic health information exchange) HIPAA/Financial/GLBA privacy & security auditor Nationally recognized expert in assisting organizations develop solid privacy and security programs and comply with HIPAA, GLBA and other applicable regulations (state and federal) Contributing editor for HCPro Briefings on HIPAA Oregon and SW Washington Healthcare, Privacy & Security Forum Board of Directors Personal Experience & Accomplishments: CEO & President, Apgar & Associates, LLC (April 4, 2004 to present): Provide consulting services on security and privacy program development and management, regulatory compliance, conduct compliance audits, conduct risk assessments, document risk mitigation strategies, implement mitigation strategies, etc. Provide outsourced compliance officer support to providers, health plans and business associates. Conduct risk analyses organizational and EHR implementation related. Assist with HIE/HIT planning (organizational, state and national). Provide security, privacy, transaction and code sets and national identifiers training ranging from beginner level to more

2 advanced training such as how to implement role based access control, how to conduct a risk assessment and management of a security and privacy compliance program, how to implement the national provider identifier, etc. Assist in HIPAA transaction & code set and national identifier implementation (provider, health plan, clearinghouse and vendor). Contributing editor, HCPro, Inc. Briefings on HIPAA. National Governors Association State Law HIE Barrier Analysis (September 5, 2009 to October 15, 2009 and August 2010 to September 2010): Develop a report analyzing the pros and cons to different solutions that reduce legal barriers to inter-state electronic health information exchange (HIE) Develop a report including tools for state use in addressing HIE interstate and federal statute legal barriers. Report 2 publication pending. National Privacy & Security Solutions Development (August 15, 2005 to March 31, 2009): Member of the RTI International team (HISPC project) on contract with the US Department of Health & Human Services to develop national privacy and security solutions and associated implementation plans for electronic health information exchange. Also a former member of the Oregon HISPC project team. Privacy & Security Compliance Auditor (April 4, 2004 to present): End-to-end privacy and security compliance auditor for small to large health care organizations (e.g., health plans, providers, vendors, hybrid entities and non-profits; HIPAA, 42 CFR Pt. 2, Red Flag Rule, state law, GLBA, SOX, appropriate privacy and security practices given technical changes and industry requirements). Author (January 2000 to present): Security Q&A and product review articles for HCPro, Inc., privacy how to s for AIS, Inc. and other health care related publications Miscellaneous Other Compliance Projects (April 4, 2004 to present): Security, privacy, regulatory and HIE projects for small clinics, non-profits, health care clearinghouses, large health plans and providers, vendors (US based and international). Also, speak nationally and am regularly quoted in national security, privacy and electronic health information exchange publications. This also includes re-writing Thompson Publishing s HIPAA textbook and contracted to write HIPAA Myths for AIS, Inc. Information Security and HIPAA Compliance Officer, Providence Health Plans (July 1, 1999 to April 4, 2004): Responsible for information security and HIPAA compliance efforts for Providence Health Plans (electronic transaction & code sets, privacy, information security and national identifiers); provide state & national advice/leadership in developing & communicating security, privacy and HIPAA required controls; all aspects of data security (training development & implementation, audit plan development & implementation, strategic planning, security tool review & selection, etc.); Regulatory Affairs liaison; policy development & management; HIPAA compliance; regulatory review & analysis; staff supervision. Responsible for assisting in the development and management of information services quality assurance program. Advisor in the development of business continuation plan. Education: BS, Psychology (with MIS coursework) - Portland State University, 1990 AS, Business/Accounting - Central Oregon Community College, 1986 March 2013 Bibliography - Apgar Page 2

