Impact of Legal and Regulatory Compliance on Higher Education Information Security Management. Dan Han Virginia Commonwealth University

Save this PDF as:

Size: px
Start display at page:

Download "Impact of Legal and Regulatory Compliance on Higher Education Information Security Management. Dan Han Virginia Commonwealth University"

Transcription

1 Impact of Legal and Regulatory Compliance on Higher Education Information Security Management Dan Han Virginia Commonwealth University

2 A little about me Worked in IT for close to 15 years, with 12 years focusing on Higher Education and Healthcare, and over 7 years in security practice and management Took a heavy interest in cyber law in grad school after studying the ChoicePoint data breach, but didn t really want to be a lawyer Conducted research in legal and regulatory compliance in IT and information security management with PhD candidates

3 Apologies

4 Higher education is like a

5 Educate students

6 Provide Financial Services

7 Conduct research

8 Provide healthcare services

9 Provide other goods, services, and living essentials

10 STUDENT ID NUMBERS DISABILITY STATUS NON-PUBLIC PERSONAL INFORMATION ACADEMIC STANDING HEALTH RECORDS PINS CARD HOLDER INFORMATION GRADES DEMOGRAPHICS PERSONALLY IDENTIFIABLE INFORMATION GPA CLASS SCHEDULE EDUCATION INFORMATION HEALTHCARE SOCIAL SECURITY NUMBERS CARD NUMBERS FINANCIAL SERVICES OPERATION RESEARCH DIAGNOSIS TREATMENT INFORMATION EXPORT CONTROL INSURANCE INFORMATION PROTECTED HEALTH INFORMATION MEDICAL RECORDS NUMBERS SPONSORED RESEARCH GENETIC INFORMATION MENTAL & MEDICAL HISTORY INTELLECTUAL PROPERTY CHILDREN S INFORMATION

11 GLBA HIPAA GINA HITECH FERPA Intellectual Property PHI USML ITAR PCI-DSS PII REGULATED INFORMATION SER FOIA Red Flag Rule OFAC-ETS CCL NPI Card holder Data EAR PPRA FTC Act Section 5 COPPA DMCA Safe Harbor

12 Regulations may include But are not limited to Federal Education Rights and Privacy Act (FERPA) Payment Card Industry Data Security Standard (PCI-DSS) Gramm-Leach-Bliley Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health Act (HITECH) Genetic Information Nondiscrimination Act (GINA) Children s Online Privacy Protection Act (COPPA) Protection of Pupil Rights Amendment (PPRA) Federal Information Security Management Act (FISMA) State Information Privacy Laws (46 States and 4 U.S. Territories) Export Control Laws (ITAR, EAR, OFAC-ETS) EU Directive 95/46/EC / Safe Harbor Privacy Principles Federal Trade Commission Act Section 5 (FTC Act) Digital Millennium Copyright Act (DMCA) Freedom of Information Act (FOIA) FTC Red Flag rule Wiretap Act / Electronic Communications Privacy Act (ECPA)

13 FERPA Federal Education Rights and Privacy Act Protection of Student Educational Records Protection of non-directory information from disclosure without written consent (Some exceptions apply) Directory Information is usually classified by an educational institution and can be generally be disclosed without prior consent Disclosure of Student Educational Records to School officials is permitted as long as they have a Need to know Student health information is covered under FERPA! Privacy of student financial aid data is covered under FERPA! Enforced by Department of Education Maybe applicable to student information related to education and research

14 GLBA Gramm-Leach-Bliley Act Safeguard Rule: Protect the confidentiality of customer non-public personal and financial information (NPI) held in possession of covered financial institutions Ensure confidentiality of these information Protect against unauthorized access Protect against anticipated threats or hazards Requires formalized security program Enforced primarily by FTC Affects student financial aid records, processing of financial loans or other financial services

15 PCI-DSS Payment Card Industry Data Security Standard Protect the confidentiality of Card Holder Data stored, transmitted, and processed by entities involved in payment card processing Recommends network segmentation and scoping Includes minimum standards on administrative, physical, and technical controls, including testing and audits Consist of 4 levels with varying auditing and compliance requirements External and internal assessment may be needed depending on qualifying level Enforced by PCI Counsel and banks Affects physical and web store fronts, dining services, athletics, housing and any other areas that may process credit cards

