A Panel Discussion. Nancy Davis

Size: px
Start display at page:

Download "A Panel Discussion. Nancy Davis"

Transcription

1 A Panel Discussion 1 Nancy Davis Director of Compliance & Safety, Door County Medical Center Cathy Hansen Director, Health Information Services & Privacy Officer, St. Croix Regional Medical Center Rhonda Joseph Compliance & Privacy Manager Corporate Compliance, Froedtert Health Tennille Sifuentes Director Corporate Compliance, Medical College of Wisconsin Meghan O'Connor Partner and Milwaukee Office Chair of Health & Life Sciences Practice Group, Quarles & Brady LLP 2 Brief Summary of HIPAA Breach Requirements Risk Assessments Big Breaches Breach Notification Corrective Action Audience Participation (As Time Allows) Business Associates Technology and Increased Risk 3 1

2 A Brief Summary 4 An acquisition, access, use, or disclosure of PHI impermissible under the Privacy Rule that compromises the security or privacy of the PHI Presumed to be a breach unless the entity demonstrates there is a low probability that the PHI has been compromised based on a risk assessment Discretion to skip risk assessment and move right to providing notification 5 Low probability of compromise risk assessment must include, at a minimum, the following four factors: Nature and extent of the PHI involved, including the types of identifiers and likelihood of reidentification Unauthorized person who used the PHI or to whom the disclosure was made Whether the PHI was actually acquired or viewed The extent to which the risk to the PHI has been mitigated 6 2

3 Unintentional acquisition, access, or use of PHI by workforce member if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under Privacy Rule. Inadvertent disclosure by a person who is authorized to access PHI to another person authorized to access PHI at the same entity or OHCA, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule. Disclosure of PHI where entity has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information 7 Breach notification required if breach involved unsecured PHI Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through use of technology or methodology specified by HHS Secretary Encrypted at rest (NIST SP ) and in motion (NIST SP , NIST SP , or FIPS validated) 8 Without unreasonable delay and in no case later than 60 calendar days after discovery of breach of unsecured PHI "Discovered" as of first day on which breach is known, or by exercising reasonable diligence, would have been known Deemed knowledge of breach if known, or by exercising reasonable diligence, would have been known to any person (workforce member or agent) other than the person committing the breach 9 3

4 Written form, plain language First-class mail, or by if affected individual has agreed Substitute notice option if insufficient or out-ofdate contact information that precludes written notification Fewer than 10 individuals: Alternative form of written notice, phone, or other means 10 or more individuals: Conspicuous website posting for at least 90 days or major print/broadcast media in affected geographic area with toll-free number active for 90 days Additional phone/other notice in urgent situations because of possible imminent misuse of PHI 10 Brief description of what happened, including date of the breach and date of the discovery of the breach, if known Description of the types of unsecured PHI involved Any steps individuals should take to protect themselves from potential harm resulting from breach Brief description of what the entity involved is doing to investigate the breach, mitigate harm to individuals, and protect against any further breaches Contact procedures for individuals to ask questions or learn additional information, which shall include a tollfree telephone number, an address, website, or postal address 11 Fewer than 500 Individuals: May report any time, but report must be submitted within 60 days of the end of the calendar year in which the breach was discovered Notice submitted electronically via OCR portal 500 or more Individuals: Without unreasonable delay and in no case later than 60 calendar days from discovery of breach Notice submitted electronically via OCR portal Posted on "Wall of Shame" 12 4

5 If breach affects more than 500 residents of a state or jurisdiction, notice must be provided to prominent media outlets Without unreasonable delay and in no case later than 60 days following discovery of breach Must include same information as individual notice 13 Panel Discussion 14 Process / Workflow RA Tools Vendor tool or self-designed Documentation / Maintaining consistency Reporting / Tracking key indicators 15 5

6 Panel Discussion 16 Discovery Who Roles and Responsibilities of User(s) How Was PHI Accessed Containment Change Usernames and Passwords Communications Rapid Assessment Assess Scope Report to Insurer? (Beazley) Retain Outside Legal Counsel? Forensics Internal vs. External Review What systems and data How long was PHI vulnerable Amount and type of PHI Patients Impacted Identify Exact Patients and PHI Link to Demographics (Reg, Cognos) Duplicates, Missing Data Communicate with FH and CHW Notifications Establish Call Center Patients OCR MCW Employees; Board of Trustees Media Press Release Post Incident Patient Communications OCR Investigation 17 8 individuals 133,500 total s 15,000 flagged as possible PHI 2,000 attachments required manual review 10,619 patients identified; 1,159 duplicates 9,460 patients final 1,425 unidentified (no match, incomplete match) 8,035 identified and letters sent 34 w SSN; 1 with Financial Information 119 Calls to Call Center; 14 Escalated to Compliance 18 6

