A Case for Review of Your Network Privacy and Security Policies
Recent events have highlighted the vulnerability of almost all digital systems, not to mention paper and analogue systems, in the health care industry. The cyber attacks on several popular retail and online applications shed some light on the vulnerability of the systems as a whole, but attacks or simple non-internet based privacy breaches in health care received very little attention until recently. Cyber breaches at Catholic Health Initiatives (where there were 2 in 2014), Community Health Systems (over 4 million patient records disclosed), LA County, California and the Montana Health Department, and more recently the Anthem breach, have served notice that health care is a prime target of hackers. Not only do many health care related companies and providers maintain detailed protected health information on hundreds to millions of patients/members (for which there is a growing black market), these entities and providers also maintain detailed personal data, financial and other information of patients/members for which there is a market in fraud, theft and marketing. Unfortunately, many health care companies, including hospitals and physician groups, do not maintain up to date policies and procedures related to data and cyber security, or for more traditional forms of improper privacy disclosure. Privacy laws have been on the books in many states for decades and significant federal privacy laws related to health information have been around since However, the focus on digital and network security has been on banking and retail. As a result, the development and implementation of risk management strategies designed to prevent privacy breaches in health care is behind the curve.

The evolution of business, insurance and health care technology, the push by the federal government to make all health care digital (record keeping, access, care management, billing and payment) and new federal and state statutes and regulations have complicated the effort to catch up. Although it is impossible in this format to provide a detailed strategy to address these issues, I can remind all in risk management that a comprehensive strategy involving organizational leadership, legal, compliance, accounting and IT is required to achieve any success in reducing the risk to the organization presented by data and record privacy and security. This is an enterprise obligation; all related and responsible segments of the business must be included to develop, implement, maintain and enforce a compliant response to these legislative initiatives to protect personal data from improper disclosure. Improper disclosure under these laws is, or can be, almost any disclosure of protected information without the patient's consent. The zone of risk is far wider than many people realize. The Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Gramm-Leach-Bliley Act (GLBA) are directed in whole or in part at the health care industry and the records, data and transactions created, maintained and transferred/transmitted by health care entities and providers. With the evolution of technology in business, not only as a matter of efficiency but as required by the Affordable Care Act, a detailed yet workable risk management strategy to prevent the improper disclosure of protected information is now urgently needed.

The statutes extend liability for a breach to the actual owner of the records/data even if the breach was caused by, was the fault of, or resulted from a cyber attack at, a vendor. The United States Department of Health and Human Services (HHS) is primarily responsible for investigation and enforcement of these legislative schemes at the federal level. Interestingly, these laws do not entitle a person whose information is improperly disclosed by any means to sue for damages. The entity is obligated to disclose the breach, notify all possibly impacted and initiate corrective action. HHS does have the ability to fine an entity for improper disclosure, but high profile fines are rare; most fines are under $100,000 and there have been very few that would cause financial hardship to any entity. However, the real cost of a breach is the cost of the investigation, corrective action, disclosure and notification, and the cost of civil litigation based on state laws. These federal laws require health care entities and providers to be proactive and to adopt security measures, policies and procedures (and maintain/enforce them) designed to ensure that healthcare and personal information is not lost, stolen, "hacked", improperly accessed or used, or otherwise inappropriately disclosed. The statutes and the regulations promulgated under them recognize that some entities have a greater exposure and more resources to respond to the risk. Whether an entity has violated the requirements of the statutes depends, in part, on the size and resources of the entity and what the entity has done to comply.
HIPAA and HITECH recognize that a "one size fits all" approach is unrealistic and unworkable, and allow the entity and its vendors flexibility in developing and implementing measures to maintain the privacy and security of health information. This is not a hall pass for a small entity to avoid adopting compliance measures simply because it has limited resources. These laws and regulations are intended to serve as a "floor", or the minimum standard, that every entity and vendor is expected to meet to protect the privacy and security of individuals' healthcare and personal information. All entities are expected to meet the minimum standards. There have been approximately 110,000 breaches reported to and investigated by HHS since There were 3700 in That number was 13,000 in They are expected to top 20,000 per year by Many breaches, as one might imagine, go unreported. Not all breaches must be reported and voluntary reporting is not widespread. Reports are accepted from many sources, including patients and whistleblowers. Breaches come in many sizes and occur under many circumstances; some of them are nefarious, some simply negligent or accidental.