16 PCI-DSS 3.0 PCI-DSS 3.0 is right around the corner, designed to focus on several new areas: Education and Awareness Passwords and Authentication Methods Third party business partners Emerging technologies such as e-commerce, mobile processing, and cloud processing Consistent and verifiable security management with heavy focus on documentation

17 State Data Security and Privacy Laws Designed to protect the privacy and security of State residents personally identifiable information (PII) Based off of the CA SB 1386, 46 States and 4 U.S. Territories have laws applicable to residents PII usually include First Name or First initial and Last Name plus SSN, State ID / Driver s License Numbers, Card numbers and other financial information Can also include health care information May affect student / employee PII, may include information from HR, Registrar s office, Student Health, Campus Police, ERP systems, and other administrative and academic units

18 State Data Security and Privacy Laws Issues: Applicability Some laws apply to any entity with data on residents Others apply to entities operating in the State or territory Varying definitions Personal Information (Some include Health Information) Risk of harm assessment requirement Breach notification time limit Notification methodology and Police / AG notification requirement Requirement to encrypt data in transit Extremely confusing

19 Safe Harbor Privacy Principles Established by U.S. Department of Commerce to certify organizations that handle EU resident s personal data. Based off of the EU Data Protection Directive (95/46/EC) EU companies prohibited from transmitting personal data to countries that do not meet EU adequacy standard for privacy protection Voluntary certification for U.S. organizations, certified organizations will be deemed adequate by EU standards Requires 7 elements and annual certification May apply to collaborative research projects involving EU companies and / or the personal data of EU citizens.

20 Copyright Laws Patent Act Grants exclusive rights of making, using, or vending of useful or important inventions Copyright Act Grants exclusive rights to reproduce, create derivative work, distribute, perform, or display original works of authorship Digital Millennium Copyright Act Protects copyright information and prevent the circumvention of technological measures that effectively controls the access to copyrighted materials. ISP exemption given diligence in handling violation reports May apply to University computer and network resources used by faculty, staff and students, as well as research intellectual property (ownership)

21 Other laws and regulations Freedom of Information Act (FOIA) Allows public inspection and disclosure of public records in the custody of public body or its officers and employees May affect data retention and disclosure of potentially sensitive data Data Retention Schedules (Commonwealth, Federal) Defines the retention and removal requirements for various types of data such as administrative records, educational records, etc. May apply to data storage and retention Computer Fraud and Abuse Act (CFAA), Wiretap Act, and Electronic Communication Privacy Act (ECPA) Applicable to , telephone conversations and security of devices and data that is electronically transmitted through devices May apply to monitoring and forensic investigations (if no authorization or contractual provisions such as an AUP is established)

22 Other laws and regulations Federal Trade Commission Act Section 5 Prohibits Unfair or deceptive acts or practices in or affecting commerce Promotes privacy framework including Privacy by design, Simplified choice, and transparency Ensures organizational actions are consistent with their policies. FTC Red Flag Rule Requires a written identity theft protection program that detect, prevent, and mitigate identity theft Need to define the red flags Create policy, procedures, and practices to detect and respond to red flags

23 PHEW

24 And if that wasn t enough let s talk about Research

25 There are a plethora of laws and regulations that may apply to your research environment!

26 PPRA Protection of Pupil Rights Amendment Protection of minor student s personal information Written consent from parents is needed before the collection of the following information from minor students in any U.S. Department of Education funded survey, analysis, or evaluation: Political affiliations Mental and psychological problems that can embarrass Sex behavior and attitudes Illegal, anti-social, self-incriminating and demeaning behavior Critical appraisals of other individuals with whom respondents have close family relationships Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers Religious practices, affiliations, or beliefs of the student or student's parent*; or Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program.) Applicable to information related to under-age research subjects in DoE funded projects.

27 COPPA Children s Online Privacy Protection Act (COPPA) Provide parents with control over the information that is collected from their young children (<13) online. Need verifiable parental consent to collect information Must contain accurate privacy statement with specific content Provide parents with the control over the use and disclosure of their children s information Prohibits the collection of unnecessary information Applicable to information related to research projects

28 How do you get verifiable consent? UETA and ESIGN Uniform Electronic Transactions Act and Electronic Signatures in Global and National Commerce Act Guarantees the legality of electronic signatures So click-through agreements and EULAs are legal and binding contracts!