7 Panel Discussion 19 Communicating with affected individual(s) Individual notification letter language Include the names of the bad actor(s)? Responses from affected individuals? Small community factors 20 Panel Discussion 21 7

8 Level 1 Minor issue or issue due to carelessness For example: Talking loudly about a patient where others can hear Faxing to an incorrect location Leaving workstation without securing it Sending PHI electronically without appropriate safeguards (failing to encrypt ) 22 Level 2 Intentional inappropriate use, disclosure and/or access (without a legitimate business reason), but without malice For example: Accessing PHI of a family member who has given permission, but no signed authorization on file Sharing a password with a co-worker who forgot theirs 23 Level 3 Intentional use, access and/or disclosure with malice or with reckless disregard to consequences For example: Accessing PHI out of curiosity Accessing PHI of a co-worker to see why the coworker was in the medical center for care Intentional, unauthorized release of PHI Destroying, stealing, or tampering with records 24 8

9 Breach Level Re- Education Verbal Warning Written Warning Suspension/Last Chance Agreement Termination of Employment Level 1 1 st Offense R O 2 nd Offense R X O 3 rd Offense R X O 4 th Offense X O Level 2 1 st Offense R O X O 2 nd Offense R X O 3 rd Offense X Level 3 1 st Offense X 25 Length of employment Is this a good employee? History of other corrective action Prior HIPAA violation(s)? If so, what? Level of corrective action assigned Does the individual understand the seriousness of the offense? Other mitigating factors 26 Who makes the decision? Formal Coaching/Re-education Privacy Officer, Department Director Verbal Warning Privacy Officer, Department Director Written Warning Privacy Officer, Department Director, Human Resources Suspension Privacy Officer, Department Director, Human Resources Termination Privacy Officer, Department Director, Human Resources Working together: facility & medical group 27 9

10 Audience Participation 28 How do you handle reporting? BA report to affected individuals, OCR, and/or media? Consistent stance or case-by-case decision? Is reporting process outlined in your BAA? How do you control messaging to minimize PR hit? When reporting is done, what next steps do you think about? Revisit BAA? Initiate performance plan? Require ongoing compliance reporting? 29 How are you balancing providers' and patients' increased interest in using technology for communication (e.g., text, , photos, etc.) with privacy and security concerns? 30 10

University of Wisconsin-Madison Policy and Procedure

University of Wisconsin-Madison Policy and Procedure Page 1 of 10 I. Policy The Health Information Technology for Economic and Clinical Health Act regulations ( HITECH ) amended the Health Information Portability and Accountability Act ( HIPAA ) to establish

More information

QUALITY HIPAA December 23, 2013

QUALITY HIPAA December 23, 2013 December 23, 2013 Page 1 of 5 Breach, HIPAA and Protected Health Information This week, we look at the rules governing HIPAA, the HITECH Act and HIPAA Omnibus Rule. Unsecured PHI means Protected Health

More information

Breach Notification Remember State Law

Breach Notification Remember State Law Breach Notification HITECH: First federal law mandating breach notification for health care industry Applies to covered entities, business associates, PHR vendors, and PHR service providers FTC regulates

More information

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule The Twenty-Second National HIPAA Summit Healthcare Privacy and Security After HITECH and Health Reform Rebecca Williams,

More information

Federal Breach Notification Decision Tree and Tools

Federal Breach Notification Decision Tree and Tools Federal Breach Notification and Tools Disclaimer This document is copyright 2009 by the Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers

More information

Privacy & Information Security Protocol: Breach Notification & Mitigation

Privacy & Information Security Protocol: Breach Notification & Mitigation The VUMC Privacy Office coordinates compliance with the required notification steps and prepares the necessary notification and reporting documents. The business unit from which the breach occurred covers

More information

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017 HIPAA in 2017: Hot Topics You Can t Ignore Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017 Breach Notification State Law Privacy Rule Authorizations Polices and Procedures The Truth Is Have created