Although the large cyber attacks that make the news are known to the public, the majority of breaches are not at the hands of hackers. Theft of hardware at the hands of external and internal thieves is the primary source of most privacy breaches. The data and records (digital or hard copy) are simply content on the equipment or items that are stolen and are rarely used or even seen. Theft of data by improper access, primarily by employees or vendors, is next. This includes employees not directly involved in patient care looking up information, vendors using records to which they have access for improper purposes, identity theft activities in house, or just blatant gossip and curiosity. Loss of hardware and digital storage devices is next. This includes the laptop, flash drive, PDA, smart phone or tablet left in the cab or on the train, simply lost, mistakenly sold with data still in the memory, or taken or used by children of the owner. In many cases, the devices or hard copy records are never found and what happened to them remains unknown. However, as many personnel who work at hospitals or other medical facilities use their own devices and access the facility's data through them, security is far more complicated than might first be envisioned. Hacking is next, and this can come at the hands of precocious teens and college students, groups like Anonymous, criminal enterprises or foreign governments. These cyber attacks are often through a backdoor created by malware installed on the system by an attachment, a virus uploaded by a vendor, or through access to the system by personal devices. The Anthem and CHS hacks are both believed to have been by way of administrator user names and passwords that were acquired at a time other than the time of the cyber attack. Improper disposal of data and records and improper disclosure are also breaches. There have been recent examples of prominent facilities cited for dumping records in the trash and entities that send bills or other mailings to patients with PHI visible through the envelope window pane. Many doctors' offices and hospital admissions areas (especially in the ED) have had to significantly alter the way they admit patients for care because the open window and loud-mouthed receptionist were violations of HIPAA.

Gossip by employees in the cafeteria between those involved and those not involved in specific patient care can also be a breach. Despite the numbers and the ways a breach can occur, fewer than 1000 of these reported breaches have involved the records of more than 500 patients. As a result, they have been below the radar. HHS, in its investigations, has noted the primary reasons for the disclosures. These include failure to properly safeguard hardware, storage areas and storage devices; the failure to encrypt or employ other security measures, especially on personal mobile devices (including mobile medical devices); the improper use of personal devices; the failure to maintain updated policies related to network, storage and device security; the failure to properly train and discipline employees for violations; the failure to timely discover and disclose violations; and, in last place, the failure to utilize proper external network security or IT protocols. The offenders, by reported breach/violation, are not typically health plans or pharmacies. The majority of all breaches involve private physician offices, ancillary surgical centers, outpatient clinics and hospitals. Many of these breaches can be attributed to a lack of understanding, attention and resources devoted, and the lack of proper policies and procedures to prevent them.
In addition to the noted federal laws, most states, including Florida, have a web of state based data/privacy protections, many of which carry separate fines and allow civil litigation against the entity involved. Forty-seven states and four territories have such laws. Florida has its own health care information privacy protection legislation, including the new Florida Information Protection Act (FIPA). FIPA, which became effective July 1, 2014, expanded the requirements on covered entities that acquire, maintain, store or use personal information of Floridians. The law repealed Florida's prior data breach notification statute, Fl. Stat , and replaced it with Fla. Stat FIPA covers all personal identity information including electronic addresses and passwords, financial information, health records and insurance information. Personal information excludes information already made public or information that is encrypted in some fashion. By definition, all health care providers, facilities and insurance companies would be covered entities. This extends to any entity outside Florida that does business in Florida. Under FIPA the time period to report a breach is 30 days from the time the breach is discovered. If the breach affects 500 or more persons, FIPA requires that notice also be provided to the Florida Department of Legal Affairs. A covered entity subject to federal regulation still may defer to those applicable notice requirements if it provides the requisite notice to the Florida Department of Legal Affairs. If the breach affects 1,000 or more persons, additional notice must be given to all nationwide consumer credit reporting agencies.

