SlideShare ist ein Scribd-Unternehmen logo

Healthcare Data Security Update

GuardEra Access Solutions, Inc.
GuardEra Access Solutions, Inc.

This webinar provided an overview of the latest changes to healthcare data security and what technologies are needed to comply. Major changes discussed included expanded obligations for business associates under HIPAA, new requirements for breach notification, and increased enforcement and penalties. The webinar emphasized the importance of a defense-in-depth security approach using integrated technologies like encryption, access controls, and intrusion prevention to deliver a secure and compliant healthcare environment.

1 von 36
Downloaden Sie, um offline zu lesen
Healthcare Data Security Update Latest Changes and What Technologies You Need to Comply Live Webinar August 25, 2009 Sponsored by 3COM
informed Healthcare Data Security Update: Latest Changes and What Technologies You Need to Comply Healthcare Informatics Webinar August 25, 2009 www.morganlewis.com
Data Breach Notification – Federal Law? • 45 states now have data breach notification laws. • Generally apply to “owners” of data. • Laws vary on: – Triggering elements – Notification requirements – timing, recipients, method – Law enforcement involvement – Exceptions for encryption, decreased risk • Federal legislation warranted. • Has been introduced for last five years, seems more likely now. • Will generally provide universal regulation. © Morgan, Lewis & Bockius LLP 3
Mandatory Encryption • New laws in MA and NV expressly require encryption of “personal information” when it moves. • Extension of laws in many states requiring “reasonable precautions,” but now more specifics. • MA rules effective March 1, 2010. • Requires a “Comprehensive Written Information Security Plan.” • Retail – compliance with PCI/DSS will generally cover. • Some likelihood of federal preemption. © Morgan, Lewis & Bockius LLP 4
Amended HIPAA Privacy and Security • Amendments to HIPAA Privacy and Security Rules are in The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of The American Recovery & Reinvestment Act of 2009 (ARRA). • Effective Date: February 18, 2010, except as otherwise noted. © Morgan, Lewis & Bockius LLP 5
Major Changes in HITECH Act • Today we will address: – Expanded obligations of Business Associates (BAs). – Affirmative notification of breach requirements. – Increased enforcement and penalties. • Additional changes include: – Guidance on “Minimum Necessary” standard. – Prohibition on sale of PHI, and restrictions on marketing. – Increased individual rights with respect to certain PHI (applicable to providers). – Limited application to Personal Health Records (PHR) Vendors. © Morgan, Lewis & Bockius LLP 6
Business Associates • HITECH Act responded to concerns that a wide variety of organizations maintain and transmit PHI, but are not regulated by HIPAA. • HITECH Act is a game changer with respect to the legal obligations of BAs and this is likely to have a significant impact upon outsourcing arrangements. • Prior to HITECH Act, BAs were not directly regulated under HIPAA. – Subject to privacy and security restrictions pursuant to required BA agreements. – Only contractual remedies were available to covered entities for breach of the BA agreement. – Unless the BA also happened to be a covered entity, in which case a breach of a BA agreement could result in sanctions. © Morgan, Lewis & Bockius LLP 7
Business Associates and the Security Rule • Security Rule Obligations – Under HITECH Act, BAs must comply with the HIPAA Security Rule’s administrative, technical, and physical safeguard requirements. – Essentially the same compliance obligations as a covered entity. – Newly strengthened HIPAA civil and criminal sanctions apply. • Effective Date: February 18, 2010. © Morgan, Lewis & Bockius LLP 8
Business Associates and the Security Rule • New BA obligations will include: – Implementing written policies and procedures that address each Security Rule standard. – Implementing a security awareness and training program for workforce members. – Designating a security official. – Conducting a security risk analysis, coupled with a security management process. • Covered entities have often attempted to effectively “pass through” Security Rule standards to vendor BAs. – HITECH Act provides further support for rigorous security due diligence of vendors. © Morgan, Lewis & Bockius LLP 9
Business Associates and the Security Rule • Large BA organizations, such as outsourcing companies, are likely to already have implemented a comprehensive security compliance program. – However, program still may not be fully aligned with Security Rule requirements. • Smaller BAs, particularly those that are not exclusively dedicated to the healthcare industry, may have a lot of work to do. • The good news – the Security Rule represents a flexible standard that is consistent with prudent risk management practices. © Morgan, Lewis & Bockius LLP 10
Business Associates and the Privacy Rule • Different than approach under Security Rule. • Requires a BA to only use or disclose PHI consistent with obligations under a BA agreement with a covered entity. – Provisions of BA agreement dictated by Privacy Rule. • Violation of a BA agreement will be a violation of HIPAA (and subject to new, enhanced sanctions). © Morgan, Lewis & Bockius LLP 11
Business Associates and the Privacy Rule • The additional privacy requirements of the HITECH Act that are applicable to covered entities will also apply to BAs (Section 13404(a) of ARRA). • Seems to refer to new privacy requirements relating to: – Access to electronic health records (EHRs) – Accounting of disclosures from EHRs – New “minimum necessary rule” standards – HITECH’s limitations on marketing – Prohibition on sale of EHRs and PHI • It appears that each of these new requirements must be reflected in the BA agreement. • Will a general incorporation by reference work or should each requirement be specifically addressed in the BA agreement? © Morgan, Lewis & Bockius LLP 12
Business Associates and Security Breaches • BAs must notify covered entities of any breach of which they become aware. • BA is not required to notify individuals. • BA agreements will be required to include a confusing array of breach notification provisions: – Notice of unauthorized uses and disclosures of PHI (Privacy Rule) – Notice of “Security Incidents” (Security Rule) – Notice of “Breaches” (HITECH Act) © Morgan, Lewis & Bockius LLP 13
Amendment of Business Associate Agreements • Additional privacy and security requirements imposed upon BAs must be incorporated into the BA agreement. • Potentially very burdensome given the number of BA agreements entered into by most HIPAA-covered entities. • New BA obligations are imposed by force of law, not contract; so, are BA agreement amendments really necessary? • Susan McAndrew of HHS Office for Civil Rights (OCR) has stated that OCR is working on a proposed rule over the summer that will be issued later this year. – A model of a BA agreement on the OCR website is expected to be updated at some point. © Morgan, Lewis & Bockius LLP 14
Amendment of Business Associate Agreements • What should you do if you are entering into an outsourcing agreement that will have a term that runs through February 2010? – Incorporate provisions now that are likely to meet HITECH Act requirements? – Execute an amendment prior to February adding HITECH Act provisions? • One consideration favoring early amendment: – New security breach obligations imposed on BAs will become effective by September 24, 2009. © Morgan, Lewis & Bockius LLP 15
