Agenda. About Our Work and Team. Background 5/11/2015. Background Prevention Incident Response Process
|
|
- Lindsay Kelley
- 8 years ago
- Views:
Transcription
1 Agenda Data Security Incidents: The Role of IRBs and Information Security Teresa Doksum, PhD, MPH & Sean Owen, CISSP, CAP, CRISC May 22, 2015 Background Prevention Incident Response Process 1. Preparation 2. Detection and Analysis 3. Containment and Eradication 4. Post-incident Abt Associates Pg 2 Background About Our Work and Team Our Work Social-behavioral research and evaluation Funders include U.S. and other governments, foundations IRB volumes (annually): 100 non-exempt human subjects research studies/yr 100 studies exempt or nonresearch w/sensitive data Our Team IRB Chair + Administrator Members: 12 voting Client Cybersecurity Team Dept partners Abt Associates Pg 3 Abt Associates Pg 4 1
2 Definitions PII Personally Identifiable Information PII has varying levels of sensitivity Consider what the PII is paired with PHI Protected Health Information per HIPAA Incident Security event that results in the loss of data confidentiality, integrity, or availability Loss of confidentiality is data being disclosed to someone who shouldn t see it Breach Loss of confidentiality of data protected under HIPAA. Breach can also have other meanings depending on the data (i.e., federal/state/contractual definitions of breach) Abt Associates Pg 5 Abt Associates Pg 6 Case Study #1: PII External study partner s PII to Abt researcher Case Study #1: What Abt does 1) Abt researcher notifies Abt IT help desk 2) Incident response team engaged 3) IRB helps identify level of sensitivity/requirements 4) Sender and receiver deletes and provides confirmation to incident response team 5) Abt researcher: Tells sender to not PII and reminds them of approved protocol Completes any additional steps required by Abt s Security team or the sender s security team Abt Associates Pg 7 Abt Associates Pg 8 2
3 Prevention Build Partnerships and Collaboration You need 5+ partners to be successful IT helpdesk manager Security manager or higher IRB chair or staff Legal counsel Grant/contracts department manager or higher Defined SOP s and templates for data security A communication strategy (meetings, posters, reminders) A training strategy for researchers AND PARTNERS Abt Associates Pg 9 Abt Associates Pg 10 Require Detailed Data Security Plan Main Contents of Data Security Plan Describes data in detail, including data dictionary/variable lists Documents flow of data from start of study to end among all study partners Identifies tools to protect data for each step Includes retention/destruction requirements Identifies applicable security/privacy regulations Lists training staff will take (CITI, HIPAA, general security awareness, study-specific) and promises to give a copy of data security plan to all staff Electronic Data Flow Chart from Data Security Plan Abt Associates Pg 11 Abt Associates Pg 12 3
4 Example of Inadequate Data Security Plan Original Abt IRB protocol section for data security: Describe the provisions to protect the privacy of subjects and to maintain the confidentiality of data Result: sparse, generic text to gain IRB approval: All staff will promise to keep data confidential Data will be stored in locked file cabinets Data will be stored in password protected computers and folders Case Study #2: Lost Audiorecorder Subcontractor travelled to site to conduct interviews Used a digital audiorecorder Sub s IRB approved study w/few data security details Digital audiorecorder lost half way through trip and interviews Abt Associates Pg 13 Abt Associates Pg 14 Case Study #2: What Abt did 1) Reported to both IRBs and funder 2) Security worked w/sub to develop procedures to prevent another incident (and continue interviews) Download interview onto laptop; delete from recorder Upload via secure web portal to secure server 3) Notified participants Poll What encryption does your institution require? A. No requirements for encryption B. Depends on personnel (students vs. other?), data & requirements C. IT encrypts and IRB isn t involved D. Not sure, but I plan to find out Abt Associates Pg 15 Abt Associates Pg 16 4
5 Encrypt Everything All mobile devices (e.g., laptops, phones, USB drives) that store, collect, process data Use full drive encryption Encrypt data being sent Microsoft file passwords are NOT encryption (or protection) Case Study #3: Stolen Laptop Field interviewer laptop stolen Laptop was company issued and encrypted Abt Associates Pg 17 Abt Associates Pg 18 Case Study #3: What Abt does 1) Field interviewer notifies IT help desk 2) Verify laptop had full disk encryption 3) Request that researcher notify police 4) Document incident and police report number Incident Response Process National Institute of Standards and Technology (NIST) SP rev.2 Abt Associates Pg 19 Abt Associates Pg 20 5