29 FISMA Federal Information Security Management Act (FISMA) Follows NIST SP security requirements Standard practice for HHS, DHS, DOD, DOE, NSF and other federal government agencies Fed sponsored research programs will see these requirements in grants, contracts, and data use agreements Three levels of risk, depending on data sensitivity In some cases requires FISMA certified data processing and storage facilities depending on risk level May apply to federally funded research projects, and may appear in the form of data management plans.

30 HIPAA / HITECH Health Information Portability and Accountability Act (HIPAA) Title II: regulates the privacy, security, use, and distribution of Protected Health Information Protected Health Information Health Information with 18 HIPAA identifiers from or to a Covered Entity Covered Entity Healthcare provider, insurance provider, or clearing house Two sets of rules under Title II Privacy rule: Use and distribution of PHI Security rule: Defines Required and Addressable security safeguards

31 HIPAA / HITECH Requirements Must safeguard PHI from unauthorized access, modification, or deletion Required and addressable safeguards Administrative Security policy, training, Business Associates Agreements Physical Secure facility, monitored physical access control PHI Technical Encrypted transmission, partner authentication, data integrity Cannot sell, use, or share PHI without appropriate consent or approval

32 HIPAA / HITECH Health Information Technology for Economic and Clinical Health Act (HITECH) Part of ARRA in 2009 Final Omnibus rule released this year, with compliance date of September, 2013 Strengthens HIPAA with stringent Enforcement rule Requires modified and more stringent privacy policies by Covered Entities Places more requirements on Business Associates New Breach notification rule that eliminates the No harm, no foul loop hole The 500 records rule

33 HIPAA / HITECH How do I know if I am covered? If you collect health information on behalf of a covered entity If you collect health information from a covered entity If you collect health information on behalf of the covered unit of a hybrid entity The conundrum of a hybrid entity Even when HIPAA is not applicable Many state laws will cover health information May be applicable to research projects and healthcare components in the University

34 GINA Genetic Information Non-Disclosure Act Prohibits discrimination in health coverage and employment based on genetic information Genetic information is considered PHI and same HIPAA safeguards and ramifications apply under GINA

35 Export Control Laws Export Administration Regulations (EAR) Regulates items and services specifically designed for military applications 10 categories of sensitive commercial and dual-use goods, software, technology listed in the Commerce Control List (CCL). These Include: nuclear, chemical, electronics Information security, telecommunications lasers and sensors, avionics and navigation marine, propulsion systems and space vehicles related equipment, software, and technology. Specific license and registration is required from Commerce Department for export Assets must be handled by U.S. Persons otherwise

36 Export Control Laws International Traffic in Arms Regulation (ITAR) Regulates import, export and re-export of Defense Articles and Defense Services Applicable to items and services enumerated on U.S. Munitions List (USML) Also controls other items and services that has been specifically designed, developed, configured, adapted or modified for military and does not have predominant civil applications Authorization is needed from State Department Directorate of Defense Trade Controls (DDTC) Assets must be handled by U.S. Persons otherwise Cannot export to proscribed countries under U.S. Arms Embargos

37 Export Control Laws Economic and Trade Sanction Regulations regulated by Treasury Department s Office of Foreign Assets Control (OFAC) Applicable to non-friendly countries, goods, investments, transactions and services exported or reexported to or imported from these countries Also applicable to entities and individuals in the SDN list that includes agents of sanctioned countries, terrorism sponsoring organizations, international narcotics traffickers, weapons proliferators or otherwise engage in activities that threaten the security of the United States

38 So what now?

39

40 While there are some differences among these regulations

41 The commonalities Ambiguity in requirements Encryption safe harbor Requirements of being a good data steward Risk based security management programs Administrative, physical, and technical controls for detection, prevention, and treatment of threats Prevention, detection, response, and remediation of threats Formalized data sharing and usage processes Transparent self-regulation Breach reporting requirements and regulations Adequate and proportionate security and privacy policy and programs Enforce and follow the policies and programs

42 Recommendations Know what regulation is applicable to your environment Classify your information based on risk and impact Be transparent, clear and concise about acceptable use, information collection, usage, and management. Take applicable laws and regulations into consideration when classifying your data Document policies, procedures, and controls regarding data protection and management Establish and maintain data governance structure with clearly defined stewardship responsibilities

