
Core Elements of HIPAA
The Privacy Rule establishes individuals' privacy rights and addresses the use and disclosure of protected health information ("PHI") by covered entities and business associates.
The Security Rule establishes requirements for protecting electronic PHI (ePHI).
The Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI.
The Enforcement Rule establishes both civil monetary penalties and federal criminal penalties for the knowing use or disclosure of PHI in violation of HIPAA.

Omnibus Final Rule
The original HIPAA Final Rule was issued in 2002 and became effective in 2003. On January 17, 2013, HHS released the Omnibus Final Rule ("Final Rule"), interpreting and implementing provisions of the HITECH Act of 2009. The Final Rule expanded direct regulation to Business Associates and their subcontractors.

HIPAA HAT TRICK: SUMMER 2016
On July 18, OCR announced that Oregon Health & Science University ("OHSU") agreed to pay $2.7 million and enter into a three-year comprehensive corrective action plan as part of a settlement following OCR's investigation of OHSU's compliance with the HIPAA Security Rule. OHSU had submitted multiple reports of HIPAA breaches involving the unsecured protected health information (PHI) of thousands of individuals. Two of the breaches involved unencrypted laptops, and the third involved a stolen, unencrypted thumb drive.
On July 21, OCR announced a similar settlement with the University of Mississippi Medical Center ("UMMC") for $2.75 million. OCR investigated after UMMC reported a HIPAA breach involving a stolen laptop containing ePHI.
On August 4, OCR announced that it had entered into the largest ever settlement of HIPAA claims with Advocate Health Care Network ("Advocate"). Advocate agreed to pay $5.55 million, due in part to the extent and duration of Advocate's alleged noncompliance and the large number of individuals whose PHI was affected. OCR investigated after Advocate reported three separate HIPAA breaches involving its subsidiary, Advocate Medical Group, affecting approximately 4 million individuals. OCR reports that Advocate failed to conduct accurate and thorough risk assessments, implement appropriate security policies and procedures, enter into written business associate agreements to protect ePHI, and reasonably safeguard an unencrypted laptop that was left in an unlocked car.

After the Omnibus Final Rule, Who is Required to Protect PHI?
HIPAA Covered Entity: a health care provider, health plan, or health care clearinghouse (billing services).
Business Associate: an individual or entity that provides services on behalf of the Covered Entity, or of another Business Associate, that require the entity to create, receive, maintain, or transmit protected health information (PHI). This includes subcontractors.

Who Is NOT a Covered Entity?
Employers are not Covered Entities, but they must make sure their group health plans are in compliance. Strict rules govern the flow of health information between the company (including its subsidiaries) and the group health plan it sponsors.

European Union Data Security
Security law
Cyber attacks
Cyber security
Personal data protection (fundamental right + secondary law)
Confidentiality of electronic communications (fundamental right + secondary law)
Civil liability
Specific regulations (lawyers, banks, medical professions, etc.)
Contractual protections: SLAs, NDAs, IT contracts (cloud, etc.)
Etc.
McGuireWoods 23

From Data Protection to Data Security
Growing importance of data protection: the number of databases containing personal data, the value of personal data, and civil liability (GDPR: fines of up to 20.000.000 EUR or 4 % of annual turnover).
Actors:
Data subject: an identified or identifiable natural person.
Controller: the person who determines the purposes and means of the processing of personal data.
Processor: the person who processes personal data on behalf of the controller.
Personal data: any information relating to an identified or identifiable natural person.

From Data Protection to Data Security
Main duties of the controller: implementation of security measures; notification of security breaches?
Security measures: the controller "must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected." (art. 17 of Directive 95/46; see also art. 4 of Directive 2002/58)

From Data Protection to Data Security (cont.)
Data security: availability, integrity, confidentiality.
Security breaches: a "personal data breach" means "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (art. 2 (i) of Directive 2002/58; see also art. 32 GDPR).
Examples: a lost laptop or mobile device, an intrusion into a database, data read over someone's shoulder.

From Data Protection to Data Security (cont.)
Duty of notification:
Duty under the E-Privacy Directive
Duty under the GDPR
Standard of care under Directive 95/46 + specific national laws (Norway, Germany, Austria; Denmark, Republic of Ireland, UK, Spain)
Civil liability vis-à-vis data subjects

From Data Protection to Data Security (cont.)
Duty of notification:
To whom? The competent national authority; data subjects.
Deadlines? Without undue delay.
Sanctions: fines + civil liability (draft GDPR: up to 20.000.000 EUR or 4 % of annual turnover).