More information

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016 How to Respond to a HIPAA Breach Tuesday, Oct. 25, 2016 This Webinar is Brought to You By. About HealthInsight and Mountain-Pacific Quality Health HealthInsight and Mountain-Pacific Quality Health are

More information

Security and Privacy Breach Notification

Security and Privacy Breach Notification Security and Privacy Breach Notification Version Approval Date Owner 1.1 May 17, 2017 Privacy Officer 1. Purpose To ensure that the HealthShare Exchange of Southeastern Pennsylvania, Inc. (HSX) maintains

More information

HIPAA-HITECH: Privacy & Security Updates for 2015

HIPAA-HITECH: Privacy & Security Updates for 2015 South Atlantic Regional Annual Conference Orlando, FL February 6, 2015 1 HIPAA-HITECH: Privacy & Security Updates for 2015 Darrell W. Contreras, Esq., LHRM Gregory V. Kerr, CHPC, CHC Agenda 2 OCR On-Site

More information

HIPAA Tips and Advice for Your. Medical Practice

HIPAA Tips and Advice for Your. Medical Practice HIPAA Tips and Advice for Your Ericka L. Adler Medical Practice Rachel V. Rose WHY Header HIPAA PATIENT and Medical PORTALS? Practices HIPAA Basics Who is a covered entity? What is PHI? When can you disclose

More information

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Policy and Procedure: SDM Guidance for HIPAA Business Associates Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:

More information

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide Cyber Attacks and Data Breaches: A Legal and Business Survival Guide August 21, 2012 Max Bodoin, Vince Farhat, Shannon Salimone Copyright 2012 Holland & Knight LLP. All Rights Reserved What this Program

More information

The HIPAA Omnibus Rule

The HIPAA Omnibus Rule The HIPAA Omnibus Rule What You Should Know and Do as Enforcement Begins Rebecca Fayed, Associate General Counsel and Privacy Officer Eric Banks, Information Security Officer 3 Biographies Rebecca C. Fayed

More information

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Update on HIPAA Administration and Enforcement Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Updates Policy Development Breaches Enforcement Audit 2 POLICY DEVELOPMENT RECENTLY PUBLISHED: RIGHT OF ACCESS,

More information

Incident Response: Are You Ready?

Incident Response: Are You Ready? Incident Response: Are You Ready? Chris Apgar, CISSP Apgar & Associates, LLC 2014 Security Incident vs. Breach Overview Security Incident Planning and Your Team Final Breach Notification Rule a refresher

More information

(c) Apgar & Associates, LLC

(c) Apgar & Associates, LLC Incident Response: Are You Ready? Chris Apgar, CISSP Apgar & Associates, LLC 2014 Security Incident vs. Breach Overview Security Incident Planning and Your Team Final Breach Notification Rule a refresher

More information

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Elements of a Swift (and Effective) Response to a HIPAA Security Breach Elements of a Swift (and Effective) Response to a HIPAA Security Breach Susan E. Ziel, RN BSN MPH JD Krieg DeVault LLP Past President, The American Association of Nurse Attorneys Disclaimer The information

More information

HIPAA FOR BROKERS. revised 10/17

HIPAA FOR BROKERS. revised 10/17 HIPAA FOR BROKERS revised 10/17 COURSE PURPOSE The purpose of this information is to help ensure that all Optima Health Brokers are prepared to protect the privacy and security of our members health information.

More information

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017 David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017 Privacy and security of patient information held by health care providers remains a concern of the federal government. More resources

More information

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer Security Rule for IT Staffs J. T. Ash University of Hawaii System HIPAA Compliance Officer jtash@hawaii.edu hipaa@hawaii.edu Disclaimer HIPAA is a TEAM SPORT and everyone has a role in protecting protected

More information

Employee Security Awareness Training Program

Employee Security Awareness Training Program Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,

More information

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE Melodi (Mel) M. Gates mgates@pattonboggs.com (303) 894-6111 October 25, 2013 THE CHANGING PRIVACY CLIMATE z HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY

More information

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security

More information

Data Breach Response Guide

Data Breach Response Guide Data Breach Response Guide A&M System Fall 2014 Introduction What is a breach? As defined by Texas law, a breach is an unauthorized acquisition of computerized data that compromises the security, confidentiality,