6 Main Players and Data Security Responsibilities 1. Preparation IRB Security IT Study Team Contracts Department Legal Counsel Ensure researchers protect data; respond to incidents per human subjects regulations Manage the information security incident response and investigation Maintain software and hardware used to protect the information Protect data and report incidents Support above Support above Abt Associates Pg 21 Abt Associates Pg 22 Working against the clock Timers for reporting data security incidents and/or breaches to funder or data providers are in the following: Contracts and data use agreements Varies, hours and no more than 30 days.. Federal Laws PII 60 minutes HIPAA 60 days State Laws MA Without unreasonable delay CA Without unreasonable delay Other thoughts about timers Ethical responsibility Reputation 30 days is a long time for participants, short for you. Better to over report and work out a system with your client/funder/partner/data provider than under report and surprise them. Builds trust. Abt Associates Pg 23 Abt Associates Pg 24 6
7 Case Study #4: Lost Paper Case Study #4: What Abt did Incident (Event) Program site lost 2 consents and baseline form w/ssn Forms not found despite weeks of looking and site visit Incident (Reporting) Day 1: Site notified Abt study team Day 3: Abt study team notified IRB +Security. Required study director to immediately notify funder Day 5: Abt study director notified funder Funder said notification took too long 1) Followed established process once Security was notified 2) Flew to the site and did data security refresher training 3) Explained timers involved to all parties 4) Refined incident reporting process to require simultaneous notification 5) Clarified description of an incident 6) Training on details above and remediation that can be taken in the field 7) Notified participants and offered identity theft protection Abt Associates Pg 25 Abt Associates Pg Detection and Analysis Study Team Reports Incident IT or Security will ask for the following information to begin any triage: 1. What study data was or may have been lost or disclosed to unauthorized people 2. Why you believe it was lost/disclosed 3. Who it was disclosed to, if known 4. Date and time of all the events 5. What was done, if anything, to reduce the risk of disclosure Abt Associates Pg 27 Abt Associates Pg 28 7
8 Triage What are the data? Protected Health Information (PHI) subject to HIPAA? Personally Identifiable Information (PII)? Identifiers only? Other types of data subject to data agreement requirements? What was seen or lost? How many records? There will be false alarms!!! Classification of Incidents Customize with legal counsel, funder, institution expectations Minor incidents that do not require notification Incident does not disclose information outside the study team Minor incidents that require notification Incident that results in a violation of regulation or requirement, but does not rise to the level of breach Major incidents that require notification Incidents that result in potential harm to participants. The incident satisfies the requirements for breach Abt Associates Pg 29 Abt Associates Pg Containment and Eradication Containment & Eradication Abt Associates Pg 31 Abt Associates Pg 32 8
9 4. Post-Incident Post-Incident Security Provides final incident report to funder Notifies them that you consider the matter closed IRB (if needed per policy & regulations) Request unanticipated problem report Notify participants IRB and legal counsel with Security Determine threshold for notifying externally (e.g., regulators such as OHRP) Abt Associates Pg 33 Refer to security regulations Lessons learned feeds back into prevention Abt Associates Pg 34 Final Thoughts Incident Response is a team effort Prepare before study teams collect sensitive data Train everyone on requirements and incident reporting process Communicate early and honestly with affected parties (participants, data provider, funder, regulators) Report incident trends back to study teams and internal partners For More Info/Resources PRIM&R Blog post with data security plan template: Sean_Owen@abtassoc.com; Teresa_Doksum@abtassoc.com; Abt Associates Pg 35 Abt Associates Pg 36 9
Data Security Plan Development Guide for Researchers
Data Security Plan Development Guide for Researchers November 2014 Prepared for: Association for Public Policy Analysis and Management Fall Research Conference Submitted by: Sean Owen, CISSP, CAP and Teresa
More information2014 Core Training 1
2014 Core Training 1 Course Agenda Review of Key Privacy Laws/Regulations: Federal HIPAA/HITECH regulations State privacy laws Privacy & Security Policies & Procedures Huntsville Hospital Health System
More informationHIPAA Training for Staff and Volunteers
