DeMISTifying Deidentification of PHI in Free-formatted Text
- Lenard Perry
- 8 years ago
Transcription
Slide 1: DeMISTifying Deidentification of PHI in Free-formatted Text
Cathy Petrozzino, March 2016
Approved for Public Release; Distribution Unlimited. Case Number
The MITRE Corporation. All rights reserved.
Slide 2: Overview
- Introduction
- Tool rationale
- MITRE Identification Scrubber Toolkit (MIST)
- Use Case 1: Deidentification
- Hiding in Plain Sight
- Use Case 2: Identification of PHI in e-mail
- Privacy Risk Identification and Management Engine (PRIME)
Slide 3: MITRE
We are a not-for-profit public interest company, working with industry and academia to advance and apply science, technology, systems engineering, and strategy, enabling government and the private sector to make better decisions and implement (publicly available) solutions to complex challenges of national and global significance, including in the areas of natural language processing, privacy, and cybersecurity.
Slide 4: Open Source MITRE Identification Scrubber Toolkit (MIST)
Slide 5: Use Case #1: Research
- Doctor's notes: research involving free-formatted text, a treasure trove of information
- How to disclose free-formatted text to external researchers? Take advantage of linguistics experts; mitigate the hurdles and risk of sharing PHI
- How to mine while respecting patient privacy?
- Solution: de-identify Protected Health Information (PHI) identifiers
Slide 6: PHI in Free-Formatted Text: De-Identification Challenge
Start with a known PHI object, locate the PHI elements, and de-identify.
Sample PHI objects: doctors' notes, discharge summaries, letters.
Sample text:
HISTORY OF PRESENT ILLNESS: The patient is a 77-year-old-woman with long standing hypertension who presented as a walk-in to me at the Sun Hill Medical Center on August 12th. Recently had been started q.o.d. on Clonidine since June 8th to taper off of the drug. Was told to start Zestril 20 mg. q.d. again. Patient sent to Jones Cardiac Unit for direct admission for cardioversion and anticoagulation, with the Cardiologist, Dr. Pearson to follow.
Slide 7: Today's Products
- Consumer Off the Shelf (COTS) de-identification tools: while some are standalone, many are components of larger, expensive data and network management tools
- For unstructured data, identification tends to rely on brute-force keywords and regular expressions: lists of names and hand-crafted patterns requiring skilled developers ($$$$)
- There is no solution that is 100% foolproof, including manual de-identification.
Slide 8: MIST: Training a De-identification System
Tag-A-Little, Learn-A-Little (TALLAL) methodology, as a cycle:
- Mark PHI by hand in initial documents
- Train a model from the initial documents
- Mark PHI automatically in more documents using the model
- Hand-correct the automatically marked documents
- Train a (better) model from the (more) documents, and repeat
- Redact or resynthesize the marked documents
Slide 9: MIST: Training a De-identification System
Step 1: find the identifiers. Step 2: transform the identifiers.
The slide overlays three versions of each tagged span in the sample note: the original, a resynthesized replacement, and a redaction placeholder (shown here separated by slashes).
HISTORY OF PRESENT ILLNESS: The patient is a 77-year-old-woman with long standing hypertension who presented as a walk-in to me at the [HOSPITAL Sun Hill Medical Center / Oak Valley Health Center / AA BB CC DD] on [DATE August 12th / July 9th / YY]. Recently had been started q.o.d. on Clonidine since [DATE June 8th / May 5th / ZZ] to taper off of the drug. Was told to start Zestril 20 mg. q.d. again. The patient was sent to the [HOSPITAL Jones Cardiac Unit / Smith Cardiac Unit / EE FF GG] for direct admission for cardioversion and anticoagulation, with the Cardiologist, Dr. [DOCTOR Pearson / Faulkner / HH] to follow.
Slide 10: DeMISTifying Deidentification Study
- 8 hours of marking (training) data: narrative from patient records
- 95% accurate as a measure of precision (false positives) and recall (false negatives); (favorably) comparable to manual reviews
The MIST results:
- Top score in the first i2b2 De-identification Challenge Evaluation
- Used to de-identify medical records by hospitals
- Has led to numerous collaborations on MITRE projects
- Rapidly portable and adaptable to other domains
- The MIST TALLAL approach works well for a large corpus
- Precision/recall tradeoff can be adjusted
Slide 11: How Good is Manual De-id by Humans?
[Chart: counts of overlooked PHI (# leaked PHI instances, y-axis 0 to 120) for individuals, pairs of reviewers, and trios of reviewers, compared with MIST (single model).]
In 100 Family Practice notes containing 1,093 PHI instances, reviewed by individuals, pairs of reviewers, and trios of reviewers.
From: "Is the Juice Worth the Squeeze? Costs and Benefits of Multiple Human Annotators for Clinical Text De-identification." D. S. Carrell, D. J. Cronkite, B. A. Malin, J. S. Aberdeen, L. Hirschman; submitted to Methods of Information in Medicine.
Slide 12: DeMISTifying Deidentification On Steroids: Hiding in Plain Sight (HIPS)* Research
Resynthesis:
HISTORY OF PRESENT ILLNESS: The patient is a 77-year-old-woman with long standing hypertension who presented as a walk-in to me at the Sun Hill Medical Center on August 12th. Recently had been started q.o.d. on Clonidine since June 8th to taper off of the drug. Was told to start Zestril 20 mg. q.d. again. Patient sent to Jones Cardiac Unit for direct admission for cardioversion and anticoagulation, with the Cardiologist, Dr. Pearson to follow.
HIPS principles:
- Hypothesis: with good resynthesis, it can be nearly impossible to detect leaked PHI, whether manually or by data-mining attackers.
- Initial research results: good resynthesis reduced the detection of PHI leaks by, in the worst case, an additional 85%. Additional testing with larger sample sizes is necessary to validate.
*HIPS is a collaborative research effort among GroupHealth, Vanderbilt, and MITRE.
Slide 13: Use Case #2: Identifying PHI in Free-Formatted Text
Dr. Famous and his Laptop (1)
- Loss of control over an unencrypted laptop which contains e-mail that may have protected health information (PHI); a back-up is available
- Need to establish the extent of PHI content in the e-mail for the Health Information Portability and Accountability Act (HIPAA)
- Solution: intensive manual review ($$$$$$)
Research seedling: is there a possibility MIST can facilitate PHI discovery in e-mail?
1. Tagging and modeling: can MIST successfully tag PHI identifiers in e-mail and be trained to model e-mail tagging?
2. If step 1 is successful, identify prospective next steps for re-purposing MIST as an identification tool for locating PHI in e-mail
(1) Halamka, Dr. John D., "Surviving the Cybersecurity Cold War: A CIO's Practical Guide for Risk Management," slide 1
Slide 14: Problem Scope: Compromised Assets
HIPAA: 700,000 covered entity providers under HIPAA (1)
Breaches, per the 2012 Ponemon Institute study (2) on provider breaches:
- 94% of healthcare organizations had at least one breach in the prior 2 years
- 45% had more than 5 breaches in the prior 2 years
- 46% of breaches were caused by a lost or stolen computing device
Connectivity:
- 81% of organizations permit employees and medical staff to use their own personal mobile devices to connect to their networks or enterprise systems (such as e-mail)
- Enterprise data-at-rest encryption solutions offer partial risk mitigation
(1) Department of Health and Human Services, 45 CFR Parts 160 and 164, Federal Register, Vol. 78, No. 17, Part II, January 25, 2013
(2) Ponemon Institute Research Report, Third Annual Benchmark Study on Patient Privacy and Data Security, Dec 2012
Slide 15: Problem Creep
Identifying other types of sensitive data in compromised assets:
- Sensitive personally identifiable information (PII) such as financial information (as per Gramm-Leach-Bliley)
- PII defined in state consumer protection and/or breach notification laws
- Proprietary data, Sensitive but Unclassified (SBU), etc.
Loss of control over a device with potentially multiple sources of sensitive unstructured data; risk assessment requires reconstructing the contents of the device:
- Backups
- Information on application servers (e-mail, SharePoint, database, etc.)
Slide 16: The Challenge of PHI Discovery
Protected Health Information is:
- Created or received by a covered entity, AND
- Identifies an individual (or is identifiable), i.e., contains PHI identifiers, AND
- Relates to the individual's past, present, or future physical or mental health, the provision of health care for the individual, or payment
HIPAA de-identification is governed by a safe-harbor standard: 17 fields plus a catch-all of PHI identifiers.
PHI identification in e-mail with MIST is different from the narrative, clinical-note domain: structure, context, and a mix of text and control characters.
Slide 17: MIST PHI Identification Results
Based on one run:
- Precision (fraction of identified terms that were relevant) =
- Recall (fraction of relevant terms that were identified) =
- F-measure = 2 × (precision × recall) / (precision + recall) =
Additional modeling:
- Precision:
- Recall:
- F-measure = 2 × (precision × recall) / (precision + recall) = (was 0.736)
Given (many) constraints, MIST performance was (very) encouraging for processing e-mail.
Opportunity for significant improvement with an enhanced tag set and e-mail-aware blocking software.
Additional hours/dollars are needed for a product-ready solution.
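An added example, not MIST's own code, in Python (the language MIST is written in), covering the two steps on slide 9 and the scoring on slide 17: it parses bracket-tagged PHI spans, scores a system marking against a gold marking with exact-match precision, recall and F-measure, and applies either redaction or resynthesis. The sample note is constructed from the slide text, and the resynthesis table and the system's errors (one missed date, one drug name mis-tagged as a doctor) are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Bracketed MIST-style annotation, e.g. "[HOSPITAL Sun Hill Medical Center]".
TAG_RE = re.compile(r"\[(?P<kind>[A-Z]+) (?P<text>[^\]]+)\]")


@dataclass(frozen=True)
class Span:
    kind: str    # PHI category: HOSPITAL, DATE, DOCTOR, ...
    start: int   # character offsets into the untagged (plain) note
    end: int
    text: str


def parse_tagged(tagged: str) -> Tuple[str, List[Span]]:
    """Step 1 output: strip the bracket tags, return the plain note and its spans."""
    plain_parts: List[str] = []
    spans: List[Span] = []
    pos = 0        # cursor in the tagged string
    out_len = 0    # length of plain text emitted so far
    for m in TAG_RE.finditer(tagged):
        plain_parts.append(tagged[pos:m.start()])
        out_len += m.start() - pos
        text = m.group("text")
        spans.append(Span(m.group("kind"), out_len, out_len + len(text), text))
        plain_parts.append(text)
        out_len += len(text)
        pos = m.end()
    plain_parts.append(tagged[pos:])
    return "".join(plain_parts), spans


def evaluate(gold: List[Span], system: List[Span]) -> Tuple[float, float, float]:
    """Exact-match span scoring: a hit needs the same category and the same offsets."""
    gold_set = {(s.kind, s.start, s.end) for s in gold}
    sys_set = {(s.kind, s.start, s.end) for s in system}
    tp = len(gold_set & sys_set)
    fp = len(sys_set - gold_set)   # identified but not relevant (false positives)
    fn = len(gold_set - sys_set)   # relevant but not identified (false negatives)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f_measure = (2 * precision * recall / (precision + recall)
                 if precision + recall else 0.0)
    return precision, recall, f_measure


def transform(plain: str, spans: List[Span], replacer: Callable[[Span], str]) -> str:
    """Step 2: rewrite tagged spans right-to-left so earlier offsets stay valid."""
    out = plain
    for s in sorted(spans, key=lambda s: s.start, reverse=True):
        out = out[:s.start] + replacer(s) + out[s.end:]
    return out


def redact(span: Span) -> str:
    """Redaction: replace the identifier with its category placeholder."""
    return f"[{span.kind}]"


# Constructed resynthesis table (the slide's "Oak Valley Health Center", "July 9th", ...);
# a real system generates believable surrogates rather than looking them up.
RESYNTH = {
    "Sun Hill Medical Center": "Oak Valley Health Center",
    "August 12th": "July 9th",
    "June 8th": "May 5th",
    "Jones Cardiac Unit": "Smith Cardiac Unit",
    "Pearson": "Faulkner",
}


def resynthesize(span: Span) -> str:
    """Resynthesis: swap in a same-category surrogate; fall back to redaction."""
    return RESYNTH.get(span.text, redact(span))


# Constructed sample: the slide's note with hand-marked (gold) PHI ...
GOLD = (
    "HISTORY OF PRESENT ILLNESS: The patient is a 77-year-old woman with long standing "
    "hypertension who presented as a walk-in to me at the [HOSPITAL Sun Hill Medical Center] "
    "on [DATE August 12th]. Recently had been started q.o.d. on Clonidine since [DATE June 8th] "
    "to taper off of the drug. Was told to start Zestril 20 mg. q.d. again. Patient sent to "
    "[HOSPITAL Jones Cardiac Unit] for direct admission for cardioversion and anticoagulation, "
    "with the Cardiologist, Dr. [DOCTOR Pearson] to follow."
)
# ... and a hypothetical model output that misses one date and tags a drug name as a doctor.
SYSTEM = GOLD.replace("[DATE June 8th]", "June 8th").replace("start Zestril", "start [DOCTOR Zestril]")


def score_sample() -> Tuple[float, float, float]:
    """Score the hypothetical model output against the gold marking (4 hits, 1 FP, 1 FN)."""
    gold_plain, gold_spans = parse_tagged(GOLD)
    sys_plain, sys_spans = parse_tagged(SYSTEM)
    assert gold_plain == sys_plain, "offsets are only comparable on identical plain text"
    return evaluate(gold_spans, sys_spans)


if __name__ == "__main__":
    p, r, f = score_sample()
    print(f"precision={p:.3f} recall={r:.3f} f-measure={f:.3f}")
    plain, spans = parse_tagged(GOLD)
    print(transform(plain, spans, redact))
    print(transform(plain, spans, resynthesize))
```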
Slide 18: Privacy Risk Management Automated Tool
Automated tools to support data-associated risk management:
- PHI de-identification of doctor's notes
- Hiding in Plain Sight: resynthesis of believable fake data
- Tailorable (TALLAL) tool at the ready for assessing leakage of {PHI, PII, proprietary information, sensitive information, ...} in free-formatted text (e.g., e-mail)?
How about a tailorable automated tool that supports privacy risk management?
Slide 19: What is MITRE's Privacy Risk Identification and Management Engine ((P)RIME*)?
RIME is a foundation for organizations to normalize and manage risk:
- The organization defines its RIME-hosted instance
- Web front-end with database backend
RIME provides engines for:
- Risk managers: risk metrics, dashboards, automated compliance document generation, risk management (raw vs. residual risk)
- PII owners (business application, program, system): dynamic questionnaires, cursor-sensitive as-needed help, immediate risk feedback
* (P)RIME: initially designed with privacy as the risk focus
Slide 20: Risk Identification and Management Engine
[Architecture diagram of RIME; its labelled elements are:]
- Web front-end: context-dependent questions, cursor-sensitive help, dashboard
- Engines: dynamic questionnaire processing, risk analysis, dashboard generation, risk management document creation
- Database: data-rich completed questionnaires, query results, dashboard contents
- Organizationally-defined elements (key: defined by the organization): questionnaire templates, risk areas & priorities, risk mitigation suggestions, document templates, access control
- Outputs: risk identification, priority and metrics; (compliance) document generation, e.g., Privacy Impact Assessments (PIAs) and Privacy Threshold Assessments (PTAs)
- User-facing artifacts and management-facing artifacts
Slide 21: [P]RIME Big Ideas
1. Move away from Word, etc., documents as the risk tool
2. Separate data gathering from risk analysis and [compliance or other] document generation: eliminate redundancies (and wasted time), reduce inconsistencies
3. Push privacy SME-ness to PII owners
4. Covert, timely awareness by making privacy risk more explicit: empower risk managers with risk metrics and tools; inject discipline and consistency
Slide 22: P[RIME] Demo
- Functionality is real
- Production use
- Ready for transfer to sponsor and to industry
- For optimal results, MITRE should assist with the initial instantiation effort
Instantiation examples:
- Traditional PIA, breach, inventory support
- Down-select from a complete set of possible risk issues
- Automated requirements/testing support
Slide 23: MIST, HIPS, PRIME, and other Privacy or Cybersecurity Tools
For more information, please contact Cathy Petrozzino at
What do you need to know? DISCLAIMER Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH act developments. It is not intended, nor should it be used,
More informationAn examination of information security issues, methods and securing data with LTO-4 tape drive encryption Introduction
Silverton Consulting, Inc. StorInt Briefing An examination of information security issues, methods and securing data with LTO-4 tape drive encryption Introduction Each month many companies, big or small,
More informationHIPAA ephi Security Guidance for Researchers
What is ephi? ephi stands for Electronic Protected Health Information (PHI). It is any PHI that is stored, accessed, transmitted or received electronically. 1 PHI under HIPAA means any information that
More informationManaging data security and privacy risk of third-party vendors
Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected
More informationCoventry Privacy and Security. Protecting Everyone s Privacy
Coventry Privacy and Security Protecting Everyone s Privacy Module Purpose Consider this scenario: A large hospital intended to have outdated patient files securely destroyed. An employee decided to save
More informationHIPAA Basics for Clinical Research
HIPAA Basics for Clinical Research Audio options: Built-in audio on your computer OR Separate audio dial-in: 415-930-5229 Toll-free: 1-877-309-2074 Access Code: 960-353-248 Audio PIN: Shown after joining
More informationThe Basics of HIPAA Privacy and Security and HITECH
The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is
More informationData Breach Strikes - Nerds & Geeks Unite: Effective Cooperation Between Privacy and Technical Experts Presented by: Paul H. Luehr, Managing Dir.
Data Breach Strikes - Nerds & Geeks Unite: Effective Cooperation Between Privacy and Technical Experts Presented by: Paul H. Luehr, Managing Dir. Stroz Friedberg Gerard M. Stegmaier, Esq. Wilson Sonsini
More informationAssessment Process. 2013 HITRUST, Frisco, TX. All Rights Reserved.
Assessment Process Assessment Process Define Scope The assessment scope gives context to the security controls and those organizations and individuals relying on the results Organization scope defines
More informationITS Policy Library. 11.06 - Device Encryption. Information Technologies & Services
ITS Policy Library 11.06 - Device Encryption Information Technologies & Services Responsible Executive: Chief Information Officer, WCMC Original Issued: July 15, 2008 Last Updated: November 21, 2014 POLICY
More informationCYBERSECURITY IN HEALTHCARE: A TIME TO ACT
share: TM CYBERSECURITY IN HEALTHCARE: A TIME TO ACT Why healthcare is especially vulnerable to cyberattacks, and how it can protect data and mitigate risk At a time of well-publicized incidents of cybersecurity
More informationIDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240
IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance
More informationAppendix A: Rules of Behavior for VA Employees
Appendix A: Rules of Behavior for VA Employees Department of Veterans Affairs (VA) National Rules of Behavior 1 Background a) Section 5723(b)(12) of title 38, United States Code, requires the Assistant
More informationCyber Liability. Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group 877-337-3200 Ext. 7029
Cyber Liability Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group 877-337-3200 Ext. 7029 Today s Agenda What is Cyber Liability? What are the exposures? Reality of a
More informationCyber Security Metrics Dashboards & Analytics
Cyber Security Metrics Dashboards & Analytics Feb, 2014 Robert J. Michalsky Principal, Cyber Security NJVC, LLC Proprietary Data UNCLASSIFIED Agenda Healthcare Sector Threats Recent History Security Metrics
More informationThird-Party Cybersecurity and Data Loss Prevention
Third-Party Cybersecurity and Data Loss Prevention SESSION ID: DSP-W04A Brad Keller Sr. Vice President Santa Fe Group Jonathan Dambrot, CISSP CEO, Co-Founder Prevalent Networks 3rd Party Risk Management
More informationData and Analysis. Informatics 1 School of Informatics, University of Edinburgh. Part III Unstructured Data. Ian Stark. Staff-Student Liaison Meeting
Inf1-DA 2010 2011 III: 1 / 89 Informatics 1 School of Informatics, University of Edinburgh Data and Analysis Part III Unstructured Data Ian Stark February 2011 Inf1-DA 2010 2011 III: 2 / 89 Part III Unstructured
More informationHealth Homes Implementation Series: NYeC Privacy and Security Toolkit. 16 February 2012
Health Homes Implementation Series: NYeC Privacy and Security Toolkit 16 February 2012 1 Agenda What are the New York ehealth Collaborative (NYeC) and the Regional Extension Center? What are Health Homes?
More informationCLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013
CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE October 2, 2013 By: Diane M. Gorrow Soule, Leslie, Kidder, Sayward & Loughman, P.L.L.C. 220 Main Street
More informationMetrics that Matter Security Risk Analytics
Metrics that Matter Security Risk Analytics Rich Skinner, CISSP Director Security Risk Analytics & Big Data Brinqa rskinner@brinqa.com April 1 st, 2014. Agenda Challenges in Enterprise Security, Risk
More informationSAP/PHEMI Big Data Warehouse and the Transformation to Value-Based Health Care
PHEMI Health Systems Process Automation and Big Data Warehouse http://www.phemi.com SAP/PHEMI Big Data Warehouse and the Transformation to Value-Based Health Care Bringing Privacy and Performance to Big
More informationWhite Paper #6. Privacy and Security
The Complexity of America s Health Care Industry White Paper #6 Privacy and Security www.nextwavehealthadvisors.com 2015 Next Wave Health Advisors and Lynn Harold Vogel, Ph.D. The Complexity of America
More informationHealthcare IT Compliance Service. Services > Overview MaaS360 Healthcare IT Compliance Service
Services > Overview MaaS360 Ensure Technical Safeguards for EPHI are Working Monitor firewalls, anti-virus packages, data encryption solutions, VPN clients and other security applications to ensure that
More information