More information

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin

More information

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges Pennsylvania ehealth Partnership Authority Pennsylvania s Journey for Health Information Exchange CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 Pittsburgh,

More information

HIPAA Security Manual

HIPAA Security Manual 2010 HIPAA Security Manual Revised with HITECH ACT Amendments Authored by J. Kevin West, Esq. 2010 HALL, FARLEY, OBERRECHT & BLANTON, P.A. DISCLAIMER This Manual is designed to set forth general policies

More information

HIPAA Privacy, Security and Breach Notification

HIPAA Privacy, Security and Breach Notification HIPAA Privacy, Security and Breach Notification HCCA East Central Regional Annual Conference October 2013 Disclaimer The information contained in this document is provided by KPMG LLP for general guidance

More information

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp Agenda Introductions HIPAA Background and History Overview of HIPAA Requirements

More information

University of Mississippi Medical Center Data Use Agreement Protected Health Information

University of Mississippi Medical Center Data Use Agreement Protected Health Information Data Use Agreement Protected Health Information This Data Use Agreement ( DUA ) is effective on the day of, 20, ( Effective Date ) by and between (UMMC) ( Data Custodian ), and ( Recipient ), located at

More information

Putting It All Together:

Putting It All Together: Putting It All Together: The Interplay of Privacy & Security Regina Verde, MS, MBA, CHC Chief Corporate Compliance & Privacy Officer University of Virginia Health System 2017 ISPRO Conference October 24,

More information

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance Russell L. Jones Partner Health Sciences Sector Deloitte & Touche LLP Security & Privacy IMLA 2013 Annual Conference San

More information

HIPAA and HIPAA Compliance with PHI/PII in Research

HIPAA and HIPAA Compliance with PHI/PII in Research HIPAA and HIPAA Compliance with PHI/PII in Research HIPAA Compliance Federal Regulations-Enforced by Office of Civil Rights State Regulations-Texas Administrative Codes Institutional Policies-UTHSA HOPs/IRB

More information

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY Practice Areas: Healthcare Labor and Employment JASON YUNGTUM jyungtum@clinewilliams.com (402) 397 1700 Practice Areas: Healthcare

More information

by Robert Hudock and Patricia Wagner April 2009 Introduction

by Robert Hudock and Patricia Wagner April 2009 Introduction HITECH Updates: Proposed Health Breach Notification Rule Promulgated by the FTC; HHS Releases Guidance on How to Render PHI Unusable, Unreadable, or Indecipherable by Robert Hudock and Patricia Wagner

More information

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014 Computer Security Incident Response Plan Name of Approver: Mary Ann Blair Date of Approval: 23-FEB-2014 Date of Review: 31-MAY-2016 Effective Date: 23-FEB-2014 Name of Reviewer: John Lerchey Table of Contents

More information

PRIVACY-SECURITY INCIDENT REPORT

PRIVACY-SECURITY INCIDENT REPORT SECTION I GENERAL INFORMATION Name of Staff Member Reporting Incident PRIVACY-SECURITY INCIDENT REPORT Telephone Number Email Address Division/Office/Facility Unit/Section Supervisor SECTION II PRIVACY

More information

PTLGateway Data Breach Policy

PTLGateway Data Breach Policy 1 PTLGateway Data Breach Policy Last Updated Date: 02 March 2018 Data Breach Policy This page informs you of our policy which is to establish the goals and the vision for the breach response process. This

More information

The Relationship Between HIPAA Compliance and Business Associates

The Relationship Between HIPAA Compliance and Business Associates The Relationship Between HIPAA Compliance and Business Associates 1 HHS Wall of Shame 20% Involved Business Associates Based on HHS Breach Portal: Breaches Affecting 500 or More Individuals, Type of Breach

More information

HIPAA & Privacy Compliance Update

HIPAA & Privacy Compliance Update HIPAA & Privacy Compliance Update Vermont Medical Society FREE Wednesday Webinar Series March 15, 2017 Anne Cramer and Shireen Hart Primmer Piper Eggleston & Cramer PC acramer@primmer.com shart@primmer.com

More information

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule. Medical Privacy Version 2018.03.26 Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the Lux Scientiae HIPAA Customer signee is a Covered Entity