HIPAA Training for Staff and Volunteers Objectives Explain the purpose of the HIPAA privacy, security and breach notification regulations Name three patient privacy rights Discuss what you can do to help
More informationHIPAA Training for Hospice Staff and Volunteers
HIPAA Training for Hospice Staff and Volunteers Hospice Education Network Objectives Explain the purpose of the HIPAA privacy and security regulations Name three patient privacy rights Discuss what you
More informationSHS Annual Information Security Training
SHS Annual Information Security Training Information Security: What is It? The mission of the SHS Information Security Program is to Protect Valuable SHS Resources Information Security is Everyone s Responsibility
More informationITS Policy Library. 11.06 - Device Encryption. Information Technologies & Services
ITS Policy Library 11.06 - Device Encryption Information Technologies & Services Responsible Executive: Chief Information Officer, WCMC Original Issued: July 15, 2008 Last Updated: November 21, 2014 POLICY
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationToday s Webcast is presented by Michael, also from the DART Team. Michael will provide
Welcome to today s Webcast. Thank you so much for joining us today! My name is Ellie Coombs. I m a member of the DART Team, one of several groups engaged by HAB to provide training and technical assistance
More informationHIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014
HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors
More informationOCR UPDATE Breach Notification Rule & Business Associates (BA)
OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the
More informationPolicies and Procedures for Electronic Protected Health Information (ephi) and Personally Identifiable Information (PII)
Policies and Procedures for Electronic Protected Health Information (ephi) and Personally Identifiable Information (PII) Effective Date: April 10, 2012 Prepared by: Joe Raschke (IT) Table of Contents Purpose
More informationWhat to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER
What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER INFORMATION AND PRIVACY COMMISSIONER/ONTARIO Table of Contents What is a privacy breach?...1
More informationHighlights of PHI/PI Security Requirements
ACBHCS Quality Assurance Office August 2014 Highlights of PHI/PI Security Requirements These guidelines are excerpts from ACBHCS s contract with the CA DHCS and applies to all ACBHCS contract providers
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationProtecting Privacy & Security in the Health Care Setting
2013 Compliance Training for Contractors and Vendors Module 3 Protecting Privacy & Security in the Health Care Setting For Internal Training Purposes Only. After completing this training, learners will
More informationUtica College. Information Security Plan
Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles
More informationProcedure for Managing a Privacy Breach
Procedure for Managing a Privacy Breach (From the Privacy Policy and Procedures available at: http://www.mun.ca/policy/site/view/index.php?privacy ) A privacy breach occurs when there is unauthorized access
More informationHIPAA Security Training Manual
HIPAA Security Training Manual The final HIPAA Security Rule for Montrose Memorial Hospital went into effect in February 2005. The Security Rule includes 3 categories of compliance; Administrative Safeguards,
More informationChecklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security
Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @ Agenda Review the
More informationHIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals
HIPAA New Breach Notification Risk Assessment and Sanctions Policy Incident Management Policy For breaches affecting 1 3 individuals +25 individuals + 500 individuals Focus on: analysis documentation PHI
More informationMy Docs Online HIPAA Compliance
My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several
More informationHIPAA Privacy & Breach Notification Training for System Administration Business Associates
HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,
More informationHIPAA Privacy & Security Rules
HIPAA Privacy & Security Rules HITECH Act Applicability If you are part of any of the HIPAA Affected Areas, this training is required under the IU HIPAA Privacy and Security Compliance Plan pursuant to
More informationHITECH ACT UPDATE HIPAA BREACH NOTIFICATION RULE WEB CAST. David G. Schoolcraft Ogden Murphy Wallace, PLLC dschoolcraft@omwlaw.com
HITECH ACT UPDATE HIPAA BREACH NOTIFICATION RULE WEB CAST David G. Schoolcraft Ogden Murphy Wallace, PLLC dschoolcraft@omwlaw.com Presenters David Schoolcraft, Member, Ogden Murphy Wallace, PLLC Taya Briley,
More informationThis presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in
This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American
More informationAre You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.
Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP
More informationThe Department of Health and Human Services Privacy Awareness Training. Fiscal Year 2015
The Department of Health and Human Services Privacy Awareness Training Fiscal Year 2015 Course Objectives At the end of the course, you will be able to: Define privacy and explain its importance. Identify
More informationSecuring the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer
Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health
More informationPrepare for the Worst: Best Practices for Responding to Cybersecurity Breaches Trivalent Solutions Expo June 19, 2014
Prepare for the Worst: Best Practices for Responding to Cybersecurity Breaches Trivalent Solutions Expo June 19, 2014 2014, Mika Meyers Beckett & Jones PLC All Rights Reserved Presented by: Jennifer A.
More informationHEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( BAA ) is by and between the National Association of Boards of Pharmacy
More informationCYBER SECURITY A L E G A L P E R S P E C T I V E
A L E G A L P E R S P E C T I V E T H O M A S G. S C H R O E T E R A S S O C I A T E G E N E R A L C O U N S E L P O R T O F H O U S T O N A U T H O R I T Y DISCLAIMER! This presentation: does not include
More informationData Security Considerations for Research
Data Security Considerations for Research Institutional Review Board Annual Education May 8, 2012 1 PRIVACY vs. SECURITY What s the Difference?: PRIVACY Refers to WHAT is protected Health information about
More informationHIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees
HIPAA TRAINING A training course for Shiawassee County Community Mental Health Authority Employees WHAT IS HIPAA? HIPAA is an acronym that stands for Health Insurance Portability and Accountability Act.
More informationDATA BREACHES: HOW TO AVOID THEM AND WHAT TO DO IF IT HAPPENS. Emory IRB Webinar January 8, 2015
DATA BREACHES: HOW TO AVOID THEM AND WHAT TO DO IF IT HAPPENS Emory IRB Webinar January 8, 2015 ACKNOWLEDGMENTS Thanks to Kris West for the information provided for this webinar DEFINITIONS Protected Health
More informationFACT SHEET: Ransomware and HIPAA
FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000
More informationHIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012
HIPAA Privacy and Security Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012 Goals and Objectives Course Goal: To introduce the staff of Munson Healthcare to the concepts
More informationPhilip L. Gordon, Esq. Littler Mendelson, P.C.
Beyond The Legal Requirements: Key Practical Issues in Negotiating Business Associate Agreements, Responding to a Breach of Unsecured PHI, and Understanding HHS Enforcement Philip L. Gordon, Esq. Littler
More informationHIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as
HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the
More informationPresented by Dave Olsen, CPA, President
Presented by Dave Olsen, CPA, President My Frame of Reference 15 Years in Public Practice 11 Years in Tax & Accounting Software (20% of prof. e-files) 3 Year term on IRS ETAAC committee and Security Sub-Group
More informationHow To Protect Your Health Information Under Hiopaa
Towards Unified Data Security Requirements for Human Research Susan Bouregy, Ph.D., CIP Chief HIPAA Privacy Officer Vice Chair, Human Subjects Committee Yale University susan.bouregy@yale.edu March 21,
More informationData Breach and Senior Living Communities May 29, 2015
Data Breach and Senior Living Communities May 29, 2015 Todays Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs
More informationIRB Challenge: Research on the Internet
IRB Challenge: Research on the Internet Jeffrey M. Cohen, Ph.D. HRP Associates 240-432-4525 Disclaimer Views Expressed in This Workshop are Those of the Speaker and Not Necessarily of the University of
More informationWhen HHS Calls, Will Your Plan Be HIPAA Compliant?