A significant difference between the federal laws and FIPA is that no notice is required to affected individuals under FIPA if, after an investigation by the entity and consultation with a law enforcement agency, the entity reasonably determines that no one has suffered or is likely to suffer identity theft or any other financial harm. The basis for such a determination is vague; exactly how that is to be determined is unknown, and the statute is ripe for litigation. Further, those breaches which require disclosure under HIPAA/HITECH would require compliance with federal, not state, law. Any entity which, in reliance on the statute, decides not to advise those whose information has been improperly disclosed is walking on thin ice. Vendors and third-party agents that maintain a security system for covered entities and that suffer a data breach have only 10 days under FIPA to report a breach to the impacted entity. That notice then becomes the discovery date for the entity to comply with its obligations. It is still the obligation of the owner of the data/records to comply. FIPA requires the entities to use all reasonable measures to ensure proper disposal of records and data. This extends to the hard drives on office machines, the information contained on mobile medical devices and, where used for business purposes, the information stored on personal devices. FIPA, unlike many state statutes related to privacy and security of health related information, does not create a private cause of action. FIPA authorizes the state to bring an enforcement action and to fine the offending entity up to $500,000. This does NOT mean that those adversely impacted by an improper disclosure cannot sue under other provisions of Florida law. FIPA does not usurp, but is in addition to, the federal laws discussed above. Where those federal laws are more comprehensive or establish greater obligations, the federal law will pre-empt FIPA.

Although far too detailed for a full discussion here, there are a number of steps risk managers can take to help ensure compliance with these legislative schemes, to reduce the risk associated with an improper disclosure and to lessen the financial impact of a breach. First, the risk management department (RMD) must work with the C-Suite, legal department, compliance, medical, billing and acquisitions/contracting departments to develop a workable plan. Security of this type is a weakest-link-in-the-chain process. If the entity takes all necessary steps, then contracts with a vendor which is not as vigilant or doesn't carry proper insurance for a breach, the devised system is worthless. If all hardware and personal devices are secured, and a staff doctor accesses the system through an infected personal device, the system is worthless. If an employee takes home data to work on reports in an insecure format and the laptop or flash drive is lost or stolen, the system is worthless. All moving parts must be involved. Second, finance, the RMD, CFO or others associated with risk transfer need to investigate advanced and cost-efficient methods of risk financing through insurance or other vehicles to assist with the financial impact of data protection and network privacy and security. There are a number of insurance products available in the market, from stand-alone cyber policies to limited protections inside professional liability, errors and omissions or general liability policies, which can address the impact of disclosure, notification, civil liability and investigative expenses. What is best for any given office or entity is a matter of analytics, risk tolerance, assets/resources, policy language, etc.
Third, acquisitions/contracting and the legal department (or external counsel if there is none) must build into vendor contracts indemnification, insurance and compliance criteria to help protect the entity from the failures of any vendor. This, given the service being acquired, is a scaled requirement. Allowing vendors whose actions can create huge risk for the entity to work with the entity without the necessary protections is an unnecessary risk. Contract language requiring the vendors to meet certain minimum security standards before being awarded the contract, having them maintain that level of security, carry necessary amounts of specific insurance coverage with a highly rated carrier and include the entity as an additional named insured should all be evaluated. Indemnification clauses are a necessity, but they are no substitute for high industry standards and proper insurance. For leasing contracts (office, phone/tablet and medical equipment) this must include either destroying or cleaning all hard drives before the equipment is replaced or returned. Business Associate agreements should be updated to meet the requirements of the entity and the latest revisions and regulations under all applicable federal and state legislation. Fourth, the entity must develop strict hardware and software security protocols that cannot be altered or overridden. Maintaining up to date self-executing security software, encryption, rotating passwords, limited access by department/personnel, limited access to hardware and other protocols is a must. These policies must be extended to all staff (physician and non-physician), employed or not, and any external but related business entities like parent companies, owned health plans, medical education entities and staff, etc. These policies and procedures must be updated far more often than standard policies and procedures. The technology and digitization of health care is moving far too quickly to look at the policies only annually. The entity must also develop strict use, storage and disposal policies to limit access and secure storage sites in house or off site (in the cloud, whatever that is). Fifth, education and training is required. This must be a priority despite its cost in terms of time and resources. All employed and staff personnel must be taught what is and is not permissible, when and how they can access data, for what purpose, the limitations on the use of personal devices, etc. They must be taught how to report and how to handle any suspected breach. This includes all departments, from the C-Suite to the janitorial staff. Again, it's the weakest link that must be upgraded and walled off as much as possible. Sixth, distinct IT protocols should be identified to regularly review systems for any possible breach, malware or virus, to ensure passwords are being altered, and that hardware and software is being upgraded and protected. Seventh, the RMD should have on hand all requirements related to investigation, disclosure, notification and any other agreed upon responses to any suspected breach or improper disclosure so that fast implementation of the protocol can be effectuated, something that may prevent much of the financial impact of a breach. It is, indeed, time for all health care entities to evaluate their policies and procedures related to data protection from all perspectives.