More information

Audits Accounting of disclosures

Audits Accounting of disclosures Once more unto the breach Mastering HIPAA s data breach notification requirements September 20, 2011 Presented by: Kathy Kenady Senior Loss Prevention Representative Medical Insurance Exchange of California

More information

PLEASE NOTE. - Text the phrase MICHAELBERWA428 to the number /23/2016 1

PLEASE NOTE. - Text the phrase MICHAELBERWA428 to the number /23/2016 1 PLEASE NOTE This is an interactive panel, and we will be conducting voting throughout. To make voting easy, please register NOW, before the panel starts. To register: - Text the phrase MICHAELBERWA428

More information

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits Iliana L. Peters, J.D., LL.M. Senior Advisor for HIPAA Compliance and Enforcement OCR RULEMAKING UPDATE What s s Done?

More information

HIPAA Privacy, Security and Breach Notification 2018

HIPAA Privacy, Security and Breach Notification 2018 HIPAA Privacy, Security and Breach Notification 2018 An Eagle Associates Presentation Eagle Associates, Inc. www.eagleassociates.net info@eagleassociates.net P.O. Box 1356 Ann Arbor, MI 48106 800-777-2337

More information

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC 855 85 HIPAA (855-854-4722) www.compliancygroup.com 1 Started in 2005 by HIPAA auditors & Compliance experts Market need for a total end client solution Created The Guard: cloud-based solution Compliance

More information

Virtua Health, Inc. is a 501 (c) (3) non-profit corporation located in Marlton, New Jersey ( Virtua ).

Virtua Health, Inc. is a 501 (c) (3) non-profit corporation located in Marlton, New Jersey ( Virtua ). myvirtua.org Terms of Use PLEASE READ THESE TERMS OF USE CAREFULLY Virtua Health, Inc. is a 501 (c) (3) non-profit corporation located in Marlton, New Jersey ( Virtua ). Virtua has partnered with a company

More information

Revised January

Revised January Revised January 2017 1 Copyright and Trade Secret Warning All Rights Reserved. This training presentation contains confidential and proprietary trade secrets of and copyrights belonging to RadNet Management,

More information

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D. Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D. HIPAA GENERAL RULE PHI may not be disclosed without patient authorization

More information

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute October 1, 2014 10/1/2014 1 1 Who is

More information

Cyber Security Issues

Cyber Security Issues RHC Summit 6/9/2017 Cyber Security Issues Dennis E. Leber CISO CHFS Why is it Important? Required by Law Good Business Strategy Right Thing to Do Why is it Important? According to Bitglass' 2017 Healthcare

More information

HIPAA Federal Security Rule H I P A A

HIPAA Federal Security Rule H I P A A H I P A A HIPAA Federal Security Rule nsurance ortability ccountability ct of 1996 HIPAA Introduction - What is HIPAA? HIPAA = The Health Insurance Portability and Accountability Act A Federal Law Created

More information

Summary Comparison of Current Data Security and Breach Notification Bills

Summary Comparison of Current Data Security and Breach Notification Bills Topic S. 117 (Nelson) S. (Carper/Blunt) H.R. (Blackburn/Welch) Comments Data Security Standards The FTC shall promulgate regulations requiring information security practices that are appropriate to the

More information

2017_Privacy and Information Security_English_Content

2017_Privacy and Information Security_English_Content 2017_Privacy and Information Security_English_Content 2.3 Staff includes all permanent or temporary, full-time, part-time, casual or contract employees, trainees and volunteers, including but not limited

More information

Red Flags/Identity Theft Prevention Policy: Purpose

Red Flags/Identity Theft Prevention Policy: Purpose Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and

More information

HIPAA Privacy, Security and Breach Notification 2017

HIPAA Privacy, Security and Breach Notification 2017 HIPAA Privacy, Security and Breach Notification 2017 An Eagle Associates Presentation Eagle Associates, Inc. www.eagleassociates.net info@eagleassociates.net P.O. Box 1356 Ann Arbor, MI 48106 800-777-2337

More information

HIPAA Faux Pas. Lauren Gluck Physician s Computer Company User s Conference 2016

HIPAA Faux Pas. Lauren Gluck Physician s Computer Company User s Conference 2016 HIPAA Faux Pas Lauren Gluck Physician s Computer Company User s Conference 2016 Goals of this course Overview of HIPAA and Protected Health Information Define HIPAA s Minimum Necessary Rule Properly de-identifying

