Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA
February 13, 2015
Katherine M. Layman, Cozen O'Connor, 1900 Market Street, Philadelphia, PA 19103, (215) 665-2746, klayman@cozen.com

HIPAA: Health Insurance Portability and Accountability Act of 1996
HIPAA Issues
- Adopted consumer privacy protections and safeguards for security of protected health information ("PHI") through detailed rulemaking.

HITECH: Health Information Technology for Economic and Clinical Health Act of 2009
- Amended HIPAA
- Breach notification
- Business associates subject to HIPAA
- Strengthened enforcement tools and fines
- Omnibus regulation: generally effective Sept. 2013

Who Is Subject To HIPAA
Covered Entities (CEs)
- Providers
- Insurers and health plans
- Health care clearinghouses
Business Associates (BAs)
- Entity that performs services for (e.g., lawyers, accountants) or on behalf of (e.g., cloud provider, data storage company) a CE
- Includes subcontractors
- Relationship of CE and BA is key
  - Agency

Enforcement
Office of Civil Rights of HHS
- $7.5M in settlements in 2014
- Large and small CEs; also BAs in 2015
- Most result from reported breaches
- Onerous Corrective Action Plans
- Risk Assessments are key
- Encryption: de facto now a requirement
FTC: Scope of jurisdiction being tested
2015 OIG Work Plan
- Will audit CEs receiving EHR incentive payments and their BAs

State Laws
Breach Notification
- Required for breach of personal information (PI)
- PI generally includes name plus SSN, credit card number, or driver's license number
- Essence is identity theft
- 47 states have breach notification laws (not SD, AL, NM)
- Federal law likely to be enacted
Data Protection
- CA, CT, MD, MA, and OR mandate some kind of comprehensive security program
- Extending this requirement to downstream service providers

Security Standards: HIPAA
- Sets national standards for protecting PHI held or transferred in electronic form: physical, administrative and technical safeguards
- CE must:
  - Ensure confidentiality, integrity and availability of e-PHI it creates, receives, maintains or stores
  - Identify and protect against reasonably anticipated threats
  - Protect against reasonably anticipated impermissible uses or disclosures
  - Ensure workforce compliance
- Scalability

Security Standards for Cloud Computing: CMS
CMS/CISO Memorandum 14-02: CMS Cloud Computing and Federal Risk and Authorization Management Program Guidance (July 10, 2014)
- Explains the Federal Risk and Authorization Management Program (FedRAMP) to CMS components
- Provides contract language
- Incorporates HIPAA requirements where applicable

Strategies for Dealing with Cloud
- Don't use Cloud
  - Large entities may prefer to control PHI and have resources to do so (fewer companies taking this route)
- Use Private Cloud: exclusive use
- Outsourcing Contract

Strategies for Dealing with Cloud (Cont'd)
- Due diligence
  - Has a third-party assessment been done?
  - Check for frequency of risk analyses and detail about most recent risk analysis
  - Check details of controls (e.g., encryption; who has the key)
  - Health Care Cloud Coalition (HC3) Security Assessment Tool
- BAAs

Contracting Issues
- Cloud providers of CEs should be considered BAs
  - OCR has sent mixed messages about this issue, but best practice is to treat a cloud provider as a BA
- Will CE be liable for HIPAA violations of BA?
  - CE is responsible for its own HIPAA compliance
  - Agency is key
  - No guarantees that a BA is not an agent
- Terms of BAA are non-negotiable; BA must agree to CE terms or not do business

Contracting Issues (Cont'd)
- Better off signing a BAA as it gives CE control over terms
- Does state law preempt HIPAA? Ex: MN & CA
  - Highly confidential information (e.g., mental health)
- Where is data stored? Is any data stored offshore/internationally?
- What if the entity storing information on the cloud is not a CE?

Outsourcing Contract Provisions
- Security Requirements
  - Oversight and audits re: HIPAA
  - Protocol dealing with issues like encryption, firewalls, etc.
- Data Ownership
- Use of data: acceptable use
- Access and control of data
  - Including possible access by other contractors of CE

Outsourcing Contract Provisions (Cont'd)
- Indemnification re: HIPAA
- Limitations of liability
- Vendor warranties
- Incorporate BAA
- SLA: cloud service, performance standards, service terms for provided services

Key BAA Provisions
- Vendor/BA to comply with HIPAA
- Breach notification
  - Who pays
  - Time frame for notification
  - Consumer protection provisions
  - When BA does not know where the PHI is
- Indemnification
- Agency

Katherine Layman, Esquire, Cozen O'Connor, 1900 Market Street, Philadelphia, PA 19103, (215) 665-2746, klayman@cozen.com