Affirmative Notification Obligation • Pre-HITECH Act Rule: – No affirmative obligation to notify individuals or HHS of a breach of HIPAA Privacy or Security Rules. – But, covered entities’ obligation to mitigate any harm caused by a breach may have included notification of breach. © Morgan, Lewis & Bockius LLP 16
Affirmative Notification Obligation • Under HITECH Act, if security of “Unsecured PHI” is “breached,” covered entity must provide notice without unreasonable delay and within 60 days after “discovery” of breach: – To the impacted individuals. – To the media: If breach involves more than 500 individuals in a state or jurisdiction. – To HHS: If breach involves more than 500 individuals, immediate notice to HHS; if less than 500 impacted individuals, covered entity logs breach and provides annual log to HHS. • If BA discovers breach, it must notify the covered entity, but it may be possible to delegate notification obligations to BA. – HHS issued interim final regulations governing breach notification on August 19, 2009. © Morgan, Lewis & Bockius LLP 17
Notice of Breach – Content • Notice of Breach must include: – Brief description of breach, including dates. – Description of types of Unsecured PHI involved. – Steps impacted individual should take to protect against potential harm. – Brief description of steps covered entity has taken to investigate incident, mitigate harm, and protect against further breaches. – Contact information. © Morgan, Lewis & Bockius LLP 18
Definition of “Unsecured PHI” • “Unsecured PHI” is PHI not secured through use of a technology or methodology identified by HHS as rendering the information unusable, unreadable, or indecipherable to unauthorized persons. • Notification obligations are only triggered by breach of “Unsecured PHI.” © Morgan, Lewis & Bockius LLP 19
Security Guidance • By April 17 (and annually thereafter) HHS will issue guidance on what constitutes “unsecured PHI” • HHS issued guidance on April 17 and met its deadline, with further clarification provided in the August 19 security breach notification regulations. • If HHS had not issued guidance in time, then “unsecured PHI” would have been defined as PHI that is not secured by a technology standard (such as encryption) accredited by the American National Standards Institute (ANSI) – This fall-back provision is now moot • Should the government get into the business of recommending encryption standards and other technologies? © Morgan, Lewis & Bockius LLP 20
Security Guidance -- Encryption • HHS Security Guidance says that PHI is rendered “unusable, unreadable or indecipherable” if: – For data at rest: encryption consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices – For data in motion: encryption that complies with the requirements of Federal Information Processing Standards (FIPS) 140-2 © Morgan, Lewis & Bockius LLP 21
Security Guidance -- Destruction • Media on which PHI is stored or recorded must be destroyed: – Paper, film or other hard copy media: must be shredded or destroyed such that PHI cannot be read or otherwise reconstructed – Electronic media: must be cleared, purged or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization • Guidance creates the “functional equivalent of a safe harbor” © Morgan, Lewis & Bockius LLP 22
Increased Enforcement Mechanisms • Periodic Audits. Effective Feb. 2010. • “Willful Neglect.” – Audit required if preliminary investigation of complaint indicates “willful neglect,” and HHS is required to impose a penalty for violations due to willful neglect. – Effective Feb. 2011 (regs. expected in Aug. 2010). • State Attorneys General. Authorized to bring a civil action for HIPAA violations to enjoin violations and seek limited damages on behalf of residents. Effective immediately. • Mechanism for Individual Recovery. Regs. to issue by Feb. 2012, and effective on or after date of regulations. • Annual Reports to Congress. © Morgan, Lewis & Bockius LLP 23
Increased Tiered Penalties • Increased Tiered Penalties: – Tier 1: If person is not aware of the violation (and would not have known with reasonable diligence), penalty is at least $100/violation, not to exceed $25,000 for all violations of the same requirement in the same year. – Tier 2: If violation is due to “reasonable cause” (but not willful neglect), penalty is at least $1,000/violation, not to exceed $100,000 for all violations of the same requirement in the same year. – Tier 3: If violation is due to willful neglect and is corrected in 30 days, penalty is at least $10,000/violation, not to exceed $250,000 for all violations of the same requirement in the same year. – Tier 4: If violation is due to willful neglect and is not corrected in 30 days, penalty is at least $50,000/violation, not to exceed $1.5 million for all violations of the same requirement in the same year. • Effective Date: Increased penalty amounts apply immediately. “Willful neglect” provisions not applicable until February 2011. © Morgan, Lewis & Bockius LLP 24
For further information contact: Reece Hirsch, CIPP Morgan Lewis & Bockius LLP 415.442.1422 rhirsch@morganlewis.com © Morgan, Lewis & Bockius LLP 25
Defense in Depth Security Solutions Integrated End-to-End Security Sean Newman, Global Product Manager, Security 3Com Confidential, NDA Required 3Com Confidential, NDA Required 26
3Com Delivers “No Compromise” Enterprise Networking Data Center Campus Branch Ultra Modern Lower TCO Defense Architecture By Design In Depth Ease of integration, future Lower operational and End to end defense-in- proof investment protection, capital costs depth, fewer incidents “green,” faster time to service per dollar spent delivery/enablement 3Com Confidential 3Com 27 Security
Defense in Depth – The Secure Network Fabric 3Com Enterprise Security › Accommodates large customers › End to end solution for branch office, (e.g. CNPC - 10K VPN locations) LAN and Data Center › Standalone and embedded › Integrated best of breed technologies › Multi-core processing › Internal and External Comprehensive architecture for high scaling Perimeter protection Defense in Depth Architecture Easier to install and Manage › NOC/SOC experience with IMC Integration › Comware enterprise class OS › Proactive security with IPS/iMC/NAC 3Com Confidential 3Com 28 Security
Delivering a Secure, Compliant, Healthcare Environment 3Com Confidential 3Com Security
Intelligent Management Center – The “Secret Sauce” 3Com Confidential 3Com Security
Network Access Control with IMC 3Com Confidential 3Com Security
Integrated Flexible IPS Deployment TippingPoint Centralized Policy and Digital Vaccine Configuration Management Service Integrates with IMC • INTERNAL ATTACKS AGAINST – WIRED / WIRELESS LAN INFRASTRUCTURE – DATA CENTER • INTERNAL & EXTERNAL ATTACKS – MAJOR NETWORK SEGMENTS • EXTERNAL ATTACKS THROUGH – CORPORATE WAN PERIMETER – WEB APPLICATION INFRASTUCTURE – ROBO – SERVICE PROVIDER / PARTNER PERRING POINTS 3Com Confidential 3Com 32 Security
Delivering a Secure, Compliant, Healthcare Environment 3Com Confidential 3Com Security
Questions? 3Com Confidential, NDA Required Confidential 34
Learn More Webinars from Healthcare Informatics http://www.vendomewebinars.com
Contact Information Richard Jarvis Webinar Director Phone: 212.812.1413 E-mail: rjarvis@vendomegrp.com Abbegayle Hunicke Webinar Project Manager Phone: 212.812.8429 E-mail: ahunicke@vendomegrp.com

