1 plantemoran.com Data Security and Privacy: What School Personnel Administrators Need to Know
2 Tomorrow's Headline: Let's hope not
- District posts confidential data online (Tech News, May 18, 2007): In one of the worst security breaches ever in a public K-12 school system, confidential data for thousands of students, including, in some cases, medical information and Social Security numbers, were accidentally posted online.
- Laptop theft puts 40,000 school employees at risk (The Daily Journal, April 6, 2007): Two laptop computers containing the names and Social Security numbers of about 40,000 current and former employees were stolen from district headquarters.
3 Tomorrow's Headline: Let's hope not
- Latest data security risk for schools: Copiers (eSchool News, May 17, 2007): As schools take steps to protect the security of data on their computer networks, experts warn they also should consider securing copiers and scanners that could be used to copy sensitive information.
- Coach sued for requesting students' Facebook logins (eSchool News, September 2009): A high school cheerleader is suing her school and former coach, claiming violation of privacy and free speech
4 Privacy and Security
- Privacy: What should be protected?
  - Obtain permission before disclosing personal information
  - Those handling medical data must account for disclosures and limit disclosure for purposes other than for treatment
  - Allow parents/students to obtain copies of records and request amendments to records
  - Affects paper and oral communication
- Security: How should it be protected?
  - Procedures to guard data integrity, confidentiality, and availability
  - Restriction of access to information by physical and technical safeguards
  - Technical system standards to prevent unauthorized access to data transmitted over a communications network
5 Personal Information
- Definition varies from state to state
- Most states include an individual's first name or first initial and last name in combination with any of the following:
  - SSN
  - Driver's license number or state ID card number
  - Account numbers, credit, or debit card numbers along with security or access codes or passwords
- Some states also include taxpayer ID, biometric data (e.g., fingerprint, voice print, retina, or iris image), passport numbers, DOB, and digital signatures
6 Personal Information
- Majority of states prohibit use of more than 4 digits of SSN for various purposes
  - Various exceptions as dictated by law
- Must notify of potential breach
  - If data containing personal information is lost, stolen, or inadvertently disclosed
  - A few states require notification of any data breach
  - Most states require notification when harm to potential victims is likely or reasonably likely.
- Residence of affected individuals determines applicable notice law
7 Personal Information
- Know where your data is
  - Hosted
  - Server within the district
  - Laptops
  - Thumb drives
- Make sure you have an incident response plan in place
- Personal information on a portable device: consider encryption
8 What do we have to comply with?
- FERPA
- HIPAA
- CIPA
- PCI
- eDiscovery
9 The list will continue to grow
10 Family Educational Rights and Privacy Act (FERPA)
- Federal student education records law
- Its two main goals are:
  1) Guarantee access to student educational records by students
  2) Prevent unauthorized disclosure of educational records
- Educational Records are records, files, documents, or other materials that:
  1) Contain information directly related to a student
  2) Are maintained by an educational agency or institution or by a person acting for such agency or institution.
11 FERPA: January 2009 Revision
- Expanded school official exception to include contractors/consultants/hosting providers
  - Have vendors sign acceptable use policy indicating compliance with FERPA
- Clarified that remote students are covered by FERPA
- Expanded definition of personal identifiers
- Several other changes as well
12 HIPAA: Health Insurance Portability & Accountability Act
- The Privacy Rule took effect on April 14, 2003, with a one-year extension for certain "small plans."
- It establishes regulations for the use and disclosure of Protected Health Information (PHI).
- PHI = information about health status, provision of health care, or payment for health care that can be linked to an individual.
- Broadly interpreted: any part of a patient's medical record or payment history.
- Need to keep data secure and private
- Overlap between FERPA and HIPAA
13 Children's Internet Protection Act (CIPA)
- Federal law
- Addresses concerns about access to offensive content over the Internet on school and library computers.
- Applies to any school or library that receives funding from the E-rate program
14 Payment Card Industry (PCI)
- Data Security Standards aimed at preventing identity theft
- Applicable if you process, store or transmit credit card data
- The core of the PCI Data Security Standard (DSS) is a group of principles and accompanying requirements:
  - Build and maintain a secure network
  - Protect cardholder data
  - Maintain a Vulnerability Management Program
  - Implement strong access control measures
  - Regularly monitor and test networks
  - Maintain an information security policy
15 Payment Card Industry (PCI)
- Ongoing process
- Minimal transactions still subject to PCI DSS
- Number of transactions does dictate the steps necessary for compliance.
- Fines and other penalties for lack of compliance
- Not an IT-driven project; must be driven by district administration
16 eDiscovery
- New amendments to the Federal Rules of Civil Procedure went into effect on December 1, 2006
- Requires any organization that might be sued in federal court to have systems for retrieving electronic data
- Identifies Electronically Stored Information (ESI)
- Sets a timeline for events surrounding discovery of ESI
- Obligation to preserve ESI when litigation is a reasonable possibility
17 eDiscovery
ESI has been interpreted to mean:
- Voicemail and Voice Recordings
- Instant Messaging
- iPods
- Blogs
- Collaboration tools like wikis and SharePoint
- Proprietary Databases
- Thumb Drives
- The computer in your car
- RFID Info
- Internet Logs
- Phone Logs
- Credit Card Databases
- Shipping Databases
- Regular email
- Third-party email (Hotmail)
- Forensic Fragments
- Deleted Files
- Caches
- Cookies...