More information

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision

More information

HIPAA Security and Privacy Policies & Procedures

HIPAA Security and Privacy Policies & Procedures Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400

More information

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996 HIPAA Privacy & Security Training HIPAA The Health Insurance Portability and Accountability Act of 1996 AMTA confidentiality requirements AMTA Professional Competencies 20. Documentation 20.7 Demonstrate

More information

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance HIPAA Compliance Officer Training By HITECH Compliance Associates Building a Culture of Compliance Your Instructor Is Michael McCoy Nationally Recognized HIPAA Expert » Nothing contained herein should

More information

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final

More information

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications Gramm-Leach Bliley Act Section 501(b) and Customer Notification Roger Pittman Director of Operations Risk Federal Reserve Bank of Atlanta Overview Bank IT examination perspective Background information

More information

NMHC HIPAA Security Training Version

NMHC HIPAA Security Training Version NMHC HIPAA Security Training 2017 Version HIPAA Data Security HIPAA Data Security is intended to provide the technical controls to ensure electronic Protected Health Information (PHI) is kept secure and

More information

NYSIF.com Online Account Third-Party Billers.V3

NYSIF.com Online Account Third-Party Billers.V3 NYSIF.com Online Account Third-Party Billers.V3 April 26, 2018 Contents About this Guide... 1 Create an Account... 2 Logging into your Account... 2 Account Management... 3 Change Password... 3 Enhanced

More information

ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?

ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT? ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT? Jonathan Carroll, MBA, CISSP AVP Enterprise IT Operations Information Security Officer University of Connecticut Why Are We Talking About This? Data breaches

More information

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors Page 1 of 6 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: June 1, 2018 Contact for More Information: HIPAA Privacy Officer Board Policy Administrative

More information

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017 HIPAA How to Comply with Limited Time & Resources Jonathan Pantenburg, MHA, Senior Consultant JPantenburg@Stroudwater.com August 17, 2017 Stroudwater Associates is a leading national healthcare consulting

More information

HIPAA Cloud Computing Guidance

HIPAA Cloud Computing Guidance HIPAA Cloud Computing Guidance Adam Greene, JD, MPH Partner Rebecca Williams, BSN, JD Partner Nature is a mutable cloud which is always and never the same Ralph Waldo Emerson 2 Agenda A few historical

More information

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009 Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009 Privacy Policy Intent: We recognize that privacy is an important issue, so we design and operate our services with

More information

Privacy Breach Policy

Privacy Breach Policy 1. PURPOSE 1.1 The purpose of this policy is to guide NB-IRDT employees and approved users on how to proceed in the event of a privacy breach, and to demonstrate to stakeholders that a systematic procedure

More information

HIPAA Privacy and Security Training Program

HIPAA Privacy and Security Training Program Note The following HIPAA training is intended for Vendors, Business Associates, Students, Pre Approved Shadowers, and Visitors. The following training module does not provide credit for annual training

More information

Data Privacy Breach Policy and Procedure

Data Privacy Breach Policy and Procedure Data Privacy Breach Policy and Procedure Document Information Last revision date: April 16, 2018 Adopted date: Next review: January 1 Annually Overview A privacy breach is an action that results in an

More information

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA CYBERSECURITY IN THE POST ACUTE ARENA AGENDA 2 Introductions 3 Assessing Your Organization 4 Prioritizing Your Review 5 206 Benchmarks and Breaches 6 Compliance 0 & Cybersecurity 0 7 Common Threats & Vulnerabilities

More information

Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World. September 20, 2017

Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World. September 20, 2017 Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World September 20, 2017 The information and opinions expressed by our panelists today are their own, and do not necessarily represent the views of

More information

EXHIBIT A. - HIPAA Security Assessment Template -

EXHIBIT A. - HIPAA Security Assessment Template - Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,

More information

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE 164.502 Develop "minimum necessary" policies for: HIPAA PRIVACY RULE 164.514 - Uses 15 Exempts disclosure for the purpose of treatment from the minimum necessary standard. Page references for - Routine

More information

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation How To Establish A Compliance Program Richard E. Mackey, Jr. Vice president SystemExperts Corporation Agenda High level requirements A written program A sample structure Elements of the program Create

More information

HIPAA For Assisted Living WALA iii

HIPAA For Assisted Living WALA iii Table of Contents The Wisconsin Assisted Living Association... ix Mission... ix Vision... ix Values... ix Acknowledgments... ix Who Should Use This Manual... x How to Use This Manual... x Updates and Forms...