3 Honors and Awards Phi Theta Kappa, Central Oregon Community College, 1985 Phi Kappa Phi, Portland State University, 1989 Senior Member, Information Systems Security Association, 2012 Associations and Community Service Chair, Community Advocates/Kids Can Board of Directors, 1994 to 1996 Information Systems Security Association, 2003 to Present American Health Information Management Association, 2011 to Present Oregon Health Information Management Association, 2011 to Present Health Care Compliance Association, 2013 Professional Certified Information Systems Security Professional, ISC 2, May 2002 to Present Chair, Oregon and SW Washington Healthcare, Privacy and Security Forum, May 2000 to August 2012 Member, Oregon and SW Washington Healthcare, Privacy and Security Forum Board of Directors, August 2012 to Present URAC Privacy Advisory Commission, 2002 to 2003 Co-chair, Workgroup for Electronic Data Interchange Regional Affiliate Workgroup, January 2005 to Present Member, Oregon Prescription Drug Monitoring Program Advisory Commission, July 2009 to Present Member, Workgroup for Electronic Data Interchange Board of Directors, January 2006 to Present Co-chair, Workgroup for Electronic Data Interchange Health Information Exchange Workgroup, December 2012 to Present Publications, Articles. Lectures and Addresses Editorial Oversight & Publication Advisory Editor, Security Compliance Newsletter, AISHealth, 2003 to 2005 Board of Advisors, Health Information Compliance Insider, HCPro, Inc to 2009 Moderator, HealthSec Conference and Expo, MIS Training Institute, 2004 Technical Advisor, Oregon Health Information Privacy and Security Collaborative 2006 to 2007 Member, Oregon Health Information Infrastructure Advisory Committee 2007 to 2009 Member, US Department of Health and Human Services, Office of the National Coordinator for Health Information Technology Health Infrastructure Standards and Technology Technical Committee Contributing editor, Briefings on HIPAA,, HCPro, Inc., 2008 to Present) Publications and Articles: Co-author, HIPAA Forms, Policies & Procedures, HIPAA Privacy Handbook, Oregon Medical Association, 2002 March 2013 Bibliography - Apgar Page 3

4 Chapter author, Audit Program Requirements, HIPAA Privacy Handbook, AISHealth, 2002 Chapter author and co-editor, HIPAA Security Handbook, AISHealth, 2004 to 2007 Co-author, Compliance Guide to HIPAA Security Risk Analysis HIPAA Risk Analysis Tools, Brownstone Publishers, Inc., 2004 HIPAA News & Views, Oregon Medical Association, 2005 to 2010 Contributing author, HIPAA Patient Privacy Compliance Guide, AISHealth, January 2005 Auditing Part 2, HIPAA Security Newsletter AISHealth, April 2005 Security Protocol & Systems Development, HIPAA Security Newsletter, AISHealth, April 2005 The Risk of Non-compliance, HIPAA Security Newsletter, AISHealth, April 2005 Privacy and Security in Healthcare & Confidential Information Exchange, MDT Quarterly, July 6, 2005 Security Q&A bi-monthly column, Briefings on HIPAA, HCPro, Inc to Present Product Watch bi-monthly column, Briefings on HIPAA, HCPro, Inc., 2006 to Present Secure Data Transmission Methods, Tech Target Security Media Group, January 2006 Co-author, Privacy and Security Assessment of Variation Toolkit, Agency for Healthcare Research and Quality and Office for the National Coordinator for Health Information Technology Health Information Privacy and Security Collaboration, April 2006 Precautions Privacy Officers Should Take to Minimize Risks Related to Laptop Computers, AISHealth, June 2006 Co-author, Stakeholder Group Meeting Facilitator s Guidebook, Agency for Healthcare Research and Quality and Office for the National Coordinator for Health Information Technology Health Information Privacy and Security Collaboration, July 2006 Monthly Privacy Issues column, Report on Patient Privacy, AISHealth, 2007 to 2010 Co-author, HIPAA Certification Training Manual, Supremus Group, LLC and Thompson Publishing, 2007 Co-author, Specially Protected Health Information Oregon Legal Requirements, Oregon Health Information Security & Privacy Collaboration, December, 2007 Co-author, Mitigating Medical Identity Theft, American Health Information Management Association, July 2008 Advantage, Journal of AHIMA: A Closer Look at the Red Flag Rules, American Health Information Management Association, November 2008 Co-author, Policy Strategies for Advancing Interstate Health Information Exchange: A Report to the State Alliance for ehealth, October 2009 Co-author, State and Federal Consent Laws