18 eDiscovery
- Identify an eDiscovery team
  - Cross-functional: IT, HR, Legal
- Know where your data is
- Make sure your document retention policy applies to email and other ESI
- Consider periodic checks to make sure staff are complying
19 Additional Challenges
- Social Networking
- Portability of data
- Technology natives
- Increasing fraud incidents
- New technologies
  - Web 2.0
  - Web-based
20 Data Security: Threats
Sources of threats & remediation factors that need to be considered:
- Threats: Network Logons / Phishing; Malware, Viruses; Wireless Networks; Social Engineering; Rogue apples
- Remediation: Complexity in passwords (security policy); Providing secure access and training; Implementing products and training; Authorized access and encryption; Training
Threats are inside (students and staff) and outside (strangers, community)
21 Security Program Made Simple
Implement. Enforce. Maintain. Monitor.
- Interruptions, Interceptions, Modifications, Fabrication
- Prevention, Protection, Recovery, Detection, Investigation
- People: Administrators, Teachers, Staff, Students, Third-parties
- Process: Physical Security, Logical Security, User Management, Password Management, Business Continuity, Change Management, Systems Development, Incident Response, Training, Policies & Procedures
- Technology: Firewall, User Access Software, Remote Access Software, VPN Technology, Encryption, Biometrics, Antivirus, Access Cards, IDS/IPS
22 Data Security: Security Policy
- A secure network starts with a strong security policy
- Protecting your data: 3 key factors (C.I.A.)
  - Confidentiality: Protecting data from unauthorized access
  - Integrity: Protecting data from unauthorized modifications
  - Availability: Making sure that data is available at all times
23 Data Security: Security Policy
- Security policy should address who needs access, who can modify the data, and how data and availability are protected.
- Some guidelines for a security policy:
  - High-level document: defines the purpose and scope of the policy
  - Define responsibilities, limitations, emergency procedures
  - Define consequences of failing to comply with these requirements
  - Need involvement of HR, Business and IT
24 Data Security: Security Policy
- Avoid tying the policy to particular systems or technology
- Should be reviewed / updated on a periodic (annual or semiannual) basis
- Policy should not include specifics; use procedural document for details
25 Data Security: Security Policy Security is a Balancing Act between Securing Data and Providing Flexibility Connectivity Performance Ease of Use Access Identity Integrity Active Audit Security
26 Security Framework
- Administrative Controls
  - Policies
  - Risk assessment
  - Assign security responsibility
  - User access process (new user, terminations, changes)
  - Access authorization
  - Security awareness & training
  - Security incident response
  - Contingency planning / data backup
- Physical Controls
  - Facility access controls
  - Workstation controls
  - Device and media controls
- Technical Controls
  - Authentication controls (password, etc.)
  - Access controls (operating system, application)
  - Audit controls (monitoring and testing)
  - Encryption controls
  - Architecture controls (firewalls, VPN, etc.)
  - Configuration controls
- Vendor Management Controls
  - Contract language (confidentiality, ownership, regulatory and legal compliance)
  - Security audit, SAS70
  - Vendor access control
  - Vendor copies of confidential information
27 Data Security: Not a one time fix!
28 Digital Forensics
The application of computer science and investigative procedures for a legal purpose.
- Employs validated processes to properly secure / collect evidence
- Chain of custody for potential evidence
- Finding pertinent data
  - Documents
  - Malicious Code
- Analyzing properties of the data and systems
- Validating the data accuracy and source
- Repeatability of processes used
- Presentability (attorneys and court)
* Forensic Magazine
29 What Can Be Discovered with Forensics?
- Recover and search deleted files, formatted drives, email, and other data thought to be erased
- Examine file-related metadata
  - File creation, modification, deletion, and last accessed dates
  - User ID used to create, modify, and access data
- Operating system artifacts
  - When and to what printer a file was printed
  - If a web site was accessed via a link or typed in
  - If a USB drive was connected and what type
30 Common Issues with Digital Forensics
- Easy to spoil evidence: Consider the impact of such simple actions as logging out the subject user or examining the system. Secure an image first.
- Some organizations miss evidence because they do not secure all of the possible sources of evidence.
- Shared computers provide a common defense; counter with well-enforced password policies and interviews
- Incorrect conclusions: must have deep technical expertise.
- Many states are requiring computer forensic experts to have a Private Investigator (PI) license to perform forensic work
31 Summary: Questions you should ask
- Do you know what statutes and laws apply? (most likely more than just state laws)
- What data/assets are you/should you be protecting?
- Who has access to this data? Limit access.
- What is currently in place to protect this data?
  - Policies/procedures/agreements
  - Policies regarding leaving laptops in cars, etc.
  - IT measures
  - Secure network
  - Encrypted hard drives and thumb drives
  - Encrypted laptops
- Are the portals secure?
- Is paper secure? What are your destruction policies?
32 Summary: Questions you should ask
- What are your document retention policies?
  - Does policy apply to ESI?
  - Are staff complying with policy?
- Is a crisis response team in place?
  - Security incidents
  - eDiscovery
- Do you have a written crisis/emergency checklist?
33 Summary: Questions you should ask
- Do you already have legal and technical experts familiar with this area and your organization? Don't want to learn during a crisis.
- Do you have insurance coverage? Should you?
35 plantemoran.com Contact Information: Judy Wright, Marvin Sauer