Empfohlen

Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3Joe Orlando
 
HIPAA Omnibus Rule: Critical Changes for Business Associates
HIPAA Omnibus Rule: Critical Changes for Business AssociatesHIPAA Omnibus Rule: Critical Changes for Business Associates
HIPAA Omnibus Rule: Critical Changes for Business AssociatesBridge Front
 
It Industry Regulations
It Industry RegulationsIt Industry Regulations
It Industry RegulationsNicholas Davis
 
Cloud primer
Cloud primerCloud primer
Cloud primerZeno Idzerda
 
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...eringold
 
Cybersecurity 101: Government Contracts
Cybersecurity 101: Government ContractsCybersecurity 101: Government Contracts
Cybersecurity 101: Government ContractsPatton Boggs LLP
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Financial Poise
 
Enforcement and Litigation Trends and Developments in Privacy and Data Security
Enforcement and Litigation Trends and Developments in Privacy and Data Security Enforcement and Litigation Trends and Developments in Privacy and Data Security
Enforcement and Litigation Trends and Developments in Privacy and Data Security Richik Sarkar
 

Empfohlen

Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3Joe Orlando
 
HIPAA Omnibus Rule: Critical Changes for Business Associates
HIPAA Omnibus Rule: Critical Changes for Business AssociatesHIPAA Omnibus Rule: Critical Changes for Business Associates
HIPAA Omnibus Rule: Critical Changes for Business AssociatesBridge Front
 
It Industry Regulations
It Industry RegulationsIt Industry Regulations
It Industry RegulationsNicholas Davis
 
Cloud primer
Cloud primerCloud primer
Cloud primerZeno Idzerda
 
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...eringold
 
Cybersecurity 101: Government Contracts
Cybersecurity 101: Government ContractsCybersecurity 101: Government Contracts
Cybersecurity 101: Government ContractsPatton Boggs LLP
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Financial Poise
 
Enforcement and Litigation Trends and Developments in Privacy and Data Security
Enforcement and Litigation Trends and Developments in Privacy and Data Security Enforcement and Litigation Trends and Developments in Privacy and Data Security
Enforcement and Litigation Trends and Developments in Privacy and Data Security Richik Sarkar
 
HHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistHHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistTodd LaRue
 
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & InsuranceCybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & InsuranceSecureDocs
 
Personal Data Privacy and Information Security
Personal Data Privacy and Information SecurityPersonal Data Privacy and Information Security
Personal Data Privacy and Information SecurityCharles Mok
 
Cyberinsurance 111006
Cyberinsurance 111006Cyberinsurance 111006
Cyberinsurance 111006JNicholson
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Factsresourceone
 
KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law
KMA Insights Webinar July 2009 -- Compliance with MA Privacy LawKMA Insights Webinar July 2009 -- Compliance with MA Privacy Law
KMA Insights Webinar July 2009 -- Compliance with MA Privacy LawKnowledge Management Associates, LLC
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachEMC
 
Privacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowPrivacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowThe Capital Network
 
2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA ComplianceRaffa Learning Community
 
Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Lance Michalson
 
2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?Raffa Learning Community
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...- Mark - Fullbright
 
Legal issues of domain names & trademarks
Legal issues of domain names & trademarksLegal issues of domain names & trademarks
Legal issues of domain names & trademarksMatt Siltala
 
CSR PII White Paper
CSR PII White PaperCSR PII White Paper
CSR PII White PaperDmcenter
 
Government Contractors Now Subject to Cybersecurity Regulations – And More ar...
Government Contractors Now Subject to Cybersecurity Regulations – And More ar...Government Contractors Now Subject to Cybersecurity Regulations – And More ar...
Government Contractors Now Subject to Cybersecurity Regulations – And More ar...Patton Boggs LLP
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliancePrince George
 
CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?
CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?
CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?Resilient Systems
 