When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this
More informationYour Agency Just Had a Privacy Breach Now What?
1 Your Agency Just Had a Privacy Breach Now What? Kathleen Claffie U.S. Customs and Border Protection What is a Breach The loss of control, compromise, unauthorized disclosure, unauthorized acquisition,
More informationHIPAA Compliance. 2013 Annual Mandatory Education
HIPAA Compliance 2013 Annual Mandatory Education What is HIPAA? Health Insurance Portability and Accountability Act Federal Law enacted in 1996 that mandates adoption of Privacy protections for health
More informationCan Your Diocese Afford to Fail a HIPAA Audit?
Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous
More informationPHI- Protected Health Information
HIPAA Policy 2014 The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of patients health information and grants certain rights to patients. Clarkson
More informationPrivacy 101 Awareness and Best Practices
Privacy 101 Awareness and Best Practices GPO Protection of Personally Identifiable Information (PII) National Institute Of Standards & Technology What is Privacy It is more than information security Privacy
More informationHIPAA Security Rule Changes and Impacts
HIPAA Security Rule Changes and Impacts Susan A. Miller, JD Tony Brooks, CISA, CRISC HIPAA in a HITECH WORLD American Health Lawyers Association March 22, 2013 Baltimore, MD Agenda I. Introduction II.
More informationMust score 89% or above. If you score below 89%, we will be contacting you to go over the material individually.
April 23, 2014 Must score 89% or above. If you score below 89%, we will be contacting you to go over the material individually. What is it? Electronic Protected Health Information There are 18 specific
More informationThe Impact of HIPAA and HITECH
The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients
More informationHIPAA Myths. WEDI Member Town Hall. Chris Apgar, CISSP Apgar & Associates
HIPAA Myths WEDI Member Town Hall Chris Apgar, CISSP Apgar & Associates Overview Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the Right
More informationUpdated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview
Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance
More informationComputer Security Incident Response Plan. Date of Approval: 23- FEB- 2015
Name of Approver: Mary Ann Blair Date of Approval: 23- FEB- 2015 Date of Review: 22- FEB- 2015 Effective Date: 23- FEB- 2015 Name of Reviewer: John Lerchey Table of Contents Table of Contents... 2 Introduction...
More informationHIPAA Privacy and Security and Research
ICTS Brown Bag Seminar Successful Completion: Participants must complete an evaluation form to receive a certificate of completion Contact Hours: 1 contact hours is available to those who meet the successful
More informationHIPAA compliance audit: Lessons learned apply to dental practices
HIPAA compliance audit: Lessons learned apply to dental practices Executive summary In 2013, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Omnibus Rule put healthcare providers
More informationDecrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use
Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute April 8, 2015 4/8/2015 1 1 Who is M-CEITA?
More informationEnforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance
Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin
More informationHIPAA Privacy and Information Security Management Briefing
HIPAA Privacy and Information Security Management Briefing Karen Pagliaro-Meyer Privacy Officer kpagliaro@columbia.edu (212) 305-7315 Soumitra Sengupta Information Security Officer sen@columbia.edu (212)
More informationHuman Subject Research: HIPAA Privacy and Security. Human Research Academy 101
Human Subject Research: HIPAA Privacy and Security Human Research Academy 101 Your Enterprise Privacy Officer Christine Adams, CHC, CHPC Enterprise Privacy Officer Compliance & Enterprise Risk Management
More informationTable of Contents. Acknowledgement
OPA Communications and Member Services Committee February 2015 Table of Contents Preamble... 3 General Information... 3 Risks of Using Email... 4 Use of Smartphones and Other Mobile Devices... 5 Guidelines...