Affecting Interstate Health Information Exchange: A Report to the National Governors Association, September 2010 Contributing author, The Financial Impact of Breached Protected Health Information A Business Case for Enhanced PHI Security, American National Standards Institute, March 2012 HIPAA & Compliance Assessments: Does HIPAA require covered entities and business associates conduct periodic compliance assessments and do they need to be outsourced?, Apgar & Associates, LLC Blog, June 2012 Risk Analysis versus Risk Assessment Conducting a risk analysis is not always the same as conducting a risk assessment, Apgar & Associates, LLC Blog, June 2012 Data Breach Examiner: Four Things You Need to Know About Risk Analysis, ID Experts, September 2012 March 2013 Bibliography - Apgar Page 4

5 Chapter author, Regulatory Aspects of Healthcare IT: Legal Best Practices and Requirements, Healthcare Information Technology Exam Guide, McGraw-Hill, 2013 Training/ Conferences/ Addresses: Healthcare: Privacy in a Digital Age, Concordia University, November 2001 The Successful Privacy Officer: The Steps Every Privacy Officer Should be Taking to Lead Their HCO Toward Compliance, Healthcare Intelligence Network, 2002 HIPAA Privacy Compliance, Costal Health & Train, 2002 HIPAA 2002: A Technical Look at Security & Privacy, American Health Quality Association Technical Conference, January 2002 A Conversation with Chris Apgar, Data Security Officer, Providence Health Plans, Oregon Medical Association, 2003 HIPAA Awareness, Oregon Department of Human Services, 2003\ Practical Strategies in Complying with the HIPAA Security Rule, International Association of Privacy Professionals Annual Conference, February 2003 Analysis of the Final HIPAA Security Rule, International Association of Privacy Professionals Annual Conference, February 2003 HIPAA Readiness Workshop: How to Submit Clean Claims When Carriers Requirements Differ, HCPro, Inc., August 2003 Role Based Access Control, HealthSec Conference & Expo, MIS Training Institute, September 2003 HIPAA Transactions and Code Sets After the Deadline: Strategies for Survival, Healthcare Intelligence Network, November 2003 Business Associates and Covered Entities: Adapt Contracts to Comply With New HIPAA Law, HCPro, Inc., 2003 Regulatory Education Series, Oregon Medical Association, 2004 to Present HIPAA Security: The One-Year Checklist, Healthcare Intelligence Network, 2004 HIPAA Security Auditing: How to Create a Consistent, Repeatable, and Documented Program, Healthcare Intelligence Network, 2004 HIPAA Security Rule, America s Health Insurance Plans, September 2004 HIPAA Security Auditing and Monitoring: Creating, Building and Testing a Strategy to Ensure Your Organization s Compliance, Healthcare Intelligence Network, 2004 Managing a Privacy & Security Compliance Program, HealthSec Conference & Expo, MIS Training Institute, September 2004 Security Roles, Responsibilities & Reporting: A Panel Discussion, HealthSec Conference & Expo, MIS Training Institute, September 2004 HIPAA Security & the Final Rules, HealthSec Conference & Expo, MIS Training Institute, September 2004 HIPAA Security Rule Overview, America s Health Insurance Plans, September 2004 HIPAA Security Auditing: How to Create a Consistent, Repeatable and Documented Program, Health Intelligence Network, November 2004 Adopting a Security Culture, HealthStream, Inc., November 2004 HIPAA Security Risk Assessment: An Audio Workshop, Healthcare Intelligence Network, 2005 HIPAA Security Rule Workshop, Northwest Benefit Planning, January 2005 HIPAA Security 201: Policies & Procedures, Oregon Medical Association, March 2005 March 2013 Bibliography - Apgar Page 5

6 HIPAA Security 201: Auditing & Monitoring Training, Oregon Medical Association, March 2005 Managing a Privacy & Security Compliance Program, IT Security World Conference & Expo, MIS Training Institute, September 2005 Why Worry About Security Compliance, Oregon & SW Washington Healthcare, Privacy & Security Forum, September 2005 Security Incident Response What to do if a Breach Occurs & How to Mitigate Damages, HIPAA Summit, September 2005 (NOTE: Presented at eight of the ten preceding summits but did not retain the presentation material) Security Incident Response: How Providers can Minimize Impact & Liability, Decision Health/UCG, October 2005 Protecting Patient Privacy, University of Portland, November 2005 National Provider Identifier: Know How Changes will Affect Your