Canada's Privacy and New Anti-spam Laws: What You Need to Know to Comply
Canada's Privacy and New Anti-spam Laws: What You Need to Know to ComplyCanada's Privacy and New Anti-spam Laws: What You Need to Know to Comply
Canada's Privacy and New Anti-spam Laws: What You Need to Know to ComplyThis account is closed
 
IBM SmartCloud Enterprise - A Secure Infrastructure for Test and Development
IBM SmartCloud Enterprise - A Secure Infrastructure for Test and DevelopmentIBM SmartCloud Enterprise - A Secure Infrastructure for Test and Development
IBM SmartCloud Enterprise - A Secure Infrastructure for Test and DevelopmentPiotr Pietrzak
 
A New Approach to Healthcare Security
A New Approach to Healthcare SecurityA New Approach to Healthcare Security
A New Approach to Healthcare SecurityAngel Villar Garea
 
Healthcare IT Security Threats & Ways to Defend Them
Healthcare IT Security Threats & Ways to Defend ThemHealthcare IT Security Threats & Ways to Defend Them
Healthcare IT Security Threats & Ways to Defend ThemCheapSSLsecurity
 
Healthcare Infrastructure Solutions that Deliver Dramatic Savings
Healthcare Infrastructure Solutions that Deliver Dramatic SavingsHealthcare Infrastructure Solutions that Deliver Dramatic Savings
Healthcare Infrastructure Solutions that Deliver Dramatic SavingsMestizo Enterprises
 

Weitere ähnliche Inhalte

Was ist angesagt?

HHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistHHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistTodd LaRue
 
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & InsuranceCybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & InsuranceSecureDocs
 
Personal Data Privacy and Information Security
Personal Data Privacy and Information SecurityPersonal Data Privacy and Information Security
Personal Data Privacy and Information SecurityCharles Mok
 
Cyberinsurance 111006
Cyberinsurance 111006Cyberinsurance 111006
Cyberinsurance 111006JNicholson
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Factsresourceone
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachEMC
 
Privacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowPrivacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowThe Capital Network
 
2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA ComplianceRaffa Learning Community
 
Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Lance Michalson
 
2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?Raffa Learning Community
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...- Mark - Fullbright
 
Legal issues of domain names & trademarks
Legal issues of domain names & trademarksLegal issues of domain names & trademarks
Legal issues of domain names & trademarksMatt Siltala
 
CSR PII White Paper
CSR PII White PaperCSR PII White Paper
CSR PII White PaperDmcenter
 
Government Contractors Now Subject to Cybersecurity Regulations – And More ar...
Government Contractors Now Subject to Cybersecurity Regulations – And More ar...Government Contractors Now Subject to Cybersecurity Regulations – And More ar...
Government Contractors Now Subject to Cybersecurity Regulations – And More ar...Patton Boggs LLP
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliancePrince George
 
CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?
CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?
CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?Resilient Systems
 
Canada's Privacy and New Anti-spam Laws: What You Need to Know to Comply
Canada's Privacy and New Anti-spam Laws: What You Need to Know to ComplyCanada's Privacy and New Anti-spam Laws: What You Need to Know to Comply
Canada's Privacy and New Anti-spam Laws: What You Need to Know to ComplyThis account is closed
 

Was ist angesagt? (18)

HHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistHHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response Checklist
 
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & InsuranceCybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
 
Personal Data Privacy and Information Security
Personal Data Privacy and Information SecurityPersonal Data Privacy and Information Security
Personal Data Privacy and Information Security
 
Cyberinsurance 111006
Cyberinsurance 111006Cyberinsurance 111006
Cyberinsurance 111006
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Facts
 
KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law
KMA Insights Webinar July 2009 -- Compliance with MA Privacy LawKMA Insights Webinar July 2009 -- Compliance with MA Privacy Law
KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
 
Privacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowPrivacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to Know
 
2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance
 
Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)
 
2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...
 
Legal issues of domain names & trademarks
Legal issues of domain names & trademarksLegal issues of domain names & trademarks
Legal issues of domain names & trademarks
 
CSR PII White Paper
CSR PII White PaperCSR PII White Paper
CSR PII White Paper
 
Government Contractors Now Subject to Cybersecurity Regulations – And More ar...
Government Contractors Now Subject to Cybersecurity Regulations – And More ar...Government Contractors Now Subject to Cybersecurity Regulations – And More ar...
Government Contractors Now Subject to Cybersecurity Regulations – And More ar...
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliance
 
CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?
CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?
CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?
 
Canada's Privacy and New Anti-spam Laws: What You Need to Know to Comply
Canada's Privacy and New Anti-spam Laws: What You Need to Know to ComplyCanada's Privacy and New Anti-spam Laws: What You Need to Know to Comply
Canada's Privacy and New Anti-spam Laws: What You Need to Know to Comply
 

Andere mochten auch

IBM SmartCloud Enterprise - A Secure Infrastructure for Test and Development
IBM SmartCloud Enterprise - A Secure Infrastructure for Test and DevelopmentIBM SmartCloud Enterprise - A Secure Infrastructure for Test and Development
IBM SmartCloud Enterprise - A Secure Infrastructure for Test and DevelopmentPiotr Pietrzak
 
A New Approach to Healthcare Security
A New Approach to Healthcare SecurityA New Approach to Healthcare Security
A New Approach to Healthcare SecurityAngel Villar Garea
 
Healthcare IT Security Threats & Ways to Defend Them
Healthcare IT Security Threats & Ways to Defend ThemHealthcare IT Security Threats & Ways to Defend Them
Healthcare IT Security Threats & Ways to Defend ThemCheapSSLsecurity
 
Healthcare Infrastructure Solutions that Deliver Dramatic Savings
Healthcare Infrastructure Solutions that Deliver Dramatic SavingsHealthcare Infrastructure Solutions that Deliver Dramatic Savings
Healthcare Infrastructure Solutions that Deliver Dramatic SavingsMestizo Enterprises
 