43 Recommendations Encrypt your regulated data in transit and at storage based on risk, take advantage of the encryption safe harbor Ensure you have data sharing / use agreements or business associate agreements with third party Minimize the scope of coverage as much as possible (You can t lose what you don t have, it is not applicable if it is not covered) Consider risk transference by use of cyber liability insurance Do not be disingenuous and do not sweep things under the rug

44 Resources PTAC FERPA Privacy and Security Toolkit HIPAA Omnibus rule summary %20of%20New%20HIPAA%20Rules%20by%20Elizabeth%20Johnson %20Jan% pdf HITRUST (HIPAA + PCI + State reqs.) Cloud Security Alliance Red Flag Rule FTC Privacy Framework Mintz State Data Breach Law summary /state_data_breach_matrix.pdf

45 Thank you Questions?

EXPORT CONTROLS COMPLIANCE

EXPORT CONTROLS COMPLIANCE Responsible University Official: Vice President for Research Responsible Office: Office for Export Controls Compliance Origination Date: May 1, 2014 EXPORT CONTROLS COMPLIANCE Policy Statement Northwestern

More information

Virginia Commonwealth University Information Security Standard

Virginia Commonwealth University Information Security Standard Virginia Commonwealth University Information Security Standard Title: Scope: Data Classification Standard This document provides the classification requirements for all data generated, processed, stored,

More information

I. U.S. Government Privacy Laws

I. U.S. Government Privacy Laws I. U.S. Government Privacy Laws A. Privacy Definitions and Principles a. Privacy Definitions i. Privacy and personally identifiable information (PII) b. Privacy Basics Definition of PII 1. Office of Management

More information

Harvard Export Control Compliance Policy Statement

Harvard Export Control Compliance Policy Statement Harvard Export Control Compliance Policy Statement Harvard University investigators engage in a broad range of innovative and important research both in the United States and overseas. These activities

More information

Export Control Training

Export Control Training 2007 Export Control Training Office of Sponsored Research and Programs Missouri State University Missouri State University Research Security and Export Controls Compliance Manual 11/7/2007 1 As an employee

More information

Online Lead Generation: Data Security Best Practices

Online Lead Generation: Data Security Best Practices Online Lead Generation: Data Security Best Practices Released September 2009 The IAB Online Lead Generation Committee has developed these Best Practices. About the IAB Online Lead Generation Committee:

More information

Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable. Data Breaches Are All Too Common

Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable. Data Breaches Are All Too Common Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable Steven J. Fox (sjfox@postschell.com) Peter D. Hardy (phardy@postschell.com) Robert Brandfass (BrandfassR@wvuh.com) (Mr. Brandfass

More information

Middle Tennessee State University. Office of Research Services

Middle Tennessee State University. Office of Research Services Middle Tennessee State University Office of Research Services Procedure No.: ORS 007: Export Control Date Approved: December 08, 2011 1. INTRODUCTION: It is the intent of Middle Tennessee State University

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

Privacy Legislation and Industry Security Standards

Privacy Legislation and Industry Security Standards Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,

More information

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00) Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00) May 15, 2009 LLP US Information Security Framework Historically industry-specific HIPAA Fair Credit Reporting

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Cyber, PrivaCy. & Data SeCurity. www.mpplaw.com

Cyber, PrivaCy. & Data SeCurity. www.mpplaw.com Cyber, PrivaCy & Data SeCurity 360 www.mpplaw.com about our PraCtiCe Data is the lifeblood of our global economy. Collected, stored and transmitted, digital data not only imparts great opportunities, but

More information

DATA SECURITY AGREEMENT. Addendum # to Contract #

DATA SECURITY AGREEMENT. Addendum # to Contract # DATA SECURITY AGREEMENT Addendum # to Contract # This Data Security Agreement (Agreement) is incorporated in and attached to that certain Agreement titled/numbered and dated (Contract) by and between the

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

Law & Ethics, Policies & Guidelines, and Security Awareness

Law & Ethics, Policies & Guidelines, and Security Awareness Law & Ethics, Policies & Guidelines, and Security Awareness Modifications by Prof. Dong Xuan and Adam C. Champion Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of