Unfortunately, it's not a matter of if, but when, your organization will be the site of a breach or improper disclosure of protected information. Reducing the size, scope and impact of a breach and preventing it from happening again are all within the purview of the risk manager. No matter the size of the organization, all moving parts must be included, the policies and procedures must be properly drafted, taught and updated, and all possible measures taken to insulate the organization from the financial impact of a breach. This is time consuming and can be a difficult and expensive process. However, failure to do what is necessary will expose the organization to the costs associated with investigation, disclosure, notification, remediation, fines and civil liability.

Kenneth White, J.D.
Willis Group - Health Care Practice
National Managed Care Practice Leader
HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance
More informationHIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013
Office of the Secretary Office for Civil Rights () HIPAA Enforcement Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services December 18, 2013 Presentation Overview s investigative
More informationThe potential legal consequences of a personal data breach
The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.
More informationEnforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance
Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin
More informationHow To Understand And Understand The Benefits Of A Health Insurance Risk Assessment
4547 The Case For HIPAA Risk Assessment Leader s Guide IMPORTANT INFORMATION FOR EDUCATION COORDINATORS & PROGRAM FACILITATORS PLEASE NOTE: In order for this program to meet Florida course requirements,
More informationStandard: Information Security Incident Management
Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP
More informationHIPAA Privacy & Breach Notification Training for System Administration Business Associates
HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,
More informationGALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability
GALLAGHER CYBER LIABILITY PRACTICE Tailored Solutions for Cyber Liability and Professional Liability Are you exposed to cyber risk? Like nearly every other business, you have probably capitalized on the
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationData Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked
Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Linda Vincent, R.N., P.I., CITRMS Vincent & Associates Founder The Identity Advocate San Pedro, California The opinions expressed
More informationHIPAA 101. March 18, 2015 Webinar
HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses
More informationPatient Privacy and HIPAA/HITECH
Patient Privacy and HIPAA/HITECH What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Implemented in 2003 Title II Administrative Simplification It s a federal law HIPAA is mandatory,
More informationHIPAA Compliance: Efficient Tools to Follow the Rules
Bank of America Merrill Lynch White Paper HIPAA Compliance: Efficient Tools to Follow the Rules Executive summary Contents The stakes have never been higher for compliance with the Health Insurance Portability
More informationHOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group
HOW TO REALLY IMPLEMENT HIPAA Presented by: Melissa Skaggs Provider Resources Group WHAT IS HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104 191, 110 Stat. 1936,
More informationGeneral HIPAA Implementation FAQ
General HIPAA Implementation FAQ What is HIPAA? Signed into law in August 1996, the Health Insurance Portability and Accountability Act ( HIPAA ) was created to provide better access to health insurance,
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationThe Dish on Data and Disks HIPAAPrivacy and Security Breach Developments. Robin B. Campbell Ethan P. Schulman Jennifer S. Romano
The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments Robin B. Campbell Ethan P. Schulman Jennifer S. Romano HIPAAPrivacy and Security Breach Overview of the Laws Developments Incident
More informationOCR UPDATE Breach Notification Rule & Business Associates (BA)
OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the
More informationThe Basics of HIPAA Privacy and Security and HITECH
The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is
More informationData breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd
Data breach, cyber and privacy risks Brian Wright Lloyd Wright Consultants Ltd Contents Data definitions and facts Understanding how a breach occurs How insurance can help to manage potential exposures
More informationHealth Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection
More informationBy Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN
Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the
More informationUnderstanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
More informationWhite Paper #6. Privacy and Security
The Complexity of America s Health Care Industry White Paper #6 Privacy and Security www.nextwavehealthadvisors.com 2015 Next Wave Health Advisors and Lynn Harold Vogel, Ph.D. The Complexity of America
More informationPresented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com
Healthcare Compliance: How HiTECH May Affect Relationships with Business Associates Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Legal Disclaimer This information