Business, HCPro, Inc., November Encryption Solution That Won't Break Your Budget, InBox Conference, Spring 2006 Encryption - Secure Transmission In A Not So Secure World, Lorman Education Services, Inc., March 2006 Healthcare: Ethics and Compliance, Lorman Education Services, Inc., March 2006 Find a Secure Solution: Protect Patient Privacy & Your Organization, HCPro, Inc., May 2006 Managing a Data Security Audit Program, HIPAA Summit, August 2006 Gauging the Maturity of Your Security Compliance Program, HealthSec Conference & Expo, MIS Training Institute, September 2006 Privacy/Security Identity Management, HIPAA Collaborative of Wisconsin Fall Conference, September 2006 National Provider Identifier Implementation: Comply and get paid, HCPro, Inc., October 2006 Legalities of Utilizing & Maintaining Computerized Medical Records in Oregon, Lorman Education Services, Inc., October 2006 National Provider Identifier Implementation: Comply & Get Paid, HCPro, Inc., October 2006 Document Retention & Destruction Program Development & Management, Lorman Education Services, Inc., October 2006 Privacy & Security Solutions for Interoperable Health Information Exchange, Workgroup for Electronic Data Exchange Fall Conference, November 2006 National Provider Identifiers: Health Plan Contingencies to Avert a Spring Disaster, AISHealth, December 2006 HIPAA Secure Transmission Rules: Minimizing Your Legal Risks, Progressive Business Publications, March 2007 Personal Health Records: An Industry Primer from a Privacy & Security Perspective, Workgroup for Electronic Data Interchange Spring Conference, May 2007 Alphabet Soup: Rules of the Game from the Privacy, Security & Interoperability Perspective, Workgroup for Electronic Data Interchange Spring Conference, May 2007 Health Information Security & Privacy Collaborative: Project Overview, Workgroup for Electronic Data Interchange Spring Conference, May 2007 CMS NPI Guidance, HCPro, Inc., May 2007 Document Retention A Legal Perspective, Lorman Education Services, Inc., May 2007 NPI: Strategies to prepare your contingency plan and get paid, HCPro, Inc., May 2007 HIPAA Security: Prevent & Respond to Breaches, HCPro, Inc., August 2007 March 2013 Bibliography - Apgar Page 6

7 Personal Health Records: Privacy & Security Best Practices, Progressive Business Publications, September 2007 The High Cost of Medical Identity Theft, IT Security World Conference Expo, MIS Training Institute, September 2007 How Much is Enough? Interpreting the HIPAA Security Rule (panel), IT Security World Conference Expo, MIS Training Institute, September 2007 Staffing for Security & Safety, Professional Association of Health Care Office Management Fall Conference, September 2007 Personal Health Records: Privacy and Security Best Practices, Progressive Business Publications, September 2007 Oregon Identity Theft Protection Act, Oregon Health Information Management Association Fall Conference, September 2007 Preparing for an Audit: The OIG is Coming, Workgroup for Electronic Data Interchange Fall Conference, November 2007 Are You at Risk: Business in a Digital World, Parker, Smith, Feek, November 2007 HIPAA Administrative Simplification Overview, Portland State University, November 2007 Subpoena, Court Order & Record Retention Requirements, Central City Concern, December 2007 Coordinating & Balancing Privacy, Security & Practical Operations, HIPAA Summit, December 2007 Healthcare Security Professional Advanced Problem Solving Roundtable (panel), HIPAA Summit, December 2007 Complying With New Health Data Breach Laws, MelaMedia, LLC, February 2008 Risk Analysis & Risk Management, ISSA Portland Student Chapter, April 2008 HIPAA Security Requirements: Prevent and Respond to Breaches, Progressive Business Conferences, May 2008 Electronic Health Records not the Solution: Bridge to Improved Health Information Exchange, Oregon Health Information Management Association Annual Conference, May 2008 EHR's Not the Solution - Bridge to Improved Health Information Exchange, Oregon Health Information Management Association Spring Conference, May 2008 Health Information Security & Privacy Collaboration: Phase III, WEDI Spring Conference, May 2008 Legal Issues Legal & Regulatory Issues Related to Health Information Exchange, Northwest Medical Informatics Symposium, September 2008 Personal Health Records: Overcome Privacy and Security Barriers and Other Challenges, HCPro, Inc., January 2009 ARRA & Red Flag Rules Changes in Healthcare Privacy and