The Security Gap: Protecting Healthcare Data in Office 365
The Security Gap: Protecting Healthcare Data in Office 365The Security Gap: Protecting Healthcare Data in Office 365
The Security Gap: Protecting Healthcare Data in Office 365Bitglass
 
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYODRoadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYODSierraware
 

Andere mochten auch (8)

IBM SmartCloud Enterprise - A Secure Infrastructure for Test and Development
IBM SmartCloud Enterprise - A Secure Infrastructure for Test and DevelopmentIBM SmartCloud Enterprise - A Secure Infrastructure for Test and Development
IBM SmartCloud Enterprise - A Secure Infrastructure for Test and Development
 
A New Approach to Healthcare Security
A New Approach to Healthcare SecurityA New Approach to Healthcare Security
A New Approach to Healthcare Security
 
Healthcare IT Security Threats & Ways to Defend Them
Healthcare IT Security Threats & Ways to Defend ThemHealthcare IT Security Threats & Ways to Defend Them
Healthcare IT Security Threats & Ways to Defend Them
 
Healthcare Infrastructure Solutions that Deliver Dramatic Savings
Healthcare Infrastructure Solutions that Deliver Dramatic SavingsHealthcare Infrastructure Solutions that Deliver Dramatic Savings
Healthcare Infrastructure Solutions that Deliver Dramatic Savings
 
The Security Gap: Protecting Healthcare Data in Office 365
The Security Gap: Protecting Healthcare Data in Office 365The Security Gap: Protecting Healthcare Data in Office 365
The Security Gap: Protecting Healthcare Data in Office 365
 
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYODRoadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
 
Data Security in Healthcare
Data Security in HealthcareData Security in Healthcare
Data Security in Healthcare
 
Hospital or Healthcare Security
Hospital or Healthcare SecurityHospital or Healthcare Security
Hospital or Healthcare Security
 

Ähnlich wie Healthcare Data Security Update

Brian Balow HIPAA Final Rule
Brian Balow HIPAA Final RuleBrian Balow HIPAA Final Rule
Brian Balow HIPAA Final Rulemihinpr
 
Keeping Your Business HIPAA-Compliant
Keeping Your Business HIPAA-CompliantKeeping Your Business HIPAA-Compliant
Keeping Your Business HIPAA-CompliantCarbonite
 
HIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upHIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upDavid Sweigert
 
Hipaa privacy and security 03192014
Hipaa privacy and security 03192014Hipaa privacy and security 03192014
Hipaa privacy and security 03192014Samantha Haas
 
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...Colin Zick
 
Understanding Binding Corporate Rules
Understanding Binding Corporate RulesUnderstanding Binding Corporate Rules
Understanding Binding Corporate RulesJan Dhont
 
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013RightScale
 
Protecting patient privacy
Protecting patient privacyProtecting patient privacy
Protecting patient privacydlemin919
 
Security Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkSecurity Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkDivya Kothari
 
It industry regulations
It industry regulationsIt industry regulations
It industry regulationsNicholas Davis
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideFelipe Prado
 
The New HIPAA: Rules and Responsibilitues
The New HIPAA: Rules and ResponsibilituesThe New HIPAA: Rules and Responsibilitues
The New HIPAA: Rules and Responsibilituescomplianceexpert
 
Hipaa random audit
Hipaa random auditHipaa random audit
Hipaa random auditsupportc2go
 
HIPAA Rules and Action Steps for Compliance April 2013
HIPAA Rules and Action Steps for Compliance April 2013HIPAA Rules and Action Steps for Compliance April 2013
HIPAA Rules and Action Steps for Compliance April 2013Quarles & Brady
 
HIPAA Omnibus Presentation
HIPAA Omnibus PresentationHIPAA Omnibus Presentation
HIPAA Omnibus PresentationCompliancy Group
 
Healthcare Transactions and Compliance
Healthcare Transactions and ComplianceHealthcare Transactions and Compliance
Healthcare Transactions and ComplianceCurtis Bernstein
 
Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Kimberly Simon MBA
 
HIPAA and Patient Access of Information - New Rules and Guidelines
HIPAA and Patient Access of Information - New Rules and GuidelinesHIPAA and Patient Access of Information - New Rules and Guidelines
HIPAA and Patient Access of Information - New Rules and GuidelinesConference Panel
 

Ähnlich wie Healthcare Data Security Update (20)

Brian Balow HIPAA Final Rule
Brian Balow HIPAA Final RuleBrian Balow HIPAA Final Rule
Brian Balow HIPAA Final Rule
 
Medical Records Seminar
Medical Records SeminarMedical Records Seminar
Medical Records Seminar
 
Keeping Your Business HIPAA-Compliant
Keeping Your Business HIPAA-CompliantKeeping Your Business HIPAA-Compliant
Keeping Your Business HIPAA-Compliant
 
HIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upHIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats up
 
Hipaa privacy and security 03192014
Hipaa privacy and security 03192014Hipaa privacy and security 03192014
Hipaa privacy and security 03192014
 
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
 
Understanding Binding Corporate Rules
Understanding Binding Corporate RulesUnderstanding Binding Corporate Rules
Understanding Binding Corporate Rules
 
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
 
Protecting patient privacy
Protecting patient privacyProtecting patient privacy
Protecting patient privacy
 
Security Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkSecurity Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. Framework
 
It industry regulations
It industry regulationsIt industry regulations
It industry regulations
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guide
 
Hipaa omnibus
Hipaa omnibusHipaa omnibus
Hipaa omnibus
 
The New HIPAA: Rules and Responsibilitues
The New HIPAA: Rules and ResponsibilituesThe New HIPAA: Rules and Responsibilitues
The New HIPAA: Rules and Responsibilitues
 
Hipaa random audit
Hipaa random auditHipaa random audit
Hipaa random audit
 
HIPAA Rules and Action Steps for Compliance April 2013
HIPAA Rules and Action Steps for Compliance April 2013HIPAA Rules and Action Steps for Compliance April 2013
HIPAA Rules and Action Steps for Compliance April 2013
 
HIPAA Omnibus Presentation
HIPAA Omnibus PresentationHIPAA Omnibus Presentation
HIPAA Omnibus Presentation
 
Healthcare Transactions and Compliance
Healthcare Transactions and ComplianceHealthcare Transactions and Compliance
Healthcare Transactions and Compliance
 
Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017
 
HIPAA and Patient Access of Information - New Rules and Guidelines
HIPAA and Patient Access of Information - New Rules and GuidelinesHIPAA and Patient Access of Information - New Rules and Guidelines
HIPAA and Patient Access of Information - New Rules and Guidelines
 

Mehr von GuardEra Access Solutions, Inc.