More informationBusiness Associates and HIPAA
Business Associates and HIPAA What BAs need to know to comply with HIPAA privacy and security rules by Dom Nicastro White paper The lax days of complying with privacy and security laws are over for business
More informationCybersecurity: Emerging Exposures for Technology Companies. October 7, 2010
Cybersecurity: Emerging Exposures for Technology Companies October 7, 2010 Your panelists David Allred, Head of the Technology Segment for North America Commercial at Zurich Liesyl Franz, Vice President
More informationCyber Exposure for Credit Unions
Cyber Exposure for Credit Unions What it is and how to protect yourself L O C K T O N 2 0 1 2 www.lockton.com Add Cyber Title Exposure Here Overview #1 financial risk for Credit Unions Average cost of
More informationInsurance Considerations Related to Data Security and Breach in Outsourcing Agreements
Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements Greater New York Chapter Association of Corporate Counsel November 19, 2015 Stephen D. Becker, Executive Vice President
More informationCyber Risks in Italian market
Cyber Risks in Italian market Milano, 01.10.2014 Forum Ri&Assicurativo Gianmarco Capannini Agenda 1 Cyber Risk - USA 2 Cyber Risk Europe experience trends Market size and trends Market size and trends
More informationProactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID
Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation By Marc Ostryniec, vice president, CSID The increase in volume, severity, publicity and fallout of recent data breaches
More informationThis presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in
This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American
More informationHIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014
HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors
More informationHITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationEasing the Burden of Healthcare Compliance
Easing the Burden of Healthcare Compliance In This Paper Federal laws require that healthcare organizations that suspect a breach of sensitive data launch an investigation into the matter For many mid-sized
More informationWHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR
KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST Protecting Identities. Enhancing Reputations. IDT911 1 DATA BREACHES AND SUBSEQUENT IDENTITY THEFT AND FRAUD THREATEN YOUR ORGANIZATION
More informationUpdated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview
Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP A Note discussing written information security programs (WISPs)
More informationIAPP Practical Privacy Series. Data Breach Hypothetical
IAPP Practical Privacy Series Data Breach Hypothetical Presented by: Jennifer L. Rathburn, Partner, Quarles & Brady LLP Frances Wiet, CPO and Assistant General Counsel, Takeda Pharmaceuticals U.S.A., Inc.
More information2014 Core Training 1
2014 Core Training 1 Course Agenda Review of Key Privacy Laws/Regulations: Federal HIPAA/HITECH regulations State privacy laws Privacy & Security Policies & Procedures Huntsville Hospital Health System
More informationMedicare Advantage and Part D Fraud, Waste, and Abuse Training. October 2010
Medicare Advantage and Part D Fraud, Waste, and Abuse Training October 2010 Introduction 2008: United States spent $2.3 trillion on health care. Federal fiscal year 2010: Medicare expected to cover an
More informationYOUR HIPAA RISK ANALYSIS IN FIVE STEPS
Ebook YOUR HIPAA RISK ANALYSIS IN FIVE STEPS A HOW-TO GUIDE FOR YOUR HIPAA RISK ANALYSIS AND MANAGEMENT PLAN 2015 SecurityMetrics YOUR HIPAA RISK ANALYSIS IN FIVE STEPS 1 YOUR HIPAA RISK ANALYSIS IN FIVE
More informationThe Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training
The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training Introduction The HIPAA Security Rule specifically requires training of all members of the workforce.
More informationWhitepaper. Best Practices for Securing Your Backup Data. BOSaNOVA Phone: 866-865-5250 Email: info@theq3.com Web: www.theq3.com
Whitepaper Best Practices for Securing Your Backup Data BOSaNOVA Phone: 866-865-5250 Email: info@theq3.com Web: www.theq3.com DATA PROTECTION CHALLENGE Encryption, the process of scrambling information
More informationHIPAA compliance audit: Lessons learned apply to dental practices
HIPAA compliance audit: Lessons learned apply to dental practices Executive summary In 2013, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Omnibus Rule put healthcare providers
More informationThe Matrix Reloaded: Cybersecurity and Data Protection for Employers. Jodi D. Taylor
The Matrix Reloaded: Cybersecurity and Data Protection for Employers Jodi D. Taylor Why Talk About This Now? Landscape is changing Enforcement by federal and state governments on the rise Legislation on
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer
ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING By: Jerry Jackson Compliance and Privacy Officer 1 1 Introduction Welcome to Privacy and Security Training course. This course will help you
More informationHIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS
HIPAA Policy, Protection, and Pitfalls Overview HIPAA Privacy Basics What s covered by HIPAA privacy rules, and what isn t? Interlude on the Hands-Off Group Health Plan When does this exception apply,
More information