More information

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst HIPAA Privacy and Security Kate Wakefield, CISSP/MLS/MPA Information Security Analyst Kwakefield@costco.com Presentation Overview HIPAA Legislative history & key dates. Who is affected? Employers too!

More information

Seven gray areas of HIPAA you can t ignore

Seven gray areas of HIPAA you can t ignore White Paper: HIPAA Gray Areas Seven gray areas of HIPAA you can t ignore This guide exists to shed some light on some of the gray areas of HIPAA (the Health Insurance Portability and Accountability Act).

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7. Appropriate Methods of Communicating Protected Health Information

WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7. Appropriate Methods of Communicating Protected Health Information WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7 Appropriate Methods of Communicating Protected Health Information Statement of Policy Washington University and its member organizations (collectively, Washington

More information

Information Security Incident Response Plan

Information Security Incident Response Plan Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,

More information

Cyber Risks in the Boardroom Conference

Cyber Risks in the Boardroom Conference Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks

More information

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC Auditing and Monitoring for HIPAA Compliance HCCA COMPLIANCE INSTITUTE 2003 April, 2003 Presented by: Suzie Draper Sheryl Vacca, CHC 1 The Elements of Corporate Compliance Program There are seven key elements

More information

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston CYBERSECURITY Recent OCR Actions & Cyber Awareness Newsletters Claire C. Rosston DISCLAIMER This presentation is similar to any other legal education materials designed to provide general information on

More information

Information Security Incident Response Plan

Information Security Incident Response Plan Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,

More information

Implementing an Audit Program for HIPAA Compliance

Implementing an Audit Program for HIPAA Compliance Implementing an Audit Program for HIPAA Compliance Mike Lynch Fifth National HIPAA Summit November 1, 2002 Seven Guiding Principles of HIPAA Rules Quality and Availability of Care Nothing in the proposed

More information

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012 HIPAA Privacy and Security Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012 Goals and Objectives Course Goal: Can serve as annual HIPAA training for physician practice

More information

BoostMyShop.com Privacy Policy

BoostMyShop.com Privacy Policy BoostMyShop.com Privacy Policy BoostMyShop.corp ( Boostmyshop.com or the Site ) makes its extensions, services, and all Site content available to you subject to this Privacy Policy and its Terms of Service.

More information

HIPAA Security Rule: Annual Checkup. Matt Sorensen

HIPAA Security Rule: Annual Checkup. Matt Sorensen HIPAA Security Rule: Annual Checkup Matt Sorensen Disclaimer This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The statements

More information

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED HEALTHCARE ORGANIZATIONS ARE UNDER INTENSE SCRUTINY BY THE US FEDERAL GOVERNMENT TO ENSURE PATIENT DATA IS PROTECTED Within

More information

If you have any questions or concerns about this Privacy Policy, please Contact Us.

If you have any questions or concerns about this Privacy Policy, please Contact Us. Illuminate Education Your Privacy Rights Are Important To Us The privacy of students and their parents and guardians is important to Illuminate Education, Inc. ( Illuminate ) and the teachers, administrators,

More information

The simplified guide to. HIPAA compliance

The simplified guide to. HIPAA compliance The simplified guide to HIPAA compliance Introduction HIPAA, the Health Insurance Portability and Accountability Act, sets the legal requirements for protecting sensitive patient data. It s also an act

More information

Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018

Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018 Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations Christopher S. Yoo University of Pennsylvania July 12, 2018 Overview of Research Tort and products liability for CPS Privacy and

More information

Schedule Identity Services

Schedule Identity Services This document (this Schedule") is the Schedule for Services related to the identity management ( Identity Services ) made pursuant to the ehealth Ontario Services Agreement (the Agreement ) between ehealth

More information

Table of Contents. PCI Information Security Policy

Table of Contents. PCI Information Security Policy PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology

More information

LCU Privacy Breach Response Plan

LCU Privacy Breach Response Plan LCU Privacy Breach Response Plan Sept 2018 Prevention Communication & Notification Evaluation of Risks Breach Containment & Preliminary Assessment Introduction The Credit Union makes every effort to safeguard

More information