More informationHIPAA BREACH NOTIFICATION REQUIREMENTS. Heman A. Marshall, III July 25, 2014
1 HIPAA BREACH NOTIFICATION REQUIREMENTS Heman A. Marshall, III July 25, 2014 2 SCENARIO FOR VBA SUMMER MEETING The Medical Marijuana Growers Association (MMGA) Health Plan, which is a self-fund plan,
More informationIntroduction to the NHS Information Governance Requirements
Introduction to the NHS Information Governance Requirements 2 Version April 2014 Information Governance ensures necessary safeguards for, and appropriate use of, patient and personal information. The widely
More informationPROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs
PROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs The Identity Theft and Fraud Protection Act (Act No. 190) allows for the collection, use
More informationDATA BREACH LAW UPDATE Global Trends Legal Complexities
DATA BREACH LAW UPDATE Global Trends Legal Complexities Moderator: Lucy L. Thomson Livingston PLLC Panelists: Thomas Smedinghoff Edwards Wildman Eric Hibbard Hitachi Data Systems Robert Thibadeau Wave
More informationHIPAA: Bigger and More Annoying
HIPAA: Bigger and More Annoying Instructor: Laney Kay, JD Contact information: 4640 Hunting Hound Lane Marietta, GA 30062 (770) 312-6257 (770) 998-9204 (fax) laney@laneykay.com www.laneykay.com OFFICIAL
More informationAGENDA HIP Ho AA w i rivacy d The B reach Happen? I P nc AA Secu dent R rit esp y o nse Corrective Action Plan What We Learned ACRONYMS USED
Michael Almvig Skagit County Information Services Director 1 AGENDA 1 2 HIPAA How Did Privacy The Breach Happen? HIPAA Incident Security Response 3 Corrective Action Plan 4 What We Learned Questions? ACRONYMS
More informationIntroducing the NASW Updated Sample HIPAA Privacy Forms and Policies
Introducing the NASW Updated Sample HIPAA Privacy Forms and Policies Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2013 National
More informationArt Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches
Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Speakers Phillip Long CEO at Business Information Solutions Art Gross President & CEO of HIPAA
More informationAPPROVED BY: DATE: NUMBER: PAGE: 1 of 9
1 of 9 PURPOSE: To define standards for appropriate and secure use of MCG Health electronic systems, specifically e-mail systems, Internet access, phones (static or mobile; including voice mail) wireless
More informationState of South Carolina Policy Guidance and Training
State of South Carolina Policy Guidance and Training Policy Workshop All Agency Mobile Security July 2014 Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy Overview: Mobile Security
More informationACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer
ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING By: Jerry Jackson Compliance and Privacy Officer 1 1 Introduction Welcome to Privacy and Security Training course. This course will help you
More informationHealthcare Horizons Webinar Series:
Healthcare Horizons Webinar Series: HIPAA and HITECH Enforcement Pete Enko peter.enko@huschblackwell.com 816.983.8312 Steve James steve.james@huschblackwell.com 816.983.8374 Husch Blackwell LLP Before
More informationWho Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5
Information Security Policy Type: Administrative Responsible Office: Office of Technology Services Initial Policy Approved: 09/30/2009 Current Revision Approved: 08/10/2015 Policy Statement and Purpose
More informationWritten Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.
Written Information Security Plan (WISP) for HR Knowledge, Inc. This document has been approved for general distribution. Last modified January 01, 2014 Written Information Security Policy (WISP) for HR
More informationProtecting Patient Privacy It s Everyone s Responsibility
Protecting Patient Privacy It s Everyone s Responsibility Observation & Student Learning Packet 1. Read packet Instructions for Self-Study Module 2. Complete post-test. A score of 80% must be achieved.