Valiente Balancing It SecurityCompliance, Complexity & Cost
Valiente Balancing It SecurityCompliance, Complexity & CostValiente Balancing It SecurityCompliance, Complexity & Cost
Valiente Balancing It SecurityCompliance, Complexity & CostGuardEra Access Solutions, Inc.
 

Mehr von GuardEra Access Solutions, Inc. (20)

HIPAA Regs
HIPAA RegsHIPAA Regs
HIPAA Regs
 
HITECH Modifications to HIPAA
HITECH Modifications to HIPAAHITECH Modifications to HIPAA
HITECH Modifications to HIPAA
 
Patrick Notley1
Patrick Notley1Patrick Notley1
Patrick Notley1
 
Awarenesstechnologies Intro Document
Awarenesstechnologies Intro DocumentAwarenesstechnologies Intro Document
Awarenesstechnologies Intro Document
 
Mx Pb En 100929
Mx Pb En 100929Mx Pb En 100929
Mx Pb En 100929
 
Rp 2010 data-breach-report-en_xg
Rp 2010 data-breach-report-en_xgRp 2010 data-breach-report-en_xg
Rp 2010 data-breach-report-en_xg
 
Deepwater Horizon
Deepwater HorizonDeepwater Horizon
Deepwater Horizon
 
Cloud Computing Payback
Cloud Computing PaybackCloud Computing Payback
Cloud Computing Payback
 
10844 5415 The Value Of Corporate Secrets
10844 5415 The Value Of Corporate Secrets10844 5415 The Value Of Corporate Secrets
10844 5415 The Value Of Corporate Secrets
 
Security Breach Laws
Security Breach LawsSecurity Breach Laws
Security Breach Laws
 
2010 New Guidelines Hipaa Checklist V1
2010 New Guidelines Hipaa Checklist V12010 New Guidelines Hipaa Checklist V1
2010 New Guidelines Hipaa Checklist V1
 
2010 Hipaa Rules 011310
2010 Hipaa Rules 0113102010 Hipaa Rules 011310
2010 Hipaa Rules 011310
 
Og Disparate It Mgmt Tool Impact Report
Og Disparate It Mgmt Tool Impact ReportOg Disparate It Mgmt Tool Impact Report
Og Disparate It Mgmt Tool Impact Report
 
Accel Ops Brochure0609
Accel Ops Brochure0609Accel Ops Brochure0609
Accel Ops Brochure0609
 
HITECH Act
HITECH ActHITECH Act
HITECH Act
 
EMR Yes- No
EMR Yes- NoEMR Yes- No
EMR Yes- No
 
SourceFire IPS Overview
SourceFire IPS OverviewSourceFire IPS Overview
SourceFire IPS Overview
 
Closing the Clinical IT Chasm
Closing the Clinical IT ChasmClosing the Clinical IT Chasm
Closing the Clinical IT Chasm
 
Valiente Balancing It SecurityCompliance, Complexity & Cost
Valiente Balancing It SecurityCompliance, Complexity & CostValiente Balancing It SecurityCompliance, Complexity & Cost
Valiente Balancing It SecurityCompliance, Complexity & Cost
 