Security Requirements, Oregon Health Information Management Association Spring Conference, May 2009 Business Associated Action Plan: Comply with HITECH by February Deadline, HCPro, Inc., 2009 Legal Issues Legal & Regulatory Issues Related the Privacy & Security of Patient Information, RMC, Inc., February 2009 Legal Issues Legal & Regulatory Issues Related the Privacy & Security of Patient Information, Portland Medical Community Managers, April 2009 HCPro e-learning Changes on the Horizon, HCPro, Inc., May 2009 Covered Entities and Business Associates: Adapt Contracts to Comply with New HIPAA Law, HCPro Inc., July 2009; January 2010 Dealing with the Use of Social Networking and Communications Vehicles in the Healthcare Environment: Twitter, Facebook, MySpace, IM and P-2-P, 17th HIPAA Summit, August 2009 March 2013 Bibliography - Apgar Page 7

8 Healthcare Providers and Social Networking: New Threat to Patient Privacy presents Minimizing Liability for Unwitting Physician and Staff Breaches, Strafford Legal Webinars, October 2009 Social Networking and Healthcare Providers Minimizing Liability, Legal Publishing Group of Strafford Publications, October 2009 Security Audits From an Auditor s Perspective, American Heath Information Management Association Virtual Conference, December Challenges & Trends, ISSA Portland Chapter, January 2010 Social Networking: Risks to Privacy and Security, Iowa Medical Society, April 2010 Meaningful Use: What is it and what does it mean?, Portland Medical Community Managers, April 2010 EHR Implementation: What you need to know about security beyond Implementation, Oregon and Washington Medical Group Management Association Annual Conference, June 2010 Privacy & Security Breaches: Requirements & Responsibilities; Business Associates: Requirements & Responsibilities, Oregon Health Information Management Association Fall Conference, September 2010 The art of Social Networking, America Health Information Management Association Virtual Conference, September 2010 The Latest on Meaningful Use and EHR Certification: Implications for Privacy and Security, HIPAA Summit West, October 2010 Feeling Anti-Social? HIM Privacy & Social Media, American Health Information Management Association, April 2011 Privacy, Security and the HITECH Act: Compliance deadlines have come and gone, Greater Oregon Behavioral Health, Inc. Spring Conference, May 2011 Connectivity Solutions: Increasing Connectivity through Game-Changing Advances in HIT & HIE, World Congress Executive Forum & Expo on HealthCare Payment, July 2011 EHR Accounting of Disclosures Draft Rule Overview, AISHealth, July 2011 Social Media Risks & Remedies, AISHealth, November 2011 Patient Privacy Rights: Tips & Trends, International Association of Privacy Professionals, December 2011 HIMSS 2012, Symantec, February 2012 o Data Loss Prevention: If You Don t Want to Cry, Don t Spill the Milk in the First Place o Encryption: You Can make it Harder to Read than A Physician s Handwriting! o Name Your Poison: HHS Audit or OCR o HIPAA Audits: Double Your Pleasure, Double Your Fun Proposed Meaningful Use Stage 2 Requirements, Axway, March 2012 Electronic Health Records & Meaningful Use Incentives: Medicare & Medicaid, Oregon Psychiatric Association Annual Conference, March 2012 Privacy, Security and the American Recovery and Reinvestment Act: Health Care Regulatory Environment Overview, Portland State University, March 2012 How to Conduct a HIPAA Security Audit (or Risk Assessment), Healthcare Care Compliance Association Compliance Institute: April, 2012 Risk Analysis & Meaningful Use, Physicians Insurance, April 2012 How to Prepare for Office for Civil Rights HIPAA Audits, Oregon Health Information Management Association Spring Conference, May 2012 Incident Response: Are you ready?, HIPAA Summit West, October 2012 Mobile Devices: Managing Risk, Central Oregon Mobility Summit, October 2012 March 2013 Bibliography - Apgar Page 8

9 Managing Security and Compliance in a Virtual World, Healthcare IT News/HIMSS Media, October 2012 How to Prepare for Office for Civil Rights HIPAA Audits, Oregon Health Information Management Association, January 2013 EMPLOYMENT HISTORY: 2004 to Present: CEO & President of Apgar & Associates, LLC 2000 to Present: Contributing Editor of HCPro, Inc., Briefings on HIPAA 1998 to 2004: Information Security Officer and HIPAA Compliance Officer of Providence Health Plans REFERENCES: Available upon request. March 2013 Bibliography - Apgar Page 9