More informationTexas Medical Records Privacy Act (a.k.a. Texas House Bill 300)
Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Ricky Link, Coalfire ISACA North Texas and IIA Fort Worth Chapters The Petroleum Club of Fort Worth March 4, 2014 1 About Coalfire Coalfire
More informationHIPAA Myths. WEDI Regional Affiliates. Chris Apgar, CISSP Apgar & Associates
HIPAA Myths WEDI Regional Affiliates Chris Apgar, CISSP Apgar & Associates Overview Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the
More informationHIPAA Privacy and Security
HIPAA Privacy and Security Cindy Cummings, RHIT February, 2015 1 HIPAA Privacy and Security The regulation is designed to safeguard Protected Health Information referred to PHI AND electronic Protected
More informationIDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240
IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance
More informationSCDA and SCDA Member Benefits Group
SCDA and SCDA Member Benefits Group HIPAA Privacy Policy 1. PURPOSE The purpose of this policy is to protect personal health information (PHI) and other personally identifiable information for all individuals
More informationUnderstanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
More informationCYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131
CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations
More informationEncryption. From the Real World
HIPAA Safe Harbor Requirement Encryption Lessons Learned From the Real World Larry.Yob@AscensionHealth.org Scott.Aschenbach@StJohn.org Breach 45 CFR Parts 160 and 164 Breach Notification for Unsecured
More informationElectronic Communication In Your Practice. How To Use Email & Mobile Devices While Maintaining Compliance & Security
Electronic Communication In Your Practice How To Use Email & Mobile Devices While Maintaining Compliance & Security Agenda 1 HIPAA and Electronic Communication 2 3 4 Using Email In Your Practice Mobile
More informationCommunity First Health Plans Breach Notification for Unsecured PHI
Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance
More informationPrivacy Data Loss. Privacy Data Loss. Identity Theft. The Legal Issues
Doing Business in Oregon Under the Oregon Consumer Identity Theft Protection Act and Related Privacy Risks Privacy Data Loss www.breachblog.com Presented by: Mike Porter March 10, 2009 2 Privacy Data Loss
More informationChecklist for Breach Readiness. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @
Checklist for Breach Readiness Enabling a Resilient Organization Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @ Agenda Facts about breach violation impact
More informationHealthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014
Healthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014 Agenda Introduction / Session Overview HIT Budgeting 101 Security and Compliance EHR budgeting HIT Where Are We Going Q & A 2 Copyright
More informationHIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR. Chris Apgar, CISSP
HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR Chris Apgar, CISSP 2015 OVERVIEW Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the Right
More informationViolation Become a Privacy Breach? Agenda
How Does a HIPAA Violation Become a Privacy Breach? Karen Voiles, MBA, CHC, CHPC, CHRC Senior Managing Consultant, Compliance Agenda Differentiating between HIPAA violation and reportable breach Best practices
More informationOur Commitment to Information Security
Our Commitment to Information Security What is HIPPA? Health Insurance Portability and Accountability Act 1996 The HIPAA Privacy regulations require health care providers and organizations, as well as
More informationHIPAA and Mental Health Privacy:
HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association
More informationHIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist
HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various
More informationInformation Security Education and Awareness Training
Information Technology Information Security Education and Awareness Training Standard Identifier: IT-STND-002 Revision Date: 8/1/2015 Effective Date: 3/1/2015 Approved by: BOR CIO Approved on date: 10/17/2014
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP
More informationHIPAA ephi Security Guidance for Researchers
What is ephi? ephi stands for Electronic Protected Health Information (PHI). It is any PHI that is stored, accessed, transmitted or received electronically. 1 PHI under HIPAA means any information that
More informationData Security Breach. How to Respond
Data Security Breach How to Respond About ERM About The Speaker Information Security Director at ERM CISSP, CISA, CRISC, PCIP, PCI-QSA Core Experience: Information Assurance Computer Forensics Penetration
More informationHIPAA Privacy and Security
HIPAA Privacy and Security Course ID: 1020 - Credit Hours: 2 Author(s) Kevin Arnold, RN, BSN Accreditation KLA Education Services LLC is accredited by the State of California Board of Registered Nursing,
More informationStatement of Policy. Reason for Policy
Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions
More information