2009 Databreach Report
2009 Databreach Report2009 Databreach Report
2009 Databreach Report
 

Healthcare Data Security Update

  • 1. Healthcare Data Security Update Latest Changes and What Technologies You Need to Comply Live Webinar August 25, 2009 Sponsored by 3COM
  • 2. informed Healthcare Data Security Update: Latest Changes and What Technologies You Need to Comply Healthcare Informatics Webinar August 25, 2009 www.morganlewis.com
  • 3. Data Breach Notification – Federal Law? • 45 states now have data breach notification laws. • Generally apply to “owners” of data. • Laws vary on: – Triggering elements – Notification requirements – timing, recipients, method – Law enforcement involvement – Exceptions for encryption, decreased risk • Federal legislation warranted. • Has been introduced for last five years, seems more likely now. • Will generally provide universal regulation. © Morgan, Lewis & Bockius LLP 3
  • 4. Mandatory Encryption • New laws in MA and NV expressly require encryption of “personal information” when it moves. • Extension of laws in many states requiring “reasonable precautions,” but now more specifics. • MA rules effective March 1, 2010. • Requires a “Comprehensive Written Information Security Plan.” • Retail – compliance with PCI/DSS will generally cover. • Some likelihood of federal preemption. © Morgan, Lewis & Bockius LLP 4
  • 5. Amended HIPAA Privacy and Security • Amendments to HIPAA Privacy and Security Rules are in The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of The American Recovery & Reinvestment Act of 2009 (ARRA). • Effective Date: February 18, 2010, except as otherwise noted. © Morgan, Lewis & Bockius LLP 5
  • 6. Major Changes in HITECH Act • Today we will address: – Expanded obligations of Business Associates (BAs). – Affirmative notification of breach requirements. – Increased enforcement and penalties. • Additional changes include: – Guidance on “Minimum Necessary” standard. – Prohibition on sale of PHI, and restrictions on marketing. – Increased individual rights with respect to certain PHI (applicable to providers). – Limited application to Personal Health Records (PHR) Vendors. © Morgan, Lewis & Bockius LLP 6
  • 7. Business Associates • HITECH Act responded to concerns that a wide variety of organizations maintain and transmit PHI, but are not regulated by HIPAA. • HITECH Act is a game changer with respect to the legal obligations of BAs and this is likely to have a significant impact upon outsourcing arrangements. • Prior to HITECH Act, BAs were not directly regulated under HIPAA. – Subject to privacy and security restrictions pursuant to required BA agreements. – Only contractual remedies were available to covered entities for breach of the BA agreement. – Unless the BA also happened to be a covered entity, in which case a breach of a BA agreement could result in sanctions. © Morgan, Lewis & Bockius LLP 7
  • 8. Business Associates and the Security Rule • Security Rule Obligations – Under HITECH Act, BAs must comply with the HIPAA Security Rule’s administrative, technical, and physical safeguard requirements. – Essentially the same compliance obligations as a covered entity. – Newly strengthened HIPAA civil and criminal sanctions apply. • Effective Date: February 18, 2010. © Morgan, Lewis & Bockius LLP 8
  • 9. Business Associates and the Security Rule • New BA obligations will include: – Implementing written policies and procedures that address each Security Rule standard. – Implementing a security awareness and training program for workforce members. – Designating a security official. – Conducting a security risk analysis, coupled with a security management process. • Covered entities have often attempted to effectively “pass through” Security Rule standards to vendor BAs. – HITECH Act provides further support for rigorous security due diligence of vendors. © Morgan, Lewis & Bockius LLP 9
  • 10. Business Associates and the Security Rule • Large BA organizations, such as outsourcing companies, are likely to already have implemented a comprehensive security compliance program. – However, program still may not be fully aligned with Security Rule requirements. • Smaller BAs, particularly those that are not exclusively dedicated to the healthcare industry, may have a lot of work to do. • The good news – the Security Rule represents a flexible standard that is consistent with prudent risk management practices. © Morgan, Lewis & Bockius LLP 10
  • 11. Business Associates and the Privacy Rule • Different than approach under Security Rule. • Requires a BA to only use or disclose PHI consistent with obligations under a BA agreement with a covered entity. – Provisions of BA agreement dictated by Privacy Rule. • Violation of a BA agreement will be a violation of HIPAA (and subject to new, enhanced sanctions). © Morgan, Lewis & Bockius LLP 11
  • 12. Business Associates and the Privacy Rule • The additional privacy requirements of the HITECH Act that are applicable to covered entities will also apply to BAs (Section 13404(a) of ARRA). • Seems to refer to new privacy requirements relating to: – Access to electronic health records (EHRs) – Accounting of disclosures from EHRs – New “minimum necessary rule” standards – HITECH’s limitations on marketing – Prohibition on sale of EHRs and PHI • It appears that each of these new requirements must be reflected in the BA agreement. • Will a general incorporation by reference work or should each requirement be specifically addressed in the BA agreement? © Morgan, Lewis & Bockius LLP 12
  • 13. Business Associates and Security Breaches • BAs must notify covered entities of any breach of which they become aware. • BA is not required to notify individuals. • BA agreements will be required to include a confusing array of breach notification provisions: – Notice of unauthorized uses and disclosures of PHI (Privacy Rule) – Notice of “Security Incidents” (Security Rule) – Notice of “Breaches” (HITECH Act) © Morgan, Lewis & Bockius LLP 13
  • 14. Amendment of Business Associate Agreements • Additional privacy and security requirements imposed upon BAs must be incorporated into the BA agreement. • Potentially very burdensome given the number of BA agreements entered into by most HIPAA-covered entities. • New BA obligations are imposed by force of law, not contract; so, are BA agreement amendments really necessary? • Susan McAndrew of HHS Office for Civil Rights (OCR) has stated that OCR is working on a proposed rule over the summer that will be issued later this year. – A model of a BA agreement on the OCR website is expected to be updated at some point. © Morgan, Lewis & Bockius LLP 14
  • 15. Amendment of Business Associate Agreements • What should you do if you are entering into an outsourcing agreement that will have a term that runs through February 2010? – Incorporate provisions now that are likely to meet HITECH Act requirements? – Execute an amendment prior to February adding HITECH Act provisions? • One consideration favoring early amendment: – New security breach obligations imposed on BAs will become effective by September 24, 2009. © Morgan, Lewis & Bockius LLP 15
  • 16. Affirmative Notification Obligation • Pre-HITECH Act Rule: – No affirmative obligation to notify individuals or HHS of a breach of HIPAA Privacy or Security Rules. – But, covered entities’ obligation to mitigate any harm caused by a breach may have included notification of breach. © Morgan, Lewis & Bockius LLP 16