More information

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information about HIPAA, the HITECH-HIPAA Omnibus Privacy Act, how

More information

THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS

THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS Data Law Group, P.C. Kari Kelly Deborah Shinbein YOU CAN T OUTSOURCE COMPLIANCE! Various statutes and regulations govern

More information

EXPORT CONTROLS AND RESEARCH AT WPI TRAINING PRESENTATION

EXPORT CONTROLS AND RESEARCH AT WPI TRAINING PRESENTATION EXPORT CONTROLS AND RESEARCH AT WPI TRAINING PRESENTATION EXPORT CONTROL LAWS WHAT ARE EXPORT CONTROLS? U.S. laws and their implementing regulations that govern the distribution to foreign nationals and

More information

PII Personally Identifiable Information Training and Fraud Prevention

PII Personally Identifiable Information Training and Fraud Prevention PII Personally Identifiable Information Training and Fraud Prevention Topics What is Personally Identifiable Information (PII)? Why are we committed to protecting PII? What laws govern us? How do we comply?

More information

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015 Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015 Katherine M. Layman Cozen O Connor 1900 Market Street Philadelphia, PA 19103 (215) 665-2746

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

Information Security Program

Information Security Program Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August

More information

Policy and Procedures Date: 08-24-11

Policy and Procedures Date: 08-24-11 Virginia Polytechnic Institute and State University Policy and Procedures Date: 08-24-11 Subject: Export and Sanctions Compliance Policy Definitions 1.0 Policy 2.0 Oversight 3.0 Responsibilities of Faculty,

More information

Understanding Health Insurance Portability Accountability Act AND HITECH. HIPAA s Privacy Rule

Understanding Health Insurance Portability Accountability Act AND HITECH. HIPAA s Privacy Rule Understanding Health Insurance Portability Accountability Act AND HITECH HIPAA s Privacy Rule 1 What Is HIPAA s Privacy Rule The privacy rule is a component of the Health Insurance Portability and Accountability

More information

Contact: Henry Torres, (870) 972-3033

Contact: Henry Torres, (870) 972-3033 Information & Technology Services Management & Security Principles & Procedures Executive Summary Contact: Henry Torres, (870) 972-3033 Background: The Security Task Force began a review of all procedures

More information

Second Annual Impact of Export Controls on Higher Education & Scientific Institutions

Second Annual Impact of Export Controls on Higher Education & Scientific Institutions The following presentation was presented at the Second Annual Impact of Export Controls on Higher Education & Scientific Institutions Hosted by Georgia Institute of Technology In cooperation with Association

More information

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996 HIPAA RISKS & STRATEGIES Health Insurance Portability and Accountability Act of 1996 REGULATORY BACKGROUND Health Information Portability and Accountability Act (HIPAA) was enacted on August 21, 1996 Title

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,

More information

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information

More information

Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues

Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues Todd Bertoson Daniel Gibb Erin Sheppard Principal Senior Managing Associate Counsel todd.bertoson@dentons.com

More information

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5 Information Security Policy Type: Administrative Responsible Office: Office of Technology Services Initial Policy Approved: 09/30/2009 Current Revision Approved: 08/10/2015 Policy Statement and Purpose

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Data Privacy & Security: Essential Questions Every Business Must Ask

Data Privacy & Security: Essential Questions Every Business Must Ask Data Privacy & Security: Essential Questions Every Business Must Ask Presented by: Riddell Williams P.S. Riddell Williams P.S. May 6, 2015 #4841-4703-9779 Innocent? 2 Overview 3 basic questions every business

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

Using Technology Control Plans in Export Compliance. Mary Beran, Georgia Tech David Brady, Virginia Tech

Using Technology Control Plans in Export Compliance. Mary Beran, Georgia Tech David Brady, Virginia Tech Using Technology Control Plans in Export Compliance Mary Beran, Georgia Tech David Brady, Virginia Tech What is a Technology Control Plan (TCP)? The purpose of a TCP is to control the access and dissemination

More information

Information Security Law: Control of Digital Assets.