  • 17. Affirmative Notification Obligation • Under HITECH Act, if security of “Unsecured PHI” is “breached,” covered entity must provide notice without unreasonable delay and within 60 days after “discovery” of breach: – To the impacted individuals. – To the media: If breach involves more than 500 individuals in a state or jurisdiction. – To HHS: If breach involves more than 500 individuals, immediate notice to HHS; if less than 500 impacted individuals, covered entity logs breach and provides annual log to HHS. • If BA discovers breach, it must notify the covered entity, but it may be possible to delegate notification obligations to BA. – HHS issued interim final regulations governing breach notification on August 19, 2009. © Morgan, Lewis & Bockius LLP 17
  • 18. Notice of Breach – Content • Notice of Breach must include: – Brief description of breach, including dates. – Description of types of Unsecured PHI involved. – Steps impacted individual should take to protect against potential harm. – Brief description of steps covered entity has taken to investigate incident, mitigate harm, and protect against further breaches. – Contact information. © Morgan, Lewis & Bockius LLP 18
  • 19. Definition of “Unsecured PHI” • “Unsecured PHI” is PHI not secured through use of a technology or methodology identified by HHS as rendering the information unusable, unreadable, or indecipherable to unauthorized persons. • Notification obligations are only triggered by breach of “Unsecured PHI.” © Morgan, Lewis & Bockius LLP 19
  • 20. Security Guidance • By April 17 (and annually thereafter) HHS will issue guidance on what constitutes “unsecured PHI” • HHS issued guidance on April 17 and met its deadline, with further clarification provided in the August 19 security breach notification regulations. • If HHS had not issued guidance in time, then “unsecured PHI” would have been defined as PHI that is not secured by a technology standard (such as encryption) accredited by the American National Standards Institute (ANSI) – This fall-back provision is now moot • Should the government get into the business of recommending encryption standards and other technologies? © Morgan, Lewis & Bockius LLP 20
  • 21. Security Guidance -- Encryption • HHS Security Guidance says that PHI is rendered “unusable, unreadable or indecipherable” if: – For data at rest: encryption consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices – For data in motion: encryption that complies with the requirements of Federal Information Processing Standards (FIPS) 140-2 © Morgan, Lewis & Bockius LLP 21
  • 22. Security Guidance -- Destruction • Media on which PHI is stored or recorded must be destroyed: – Paper, film or other hard copy media: must be shredded or destroyed such that PHI cannot be read or otherwise reconstructed – Electronic media: must be cleared, purged or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization • Guidance creates the “functional equivalent of a safe harbor” © Morgan, Lewis & Bockius LLP 22
  • 23. Increased Enforcement Mechanisms • Periodic Audits. Effective Feb. 2010. • “Willful Neglect.” – Audit required if preliminary investigation of complaint indicates “willful neglect,” and HHS is required to impose a penalty for violations due to willful neglect. – Effective Feb. 2011 (regs. expected in Aug. 2010). • State Attorneys General. Authorized to bring a civil action for HIPAA violations to enjoin violations and seek limited damages on behalf of residents. Effective immediately. • Mechanism for Individual Recovery. Regs. to issue by Feb. 2012, and effective on or after date of regulations. • Annual Reports to Congress. © Morgan, Lewis & Bockius LLP 23
  • 24. Increased Tiered Penalties • Increased Tiered Penalties: – Tier 1: If person is not aware of the violation (and would not have known with reasonable diligence), penalty is at least $100/violation, not to exceed $25,000 for all violations of the same requirement in the same year. – Tier 2: If violation is due to “reasonable cause” (but not willful neglect), penalty is at least $1,000/violation, not to exceed $100,000 for all violations of the same requirement in the same year. – Tier 3: If violation is due to willful neglect and is corrected in 30 days, penalty is at least $10,000/violation, not to exceed $250,000 for all violations of the same requirement in the same year. – Tier 4: If violation is due to willful neglect and is not corrected in 30 days, penalty is at least $50,000/violation, not to exceed $1.5 million for all violations of the same requirement in the same year. • Effective Date: Increased penalty amounts apply immediately. “Willful neglect” provisions not applicable until February 2011. © Morgan, Lewis & Bockius LLP 24
  • 25. For further information contact: Reece Hirsch, CIPP Morgan Lewis & Bockius LLP 415.442.1422 rhirsch@morganlewis.com © Morgan, Lewis & Bockius LLP 25
  • 26. Defense in Depth Security Solutions Integrated End-to-End Security Sean Newman, Global Product Manager, Security 3Com Confidential, NDA Required 3Com Confidential, NDA Required 26
  • 27. 3Com Delivers “No Compromise” Enterprise Networking Data Center Campus Branch Ultra Modern Lower TCO Defense Architecture By Design In Depth Ease of integration, future Lower operational and End to end defense-in- proof investment protection, capital costs depth, fewer incidents “green,” faster time to service per dollar spent delivery/enablement 3Com Confidential 3Com 27 Security
  • 28. Defense in Depth – The Secure Network Fabric 3Com Enterprise Security › Accommodates large customers › End to end solution for branch office, (e.g. CNPC - 10K VPN locations) LAN and Data Center › Standalone and embedded › Integrated best of breed technologies › Multi-core processing › Internal and External Comprehensive architecture for high scaling Perimeter protection Defense in Depth Architecture Easier to install and Manage › NOC/SOC experience with IMC Integration › Comware enterprise class OS › Proactive security with IPS/iMC/NAC 3Com Confidential 3Com 28 Security
  • 29. Delivering a Secure, Compliant, Healthcare Environment 3Com Confidential 3Com Security
  • 30. Intelligent Management Center – The “Secret Sauce” 3Com Confidential 3Com Security
  • 31. Network Access Control with IMC 3Com Confidential 3Com Security
  • 32. Integrated Flexible IPS Deployment TippingPoint Centralized Policy and Digital Vaccine Configuration Management Service Integrates with IMC • INTERNAL ATTACKS AGAINST – WIRED / WIRELESS LAN INFRASTRUCTURE – DATA CENTER • INTERNAL & EXTERNAL ATTACKS – MAJOR NETWORK SEGMENTS • EXTERNAL ATTACKS THROUGH – CORPORATE WAN PERIMETER – WEB APPLICATION INFRASTUCTURE – ROBO – SERVICE PROVIDER / PARTNER PERRING POINTS 3Com Confidential 3Com 32 Security
  • 33. Delivering a Secure, Compliant, Healthcare Environment 3Com Confidential 3Com Security
  • 34. Questions? 3Com Confidential, NDA Required Confidential 34
  • 35. Learn More Webinars from Healthcare Informatics http://www.vendomewebinars.com
  • 36. Contact Information Richard Jarvis Webinar Director Phone: 212.812.1413 E-mail: rjarvis@vendomegrp.com Abbegayle Hunicke Webinar Project Manager Phone: 212.812.8429 E-mail: ahunicke@vendomegrp.com