Information Security Law: Control of Digital Assets. Brochure More information from http://www.researchandmarkets.com/reports/2128523/ Information Security Law: Control of Digital Assets. Description: For most organizations, an effective information security

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Implications of HIPAA Requirements on Healthcare Payment Processing

Implications of HIPAA Requirements on Healthcare Payment Processing Implications of HIPAA Requirements on Healthcare Payment Processing Linda M Wolverton Vice President, Compliance, TEAMHealth Lynne Pearson Vice President, National Healthcare Treasury Management Fifth

More information

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October

More information

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Happenings in Hospital Systems Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Health Insurance Portability and Accountability Act of 1996 Title 1 Title II Title III Title IV Title

More information

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013 Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and

More information

Privacy Law Basics and Best Practices

Privacy Law Basics and Best Practices Privacy Law Basics and Best Practices Information Privacy in a Digital World Stephanie Skaff sskaff@fbm.com What Is Information Privacy? Your name? Your phone number or home address? Your email address?

More information

Introduction to Data Privacy & ediscovery Intersection of Data Privacy & ediscovery

Introduction to Data Privacy & ediscovery Intersection of Data Privacy & ediscovery Today s Topics Introduction to Data Privacy & ediscovery General Overview Data Privacy in the United States Data Privacy in Foreign Countries Intersection of Data Privacy & ediscovery Preservation of Data

More information

Data Privacy & Security in the Cloud: Legal Basics and New Developments

Data Privacy & Security in the Cloud: Legal Basics and New Developments Data Privacy & Security in the Cloud: Legal Basics and New Developments Lawrence R. Freedman Partner, Edwards Wildman Palmer LLP lfreedman@edwardswildman.com (202) 939-7923 1 The Basics Two basic data

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

Ø Externally Hosted Computing Services Appropriate Use Guidelines Ø Matrix for Appropriate Use

Ø Externally Hosted Computing Services Appropriate Use Guidelines Ø Matrix for Appropriate Use Ø Externally Hosted Cputing Services Ø Matrix for Appropriate Use 3/31/2015 1 Externally Hosted Cputing Services This overview is intended to provide information for faculty, staff and students about the

More information

Authorized. User Agreement

Authorized. User Agreement Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION

More information

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

SANS Securing The Human

SANS Securing The Human SANS Securing The Human Introduction Most organizations have invested in security technology to protect their information, putting in place solutions such as firewalls, encryption or IDS sensors. However,

More information

Cyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014

Cyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014 Cyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014 2014, Mika Meyers Beckett & Jones PLC All Rights Reserved Presented by: Jennifer A. Puplava

More information

[Company Name] HIPAA Security Awareness and Workforce Training Program Manual

[Company Name] HIPAA Security Awareness and Workforce Training Program Manual [Company Name] HIPAA Security Awareness and Workforce Training Program Manual The Importance of Security Awareness Training 4 Data Security Breaches 5 What is Information Security? 6 Roles and Responsibilities

More information

1/23/2015. MSBO Technology Committee January 22, 2015. Examples of Online Educational Services

1/23/2015. MSBO Technology Committee January 22, 2015. Examples of Online Educational Services MSBO Technology Committee January 22, 2015 Technology Policies Online Educational Services 2015 Mika Meyers Beckett & Jones PLC All Rights Reserved Presented by: Jennifer A. Puplava Mika Meyers Beckett

More information

Export Control Laws Training Presentation FLORIDA INSTITUTE OF TECHNOLOGY

Export Control Laws Training Presentation FLORIDA INSTITUTE OF TECHNOLOGY Export Control Laws Training Presentation FLORIDA INSTITUTE OF TECHNOLOGY 1 Why Be Concerned with Export Control Laws Certain export control laws may apply to FIT research activities here and abroad. Failure

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

SECTION-BY-SECTION ANALYSIS

SECTION-BY-SECTION ANALYSIS INTRODUCED BY CONGRESSMAN RANDY NEUGEBAUER (R-TX) AND CONGRESSMAN JOHN CARNEY (D-DE) SECTION-BY-SECTION ANALYSIS Section 1: Short Title The Data Security Act of 2015. Section 2: Purposes The purposes of

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

BUSINESS ASSOCIATE AGREEMENT Tribal Contract

BUSINESS ASSOCIATE AGREEMENT Tribal Contract DEPARTMENT OF HEALTH SERVICES Division of Enterprise Services F-00714 (08/2013) STATE OF WISCONSIN BUSINESS ASSOCIATE AGREEMENT Tribal Contract This Business Associate Agreement is made between the Wisconsin

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

UC PRIVACY AND INFORMATION SECURITY STEERING COMMITTEE OCTOBER 25, 2010

UC PRIVACY AND INFORMATION SECURITY STEERING COMMITTEE OCTOBER 25, 2010 UC PRIVACY AND INFORMATION SECURITY STEERING COMMITTEE OCTOBER 25, 2010 Agenda 1:00 pm Welcome Introductions Review of the Committee s Charge A Provisional 18-Month Plan 1:30 Setting the Stage Privacy

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So?

Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So? Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So? Bruce Heiman K&L Gates September 10, 2015 Bruce.Heiman@klgates.com (202) 661-3935 Why share information? Prevention

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

Exhibit A. Federal Statutes Impacting Data Security

Exhibit A. Federal Statutes Impacting Data Security Exhibit A Federal Statutes Impacting Data Security Michele A. Whitham Partner, Founding Co-Chair Security & Privacy Practice Group Foley Hoag LLP 155 Seaport Boulevard Boston, MA 02210 Federal Law Citation

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

P02.07.066. Mobile Device Security.

P02.07.066. Mobile Device Security. P02.07.066. Mobile Device Security. A. University employees and students using a laptop computer or mobile device (e.g. portable hard drives, USB flash drives, smartphones, tablets) are responsible for

More information

MASSIVE NETWORKS Online Backup Compliance Guidelines... 1. Sarbanes-Oxley (SOX)... 2. SOX Requirements... 2

MASSIVE NETWORKS Online Backup Compliance Guidelines... 1. Sarbanes-Oxley (SOX)... 2. SOX Requirements... 2 MASSIVE NETWORKS Online Backup Compliance Guidelines Last updated: Sunday, November 13 th, 2011 Contents MASSIVE NETWORKS Online Backup Compliance Guidelines... 1 Sarbanes-Oxley (SOX)... 2 SOX Requirements...

More information

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation MELISSA J. KRASNOW, DORSEY & WHITNEY LLP

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013 CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE October 2, 2013 By: Diane M. Gorrow Soule, Leslie, Kidder, Sayward & Loughman, P.L.L.C. 220 Main Street

More information

Cloud Computing Contracts. October 11, 2012

Cloud Computing Contracts. October 11, 2012 Cloud Computing Contracts October 11, 2012 Lorene Novakowski Karam Bayrakal Covering Cloud Computing Cloud Computing Defined Models Manage Cloud Computing Risk Mitigation Strategy Privacy Contracts Best

More information

Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Information Requirements

Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Information Requirements Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Information Requirements (Revised April 9, 2015) 1. General Requirements Overview - Personally Identifiable Information

More information

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules Professional Solutions Insurance Company Business Associate Agreement re HIPAA Rules I. Purpose of Agreement This Agreement reflects Professional Solutions Insurance Company s agreement to comply with

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

HIPAA In The Workplace. What Every Employee Should Know and Remember

HIPAA In The Workplace. What Every Employee Should Know and Remember HIPAA In The Workplace What Every Employee Should Know and Remember What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 Portable Accountable Rules for Privacy Rules for Security

More information

OCR UPDATE Breach Notification Rule & Business Associates (BA)

OCR UPDATE Breach Notification Rule & Business Associates (BA) OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy & Breach Notification Training for System Administration Business Associates HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

Covered California. Terms and Conditions of Use

Covered California. Terms and Conditions of Use Terms and Conditions of Use Contents: Purpose Of This Agreement Privacy Policy Modification Of This Agreement Permission To Act On Your Behalf How We Identify You Registration Additional Terms For Products

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

Privacy Impact Assessment (PIA) Waiver Review System (WRS) Version 03.06.01.01. Last Updated: December 2, 2013

Privacy Impact Assessment (PIA) Waiver Review System (WRS) Version 03.06.01.01. Last Updated: December 2, 2013 United States Department of State (PIA) Waiver Review System (WRS) Version 03.06.01.01 Last Updated: December 2, 2013 Bureau of Administration 1. Contact Information Department of State Privacy Coordinator

More information

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9 1 of 9 PURPOSE: To define standards for appropriate and secure use of MCG Health electronic systems, specifically e-mail systems, Internet access, phones (static or mobile; including voice mail) wireless

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP

More information